A 28-year-old hacker has been charged in what federal prosecutors are calling the largest case of identity theft ever seen. The man, Albert Gonzalez, worked with two unnamed Russian conspirators to run wild through the computer networks of a handful of prominent corporations, including 7-Eleven, the supermarket chain Hannaford Brothers, and the payment processor Heartland Payment Center. The size of the heist—130 million credit and debit card numbers, according to prosecutors—have many people wondering: How exactly is such a massive theft carried out?
The Justice Department’s indictment (pdf) describes how Gonzales (a.k.a. “segvec” and “soupnazi,” among other aliases) and his co-conspirators pulled it off. They began the job by scanning lists of Fortune 500 companies for likely targets, and then visited retail outlets to scope out the payment systems used at checkout counters and to look for vulnerabilities. Then they would write specific codes to corrupt their data systems and launch a virus from computers in the United States and Europe to pull hundreds and thousands of credit card numbers, and sort through them using a “sniffer,” which is basically a data analysis system that decodes big chunks of information [The Atlantic].
The hackers allegedly tested their malicious code, or “malware,” by using approximately twenty of the leading anti-virus products to determine if any of those products would detect their malware as potentially unwanted. Furthermore, they programmed their malware to actively delete traces of the malware’s presence from the corporate victims’ networks.” The methods used by Gonzalez and his team weren’t all that sophisticated, either; the long and short of it is that they were able to exploit end users that didn’t know how poor their security was, according to security experts [ChannelWeb]. It’s still unclear how many of the stolen credit card numbers were resold and used to make unauthorized purchases or bank withdrawals.
Gonzalez has an interesting record, and has worked on both sides of the legal line. In 2003, after being arrested in New Jersey in a computer crime, he helped the Secret Service and federal prosecutors in New Jersey identify his former conspirators in the online underworld where credit and debit card numbers are stolen, bought and sold. But Mr. Gonzalez secretly reconnected with his old associates, federal officials have said [The New York Times]. He’s currently in jail awaiting trial on two other cases of credit card data theft: the 2005 breach at T. J. Maxx stores, and the 2008 hack of the Dave & Busters restaurant chain and other companies.
Related Content:
80beats: Attack That Took Down Twitter May’ve Been Aimed at Just One Blogger
80beats: Cyber Attack Hits Government Web Sites; North Korea Is Blamed
80beats: Researchers Guess Social Security Numbers From Public Data
80beats: Mystery of the Conficker Worm Continues: Does It Want to Scam or Spam?
Image:
August 18th, 2009 at 2:38 pm
Hopefully Mr. Gonzalez’s actions can have a beneficial effect. Companies can learn to better protect our sensitive information, and consumers can learn just how vigilant they need to be in regards to their finances. It might be a lot to ask, but I think some good can come from this.
Of course its hard when it oftentimes seem like our best and brightest minds would rather go into the criminal side of the computing world, than the legitimate one.
Check out my blog on Mr. Gonzalez and his actions at…. http://www.thedebtgazette.com/2009/08/miami-hacker-creditcards/
August 18th, 2009 at 2:42 pm
I don’t know who’s writing for the Atlantic, but they have their terminology wrong. In network security, a sniffer is something that samples network traffic passing by your machine that isn’t intended for you, to discover vulnerabilities or steal information passing by in plain text.
http://en.wikipedia.org/wiki/Sniffer
A quick google of “wiki sniffer” would have set the Atlantic straight. It’s a shame to see journalism in the state it’s in today.
Re: Frank: Why would they bother improving their security? That costs money, and legislating ridiculously tough laws on computer fraud is much cheaper, since Congress is full of undereducated people who have little clue about computers, as they grew up in the time of punch cards.
August 19th, 2009 at 4:43 pm
Agree with #2. Why would they bother? Particularly when it’s the merchants who eventually accept these fraudulent forms of payment that are taking the hit. Where’s the incentive for those who are storing this data to keep it secure? Or for the credit card companies to make their product less vulnerable to theft, for that matter? Having someone’s credit card number should NOT be all that’s required to start using it fraudulently. Ridiculous.
September 14th, 2009 at 5:37 pm
This guy and his cohorts need to go off a tall building…oops.