TJX Arrests Are 'Tip of the Iceberg'
Largest ID Theft Case in History is Just a Symptom of True Global Threat, Experts Say
August 6, 2008 - Linda McGlasson, Managing Editor
This article was originally created for BankInfoSecurity.com, and contains information that should interest our GovInfoSecurity.com readers.
This week's arrest of 11 alleged hackers accused of stealing more than 40 million credit and debit card numbers may be only the "tip of the iceberg," security experts say.
In the largest identity theft case ever prosecuted by the US Department of Justice, 11 alleged hackers from around the globe face up to life in prison for hacking nine major US retailers - including TJX. Their crimes include conspiracy, computer intrusion, fraud and identity theft, according to indictments unsealed Tuesday by federal grand juries in Boston, MA and San Diego, CA.
Three of the defendants are U.S. citizens, one is from Estonia, three are from Ukraine, two are from the People's Republic of China and one is from Belarus. One individual is only known by an alias online, and his place of origin is unknown.
The Message to Financial Institutions
These indictments "clearly show what we in the intelligence community have known about and talked about for some time -- there is a very mature, multi-billion dollar industry out there when you look below the surface," says Ken Dunham, an expert in malicious code and Director of Global Response at iSight Partners, a global risk management company. "These criminals are only one group -- there are other large-scale criminal operatives dealing with major money. They're in multiple languages and find in their network of contacts those people who help with credential collection, monetization and laundering of the criminal gains. It's a complete criminal business model that reaches around the world."
Financial institutions must look to their own security in light of this case, says another security leader, Dave Kennedy, Principal and Practice Lead of Profiling and e-Discovery at SecureState, a Cleveland, OH information security and risk assessment firm. "This breach is a proof of concept of what can happen and what attackers are capable of doing," Kennedy says. "A lot of companies never know they're breached until the Feds come knocking on their door. So are financial institutions the same... have they been breached? Are they in the process of being breached as we speak? There is no way of knowing."
Dunham adds that everyone needs to realize online crimes are integrated with all types of fraud. "This would have never been possible before the Internet -- to have the level of efficiency that we see today in criminal activity, measured by some analysts as high as $100 billion," he observes. Security researchers have known for a very long time that criminals were performing fraud through multiple entities, but when they are under the radar it is very difficult to quantify and qualify. "The criminal marketplace is mature and is much bigger than we may realize," Dunham says.
Details of the Indictments
The indictments include charges against ringleader Albert "Segvec" Gonzalez, of Miami, including computer fraud, wire fraud, access device fraud, aggravated identity theft and conspiracy for his role in the scheme. Related charges were also filed against Christopher Scott and Damon Patrick Toey, both of Miami.
Federal prosecutors say that during the course of the sophisticated conspiracy, Gonzalez and his co-conspirators stole credit and debit card numbers by "wardriving" and hacking into the wireless computer networks of major retailers - including TJX Companies, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.
"This case clearly shows how strokes on a keyboard with a criminal purpose can have costly results," said U.S. Attorney Michael J. Sullivan in a Department of Justice statement. "Consumers, companies and governments from around the world must further develop ways to protect our sensitive personal and business information and detect those, whether here or abroad, that conspire to exploit technology for criminal gain."
Once inside the networks, the hackers installed "sniffer" programs to capture card numbers, passwords and account information as they were processed through the retailers' credit and debit processing networks. The stolen information was then moved to encrypted computer servers the hackers controlled in Eastern Europe and the United States. They then sold some of the information on the Internet to other criminals, who took the card numbers and made fake cards to withdraw cash and make purchases. The criminals withdrew "tens of thousands of dollars at a time from ATMs."
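The sniffers described above only paid off because card data crossed the retailers' internal networks in the clear, where any process on a compromised host could read it. The check below is an added example, not code from the article or from any of the parties it names: it scans raw network payloads for 13-19 digit runs that pass the Luhn mod-10 check, which is how both a card-stealing sniffer and a defender's DLP or IDS rule pick PANs out of traffic. The payloads are constructed for the example (the card numbers are standard Luhn-valid test numbers, not real accounts), and the message formats are assumptions, not any processor's actual wire format. Running it on a capture from a segment that should carry only encrypted card data is a cheap way to find out whether the precondition for this attack exists on your own network.

```python
import re

# Constructed sample payloads, standing in for fragments a sniffer would see
# on a retailer's card-processing LAN. Formats are assumed for illustration;
# the PANs are well-known Luhn-valid test numbers, not real accounts.
SAMPLE_PAYLOADS = [
    # Cleartext authorization record (constructed format)
    b"0100F23A...PAN=4111111111111111;EXP=1012;AMT=000000004500",
    # Track-2-style data in the clear (constructed)
    b";5500000000000004=10121011000012345678?",
    # Noise: a 16-digit order id that fails Luhn, so it must be ignored
    b"order_id=1234567890123456 sku=0099887766",
    # Encrypted or compressed payload: no recoverable PAN
    bytes.fromhex("9f1c3a7b2e4d5c6a8b0f1e2d3c4b5a69"),
]

# A PAN is 13-19 digits and must not be part of a longer digit run.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cleartext_pans(payload: bytes) -> list:
    """Return every Luhn-valid 13-19 digit run found in a raw payload."""
    return [m.decode() for m in PAN_RE.findall(payload) if luhn_ok(m.decode())]


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits so findings can be logged safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(payloads) -> list:
    """Return (payload_index, masked_pan) for each cleartext PAN found."""
    hits = []
    for idx, payload in enumerate(payloads):
        for pan in find_cleartext_pans(payload):
            hits.append((idx, mask_pan(pan)))
    return hits


if __name__ == "__main__":
    for idx, masked in scan(SAMPLE_PAYLOADS):
        print(f"payload {idx}: cleartext PAN {masked}")
```

Two of the four payloads produce a hit; the Luhn filter discards the order id, and the encrypted payload yields nothing, which is the state every card-processing segment should be in. Findings are masked before they are logged so the scanner itself does not become another place card numbers accumulate.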
"Technology has forever changed the way commerce is conducted, virtually erasing geographic boundaries," said U.S. Secret Service Director Mark Sullivan in the DOJ statement. "While these advances and the global nature of cyber crime continue to have a profound impact on our financial crimes
Reader Comments

Will the financial losses that banks have taken in these cases be reimbursed by the merchants, since they are guilty of not protecting the data?

We have been hearing this trend of data being stolen. Many countries in Europe, Asia and the Middle East have either gone or are now going through migration to a chip card technology. I know this is a large endeavor. Has anyone given it a thought? I have seen some chip-ready POS terminals in a few shops such as Target.

Call it the 'invisible elephant' in the room. I name it 'data cover', not cyber-insurance. What is required is a new online risk paradigm: risk mitigation based on the assessment of an organization's best practice security and best encryption infrastructure. If you rate low-risk/highly-protected, you are insurable at the individual transmission-transaction exposure for whatever ails you. If you do not pass the security litmus assessment, then you will not be insured. Period.

The issue is not better protection of credit card and ATM card information. The issue is that banks need to make it difficult for thieves who have this information to drain victims' bank accounts and make charges to victims' credit cards. Just consider that when you write out a check, the numbers on the bottom contain all the information needed by a thief to drain your checking account. What's needed is a complete overhaul of the system, so that bogus charges cannot be made on the basis of stolen information. What's needed is a way to verify that the person seeking to use the credit card or ATM card is actually authorized to do so. It cannot depend on knowledge of a PIN, since merchants seem to have recorded the PINs.

We live in interesting times - there is plenty of blame to go around for everyone involved: consumers who exercise no common sense, oversight, or responsibility in how they conduct their business; retailers who have no motivation to care about security; and ultimately it is the financial institutions themselves who created this situation.
We are quick to make the sale, even quicker to embrace all the technologies that make "ease of use" the driving force when it comes to credit and debit cards. I know of no program where anything that resembles periodic due diligence is performed once the site inspection and installation are performed. The retailers can only be expected to do what they are required to do - that we are taking hits from half a world away leads me to believe we need to look closely at the entire process.
I realize this is coming close to blaming the victim for the crime, but when the process makes it this easy, few of us should be surprised.

This article simply underscores the need for consumers and businesses to be better informed. Three issues, adequately addressed, would greatly reduce the risk of Internet theft. (1) Either cash or the restorative cash cards with pre-planned amounts for pending purchases would be much safer to use in restaurants, gas stations, and other public places. (2) Unless your bank has an adequately protected online site, do not do business over the Internet with it. If online access lacks security, you should question whether its overall IT security is adequate. The public needs to know what to look for in a secure site, and it needs to be better informed of what constitutes good bank IT security. (3) Business IT environments need the same level of security and oversight that regulators require of banks. Otherwise, they should not be permitted to retain Non-Public Personal Information in their databases!

There are no deterrents for these types of people.

No ..... This is just the tip of the iceberg, so to speak. The blackhats are just beginning a long run into the world of theft and mayhem. As long as companies don't go beyond standard practices for securing their networks, this will be a continuing story.

Again we tie our shoelace (banks) while our shoe has no sole (merchants & ISOs), i.e. banks are required to allocate such huge expenses for security deployment, yet merchants and ISOs are allowed to use the end products from the banks without any semblance of security. At what point does the merchant get held accountable as an enabler of these crimes?

I think these arrests are not deterrents. There is just too much profit to be made from these tactics. It seems to me that the mindset of these types of criminals would be, "That guy got caught, but I won't." I think this news will only cause the criminals to work on more sophisticated approaches. The retailers (large and small) seem to have no clue how to prevent these breaches, and I think we will only see more and more of these breaches.

This issue is on the heads of the retailers for not protecting the communications between their transaction hubs and the credit card companies. It seems many assume that if you secure the beginning and end of the communication you're done. Shame on these guys for putting their customers in harm's way.

The issue is not about deterring cyber criminals. It is about retailers taking wireless security seriously and spending the money to protect data. Wireless brings great benefits and great efficiencies to the enterprise, but haphazard installation and mis-configuration and lack of monitoring and intrusion prevention have created this weakness in the networks. It is time retailers stopped passing the responsibility and the blame off to someone else (e.g. the credit card companies). The analogy could be drawn to the automobile industry some 30 to 40 years ago. It was very resistant to enhancing safety features, blaming drivers and parts manufacturers. When accidents and deaths reached a critical mass, the government stepped in. And we all know how private enterprise feels about "government interference."
I bet if these crooks were emptying the bank accounts of these stores, they would pay more attention. But when they can pass the blame to the credit card companies and when they figure folks will not stop shopping, they ignore the problem.

Financial institutions are not "the same," are highly regulated, and do not use wireless networks.

It's more likely that some retailers will erroneously think their exposure is now significantly reduced, since almost every major retail breach is getting pinned on these guys.

No, the money is too much, and the chance of being caught is too small.