August 5, 2008

Major credit-card hacking case comes to trial

From CNN:
Justice: Hackers steal 40 million credit card numbers
Eleven people were indicted Tuesday for allegedly stealing more than 40 million credit and debit card numbers, federal authorities said.

The indictments, which alleged that at least nine major U.S. retailers were hacked, were unsealed Tuesday in Boston, Massachusetts, and San Diego, California, prosecutors said.

It is believed to be the largest hacking case that the Justice Department has ever tried to prosecute.

Three of the defendants are from the United States; three are from Estonia; three are from Ukraine; two are from China and one is from Belarus.

The remaining individual is known only by an alias and authorities do not know where that person is.

Under the indictments, three Miami, Florida, men -- Albert "Segvec" Gonzalez, Christopher Scott and Damon Patrick Toey -- are accused of hacking into the wireless computer networks of retailers including TJX Companies, whose stores include Marshall's and T.J. Maxx, BJ's Wholesale Club, OfficeMax, Barnes and Noble and Sports Authority, among others.

The three men installed "sniffer" programs designed to capture credit card numbers, passwords and account information as they moved through the retailers' card processing networks, said Michael Sullivan, the U.S. attorney in Boston.

From the St. Louis Post-Dispatch/AP:
11 charged in connection with credit card fraud
Eleven people, including a U.S. Secret Service informant, have been charged in connection with the hacking of nine major retailers and the theft and sale of more than 41 million credit and debit card numbers, the Justice Department announced Tuesday.

The hack:
Sullivan said the alleged thieves weren't computer geniuses, just opportunists who used a technique called "wardriving," which involved cruising through different areas with a laptop and looking for accessible wireless Internet signals. Once they located a vulnerable network, they installed so-called "sniffer programs" that captured credit and debit card numbers as they moved through a retailer's processing networks.

The information was stored on two servers in Ukraine and Latvia - one with more than 25 million credit and debit card numbers and another with more than 16 million numbers, Sullivan said.

Probably would have gotten away with it if they hadn't gotten so careless and greedy. No word on how the takedown was done. I bet there are some high-level job openings at TJX's IT department...

Posted by DaveH at August 5, 2008 9:44 PM