Another big heist in the US, netting a whole lot of juicy information on credit and debit cards, with over half a million USD lost in this case alone. There’s a whole lot of fraud going on.
Not bad for fiddling with the cash register system of a restaurant chain. It just shows that anyone dealing with financial information really should make sure they are secure.
These guys are clever and they know how to make the most out of whatever they get.
Three men have been indicted for hacking into a number of cash registers at Dave & Buster’s restaurant locations nationwide to steal data from thousands of credit and debit cards, data that was later sold or used to cause more than $600,000 in losses, the Justice Department said this week.
The government’s 27-count indictment unsealed this week names Maksym “Maksik” Yastremskiy, of Kharkov, Ukraine, and Aleksandr “JonnyHell” Suvorov, of Sillamae, Estonia, with wire fraud conspiracy, wire fraud, conspiracy to possess unauthorized access devices, access device fraud, aggravated identity theft, conspiracy to commit computer fraud, computer fraud and counts of interception of electronic communications.
That’s a long list of charges! It seems these guys are in pretty serious trouble for what they’ve done. They managed to get hold of the “Track 2” data encoded in the cards, which is quite enough info to reprint new cards with a matching ID and use them in stores.
It’s not really useful for online transactions, as they don’t actually know the customer’s name or postal address.
The stolen card data, known as “Track 2” data, is stored in the magnetic stripe on the back of each credit and debit card. It’s stored unencrypted and in plain text. Consequently, it can be read and re-encoded onto a counterfeit card that can then be used to make purchases at main street stores. It includes the customer’s account number and expiration date, but not the cardholder’s name or other personally identifiable information.
As a result, Dave & Buster’s had no way to notify the individual affected customers. Rather, in Sept. 2007, the company alerted its payment processor, Santa Monica, Calif.-based Chase Paymentech Solutions, LLC, which in turn notified the credit card companies.
I wonder whether the company will get sued for incompetence or for allowing such a breach of data. That said, no ‘confidential’ or ‘personal’ information was lost, so the only real losers here are the banks and credit card companies, who will have to refund all the money fraudulently used.
Source: Washington Post
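Because Track 2 data is plain text, a merchant can check whether its own point-of-sale logs or files are retaining it. The following is an added example, not code from this post or from the Washington Post article: it flags Track 2-shaped strings and reports them masked. The field layout follows ISO/IEC 7813, and the function names and log lines are constructed for illustration (the card number is the widely published test value).

```python
import re

# ISO/IEC 7813 Track 2 layout: ';' start sentinel, PAN (up to 19 digits),
# '=' separator, YYMM expiry, 3-digit service code, discretionary data, '?'.
TRACK2_RE = re.compile(r";(\d{12,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")

def luhn_ok(pan: str) -> bool:
    """Luhn checksum: filters out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Keep first six and last four digits so the report holds no full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track2(text: str) -> list:
    """Return one masked finding per plausible Track 2 record in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in TRACK2_RE.finditer(line):
            pan, yy, mm = m.group(1), m.group(2), m.group(3)
            if not 1 <= int(mm) <= 12 or not luhn_ok(pan):
                continue        # wrong month or bad checksum: not card data
            hits.append({"line": lineno, "pan": mask(pan),
                         "expiry": f"{mm}/{yy}"})
    return hits

# Constructed sample log: line 2 holds a Luhn-valid test PAN, line 3 does not.
SAMPLE_LOG = """\
2007-05-02 19:04:11 POS03 txn start table=14
2007-05-02 19:04:12 POS03 swipe raw=;4111111111111111=10121010000000000000?
2007-05-02 19:04:13 POS03 ref=;1234567890123456=10121010000000000000?
2007-05-02 19:04:15 POS03 txn approved amount=42.50
"""

if __name__ == "__main__":
    for hit in find_track2(SAMPLE_LOG):
        print(hit)
```

Any hit in a log, database dump or swap file means stripe data is being kept after authorization, which is the exposure the article describes.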