Three Charged With Hacking Dave & Buster’s Chain


Another big heist in the US netting a whole lot of juicy information on credit and debit cards, over half a million USD lost in this case alone. There’s a whole lot of fraud going on.

Not bad for fiddling with the cash register system of a restaurant chain. It just shows, anyone dealing with financial information really should make sure they are secure.

These guys are clever and they know how to make the most out of whatever they get.

Three men have been indicted for hacking into a number of cash registers at Dave & Buster’s restaurant locations nationwide to steal data from thousands of credit and debit cards, data that was later sold or used to cause more than $600,000 in losses, the Justice Department said this week.

The government’s 27-count indictment unsealed this week names Maksym “Maksik” Yastremskiy, of Kharkov, Ukraine, and Aleksandr “JonnyHell,” Suvorov, of Sillamae, Estonia, with wire fraud conspiracy, wire fraud, conspiracy to possess unauthorized access devices, access device fraud, aggravated identity theft, conspiracy to commit computer fraud, computer fraud and counts of interception of electronic communications.

That’s a whole long list of indictments! It seems these guys are in pretty serious trouble for what they’ve done. They managed to get hold of the “Track 2” data encoded in the cards, which is quite enough info to reprint new cards with a matching ID and use them in stores.

It’s not really useful for online transactions as they don’t actually know the customer’s name or postal address.

The stolen card data, known as “Track 2” data, is stored in the magnetic stripe on the back of each credit and debit card. It’s stored unencrypted and in plain text. Consequently, it can be read and re-encoded onto a counterfeit card that can then be used to make purchases at main street stores. It includes the customer’s account number and expiration date, but not the cardholder’s name or other personally identifiable information.

As a result, Dave & Buster’s had no way to notify the individual affected customers. Rather, in Sept. 2007, the company alerted its payment processor, Santa Monica, Calif., based Chase Paymentech Solutions, LLC, which in turn notified the credit card companies.

I wonder will the company get sued for incompetence or allowing such a breach of data? Saying that though no ‘confidential’ or ‘personal’ information was lost, so the only real loser here are the banks and credit card companies who will have to refund all the money fraudulently used.

Source: Washington Post


5 Responses to Three Charged With Hacking Dave & Buster’s Chain

  1. zupakomputer May 20, 2008 at 4:35 pm #

    Credit cards have been hackable all along. It was even possible to use hotel door key scanners to read the magnetic strips, and make dupes.

    At the end of the day, there’s some things that don’t benefit from becoming automated. At least when it was old ring-up tills, you couldn’t mess things up with the wrong scan-in, one person on the till at a time, sorry can’t give you change of whatever cause it’s all automated – you just punched in the prices, and added them up, and printed a receipt.

    It’s an awful thing when technology replaces what works fine without it (or in this case, without it updating past mechanical or stand-alone electrical).

  2. Guy Sohmbadi May 20, 2008 at 5:44 pm #

    Hey – just a quick note: You say “the only real loser here are the banks and credit card companies who will have to refund all the money fraudulently used.”

    This is incorrect. Visa/MC/AMEX are set up so that in the event of a fraudulent transaction, the MERCHANT loses, not the bank or credit card company. In fact, they even get to keep the transaction fees for the fraudulent transaction…

    Let me repeat that. The ONLY person that loses in a fraudulent CC purchase is the MERCHANT. They are out the goods, and the CC company takes back the money, to give it back to the real card holder.

  3. linuxamp May 21, 2008 at 9:42 am #

    Guy, you say that the merchant is hurt. Don’t the CC companies have security policies that, if followed, remove such liability? What about auditors? You’d think the merchants could have CC audits also to shift liability.

  4. Jinesh Doshi May 21, 2008 at 11:21 am #

    Thankfully our country is not that advanced or I would have lost $5k-$10k already :)

  5. Lawrence Pingree May 21, 2008 at 5:13 pm #

    Actually, the loser here is the retailer; the retailer is held responsible for fraudulent transactions since the retailer is the one who was not protecting the data appropriately. The credit card companies and banks are almost never held responsible. It sucks, but it’s the way their contracts are written. I have proposed several times to the House Subcommittee on Finance and Consumer credit to change the laws regarding validation of PII during credit issuance to include validation of the credit to check a valid Bank Checking account information against the credit card before permitting the credit issuance. I know it does not apply here, but most fraud is performed without AVS (Address Verification Service), which is one huge issue with processing cards. I feel the PII should be encrypted in the card with the user’s PIN just like debit cards; this way the card cannot be used unless you have the PIN, duh. Credit card companies have this ability on their terminals but refuse to utilize it because then they would be held more responsible instead of the retailer. My 2 cents.