Three Charged With Hacking Dave & Buster’s Chain

Another big heist in the US, netting a whole lot of juicy information on credit and debit cards, with over half a million USD lost in this case alone. There’s a whole lot of fraud going on.

Not bad for fiddling with the cash register system of a restaurant chain. It just shows that anyone dealing with financial information really should make sure they are secure.

These guys are clever and they know how to make the most out of whatever they get.

Three men have been indicted for hacking into a number of cash registers at Dave & Buster’s restaurant locations nationwide to steal data from thousands of credit and debit cards, data that was later sold or used to cause more than $600,000 in losses, the Justice Department said this week.

The government’s 27-count indictment unsealed this week names Maksym “Maksik” Yastremskiy, of Kharkov, Ukraine, and Aleksandr “JonnyHell,” Suvorov, of Sillamae, Estonia, with wire fraud conspiracy, wire fraud, conspiracy to possess unauthorized access devices, access device fraud, aggravated identity theft, conspiracy to commit computer fraud, computer fraud and counts of interception of electronic communications.

That’s a whole long list of indictments! It seems these guys are in pretty serious trouble for what they’ve done. They managed to get hold of the “Track 2” data encoded in the cards; this is quite enough info to reprint new cards with a matching ID and use them in stores.

It’s not really useful for online transactions, as they don’t actually know the customer’s name or postal address.

The stolen card data, known as “Track 2” data, is stored in the magnetic stripe on the back of each credit and debit card. It’s stored unencrypted and in plain text. Consequently, it can be read and re-encoded onto a counterfeit card that can then be used to make purchases at main street stores. It includes the customer’s account number and expiration date, but not the cardholder’s name or other personally identifiable information.

As a result, Dave & Buster’s had no way to notify the individual affected customers. Rather, in Sept. 2007, the company alerted its payment processor, Santa Monica, Calif.-based Chase Paymentech Solutions, LLC, which in turn notified the credit card companies.

I wonder whether the company will get sued for incompetence or for allowing such a breach of data. Saying that, though, no ‘confidential’ or ‘personal’ information was lost, so the only real loser here are the banks and credit card companies who will have to refund all the money fraudulently used.

Source: Washington Post



5 Responses to Three Charged With Hacking Dave & Buster’s Chain

  1. zupakomputer May 20, 2008 at 4:35 pm #

    Credit cards have been hackable all along. It was even possible to use hotel door key scanners to read the magnetic strips, and make dupes.

    At the end of the day, there’s some things that don’t benefit from becoming automated. At least when it was old ring-up tills, you couldn’t mess things up with the wrong scan-in, one person on the till at a time, sorry can’t give you change of whatever cause it’s all automated – you just punched in the prices, and added them up, and printed a receipt.

    It’s an awful thing when technology replaces what works fine without it (or in this case, without it updating past mechanical or stand-alone electrical).

  2. Guy Sohmbadi May 20, 2008 at 5:44 pm #

    Hey – just a quick note: You say “the only real loser here are the banks and credit card companies who will have to refund all the money fraudulently used.”

    This is incorrect. Visa/MC/AMEX are set up so that in the event of a fraudulent transaction, the MERCHANT loses, not the bank or credit card company. In fact, they even get to keep the transaction fees for the fraudulent transaction…

    Let me repeat that. The ONLY person that loses in a fraudulent CC purchase is the MERCHANT. They are out the goods, and the CC company takes back the money, to give it back to the real card holder.

  3. linuxamp May 21, 2008 at 9:42 am #

    Guy, you say that the merchant is hurt. Don’t the CC companies have security policies that, if followed, remove such liability? What about auditors? You’d think the merchants could have CC audits also to shift liability.

  4. Jinesh Doshi May 21, 2008 at 11:21 am #

    Thankfully our country is not that advanced or I would have lost $5k-$10k already :)

  5. Lawrence Pingree May 21, 2008 at 5:13 pm #

    Actually, the loser here is the retailer, the retailer is held responsible for fraudulent transactions since the retailer is the one who was not protecting the data appropriately. The credit card companies and banks are almost never held responsible, it sucks, but it’s the way their contracts are written. I have proposed several times to the House Subcommittee on Finance and Consumer credit to change the laws regarding validation of PII during credit issuance to include validation of the credit to check a valid Bank Checking account information against the credit card before permitting the credit issuance, I know it does not apply here but most fraud is performed without AVS (Address Verification Service) which is one huge issue with processing cards. I feel the PII should be encrypted in the card with the user’s PIN just like debit cards, this way the card cannot be used unless you have the PIN duh, credit card companies have this ability on their terminals but refuse to utilize it because then they would be held more responsible instead of the retailer. My 2 cents.