Three Charged With Hacking Dave & Buster’s Chain


Another big heist in the US netting a whole lot of juicy information on credit and debit cards, over half a million USD lost in this case alone. There’s a whole lot of fraud going on..

Not bad for fiddling with the cash register system of a restaurant chain. It just shows, anyone dealing with finanical information really should make sure they are secure.

These guys are clever and they know how to make the most out of whatever they get.

Three men have been indicted for hacking into a number of cash registers at Dave & Buster’s restaurant locations nationwide to steal data from thousands of credit and debit cards, data that was later sold or used to cause more than $600,000 in losses, the Justice Department said this week.

The government’s 27-count indictment unsealed this week names Maksym “Maksik” Yastremskiy, of Kharkov, Ukraine, and Aleksandr “JonnyHell,” Suvorov, of Sillamae, Estonia, with wire fraud conspiracy, wire fraud, conspiracy to possess unauthorized access devices, access device fraud, aggravated identity theft, conspiracy to commit computer fraud, computer fraud and counts of interception of electronic communications.

That’s a whole long list of indictments! It seems these guys are in pretty serious trouble for what they’ve done. They managed to get hold of the “Track 2” data encoded in the cards, this is quite enough info to reprint new cards with a matching ID and use them in stores.

It’s not really useful for online transactions as they don’t actually know the customers name or postal address.

The stolen card data, known as “Track 2” data, is stored in the magnetic stripe on the back of each credit and debit card. It’s stored unencrypted and in plain text. Consequently, it can be read and re-encoded onto a counterfeit card that can then be used to make purchases at main street stores. It includes the customer’s account number and expiration date, but not the cardholder’s name or other personally identifiable information.

As a result, Dave & Busters had no way to notify the individual affected customers. Rather, in Sept. 2007, the company alerted its payment processor, Santa Monica, Calif., based Chased Paymentech Solutions, LLC, which in turn notified the credit card companies.

I wonder will the company get sued for incompetence or allowing such a breach of data? Saying that though no ‘confidential’ or ‘personal’ information was lost, so the only real loser here are the banks and credit card companies who will have to refund all the money fraudulently used.

Source: Washington Post

Posted in: Exploits/Vulnerabilities, Hacking News, Legal Issues, Privacy

, , , ,


Latest Posts:


RandIP - Network Mapper To Find Servers RandIP – Network Mapper To Find Servers
RandIP is a nim-based network mapper application that generates random IP addresses and uses sockets to test whether the connection is valid or not with additional tests for Telnet and SSH.
Nipe - Make Tor Default Gateway For Network Nipe – Make Tor Default Gateway For Network
Nipe is a Perl script to make Tor default gateway for network, this script enables you to directly route all your traffic from your computer to the Tor network.
Mosca - Manual Static Analysis Tool To Find Bugs Mosca – Manual Static Analysis Tool To Find Bugs
Mosca is a manual static analysis tool written in C designed to find bugs in the code before it is compiled, much like a grep unix command.
Slurp - Amazon AWS S3 Bucket Enumerator Slurp – Amazon AWS S3 Bucket Enumerator
Slurp is a blackbox/whitebox S3 bucket enumerator written in Go that can use a permutations list to scan externally or an AWS API to scan internally.
US Government Cyber Security Still Inadequate US Government Cyber Security Still Inadequate
Surprise, surprise, surprise - an internal audit of the US Government cyber security situation has uncovered widespread weaknesses, legacy systems and poor adoption of cyber controls and tooling.
BloodHound - Hacking Active Directory Trust Relationships BloodHound – Hacking Active Directory Trust Relationships
BloodHound is for hacking active directory trust relationships and it uses graph theory to reveal the hidden and often unintended relationships within an AD environment.


5 Responses to Three Charged With Hacking Dave & Buster’s Chain

  1. zupakomputer May 20, 2008 at 4:35 pm #

    Credit cards have been hackable all along. It was even possible to use hotel door key scanners to read the magnetic strips, and make dupes.

    At the end of the day, there’s some things that don’t benefit from becoming automated. At least when it was old ring-up tills, you couldn’t mess things up with the wrong scan-in, one person on the till at a time, sorry can’t give you change of whatever cause it’s all automated – you just punched in the prices, and added them up, and printed a receipt.

    It’s an awful thing when technology replaces what works fine without it (or in this case, without it updating past mechanical or stand-alone electrical).

  2. Guy Sohmbadi May 20, 2008 at 5:44 pm #

    Hey – just a quick note: You say “the only real loser here are the banks and credit card companies who will have to refund all the money fraudulently used.”

    This is incorrect. Visa/MC/AMEX are setup so that in the event of a fraudulent transaction, the MERCHANT loses. not the bank or credit card company. In fact, they even get to keep the transaction fees for the fraudulent transaction…

    Let me repeat that. The ONLY person that loses in a fraudulent CC purchase is the MERCHANT. They are out the goods, and the CC company takes back the money, to give it back to the real card holder.

  3. linuxamp May 21, 2008 at 9:42 am #

    Guy, you say that the merchant is hurt. Don’t the CC companies have security policies that, if followed, remove such liability? What about auditors? You’d think the merchants could have CC audits also to shift liability.

  4. Jinesh Doshi May 21, 2008 at 11:21 am #

    Thankfully our country is not tht advanced or I would have lost $5k-$10k already :)

  5. Lawrence Pingree May 21, 2008 at 5:13 pm #

    Actually, the losers here is the retailer, the retailer is held responsible for fraudulent transactions since the retailer is the one who was not protecting the data appropriately. The credit card companies and banks are almost never held responsible, it sucks, but its the way their contracts are written. I have proposed several times to the House Subcommittee on Finance and Consumer credit to change the laws regarding validation of PII during credit issuance to include validation of the credit to check a valid Bank Checking account information against the credit card before permitting the credit issuance, I know it does not apply here but must fraud is performed without AVS (Address Verification Service) which is one huge issue with processing cards. I feel the PII should be encrypted in the card with the user’s PIN just like debit cards, this way the card cannot be used unless you have the PIN duh, credit card companies have this ability on their terminals but refuse to utilize it because then they would be held more responsible instead of the retailer. My 2 cents.