[ad]
We reported on this case back in September 2007, the largest US data breach in history so far (45 million customer records!).
It seems like finally the people behind it have been busted, 11 people have been charged by US authorities.
The US authorities have charged 11 people in connection with the theft of credit-card details in the country’s largest-ever identity theft case.
They are accused of stealing more than 40 million credit and debit card numbers before selling the information.
They allegedly hacked into the computer systems of several major US retailers and installed software to access account details and passwords. Prosecutors said the alleged fraud was an “international conspiracy”.
It seems like a pretty well organised operation, internationally collaborated across multiple continents to hit multiple chains.
I’d guess they made quite some money out of it…but well now then are going to pay the price.
Three of those charged are US citizens. The others come from Estonia, Ukraine, Belarus and China.
The 11 suspects are alleged to have obtained card numbers, account information and password details by driving around neighbourhoods and hacking into wireless equipment.
They are said to have then concealed the information in computer servers both in the US and Europe.
The Department of Justice said the scam caused “widespread” losses among banks, retailers and ordinary consumers – although it did not put a precise figure on the financial damage.
It seems like the usual suspects when it comes to hacking though, eastern european countries and China of course!
They seem to have covered their tracks pretty well so I wonder how they got caught. It’ll be an interesting case to follow and see what kind of sentences they get.
And of course if there’s any extradition involved.
Source: BBC News (Thanks Navin)
Finity says
Hopefully they will make an example out of them. Odds are that information was sold before it was even in their hands!
Navin says
cheers :)
Ya Finity I do agree wid U….many a time in such cases, its the middlemen (the skiddies) who get caught and get immortalized as “hackers” while the real l33t h@x0r5 rarely come into the picture!!
gmckee says
Yeah, hopefully they waited long enough to get the people behind the front line attackers. Otherwise it is just a waste of time.
lyz says
I’m new here. Found this great site thru google. Anyway, back to the topic. The online world will surely celebrate, (I think now celebrating), for the captivity of this guys. But as what you gentlemen have said, I hope the “real bad guys” that has been hiding in their masks also be caught. Surely, their time will come. And I can’t wait till that happens!
Bookmarked the website! :)
Brill says
What is really scary is that there is no clues about what really happened with that information (from customer point of view).. I mean.. was it already sold? .. It seems that only those who stole the information have been caught but What happened with those who bought it?…. Have been the customers warned?
As Darknet mentioned it looks like a well organised and international operation so I guess no Big fishes appeared even in the picture… :(
@Lyz,… Wellcome.!!.. I read from this blog since some time ago but only started collaborating a few days ago… is really a very good place to be on the loop for security stuff
Morgan Storey says
I think the info must have been sold and used because even my wife had a re-issue of her card due to a breach at around the same time as the TJX incident.
Also if you listen to the secthis.com podcast one of the presenters wifes got a new card after someone bought $500 worth of stuff with her card after the TJX incident. The funniest thing is weren’t they PCI certified…
@Darknet: How do we submit articles? Do you want a hand approving posts, I am glad to be of service, I am not however in to different a timezone to you.
Also on the spam issue(I got blocked posting this 5 times), and a captcha one of the other sites I post on uses http://recaptcha.net/ it is free and looks pretty good.
lyz says
Thanks Brill!
I really need to be updated. Just today, two of the websites on our shared hosting has just been hacked. SQL vulnerabilities. :( This developers are really hard-headed. tsktsk
Pantagruel says
It shows crime indeed doesn’t pay even though it might take quite some time before you’re actually caught.
As some have mentioned before, big question is indeed did the compromised card holder companies inform their customers in any way or form. If the captured cc data has indeed been sold (multiple times I presume) and the involved companies disclosed little, the actuall loses will remain popping up.
I guess the cc companies will be reluctant to admit being among those suffering from the TJX data breach (image and all that nonsense)
zupakomputer says
I commented on this same story at a forum, and listed a bunch of vulnerabilities about cards in general and online banking. Then the guy that had posted it tried to claim I made up the vulnerabilities, and he said this kind of fraud would only be prevented by the US adopting a chip & pin on credit cards.
As if that would prevent it!
eM3rC says
The thing that scares me the most about busts like this is the information. Although the criminals have been caught there is no knowing where the information may have gone.
Consider this. When they got the information they uploaded it to a file hosting server or some high tier hacker forum for their close colleagues to view and work with. The question is how many people had/have access to the information and what is still being done with it.
I would also be willing to bet that some of it has been sold off for extra profit.
Morgan Storey says
I would say without doubt the responsible Credit card companies, cancelled the cards compromised and re-issued. So at least the cancelled ones are no longer of use to whoever had or still has access. My suggestion would be to those that think they may have been among the compromised (if you bought at TJX, odds on you were) just get the cards re-issued for the hell of it.
I have started customising my signature recently to make it a one-off signature everytime I sign it, so that if it comes back to me I can look for the one-off mark and contest it if it isn’t there. I am wondering if these hackers got any signatures or pins as that could be bad as people are likely to use these again.
Benjamin Wright says
Careful reading of the indictments show that the media, card issuers and Federal Trade Commission over-reacted to the TJX incident. TJX was not as bad as we were led to believe. –Ben http://legal-beagle.typepad.com/wrights_legal_beagle/2008/08/credit-card-iss.html
Brill says
Very good point from Morgan Storey I assume that this company was PCI compliant…. So this would be an example of being compliance with current Laws and regulations doesn’t mean that you are secure at all (altough I agree that at least all those rules stablish a minimun).
Morgan Storey says
correct Brill they establish a minimum that needs to be maintained, in this case it wasn’t and they got caught out. PCI responded by becomming more secure and strict.
From this and other articles it is now saying they broke wep passwords and dumped in trojans and keyloggers to get the info, interesting how any company in this day and age doesn’t have a strict wireless policy. Good ones are wpa1(min) prefferable 2 with keyphrase longer than 12 characters, or none at all depending on location, ssid prefferably off, and policy set on laptops to only allow infrastructure mode.
lyz says
Maybe coz’ some other people are not that knowledgeable technically speaking? Having a working internet connection is fine and enough for them. They don’t care about the pro’s and con’s. That’s why information dissemination is important.
Or maybe it’s time to tell them to hire new IT/network staffs! :D lol
Morgan Storey says
@lyz: again not buying it, a company like TJX has a cso, or at least someone in there security department. They need to wake up or as you put it they will be replaced with new staff.
lyz says
Not talking about TJX here.. I meant companies that are not having those strict wireless policies.. :D
Brill says
About being PCI compliant, when I say that its a minimum what I am trying to say is that all Laws/regulations become obsolete by definition. Even if the security requirements of any law and/or specification change in response to any incidents… we all know that there are allways new security threats/holes appearing at very high speed (in fact that is a perfect example of why regulations become obsolete).
They are necesary (as a minimum) but people should be aware that just because a company is PCI compliant or SOX compliant, etc. doesn’t mean that is also “SECURE”
Morgan Storey says
@Brill: But proper compliances such as PCI and SOX require regular log reviews and and regular testing of security, of course this is like the whole no speeding, or no lieing, some people don’t some do… Just shows PCI and SOX needs more spot checking etc. It also needs to enforce security training and policies for IT staff.
@lyz: cmon little companies only need either a IT guy that knows what he is doing, or out source it. I used to be a consultant, and I always warned customers on security issues, and locked down issues. WPA is easy to setup and if I came in and found an ap that wasn’t WPA compatible I would turn it off, warn them and geez get it replaced with a $100 ap that did.
Even 1 person companies need to know about security issues, like they know they need insurance, accounting etc.
lyz says
That’s why every company dealing with the online world needs a staff dedicated to securing the network, coz’ some other people doesn’t really care about this thing. And we know that it’s a fact. Am not against anything here…
Morgan Storey says
@lyz: Correct, so do ones that aren’t dealing with the online world (can anyone say Scada) and thats why we will all have jobs till computers are no longer relevant, I don’t see that happening for a long, long time.
lyz says
lol, not telling that. just forgot to mention that a while back.
zupakomputer says
What jobs?! None over here. Not even those kinds where you get trained (from your own web surfing I mean, as issues arise) as-you-earn.