funsec mailing list archives

The breach


From: "Richard M. Smith" <rms () computerbytesman com>
Date: Sun, 17 Aug 2008 09:35:37 -0400

http://www.boston.com/business/technology/articles/2008/08/17/the_breach?mode=PF

The breach 
A loose-knit ring of hackers stole credit card data from unsuspecting US
retailers. Though 11 people have been indicted, experts say the case shows
how sophisticated identity-theft schemes have become.
By Ross Kerber, Globe Staff  |  August 17, 2008

Five years ago, Albert Gonzalez allegedly used an unsecured radio link to
tap into the computers of a BJ's Wholesale Club store in Miami and access
customer credit-card numbers.

It was a simple trick, but it was only the beginning.

From that first break-in, Gonzalez and a ring of accomplices flew up the
learning curve, prosecutors charge. They wirelessly broke into the computer
networks of other stores including those operated by OfficeMax Inc., Boston
Market Corp., Barnes & Noble Inc., and TJX Cos. And they apparently learned
to decrypt customer PIN numbers, install sophisticated software, and park
payment card data in offshore databases, in what the Justice Department on
Aug. 5 called the biggest hacking and identity-theft case it has ever
prosecuted - compromising more than 40 million credit and debit card
accounts.

Court filings and interviews with investigators paint a picture of an
international ring of 11 loosely knit conspirators from China to Ukraine,
and show how quickly such criminal groups can graduate to increasingly
sophisticated schemes to exploit the vulnerabilities that remain in the
payment card network.

Despite the arrests, Gartner Inc. technology analyst Avivah Litan said it's
too soon to relax. Though prosecutors tied the ring to some of the biggest
breaches in this decade, their cases don't mention other intrusions such as
one of Maine grocer Hannaford Bros. earlier this year.

Also worrisome, Litan said, was that the group allegedly was able to use
fake ATM cards with real account numbers to withdraw money from bank
machines, indicating they cracked the encryption of PIN numbers.

"The implications are ominous," Litan said. While many banks and retailers
have begun using tougher encryption since then, some companies are still on
the older standards that she called "inherently vulnerable."

...


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

