funsec mailing list archives
The breach
From: "Richard M. Smith" <rms () computerbytesman com>
Date: Sun, 17 Aug 2008 09:35:37 -0400
http://www.boston.com/business/technology/articles/2008/08/17/the_breach?mod e=PF The breach A loose-knit ring of hackers stole credit card data from unsuspecting US retailers. Though 11 people have been indicted, experts say the case shows how sophisticated identity-theft schemes have become. By Ross Kerber, Globe Staff | August 17, 2008 Five years ago, Albert Gonzalez allegedly used an unsecured radio link to tap into the computers of a BJ's Wholesale Club store in Miami and access customer credit-card numbers. It was a simple trick, but it was only the beginning.
From that first break-in, Gonzalez and a ring of accomplices flew up the
learning curve, prosecutors charge. They wirelessly broke into the computer networks of other stores including those operated by OfficeMax Inc., Boston Market Corp., Barnes & Noble Inc., and TJX Cos. And they apparently learned to decrypt customer PIN numbers, install sophisticated software, and park payment card data in offshore databases, in what the Justice Department on Aug. 5 called the biggest hacking and identity-theft case it has ever prosecuted - compromising more than 40 million credit and debit card accounts. Court filings and interviews with investigators paint a picture of an international ring of 11 loosely knit conspirators from China to Ukraine, and show how quickly such criminal groups can graduate to increasingly sophisticated schemes to exploit the vulnerabilities that remain in the payment card network. Despite the arrests, Gartner Inc. technology analyst Avivah Litan said it's too soon to relax. Though prosecutors tied the ring to some of the biggest breaches in this decade, their cases don't mention other intrusions such as one of Maine grocer Hannaford Bros. earlier this year. Also worrisome, Litan said, was that the group allegedly was able to use fake ATM cards with real account numbers to withdraw money from bank machines, indicating they cracked the encryption of PIN numbers. "The implications are ominous," Litan said. While many banks and retailers have begun using tougher encryption since then, some companies are still on the older standards that she called "inherently vulnerable." ... _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- The breach Richard M. Smith (Aug 17)