SCMP.com
Saturday, November 21, 2009
 
 
 

Terminal offender

The exploits of hacker Albert Gonzalez, alleged to be behind the world's biggest credit-card scam, have raised alarm over the relative ease with which such crime is carried out


Companies and law-enforcement agencies in the United States faced fresh questions this month about the ease with which hackers can penetrate their defences, following the arrest and indictment of a man in Miami, Florida, for what is allegedly the biggest credit-card scam in history.

Albert Gonzalez, a 28-year-old former informant for the US Secret Service (he previously helped track down his fellow hackers), has been charged with conspiring to steal the details of 130 million credit cards. The charge sheet details a complex history of online skulduggery. Gonzalez used three internet aliases: segvec, soupnazi and j4guar17, each marking different stages in his life.

The fraud was perpetrated with devices that could penetrate computer networks, steal credit- and debit-card data and send it to servers in the US and Europe, say prosecutors. According to Gonzalez's indictment, two unnamed co-conspirators (hackers 1 and 2) who live "in or near Russia" helped with the attacks.

Dan Clements, president of CardCops, which tracks stolen credit-card data online, calls it a "cleverly written indictment" that suggests the US government is trying to squeeze its former informant for more information about Hacker 1 and Hacker 2. However, chances of extraditing those suspects are slim.

"We are not safe," says Clements. "[Gonzalez is] here on US soil. That was his big flaw. If he were anywhere else, he's not going to jail."

Acting US attorney general Ralph Marra praised investigators for "tracking down cutting-edge hacking schemes committed by hackers working together across the globe", but security experts suggest the scam was relatively simple and that questions should be asked about the failure of the big companies involved to properly defend their computer systems.

"None of this is revolutionary or the work of rocket scientists - it's the kind of thing we see every day," says Graham Cluley, a consultant with hi-tech security company Sophos. "It seems to me there was a concerted effort to target major retailers and there is egg on the face of these large corporations for failing to protect their data adequately."

Prosecutors claim that, in December 2007, the trio injected "structured query language" - designed to retrieve and manage data - into the computers of companies such as Heartland, one of the world's biggest credit- and debit-card payment processing companies. "Malware", or malicious software, was used to identify, sort and export information.

Other targets included convenience store giant 7-Eleven and Hannaford Brothers, a supermarket chain.

The charge sheet says Gonzalez "would identify potential corporate victims by, among other methods, reviewing a list of Fortune 500 companies". He also travelled "to retail stores of potential corporate victims, both to identify the payment processing systems that the would-be victims used at their point of sale terminals [cash registers] and to understand the potential vulnerabilities of those systems".

Gonzalez faces up to 30 years in jail on a wire fraud conspiracy conviction. He is already in prison, having been charged last year in New York with hacking into the computer system of a national restaurant chain.

The charge sheet relating to the 130 million credit cards does not say if any have been used for illegal gain but Linda Foley, founder of US consumer group Identity Theft Resource Centre, says some of the data may have been auctioned off and the true scope of the attack might only emerge over time, with the potential to drag in financial institutions as well as other retailers.

"Things may go quiet for six months but the fear is that when the heat is off, they could start using the information again," Foley warns. She says there has been no decline in the number of similar incidents reported since Gonzalez was jailed. "That tells us there are more hackers out there."

Estimates of the total financial impact of breaches vary but a study by Forrester Research put the cost at US$90 to US$305 per compromised record, considering the cost of upgrades, notifying customers and legal and marketing expenses. Non-profit Privacy Rights Clearinghouse (PRC) puts the number of compromised records in the US alone at more than 263 million but Beth Givens, executive director at PRC, says that may be a fraction of the true number.

"Charging [Gonzalez] is a great development but hacking and other forms of fraud are pervasive these days," says Givens. She points out that many companies never disclose whether they have been attacked or reveal the total number of compromised cards.

Gonzalez, a Cuban-American, was brought up in Coral Gables, near Miami. After helping the Secret Service in order to avoid conviction for credit card theft in 2003, he went back to a life of crime. US prosecutors have said that starting in 2003, Gonzalez and his accomplices drove through Miami looking for stores with poor wireless security and used that vulnerability to hack into corporate computer networks.

They used techniques including planting software which could steal customer payment information, break encrypted PIN numbers and send the data offshore, according to prosecutors.

To counter such attacks, the payment industry began requiring merchants to meet tougher security standards - but prosecutors say Gonzalez and his European accomplices were still able to breach the defences of several companies that had reported meeting the new standards.

Gartner security analyst Avivah Litan says card companies and banks should take additional steps such as adding computer chips to cards or requiring more data encryption on their networks. The case against Gonzalez shows the current standard "isn't effective", she says.

Consumers don't have many options when it comes to monitoring whether the shops they frequent are good at protecting their card numbers. Stores aren't graded on their computer security. The best advice is to regularly check statements for suspicious activity and set free fraud alerts - asking to be called when lines of credit in a customer's name are requested - with the credit-reporting agencies.

In this case, the thieves may have been caught out because they were too successful. It's not easy to unload hundreds of millions of stolen credit card numbers onto the black market. Clements says criminals usually sell stolen card numbers in batches of 10,000 or less. This helps to avoid attracting the attention of law enforcement agencies and the card providers, which might replace cards pre-emptively if a lot of them are being fenced. Many of the numbers stolen in the breaches cited in the Gonzalez indictment have already been cancelled and replaced.

Magazine Wired says Gonzalez, who is alleged to have personally amassed about US$1.6 million, was a big spender and once splashed out US$75,000 on a birthday party.

Ori Eisen, founder of Arizona-based security firm 41st Parameter and previously worldwide fraud director for American Express, adds that Gonzalez is "most likely not the kingpin".

"The kingpin would not risk being in the United States. They operate out of the Ukraine or Russia and they're former militants or ex-KGB who know their way around just enough not to get caught."

Gonzalez's trial is due to begin next month.

Guardian News & Media

Additional reporting by Associated Press and Reuters

