
No soup for you, credit card thief

I hope Albert Gonzalez goes to prison for a long, long time. He's the guy who was just charged with masterminding the theft of 130 million credit card numbers. In hacker circles, they call him the Soup Nazi, after the character in the Seinfeld episode. But there's nothing amusing about Gonzalez.

From the New York Times:

According to the new indictment, Mr. Gonzalez and his conspirators reviewed lists of Fortune 500 companies to decide which corporations to take aim at and visited their stores to monitor which payment systems they used. The online attacks took advantage of flaws in the SQL programming language, which is commonly used for databases.

They chose 7-Eleven, the supermarket chain Hannaford, the payment processor Heartland and two other unnamed corporations. More:

Prosecutors say the defendants created and placed "sniffer" programs on corporate networks; the programs intercepted credit card transactions in real time and transmitted the numbers to computers the defendants had leased in the United States, the Netherlands and Ukraine.

Reporter Rico Gagliano is doing a story on this for tonight's Marketplace, so I've found out a little bit more about the methods Gonzalez may have employed. He's supposedly what's known as a "harvester". His speciality is extracting the information that's on the back of your credit card. He does this in large batches by hacking into company databases, as described above.

The information might then be sold online or to another specialist called a "carder." The carder puts the data onto a new card with a magnetic stripe. Actually, often they use old cards that people throw away. The new card is then used to buy things or take money out of ATMs (sometimes, PINs are sold with the data). A lot of this work is done in Eastern Europe, home to some seriously skilled hackers.

What's striking is that the price of this data has fallen considerably. Criminals used to pay $10-$15 per card number. Now, they're going for about $1.50. The market has been over-saturated with stolen credit card numbers. Gonzalez is likely a big reason for that. He's already in jail awaiting a trial for separate credit card fraud charges. Hopefully, getting him off the street makes a dent in this worldwide trade.

But I wouldn't count on it.

I just typed some simple keywords into Google and turned up a website where people were listing prices for this stuff. One of them actually listed some woman's entire portfolio of information, as a sample of his goods. It listed her account #, password, answers to secret questions, address, social security number, mother's maiden name, checking account number, routing number. Everything. It's frightening. Other people on the site were writing messages, begging for a working card number, making offers.

Here's some of it (cvv is that little security code on the back of your card):

Sell Cvv info live 100% fresh in to day!

Us cvv Visa-Master price $1.50/cvv buy from 40/cvv price $1/cvv
Us cvv Amex-discovery price $2.50/cvv buy from 30/cvv price $2/cvv
Ca cvv Visa-Master price $4/cvv if u buy from 40/cvv price $3/cvv
Ca cvv Amex-discovery price $5/cvv if u buy from 40/cvv price $4/cvv

SELLING FRESH CVV,(EU,US,UK,CA,AU) FULLZ WITH SSN, MMN, DOB, DVL AND
FRESH BASE DUMPS 101 AND 201 .. FRESH PAYPALS TOO

PRICES

Credit Cards (With CVV)

US With CVV - 3$
US With CVV - 5$
UK With CVV - 5$
EU With CVV - 8$

Full Credit Card (With MMN, SSN, DOB, PIN)

US With CVV - 15$
CA With CVV - 20$
UK With CVV - 20$
EU With CVV - 25$

Like I said, I hope Gonzalez goes to prison for a long, long time. But perhaps this case will open some eyes. You certainly can't trust companies to protect your information. You have to be vigilant yourself, check your accounts often, call the bank immediately if you see something suspicious. And of course, check your credit as often as you can, because a stolen credit card number is bad enough, but it's resolved fairly quickly.

If the bad guys get all that other personal information, they can do something much more difficult to fix -- open new accounts in your name.

I know. I was a victim of identity theft. And it was just about my worst nightmare.

Ned D. - Aug 19, 2009

Marketplace needs to do a story on all the hackers coming out of Ukraine.

A lot of the hacks you see available on the web, like for ripping copyright protections and hacking software come from Ukraine.

I've also had to block IP addresses from Ukraine in my firewall. Might be a story there.

JJ - Aug 20, 2009

Perhaps it could include the fact that a growing number of corporate firewalls and websites are no longer allowing international traffic at all.

John Doe - Aug 18, 2009

Max sentence for Gonzalez is 20 yrs for wire fraud + 5 for conspiracy. That means he'll be out in 10-12 due to prison overcrowding. Last month, April DuBoise was convicted on 34 counts of card skimming as a server at Hamburger Hamlet in L.A. She got 5 yrs probation and a $3,000 fine, while damages were $28,000 (prosecutors said this was underestimated) and the restaurant had to close due to bad publicity. I know prisons need to be reserved for violent criminals, but they should put these white-collar convicts to work cleaning up our hwys and beaches or sorting recyclables out of our garbage.

Another thing I've only seen on wired.com

Link: http://www.wired.com/threatlevel/2009/08/tjx-hacker-charged-with-heartla...

Gonzalez (looks like Richard Ramirez aka the Night Stalker serial killer in L.A.) was part of the ShadowCrew, a big cybercrime ring busted in 2004. He turned informant for the Secret Service, but after their "Operation Firewall," he disappeared and started using another online alias. They let him slip away! Marketplace also failed to mention he was already in custody for the TJX hack of 40 million accts in 2008. This current case actually broke in January, but I'm sure they've held off charging him until they could build evidence - it's not like he was going anywhere, LOL.

I'm disappointed the discussion seemed to say there's nothing we can do. The truth is, banks don't want to make using credit cards inconvenient or spend money on new hardware and software for the stores' credit processing. We all know clerks don't check IDs regularly, but it would be possible to protect cards by use of passwords, PINs, secret questions, etc. This is an inconvenience to customers, who already get riled up when a clerk *does* check ID (if you've ever worked retail, you know what I mean). As for new technology, there's absolutely no reason for any information to be kept once a transaction is confirmed. Once a transaction confirmation number is created, you don't need the mag strip info stored. However, to change this now would require wholesale system changes akin to the analog-to-digital TV transition - every retailer would need to change out their equipment.

It's much easier for banks to pass the costs of fraud onto the consumer in the form of higher interest rates and fees. Remember the days before computers and cybercrime? Interest rates less than 10% and $5 late fees.

Scott Jagow - Aug 19, 2009

I didn't say there's nothing we can do. I just said you can't trust companies to protect your personal information. As you point out, card companies aren't motivated enough financially. They've done the math and decided that passing the costs onto the consumer is the best option.

What we can do is keep on top of our accounts and credit reports, etc. Or we can avoid credit cards. If enough people dropped their cards, the math would come out differently. But we both know people aren't going to do that.

Are you hinting that the government should get involved?

John Doe - Aug 23, 2009

Hi Scott, nice to hear your voice again this weekend on Marketplace Money ;) It brought me back to this article. The "nothing we can do" discussion to which I referred was Tess/Crooks, not your blog.

I didn't mean to suggest Federal or State intervention, but it may be necessary to force banks to provide more security. It was regulation which allows us to check our credit reports for free and to be notified when there has been an info breach.

Jim Hayes - Aug 18, 2009

Funny you mention SQL. We put a SQL database on one of our websites and it was hacked almost immediately. The hackers never seemed to use our website to distribute malware but to host porn sites and links to a site offering our site for others! We could not stop them until we got rid of the SQL database.
Our ISP, a well-respected name, did not want to tell us anything until we asked pointed questions and then they admitted that SQL security was a major problem. Funny, Wikipedia doesn't even have security discussed in their page on SQL!
My experiences with this and other hacking/SPAM/malware, etc. indicate that nobody really cares about stopping it. All that traffic and bad stuff sells more hardware and software - a market that would go away if we actually solved the problem!

JJ - Aug 19, 2009

SQL is not inherently secure or insecure. It has nothing to do with security at all. That's the job of the web application that uses SQL. It's just a programming language for interacting with databases. You have to think of computer systems as an onion, with multiple layers of programs each depending on the other. The first layer should always be security, and there should always be more than one of them. The next layer will generally be the actual thing that users see, and under that are logic and persistence layers. It's those persistence layers where SQL lives. No attacker should ever get that far down.

I run a payment gateway, and spent 1.5 years making it secure from the ground up. This is not easy, but it is possible. Now the problems that I see with this situation are the following: TJ Maxx obviously did not conform to PCI-DSS (payment card industry data security standards) if they were hit by a SQL injection attack. They are required to conform to these standards in order to process payment data. Second, SQL injection is one of the most common attack vectors against websites, and also one of the most preventable. So whoever wrote their website and the others mentioned needs to be shot for not doing their job.

Having also worked with other PCI compliance projects, I can tell you that most companies only give it lip service at best. Creating a secure infrastructure and the documentation to go with it, as well as maintaining it, are far more than most organizations are willing to spend. It requires vast changes to the way every piece of software works, and is extremely complex. Most consultants in this area are INCREDIBLY expensive, and most IT staff don't want to change the way they do things just because some manager who won't know the difference says so.

We have 16 employees where I work, 3 of them spend 90% of their time on PCI compliance. Of those, one of them spends all of their time maintaining documentation about the systems and security policies. This obviously cuts into our margins, and is another reason why most companies blow security off.

I'm of the opinion that Mr. Gonzalez does need to spend a good amount of time in jail, but that at the same time he did a good job of raising awareness about these issues. I also guarantee that when he gets out of jail he will have more job offers than he knows what to do with.

One more point to think about is the fact that the hardest part of securing these systems, is keeping insiders out of them. Gonzalez had to find, and then climb through an open window. Insiders are already in the building with the keys.
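
The exchange above between Jim Hayes and JJ turns on whether the database or the application is at fault. The following is an added example, not part of any comment and not code from any company named here: the same SQL database queried once with string concatenation and once with a bound parameter. The table, rows, inputs and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory store with constructed sample rows (not real customer data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (customer TEXT, item TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?)",
                   [("alice", "coffee"), ("bob", "soup"), ("carol", "bread")])
    return db

def orders_concatenated(db, customer):
    # Vulnerable: the input becomes part of the SQL text, so a quote
    # character in it can change what the statement means.
    sql = "SELECT customer, item FROM orders WHERE customer = '" + customer + "'"
    return db.execute(sql).fetchall()

def orders_parameterized(db, customer):
    # Hardened: the statement text is fixed; the driver passes the input
    # as a bound value, so it is only ever compared as data.
    sql = "SELECT customer, item FROM orders WHERE customer = ?"
    return db.execute(sql, (customer,)).fetchall()

def compare(customer):
    """Run both lookups against a fresh database and return both results."""
    db = make_db()
    try:
        return (orders_concatenated(db, customer),
                orders_parameterized(db, customer))
    finally:
        db.close()

if __name__ == "__main__":
    for value in ("bob", "x' OR '1'='1"):  # constructed inputs
        unsafe, safe = compare(value)
        print(repr(value), "concatenated:", len(unsafe),
              "parameterized:", len(safe))
```

With the second input the concatenated query returns every row in the table, while the parameterized query returns none; the database engine is identical in both cases.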