3 accused in big credit card fraud case


TEXT OF STORY

Steve Chiotakis: It's the biggest case of identification theft ever prosecuted. The Justice Department yesterday accused three men of stealing more than 130 million credit and debit card numbers, and all the account information that goes along with them. From New York, Marketplace's Alisa Roth reports.


Alisa Roth: This sounds like one for the Hollywood producers. One American and two unnamed Russians reportedly used elaborate techniques to hack into the systems of five different companies and steal account information. They allegedly sold some of the numbers online. They used others to buy stuff and take money out of bank accounts.

The companies include 7-Eleven, and a chain of regional grocery stores. But the men reportedly used lists of Fortune 500 companies to decide which ones to break into.

The American, Albert Gonzalez, has a long rap sheet for other, similar crimes -- including taking tens of millions of card numbers from TJX, the company that owns T.J. Maxx and Marshalls. He's been in custody for more than a year. If they're convicted, the three men could get up to 35 years in prison and be made to pay large fines.

In New York, I'm Alisa Roth for Marketplace.


A. R. - Aug 19, 2009

I completely disagree with Mr. Beasley. Encrypting the data should be 100% in the hands of the banks, and 0% in the hands of merchants or payment processors. There are lots of technical details, but the banks could certainly issue smart cards with on-board encryption that would produce secure transactions. The reason it's not done today is the cost to the banks would be high, and the banks (through the Payment Card Industry) are in control of the protocols. Instead, they place the onus of PCI DSS compliance on every single retailer and payment processor to bear their security burden for them.

Take a hard look at the indictment of Gonzalez. He and his conspirators evaded every single mandated point of PCI DSS, and were successful in breaching Heartland. Heartland was following all of the banks' rules, and those rules were simply not good enough.

The real answer is to use encryption to move all security to the hands of the banks, who are supposed to be in the security business. Quit asking the retailers to carry your valuable secrets. Protect the data yourself before you give it to them.

James Beasley - Aug 18, 2009

In part of Steve's interview with a consultant, a lot of onus was cast on "the banks." Steve wanted to know, "Why aren't the banks encrypting this data?" and "Is it something the banks can do, but just don't want to?"

These questions were completely inappropriate for this story. The only finger pointing needs to be directed at Heartland. "The banks" can only do their part. This payments industry catastrophe happened because Heartland did not follow agreed upon standards to protect consumer data.

By this point you might can tell that I am biased. I work for a small community bank. Even though we have held up our end of PCI compliance, we had to reissue new debit cards to 25% of our customers because of the Heartland compromise. In no way should "the banks" be blamed in this case.

As a reporter, don't take the easy way out. Make sure you understand the story before you hurl fault at one party or the other. I myself condemn some of the practices of the "big banks." But that doesn't mean I am going to blame them for everything that is wrong in the world. Give credit where it is due, and criticism alike.