Network World

ID theft ring attacked retailers on multiple levels

By Grant Gross, IDG News Service, 08/06/2008

A ring of identity thieves that targeted U.S. retailers used sophisticated and multifaceted attacks to steal more than 40 million credit and debit card numbers from TJX, OfficeMax, Barnes & Noble and other companies, according to court documents.

The attacks cost retailers and credit card companies tens of millions of dollars.

Members of the ID theft conspiracy used so-called wardriving techniques to find holes in wireless networks operated by retail stores. Once inside the networks, the thieves located and stole credit card transaction information stored on the retailers' networks, according to court documents.

The thieves also installed so-called sniffer software to capture password and account data on the stores' networks, and they used Internet-based attacks, including SQL injection attacks, to gain access to credit card databases.

The ID theft group stored the captured credit card numbers on compromised servers in the U.S., Latvia and the Ukraine, according to court documents. The thieves then encrypted the credit card numbers on those servers, according to the indictment document of Albert Gonzalez, the alleged ringleader of the ID theft scheme.

Gonzalez, of Miami, was indicted Tuesday in U.S. District Court for the District of Massachusetts on charges of computer fraud, wire fraud, access device fraud, aggravated identity theft and conspiracy. Ten other defendants have been indicted or charged with crimes in what's believed to be the largest ID theft and computer hacking investigation in the history of the U.S. Department of Justice, the DOJ announced Tuesday.

The indictment document for Gonzalez, who was working as an informant for the U.S. Secret Service while allegedly engaged in the scheme, sheds some light on the ID theft operation. The thieves were able to encode credit card information on blank cards that were used to obtain tens of thousands of dollars from cash machines in single visits, the court document says.

Among the attacks detailed in the court document:

-- In about 2003, Gonzalez and others found an unencrypted wireless access point at a BJ's Wholesale Club store. BJ's reported a breach of its computer networks in early 2004.

-- In 2004, other members of the ID theft ring compromised an OfficeMax wireless access point in Miami, and they were able to steal credit card data. After law enforcement officials in 2006 identified OfficeMax as the victim of a data breach, the company said it hired an outside auditor to conduct an investigation and found no evidence of a security breach. An OfficeMax spokesman didn't immediately return a message seeking comment.

Comments (3)

over-reaction
By Anonymous on August 8, 2008, 3:57 am

Careful reading of the indictments shows that the media, card issuers and Federal Trade Commission over-reacted to the TJX incident. TJX was not as bad as we were...


No over-reaction!
By tuomoks on August 8, 2008, 1:13 am

Sorry, I agree with nellwal - accountability is the only way. There is some "accountability" that users / customers trust the company less, you lose some business,...


accountability
By nellwal on August 7, 2008, 8:51 am

In order for this problem to be stopped we need accountability on both sides, those that are responsible for SECURING the data to begin with as well as those who...
