John mentioned these dudes in yesterday’s Tech5 podcast. Thought folks might get a giggle from the details:

Eleven people have been indicted in Boston for stealing and selling some 40 million credit and debit card numbers they obtained by hacking into the computers of nine major US retailers.

In what the Justice Department believes is the largest hacking and identity theft case it has ever prosecuted, the stolen numbers were sold via the Internet to other criminals in the US and Eastern Europe and used to withdraw tens of thousands of dollars at a time from ATMs…

It alleges that the conspirators obtained the credit and debit card numbers by “wardriving” and hacking into the wireless computer networks of major retailers, including TJX Companies, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.

Once inside the networks, they installed “sniffer” programs that captured card numbers, as well as password and account information.

The usual jive statements are being issued about “we must further develop ways to protect our sensitive personal and business information, blah, blah”.

Do you believe these dudes pulled this off from wardriving?




  1. Oil Of Dog says:

    I think they found spots where the Tubes were leaking and they funneled the flow into a waiting tanker truck. That’s my story and I’m sticking to it

  2. Improbus says:

    One of the major defects in computer security is human stupidity. I am sure Symantec will come out with a Social Engineering protection suite any day now.

  3. the answer says:

    According to my news feeds, one of them was in the Secret Service.

  4. moss says:

    Last time I looked the average American had $8500 of credit card debt. What credit?

  5. MotaMan says:

    All those pin numbers should have been encrypted…

  6. “Do you believe these dudes pulled this off from wardriving?” – yes. What the general public fails to understand is that electronic security is always attacked at the weakest point. Crooks do not mind wardriving to the Macy’s or other such store if they suspect that the network inside is recklessly built and maintained. Particularly when the people involved include teen hackers with nothing else to do and high technical proficiency. So, yes, they likely entered via wardriving and proceeded deeper from that point on. Not strange at all (reminds me of the Security Now guru Steve’s story of how they broke into a highly protected and sensitive business by snooping on the wireless phone system…).

  7. Skippy says:

    Since when does stealing credit card numbers count as identity theft? I don’t see where any identities were stolen. Were new accounts opened up in other people’s name?

  8. Raster says:

    Wouldn’t say “wardriving” per se, but absolutely believe wireless.

    Inside job w/a wireless USB and a compromised computer…

  9. bill says:

    #9 is right… but you could do it with WiFi and an iPod…
    from the parking lot..

  10. ECA says:

    CORPS are STUPID..
    Example..
    WOW we could save money by installing wireless.
    We wouldn’t need all the Wires, drilling holes, Man power to set it up, and 1 node could do it all in a few hours, rather than taking 1 month to install.
    Encryption?? WHAT is encryption?
    ==================
    Let’s ask if these folks know the RANGE of their wireless system.
    Let’s ask these folks about encoding and encryption.

  11. Uncle Patso says:

    “Consumers, companies and governments from around the world must further develop ways to protect our sensitive personal and business information.”

    How about, I don’t know, SECURING YOUR WIRELESS NETWORKS!?

    Why does a physical store even need a wireless network? Is that cheaper than a couple hundred feet of cable? WEP is useless and WPA sucks. Large corporations like those listed in the article could easily muster the resources to add their own layer of security/encryption, and apply it to the wired as well as wireless networks. I see cause for negligence suits here. Criminal organizations the world over are feasting on the results of widespread incompetence. Perhaps it really is true that as the president goes, so goes the nation…

  12. detroit says:

    If you really want to put a stop to poor corporate security you have to give corporations an incentive to improve security. For every credit card number, social security number, or other private information compromised levy a $1000 fine. The greater part of the money going to the person whose data was stolen.

    Now the companies can decide for themselves which is more cost effective; invest in better security or pay the fine. It becomes a simple business study.

    As the system is now it doesn’t cost business anything if their systems are compromised so there is no incentive to improve security.

    I remember reading in Scientific American a number of years ago that the same carrot and stick approach was implemented in the UK to deal with the electric power outages. Power outages were so frequent that the Parliament passed a law requiring the electric companies to rebate a fee (something like $10 or $20) to each consumer every time the power went out.

    It didn’t take too long before the electric companies realized that it was cheaper to maintain the system than pay. As a result the electric grid in the UK went from being one of the worst to one of the best in Europe.

  13. Glenn E. says:

    Typical sacrifice of security for convenience. And for cheaper operating costs, too. These cheapo discount stores certainly aren’t going to invest in the priciest of computer security. The blame should really be aimed at the credit card industry for not having or enforcing more stringent standards of information security. Now they’re the ones who are going to have to pay for this (or rather their stockholders will). If they don’t enact some tighter security standards for the use of their cards. Then they’ll just go on, business as usual, and pass the losses onto everyone else with higher fees. This is one of the major reasons I’ve avoided the major credit cards. No real security against theft. Just passing the cost of it on to everyone, rather than investing as much in fixing it.

    BTW, this should have been more widely reported on the news. But it only rated a couple minutes on some local TV news stations. And nothing at all on the national TV news networks ABC, CBS, or NBC. They were more concerned about those guys Rockefeller and Ivins. And naturally anything to do with the Olympics. So what if 40 million credit card numbers were stolen?

