Tuesday, August 19, 2008

More on the "WarDriving 11" and their 40 Million Card Data Theft

A loose-knit ring of hackers stole credit card data from unsuspecting US retailers. Though 11 people have been indicted, experts say the case shows how sophisticated identity-theft schemes have become.

Five years ago, Albert Gonzalez allegedly used an unsecured radio link to tap into the computers of a BJ's Wholesale Club store in Miami and access customer credit-card numbers.

It was a simple trick, but it was only the beginning.

From that first break-in, Gonzalez and a ring of accomplices flew up the learning curve, prosecutors charge. They wirelessly broke into the computer networks of other stores including those operated by OfficeMax Inc., Boston Market Corp., Barnes & Noble Inc., and TJX Cos. And they apparently learned to decrypt customer PINs, install sophisticated software, and park payment card data in offshore databases, in what the Justice Department on Aug. 5 called the biggest hacking and identity-theft case it has ever prosecuted - compromising more than 40 million credit and debit card accounts.

Court filings and interviews with investigators paint a picture of an international ring of 11 loosely knit conspirators from China to Ukraine, and show how quickly such criminal groups can graduate to increasingly sophisticated schemes to exploit the vulnerabilities that remain in the payment card network.

Despite the arrests, Gartner Inc. technology analyst Avivah Litan said it's too soon to relax. Though prosecutors tied the ring to some of the biggest breaches in this decade, their cases don't mention other intrusions such as one of Maine grocer Hannaford Bros. earlier this year.

Also worrisome, Litan said, was that the group allegedly was able to use fake ATM cards with real account numbers to withdraw money from bank machines, indicating they cracked the encryption of PINs.

"The implications are ominous," Litan said. While many banks and retailers have begun using tougher encryption since then, some companies are still on the older standards that she called "inherently vulnerable."

Another technology analyst, Mary Monahan of Javelin Strategy & Research, said more stores have met data-security standards spelled out by Visa and MasterCard since the time of breaches like the one at TJX in 2005, which should make customers' card numbers more secure. Still, Hannaford met those standards at the time of its breach, illustrating how criminal tactics have evolved to stay ahead of defensive measures.

One lesson from this month's indictments, Monahan said, is how the hackers learned to become more sophisticated and global. "You can see that they're developing their skills over time, and transferring skills among one another," she said.

A defense attorney for Gonzalez, Rene Palomino, said his client will plead not guilty to the charges. He described Gonzalez, 27, as a self-taught computer consultant who first met several of the other defendants online.

Former informant

Ironically, the story of how the group of accomplices came to be begins with Gonzalez helping law enforcement officials. Though arrested in connection with theft from an automated teller machine in 2003, Gonzalez soon became a key Secret Service informant and even gave the agency security lectures, Palomino said. Gonzalez was best known for helping officials bring charges against a group known as the "Shadowcrew" after one of the online message boards that served as a marketplace for stolen payment card numbers - 1.7 million of them in all, prosecutors would charge.

Despite serving as an informant, the Justice Department claims, Gonzalez also began "wardriving" in the areas around US Highway 1 in Miami, according to this month's indictments. The term refers to the tactic of cruising in a vehicle with a laptop computer to spot unsecured connections to wireless systems maintained by various stores.

Gonzalez' partner in the wireless probes allegedly was another twentysomething, Christopher Scott, who Palomino said Gonzalez had met in online circles in Miami. Scott's attorney said he hasn't yet entered a plea.

According to the indictments, the pair first got lucky in 2003 at a BJ's Wholesale Club store, which wasn't using encryption software to protect customers' data, and accessed the account numbers of payment cards used by customers.

The next year Scott and another accomplice, described only by the initials "J.J.," went further. Tapping into a similar access point at an OfficeMax store near the highway, they located data including customers' encrypted PINs punched in when they used debit cards. They turned the data over to Gonzalez, who allegedly sent it to an unnamed coconspirator for decryption.

Filings and investigators say other stores hit by the ring included Barnes & Noble and Sports Authority, many in the Miami area. The indictments suggest the biggest breach began in July 2005 when Scott compromised two wireless access points of Marshalls' stores in the Miami area, both operated by Framingham retailer TJX Cos.

Soon the group was downloading payment card data from TJX's home servers. By the following May, in 2006, Scott had graduated to setting up a "virtual private network" connection to a TJX server, making it harder to detect the intrusion.

Next, Gonzalez brought in a Ukrainian, Maksym Yastremskiy, who prosecutors describe as an international trafficker of stolen card data who sold it on the Web. Via instant message in May 2006, Gonzalez allegedly asked Yastremskiy for help finding an undetectable "sniffer" program that would pick up customer card numbers and provide a feed of stolen data. Several days later, Scott, Gonzalez, and others installed sniffer programs onto a TJX server - likely provided by Yastremskiy, the indictment implies.
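The sniffer described above was valuable because it emitted a feed of raw card numbers. The block below is an added example, not code from the Globe article or from any party it describes; it shows the defensive counterpart, the scan a security team runs over a suspected sniffer output file or a capture of traffic leaving a store server to find payment card numbers (PANs) before they leave the building. It extracts digit runs of card length, confirms each with the Luhn mod-10 checksum, and then rejects Luhn-valid noise such as timestamps and sequence numbers that carry no recognised issuer prefix. The sample lines are constructed, the card numbers in them are industry test numbers rather than real accounts, and the issuer prefix ranges are a deliberately simplified assumption.

```python
"""Scan captured text for payment card numbers (PANs).

Added example; not code from the article or from anyone it describes.
Three checks are combined: candidate digit runs of 13-19 digits, the Luhn
mod-10 checksum, and a coarse issuer-prefix check that discards Luhn-valid
noise (timestamps, counters) a checksum alone would flag.
"""
import re
from typing import List, Optional, Tuple

# Digit runs of 13-19 digits, optionally separated by spaces or dashes,
# and not glued to further digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def brand_of(digits: str) -> Optional[str]:
    """Coarse issuer check on the leading digits (assumed, simplified ranges)."""
    n = len(digits)
    two, four = int(digits[:2]), int(digits[:4])
    if digits[0] == "4" and n in (13, 16, 19):
        return "visa"
    if (51 <= two <= 55 or 2221 <= four <= 2720) and n == 16:
        return "mastercard"
    if two in (34, 37) and n == 15:
        return "amex"
    if (four == 6011 or two == 65) and n in (16, 19):
        return "discover"
    return None


def classify(digits: str) -> str:
    """Explain why a candidate is or is not treated as a card number."""
    if not luhn_ok(digits):
        return "luhn-fail"
    brand = brand_of(digits)
    return brand if brand else "unknown-prefix"


def find_pans(text: str) -> List[Tuple[str, str]]:
    """Return (masked_pan, brand) for every candidate that passes both checks."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        verdict = classify(digits)
        if verdict not in ("luhn-fail", "unknown-prefix"):
            # Keep only first six and last four digits in any report.
            masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
            hits.append((masked, verdict))
    return hits


# Constructed sample standing in for a sniffer's output file. The card
# numbers are published test numbers, not real accounts.
SAMPLE_LINES = [
    "2006-05-14 02:11:03 POS-17 auth 4111111111111111 exp=0809 amt=42.17",
    "2006-05-14 02:11:09 POS-17 auth 5500 0000 0000 0004 exp=1108 amt=119.00",
    "2006-05-14 02:11:12 POS-17 auth 4111111111111112 exp=0110 amt=7.50",
    "2006-05-14 02:11:20 POS-17 heartbeat seq=20060514021120",
    ";4111111111111111=08091011000012345678?",
]


def scan_lines(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, masked_pan, brand) for each hit across the input."""
    report = []
    for ln, line in enumerate(lines, 1):
        for masked, brand in find_pans(line):
            report.append((ln, masked, brand))
    return report


if __name__ == "__main__":
    for ln, masked, brand in scan_lines(SAMPLE_LINES):
        print(f"line {ln}: {brand} PAN {masked}")
```

Lines 1, 2 and 5 are reported (the fifth is a Track 2 style record, the format a magnetic stripe carries). Line 3 is a Visa-prefixed number with a bad check digit and fails Luhn; line 4's sequence number happens to pass Luhn but starts with no issuer prefix, which is why the prefix check matters in any alert rule built on this logic.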

Craig Magaw, special agent in charge of the Secret Service's criminal investigative division, which led the probe of the hacker ring, said he had no evidence that Gonzalez and Yastremskiy ever met or spoke outside of their electronic communications. But their virtual connections, he said in an interview, were a trait common to criminal rings using web-based message boards.

"It's the usual M.O., where they can go to be anonymous and help each other further their activity," he said. "It's not just that they're selling the information but, if you go on these [message] boards, it's how to do compromises and giving advice. It's the criminals' playground."

Authorities arrested Yastremskiy in Turkey a year ago while he was visiting a resort. The US Postal Inspection Service confirmed to the Globe at the time that he was tied to the TJX probe. Since then, neither the Justice Department nor Turkish officials have provided contact information for Yastremskiy or an attorney representing him.

Yastremskiy's laptop provided a trove of details including an e-mail tie to Gonzalez, Magaw said. Gonzalez was arrested May 7 at a hotel room in Miami in connection with a related hacking case to which he has also denied wrongdoing. Court papers show officials seized from him three laptop computers, and a Glock 27 automatic pistol.

Encoding blank cards

In addition to showing how the group allegedly stole information, the indictments also shed light on how the ring may have used the data on the streets.

In 2005 and 2006, Gonzalez allegedly sold large amounts of payment card data to a person named only by the initials "J.W." This person allegedly encoded the information on the magnetic stripes of blank plastic payment cards, then used the cards to withdraw hundreds of thousands of dollars from ATMs and split the money with Gonzalez. Another unnamed San Diego purchaser also bought 100 blank payment cards from an individual in China connected to Yastremskiy in 2005, prosecutors charge.

Both examples recall cases in Florida last year in which state prosecutors won guilty pleas from six people who misused card numbers stolen from TJX. After obtaining blank cards magnetically encoded with the stolen numbers, they took the plastic to various Wal-Mart stores in Florida to buy gift cards that could be used like cash. In turn they used those cards to buy $8 million worth of expensive electronics, jewelry, and other items, officials said, returning some items for cash.

Details of how to encode blank cards with stolen account numbers are among the topics typically discussed on underground websites, security experts say; the Secret Service estimates there are 20 message boards or websites in the United States and overseas where criminals sell stolen numbers, trade tips, and form bonds like those between Gonzalez and Yastremskiy. Was theirs like an underground university? "I guess, but there's no diplomas coming out of there," Magaw said.

Or, as Massachusetts US Attorney Michael Sullivan put it at a press conference announcing the indictments on Aug. 5: "There's no evidence that any of these people had PhDs."

Globe staff reporter Marion Schmidt contributed to this report. Ross Kerber can be reached at kerber@globe.com.