Tuesday, August 19, 2008

More on the "WarDriving 11" and their 40 Million Card Data Theft

A loose-knit ring of hackers stole credit card data from unsuspecting US retailers. Though 11 people have been indicted, experts say the case shows how sophisticated identity-theft schemes have become.

Five years ago, Albert Gonzalez allegedly used an unsecured radio link to tap into the computers of a BJ's Wholesale Club store in Miami and access customer credit-card numbers.

It was a simple trick, but it was only the beginning.

From that first break-in, Gonzalez and a ring of accomplices flew up the learning curve, prosecutors charge. They wirelessly broke into the computer networks of other stores including those operated by OfficeMax Inc., Boston Market Corp., Barnes & Noble Inc., and TJX Cos. And they apparently learned to decrypt customer PIN numbers, install sophisticated software, and park payment card data in offshore databases, in what the Justice Department on Aug. 5 called the biggest hacking and identity-theft case it has ever prosecuted - compromising more than 40 million credit and debit card accounts.

Court filings and interviews with investigators paint a picture of an international ring of 11 loosely knit conspirators from China to Ukraine, and show how quickly such criminal groups can graduate to increasingly sophisticated schemes to exploit the vulnerabilities that remain in the payment card network.

Despite the arrests, Gartner Inc. technology analyst Avivah Litan said it's too soon to relax. Though prosecutors tied the ring to some of the biggest breaches in this decade, their cases don't mention other intrusions such as one of Maine grocer Hannaford Bros. earlier this year.

Also worrisome, Litan said, was that the group allegedly was able to use fake ATM cards with real account numbers to withdraw money from bank machines, indicating they cracked the encryption of PIN numbers.

"The implications are ominous," Litan said. While many banks and retailers have begun using tougher encryption since then, some companies are still on the older standards that she called "inherently vulnerable."

Another technology analyst, Mary Monahan of Javelin Strategy & Research, said more stores have met data-security standards spelled out by Visa and MasterCard since the time of breaches like the one at TJX in 2005, which should make customers' card numbers more secure. Still, Hannaford met those standards at the time of its breach, illustrating how criminal tactics have evolved to stay ahead of defensive measures.

One lesson from this month's indictments, Monahan said, is how the hackers learned to become more sophisticated and global. "You can see that they're developing their skills over time, and transferring skills among one another," she said.

A defense attorney for Gonzalez, Rene Palomino, said his client will plead not guilty to the charges. He described Gonzalez, 27, as a self-taught computer consultant who first met several of the other defendants online.

Former informant

Ironically, the story of how the group of accomplices came to be begins with Gonzalez helping law enforcement officials. Though arrested in connection with theft from an automated teller machine in 2003, Gonzalez soon became a key Secret Service informant and even gave the agency security lectures, Palomino said. Gonzalez was best known for helping officials bring charges against a group known as the "Shadowcrew" after one of the online message boards that served as a marketplace for stolen payment card numbers - 1.7 million of them in all, prosecutors would charge.

Despite serving as an informant, the Justice Department claims, Gonzalez also began "wardriving" in the areas around US Highway 1 in Miami, according to this month's indictments. The term refers to the tactic of cruising in a vehicle with a laptop computer to spot unsecured connections to wireless systems maintained by various stores.

Gonzalez' partner in the wireless probes allegedly was another twentysomething, Christopher Scott, who Palomino said Gonzalez had met in online circles in Miami. Scott's attorney said he hasn't yet entered a plea.

According to the indictments, the pair first got lucky in 2003 at a BJ's Wholesale Club store, which wasn't using encryption software to protect customers' data, and accessed the account numbers of payment cards used by customers.

The next year Scott and another accomplice, described only by the acronym "J.J.," went further. Tapping into a similar access point at an OfficeMax store near the highway, they located data including customers' encrypted PIN numbers punched in when they used debit cards. They turned the data over to Gonzalez, who allegedly sent it to an unnamed coconspirator for decryption.

Filings and investigators say other stores hit by the ring included Barnes & Noble and Sports Authority, many in the Miami area. The indictments suggest the biggest breach began in July 2005 when Scott compromised two wireless access points of Marshalls' stores in the Miami area, both operated by Framingham retailer TJX Cos.

Soon the group was downloading payment card data from TJX's home servers. By the following May, in 2006, Scott had graduated to setting up a "virtual private network" connection to a TJX server, making it harder to detect the intrusion.

Next, Gonzalez brought in a Ukrainian, Maksym Yastremskiy, who prosecutors describe as an international trafficker of stolen card data who sold it on the Web. Via instant message in May 2006, Gonzalez allegedly asked Yastremskiy for help finding an undetectable "sniffer" program that would pick up customer card numbers and provide a feed of stolen data. Several days later, Scott, Gonzalez, and others installed sniffer programs onto a TJX server - likely provided by Yastremskiy, the indictment implies.

Craig Magaw, special agent in charge of the Secret Service's criminal investigative division, which led the probe of the hacker ring, said he had no evidence that Gonzalez and Yastremskiy ever met or spoke outside of their electronic communications. But their virtual connections, he said in an interview, were a common trait to criminal rings using web-based message boards.

"It's the usual M.O., where they can go to be anonymous and help each other further their activity," he said. "It's not just that they're selling the information but, if you go on these [message] boards, it's how to do compromises and giving advice. It's the criminals' playground."

Authorities arrested Yastremskiy in Turkey a year ago while he was visiting a resort. The US Postal Inspection Service confirmed to the Globe at the time that he was tied to the TJX probe. Since then, neither the Justice Department nor Turkish officials have provided contact information for Yastremskiy or an attorney representing him.

Yastremskiy's laptop provided a trove of details including an e-mail tie to Gonzalez, Magaw said. Gonzalez was arrested May 7 at a hotel room in Miami in connection with a related hacking case to which he has also denied wrongdoing. Court papers show officials seized from him three laptop computers, and a Glock 27 automatic pistol.

Encoding blank cards

In addition to showing how the group allegedly stole information, the indictments also shed light on how the ring may have used the data on the streets.

In 2005 and 2006, Gonzalez allegedly sold large amounts of payment card data to a person named only by the initials "J.W." This person allegedly encoded the information on the magnetic stripes of blank plastic payment cards, then used the cards to withdraw hundreds of thousands of dollars from ATMs and split the money with Gonzalez. Another unnamed San Diego purchaser also bought 100 blank payment cards from an individual in China connected to Yastremskiy in 2005, prosecutors charge.

Both examples recall cases in Florida last year in which state prosecutors won guilty pleas from six people who misused card numbers stolen from TJX. After obtaining blank cards magnetically encoded with the stolen numbers, they took the plastic to various Wal-Mart stores in Florida to buy gift cards that could be used like cash. In turn they used those cards to buy $8 million worth of expensive electronics, jewelry, and other items, officials said, returning some items for cash.

Details of how to encode blank cards with stolen account numbers are among the topics typically discussed on underground websites, security experts say; the Secret Service estimates there are 20 message boards or websites in the United States and overseas where criminals sell stolen numbers, trade tips, and form bonds like those between Gonzalez and Yastremskiy. Was theirs like an underground university? "I guess, but there's no diplomas coming out of there," Magaw said.

Or, as Massachusetts US Attorney Michael Sullivan put it at a press conference announcing the indictments on Aug. 5: "There's no evidence that any of these people had PhDs."

Globe staff reporter Marion Schmidt contributed to this report. Ross Kerber can be reached at kerber@globe.com.

Irish Payment Services Organisation Announces 20,000 Card Breach

Opportunistic data thieves masquerading as bank technicians have fooled shop owners into giving them access to credit card terminals and managed to download the details of over 20,000 credit and debit cards, it emerged this morning.

The Irish Payment Services Organisation has warned that individuals pretending to be from Irish banks convinced shop owners they were carrying out maintenance on behalf of banks.

This enabled them to plug in wireless devices that pushed the data to the internet and allowed the card numbers to be used overseas.

The scam has forced banks to restrict cash withdrawals to €100 a day for card holders travelling outside the country.

It is understood the scam was only uncovered by gardaí in the past 48 hours and they have retrieved CCTV footage of the gang in action. Banks worked hard on the issue over the weekend and have either blocked or restricted access on cards affected.

Until now criminals have focused mainly on putting devices on ATM machines to skim card data from consumers. However, this case suggests a sinister but startling overconfidence on the part of data thieves, who believe they can fool shop staff used to technicians working on the machines.

Retailers are being urged to check the identity of anyone claiming to be working on behalf of banks going forward.

Restaurants Hit by WarDrivers in Louisiana/Mississippi

It's getting to the point where you can't even go out and get a good Cajun meal anymore...

A ring of cyber-thieves has stolen tens of thousands of credit card numbers from Louisiana and Mississippi restaurants this year, leading to over $1 million in losses for the banks that issued them.

The restaurants began reporting the thefts beginning in March in Baton Rouge, followed by similar cases in Flowood, Miss., Lafayette, Lake Charles and West Monroe. The hackers have swiped credit and debit card numbers off 16 restaurants' computer systems, then sought to sell them for anywhere between $1 and $100 each, according to Special Agent Sean Connor of the U.S. Secret Service, an arm of the Department of Homeland Security that investigates financial crimes.

"Once they get a big pile of credit card numbers, they turn around and sell them on the Internet," Connor said.

The cases appear connected and probably involve a criminal network that stretches overseas, which would be consistent with other identity theft cases, U.S. Attorney David Dugas said. A group indicted in a separate case earlier this month includes defendants from three continents.

Authorities have no total dollar figure for the losses sustained in the Louisiana-Mississippi cases because the victims, local and national banks, are still compiling figures, Connor said. The hardest hit is a bank reporting over $1.1 million in losses, he said.

One bright spot: it's easier to steal the credit information than it is to sell it, meaning the losses could have been much greater. "Their methods for using the cards aren't as efficient as their methods for getting the numbers," Dugas said.

Jim Christy, a Maryland-based computer security expert with the Department of Defense, said such a scheme can get started by a thief with a laptop, driving around town until he finds a business with wireless computer networks.

The thief breaches an insecure wireless network, then inserts malicious software, similar to a wiretap, in the merchant's computer that will collect customers' credit card numbers and send them to the thief's e-mail account. Such identity theft operations began about five years ago and are becoming more common, he said.

"This is a worldwide problem today. Everything's networked and everything's going to wireless," said Christy, director of futures exploration for the Defense Department's Cybercrime Center.

The scheme is not sophisticated. Christy compared the hackers to teenage pranksters who get a garage-door opener and drive around the neighborhood, seeing how many garages they can open up by pushing the button. Eventually, they find one or two.

In the largest such identity theft case so far, 41 million credit and debit card numbers were stolen from chain retailers including Barnes and Noble, Sports Authority and OfficeMax. TJX Cos., which runs T.J. Maxx clothing stores, took $197 million in charges to cover losses from the security breach. Eleven people, from the U.S., Estonia, China, Ukraine and Belarus, have been indicted in that case.

The big money for hackers may be in big chains, but the Louisiana-based case shows that small businesses can be targets, too. The targets included Roman's, a family owned Lebanese eatery in Baton Rouge, and Sammy's Grill, in the rural town of Zachary.

Restaurants are among the most common targets for hackers, experts said, because they often fail to update their antivirus software and other computer security systems. Credit card companies urge merchants to make sure they're not storing sensitive data on "point-of-sale" computers, the modern equivalent of cash registers. The machines also need to be continuously upgraded to meet security standards, said Joe Majka, a senior business leader at Visa Inc. who focuses on computer security. "We're working more to direct our attention to the merchant community, to make sure they are protecting their data correctly, so that these things don't occur," Majka said.
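The "don't store sensitive data on point-of-sale computers" advice can be checked on the machines themselves. The following is an added example (not from the article, Visa or the PCI SSC): a small scanner that flags clear-text PANs and full track-2 data in a constructed POS log, uses a Luhn check to drop ordinary digit strings such as session ids, and masks what it reports. The log format and the names `SAMPLE_LOG` and `scan_log` are assumptions.

```python
import re

# Constructed sample of what a POS application might leave behind in a log
# (made-up values; 4111111111111111 is a well-known test PAN, not a real card).
SAMPLE_LOG = """\
2008-08-18 12:01:07 sale approved amount=42.10 pan=4111111111111111 auth=123456
2008-08-18 12:03:19 sale approved amount=8.75 pan=411111******1111 auth=654321
2008-08-18 12:05:42 debug raw_swipe=;4111111111111111=0912101123400000?
2008-08-18 12:07:00 heartbeat session=1234567890123456 ok
"""

# 13-19 digit runs that are not part of a longer digit run
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# Track-2 shape: ';' PAN '=' expiry (YYMM) and service/discretionary data '?'
# Storing full track data after authorisation is never permitted under PCI DSS.
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}\d*\?")


def luhn_ok(digits: str) -> bool:
    """Luhn check, used to drop digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Report at most the first six and last four digits of a finding."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> list:
    """Return [(kind, masked_pan)] for track-2 and bare PAN data on one line."""
    findings, seen = [], set()
    for m in TRACK2_RE.finditer(line):
        if luhn_ok(m.group(1)):
            findings.append(("track2", mask_pan(m.group(1))))
            seen.add(m.group(1))  # do not report the same PAN twice
    for m in PAN_RE.finditer(line):
        pan = m.group(1)
        if pan not in seen and luhn_ok(pan):
            findings.append(("pan", mask_pan(pan)))
    return findings


def scan_log(text: str) -> list:
    """Return [(line_no, kind, masked_pan)] for every line holding card data."""
    results = []
    for n, line in enumerate(text.splitlines(), start=1):
        for kind, masked in scan_line(line):
            results.append((n, kind, masked))
    return results


if __name__ == "__main__":
    for n, kind, masked in scan_log(SAMPLE_LOG):
        print(f"line {n}: {kind} data stored in clear -> {masked}")
```

Pointing the scanner at real log directories, database dumps and swap files is the same loop over more inputs; the masked output is safe to hand to whoever has to fix the application.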

About 100 restaurant owners are expected at a meeting Monday in Baton Rouge, where Secret Service agents and representatives from Visa will explain how to protect against breaches.

Credit card contracts generally protect consumers from any fraudulent use of stolen card numbers. To protect against the inconvenience of credit card theft, the companies recommend that consumers be vigilant in checking charges that appear on credit or debit accounts, and quickly report suspicious ones to the issuer of the card. But Christy said there's little that credit users can do to protect themselves. He said the threat of identity theft is "part of doing business today. You just hope businesses do what they're supposed to do to protect you."

PCI SSC Announces Free Webinar "A Perfect Fit"

The PCI Security Standards Council, a global, open industry standards body providing management of the Payment Card Industry Data Security Standard (PCI DSS), PIN Entry Device (PED) Security Requirements and the Payment Application Data Security Standard (PA-DSS), today announces it is offering a complimentary and educational webinar, "A Perfect Fit - Understanding the Interrelationship of the PCI Standards," to be held on Thursday August 21, 2008 at 9:00 a.m. EDT and a second session the same day at 7:30 p.m. EDT.

This one hour webinar is designed for any entity that processes, stores or transmits cardholder data and will feature Bob Russo, General Manager of the Council. During the session Mr. Russo will address how each of the standards fit together in a larger perspective of data security.

Webinar participants will discover:

• How the PCI DSS, PA-DSS and PED Security Requirements interrelate;
• Why merchants should know about PA-DSS and PED;
• Why incorporating PCI standards is your best approach to protecting cardholder data;
• Using PCI standards as a model for data security.

To register for the Thursday, September 4, 2008 session at 9:00 a.m. EDT, visit http://www.webcastgroup.com/client/start.asp?wid=0650904084240 or, for the 7:30 p.m. EDT session, http://www.webcastgroup.com/client/start.asp?wid=0650904084241. The morning webinar will be recorded and available for download for those who cannot attend either session.

For More Information:

If you would like more information about the PCI Security Standards Council or would like to become a Participating Organization please visit pcisecuritystandards.org, or contact the PCI Security Standards Council at participation@pcisecuritystandards.org.

PCI SS Council Announces Summary of Changes

Changes to the PCI DSS include clarifications and explanations to the requirements, with these clarifications offering improved flexibility to address today’s security challenges in the payment card transaction environment. The new summary document on these changes highlights the key clarifications by requirement. These clarifications will also eliminate existing redundant sub-requirements while improving scoping and reporting requirements. When version 1.2 is released, incorporating existing best practices, supporting documents will also be updated and consolidated. Most importantly, version 1.2 does not introduce any new major requirements to the existing 12 in place since the Council’s inception.

“The Council’s Participating Organizations, through the feedback process, have provided an invaluable service in enhancing the PCI DSS to meet today’s market needs,” said Bob Russo, General Manager, PCI Security Standards Council. “Version 1.2 should be seen as an improvement, not a departure from tried and true best security practices. By distributing a summary of the forthcoming changes, we are ensuring that stakeholders are not taken by surprise by any of the clarifications.”

With the summary of changes to the revision of the PCI DSS, the Council is giving stakeholders guidance on what to expect when version 1.2 is publicly available. The Council is finalizing the changes to the standard and will be providing its Participating Organizations with version 1.2 in early September. PCI SSC Participating Organizations and the Council’s Board of Advisors have been providing feedback on the revisions and the Council is in the final stages of preparing the latest standard and supporting documentation. This follows the established lifecycle process that will ensure that the PCI DSS standard is revised and updated on a two-year cycle. PCI DSS version 1.1 was introduced in September 2006.
