Forgot your password?
typodupeerror
The Courts Government Security News

Hacking Ring Nabbed By US Authorities 146

Posted by samzenpus
from the go-directly-to-jail dept.
Slatterz writes "The members of a hacking ring responsible for stealing more than 40 million credit and debit card numbers from retail organizations in the US have been caught and charged. The case before the US Department of Justice is believed to be the largest hacking and identity theft case ever prosecuted. The criminals allegedly obtained bank details by hacking into the retailers' computer networks and then installing 'sniffer' programs to capture card numbers and password details as the customers moved through the retailers' credit and debit processing networks."
This discussion has been archived. No new comments can be posted.

Hacking Ring Nabbed By US Authorities

Comments Filter:
  • Re:More details (Score:3, Interesting)

    by Anonymous Coward on Thursday August 07, 2008 @03:42AM (#24507289)
    From that FA:

    "Criminal informations were also released today in Boston on related charges against Christopher Scott and Damon Patrick Toey, both of Miami."

    Informations? The DOJ can't find a person who knows basic English to write their PRs?

  • by unfasten (1335957) on Thursday August 07, 2008 @04:34AM (#24507549)
    Well if you can record the call (and phone boxes aren't hard to tap, though I'm not sure how exactly it would work at a call center) then it's easy to convert the DTMF tones into numbers using a tone decoder.

    Here's a link to a DIY hardware version: http://www.bobblick.com/techref/projects/tonedec/tonedec.html [bobblick.com] And a quick search should turn up software solutions, or you could write one yourself since the tones are standard. Wiki lists all the tones: http://en.wikipedia.org/wiki/DTMF#Keypad [wikipedia.org]
  • Who foots the bill? (Score:3, Interesting)

    by brucmack (572780) on Thursday August 07, 2008 @05:01AM (#24507637)

    So, who foots the bill for this? The retailer, the credit card comany / debit card issuer, or the customer?

  • by unfasten (1335957) on Thursday August 07, 2008 @05:19AM (#24507697)
    The main defendant in this case, Albert Gonzalez, used to be a informant for the Secret Service and cooperated in the Operation: Firewall [usdoj.gov] case 4 years ago. Apparently they didn't keep a very good eye on him while he was working for them or after they were done with him. He became an informant after he was arrested around mid-2003 and the case lasted until the end of October, 2004. So according to this Washington Post article [washingtonpost.com] (which got the informantion from the indictment [usdoj.gov] someone linked above) he was actively committing crimes at the same time he was an informant:

    -- In about 2003, Gonzalez and others found an unencrypted wireless access point at a BJ's Wholesale Club store. BJ's reported a breach of its computer networks in early 2004.

    -- In 2004, other members of the ID theft ring compromised an OfficeMax wireless access point in Miami, and they were able to steal credit card data. After law enforcement officials in 2006 identified OfficeMax as the victim of a data breach, the company said it hired an outside auditor to conduct an investigation and found no evidence of a security breach. An OfficeMax spokesman didn't immediately return a message seeking comment.

    So either the Secret Service was letting this go on just so they could make one bust, or they had no idea that their own informant was committing major breaches while under their supervision. Also, how stupid is this guy that he didn't even stop breaking the law after getting busted and becoming an informant? Some people are just begging to be sent to prison, and it looks like the prosecuters are going to grant his wish. For the rest of his life if they have their way.

    P.S.: The Threat Level post [wired.com] with the info about him being an informant also contains a link [wired.com] to another case about another informant who was stealing social security numbers while working on a computer inside the Secret Service offices.

    The usdoj.gov website seems to be down for me at the moment but should come back up eventually.

  • by Strilanc (1077197) on Thursday August 07, 2008 @07:00AM (#24507995)

    I'm going to go out on a limb and say the core of the problem isn't the security of the computers, it's the fact that in order to use a credit card number you have to reveal it. There will always be some retailer or customer without a secure system. _We can't change this, it's too hard_.

    I think the solution is a small device with an embedded secret key. All it has to do is sign data [secondary: show text, wireless, usb, etc].

    For example, to complete a transaction, a store asks you to sign this:
    [
          VISA Credit Transfer
          "here's a one-line ad because we just can't help it!"
          amount: 12.34$us
          buyer: John Doe
          seller: Matt's Grocery Store
          date: August 7, 2008
          buyer public key: 09 f9 11 02 9d 74 e3 5b d8 41 56 c5 63 56 88 c0
          seller public key: 4B 3D BA 71 3B D8 56 43 2B A7 E8 F4 69 CA C5 5A
          seller transaction id: 594864purplebunnies
          protocol version: 1
    ]
    Then the store also signs it, and sends it and the signatures to VISA, or whoever.

    The beauty here is that the security is now entirely encapsulated in a) the signing device, and b) the plaintext format for requesting credit.

    In the example I have given the buyer only has to check that the amount is correct because all other modifications give them free groceries. The store only needs to ensure they match the format specified by VISA, and that the buyer's signature is valid. VISA takes most of the work, checking that the format is correct, the signatures are valid, the transaction id is unique for the seller, the buyer has enough credit, etc.

    I'm sure there are holes, but it's a hell of a lot better than what we have now.

  • Re:Hacking? (Score:3, Interesting)

    by houghi (78078) on Thursday August 07, 2008 @07:02AM (#24508003)

    The price for correcting the Editors is being moderated as a troll, apparently.

  • by xgr3gx (1068984) on Thursday August 07, 2008 @08:23AM (#24508435) Homepage Journal
    But they'll probably just end up going to club fed for 2 years
  • by Iamthecheese (1264298) on Thursday August 07, 2008 @08:30AM (#24508479)
    hash clash
  • by Anonymous Coward on Thursday August 07, 2008 @09:20AM (#24508879)

    The members of a hacking ring responsible for stealing more than 40 million credit and debit card numbers from retail organizations in the US have been caught and charged.

    You wouldn't think so from the summary. So much for the presumption of innocence.

  • by phayes (202222) on Thursday August 07, 2008 @09:48AM (#24509239) Homepage

    Time to wakey wakey young one, the world is more complicated than your parents told you...

    In order to catch a thief, law enforcement officials will use people who are criminals themselves. When, in the course of an investigation, they have enough evidence to put away suspect A, A will often turn over information on other people the government wants to put away more. As the leaders of criminal organizations usually protect themselves by passing orders on to underlings & often do not commit overtly illegal acts themselves, this is the only way to collect enough evidence to put them behind bars.

    However, turning states evidence, will not protect A a second time if he continues to break the law unless he can once again deliver on someone that the DA wants more than A.

    I see nothing abnormal in putting in prison a criminal who was too dumb to stop committing crimes.

  • by gcatullus (810326) on Thursday August 07, 2008 @10:57AM (#24510237)

    Will not happen because credit card companies are NOT The ones on the hook for the losses. The charade of PCI compliance has foisted all responsibility back to the merchant. The Visa/Mastercard cartel actually make MORE money from fraud because there are many more transactions, and they profit from every single transaction. Visa/mastercard took approximately $40 Billion last year in interchange fees, this is in addition to any customer interest or late penalties. They have no incentive to change and teh merchants (other than say Walmart) are in no position to quibble with them.

  • by tlhIngan (30335) <slashdot@ w o r f.net> on Thursday August 07, 2008 @11:40AM (#24510795)

    I'm surprised that we even still use signatures now. It seems like no cashier actually looks at them, or could tell if there is even a difference. There is a strong part of me that would like the credit/debit card industry to add various biometrics that would at least be scanned by a machine so we'd actually have some ID verification other than the damn PIN number.

    Actually, it's a misconception that the signature has meaning to the retailer if they match. If you look at the slip you sign, it says something to the effect of "I agree to pay this debt according to the terms of the cardholder agreement" or similar.

    SIgning your card is an indication that you accept the cardholder agreement (i.e., the card is valid). Technically, a store can refuse to accept any card that is unsigned, says "CHECK ID" or similar because those cards are invalid (because you haven't indicated you accept the cardholder agreement, which covers things like... repayment of debt). The slip is used to indicate that you, the cardholder, will pay the issuer the amount listed, who will then pay the merchant that amount.

    During a dispute, the best proof a merchant has is the signed slip. What makes life interesting are those places where signing the slip isn't necessary (e.g., some for transactions under $25).

If you think nobody cares if you're alive, try missing a couple of car payments. -- Earl Wilson

Working...