11 Charged In TJX, Other Breaches

coondoggie writes "The Justice Department has charged 11 people in connection with the massive theft of credit card numbers from various retailers, including TJX, BJs and OfficeMax. Authorities say the group charged was involved in the theft of more than 40 million credit and debit card numbers. In an indictment returned today by a federal grand jury in Boston, Albert 'Segvec' Gonzalez, of Miami, was charged with computer fraud, wire fraud, access device fraud, aggravated identity theft, and conspiracy for his role in the scheme. Others indicted are from the US, Estonia, China, and Belarus." We've been following the TJX breach since the beginning.

Re:

[seanonymous]

and I don't drink!

And here I was

[thermian]

Thinking I'm silly for not having a credit card.

I kind of need one nowadays, but this kind of thing scares me shartless. How easy would it be to get fiscally wiped out by this kind of thing?

Re:

[FireStormZ]

What you could do is obtain a low balanced secure credit card for things you do on-line. A secured balance of say 500 to 1,000$ would be enough for most people and would be the most you could lose.

Re:

[thermian]

I didn't know there was such a thing. I've been avoiding credit cards and (to my banks bizarre frustration) overdrafts for years.

Two years back they actually threatened to not let me withdraw money from the ancient savers account I've been using for almost 15 years if there was less then £500 in it, to try and get me to accept their account with a credit card and overdraft.

I was a bit incredulous, and requested that they close the account (requested loudly, clearly, and very politely, in front o

Re:And here I was

[QuantumRiff]

actually, with a proper credit card (not a debit card) you are not responsible for charges that are not yours. If you lose your card, and report it missing, the most that can be charged to you is $50. For fraud, you have to file a police report, and report it to your bank, but you should not be responsible for paying it. However, you might spend alot of time, filling out that paperwork, disputing problems on your credit history because of it, etc.. These protections do not exist for most checking, savings, or debit accounts..

If you order something online, and it doesn't get delivered or whatever, most card companies will allow you to request a charge-back, where they just reverse the charge, and then it is up to the merchant to deal with your card company...

Re:

[skeeto]

If you lose your card, and report it missing, the most that can be charged to you is $50.

And if you only lose the number but still possess the physical, real card (i.e. someone wrote down your credit card number or something), you are responsible for no more than $0.

Re:

[mea_culpa]

Being a victim of ID theft, I agree and would go a step further to suggest canceling any debit card you have. They are worthless to the account holder and valuable only to the bank.

Banks only care about their money (Credit Cards) not yours (Check/Debit cards) and don't give a damn when it's your money that gets taken and will do only the minimum they are required to assist you, often times charging a 'research fee' of $100 or more to 'look into' each discrepancy.

It still sucks when someone gets hold of your

Re:

[BigLonn]

You're correct, they aren't responsible, if, it's a proper credit card, the point is the credit card company's are on the hook for these charges and yes they will pass these expenses back to you and me some how.

Re:And here I was

[smashin234]

Except that as long as you keep yourself covered by reporting fraud early, you don't get charged for those purchases that were not yours. Being responsible with a credit card is the answer, not burying your head in the sand.

Re:

[4D6963]

Thinking I'm silly for not having a credit card.

I kind of need one nowadays, but this kind of thing scares me shartless. How easy would it be to get fiscally wiped out by this kind of thing?

Following the same logic that's why I don't have a car, the risk being much more important and the consequences being much more grave. This being put in perspective, I have a credit car. Let me guess, you have a car? ;-)

Re:

[thermian]

Let me guess, you have a car? ;-)

Nope, never learned to drive, never needed to. I have a bicycle.

Re:

[Tenebrousedge]

See, because you own a car, that means that you are capable of accepting a small risk to reap a large benefit. To use a car analogy...

...oops. fuck, never mind. Maybe we can try another smug assumption posing as an argument? How about, "Let me guess, you are left-handed? ;-)"?

"Let me guess, you vote libertarian? ;-)"?

"Let me guess, you welcome our non-car-owning pedestrian overlords? ;-)"?

I like the last one.

Re:

[MRe_nl]

Shouldn't that be
"I for one welcome our non-creditcard owning pedestrian overlords" ;-)?

Re:

[thermian]

"Let me guess, you welcome our non-car-owning pedestrian overlords? ;-)

You've got me there..

Be careful, seriously

[Mathinker]

Geeks + bikes always makes me a bit nervous, one of my high school math teachers was killed by a traffic accident he had while biking to school; and then as an adult I read about Jerry Keiper [stephenwolfram.com] dying similarly.

And yes, being a fan of Bruce Schneier, I understand that this nervousness is probably not commensurate with the actual risks involved in traveling by bicycle.

Re:And here I was

[oldspewey]

How easy would it be to get fiscally wiped out by this kind of thing?

I've had a credit card "compromised" twice over the last ~10 years. In the first case, I noticed the fraudulent charges on my statement and contacted the card issuer. They promptly reversed every single one of the charges and my liability was zero. In the second case, the card issuer actually phoned me to ask about a series of suspicious charges. My statement wasn't even due to arrive for another couple weeks. When I told them I had not made the purchases in question, then promptly reversed every single one of the charges and my liability was zero.

IMO the real risk is identity theft - when a scammer gets hold of enough of your info to open accounts in your name, apply for credit, etc. It's never happened to me but I've heard it's a real nightmare to get corrected when it happens. Having a credit card may or may not make you more vulnerable to identity theft. I make it a policy to use a shredder on any paperwork that could potentially be used to build a profile on me ... nothing goes straight into the trash.

Re:

[BronsCon]

Having horrible credit has made me significantly less vulnerable for years.

A friend and I were robbed at gunpoint once after a night out. We had both started a new job that day and had our social security cards on us (employer needed copies, we went out immediately after work), check books and, obviously, drivers' licenses, everything.

This was about 6 years ago. We're still both cleaning up our credit. Him, from identity theft. Me, from my own stupidity; they weren't able to open a single account in my name

Re:

[ardle]

Having horrible credit has made me significantly less vulnerable

Thanks, I've been trying to convince myself of that - for years ;-)

Re:

[BronsCon]

I turned 26 in December last year. I got my first credit card in March of this year, through no lack of trying.

Yes. Bad credit really does work.

Re:

[StatusWoe]

hehe, appropriately flame-bait

nice work on whomever modded that

Re:

[StatusWoe]

Agreed, My wife recently had her credit card # stolen, along with her full name and address (though the latter is in the phone book and is hardly stealing)

Credit card company reversed all charges, no questions asked, I'm annoyed that they and the police refused to attempt to catch the thieves but still, no issues with the credit,,, until they started opening cell phone accounts using JUST the name and address, not even requiring the credit card # which I think it total BS.

I did receive some of the bills fro

Re:

[Beryllium Sphere(tm)]

The shredder is good advice. Also make sure your physmail gets delivered to something that locks, like a PO box or an apartment mailbox. Mail theft from those Leave It To Beaver on-street mailboxes is a real problem.

Re:

[KernelMuncher]

You are protected for a wide range of fraudulent charges. For instance my credit card number was recently stolen and a large purchase was initiated at a popular web site. My credit card company denied the charge since it was so out of character for my spending patterns. Then they contacted me to ask if the charge was legitimate. I didn't lose a cent over the matter. The only hassle was having to replace the credit card. Their fraud detection algorithms are getting more and more sophisticated - which l

Re:

[ivan256]

Harder than you'd think.

If you use credit responsibly, and have a reasonable fallback of savings, the worst case is a temporary loss of access to credit. You aren't liable for this type of fraud if it happens to you. It's just that three month period of proving it was fraud that would suck if you depend on your credit card to live day to day.

I had my credit card info stolen as part of the TJX breach. Whoever ended up with the data maxed out my card in an internet cafe in Paris ($6200 over two days... In an

Re:

[Alpha830RulZ]

How easy would it be to get fiscally wiped out by this kind of thing?

Not very, actually. Your protections are fairly good when someone gets your CC #. Yeah, you'll be in for a hassle protesting the charges, but you don't have to pay the bill on the disputed charges. This is a better situation than if they got your debit card info, in which case they can clean your bank account out.

I -never- use my ATM card for payments for this reason.

It always gives me the warm and fuzzies when

[FireStormZ]

guys like this get caught, this is why I seldom do anything important off wire, even on my own wireless network...

"The indictment alleges that during the course of the sophisticated conspiracy, Gonzalez and his co-conspirators obtained the credit and debit card numbers by "wardriving" and hacking into the wireless computer networks of major retailers - including TJX Companies, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW."

If your going to offer a se

wire security

[toby]

I seldom do anything important off wire, even on my own wireless network...

Because you run Windows, right? :)

My advice is to use a secure proxy (e.g. over OpenVPN) if you are concerned about local eavesdropping (residence, ISP). I use a VPN for all browsing and email, even from home, but this is particularly advised when travelling and using unknown residential/hotel/office networks.

And this was all.....

[ragethehotey]

Because they transmitted customers credit card information in plaintext over an unsecured wireless connection. Not saying they shouldn't be held responsible for their incompetence, but I'm shocked that they actually had to pay out $60,000,000 for it instead of just passing the blame.

Re:

[darkmeridian]

This isn't true. TJX did not transmit credit card information over plaintext. This would have been better than what they actually did. TJX did something dumber: it transmitted the keys to the store server via WEP. The bad guys were able to use this to sign into the store server, then access the main server, and then put in a backdoor to capture all the credit card info used in all stores as opposed to that one store.

Re:And this was all.....

[The Breeze]

Actually, if memory serves, the TJ Maxx connection was a wireless link between two buildings - it was a WEP connection. So, yeah, it was encrypted, but it only took them about 10 minutes to crack it. Too bad the company was too lazy to use WPA. The other interesting part about this (again going from memory) is that they popped the back cover off one of those "Apply for a Job" kiosks in the store, and lo and behold, the job kiosk was on the hardwire, unencrypted network. Oops. And then the bad guys plugged in a USB key with a bootable Linux system on it. Double oops. They then had access to everything on the corporate network. Everything. Triple oops.

-Steve

I used to work at one of them

[Anonymous Coward]

And still work in retail security. At least two of these companies did not transmit data in the clear, and in the case of debit pins, none of them did. The debit PIN standard was developed after the old ISO 8583 clear text credit transmission standard. (Yes the iso credit auth format was unencrypted. http://en.wikipedia.org/wiki/ISO_8583. Some credit processors still require it.)

Your processor has to verify your setup before it goes into production, and debit card readers all require the hardware injecti

Re:

[plover]

I hope the method used to capture the debit pins becomes known, I still have retail networks to secure.

As you no doubt are aware, most debit PINs are encrypted using DUKPT for key exchange. But it wasn't until very recently that PCI PED required compliant devices to use 3DES, and not DES. Back when these attacks started showing up in 2004, plain-old DES was still an accepted standard. It's entirely possible that they could have brute forced the BDK with something like a meet-in-the-middle attack.

These guys obviously had access to metric boatloads of computrons. They may even have hijacked the retailer's

Re:

[arglesnaf]

DUKPT is derived unique key per transaction, and is most likely to be 3Des anyway.
The old standard was Master/Session, which was more likely to use DES keys, but your point is still valid.

WTF is "aggravated identity theft"

[TheRealMindChild]

Seriously. WTF is "aggravated identity theft"? The only logical thing I can come up with is that he held someone up with a gun or something to steal their credentials. But then wouldn't this in fact BE "aggravated assault" + "identity theft"? My comprehension that they actually made one law by merging two other already illegal things just doesn't sit well.

aggravated identity theft: defined

[deft]

let me guess, not a lawyer?

http://www4.law.cornell.edu/uscode/18/usc_sec_18_00001028---A000-.html [cornell.edu]

(a) Offenses.--
(1) In general.-- Whoever, during and in relation to any felony violation enumerated in subsection (c), knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person shall, in addition to the punishment provided for such felony, be sentenced to a term of imprisonment of 2 years.
(2) Terrorism offense.-- Whoever, during and in relation to any felony violation enumerated in section 2332b (g)(5)(B), knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person or a false identification document shall, in addition to the punishment provided for such felony, be sentenced to a term of imprisonment of 5 years.

(c) Definition.-- For purposes of this section, the term "felony violation enumerated in subsection (c)" means any offense that is a felony violation of--
(1) section 641 (relating to theft of public money, property, or rewards [1]), section 656 (relating to theft, embezzlement, or misapplication by bank officer or employee), or section 664 (relating to theft from employee benefit plans);
(2) section 911 (relating to false personation of citizenship);
(3) section 922 (a)(6) (relating to false statements in connection with the acquisition of a firearm);
(4) any provision contained in this chapter (relating to fraud and false statements), other than this section or section 1028 (a)(7);
(5) any provision contained in chapter 63 (relating to mail, bank, and wire fraud);
(6) any provision contained in chapter 69 (relating to nationality and citizenship);
(7) any provision contained in chapter 75 (relating to passports and visas);
(8) section 523 of the Gramm-Leach-Bliley Act (15 U.S.C. 6823) (relating to obtaining customer information by false pretenses);
(9) section 243 or 266 of the Immigration and Nationality Act (8 U.S.C. 1253 and 1306) (relating to willfully failing to leave the United States after deportation and creating a counterfeit alien registration card);
(10) any provision contained in chapter 8 of title II of the Immigration and Nationality Act (8 U.S.C. 1321 et seq.) (relating to various immigration offenses); or
(11) section 208, 811, 1107(b), 1128B(a), or 1632 of the Social Security Act (42 U.S.C. 408, 1011, 1307 (b), 1320a-7b (a), and 1383a) (relating to false statements relating to programs under the Act).

Re:

[Otter]

A number of offenses come in "aggravated" flavors, not just assault.

Re:

[SirGarlon]

charged with computer fraud, wire fraud, access device fraud, aggravated identity theft,

The optimist in me says maybe it's like the way the Eskimo language has 15 different words for "snow."

The pessimist in me says Congress simply outlawed the same crime in four different laws because the last law they passed obviously didn't make the crime stop happening...

Re:

[fishbowl]

>The optimist in me says maybe it's like the way the Eskimo language has 15 different words for "snow."

I've never understood what was supposed to be strange about that. Don't you know any snowboarders? They have different words for snow too.

Re:

[billcopc]

They have different words for snow too.

What does cocaine have to do with any of this ? :P

Re:

[Fulcrum of Evil]

The optimist in me says maybe it's like the way the Eskimo language has 15 different words for "snow."

No, they have an agglutinative language [wikipedia.org] where you tack lots of descriptive stems onto a root to make your words. It's like german, where whole phrases turn into a single word.

Legal speak for really bad...

[FireStormZ]

http://en.wikipedia.org/wiki/Aggravation_(legal_concept) [wikipedia.org]

Aggravation, in law, is "any circumstance attending the commission of a crime or tort which increases its guilt or enormity or adds to its injurious consequences, but which is above and beyond the essential constituents of the crime or tort itself."[1]

Re:

[Nos.]

They'll have a heck of a time suing when they knew before hand of the sloppy security measures and actually game them an extension on PCI compliance: http://www.darkreading.com/document.asp?doc_id=138838 [darkreading.com]

Re:

[billcopc]

I'd rather see the fraudsters and every incompetent up the chain, be forced to work the customer service call center, dealing with fraud complaints 16 hours a day, 7 days a week for the duration of their sentence. Watch them get yelled at by psychotic soccer moms for hours on end, dealing with the aftermath of their own crooked acts.

Jail ain't worth shit. It doesn't reform, it doesn't produce any results. Make these fuckers pay, just like we suffer every day for the bullshit that goes on in the world.

Re:

[heteromonomer]

lol! mod theup!

Aggravated Identity Theft

[AP31R0N]

Does that mean it won't heal by just spending a blood point or two? Maybe they should call it, aggravating identity theft.(not serious)

What makes a crime aggravated? (serious)

Separate charges per card?

[tsstahl]

Pun intended. I wonder if they can be charged for each INSTANCE of a fraudulent charge. Several thousand years behind bars, consecutive would suit my taste for vengeance. Yes, I know that prison is supposed to be about rehabilitation, not revenge, but still...

Re:

[Pincus]

Yes, I know that prison is supposed to be about rehabilitation, not revenge, but still...

Not entirely true. Prison is also about public safety and punishment. Given the number of repeat offenders, it's difficult to argue that the rehabilitation angle works. These guys need to be locked up for a while to ensure that they can't do it again and because every action has a consequence. That said, hundreds of years of consecutive imprisonment is overkill, and overkill is bad. It's the reason the death penalty is rarely (1 state, I think) available in rape cases. It motivates the assailant to ki

Treble Damages would be Fine

[bill_mcgonigle]

Pun intended. I wonder if they can be charged for each INSTANCE of a fraudulent charge. Several thousand years behind bars, consecutive would suit my taste for vengeance. Yes, I know that prison is supposed to be about rehabilitation, not revenge, but still...

My wife's card got stung by the TJ Max fiasco. Hers was the one we use for automatic payments on various accounts. Since none of the vendors with whom we deal sent notice of expiration, and I wasn't keeping close track, between proactively and reacti

Was it...

[BobMcD]

Gonzalez and others were allegedly able to conceal and launder their fraud proceeds by using anonymous Internet-based currencies both within the United States and abroad, and by channeling funds through bank accounts in Eastern Europe, the DOJ said.

...WoW gold?

Re:

[Coraon]

it trades higher then the American dollar now.

goodluckwiththat

[PseudoLogic]

From TFA:"Others indicted are from the US, Estonia, China, and Belarus". Yeah, good luck with that. I'm sure those countries will have no problem handing people over.

Labor punishment

[Pincus]

This is exactly the sort of case where I wish the US had hard labor as a form of punishment. Let them work off the money they stole.

Re:

[Monkeyriot]

Ok, 40 million credit cards at say $100 per card is $4,000,000,000 divided by 11 people at 40 hours a week for 20 years $96,153.84 per hour. Heck of a wage.

Re:

[Pincus]

While TFA only states that they would withdraw tens of thousands of dollars at a time, I'm skeptical that they could have done so to the tune of $4 billion.

More likely, they stole something like $40mm - we'll say $44mm for the sake of simple math. That's $4mm per person, divided by 60 hours per week (40 hours isn't HARD labor) for 25 years.

My math puts their wages just upwards of $50/hr. Let's make them earn it.

Hell, make the punishment dollar based and say that they need to earn $4mm. Then tell t

We need authenticated transactions!

[bobbuck]

We need authenticated transactions using public key technology so that an account number or routing number is not sufficient to charge an account. The technology is dirt cheap now and could be built into cell phones. When you make a purchase the vendor should send a payment request with a transaction number to you. You send a signed authorization back to the vendor who then checks it against your balance and public key at the finacial institution. Approval comes back and you're done. If someone uses the sto

Re:

[johndmartiniii]

Agreed. Public keys have been used successfully for all sorts of less "sensitive" applications. Why not?

Being from Miami

[Ardipithecus]

I like that the indictments were handed down to people in Miami, the US, Estonia, China, and Belarus.

It is a different place.

Who pays?

[shadwstalkr]

Can someone explain where the money comes from? The cardholders aren't responsible for the charges as long as they report them in time, the card company probably won't cover the charges, and the criminals won't be paying full restitution even if it's part of their sentence. So who pays for all this? Is it like counterfeit money added to the economy?

Re:

[CodeBuster]

So who pays for all this?

Banks (who own the ATMs where the withdrawals occurred), merchants (if the thieves were able to use the cards before they were reported stolen), and all of us in the form of slightly higher bank fees and retail prices in the future as the banks and merchants attempt to make up for their fraud losses.

Something tells me...

[dos4who]

... this guy isn't going to be the next Kevin Mitnick.

Corporate Negligence

[Mr. Lwanga]

The cheapskate CEOs, CFOs, CTOs, CIOs, and PHBs should also be indicted for aiding and abetting, maybe a RICO charge for unintentional co-conspirators in stupidity.

I am sure that these corporations went to the top of the list as targets of opportunity for "security consultants", hardware vendors and other information solution providers.

An ounce of prevention ...