Hacking Ring Nabbed By US Authorities 146
Slatterz writes "The members of a hacking ring responsible for stealing more than 40 million credit and debit card numbers from retail organizations in the US have been caught and charged. The case before the US Department of Justice is believed to be the largest hacking and identity theft case ever prosecuted. The criminals allegedly obtained bank details by hacking into the retailers' computer networks and then installing 'sniffer' programs to capture card numbers and password details as the customers moved through the retailers' credit and debit processing networks."
will there be changes? (Score:5, Informative)
Re:will there be changes? (Score:5, Funny)
Of course not. After all, they caught the people that abused it. Why waste money to protect something from criminals when the criminals were already caught. Nobody would dare to try it again.
Re: (Score:2)
Just like in the cartoons.
Re: (Score:2)
Re:will there be changes? (Score:5, Interesting)
I'm going to go out on a limb and say the core of the problem isn't the security of the computers, it's the fact that in order to use a credit card number you have to reveal it. There will always be some retailer or customer without a secure system. _We can't change this, it's too hard_.
I think the solution is a small device with an embedded secret key. All it has to do is sign data [secondary: show text, wireless, usb, etc].
For example, to complete a transaction, a store asks you to sign this:
[
VISA Credit Transfer
"here's a one-line ad because we just can't help it!"
amount: 12.34$us
buyer: John Doe
seller: Matt's Grocery Store
date: August 7, 2008
buyer public key: 09 f9 11 02 9d 74 e3 5b d8 41 56 c5 63 56 88 c0
seller public key: 4B 3D BA 71 3B D8 56 43 2B A7 E8 F4 69 CA C5 5A
seller transaction id: 594864purplebunnies
protocol version: 1
]
Then the store also signs it, and sends it and the signatures to VISA, or whoever.
The beauty here is that the security is now entirely encapsulated in a) the signing device, and b) the plaintext format for requesting credit.
In the example I have given the buyer only has to check that the amount is correct because all other modifications give them free groceries. The store only needs to ensure they match the format specified by VISA, and that the buyer's signature is valid. VISA takes most of the work, checking that the format is correct, the signatures are valid, the transaction id is unique for the seller, the buyer has enough credit, etc.
I'm sure there are holes, but it's a hell of a lot better than what we have now.
Re: (Score:1, Informative)
already done, patented and on the way for deployment (at least in Switzerland):
http://www.zurich.ibm.com/ztic/
Re: (Score:3, Interesting)
Re: (Score:3, Insightful)
In the example I have given the buyer only has to check that the amount is correct because all other modifications give them free groceries. The store only needs to ensure they match the format specified by VISA, and that the buyer's signature is valid. VISA takes most of the work, checking that the format is correct, the signatures are valid, the transaction id is unique for the seller, the buyer has enough credit, etc.
I'm sure there are holes, but it's a hell of a lot better than what we have now.
I'm surp
Re:will there be changes? (Score:5, Interesting)
Actually, it's a misconception that the signature has meaning to the retailer if they match. If you look at the slip you sign, it says something to the effect of "I agree to pay this debt according to the terms of the cardholder agreement" or similar.
SIgning your card is an indication that you accept the cardholder agreement (i.e., the card is valid). Technically, a store can refuse to accept any card that is unsigned, says "CHECK ID" or similar because those cards are invalid (because you haven't indicated you accept the cardholder agreement, which covers things like... repayment of debt). The slip is used to indicate that you, the cardholder, will pay the issuer the amount listed, who will then pay the merchant that amount.
During a dispute, the best proof a merchant has is the signed slip. What makes life interesting are those places where signing the slip isn't necessary (e.g., some for transactions under $25).
Re:will there be changes? (Score:5, Informative)
Re: (Score:2)
There's a demand for credit cards, people aren't going to "just use cash". Not to mention cash doesn't work nearly as well as credit over the internet. The idea is to fix the system, not throw it out.
Re: (Score:3, Insightful)
Or you could.. ya know.. discover that there's vulnerabilities inherent in the system and just use cash instead. Using cards (even debit) causes price inflation. Cash is king.
But your cash is counterfeit. Please step to the side and speak with the nice policeman. Thank you.
Re: (Score:2)
Re: (Score:3, Interesting)
Will not happen because credit card companies are NOT The ones on the hook for the losses. The charade of PCI compliance has foisted all responsibility back to the merchant. The Visa/Mastercard cartel actually make MORE money from fraud because there are many more transactions, and they profit from every single transaction. Visa/mastercard took approximately $40 Billion last year in interchange fees, this is in addition to any customer interest or late penalties. They have no incentive to change and teh mer
Re: (Score:2)
Bullshit. Banks certify payment systems before allowing retailers to authorize through them. For smaller operations they may delegate to a payment processor that certifies devices on the network, such as mom and pop stores
Re: (Score:2)
Afaict all you need to put a transaction through is the card number, other stuff helps if the transaction is challanged but afaict is not needed to put the transaction through.
All the information most online retailers ask for is either printed on the card or availible to anyone who knows or stalks the victim. The pin is only used for face to face transactions (which helps keep it secure but also means it is no help in many situations).
Also the chips aren't particularlly reliable. So at least in the uk if yo
Re:will there be changes? (Score:4, Insightful)
are security measures going to be changed with this revelation to the public?
If they secured credit cards so that there was no fraud, then how would the providers justify their exorbitant [unfaircreditcardfees.com] fees?
Re: (Score:2, Funny)
Re: (Score:1)
Re: (Score:2)
This week I personally stopped what could have been a major breach of credit card security. My company works for retail companies, and one of our clients emailed us a transaction log containing full credit card data for a day's worth of transactions. I don't mean masked data, times, etc. I mean full numbers, expiration dates, CCV numbers, names, everything. They just handed it
More details (Score:5, Informative)
Re: (Score:1)
Re: (Score:3, Interesting)
"Criminal informations were also released today in Boston on related charges against Christopher Scott and Damon Patrick Toey, both of Miami."
Informations? The DOJ can't find a person who knows basic English to write their PRs?
Re: (Score:2)
They only know legalese.
Re:More details (Score:5, Funny)
Re: (Score:2)
Re:More details (Score:5, Informative)
wireless registers (Score:1)
Re: (Score:1)
Is this related to the 7-11 / Chase ATM crack? (Score:2)
They just backdoored the reception system so they didn't just get the card numbers that were being used in that store, but in all of whatever chain of stores.
A month or so ago I heard of a bust of a team that had done a similar "backdoor the server" crack that got the card numbers and PINs of essentially everybody who had used the ATMs at 7-11 nationally for several months.
Does anybody know if that crime and this one are related (other than by compromising the server)?
indictment links (Score:5, Informative)
Links to the indictments of the top two suspects:
suspect 1 [usdoj.gov]
suspect 2 [usdoj.gov]
Better Article (Score:5, Informative)
So now we will get even MORE draconian measures to stop the "evil hackers" when in reality, it was a combination of bad intentions, and old-fashioned stupidity. The article specifically mentions looking for "vulnerable" access points. This means that whoever set the network up for these stores did not do a proper job in securing said network. Also, why the HELL were the systems used to process credit card transactions on the same insecure wireless network? There is NO excuse for that. I'm not excusing what these guys did, but once again we have a case where whoever setup the hardware in these places needs to be held for criminal negligence.
Re:Better Article (Score:5, Insightful)
whoever setup the hardware in these places needs to be held for criminal negligence
IANA(legal scholar), but this doesn't seem to fit the definition of criminal negligence for two reasons:
1) Doing a bad job at something and allowing others to come to harm isn't enough. Essentially, you must be aware of the risk of your actions (or inaction), or you must intentionally allow yourself too little information to make a proper decision.
2) I'm pretty sure that once you commit a negligent act, it has to be nature that takes something "the rest of the way." If your act simply allows someone else to commit a crime, then the crime falls the perpetrator, not you.
Keep in mind too, that I'm talking about criminal negligence. You can sue in civil courts on a much broader basis.
In fact, I find your entire comment rather ironic, since you imply that the recent crimes will be an excuse for some 1984-state to implement "MORE draconian measures," but then go on to suggest criminalizing what is essentially poor job performance.
Re: (Score:2)
Re: (Score:2)
As I understand the case, the criminals installed network sniffers at the retail network headquarters of these companies, and simply sniffed the unencrypted cleartext credit card numbers going across the wire.
I don't think it would be unreasonable to prove that the
Re: (Score:2)
If you think it's scary for banks, fire up kismet near a doctor's or lawyer's office sometime.
Billing department infiltration (Score:1)
I've always wondered how safe you are when paying utility bills over the phone using a tone phone, like if someone finds a connection at the call centre which takes the card number and listens to tones of card numbers/expiry dates/verification numbers flowing through the line. Maybe it's a little more secure than my paranoid mind thinks, maybe someone knows a little detail on what's involved with these systems?
Re:Billing department infiltration (Score:4, Interesting)
Here's a link to a DIY hardware version: http://www.bobblick.com/techref/projects/tonedec/tonedec.html [bobblick.com] And a quick search should turn up software solutions, or you could write one yourself since the tones are standard. Wiki lists all the tones: http://en.wikipedia.org/wiki/DTMF#Keypad [wikipedia.org]
Re: (Score:2)
Slashdot is days behind the news (Score:5, Insightful)
There used to be a time when you read tech-news first on slashdot. Nowadays I read it in my (Dutch) newspaper first (yep, the paper one that they actually have to print and deliver first) end a few days later it appears in /.
What the hell is wrong?
Re: (Score:1)
Re: (Score:1, Informative)
Beats me. A while back you could tell the BBC's sci/tech section was taking cues from /., and now it's one to four weeks before the same news show up here, and usually linked to 'articles' with a lot less info.
July 8 http://news.bbc.co.uk/1/hi/sci/tech/7495961.stm [bbc.co.uk]
Aug 4 http://science.slashdot.org/article.pl?sid=08/08/03/200240 [slashdot.org]
Re: (Score:2)
There used to be a time when you read tech-news first on slashdot.
If it's any consolation, this appears to be a quasi-dupe of this story [slashdot.org] from a few days ago. It's not the same article, but it's the same event. Slashdot wasn't days behind until they posted the dupe.
Re: (Score:2)
Was the ring working in a windowless environment? (Score:5, Funny)
;-)
Re: (Score:2)
The NES version, or the Apple ][ version?
Who foots the bill? (Score:3, Interesting)
So, who foots the bill for this? The retailer, the credit card comany / debit card issuer, or the customer?
Re:Who foots the bill? (Score:5, Funny)
So, who foots the bill for this? The retailer, the credit card comany / debit card issuer, or the customer?
The credit card company raises my rates to cover their expenses, the government uses my taxes to pay for the investigation and prosecution, looks like I'm paying for it!
Drinks for everyone! Here, use my card!
Re:Who foots the bill? (Score:4, Insightful)
So, who foots the bill for this? The retailer, the credit card comany / debit card issuer, or the customer?
The credit card company raises my rates to cover their expenses, the government uses my taxes to pay for the investigation and prosecution, looks like I'm paying for it!
Dude, the customer pays for everything one way or another -- haven't you figured that out by now?
Re: (Score:3, Insightful)
Defendant worked for the Secret Service (Score:5, Interesting)
-- In about 2003, Gonzalez and others found an unencrypted wireless access point at a BJ's Wholesale Club store. BJ's reported a breach of its computer networks in early 2004.
-- In 2004, other members of the ID theft ring compromised an OfficeMax wireless access point in Miami, and they were able to steal credit card data. After law enforcement officials in 2006 identified OfficeMax as the victim of a data breach, the company said it hired an outside auditor to conduct an investigation and found no evidence of a security breach. An OfficeMax spokesman didn't immediately return a message seeking comment.
So either the Secret Service was letting this go on just so they could make one bust, or they had no idea that their own informant was committing major breaches while under their supervision. Also, how stupid is this guy that he didn't even stop breaking the law after getting busted and becoming an informant? Some people are just begging to be sent to prison, and it looks like the prosecuters are going to grant his wish. For the rest of his life if they have their way.
P.S.: The Threat Level post [wired.com] with the info about him being an informant also contains a link [wired.com] to another case about another informant who was stealing social security numbers while working on a computer inside the Secret Service offices.
The usdoj.gov website seems to be down for me at the moment but should come back up eventually.
Re: (Score:2)
Re:Defendant worked for the Secret Service (Score:5, Informative)
I believe his point is, they were supposed to be former criminals, in the past tense. Law enforcement's job is to see that they stay that way, not to go run amok with 40+ million credit cards.
In the case of the other informant he linked, the guy stole information directly from the Secret Service office's computers while the agents are on duty (though probably off viewing porn while the informant conducts non-authorized criminal activity). Mind you, they had a huge monitor displaying whatever the informant was doing on there aside from keylogging. Seriously, that's a huge lax on monitoring, if they can't even watch an informant in their own office. Makes you wonder if they are even capable of doing their jobs.
He's basically saying that this bust is just a front for the US government cleaning up a mess they created in 2003 by not initially locking this guy up or restricting his computer access/monitoring him more closely.
One other thing, the informant did absolutely no time for all previous criminal activity he conducted before turning informant, after his initial arrest in 2003 (which according to the FBOP inmate tracker [bop.gov], he is 27). Thus, he could have been doing this for some time. Basically, he got a free pass on whatever crime he did before his intial arrest, plus almost five more years of reeking havoc on the banking system. This is in sharp contrast to what most people would assume "informing" is, where a criminal cuts a deal for reduced time or perhaps probation/house arrest, but still gets charged. This guy however has not been charged, until now.
Re: (Score:3, Interesting)
Time to wakey wakey young one, the world is more complicated than your parents told you...
In order to catch a thief, law enforcement officials will use people who are criminals themselves. When, in the course of an investigation, they have enough evidence to put away suspect A, A will often turn over information on other people the government wants to put away more. As the leaders of criminal organizations usually protect themselves by passing orders on to underlings & often do not commit overtly illega
Re: (Score:3, Insightful)
Uh, no. It is law enforcement's job to apprehend people who have committed a crime. It is not their job to ride shotgun on people who have in the past committed crimes, only to catch them again if they repeat.
Re: (Score:2)
priceless (Score:5, Funny)
hacking ring responsible for stealing more than 40 million credit and debit card numbers from retail organizations in the US have been caught and charged.
To which they replied.. "put it on the card"
This was in Wednesdays newspaper! (Score:2, Informative)
This was in Wednesdays newspaper!
Kill some trees! Better than Slashdot!
Re:This was in Wednesdays newspaper! (Score:5, Informative)
This was in Wednesdays newspaper!
It was also in Tuesday's /. [slashdot.org]
Are they trying to freshen up Captain Planet? (Score:1)
one time CC numbers (Score:3, Insightful)
Re:one time CC numbers (Score:4, Informative)
If you don't feel you are getting your money's worth from the annual fee, you should consider switching to one of the hundreds (thousands?) of cards available without an annual fee.
Re: (Score:2, Insightful)
Maybe he/she was referring to the merchant fees (the part that actually goes to VISA). These are (for me) $0.50 transaction and 2% of gross.
Don't worry though, it's the customers, credit cards or no, that pay these fees in the end. SInce profits are low enough and it is a competitive business, without the fees, prices would be lower.
Re: (Score:2)
How's that going to work when you're out at a store? For online shopping it's real easy, but when you're waiting in line at the supermarket?
One time CC numbers can be abused too (Score:2)
Good - Hang the fsckers (Score:2, Interesting)
Wow, Ring of Hacking +3 (Score:1, Funny)
Is this something I can buy in World of Whorecraft?
(I hope this isn't about golf hackers...)
Deja Vu (Score:1)
Re: (Score:2)
Thank you. I was just about to post the exact same comments.
Sort of Frightening (Score:4, Insightful)
The people arrested were in several nations. What is unusual and a bit frightening is that it seems like they were able to get arrest warrants or whatever was needed crossing international lines really quickly. It almost seems like some uber government organization was at work on this affair.
Re: (Score:2)
What is unusual and a bit frightening is that it seems like they were able to get arrest warrants or whatever was needed crossing international lines really quickly.
What makes you think it was quick. It doesn't hit the news until after the announcement, which is after the bust. If it takes two hours, two weeks, or two months to push the paper the visible timing is the same.
Until more information comes out the only date you have to put a limit on how much time it took is the time of the crime.
It almost see
Re: (Score:2)
Only seems to be the case if they happen to cross over into a pro-western country. If you want to break the law, appearently it's relative safe in the former Soviet states.
Suspects seem to be relatively safe so far in m
Re: (Score:2)
Innocent until proven guilty? (Score:1, Interesting)
You wouldn't think so from the summary. So much for the presumption of innocence.
This is entirely for show (Score:2)
This really is entirely for show politically. There are too many strategic positions up for grabs in November that just spoke volumes of "We need to look good"... Yea, I'm speaking to some republicans out there! You know who you are. Who's eyes are you trying to pull wool over??
Fact is there is too much of this out there and these guys are not the only fish out there.
Bail was set at $10,000,000 each... (Score:2, Funny)
This is why I only buy online. (Score:2)
Re:Hacking? (Score:5, Informative)
1. (computing) Unauthorized attempts to bypass the security mechanisms of an information system or network.
Hack [merriam-webster.com]
You may prefer to use other definitions yourself, but the usage here is perfectly correct.
Re:Hacking? (Score:5, Informative)
Re:Hacking? (Score:5, Funny)
kick to the chest
Re: (Score:2)
Shouldn't that be "boot to the head"?
Re: (Score:1)
Re: (Score:3, Informative)
Re: (Score:2)
Trust me, linking to Eric S. Raymond's tiresome ramblings should never be necessary.
Re: (Score:1)
Ouch, looks like I hit a nerve...
Re: (Score:2, Funny)
Re: (Score:2)
hacking comes from german "hacken" which means to chop, so a hacker is actually a lumberjack (and is okay).
Re: (Score:1)
Re: (Score:3, Insightful)
Dear hackers,
You can't own a word. Get over it.
Re: (Score:1)
Re: (Score:1)
"Word to your mom?"
Re: (Score:2)
Re: (Score:3, Interesting)
Re: (Score:3, Informative)
Re: (Score:2)
there is no dupe.
There is new dope? Where?!
It is sad (Score:1)
Re: (Score:1)
Re: (Score:1)
Don't forget all the hard hacks too. They're fun, a challenge and (mostly) even legal.
Signed
An Electronic Eng Student
Re: (Score:1)
Don't forget about hard hacks and hard hackers... They're fun, a challenge and (mostly) even legal... :-)
Re: (Score:1)