Slashdot Mirror


11 Charged In TJX, Other Breaches

coondoggie writes "The Justice Department has charged 11 people in connection with the massive theft of credit card numbers from various retailers, including TJX, BJs and OfficeMax. Authorities say the group charged was involved in the theft of more than 40 million credit and debit card numbers. In an indictment returned today by a federal grand jury in Boston, Albert 'Segvec' Gonzalez, of Miami, was charged with computer fraud, wire fraud, access device fraud, aggravated identity theft, and conspiracy for his role in the scheme. Others indicted are from the US, Estonia, China, and Belarus." We've been following the TJX breach since the beginning.

77 comments

  1. Weird by Anonymous Coward · · Score: 0

    Seems nobody cares.

    1. Re:Weird by Anonymous Coward · · Score: 0

      I care

    2. Re:Weird by seanonymous · · Score: 1

      and I don't drink!

  2. And here I was by thermian · · Score: 1

    Thinking I'm silly for not having a credit card.

    I kind of need one nowadays, but this kind of thing scares me shartless. How easy would it be to get fiscally wiped out by this kind of thing?

    --
    A learning experience is one of those things that say, 'You know that thing you just did? Don't do that.' - D. Adams
    1. Re:And here I was by FireStormZ · · Score: 2, Informative

      What you could do is obtain a low-balance secured credit card for things you do online. A secured balance of, say, $500 to $1,000 would be enough for most people and would be the most you could lose.

      --
      "Ahh! Arrogance and stupidity in the same package, how efficient of you!" --Londo Molari
    2. Re:And here I was by smashin234 · · Score: 5, Insightful

      Except that as long as you keep yourself covered by reporting fraud early, you don't get charged for those purchases that were not yours. Being responsible with a credit card is the answer, not burying your head in the sand.

    3. Re:And here I was by 4D6963 · · Score: 1

      Thinking I'm silly for not having a credit card.

      I kind of need one nowadays, but this kind of thing scares me shartless. How easy would it be to get fiscally wiped out by this kind of thing?

      Following the same logic that's why I don't have a car, the risk being much more important and the consequences being much more grave. This being put in perspective, I have a credit card. Let me guess, you have a car? ;-)

      --
      You just got troll'd!
    4. Re:And here I was by thermian · · Score: 1

      I didn't know there was such a thing. I've been avoiding credit cards and (to my bank's bizarre frustration) overdrafts for years.

      Two years back they actually threatened to not let me withdraw money from the ancient savers account I've been using for almost 15 years if there was less than £500 in it, to try and get me to accept their account with a credit card and overdraft.

      I was a bit incredulous, and requested that they close the account (requested loudly, clearly, and very politely, in front of all the other customers). At which point they (or rather the arrogant teller) backed down.

      It seems to me they don't want you if you aren't in Debt.

      Also
      +5 for choice of Sig.

      --
      A learning experience is one of those things that say, 'You know that thing you just did? Don't do that.' - D. Adams
    5. Re:And here I was by oldspewey · · Score: 5, Insightful

      How easy would it be to get fiscally wiped out by this kind of thing?

      I've had a credit card "compromised" twice over the last ~10 years. In the first case, I noticed the fraudulent charges on my statement and contacted the card issuer. They promptly reversed every single one of the charges and my liability was zero. In the second case, the card issuer actually phoned me to ask about a series of suspicious charges. My statement wasn't even due to arrive for another couple weeks. When I told them I had not made the purchases in question, they promptly reversed every single one of the charges and my liability was zero.

      IMO the real risk is identity theft - when a scammer gets hold of enough of your info to open accounts in your name, apply for credit, etc. It's never happened to me but I've heard it's a real nightmare to get corrected when it happens. Having a credit card may or may not make you more vulnerable to identity theft. I make it a policy to use a shredder on any paperwork that could potentially be used to build a profile on me ... nothing goes straight into the trash.

      --
      If libertarians are so opposed to effective government, why don't they all move to Somalia?
    6. Re:And here I was by QuantumRiff · · Score: 5, Informative

      Actually, with a proper credit card (not a debit card) you are not responsible for charges that are not yours. If you lose your card and report it missing, the most that can be charged to you is $50. For fraud, you have to file a police report and report it to your bank, but you should not be responsible for paying it. However, you might spend a lot of time filling out that paperwork, disputing problems on your credit history because of it, etc. These protections do not exist for most checking, savings, or debit accounts.

      If you order something online, and it doesn't get delivered or whatever, most card companies will allow you to request a charge-back, where they just reverse the charge, and then it is up to the merchant to deal with your card company...

      --
      What are we going to do tonight Brain?
    7. Re:And here I was by thermian · · Score: 1

      Let me guess, you have a car? ;-)

      Nope, never learned to drive, never needed to. I have a bicycle.

      --
      A learning experience is one of those things that say, 'You know that thing you just did? Don't do that.' - D. Adams
    8. Re:And here I was by Anonymous Coward · · Score: 0

      And,

      Many check cards also now have protection..

    9. Re:And here I was by KernelMuncher · · Score: 1

      You are protected for a wide range of fraudulent charges. For instance my credit card number was recently stolen and a large purchase was initiated at a popular web site. My credit card company denied the charge since it was so out of character for my spending patterns. Then they contacted me to ask if the charge was legitimate. I didn't lose a cent over the matter. The only hassle was having to replace the credit card. Their fraud detection algorithms are getting more and more sophisticated - which leads to better consumer protection.

    10. Re:And here I was by skeeto · · Score: 1

      If you lose your card, and report it missing, the most that can be charged to you is $50.

      And if you only lose the number but still possess the physical, real card (i.e. someone wrote down your credit card number or something), you are responsible for no more than $0.

    11. Re:And here I was by BronsCon · · Score: 2, Interesting

      Having horrible credit has made me significantly less vulnerable for years.

      A friend and I were robbed at gunpoint once after a night out. We had both started a new job that day and had our social security cards on us (employer needed copies, we went out immediately after work), check books and, obviously, drivers' licenses, everything.

      This was about 6 years ago. We're still both cleaning up our credit. Him, from identity theft. Me, from my own stupidity; they weren't able to open a single account in my name.

      Sadly, it appears that I'll be free and clear long before he will.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    12. Re:And here I was by Anonymous Coward · · Score: 0

      This is no longer the case. Most debit cards from the have the same fraud protections as a credit card. Check your bank's web site or give them a call to make sure you are safe.

    13. Re:And here I was by aztektum · · Score: 0, Flamebait

      Bah that's nothin', I keep that stuff in a pile specifically for lighting the grill with my chimney starter :)

      --
      :: aztek ::
      No sig for you!!
    14. Re:And here I was by ivan256 · · Score: 2, Informative

      Harder than you'd think.

      If you use credit responsibly, and have a reasonable fallback of savings, the worst case is a temporary loss of access to credit. You aren't liable for this type of fraud if it happens to you. It's just that three month period of proving it was fraud that would suck if you depend on your credit card to live day to day.

      I had my credit card info stolen as part of the TJX breach. Whoever ended up with the data maxed out my card in an internet cafe in Paris ($6200 over two days... In an internet cafe...). There was a lot of paperwork and phone calls, but the overall outcome was that I didn't have access to $6200 in credit for 90 days, and I was slightly hassled.

      It is ridiculously unlikely that you are going to get your identity stolen in such a way that you will be completely, irrecoverably wiped out... And having a credit card doesn't really increase your chances of that all that much. They can do that to you even if you don't have a credit card.

    15. Re:And here I was by Tenebrousedge · · Score: 1

      See, because you own a car, that means that you are capable of accepting a small risk to reap a large benefit. To use a car analogy...

      ...oops. fuck, never mind. Maybe we can try another smug assumption posing as an argument? How about, "Let me guess, you are left-handed? ;-)"?

      "Let me guess, you vote libertarian? ;-)"?

      "Let me guess, you welcome our non-car-owning pedestrian overlords? ;-)"?

      I like the last one.

      --
      Those who advocate genocide deserve every protection afforded by law, and none afforded by common human decency.
    16. Re:And here I was by Anonymous Coward · · Score: 0

      It's good to shred, but ID thieves are too lazy to go digging through the trash as a rule. In my case, all my info was simply stolen from my university records by an employee, doubtless along with many others. So just because you're doing the right things, doesn't mean you're not going to get hit. I didn't lose any money, but I lost a lot of time straightening it out. And now I'm an AC...

    17. Re:And here I was by ardle · · Score: 1

      Having horrible credit has made me significantly less vulnerable

      Thanks, I've been trying to convince myself of that - for years ;-)

    18. Re:And here I was by StatusWoe · · Score: 1

      Agreed. My wife recently had her credit card # stolen, along with her full name and address (though the latter is in the phone book and is hardly stealing).

      Credit card company reversed all charges, no questions asked. I'm annoyed that they and the police refused to attempt to catch the thieves, but still, no issues with the credit... until they started opening cell phone accounts using JUST the name and address, not even requiring the credit card #, which I think is total BS.

      I did receive some of the bills from different accounts that had been opened up, some of which contained repeated calls to the same landline in residential Montreal. Police still refuse to do anything, but I didn't really expect any help from them.

      Rule #1 if any ID materials get stolen call and get a fraud alert on your credit reports immediately and save yourself a world of trouble.

      --
      "drink deeply the illusion of your safety"
    19. Re:And here I was by MRe_nl · · Score: 1

      Shouldn't that be
      "I for one welcome our non-creditcard owning pedestrian overlords" ;-)?

      --
      "Kill 'em all and let Root sort 'em out"
    20. Re:And here I was by Alpha830RulZ · · Score: 1

      How easy would it be to get fiscally wiped out by this kind of thing?

      Not very, actually. Your protections are fairly good when someone gets your CC #. Yeah, you'll be in for a hassle protesting the charges, but you don't have to pay the bill on the disputed charges. This is a better situation than if they got your debit card info, in which case they can clean your bank account out.

      I -never- use my ATM card for payments for this reason.

      --
      I was taught to respect my elders. The trouble is, it's getting harder and harder to find some.
    21. Re:And here I was by StatusWoe · · Score: 1

      hehe, appropriately flame-bait

      nice work on whomever modded that

      --
      "drink deeply the illusion of your safety"
    22. Re:And here I was by thermian · · Score: 1

      "Let me guess, you welcome our non-car-owning pedestrian overlords? ;-)

      You've got me there..

      --
      A learning experience is one of those things that say, 'You know that thing you just did? Don't do that.' - D. Adams
    23. Re:And here I was by Beryllium+Sphere(tm) · · Score: 2, Insightful

      The shredder is good advice. Also make sure your physmail gets delivered to something that locks, like a PO box or an apartment mailbox. Mail theft from those Leave It To Beaver on-street mailboxes is a real problem.

    24. Re:And here I was by BronsCon · · Score: 1

      I turned 26 in December last year. I got my first credit card in March of this year, through no lack of trying.

      Yes. Bad credit really does work.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    25. Re:And here I was by mea_culpa · · Score: 1

      Being a victim of ID theft, I agree and would go a step further to suggest canceling any debit card you have. They are worthless to the account holder and valuable only to the bank.

      Banks only care about their money (Credit Cards) not yours (Check/Debit cards) and don't give a damn when it's your money that gets taken and will do only the minimum they are required to assist you, often times charging a 'research fee' of $100 or more to 'look into' each discrepancy.

      It still sucks when someone gets hold of your credit card, but it is only 1% of the potential suckage of getting your debit card compromised.

    26. Re:And here I was by Anonymous Coward · · Score: 0

      Debit cards do NOT have the same consumer protections. Some banks may have policies that are similar, but they are not identical. Two tests to see if those protections are the same:

      1) Buy something, then return it immediately. When you return something, does the credit post immediately (or the next day)? In most cases, the bank keeps your funds frozen until the return actually posts. With a credit card, the settlement process usually balances things out.

      2) If you lose control of your card, and DON'T notify the bank promptly, see if they do honor the $50 liability claim. With a credit card, it doesn't matter. With a debit card, the onus of proof is on you (and, your checking account has already been debited, leading to other unpleasantness)

      Just say NO to debit cards. If you can balance your checkbook, you can keep track of indebtedness and not exceed what your budget allows.

    27. Re:And here I was by BigLonn · · Score: 1

      You're correct, they aren't responsible if it's a proper credit card. The point is the credit card companies are on the hook for these charges, and yes, they will pass these expenses back to you and me somehow.

  3. It always gives me the warm and fuzzies when by FireStormZ · · Score: 2, Insightful

    guys like this get caught, this is why I seldom do anything important off wire, even on my own wireless network...

    "The indictment alleges that during the course of the sophisticated conspiracy, Gonzalez and his co-conspirators obtained the credit and debit card numbers by "wardriving" and hacking into the wireless computer networks of major retailers - including TJX Companies, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW."

    If your going to offer a service for the love of God do at least something to make it safe, wide open wireless as a 'perk' is like led tainted lemon aid.

    --
    "Ahh! Arrogance and stupidity in the same package, how efficient of you!" --Londo Molari
    1. Re:It always gives me the warm and fuzzies when by Anonymous Coward · · Score: 0

      If you're going to offer a service, for the love of God, do at least something to make it safe; wide-open wireless as a 'perk' is like lead-tainted lemonade.

      --A. Coward, Oberleutenant 1. Gruppe Grammatik-SS

  4. And this was all..... by ragethehotey · · Score: 5, Interesting

    Because they transmitted customers credit card information in plaintext over an unsecured wireless connection. Not saying they shouldn't be held responsible for their incompetence, but I'm shocked that they actually had to pay out $60,000,000 for it instead of just passing the blame.

    1. Re:And this was all..... by darkmeridian · · Score: 2, Informative

      This isn't true. TJX did not transmit credit card information over plaintext. This would have been better than what they actually did. TJX did something dumber: it transmitted the keys to the store server via WEP. The bad guys were able to use this to sign into the store server, then access the main server, and then put in a backdoor to capture all the credit card info used in all stores as opposed to that one store.

      --
      A NYC lawyer blogs. http://www.chuangblog.com/
    2. Re:And this was all..... by The+Breeze · · Score: 3, Informative

      Actually, if memory serves, the TJ Maxx connection was a wireless link between two buildings - it was a WEP connection. So, yeah, it was encrypted, but it only took them about 10 minutes to crack it. Too bad the company was too lazy to use WPA. The other interesting part about this (again going from memory) is that they popped the back cover off one of those "Apply for a Job" kiosks in the store, and lo and behold, the job kiosk was on the hardwire, unencrypted network. Oops. And then the bad guys plugged in a USB key with a bootable Linux system on it. Double oops. They then had access to everything on the corporate network. Everything. Triple oops.

      -Steve

    3. Re:And this was all..... by Anonymous Coward · · Score: 0

      "unsecured wireless connection" sorry you are wrong about this...way wrong. That's all I can say...

  5. WTF is "aggravated identity theft" by TheRealMindChild · · Score: 0, Offtopic

    Seriously. WTF is "aggravated identity theft"? The only logical thing I can come up with is that he held someone up with a gun or something to steal their credentials. But then wouldn't this in fact BE "aggravated assault" + "identity theft"? My comprehension that they actually made one law by merging two other already illegal things just doesn't sit well.

    --
    "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    1. Re:WTF is "aggravated identity theft" by Otter · · Score: 1

      A number of offenses come in "aggravated" flavors, not just assault.

    2. Re:WTF is "aggravated identity theft" by SirGarlon · · Score: 1

      charged with computer fraud, wire fraud, access device fraud, aggravated identity theft,

      The optimist in me says maybe it's like the way the Eskimo language has 15 different words for "snow."

      The pessimist in me says Congress simply outlawed the same crime in four different laws because the last law they passed obviously didn't make the crime stop happening...

      --
      [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
    3. Re:WTF is "aggravated identity theft" by fishbowl · · Score: 1

      >The optimist in me says maybe it's like the way the Eskimo language has 15 different words for "snow."

      I've never understood what was supposed to be strange about that. Don't you know any snowboarders? They have different words for snow too.

      --
      -fb Everything not expressly forbidden is now mandatory.
    4. Re:WTF is "aggravated identity theft" by Anonymous Coward · · Score: 0

      > I've never understood what was supposed to be strange about that.

      Gee-whiz fascination with foreign exotic cultures? Who knows. It's not like we don't also have many words for snow...
      hardpack, slush, sleet, powder, avalanche, crust, permafrost, glacier, flurries, blizzard, hail, dusting, snowdrift, and so on.

    5. Re:WTF is "aggravated identity theft" by Fulcrum+of+Evil · · Score: 1

      The optimist in me says maybe it's like the way the Eskimo language has 15 different words for "snow."

      No, they have an agglutinative language where you tack lots of descriptive stems onto a root to make your words. It's like German, where whole phrases turn into a single word.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    6. Re:WTF is "aggravated identity theft" by billcopc · · Score: 2, Funny

      They have different words for snow too.

      What does cocaine have to do with any of this ? :P

      --
      -Billco, Fnarg.com
  6. aggravated identity theft: defined by deft · · Score: 3, Informative

    let me guess, not a lawyer?

    http://www4.law.cornell.edu/uscode/18/usc_sec_18_00001028---A000-.html

    (a) Offenses.--
    (1) In general.-- Whoever, during and in relation to any felony violation enumerated in subsection (c), knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person shall, in addition to the punishment provided for such felony, be sentenced to a term of imprisonment of 2 years.
    (2) Terrorism offense.-- Whoever, during and in relation to any felony violation enumerated in section 2332b (g)(5)(B), knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person or a false identification document shall, in addition to the punishment provided for such felony, be sentenced to a term of imprisonment of 5 years.

    (c) Definition.-- For purposes of this section, the term "felony violation enumerated in subsection (c)" means any offense that is a felony violation of--
    (1) section 641 (relating to theft of public money, property, or rewards [1]), section 656 (relating to theft, embezzlement, or misapplication by bank officer or employee), or section 664 (relating to theft from employee benefit plans);
    (2) section 911 (relating to false personation of citizenship);
    (3) section 922 (a)(6) (relating to false statements in connection with the acquisition of a firearm);
    (4) any provision contained in this chapter (relating to fraud and false statements), other than this section or section 1028 (a)(7);
    (5) any provision contained in chapter 63 (relating to mail, bank, and wire fraud);
    (6) any provision contained in chapter 69 (relating to nationality and citizenship);
    (7) any provision contained in chapter 75 (relating to passports and visas);
    (8) section 523 of the Gramm-Leach-Bliley Act (15 U.S.C. 6823) (relating to obtaining customer information by false pretenses);
    (9) section 243 or 266 of the Immigration and Nationality Act (8 U.S.C. 1253 and 1306) (relating to willfully failing to leave the United States after deportation and creating a counterfeit alien registration card);
    (10) any provision contained in chapter 8 of title II of the Immigration and Nationality Act (8 U.S.C. 1321 et seq.) (relating to various immigration offenses); or
    (11) section 208, 811, 1107(b), 1128B(a), or 1632 of the Social Security Act (42 U.S.C. 408, 1011, 1307 (b), 1320a-7b (a), and 1383a) (relating to false statements relating to programs under the Act).

    --

    There's nothing Intelligent about Intelligent Design.
  7. Good! by Anonymous Coward · · Score: 0

    Now. Time to make an example of the fraudsters. Give them the longest time in jail possible by law, preferably in cells shared by men who call themselves Bubba. Then. Time the credit card companies sued TJX and other companies with insufficient concern for customers' online security.

    1. Re:Good! by Nos. · · Score: 3, Informative

      They'll have a heck of a time suing when they knew beforehand of the sloppy security measures and actually gave them an extension on PCI compliance: http://www.darkreading.com/document.asp?doc_id=138838

    2. Re:Good! by billcopc · · Score: 1

      I'd rather see the fraudsters and every incompetent up the chain, be forced to work the customer service call center, dealing with fraud complaints 16 hours a day, 7 days a week for the duration of their sentence. Watch them get yelled at by psychotic soccer moms for hours on end, dealing with the aftermath of their own crooked acts.

      Jail ain't worth shit. It doesn't reform, it doesn't produce any results. Make these fuckers pay, just like we suffer every day for the bullshit that goes on in the world.

      --
      -Billco, Fnarg.com
    3. Re:Good! by heteromonomer · · Score: 1

      lol! mod theup!

  8. Legal speak for really bad... by FireStormZ · · Score: 5, Informative

    http://en.wikipedia.org/wiki/Aggravation_(legal_concept)

    Aggravation, in law, is "any circumstance attending the commission of a crime or tort which increases its guilt or enormity or adds to its injurious consequences, but which is above and beyond the essential constituents of the crime or tort itself."[1]

    --
    "Ahh! Arrogance and stupidity in the same package, how efficient of you!" --Londo Molari
  9. Aggravated Identity Theft by AP31R0N · · Score: 1

    Does that mean it won't heal by just spending a blood point or two? Maybe they should call it aggravating identity theft. (not serious)

    What makes a crime aggravated? (serious)

    --
    Utilizing the synergization of benchmark e-solutions to pre-workaround action items!
  10. Separate charges per card? by tsstahl · · Score: 1

    Pun intended. I wonder if they can be charged for each INSTANCE of a fraudulent charge. Several thousand years behind bars, consecutive would suit my taste for vengeance. Yes, I know that prison is supposed to be about rehabilitation, not revenge, but still...

    1. Re:Separate charges per card? by Pincus · · Score: 1

      Yes, I know that prison is supposed to be about rehabilitation, not revenge, but still...

      Not entirely true. Prison is also about public safety and punishment. Given the number of repeat offenders, it's difficult to argue that the rehabilitation angle works. These guys need to be locked up for a while to ensure that they can't do it again and because every action has a consequence. That said, hundreds of years of consecutive imprisonment is overkill, and overkill is bad. It's the reason the death penalty is rarely (1 state, I think) available in rape cases. It motivates the assailant to kill the victim, eliminating a witness. The punishment needs to fit the crime as it fits in the scale of "bad things done".

  11. Was it... by BobMcD · · Score: 4, Funny

    Gonzalez and others were allegedly able to conceal and launder their fraud proceeds by using anonymous Internet-based currencies both within the United States and abroad, and by channeling funds through bank accounts in Eastern Europe, the DOJ said.

    ...WoW gold?

    1. Re:Was it... by Coraon · · Score: 1

      it trades higher than the American dollar now.

      --
      -Ours is the wisdom of Solomon, the magic of Merlyn, the fall of Icaris.
    2. Re:Was it... by Anonymous Coward · · Score: 0

      and just as "real"

    3. Re:Was it... by Anonymous Coward · · Score: 0

      It's an amazingly scary, real way to conceal fraud; it shouldn't be modded as funny.

  12. goodluckwiththat by PseudoLogic · · Score: 1

    From TFA:"Others indicted are from the US, Estonia, China, and Belarus". Yeah, good luck with that. I'm sure those countries will have no problem handing people over.

    --
    Insert witty comment here
  13. I used to work at one of them by Anonymous Coward · · Score: 1, Informative

    And still work in retail security. At least two of these companies did not transmit data in the clear, and in the case of debit pins, none of them did. The debit PIN standard was developed after the old ISO 8583 clear text credit transmission standard. (Yes the iso credit auth format was unencrypted. http://en.wikipedia.org/wiki/ISO_8583. Some credit processors still require it.)

    Your processor has to verify your setup before it goes into production, and debit card readers all require the hardware injection of keys. All PAPB verified hardware has to be injected in a secure facility, so it's not possible to buy debit pin pads that fail to meet the standard without collusion between the manufacturer, acquiring bank, and the merchant.

    This really scares the crap out of me, since it implies either the keys were compromised, or the debit card readers have a hidden debug mode. Possibly the corporate credit switch which re-encrypts the data before sending it to the authorizing bank was compromised, but most of these things run on obscure platforms like Tandem mid frames with self-destructing Attalla encryption processors and are purpose built. We used no wireless, we had no cleartext.

    Skimmers are not possible for the pin pad like they are for the swipe (that's why ATMs now have a "tongue", so you can't stick on a skimmer). We looked for cameras, but the cards were used in hundreds of stores in a 13 state or so region. I suspect it appeared to be regional because banks are regional and not all banks noticed.

    I worked with the security firm sent out by VISA to clean up these sorts of things, and some 3 letter agencies and we never found a breach. It scares me that you can manage a thing by best practices, to the state of the art, and still not know what happened. I know we did some things poorly, but we handled debit pins in a textbook perfect way.

    I hope the method used to capture the debit pins becomes known, I still have retail networks to secure.

    1. Re:I used to work at one of them by plover · · Score: 1

      I hope the method used to capture the debit pins becomes known, I still have retail networks to secure.

      As you no doubt are aware, most debit PINs are encrypted using DUKPT for key exchange. But it wasn't until very recently that PCI PED required compliant devices to use 3DES, and not DES. Back when these attacks started showing up in 2004, plain-old DES was still an accepted standard. It's entirely possible that they could have brute forced the BDK with something like a meet-in-the-middle attack.

      These guys obviously had access to metric boatloads of computrons. They may even have hijacked the retailer's own computers to run a distributed key cracker!

      --
      John
    2. Re:I used to work at one of them by arglesnaf · · Score: 1

      DUKPT is derived unique key per transaction, and is most likely to be 3DES anyway.
      The old standard was Master/Session, which was more likely to use DES keys, but your point is still valid.
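
      The two posts above describe DUKPT as a derived-unique-key-per-transaction scheme over 3DES. As an added example (not code from the thread, and not the ANSI X9.24 DUKPT key-derivation algorithm itself), the Go program below uses an HMAC-SHA256 derivation from a constructed base key and a transaction counter as a stand-in for the real derivation, builds an ISO 9564 format 0 PIN block for a constructed PIN and PAN, and encrypts it with 3DES from the standard library. It shows the property a retail security engineer cares about: the same PIN block encrypts differently on every transaction, and the key for one transaction does not decrypt another.

```go
package main

import (
	"crypto/des"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Hex is a small helper so callers can compare byte slices as strings.
func Hex(b []byte) string { return hex.EncodeToString(b) }

// xorHex XORs two equal-length hex strings and returns the raw bytes.
func xorHex(a, b string) ([]byte, error) {
	x, err := hex.DecodeString(a)
	if err != nil {
		return nil, err
	}
	y, err := hex.DecodeString(b)
	if err != nil {
		return nil, err
	}
	if len(x) != len(y) {
		return nil, errors.New("length mismatch")
	}
	out := make([]byte, len(x))
	for i := range x {
		out[i] = x[i] ^ y[i]
	}
	return out, nil
}

// panField is "0000" + the 12 rightmost PAN digits, check digit excluded.
func panField(pan string) string { return "0000" + pan[len(pan)-13:len(pan)-1] }

// ISO0PINBlock builds an ISO 9564 format 0 PIN block: the PIN field
// "0<len><pin>FFF..." (16 hex digits) XORed with the PAN field.
func ISO0PINBlock(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 {
		return nil, errors.New("PIN must be 4-12 digits")
	}
	if len(pan) < 13 {
		return nil, errors.New("PAN too short")
	}
	pinField := fmt.Sprintf("0%X%s", len(pin), pin)
	pinField += strings.Repeat("F", 16-len(pinField))
	return xorHex(pinField, panField(pan))
}

// RecoverPIN reverses ISO0PINBlock on a decrypted block (what the host does).
func RecoverPIN(block []byte, pan string) (string, error) {
	pinField, err := xorHex(Hex(block), panField(pan))
	if err != nil {
		return "", err
	}
	h := strings.ToUpper(Hex(pinField))
	n := int(pinField[0] & 0x0F)
	if h[0] != '0' || n < 4 || n > 12 {
		return "", errors.New("not a valid format 0 PIN block")
	}
	return h[2 : 2+n], nil
}

// DeriveTxnKey stands in for the per-transaction derivation: a 24-byte
// (3-key 3DES) key from the base key and the transaction counter. This is a
// constructed HMAC derivation, NOT the X9.24 DUKPT algorithm.
func DeriveTxnKey(bdk []byte, counter uint64) []byte {
	var ctr [8]byte
	binary.BigEndian.PutUint64(ctr[:], counter)
	m := hmac.New(sha256.New, bdk)
	m.Write(ctr[:])
	return m.Sum(nil)[:24]
}

// EncryptPINBlock encrypts one 8-byte PIN block with 3DES under key.
func EncryptPINBlock(key, block []byte) ([]byte, error) {
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	if len(block) != c.BlockSize() {
		return nil, errors.New("PIN block must be 8 bytes")
	}
	out := make([]byte, c.BlockSize())
	c.Encrypt(out, block)
	return out, nil
}

// DecryptPINBlock is the host-side inverse of EncryptPINBlock.
func DecryptPINBlock(key, ct []byte) ([]byte, error) {
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct) != c.BlockSize() {
		return nil, errors.New("ciphertext must be 8 bytes")
	}
	out := make([]byte, c.BlockSize())
	c.Decrypt(out, ct)
	return out, nil
}

func main() {
	bdk := []byte("constructed-base-derivation-key") // constructed, never use a fixed key in production
	blk, _ := ISO0PINBlock("1234", "4111111111111111") // constructed test PIN and PAN
	for ctr := uint64(1); ctr <= 3; ctr++ {
		ct, _ := EncryptPINBlock(DeriveTxnKey(bdk, ctr), blk)
		fmt.Printf("txn %d: %s\n", ctr, Hex(ct)) // a different ciphertext each transaction
	}
}
```

      A leaked transaction key therefore exposes one PIN block, not the history of the terminal; the base key, which never leaves the injection facility and the host HSM, is what actually needs protecting.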

  14. Labor punishment by Pincus · · Score: 1

    This is exactly the sort of case where I wish the US had hard labor as a form of punishment. Let them work off the money they stole.

    1. Re:Labor punishment by Monkeyriot · · Score: 1

      Ok, 40 million credit cards at say $100 per card is $4,000,000,000 divided by 11 people at 40 hours a week for 20 years is $96,153.84 per hour. Heck of a wage.

    2. Re:Labor punishment by Pincus · · Score: 1

      While TFA only states that they would withdraw tens of thousands of dollars at a time, I'm skeptical that they could have done so to the tune of $4 billion.

      More likely, they stole something like $40mm - we'll say $44mm for the sake of simple math. That's $4mm per person, divided by 60 hours per week (40 hours isn't HARD labor) for 25 years.

      My math puts their wages just upwards of $50/hr. Let's make them earn it.

      Hell, make the punishment dollar based and say that they need to earn $4mm. Then tell them each widget they correctly build earns them $20. See how hard they are willing to work for their own freedom.

  15. We need authenticated transactions! by bobbuck · · Score: 1

    We need authenticated transactions using public key technology so that an account number or routing number is not sufficient to charge an account. The technology is dirt cheap now and could be built into cell phones. When you make a purchase, the vendor should send a payment request with a transaction number to you. You send a signed authorization back to the vendor, who then checks it against your balance and public key at the financial institution. Approval comes back and you're done. If someone uses the store records to get your account number, they still don't have your authorization for further purchases.

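    The flow bobbuck describes, as an added example that is not part of the original post or of any real payment network: the vendor issues a request carrying a fresh transaction number, the customer signs it, and the bank settles only if the signature verifies under the key registered for that account and the transaction number has not been seen before. Everything here is constructed for illustration: the account number, vendor id, balances and the `Bank` class are invented, and the signature scheme is textbook RSA (hash-then-exponentiate, no padding) written in pure Python only so the example runs offline; a real deployment would use RSA-PSS or Ed25519 from a vetted library.

```python
"""Toy signed-payment flow: the account number alone cannot authorize a charge."""
import hashlib
import json
import random
import secrets

# ---- minimal textbook RSA (toy: no padding; real systems use RSA-PSS or Ed25519) ----

def _is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=1024):
    """Return (public, private) = ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def _digest(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private, message: bytes) -> int:
    n, d = private
    return pow(_digest(message), d, n)


def verify(public, message: bytes, signature: int) -> bool:
    n, e = public
    return 0 < signature < n and pow(signature, e, n) == _digest(message)


# ---- the protocol from the post: request -> signed authorization -> bank check ----

def canonical(fields: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def vendor_payment_request(vendor_id, account, amount_cents):
    """Vendor step: a request carrying a fresh, random transaction number."""
    return {"txn": secrets.token_hex(16), "vendor": vendor_id,
            "account": account, "amount": amount_cents}


def customer_authorize(request, private):
    """Customer step (e.g. on the phone): sign the request exactly as received."""
    return {"request": request, "sig": sign(private, canonical(request))}


class Bank:
    """Hypothetical issuer: holds each account's balance and registered public key."""

    def __init__(self):
        self.accounts = {}
        self.seen_txns = set()

    def open_account(self, number, public, balance_cents):
        self.accounts[number] = {"key": public, "balance": balance_cents}

    def settle(self, authorization) -> bool:
        req, sig = authorization["request"], authorization["sig"]
        acct = self.accounts.get(req["account"])
        if acct is None:
            return False
        if not verify(acct["key"], canonical(req), sig):
            return False  # not signed by the key registered for this account
        if req["txn"] in self.seen_txns:
            return False  # replay of an already-settled authorization
        if req["amount"] > acct["balance"]:
            return False
        self.seen_txns.add(req["txn"])
        acct["balance"] -= req["amount"]
        return True


def demo():
    """Run the flow on constructed data; returns the outcomes and final balance."""
    bank = Bank()
    cust_pub, cust_priv = generate_keypair()
    bank.open_account("4111-0000-0000-0001", cust_pub, 10_000)  # constructed account

    req = vendor_payment_request("ACME-42", "4111-0000-0000-0001", 2_500)
    auth = customer_authorize(req, cust_priv)
    ok_first = bank.settle(auth)     # genuine authorization settles
    ok_replay = bank.settle(auth)    # same authorization again is refused

    # Thief has the account number (store records) but not the private key.
    _, thief_priv = generate_keypair()
    stolen = vendor_payment_request("ACME-42", "4111-0000-0000-0001", 2_500)
    ok_thief = bank.settle(customer_authorize(stolen, thief_priv))

    # Changing the amount after signing breaks the signature.
    tampered = dict(auth, request=dict(auth["request"], amount=1))
    ok_tampered = bank.settle(tampered)
    balance = bank.accounts["4111-0000-0000-0001"]["balance"]
    return ok_first, ok_replay, ok_thief, ok_tampered, balance
```

    The replay check on the transaction number is what stops a merchant (or anyone who captured the authorization in transit) from presenting the same signed message twice; without it, a signature scheme alone would only prove the first charge was genuine.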
    1. Re:We need authenticated transactions! by johndmartiniii · · Score: 1

      Agreed. Public keys have been used successfully for all sorts of less "sensitive" applications. Why not?

      --
      If you don't know what you're doing, you can't make mistakes.
  16. wire security by toby · · Score: 1

    I seldom do anything important off wire, even on my own wireless network...

    Because you run Windows, right? :)

    My advice is to use a secure proxy (e.g. over OpenVPN) if you are concerned about local eavesdropping (residence, ISP). I use a VPN for all browsing and email, even from home, but this is particularly advised when travelling and using unknown residential/hotel/office networks.

    --
    you had me at #!
  17. Treble Damages would be Fine by bill_mcgonigle · · Score: 1

    Pun intended. I wonder if they can be charged for each INSTANCE of a fraudulent charge. Several thousand years behind bars, consecutive would suit my taste for vengeance. Yes, I know that prison is supposed to be about rehabilitation, not revenge, but still...

    My wife's card got stung by the TJ Maxx fiasco. Hers was the one we use for automatic payments on various accounts. Since none of the vendors with whom we deal sent notice of expiration, and I wasn't keeping close track, between proactively and reactively dealing with this, I probably spent about 12 hours on it. If I were to bill that time @ $150/hr, they'd owe me $1800. A 3x multiple ($5400) for recompense due to those losses being incurred through the commission of a crime seems fair to me.

    So, multiply something like that by the number of aggrieved (take an average if necessary) and let them pay it back or work it off.

    Go ahead and credit mine to my account. Well, the $2 left after the lawyers take their cut anyway.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  18. Being from Miami by Ardipithecus · · Score: 1
    I like that the indictments were handed down to people in Miami, the US, Estonia, China, and Belarus.

    It is a different place.

  19. LMFAO by chyllaxyn · · Score: 0

    Slashdot editors are fuckless wonders !

  20. Who pays? by shadwstalkr · · Score: 1

    Can someone explain where the money comes from? The cardholders aren't responsible for the charges as long as they report them in time, the card company probably won't cover the charges, and the criminals won't be paying full restitution even if it's part of their sentence. So who pays for all this? Is it like counterfeit money added to the economy?

    1. Re:Who pays? by CodeBuster · · Score: 1

      So who pays for all this?

      Banks (who own the ATMs where the withdrawals occurred), merchants (if the thieves were able to use the cards before they were reported stolen), and all of us in the form of slightly higher bank fees and retail prices in the future as the banks and merchants attempt to make up for their fraud losses.

  21. TJX and BJS are sibling companies. Same flaw? by Anonymous Coward · · Score: 0

    TJ Maxx and BJs Warehouse club are essentially sibling companies, both having been spawned by the same parent company, the old Zayre department store chain.

    Zayre was kind of like a shabbier version of K-Mart, maybe something like today's Family Dollar. Zayre died about 20 years ago thanks to Walmart's relentless pressure.

    Anyway, Zayre was renowned for their idiotic management and piss-poor operations. It was a pathetic store that deserved to die, and did. But not before spinning off BJs and then mutating Zayre corporate itself into TJX.

    There is a LOT of old Zayre blood in both companies so I'd look there for some common flaw in the way they handle credit cards. I bet it's there.

  22. Something tells me... by dos4who · · Score: 1

    ... this guy isn't going to be the next Kevin Mitnick.

    --
    "Yes, I have a Disaster Recovery Plan. It's called my Resume"
  23. Corporate Negligence by Mr.+Lwanga · · Score: 1

    The cheapskate CEOs, CFOs, CTOs, CIOs, and PHBs should also be indicted for aiding and abetting, maybe a RICO charge for unintentional co-conspirators in stupidity.

    I am sure that these corporations went to the top of the list as targets of opportunity for "security consultants", hardware vendors and other information solution providers.

    An ounce of prevention ...

  24. Hang the fscker! by xgr3gx · · Score: 0, Flamebait

    I hope he suffers the same fate as the spam king

    --
    Shameless plug alert: Game server control panel
  25. Be careful, seriously by Mathinker · · Score: 1

    Geeks + bikes always makes me a bit nervous; one of my high school math teachers was killed in a traffic accident he had while biking to school, and then as an adult I read about Jerry Keiper dying similarly.

    And yes, being a fan of Bruce Schneier, I understand that this nervousness is probably not commensurate with the actual risks involved in traveling by bicycle.