Slashdot Mirror

← Back to Stories (view on slashdot.org)

11 Charged In TJX, Other Breaches

Posted by kdawson on from the wardriving-for-profit dept.

coondoggie writes "The Justice Department has charged 11 people in connection with the massive theft of credit card numbers from various retailers, including TJX, BJs and OfficeMax. Authorities say the group charged was involved in the theft of more than 40 million credit and debit card numbers. In an indictment returned today by a federal grand jury in Boston, Albert 'Segvec' Gonzalez, of Miami, was charged with computer fraud, wire fraud, access device fraud, aggravated identity theft, and conspiracy for his role in the scheme. Others indicted are from the US, Estonia, China, and Belarus." We've been following the TJX breach since the beginning.

9 of 77 comments (clear)

  1. Re:And here I was by FireStormZ · · Score: 2, Informative

    What you could do is obtain a low balanced secure credit card for things you do on-line. A secured balance of say 500 to 1,000$ would be enough for most people and would be the most you could lose.

    --
    "Ahh! Arrogance and stupidity in the same package, how efficient of you!" --Londo Molari
  2. Re:And here I was by QuantumRiff · · Score: 5, Informative

    actually, with a proper credit card (not a debit card) you are not responsible for charges that are not yours. If you lose your card, and report it missing, the most that can be charged to you is $50. For fraud, you have to file a police report, and report it to your bank, but you should not be responsible for paying it. However, you might spend alot of time, filling out that paperwork, disputing problems on your credit history because of it, etc.. These protections do not exist for most checking, savings, or debit accounts..

    If you order something online, and it doesn't get delivered or whatever, most card companies will allow you to request a charge-back, where they just reverse the charge, and then it is up to the merchant to deal with your card company...

    --

    What are we going to do tonight Brain?
  3. aggravated identity theft: defined by deft · · Score: 3, Informative

    let me guess, not a lawyer?

    http://www4.law.cornell.edu/uscode/18/usc_sec_18_00001028---A000-.html

    (a) Offenses.--
    (1) In general.-- Whoever, during and in relation to any felony violation enumerated in subsection (c), knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person shall, in addition to the punishment provided for such felony, be sentenced to a term of imprisonment of 2 years.
    (2) Terrorism offense.-- Whoever, during and in relation to any felony violation enumerated in section 2332b (g)(5)(B), knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person or a false identification document shall, in addition to the punishment provided for such felony, be sentenced to a term of imprisonment of 5 years.

    (c) Definition.-- For purposes of this section, the term "felony violation enumerated in subsection (c)" means any offense that is a felony violation of--
    (1) section 641 (relating to theft of public money, property, or rewards [1]), section 656 (relating to theft, embezzlement, or misapplication by bank officer or employee), or section 664 (relating to theft from employee benefit plans);
    (2) section 911 (relating to false personation of citizenship);
    (3) section 922 (a)(6) (relating to false statements in connection with the acquisition of a firearm);
    (4) any provision contained in this chapter (relating to fraud and false statements), other than this section or section 1028 (a)(7);
    (5) any provision contained in chapter 63 (relating to mail, bank, and wire fraud);
    (6) any provision contained in chapter 69 (relating to nationality and citizenship);
    (7) any provision contained in chapter 75 (relating to passports and visas);
    (8) section 523 of the Gramm-Leach-Bliley Act (15 U.S.C. 6823) (relating to obtaining customer information by false pretenses);
    (9) section 243 or 266 of the Immigration and Nationality Act (8 U.S.C. 1253 and 1306) (relating to willfully failing to leave the United States after deportation and creating a counterfeit alien registration card);
    (10) any provision contained in chapter 8 of title II of the Immigration and Nationality Act (8 U.S.C. 1321 et seq.) (relating to various immigration offenses); or
    (11) section 208, 811, 1107(b), 1128B(a), or 1632 of the Social Security Act (42 U.S.C. 408, 1011, 1307 (b), 1320a-7b (a), and 1383a) (relating to false statements relating to programs under the Act).

    --

    There's nothing Intelligent about Intelligent Design.
  4. Legal speak for really bad... by FireStormZ · · Score: 5, Informative

    http://en.wikipedia.org/wiki/Aggravation_(legal_concept)

    Aggravation, in law, is "any circumstance attending the commission of a crime or tort which increases its guilt or enormity or adds to its injurious consequences, but which is above and beyond the essential constituents of the crime or tort itself."[1]

    --
    "Ahh! Arrogance and stupidity in the same package, how efficient of you!" --Londo Molari
  5. Re:Good! by Nos. · · Score: 3, Informative

    They'll have a heck of a time suing when they knew before hand of the sloppy security measures and actually game them an extension on PCI compliance: http://www.darkreading.com/document.asp?doc_id=138838

  6. Re:And here I was by ivan256 · · Score: 2, Informative

    Harder than you'd think.

    If you use credit responsibly, and have a reasonable fallback of savings, the worst case is a temporary loss of access to credit. You aren't liable for this type of fraud if it happens to you. It's just that three month period of proving it was fraud that would suck if you depend on your credit card to live day to day.

    I had my credit card info stolen as part of the TJX breach. Whoever ended up with the data maxed out my card in an internet cafe in Paris ($6200 over two days... In an internet cafe...). There was a lot of paperwork and phone calls, but the overall outcome was that I didn't have access to $6200 in credit for 90 days, and I was slightly hassled.

    It is ridiculously unlikely that you are going to get your identity stolen in such a way that you will be completely, irrecoverably wiped out... And having a credit card doesn't really increase your chances of that all that much. They can do that to you even if you don't have a credit card.

  7. Re:And this was all..... by darkmeridian · · Score: 2, Informative

    This isn't true. TJX did not transmit credit card information over plaintext. This would have been better than what they actually did. TJX did something dumber: it transmitted the keys to the store server via WEP. The bad guys were able to use this to sign into the store server, then access the main server, and then put in a backdoor to capture all the credit card info used in all stores as opposed to that one store.

    --
    A NYC lawyer blogs. http://www.chuangblog.com/
  8. Re:And this was all..... by The+Breeze · · Score: 3, Informative

    Actually, if memory serves, the TJ Maxx connection was a wireless link between two buildings - it was a WEP connection. So, yeah, it was encrypted, but it only took them about 10 minutes to crack it. Too bad the company was too lazy to use WPA. The other interesting part about this (again going from memory) is that they popped the back cover off one of those "Apply for a Job" kiosks in the store, and lo and behold, the job kiosk was on the hardwire, unencrypted network. Oops. And then the bad guys plugged in a USB key with a bootable Linux system on it. Double oops. They then had access to everything on the corporate network. Everything. Triple oops.

    -Steve

  9. I used to work at one of them by Anonymous Coward · · Score: 1, Informative

    And still work in retail security. At least two of these companies did not transmit data in the clear, and in the case of debit pins, none of them did. The debit PIN standard was developed after the old ISO 8583 clear text credit transmission standard. (Yes the iso credit auth format was unencrypted. http://en.wikipedia.org/wiki/ISO_8583. Some credit processors still require it.)

    Your processor has to verify your setup before it goes into production, and debit card readers all require the hardware injection of keys. All PAPB verified hardware has to be injected in a secure facility, so itâ(TM)s not possible to buy debit pin pads that fail to meet the standard without collusion between the manufacturer, acquiring bank, and the merchant.

    This really scares the crap out of me, since it implies either the keys were compromised, or the debit card readers have a hidden debug mode. Possibly the corporate credit switch which re-encrypts the data before sending it to the authorizing bank was compromised, but most of these things run on obscure platforms like Tandem mid frames with self-destructing Attalla encryption processors and are purpose built. We used no wireless, we had no cleartext.

    Skimmers are not possible for the pin pad like they are for the swipe (that's why ATMs now have a "tounge", so you can't stick on a skimmer) We looked for cameras, but the cards were used in hundred of stores in a 13 state or so region. I suspect it appeared to be regional because bank are regional and not all banks noticed.

    I worked with the security firm sent out by VISA to clean up these sorts of things, and some 3 letter agencies and we never found a breach. It scares me that you can manage a thing by best practices, to the state of the art, and still not know what happened. I know we did some things poorly, but we handled debit pins in a textbook perfect way.

    I hope the method used to capture the debit pins becomes known, I still have retail networks to secure.