Slashdot Mirror
Hacking Ring Nabbed By US Authorities
Slatterz writes "The members of a hacking ring responsible for stealing more than 40 million credit and debit card numbers from retail organizations in the US have been caught and charged. The case before the US Department of Justice is believed to be the largest hacking and identity theft case ever prosecuted. The criminals allegedly obtained bank details by hacking into the retailers' computer networks and then installing 'sniffer' programs to capture card numbers and password details as the customers moved through the retailers' credit and debit processing networks."
-- In about 2003, Gonzalez and others found an unencrypted wireless access point at a BJ's Wholesale Club store. BJ's reported a breach of its computer networks in early 2004.
-- In 2004, other members of the ID theft ring compromised an OfficeMax wireless access point in Miami, and they were able to steal credit card data. After law enforcement officials in 2006 identified OfficeMax as the victim of a data breach, the company said it hired an outside auditor to conduct an investigation and found no evidence of a security breach. An OfficeMax spokesman didn't immediately return a message seeking comment.
So either the Secret Service was letting this go on just so they could make one bust, or they had no idea that their own informant was committing major breaches while under their supervision. Also, how stupid is this guy that he didn't even stop breaking the law after getting busted and becoming an informant? Some people are just begging to be sent to prison, and it looks like the prosecuters are going to grant his wish. For the rest of his life if they have their way.
P.S.: The Threat Level post with the info about him being an informant also contains a link to another case about another informant who was stealing social security numbers while working on a computer inside the Secret Service offices.
The usdoj.gov website seems to be down for me at the moment but should come back up eventually.
I'm going to go out on a limb and say the core of the problem isn't the security of the computers, it's the fact that in order to use a credit card number you have to reveal it. There will always be some retailer or customer without a secure system. _We can't change this, it's too hard_.
I think the solution is a small device with an embedded secret key. All it has to do is sign data [secondary: show text, wireless, usb, etc].
For example, to complete a transaction, a store asks you to sign this:
[
VISA Credit Transfer
"here's a one-line ad because we just can't help it!"
amount: 12.34$us
buyer: John Doe
seller: Matt's Grocery Store
date: August 7, 2008
buyer public key: 09 f9 11 02 9d 74 e3 5b d8 41 56 c5 63 56 88 c0
seller public key: 4B 3D BA 71 3B D8 56 43 2B A7 E8 F4 69 CA C5 5A
seller transaction id: 594864purplebunnies
protocol version: 1
]
Then the store also signs it, and sends it and the signatures to VISA, or whoever.
The beauty here is that the security is now entirely encapsulated in a) the signing device, and b) the plaintext format for requesting credit.
In the example I have given the buyer only has to check that the amount is correct because all other modifications give them free groceries. The store only needs to ensure they match the format specified by VISA, and that the buyer's signature is valid. VISA takes most of the work, checking that the format is correct, the signatures are valid, the transaction id is unique for the seller, the buyer has enough credit, etc.
I'm sure there are holes, but it's a hell of a lot better than what we have now.