Hacking Ring Nabbed By US Authorities

← Back to Stories (view on slashdot.org)

Hacking Ring Nabbed By US Authorities

Posted by samzenpus on Wednesday August 6, 2008 @07:13PM from the go-directly-to-jail dept.

Slatterz writes "The members of a hacking ring responsible for stealing more than 40 million credit and debit card numbers from retail organizations in the US have been caught and charged. The case before the US Department of Justice is believed to be the largest hacking and identity theft case ever prosecuted. The criminals allegedly obtained bank details by hacking into the retailers' computer networks and then installing 'sniffer' programs to capture card numbers and password details as the customers moved through the retailers' credit and debit processing networks."

13 of 146 comments (clear)

will there be changes? by CaptainNerdCave · 2008-08-06 19:26 · Score: 5, Informative

are security measures going to be changed with this revelation to the public? having seen the inner-workings of various bank and investment facilities, i can safely say that one doesn't need to go through any really complicated work to take financial information from consumers: most wiring closets aren't even locked.
1. Re:will there be changes? by El_Muerte_TDS · 2008-08-06 21:04 · Score: 5, Funny
  
  are security measures going to be changed with this revelation to the public?
  Of course not. After all, they caught the people that abused it. Why waste money to protect something from criminals when the criminals were already caught. Nobody would dare to try it again.
2. Re:will there be changes? by Strilanc · 2008-08-06 23:00 · Score: 5, Interesting
  
  I'm going to go out on a limb and say the core of the problem isn't the security of the computers, it's the fact that in order to use a credit card number you have to reveal it. There will always be some retailer or customer without a secure system. _We can't change this, it's too hard_.
  I think the solution is a small device with an embedded secret key. All it has to do is sign data [secondary: show text, wireless, usb, etc].
  For example, to complete a transaction, a store asks you to sign this:
  [
  VISA Credit Transfer
  "here's a one-line ad because we just can't help it!"
  amount: 12.34$us
  buyer: John Doe
  seller: Matt's Grocery Store
  date: August 7, 2008
  buyer public key: 09 f9 11 02 9d 74 e3 5b d8 41 56 c5 63 56 88 c0
  seller public key: 4B 3D BA 71 3B D8 56 43 2B A7 E8 F4 69 CA C5 5A
  seller transaction id: 594864purplebunnies
  protocol version: 1
  ]
  Then the store also signs it, and sends it and the signatures to VISA, or whoever.
  The beauty here is that the security is now entirely encapsulated in a) the signing device, and b) the plaintext format for requesting credit.
  In the example I have given the buyer only has to check that the amount is correct because all other modifications give them free groceries. The store only needs to ensure they match the format specified by VISA, and that the buyer's signature is valid. VISA takes most of the work, checking that the format is correct, the signatures are valid, the transaction id is unique for the seller, the buyer has enough credit, etc.
  I'm sure there are holes, but it's a hell of a lot better than what we have now.
More details by hattable · 2008-08-06 19:28 · Score: 5, Informative

If you felt a little cheated by the lack of info in the 'article' the DOJ site has more.

--
OMG facts!
1. Re:More details by Anonymous Coward · 2008-08-06 20:07 · Score: 5, Funny
  
  those damn Legali immigrants.
Re:Hacking? by srjh · 2008-08-06 19:35 · Score: 5, Informative

hacking (uncountable)

1. (computing) Unauthorized attempts to bypass the security mechanisms of an information system or network.

Hack

...4b: to gain access to a computer illegally

You may prefer to use other definitions yourself, but the usage here is perfectly correct.
Re:Hacking? by BPPG · 2008-08-06 19:43 · Score: 5, Informative

You can bet hackers didn't write those definitions. Those definitions are accurate in the context of mainstream media, but as the GP stated, this is /.

--
What's the value of information that you don't know?
Better Article by FSWKU · 2008-08-06 19:48 · Score: 5, Informative

http://news.bbc.co.uk/2/hi/business/7545212.stm has a much better write-up.

So now we will get even MORE draconian measures to stop the "evil hackers" when in reality, it was a combination of bad intentions, and old-fashioned stupidity. The article specifically mentions looking for "vulnerable" access points. This means that whoever set the network up for these stores did not do a proper job in securing said network. Also, why the HELL were the systems used to process credit card transactions on the same insecure wireless network? There is NO excuse for that. I'm not excusing what these guys did, but once again we have a case where whoever setup the hardware in these places needs to be held for criminal negligence.

--
"So after all this, you make my case for me. To end this stalemate, you must die..."
Re:Hacking? by Anonymous Coward · 2008-08-06 19:53 · Score: 5, Funny

This is SLASHDOT!!!

kick to the chest
Slashdot is days behind the news by Xenna · 2008-08-06 20:02 · Score: 5, Insightful

There used to be a time when you read tech-news first on slashdot. Nowadays I read it in my (Dutch) newspaper first (yep, the paper one that they actually have to print and deliver first) end a few days later it appears in /.
What the hell is wrong?
Defendant worked for the Secret Service by unfasten · 2008-08-06 21:19 · Score: 5, Interesting

The main defendant in this case, Albert Gonzalez, used to be a informant for the Secret Service and cooperated in the Operation: Firewall case 4 years ago. Apparently they didn't keep a very good eye on him while he was working for them or after they were done with him. He became an informant after he was arrested around mid-2003 and the case lasted until the end of October, 2004. So according to this Washington Post article (which got the informantion from the indictment someone linked above) he was actively committing crimes at the same time he was an informant:

-- In about 2003, Gonzalez and others found an unencrypted wireless access point at a BJ's Wholesale Club store. BJ's reported a breach of its computer networks in early 2004.

-- In 2004, other members of the ID theft ring compromised an OfficeMax wireless access point in Miami, and they were able to steal credit card data. After law enforcement officials in 2006 identified OfficeMax as the victim of a data breach, the company said it hired an outside auditor to conduct an investigation and found no evidence of a security breach. An OfficeMax spokesman didn't immediately return a message seeking comment.

So either the Secret Service was letting this go on just so they could make one bust, or they had no idea that their own informant was committing major breaches while under their supervision. Also, how stupid is this guy that he didn't even stop breaking the law after getting busted and becoming an informant? Some people are just begging to be sent to prison, and it looks like the prosecuters are going to grant his wish. For the rest of his life if they have their way.

P.S.: The Threat Level post with the info about him being an informant also contains a link to another case about another informant who was stealing social security numbers while working on a computer inside the Secret Service offices.

The usdoj.gov website seems to be down for me at the moment but should come back up eventually.
Re:Who foots the bill? by Bravoc · 2008-08-06 22:21 · Score: 5, Funny

So, who foots the bill for this? The retailer, the credit card comany / debit card issuer, or the customer?
The credit card company raises my rates to cover their expenses, the government uses my taxes to pay for the investigation and prosecution, looks like I'm paying for it!
Drinks for everyone! Here, use my card!
Re:This was in Wednesdays newspaper! by Redneck+Hacker · 2008-08-06 23:12 · Score: 5, Informative

This was in Wednesdays newspaper!
It was also in Tuesday's /.