
Justice for largest hacking case ever

  • CNN is reporting that 11 people were charged yesterday for allegedly stealing more than 40 million credit and debit card numbers. The hacking incidents relating to the accused took place at various major retail outlets in the USA over the past three years.

    The defendants come from the U.S., Estonia, Belarus and China, with one individual whose country of origin still remains unknown.

    From the report:

    Under the indictments, three Miami, Florida, men — Albert “Segvec” Gonzalez, Christopher Scott and Damon Patrick Toey — are accused of hacking into the wireless computer networks of retailers including TJX Companies, whose stores include Marshall’s and T.J. Maxx, BJ’s Wholesale Club, OfficeMax, Barnes and Noble and Sports Authority, among others.

    The three men installed “sniffer” programs designed to capture credit card numbers, passwords and account information as they moved through the retailers’ card processing networks, said Michael Sullivan, the U.S. attorney in Boston.

    We can speculate plenty about the poor security deployed at the major retail stores that were affected, but what intrigues me the most is not that they had wireless networks and let their RF waves propagate far and wide, but that the affected stores did not learn from similar attacks that took place in the past.

    Major card hacking rings today sell off the numbers to “wholesalers”, who then go on to sell the numbers in the “retail market” by advertising them on publicly available forums and IRC channels. A quick search on Google yields plenty of these postings:


    Figure 1: Credit card nos. come cheap


    Figure 2: Global credit cards nos.

    Although the law is catching up with the card rings, it would do us all good if the available security technologies were implemented effectively and people were trained to ward off social engineers.
