Thursday, August 7, 2008

Shocking Internet Hack

Posted by Mark Brousseau

An interesting article from newsday.com about the incredible scope of a recent Internet hack case:

Feds astounded by volume, scope of Internet hack case
BY KEIKO MORRIS
August 7, 2008

The sheer volume of the credit and debit card numbers stolen was astounding as was the far-flung cast of multinational characters in one of the largest Internet hacking and fraud cases federal prosecutors say they've seen in this country.

And while many credit card users are protected from full or partial liability, the scope of the impact of the mammoth case that snagged 11 people in the heist of more than 40 million card numbers is unknown.

For retailers, banks and credit card companies, Tuesday's announcement by federal prosecutors that they had unraveled a case stretching back years, highlighted the constant battle against Internet criminals. And although most consumers won't bear the burden immediately, the price of Internet fraud to banks and retailers could end up costing customers in the long run, technology security experts say.

"... The overall cost is high and you can bet your bottom dollar that that cost will get passed on to us, Joe Average card holder," said Ed Moyle, manager at CTG, an Internet technology firm in Amherst, N.H.

The unveiling of the ring and the numerous charges, including fraud and identity theft, was reason for retailers to rejoice, industry experts said. The conspiracy, allegedly led by Albert "Segvec" Gonzalez, 27, of Miami, hit some of the biggest retailers, including TJX Cos., BJ's Wholesale Club, OfficeMax, DSW and Barnes & Noble, among others.

"This was a very targeted attack on our industry," said Scott Krugman, spokesman for the National Retail Federation. "It took a very sophisticated network to do this."

The incidents in which the defendants -- hailing from Belarus and China and Ukraine -- found wireless access points to steal credit and debit card numbers date to 2003. TJX Cos. Inc. based in Framingham, Mass., discovered its computer system allegedly had been attacked by the defendants in 2006. Shoe retailer DSW was hit in 2005. Most of the major credit card companies and banks contacted declined to comment about the case specifically but said they know of the investigation and they have procedures to secure information. For card issuers, the cost to reissue cards is significant and, eventually, will get passed down to consumers, Moyle said.

"The sheer number of retailers attacked by these cyber criminals demonstrates the much broader challenges in protecting sensitive customer data from this increasing threat," Sherry Lang, a TJX spokeswoman, said in a statement. "... Broader action beyond retailers alone is required to protect consumer data. Banks and the U.S. payment card industry must join retailers and work together."

Technology security experts said retailers and credit card companies fight a constant battle against cyber crimes and have made strides over the years to comply with technical standards set by the PCI Security Standards Council, a group founded by five of the major credit card companies, to protect information systems. Retailers worry more about their credibility with consumers and their confidence in using the electronic systems, said Brit Beemer, chairman of the market research firm America's Research Group.

The idea that more than 40 million card numbers were stolen from major national chains will make consumers wary, but both retail and technology security experts said they were skeptical the case will change the way consumers used their credit or debit cards.

Both experts and prosecutors said consumers should check their accounts as well as their credit reports and set up fraud alerts if they believe their information has been stolen. Consumers face the hassle of requesting new cards or accounts but institutions' zero-liability policies mean that consumers won't suffer the losses.

"They have zero-liability protection so that definitely helps them get over those fears associated with data breaches," said Bruce Cundiff, director of payments research at Javelin Strategy & Research in San Francisco.

What do you think is the solution to these types of hacks?

Post your comment below.
