Fallout From TJX Credit Card Scandal
Page 1 of 2
The indictment of 11 criminals involved in the TJX credit card theft incident shows that cybercrime is indeed a global effort, and the bad guys are many steps ahead of their victims in terms of sophistication and knowledge.
While all the attention has been on TJX, parent company of the TJ Maxx, Marshall's, Bob's Stores and a few other chains, a number of retailers unassociated with TJX were also victims of credit card theft by the same criminals. This includes Office Max, Boston Market, Barnes & Noble, Sports Authority, Forever 21, DSW, and more.
After obtaining the credit card information, the perpetrators stored it on encrypted servers in Eastern Europe and the US, then sold the data to customers in those countries. Fake credit cards were created and used to withdraw tens of thousands of dollars from ATMs.
The U.S. Department of Justice estimates that the crooks stole more than 40 million credit and debit card numbers, making it the largest hacking and identity theft case ever prosecuted by the Department of Justice.
Three of the defendants are U.S. citizens, one is from Estonia, three are from Ukraine, two are from the Peoples Republic of China and one is from Belarus. One individual is only known by an alias online, and his place of origin is unknown.
Despite many foreigners being involved in the case, the U.S. actually has some of them in its grip, or will shortly. Maksym "Maksik" Yastremskiy, of Kharkov, Ukraine, was apprehended in July 2007 in Turkey when he traveled there on vacation. The U.S. has made a formal request for his extradition.
Aleksandr "Jonny Hell" Suvorov, of Sillamae, Estonia was apprehended by the German Federal Police in Frankfurt in March 2008, again while traveling on vacation. He is currently in confinement pending the resolution of extradition proceedings.
A double agent
The one in the most trouble is Albert "Segvec" Gonzalez, of Miami. He had been previously arrested in 2003 by federal authorities and had agreed to help them in a sting operation as a confidential informant. Instead, the Secret Service discovered that he was essentially a double agent, and was criminally involved in the case. Gonzalez now faces a maximum penalty of life in prison if he is convicted of all the charges.
"So far as we know, this is the single largest and most complex identity theft case ever charged in this country," said Attorney General Michael Mukasey in a statement. "It highlights the efforts of the Justice Department to fight this pernicious crime and shows that, with the cooperation of our law enforcement partners around the world, we can identify, charge and apprehend even the most sophisticated international computer hackers."
An unfair fight
The U.S. may have gotten these guys in the end, but when it came down to the hackers vs. the retailers, it was a lopsided battle, with the hackers completely unmatched by the stores. Many of the break-ins were due to poor or non-existent security around the wireless networks in the stores.
The retail industry has added wireless networks as a convenience in its stores, usually for the staff, but the in-store staff's focus is on selling stuff, not something like wireless security.
"This is a rampant problem across the whole retail industry," Amit Sinha, the CTO of AirDefense, a vendor of wireless security products, told InternetNews.com. "I would say half the retail networks today are extremely vulnerable from a wireless perspective."
He said in one survey of retail stores, 25 percent were found to have no wireless encryption on their Wi-Fi networks, while another 25 percent used WEP, which can be broken in about one to two minutes with simple hacking tools.
That's because these networks were set up several years ago, when there wasn't much wireless hacking, and retailers never upgraded their systems. Retail outlets detest down time and live by the maxim "If it ain't broke, don't fix it."
"A lot of stores just set Wi-Fi up and forgot about it," said Sinha. "But that's not how security has evolved. Hacking has evolved where fences are not high enough. Upgrading wireless technology in a large retail establishment with 3,000 stores could be a costly effort but has to be done."
Next page: Spreading the blame