Largest ID theft ring in U.S. busted, feds say
Matthew B. Stannard, Chronicle Staff Writer

Tuesday, August 5, 2008

(08-05) 20:19 PDT -- Secretary of Homeland Security Michael Chertoff announced the nation's largest-ever hacking and identity-theft case today when, coincidentally, he was in San Jose to talk to Silicon Valley business leaders about the need for improved network security.

Federal indictments unsealed today in Boston and San Diego against 11 individuals outlined an extraordinary global scheme that siphoned 40 million customer credit and debit card numbers out of the networks of nine major U.S.-based retailers and placed them - for a price - in the hands of individuals around the world, who in turn used them to make purchases or withdraw cash from ATMs.

The scope of the venture and the losses sustained by the credit card companies and individual victims were not immediately clear. It does not appear from the indictment that any of the companies' Bay Area branches were targeted.

The accused include three U.S. citizens, an Estonian, three Ukrainians, two Chinese nationals, one citizen of Belarus and one individual known only by an online alias. Three people are in custody; the rest remain at large.

Chertoff called the indictment a "milestone" in the evolving history of cybersecurity.

"It's an opportunity, in fact an obligation at this point, for everybody involved in this scenario to take a careful look at the security systems in place," Chertoff said in the San Jose offices of the U.S. Secret Service, which investigated the case.

According to the indictment, the case centered on Miami resident Albert "Segvec" Gonzalez, an informant for the U.S. Secret Service who investigators discovered was continuing his criminal acts on government time.

Gonzalez and his associates in China, Eastern Europe and elsewhere set up a criminal enterprise that spanned continents and offered one-stop online shopping for pilfered credit card numbers, the indictment alleges.

Gonzalez and his associates allegedly engaged in "wardriving" - the practice of literally driving around with a laptop or other device searching for open or weakly secured wireless networks. Some hobbyists use the practice to map the emerging wireless world; Gonzalez and his associates allegedly used it to get into the targeted companies' networks in Florida, New York and elsewhere.

Once in the networks, the indictment alleges, Gonzalez and his associates installed programs called packet sniffers that captured credit card numbers as they were transmitted between, for example, a waiter's kiosk and the company's central server. The captured numbers were written to a log file that the hackers later retrieved.

Investigators said the co-conspirators then used some of the stolen numbers to create cloned credit cards for their own use. Many of the other numbers ended up on a Web site the conspirators created called "DumpsMarket," where so-called "carders" traded tips and bought and sold pilfered numbers in member-only forums.

The site no longer exists, but a copy archived in 2004 and accessed by The Chronicle billed itself as "created to acquaint you with the dark side of Internet." The site featured a "buy" section with a drop-down menu offering visas for the UK, Germany and France, passports for everywhere from Israel to Iraq, EU "dumps" - a term for credit card data - and "my usual very big US dumps base."

The Internet aliases listed as contacts on the site are listed in the indictment as aliases for the indicted suspects.

According to the indictment, the venture eventually evolved into a partially-automated e-commerce site, where buyers - paying with Western Union - could get a bulk discount on large numbers of credit card numbers. Once payment cleared, the system automatically accessed the correct quantity of credit card numbers from a database and delivered them to the buyer.

At least one of Gonzalez's co-conspirators enriched himself to the tune of some $11 million, according to the indictment. Gonzalez himself allegedly profited by at least $1.7 million and purchased a 2006 BMW, computers, a Glock handgun and a condominium in Florida where he let a co-conspirator stay for free in exchange for help in the scheme, the indictment alleges.

Sherry Lang, senior vice president of TJX Companies, one of the retailers targeted, said in a statement that the company has cooperated closely with law enforcement, but that the scale of the cybersecurity problem goes beyond retailers and calls for better cooperation between banks, retailers and credit card companies.

"The sheer number of retailers attacked by these cyber criminals demonstrates the much broader challenges in protecting sensitive consumer data from this increasing threat," the statement said.

Boston Market spokeswoman Angela Proctor said the Secret Service contacted the company in 2004 about a possible security breach. After that "isolated incident," she said, the company hired a forensic firm to "review our entire network and computer system" at the restaurant but couldn't conclude that a data breach had occurred or identify any customers.

Boston Market follows industry security practices and is audited by Visa every year. No credit card information is stored at point-of-sale terminals inside restaurants, "so what happened to TJX couldn't happen to us," Proctor said.

But some advocates and security experts were unwilling to let the retailers off the hook.

"This is as much a story about the lax security practices of the major retailers as it is the triumph of justice," said Beth Givens, director of the Privacy Rights Clearinghouse, a nonprofit in San Diego. "What deplorable security practices. What a bunch of leaky boats."

Phillip Dunkelberger, president and CEO of Menlo Park-based PGP Corp., a leading encryption company, said the case illustrated the need for a change in mindset when it comes to network security in businesses.

The fact that the alleged hacking took place at retail outlets - and not banks, for example - suggested that the suspects were targeting weaker links in the network, Dunkelberger said. In some cases, the indictment said, the network and credit card data were unsecured; in others the suspects were able to crack the encryption.

Either way, Dunkelberger said, "They were watching data basically passing in the clear, and they were able to access it ... they were basically eavesdropping on a conversation between a device and its intended server."

Such eavesdropping could have been thwarted had all the data been properly encrypted, Dunkelberger said, leaving even a successful intruder with meaningless data. But while such encryption is readily available, many companies still think in terms of securing their infrastructure rather than the data itself as it moves over e-mail, wireless links and other channels.

"They have tended to try to protect the data like a fortress or a castle. The problem with that is the drawbridges are let down," he said. "You've got to protect the data itself ... Data is currency on the Internet now."
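The two technical points the article makes, that a sniffer on the network could harvest card numbers passing in the clear between a point-of-sale device and its server, and that encrypting the data in transit would have left an intruder with nothing usable, can be shown in a few dozen lines. The following is an added example written for this page, not code from the indictment, from the conspirators' tools or from PGP Corp. The payload format (a made-up "AUTH|PAN=...|..." authorization message) and the 4111111111111111 and 5555555555554444 card numbers are constructed test values, and AES-256-GCM is used here as a representative authenticated cipher for transit encryption; the page does not say which encryption the retailers or the attackers dealt with.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"regexp"
)

// SamplePayload is a constructed authorization message of the kind that
// might flow from a POS terminal to a store server. The order number is a
// 16-digit run that is NOT a valid card number and must be filtered out.
const SamplePayload = "AUTH|STORE=0417|ORDER=1234567890123456|PAN=4111111111111111|EXP=0912|AMT=42.17"

// panPattern matches digit runs of 13 to 19 digits, the length range of
// payment card primary account numbers (PANs).
var panPattern = regexp.MustCompile(`\b[0-9]{13,19}\b`)

// luhnValid applies the Luhn check-digit test that every real PAN passes;
// it rejects most order numbers, timestamps and other digit runs.
func luhnValid(s string) bool {
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		d := int(s[i] - '0')
		if d < 0 || d > 9 {
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// ExtractPANs is the post-processing a sniffer (or, equally, a network DLP
// sensor looking for card data in the clear) runs over a captured payload:
// it returns every Luhn-valid, PAN-shaped digit run found in the bytes.
func ExtractPANs(payload []byte) []string {
	var found []string
	for _, m := range panPattern.FindAll(payload, -1) {
		if luhnValid(string(m)) {
			found = append(found, string(m))
		}
	}
	return found
}

// Seal encrypts and authenticates a payload with AES-256-GCM under key.
// The random nonce is prepended so Open can recover it.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; it fails if the ciphertext was modified in transit.
func Open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed message too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

func main() {
	// Constructed demo key; in practice this comes from a key exchange such as TLS.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	fmt.Println("sniffer sees in the clear:", ExtractPANs([]byte(SamplePayload)))
	sealed, _ := Seal(key, []byte(SamplePayload))
	fmt.Println("sniffer sees on the encrypted link:", ExtractPANs(sealed))
	sealed[len(sealed)-1] ^= 0x01 // an attacker who tampers is detected, not just blinded
	_, err := Open(key, sealed)
	fmt.Println("tampered message rejected:", err != nil)
}
```

Run with `go run .`: the first scan returns the one real PAN and discards the order number; the scan over the sealed message returns nothing, which is the "meaningless data" Dunkelberger describes; and the final check shows why an authenticated mode matters, since a sniffer that cannot read the traffic may still try to alter it. Note that the same `ExtractPANs` logic, pointed at your own capture files or store network traffic, is a quick way to check whether card data is still crossing a link in the clear.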

In San Jose, Chertoff agreed that companies should do more to improve security, although he declined to address the companies targeted in this case. Asked if he continues to use a credit card at retailers, Chertoff said he does - "with trepidation, sometimes."

E-mail Matthew B. Stannard at mstannard@sfchronicle.com

http://www.sfgate.com/cgi-bin/article.c ... 125UH7.DTL