The last few weeks have included a huge increase in identity-theft news. First, we consumers heard on August 17 about the indictment of three hackers -- a Miami man and two Russian accomplices -- in what is probably the largest data breach and theft in the USA. More than 130 million debit and credit card numbers were stolen.
This latest theft of 130 million card numbers covered data breaches from 2006 to 2008 for companies including Heartland Payment Systems, a card payment processor, and retail chains 7-Eleven Inc and Hannaford Brothers. The Heartland breach has affected dozens of banks nationwide.
Second, we learned that the Miami man, Albert Gonzalez, was also a former government informant who had worked with the U.S. Secret Service since 2003, was already known to government officials, and was already in prison for a series of eight retail hacks affecting an additional 40 million credit cards. The thefts of those 40 million additional cards included retail companies such as BJ's Wholesale Club and TJX Companies/T.J.Maxx. So one man (with help from some friends) stole more than 170 million debit/credit cards.
How do three people steal 130 (or 170) million credit cards? Third, we started hearing technical terms like the "SQL injection" technique the criminals used to exploit weaknesses in the way computer system developers write code for credit card databases. According to InternetNews:
"For his crimes, if Gonzalez is convicted in the Heartland incident, he'll face a fine of at least $250,00, and up to 25 years in prison. Gonzalez had servers in California, Illinois, Latvia, the Netherlands and Ukraine..."
Sounds to me like far more than three people are involved. You don't simply set up servers in multiple countries without some help. This theft smells like an organized business. I want law enforcement to capture and prosecute other criminals worldwide (e.g., Hacker-1 and Hacker-2 who are in or near Russia) who aided the thefts and/or resold the stolen data.
Fourth, details then began to emerge about the breaches at specific companies:
"... Dallas-based 7-Eleven, while confirming security breaches, said that only ATMs at some stores were affected... Moreover, the Dallas chain would not say where the affected stores were.... A 7-Eleven statement said the chain became aware of attacks in late 2007, saying they had occurred Oct. 28 through Nov. 8. The indictment said the chain’s network was breached from August 2007... Each card-issuing company made its own decision on what action to take, including replacing cards or putting card numbers on an alert for fraud..."
Like a bad screenplay, we further learned that Gonzalez went by the "soupnazi" online alias and he:
"... reportedly became an informant for the Secret Service in 2003, helping in a sting of a cybercrime syndicate, known as Shadowcrew.com. But afterward, Gonzalez re-established his own hacking group, called "Operation Get Rich or Die Tryin," according to Threat Level..."
Perhaps most troubling:
"Accomplices to the crimes are believed to be on the loose in Russia or other countries where U.S. authorities are less likely to get them. And the underlying security holes mined by the hackers still exist in many payment networks."
Most of this was summarized nicely in the New York Times:
"The financial stakes are getting higher. Fraud involving credit and debit cards reached $22 billion last year, up from $19 billion in 2007, according to California consulting firm Javelin Strategy & Research."
You may remember that the breaches at Heartland and Hannaford occurred while both companies were supposedly in compliance with security requirements. Again, from the New York Times:
"Those standards were set by a council that includes the world's two largest credit card networks, Visa and MasterCard Inc; fast-food leader McDonald's Corp; oil major Exxon Mobil Corp; and big banks Bank of America Corp and Royal Bank of Scotland Plc... Yet some 5 percent of the largest retailers and restaurants still have not met compliance deadlines set in 2007, according to Visa."
Clearly, the security standards are insufficient and need to be strengthened. Then, we learned that J.C. Penney, Target, Boston Market, DSW, OfficeMax, Barnes & Noble, and Sports Authority were affected by the Gonzalez-led breaches. By the end of the week, Gonzalez pled guilty to several charges related to the breaches, and would get a maximum of 25 years in prison.
Meanwhile, the banks, credit card networks, and retailers argue about the appropriate security standards and who should pay. What should consumers do?
We consumers can't control the squabbles between the banks, credit card networks, and retailers. We can control which cards we use and when. My advice is this:
- Shop online with your credit card, since that gives you more protection than a debit card.
- If you can, use cash for in-store purchases, or use a credit card. Why? Retailers are not honest and transparent about informing consumers of breaches or about which stores in their chain are problematic. (Remember, not all states have data breach notification laws.) And, the credit card industry still hasn't solved its security problems. See this blog post above.
- Use your debit card at your bank's ATM machines. Regardless of those entertaining Visa and MasterCard advertisements on television, the system isn't as secure as it should be. I avoid ATM machines in convenience stores, and try to use ATM machines only in my bank's branches.
- Review your monthly credit card statements, since some fraud shows up as tiny charges first (e.g., 25 cents) and since you may spot fraud first. Don't rely on your bank spotting it first. If you spot fraudulent charges, report them quickly to your bank or credit card issuer.