Stealing hundreds of millions of credit cards ridiculously easy

This is an interesting profile of a cybercriminal who, after being caught by police, worked for the Secret Service only to betray them by carrying out an astonishing cybercrime spree while in their employ.

Well, it’s astonishing in the sense of how much credit card information and money he stole. What’s really shocking is how easy it sounds, thanks to totally incompetent corporations:

Over the course of several years, during much of which he worked for the government, Gonzalez and his crew of hackers and other affiliates gained access to roughly 180 million payment-card accounts from the customer databases of some of the most well known corporations in America: OfficeMax, BJ’s Wholesale Club, Dave & Buster’s restaurants, the T. J. Maxx and Marshalls clothing chains. They hacked into Target, Barnes & Noble, JCPenney, Sports Authority, Boston Market and 7-Eleven’s bank-machine network….

Just as data security had been an afterthought for many businesses in their rush to get online in the 1990s, creating opportunities for the likes of Shadowcrew, many firms had taken no precautions as they eagerly adopted WiFi in the early 2000s. Gonzalez was especially intrigued by the possibilities of a technique known as “war driving”: hackers would sit in cars or vans in the parking lots of big-box stores with laptops and high-power radio antennae and burrow through companies’ vulnerable WiFi networks. Adepts could get into a billion-dollar multinational’s servers in minutes….

His [colleague’s] experiments at BJ’s Wholesale Club and DSW met with success. He stole about 400,000 card accounts from the former, a million from the latter….

they hacked into [Marshalls/TJX,] OfficeMax, Barnes & Noble, Target, Sports Authority and Boston Market, and probably many other companies that never detected a breach or notified the authorities. Scott bought a six-foot-tall radio antenna, and he and James rented hotel rooms near stores for the tougher jobs. In many cases, the data were simply there for the taking, unencrypted, unprotected….

He is not a gifted programmer — according to [co-conspirators] Watt and Toey, in fact, he can barely write simple code…

Gonzalez urged Watt and Toey to experiment with SQL [Injection]. …Forever 21 didn’t stand a chance. “I went to their Web site, and I looked at their shopping-cart software, and within five minutes, I found a problem,” he said, with his customary concision. “Within 10 minutes we were on their computers and were able to execute commands freely. From there we leveraged access until we were the domain administrators.”
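The shopping-cart flaw described in that quote is the classic SQL injection pattern: a request parameter spliced into query text so the database parses user input as SQL. The following is an added example, not code from the original post or from any of the companies named; the table, rows, log lines and function names are all constructed for illustration. It shows the vulnerable query shape beside the parameterized, type-checked fix, and a small log check a defender could run to spot cart requests whose `id` parameter is not a plain number.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed sample catalogue. The third row is not meant to be reachable
# through the public cart page (public = 0).
SAMPLE_ROWS = [
    (1, "Denim jacket", 49.99, 1),
    (2, "Wool scarf", 19.99, 1),
    (3, "Unreleased line (internal)", 0.0, 0),
]

# Constructed web-server log lines in a common access-log shape.
LOG_LINES = [
    '10.0.0.5 - - [15/Nov/2010:10:01:02] "GET /cart?id=2 HTTP/1.1" 200',
    '10.0.0.9 - - [15/Nov/2010:10:01:07] "GET /cart?id=1%20OR%201%3D1 HTTP/1.1" 200',
    '10.0.0.5 - - [15/Nov/2010:10:01:09] "GET /cart?id=3 HTTP/1.1" 404',
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL, public INTEGER)"
    )
    db.executemany("INSERT INTO products VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return db


def product_lookup_vulnerable(db, product_id):
    """The bug shape: the request parameter is pasted into the SQL string.

    Because AND binds tighter than OR, an id of "1 OR 1=1" turns the WHERE
    clause into (public = 1 AND id = 1) OR 1=1, which matches every row,
    including the one the public page was never supposed to return.
    """
    sql = f"SELECT id, name FROM products WHERE public = 1 AND id = {product_id}"
    return db.execute(sql).fetchall()


def product_lookup_safe(db, product_id):
    """Hardened lookup: validate the type, then bind the value as a parameter.

    The database engine receives the query text and the value separately, so
    the value can never change the structure of the statement.
    """
    try:
        pid = int(product_id)
    except (TypeError, ValueError):
        return []  # anything that is not an integer id is rejected outright
    sql = "SELECT id, name FROM products WHERE public = 1 AND id = ?"
    return db.execute(sql, (pid,)).fetchall()


def flag_suspicious_requests(log_lines):
    """Detection check: return (client_ip, decoded id) for every cart request
    whose id parameter is not purely numeric after URL-decoding."""
    pattern = re.compile(r'"GET /cart\?id=([^ "]*)')
    flagged = []
    for line in log_lines:
        match = pattern.search(line)
        if not match:
            continue
        decoded = unquote(match.group(1))
        if not decoded.isdigit():
            flagged.append((line.split()[0], decoded))
    return flagged


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input :", product_lookup_vulnerable(db, "2"))
    print("vulnerable, crafted input:", product_lookup_vulnerable(db, "1 OR 1=1"))
    print("safe, crafted input      :", product_lookup_safe(db, "1 OR 1=1"))
    print("flagged log entries      :", flag_suspicious_requests(LOG_LINES))
```

Parameter binding is the fix that matters; the integer check and the log scan are defence in depth. The log check is deliberately narrow (one parameter, one path) so it produces no noise on this sample; a real deployment would apply the same idea to every parameter the application treats as a number.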

So this Miami Dade College drop-out who could barely write a simple computer program stole hundreds of millions of credit cards from dozens of major U.S. corporations, all of which were monumentally incompetent at data protection.

Posted by James on Monday, November 15, 2010