Law enforcement authorities may have arrested a key figure in a criminal gang that has stolen 130 million credit and debit card numbers from retailers, but payment security experts say that’s no reason for online merchants to relax.
“You should be just as nervous today as you were yesterday, because there’s not just one of these guys,” says Andrew Lauter, chief technology officer of fraud-prevention firm Accertify LLC. “Everything he knew and learned has probably been disseminated to another 100,000 bad guys.”
The U.S. Department of Justice announced yesterday the indictment of Albert Gonzalez of Miami on charges he was at the center of a crime ring that stole card numbers by breaking into the computer networks of several companies, including Heartland Payment Systems, which sells card-processing services to many retailers; convenience store chain 7-Eleven Inc.; and Hannaford Brothers Co. Inc., a Maine-based supermarket chain.
The indictment says that, beginning in October 2006, Gonzalez and two unnamed conspirators researched store payment card systems, figured out how to break into computer networks and steal card data, and sent the data to servers they operated in California, Illinois, Latvia, the Netherlands and the Ukraine.
There are several lessons for online retailers in this story, security experts say.
One is that, although the data was stolen by breaching systems in bricks-and-mortar stores, often the card numbers are used to make fraudulent purchases at retailers’ Internet sites, says Michael Petitti, chief marketing officer of payment security firm Trustwave. That’s because the criminal often can complete a web purchase with just a card number, the kind of data this crime ring allegedly stole in large numbers.
It’s also noteworthy, Petitti says, that the way they broke into computer networks involved an attack known as SQL injection, in which the hacker enters software code into an information field that, if not blocked, gives him broad access to data in a computer network. In the case of online retailers, SQL injection attacks often take place on checkout pages where consumers are asked for such information as name and address.
However, hackers increasingly are carrying out such attacks on non-payment pages, such as the customer support pages of a web site, figuring those pages are not as carefully reviewed by security experts, Petitti says. Even online social network pages that request information can be targeted in a SQL injection attack, he adds. He says the solution is to have a qualified security expert review any new web site application to make sure it’s not vulnerable to this type of attack.
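To make Petitti’s point concrete, here is an added example that is not from the article or from any of the companies it names: a checkout-style customer lookup written in Python against SQLite, first in the form where the submitted field becomes part of the query text, then in the parameterized form, plus the kind of check a reviewer would run against both. The table contents, customer names and probe value are all constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for a retailer's customer table.
CUSTOMERS = [
    ("Alice Example", "100 Main St, Los Angeles"),
    ("Bob Sample", "200 Oak Ave, Chicago"),
    ("Carol Demo", "300 Pine Rd, Portland"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, address TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, name):
    """Checkout-page lookup that splices the submitted field into the SQL.
    Whatever the customer types is interpreted as part of the query."""
    sql = "SELECT name, address FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened form: the field is bound as a parameter, so the database
    treats it as a literal value and never as SQL."""
    sql = "SELECT name, address FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def review_lookup(lookup):
    """Reviewer check: a lookup is acceptable only if a field value that
    matches no real customer returns no rows at all."""
    conn = make_db()
    honest = lookup(conn, "Alice Example")
    # Constructed probe: closes the quoted literal and appends a tautology.
    probe = "' OR '1'='1"
    hostile = lookup(conn, probe)
    return {"honest_rows": len(honest), "probe_rows": len(hostile),
            "passes": len(hostile) == 0}


if __name__ == "__main__":
    print("concatenated:", review_lookup(lookup_vulnerable))
    print("parameterized:", review_lookup(lookup_safe))
```

Run stand-alone, the concatenated lookup returns every customer row for the probe while the parameterized one returns none, which is the difference a code review should catch before a page goes live.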
Another result of this massive fraud is that criminals now often have more information about a consumer—not just card data but in many cases name and address, for instance, says Paul Brock, senior manager of managed services at payment processing and security firm CyberSource Corp. In addition, hackers have become adept at hiding their true Internet address, often by taking over the PCs of unsuspecting consumers.
Thus, a criminal who has card data about a consumer who lives in Los Angeles can take over a computer in that city and make a purchase from an online retailer that appears to be coming from the area where the legitimate cardholder lives, even though the hacker may be in another country.
Brock says it’s important for online retailers to use a technique called deep packet inspection that looks carefully at all incoming data and can detect, for instance, that a purchase request is coming from a computer controlled by another machine, as well as the address of the controlling PC. If a retailer sees that the card number of that Los Angeles consumer is being used by someone at a computer in Romania, that would set off a warning flag, Brock says.
He also recommends merchants take advantage of services that track transaction data across retailers. That kind of service can spot, for instance, a card number being used for purchases from several retailers being sent to multiple shipping addresses, another sign of possible fraud.
Online retailers also should be aware that the use of the card numbers stolen by this gang is likely not over, says Lauter of Accertify. He says criminals know that once breaches are detected, cardholders often are offered a year of free credit report monitoring, which can spot signs of a card number being abused. Once a year goes by, consumers often relax, and that makes it easier for criminals to use the card numbers without being detected for some time.
“If they’ve stolen millions of credit card numbers they don’t have to use them all right away,” Lauter says. “They don’t even need to sell them all in the first 12 months.” That means online retailers could still feel the effects of these data breaches for some time to come.