Harsh sentences handed down recently against the mastermind behind the network break-ins at Heartland Payment Systems and major retailers will do little to deter future attacks, though it may lead criminals to change their tactics, security experts say.
Federal prosecutors say the harsh sentences handed down recently against the mastermind behind the network break-ins at Heartland Payment Systems Inc., TJX Cos. Inc., Hannaford Brothers Co., and other major retailers are meant as a warning to would-be hackers. But security experts say the long prison term will do little to deter future attacks, as criminals respond by changing their tactics.
A U.S. District Court in New Jersey on March 26 sentenced Albert Gonzalez, who has been identified by federal law enforcement officials as the leader of the largest hacking ring ever prosecuted by the U.S. government, to 20 years and one day in prison for his role in a series of hacks into Heartland, a New Jersey-based payment processor; 7-Eleven Inc., a Dallas-based convenience store chain; and Hannaford Brothers, a supermarket chain headquartered in Maine. He also was ordered to serve three years of supervised release following his prison term and pay a $25,000 fine.
The sentence will run concurrently with a sentence imposed on Gonzalez March 25 by the U.S. District Court in Boston. In that case, a federal judge sentenced Gonzalez to 20 years in prison for his role in data breaches at TJX, BJ’s Wholesale Club Inc., OfficeMax Inc., Boston Market Corp., Barnes & Noble Inc., and The Sports Authority Inc. He also was ordered to serve three years of supervised release following his prison term and to pay a $25,000 fine.
While the sentences imposed on Gonzalez may deter criminals in the U.S. and in countries with extradition treaties with the U.S., they will have little impact on the vast majority of cases, security experts say.
“This stuff happens every day, it’s coming from countries where extradition is not the case,” says Branden R. Williams, director of security consulting at RSA Security. “There’s really no fear of prosecution.”
But the Gonzalez case may cause hackers to change their tactics. “The more sophisticated among them will take it as a lesson in scale and shift away from massive attacks against very large targets and toward small-scale targeted attacks in distributed hacking environments,” Avivah Litan, senior analyst at Gartner Research, said in a recent report.
Criminals also are likely to turn to techniques such as social engineering (manipulating people or companies into revealing confidential data through methods such as phishing), Williams says. Phishing e-mails purport to come from legitimate companies and ask consumers to reveal personal information that can be used to commit fraud, such as bank account or Social Security numbers.
“These guys do have to get a little more creative, do have to use more than just poking at firewalls from across the ocean, or their basement or whatever,” he says.
That means retailers need to beef up data security, including more effective fraud detection, stronger cardholder authentication and stronger card security, Litan says.
And retailers need to put more resources into protecting confidential consumer information, Williams adds.
“Until companies really take data security seriously, and not just as an operational thing that I.T. people do, you’ll have the possibilities of these types of breaches,” he says.
Authorities say Gonzalez and his associates used weaknesses in retailers’ wireless networks in their bricks-and-mortar stores to gain access to corporate databases and steal tens of millions of credit and debit card numbers.