Sunday, August 10, 2008

Fallout From TJX Credit Card Scandal - internetnews.com - 07 Aug 2008

Thanks to international cooperation, hackers from outside the U.S. were apprehended in one of the largest identity theft cases ever prosecuted by the Department of Justice.

The indictment of 11 criminals involved in the TJX credit card theft incident shows that cybercrime is indeed a global effort, and the bad guys are many steps ahead of their victims in terms of sophistication and knowledge.

While all the attention has been on TJX, parent company of the TJ Maxx, Marshall's, Bob's Stores and a few other chains, a number of retailers unassociated with TJX were also victims of credit card theft by the same criminals. This includes Office Max, Boston Market, Barnes & Noble, Sports Authority, Forever 21, DSW, and more.

After obtaining the credit card information, the perpetrators stored it on encrypted servers in Eastern Europe and the US, then sold the data to customers in those countries. Fake credit cards were created and used to withdraw tens of thousands of dollars from ATMs.

The U.S. Department of Justice estimates that the crooks stole more than 40 million credit and debit card numbers, making it the largest hacking and identity theft case ever prosecuted by the Department of Justice.

Three of the defendants are U.S. citizens, one is from Estonia, three are from Ukraine, two are from the People’s Republic of China and one is from Belarus. One individual is only known by an alias online, and his place of origin is unknown.

Despite many foreigners being involved in the case, the U.S. actually has some of them in its grip, or will shortly. Maksym "Maksik" Yastremskiy, of Kharkov, Ukraine, was apprehended in July 2007 in Turkey when he traveled there on vacation. The U.S. has made a formal request for his extradition.

Aleksandr "Jonny Hell" Suvorov, of Sillamae, Estonia was apprehended by the German Federal Police in Frankfurt in March 2008, again while traveling on vacation. He is currently in confinement pending the resolution of extradition proceedings.

A double agent

The one in the most trouble is Albert "Segvec" Gonzalez, of Miami. He had been previously arrested in 2003 by federal authorities and had agreed to help them in a sting operation as a confidential informant. Instead, the Secret Service discovered that he was essentially a double agent, and was criminally involved in the case. Gonzalez now faces a maximum penalty of life in prison if he is convicted of all the charges.

"So far as we know, this is the single largest and most complex identity theft case ever charged in this country," said Attorney General Michael Mukasey in a statement. "It highlights the efforts of the Justice Department to fight this pernicious crime and shows that, with the cooperation of our law enforcement partners around the world, we can identify, charge and apprehend even the most sophisticated international computer hackers."

An unfair fight

The U.S. may have gotten these guys in the end, but when it came down to the hackers vs. the retailers, it was a lopsided battle, with the hackers completely unmatched by the stores. Many of the break-ins were due to poor or non-existent security around the wireless networks in the stores.

The retail industry has added wireless networks as a convenience in its stores, usually for the staff, but the in-store staff's focus is on selling stuff, not something like wireless security.

"This is a rampant problem across the whole retail industry," Amit Sinha, the CTO of AirDefense, a vendor of wireless security products, told InternetNews.com. "I would say half the retail networks today are extremely vulnerable from a wireless perspective."

He said in one survey of retail stores, 25 percent were found to have no wireless encryption on their Wi-Fi networks, while another 25 percent used WEP, which can be broken in about one to two minutes with simple hacking tools.

That's because these networks were set up several years ago, when there wasn't much wireless hacking, and retailers never upgraded their systems. Retail outlets detest down time and live by the maxim "If it ain't broke, don't fix it."

"A lot of stores just set Wi-Fi up and forgot about it," said Sinha. "But that's not how security has evolved. Hacking has evolved where fences are not high enough. Upgrading wireless technology in a large retail establishment with 3,000 stores could be a costly effort but has to be done."

Gartner security analyst Avivah Litan concurs. "These systems weren't built with security in mind, and when they were rolled out, there weren't cybercriminals this sophisticated," she said.

Litan adds, "I don't think it's practical to expect retailers to plug every hole. Certainly they can deal with the sloppy holes. They've made a lot of progress with PCI compliance. But the blame has to go around a little bit. It's also the banks' problem. The point of sale systems are owned by the banks, and they need to upgrade their payment systems architecture."

The importance of monitoring

Still, there is some liability for the stores, because they didn't monitor their own systems, argued Anthony James, vice president of products for Fortinet, a threat management provider.

"You need to monitor your database and provide some security mechanism when it looks like an abundance of data is being downloaded in one SQL statement," he said. "It looks on the surface that there was not a lot of due diligence done on the back end. There are plenty of tools out there that look for that kind of activity so it can be stopped."
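The kind of check James describes, sketched as an added example that is not part of the original article: it reads database audit-log lines and flags any single statement that returns far more rows than the issuing account normally does. The log format, account names, table names and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed audit-log lines; the "ts user= rows= stmt=" format is an assumption.
SAMPLE_LOG = """\
2008-08-07T09:00:01 user=pos_app rows=1 stmt="SELECT status FROM txn WHERE id=?"
2008-08-07T09:00:05 user=pos_app rows=3 stmt="SELECT sku, price FROM items WHERE basket=?"
2008-08-07T09:00:09 user=pos_app rows=2 stmt="SELECT status FROM txn WHERE id=?"
2008-08-07T09:01:12 user=report rows=40000 stmt="SELECT store, total FROM daily_sales"
2008-08-07T09:02:10 user=pos_app rows=5000 stmt="SELECT * FROM customers"
2008-08-07T09:02:30 user=pos_app rows=250000 stmt="SELECT * FROM card_data"
2008-08-07T09:03:00 user=report rows=42000 stmt="SELECT store, total FROM daily_sales"
garbage line that does not parse
"""

LINE_RE = re.compile(r'^(\S+) user=(\S+) rows=(\d+) stmt="(.*)"$')

def find_bulk_reads(log_text, ratio=50, min_history=3, hard_cap=100_000):
    """Return (alerts, unparsed). A statement is flagged when it returns more than
    hard_cap rows, or more than ratio times the account's median so far."""
    history = defaultdict(list)  # account -> row counts of earlier normal statements
    alerts, unparsed = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)  # surface unparsable lines instead of dropping them
            continue
        ts, user, stmt = m.group(1, 2, 4)
        rows = int(m.group(3))
        seen = history[user]
        reason = None
        if rows > hard_cap:
            reason = "over hard cap"
        elif len(seen) >= min_history and rows > ratio * max(median(seen), 1):
            reason = "over account baseline"
        if reason:
            alerts.append({"ts": ts, "user": user, "rows": rows, "stmt": stmt, "reason": reason})
        else:
            seen.append(rows)  # flagged statements never raise the baseline
    return alerts, unparsed

if __name__ == "__main__":
    for alert in find_bulk_reads(SAMPLE_LOG)[0]:
        print(alert)
```

The per-account baseline is what lets the reporting account pull 40,000 rows without noise while a 5,000-row read from the point-of-sale account is flagged.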

Both James and Sinha said a multi-layered security approach is needed. "What we preach is a multilayered security environment, to secure your database, your apps, and your access points. So if someone did get past your wireless access point, you have a second tier of security to look for someone deploying a Trojan horse," said James.

Sinha said stores should not broadcast their wireless network's ID, a suggestion James also offered, and should use strong encryption -- WPA2-Enterprise -- and monitor both attempts at intrusion and sending data out. "Make sure you have wireless monitoring and intrusion detection deployed, to make sure no rogue devices try to connect to your network," he said.

By Andy Patrizio

1 comment:

Benjamin Wright said...

Piyush Sood: Careful reading of the indictments of the TJX data thieves shows that the media, card issuers and Federal Trade Commission over-reacted to the TJX incident. The TJX break-in was not as bad as we were led to believe. --Ben http://legal-beagle.typepad.com/wrights_legal_beagle/2008/08/credit-card-iss.html