How Did "Soupnazi" Allegedly Steal 130 Million Credit Card Numbers?

80beats | By Eliza Strickland | August 18, 2009 10:38 PM

A 28-year-old hacker has been charged in what federal prosecutors are calling the largest case of identity theft ever seen. The man, Albert Gonzalez, worked with two unnamed Russian conspirators to run wild through the computer networks of a handful of prominent corporations, including 7-Eleven, the supermarket chain Hannaford Brothers, and the payment processor Heartland Payment Center. The size of the heist—130 million credit and debit card numbers, according to prosecutors—has many people wondering: How exactly is such a massive theft carried out?

The Justice Department's indictment (pdf) describes how Gonzalez (a.k.a. "segvec" and "soupnazi," among other aliases) and his co-conspirators pulled it off. They began the job by scanning lists of Fortune 500 companies for likely targets, and then visited retail outlets to scope out the payment systems used at checkout counters and to look for vulnerabilities.

Then they would write specific codes to corrupt their data systems and launch a virus from computers in the United States and Europe to pull hundreds and thousands of credit card numbers, and sort through them using a "sniffer," which is basically a data analysis system that decodes big chunks of information [The Atlantic].

The hackers allegedly tested their malicious code, or "malware," by "using approximately twenty of the leading anti-virus products to determine if any of those products would detect their malware as potentially unwanted. Furthermore, they programmed their malware to actively delete traces of the malware's presence from the corporate victims' networks."

The methods used by Gonzalez and his team weren't all that sophisticated, either; the long and short of it is that they were able to exploit end users that didn't know how poor their security was, according to security experts [ChannelWeb].

It's still unclear how many of the stolen credit card numbers were resold and used to make unauthorized purchases or bank withdrawals. Gonzalez has an interesting record, and has worked on both sides of the legal line.

In 2003, after being arrested in New Jersey in a computer crime, he helped the Secret Service and federal prosecutors in New Jersey identify his former conspirators in the online underworld where credit and debit card numbers are stolen, bought and sold. But Mr. Gonzalez secretly reconnected with his old associates, federal officials have said [The New York Times].

He's currently in jail awaiting trial on two other cases of credit card data theft: the 2005 breach at T. J. Maxx stores, and the 2008 hack of the Dave & Busters restaurant chain and other companies.