Hacker pleads guilty to giant ID theft; learn how to protect yourself

In what has been called a global "cash-out" conspiracy, Ehud Tenenbaum, also known as "The Analyzer," has pleaded guilty to a single count of bank card fraud in a scheme that officials say eventually pilfered more than $10 million from various U.S. banks.

Tenenbaum first gained public notoriety 10 years ago when, along with a group of Israelis and two California teenagers, he hacked into multiple computer networks, including the Pentagon. Quoted in an online article from Wired Magazine, Tenenbaum's mother said she was unaware her son had pleaded guilty to the charge. "I don't know what to think. I hope that all is OK."

This latest security hack should be a warning not only to banks and financial institutions, but also to anyone concerned about ID theft, data breach and network security. The question, though, is what can be done to make sure your data is as secure as possible? The first thing any institution should do is make sure it complies with the PCI Data Security Standard. This six-part standard is a product of the PCI Security Standards Council. The Council, according to the group's Web site, is "an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection." The organization was founded in 2004 to align the various security protocols of its founding members. The Council was formed by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa, Inc.

The PCI Data Security Standard has six broad goals, with 12 requirements that, if followed, should provide the greatest protection against private data being stolen or unwittingly made public. More information may be found at the group's page, but in short, those six goals are:

1. Build and maintain a secure network.
2. Protect cardholder data.
3. Maintain a vulnerability management program.
4. Implement strong access control measures.
5. Regularly monitor and test networks.
6. Maintain an information security policy.

The six steps are a general guideline that all PCI-compliant institutions must meet. But beyond that, individual businesses can follow similar methods on a more local level. For smaller businesses, those too small to accept credit cards except via a small merchant account, the government has also listed five guidelines that should make securing private customer data easier. Again, more in-depth information may be found at the originating article's Web site:

1. Secure documents and equipment.
2. Secure electronic data.
3. Train employees.
4. Secure vendor relationships.
5. Create a response plan.

While no protection is perfect (the method of attack in Tenenbaum's case -- SQL injection -- is discussed in the PCI standards), everything a business does to protect customer data can only make customers feel more secure about their relationship with that business, whether it be a retail store around the corner or a financial institution.

Published: September 4, 2023
