
Man charged with massive credit card data theft

Identity theft is a growing problem, but Albert Gonzalez of Miami has taken this crime to a whole new level. According to the Associated Press, Gonzalez, who currently is in jail, was charged on August 17 with stealing 130 million credit card account numbers. Combined with the 40 million account numbers he took previously, Gonzalez has arguably set the all-time record for identity theft.

Gonzalez exploited weaknesses
As the AP article pointed out, Gonzalez, 28, and two Russian accomplices would hack into the computer networks used by such large corporations as 7-Eleven Inc. and Heartland Payment Systems. Once inside, the data thieves would install software, referred to in the industry as a "backdoor," to give them unauthorized access to the network.

The exact method Gonzalez used to gain entry to these networks has not been released, but he may have exploited at least one of these common data security weaknesses:

  • Easy passwords. Despite constant warnings, some corporate employees still use pretty simple passwords, such as birthdays or a child's name. The information security department of each corporation must require everyone to use "strong passwords" that contain a combination of letters, numbers and special characters. Individual and system passwords should be changed at least every 45 days.
  • Leaking USB ports. An iPod Classic has a storage capacity of 120 gigabytes, enough to hold an estimated 36 hours of music. An unscrupulous employee also can use this handy device to steal sensitive corporate data, including access codes and passwords. Unless a computer workstation needs active USB data ports, disable them immediately.
  • Paper trails. As part of their daily duties, some employees need access to credit card records. It is all too easy, though, for those same employees to carelessly discard reports and printouts without shredding them. A data thief just has to do some dumpster diving to make an illegal fortune, which is why every paper document should be shredded into confetti after use.

40 million accounts stolen via "wardriving"
Before his most recent indictment, Gonzalez was awaiting trial for stealing 40 million credit card account numbers via "wardriving." In this technique, the hacker's equivalent of a drive-by shooting, data thieves drive around with a laptop computer and "sniff out" wireless networks. When an unprotected network is found, the wardrivers install programs to capture credit card numbers.

Plugging the data leaks
The staggering scale of Gonzalez's identity theft crimes points out some ways that payment processors can plug data leaks:

  • Better encryption. A customer's credit card number should be encrypted at every stage in the transaction process, from the point-of-sale to the authorizing computer. Last week, Electronic Payment Exchange (EPX) announced a new "end-to-end" encryption solution that it says better protects customer account information.
  • Plug the leaks. Wireless networks are convenient, but credit card numbers should never be transferred over an insecure network. This goes for both employees using a company laptop and the average consumer sitting at the local coffee shop, paying a credit card bill over a free, unsecured wireless network.
  • Software tokens. Every information technology employee should be issued a "software token." In addition to their normal password, the employee must use the token, which generates a random pass code each time it is used. PayPal also makes tokens like these available to customers to restrict access to their own personal accounts.

Published: August 25, 2023
