Stolen data now more marketable

Hackers today are cyber pros going for big bucks, not kids or vandals.

By Madhusmita Bora
Published July 8, 2007

Laura Myerson's credit card bill usually runs a couple hundred dollars. So, the St. Petersburg-resident gasped when she called to pay her bill after Christmas and a Visa employee told her she owed $10,000.

Months later, Myerson would find out that hers was among 45.7-million credit and debit card numbers that were stolen from retailer TJX Cos.' database. The breach, considered the largest in history, happened in the summer of 2005 reportedly outside a Marshall's store in St. Paul, Minn. Armed with a telescope antenna, hackers squeezed in through a hole in the network and made their way into the company's central data system, newspaper reports say. The infiltration has ignited a nationwide debate about network security.

Traditionally, security controls have focused on protecting servers and services, according to a January report by the information technology research company Gartner Inc. So, cyber criminals have become smarter and begun targeting point-of-sale systems that store magnetic-stripe card data. By 2008, more than 50 percent of the attacks against retailers will be directed at their point-of-sale systems, Gartner said. Retailers aren't the only ones targeted.

In March, global security software maker Symantec Corp. said it discovered 2,526 network vulnerabilities in the second half of 2006. That's the highest volume ever. The government sector in that same period accounted for 25 percent of all identity-theft-related breaches. That's more than any other sector, Symantec said.

"The over-arching theme for anyone, anywhere is that hackers need to find just one way in, and we need to defend against all possible entries, " said Mark Rasch, managing director of technology at Washington, D.C.,'s FTI Consulting. The business advisory company helps organizations protect and enhance enterprise value.

Cyber criminals usually go after large amounts of data as they did in the TJX breach, said Rasch. Unlike earlier, they now want information that can translate into money.

Others agree.

"Traditionally, it hacking started with some kids in a basement doing it for fun or for bragging rights, " said Mustaque Ahamad, director at the Georgia Tech Information Security Center. "The last several years, the trend shifted to criminals and now it's more of an organized crime."

The emerging underground economy has become so sophisticated that it had specialized roles assigned to different individuals, said Dave Cole, director of security response at Symantec.

Once hackers get to the information, they sell it on fraud communities, on chat portals such as ICQ or on bulletin boards. Some of them are audacious enough to run banner ads on Web sites listing their rates on delivering specific information, Cole said.

"Law enforcement officials have got a real chase in their hands, " he said.

The masterminds behind the TJX intrusion have yet to be caught, but authorities in Florida arrested a gang that had allegedly used some of the stolen credit card information while on several buying sprees at Wal-Mart and Sam's Club stores across the state.

Behind the scam, they believe, was Irving Escobar, a Miami teenager, who was caught on Wal-Mart surveillance tapes allegedly making some of the purchases. Federal officials also caught a man who allegedly manufactured the counterfeit credit cards.

"It was more like modern day money laundering, " said Luis Bustamante, chief assistant statewide prosecutor at Attorney General Bill McCollum's office. Investigators aren't saying how Escobar and his gang landed the credit card information. Between last fall and winter the group rang up more than $1-million purchasing everything from Huggies to rice cookers, XBox 360 consoles, jewelry and plasma screen televisions.

Their approach was simple. They rented cars and traveled to northern and central parts of the state, buying stacks of $400 gift cards from Wal-Mart stores. To avoid suspicion, they drove back to South Florida to cash them in for goods at other Wal-Marts.

Escobar and his ring are several steps removed from the actual crime, Bustamante said. The modus operandi of the original hackers echo the style of established gangs in Romania, Bulgaria and other Eastern European countries, experts say. In the small world of the Internet, the market reach for the stolen data goes beyond the boundaries of America.

Myerson's Visa card was used to buy gift cards by the Florida gang before cashing them at a Miami Sam's Club between Dec. 1 and Dec. 30.

"I was like geez ... I am just glad I found out when I called to make a payment, " she said. "I would have felt a lot worse had I got it in the mail. I hope they catch them all."

That may remain a wishful thought.

Over 155-million data records of U.S. residents have been exposed due to security breaches since January 2005, according to the Privacy Rights Clearinghouse. One of the reasons why the numbers are so high is recent laws that require companies to notify their customers when a security breach occurs, said Chad Loder, engineering manager at Rapid7 LLC. The California firm sells vulnerability assessment software and recently added TJX as a client.

"Before 2003, any number of large-scale incidents could have occurred (and certainly did occur) without the public knowing, " Loder said.

Many companies are beefing up their systems, but protecting information technology infrastructure on a large scale is an extremely complex endeavor especially in a global world, Loder said.

"While individual systems must be protected, companies must also address the larger scale issues of security policy, best practices, and continuous auditing and security training, " he said.

At TJX, the financial damage continues to trickle in. The breach should serve as a wake up call to all to be more careful with how they store and secure data, said Rasch of FTI Consulting.

"If you want e-commerce to work you have to convince your customers that credit cards are safe and secure from privacy violations, " he said.

Consumers, too, need to be vigilant.

"On the one hand you have a big corporation with firewalls, hard security teams and fraud alert and then you have Grandma Sally who might be easily duped to give up her ID, " said Cole of Symantec. "So, you see more pick-pocketing of consumers than big Ocean's 11 type of heists."

Myerson, the St. Petersburg victim, said she often wonders how safe it is to use plastic.

"I just make sure that I keep an eye on my account, " she said.

Madhusmita Bora can be reached at (813) 225-3112 or mbora@sptimes.com


How can you combat security breaches?


- Continuously upgrade security infrastructure

- Focus on protecting card holder data by encryption and other methods

- Safeguard host systems by deploying intrusion-prevention systems.

Banks and payment processors

- Add stronger user authentication to cards to ensure stolen data can't be used.

- Use chip and PIN authentication as a tool.


- Monitor your financial accounts

- Check your credit report frequently.

- Shred financial documents

- Ultimate protection against data breach is placing a security freeze on credit reports, says Paul Stephens, director of policy and advocacy at Privacy Rights Clearinghouse, a nonprofit consumer organization.

"That locks up your credit report without access to which there isn't a whole lot a criminal can do, " Stephens said.

Source: Gartner Inc., an information technology research and advisory company

How credit card info was stolen from TJX

In the summer of 2005, hackers apparently focused a telescope-shaped antenna toward a Marshall's store near St. Paul, Minn., and infiltrated the company's central data system in Farmingham, Mass., which handles TJX's credit card, debit card, check and merchandise return transactions for stores in the United States, Puerto Rico and Canada. TJX identified 45.7 million payment cards that were compromised, as well as the driver's license numbers, military IDs or state IDs of 455, 000 customers.


1 In the summmer of 2005, hackers broke into the TJX Co.'s central database.

2 Experts believe that the hackers sold the credit card, and debit card information.

3 The information was used by some to manufacture counterfeit credit cards.

4 Last fall 19-year-old Irving Escobar of Miami and nine others allegedly zoomed through northern and central Florida using the fake cards to buy stacks of gift cards at Wal-Mart stores. Authorities said Escobar cashed the cards and bought expensive televisions, PCs and jewelry from Wal-Mart and Sam's Club stores in south Florida,

5 In March police arrested Escobar and six other suspects. Three are still on the lam The original hackers are still at large.

Hacking vulnerability trends

- The government sector accounted for 25 percent of all identity-related data breaches. (See chart, Page XD)

- The theft or loss of a computer or other data-storage medium made up 54 percent of all identity theft.

-Home users were the most highly targeted sector, accounting for 93 percent of all attacks.

-U.S. was the top country of attack origin, accounting for 33 percent of worldwide attack activity.

- Symantec documented 2, 526 vulnerabilities in the second half of 2006, highest ever in a six month period and 12 percent higher than the first half.

-China has 26 percent of the world's bot-infected computers, more than any other country.

Source: Symantec Internet Security Threat Report for July-December 2006.