
U.S. Indicts Three For Theft Of 130 Million Credit Cards

By Kevin McLaughlin, CRN, August 17, 2009
U.S. authorities on Monday obtained indictments against three men for their involvement in the theft of more than 130 million credit and debit card numbers, in what's being called the largest reported hacking and identity theft incident in U.S. history.

Albert Gonzalez, 28, of Miami, Fla., and two unnamed Russian co-conspirators are each facing charges that include conspiracy to commit wire fraud that could result in 35 years in prison and fines of at least $1.25 million.

According to details of the indictment, between October 2006 and May 2008 the three fraudsters conducted online and in-person surveillance of Heartland Payment Systems, 7-Eleven, and other companies to determine what type of point-of-sale systems they used.

Having established this, the hackers launched SQL injection attacks against these firms and harvested customers' credit card and debit card data. Afterward, they sold some of this data to third parties, according to a statement from the U.S. Attorney's Office in New Jersey.

To cover their tracks, the hackers accessed their victims' Web sites through proxy servers, tested their malware against leading security vendors' products, and designed the malware to remove all traces of itself from their victims' networks, according to the indictment.

Company executives at Heartland, Princeton, N.J., first learned of the security breach in October 2008 when credit card companies Visa and MasterCard alerted them to suspicious activity occurring in credit card transactions. On Jan. 20 of this year, Heartland issued a press release officially announcing the breach.

Security experts point to the Heartland breach as an example of how federal regulatory compliance mandates such as PCI DSS, which are designed to mitigate external threats, aren't sufficient for dealing with inside attacks.

"Perhaps the most important lesson from this breach is: Compliance is not security. Unfortunately, many businesspeople think if they are compliant with something like PCI, it means they are safe," said Andrew Plato, president of Anitian Enterprise Security, a Beaverton, Ore.-based solution provider.

Added Plato: "Hackers don't care if you're compliant or not. If there is an opportunity to break in, a Report On Compliance from a Qualified Security Assessor isn't going to stop them."

The latest evolution in attacks involves socially engineered approaches that target specific types of systems and include on-site physical reconnaissance, according to Peter Bybee, president and CEO of San Diego-based solution provider Network Vigilance.

"This may include attempted physical breaches of a victim's internal network, which is a fairly easy thing to do considering the poor security surrounding remote site offices, the lack of education of end users, and the absence of active security monitoring of security devices," Bybee said.

Darrel Bowman, CEO of Tacoma, Wash.-based security solution provider Mynetworkcompany.com, said the Heartland breach was a poignant reminder that constant vigilance and education are just as important as firewall, IDS and various other malware defenses.

"It's important to remember every entry into your systems, no matter how small, is subject to compromise," said Bowman. "The biggest vulnerability continues to be from within, and will remain so until more of these internal hacking incidents occur."

