
Three Indicted In Huge Identity/Data Breach

ScentCone and other readers let us know about an indictment just unsealed in federal court for stealing 130 million credit cards and other data useful in identity theft, or just plain money theft. The breaches were at payment processor Heartland (accounting for the bulk of the 130M), Hannaford, 7-11, and two unnamed "national retailers." Interestingly, the focus of the indictment, Albert "Segvec" Gonzalez, is currently awaiting trial for masterminding the TJX break-in, which until Heartland counted as the largest credit-card theft ever. The indictment cites SQL injection attacks as the entry vector. Two unnamed Russia-based conspirators were also indicted. Securosis has analysis of the security implications of the breach ("These appear to be preventable attacks using common security controls. It's possible some advanced techniques were used, but I doubt it") and the attackers' methodology.
  • Re:Hate to say it... (Score:3, Informative)

    by Anonymous Coward on Monday August 17, 2009 @07:15PM (#29098887)

    That's only relevant to the end stores that need payment processing. The rules, of course, do not apply to the big name at the top.

  • by nametaken ( 610866 ) on Monday August 17, 2009 @07:19PM (#29098931)

    Seriously.

    I mean, SQL injection? That's just disgustingly stupid and lazy.

  • Re:Show Me The Money (Score:3, Informative)

    by ScentCone ( 795499 ) on Monday August 17, 2009 @08:00PM (#29099273)
    But where's the money? ... would have been bitten out of the economy. There doesn't seem to be any significant bleeding.

    It does take a huge bite out. It costs a fortune for merchants, card processors, banks (and of course to the retailers they pass those costs along to) to deal with fraud. Billions and billions a year. It's a drag on the economy that makes it more expensive to be a merchant, more expensive to (however briefly) borrow money, more expensive to run law enforcement, etc.
  • Re:Hate to say it... (Score:2, Informative)

    by hawleyal ( 871947 ) on Monday August 17, 2009 @08:05PM (#29099321)

    PCI

    only relevant to the end stores ... rules do not apply to the big name at the top

    Um. Ur wrong. It's relevant for everyone not Visa, MasterCard, American Express, Discover. TJX et al have way heavy PCI fines.

  • by DrJimbo ( 594231 ) on Monday August 17, 2009 @08:17PM (#29099425)
    They want their SQL injection attack back. I would imagine that the companies involved had to put forth a huge recruitment effort in order to find people competent enough to create a working site and yet clueless enough to allow SQL injection.
  • by Tweenk ( 1274968 ) on Monday August 17, 2009 @08:22PM (#29099469)

    The current system sucks. We need a better system.

    Here in Poland it is customary to pay for online purchases with bank transfers, and only use debit cards as a substitute for cash and at ATMs - nobody ever gives their card number to anybody. I am wondering why people bother with insecure credit cards when online banking fills most use cases of card-not-present transactions.

  • by caramelcarrot ( 778148 ) on Monday August 17, 2009 @08:26PM (#29099489)
    In the UK, my bank has given me a card signing device - whenever I set up a standing order, I put my card in, enter the amount, and then give my PIN. It spits back a response code, which I then type in. I believe it's possible to use a method like this on some websites that require credit cards, but not all processing systems support it; and that's a fundamental problem with any security improvements in credit card processing, that it'd require a replacement of effectively all current code.
  • by Phusion0 ( 665359 ) on Monday August 17, 2009 @10:53PM (#29100555) Homepage
    Holy flerking schnit man, you are some kind of Internet mutant. I love it! You know, I met Rob at a LinuxWorld one year, they were passing the mic around and giving out Slashdot shirts to anyone who asked a question. When I saw him, he looked kind of like the kind of guy who would enjoy participating in a furious, multi-cock, world record busting gang bang. I don't know, that's just me. Make sure to step out of the basement for just a moment and smell the air, it's nice, I promise.
