- The Washington Times - Tuesday, August 18, 2009

An informant who once helped federal investigators hunt computer hackers is now accused of turning on the government to help perpetrate the worst credit card scam in the nation’s history, leaving vulnerable the identities of millions of Americans.

Albert Gonzalez, 28, of Miami, was charged Monday with conspiracy to commit wire fraud. Authorities say he hacked into the computer networks of major American retail and financial outlets, stealing data relating to more than 130 million credit and debit cards, about one-tenth of the U.S. total, authorities said.

Authorities said Mr. Gonzalez, whose online nicknames included “soupnazi,” worked with two men in Russia and targeted the 7-Eleven convenience store chain; Heartland Payment Systems, a New Jersey-based company that is one of the world’s largest credit and debit card payment-processing companies; and Hannaford Brothers, a supermarket chain in the Northeast. The indictment says the scheme also targeted two other companies, which it did not name.

“Upon stealing the credit and debit card data, Gonzalez and the co-conspirators would seek to sell the data to others who would use it to make fraudulent purchases, make unauthorized withdrawals from banks and further identity theft schemes,” the Justice Department said in a statement.

Mr. Gonzalez has been jailed for more than a year, but the information and card numbers he is accused of selling would presumably still be in the hands of the buyers.

It is unknown exactly what impact this will have on individual consumers, but one expert - who estimates there are about 1 billion credit cards and 250 million debit cards issued in the U.S. - sees it as an ominous sign.

“I guarantee you two things, that any company who does not take a look at this scenario and see the writing on the wall will in the near future find out the hard way,” said Jay Foley, executive director of the Identity Theft Resource Center, which is in San Diego. “And two, this is just the start of it, folks; it’s going to get a lot worse.”

He noted that Heartland and the entire debit card industry are much looser in their security procedures than the big banks and credit card issuers.

The largest companies “use robust programs for detecting anomalies in your spending habits, whereas the smaller companies and the little private companies don’t necessarily use that kind of support. And to make things worse, the debit card industry doesn’t use it at all,” he said.

For the companies involved, the impact can clearly be found on their bottom lines. In May, Heartland Payment Services, which handles millions of transactions daily, disclosed that the then-unattributed security breach in which Mr. Gonzalez was charged Monday had cost it nearly $32 million already, an amount that included legal fees and fines from credit card companies.

As Mr. Gonzalez sits in jail, he faces separate charges of hacking into the networks of other companies and stealing credit card information from them. One of the companies Mr. Gonzalez is accused of targeting in those cases, TJX Corp., revealed in a Securities and Exchange Commission filing that its security breach has cost $172 million.

All the charges were filed years after Mr. Gonzalez worked as an informant for the Secret Service. Authorities said his cooperation led them to a Web site that was used to transmit stolen credit card information, in a case in which law enforcement used a wiretap on a computer system for the first time.

He became an informant after a 2003 arrest on fraud charges.

“Obviously, we weren’t happy that the person we had working for us as an informant was double-dealing,” former Massachusetts U.S. Attorney Michael Sullivan said last year when Mr. Gonzalez was charged in the TJX case. Mr. Gonzalez has been in jail since May 2008.

In regard to Monday’s charges, authorities say, Mr. Gonzalez used a sophisticated hacking technique called an “SQL injection attack,” which allows hackers to sneak around a network’s security firewall to steal credit and debit card information.

He and the two unnamed Russian co-conspirators are accused of launching the attacks from computers in New Jersey - where prosecutors brought the indictment - as well as in California, Illinois, Latvia, the Netherlands and Ukraine.

They chose their victims carefully. According to the indictment, they reviewed lists of Fortune 500 companies, went to retail outlets to study the payment systems for vulnerabilities and visited the Web sites of other companies in an effort to expose weaknesses.

Authorities say they also took great pains to conceal their crimes by leasing computers under fake names and disguising their locations with phony Internet protocol addresses. Along with swiping credit and debit card information from their victims’ computer systems, authorities say, Mr. Gonzalez and his cohorts installed what are known as “sniffers” to intercept in real-time information that their victims were processing.

Mr. Foley, the identity fraud expert, said the case shows just how easy it is for hackers to steal, and continue stealing, credit card information.

“We now see that the system has a vulnerability that extends from the time it’s been exposed to the time it’s shut back down,” he said. “Companies like TJX and Heartland and all the others that have processing networks are going to have to be more and more vigilant with their processing software.”

Mr. Foley also says the case is a reminder of the vulnerabilities associated specifically with debit cards.

“On the credit card side, federal law says the worst they can hold me to is $50,” he said. “There’s a cute little caveat in your contract you signed when you accepted that debit card, and that is that you will protect it, you will keep it safe. And if I got it, you obviously didn’t do your job very well, did you?”

The new charges Mr. Gonzalez faces carry penalties of up to 25 years in prison, but he already faces life in prison from the earlier charges.

In the earlier cases, Mr. Gonzalez is charged with stealing credit card information after hacking into the computer networks of TJX Corp., a discount chain that operates Marshall’s and TJ Maxx stores.

Mr. Gonzalez is also charged with infiltrating the pricing systems of BJ’s Wholesale Club, Barnes & Noble Inc., the Sports Authority, Boston Market restaurants, Office Max, Dave & Buster’s restaurants, DSW shoe stores and Forever 21, a popular women’s clothing retailer.

He is accused of stealing 40 million credit card numbers from those companies.

As one indication of how easily a sophisticated person can steal sensitive credit card and financial information, authorities say that Mr. Gonzalez stole the data merely by driving around with a laptop computer and hacking into those retailers’ unsecured wireless systems.

Copyright © 2018 The Washington Times, LLC. Click here for reprint permission.

The Washington Times Comment Policy

The Washington Times is switching its third-party commenting system from Disqus to Spot.IM. You will need to either create an account with Spot.im or if you wish to use your Disqus account look under the Conversation for the link "Have a Disqus Account?". Please read our Comment Policy before commenting.


Click to Read More and View Comments

Click to Hide