We have written a lot about the need to lock down POS terminals. Today's news is particularly important because it provides evidence, long the subject of speculation, about the largest case of identity fraud on record.
Right here in Boston, 11 defendants got away with 40 million credit card numbers, defrauding organizations such as OfficeMax, Barnes & Noble, Boston Market, Sports Authority, Forever 21, DSW, BJ's Wholesale Club and TJX Companies.
How did they do it? Mass Attorney General Michael Mukasey explained that defendants used "sniffer" programs to "breach security systems and then install computer programs that gathered enormous quantities of personal financial data, which they then allegedly either sold to others or used themselves." This is the first confirmation of the criminal method. We are not talking about simple "wardriving", but a criminal enterprise designed to steal as much as possible.
And to make matters worse, one of the defendants was double-dealing, according to ABC News: he was involved in the heist while at the same time working with the government on other cases.
People speculated for a while that most of the losses were caused by simple wardriving, or sniffing poorly secured networks for credit card data in transit. This may sound plausible in the Dave & Buster's case, which allegedly involved some 5,000 credit cards (even though it is not true). But it could never explain the theft of 40M credit card numbers.
It turns out that it was all the work of a single gang that, at least in the case of Dave & Buster's, installed "packet sniffer" software directly onto Dave & Buster's computers and intercepted the networked transmissions of 11 cash registers over 4 months, yielding 5,100 credit cards. 675 "good numbers" were used to generate $600K of damages.
If 5K stolen credit cards can generate $600K, then 40M stolen credit cards could easily generate $40B in damages. That's more than the federal bailout of Bear Stearns.
These kinds of breaches could seriously undermine the global economy if left unchecked. POS entry points, as well as all the systems involved in handling personal financial data, have to be locked down, ensuring that only allowed applications run, with "sniffing" software safely blocked. Anti-malware suites are not designed to help in these scenarios, as "sniffing" software can be a useful tool in the hands of IT administrators and yet deadly in the hands of criminals.