Sunday, August 23, 2009
Profile of a hacker: How the "soupnazi" did it
Profile of a hacker:
Name: Albert Gonzalez
Online pseudonyms: segvec, soupnazi, Cumbajohnny and j4guar17
Current co-conspirators: Two men from Russia who authorities did not identify by name.
Past criminal affiliations: Leader of Shadowcrew, an online credit-card hacking ring. In 2004, 26 of the 4,000 members of the hacking crew were arrested and convicted.
Gonzalez's hacking timeline:
2003: Gonzalez was arrested for hacking but not charged with a crime because he agreed to work as an informant for the Secret Service on cyber-crimes. Yet, according to the Justice Department, he was again engaging in illicit activities fairly soon after his arrest.
October 2004: The government arrests members of the Shadowcrew. Gonzalez was the alleged leader of this hacking group.
November 2004: Gonzalez is allowed by the government to move from New Jersey to Florida. He then begins his hacking of Dave & Buster's restaurant chain.
October 2006-May 2008: Gonzalez and his associates targeted Fortune 500 companies with network security problems. He allegedly stole over 130 million credit and debit card numbers from Heartland Payment Systems Inc., a credit card payment processor, 7-Eleven, a national convenience store chain, and Hannaford Brothers Co., a supermarket chain. He was indicted for his leadership in this hacking ring Monday. Heartland is the world's 9th largest credit card processor.
May 2008: Gonzalez has been in custody since May 2008 when he was arrested for data theft at Dave & Buster's.
August 2008: Gonzalez is indicted for improperly probing the networks of many major U.S. retailers including TJX Companies (owner of TJ Maxx), BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW. At the time, it was thought to be the largest individual instance of credit card data theft via the hacking of private computer systems, as nearly 40 million card numbers were stolen. Authorities have said the breach cost TJ Maxx close to $200 million.
August 2009: Gonzalez and two unnamed associates are charged in federal court in New Jersey with running the largest credit card and identity theft hacking operation ever prosecuted. Gonzalez was already awaiting trial in New York for his hacking of the network at Dave & Buster's restaurants and in Massachusetts for his penetration of TJX Companies.
How he did it:
By all accounts, what makes Gonzalez's success so terrifying for consumers is that his alleged hacking ring was not very sophisticated. Officials have said Gonzalez used a technique called "wardriving," in which he and his associates travel to different areas searching for accessible wireless Internet networks. They then hacked into these networks, installing "sniffer programs" and "malware" software that allowed them to steal credit and debit card numbers from retailers. Gonzalez exploited holes in the SQL programming language used by many databases.
In the charges brought against Gonzalez on Monday, authorities said that once Gonzalez and his co-hackers captured the personal data, they'd send the information to computer servers in California, Illinois, Latvia, the Netherlands and Ukraine. Gonzalez would either then sell the numbers online or make purchases or unauthorized withdrawals from the banks the cards were linked to.
Gonzalez and his associates face anywhere from 35 years in prison to possible life sentences if convicted on all the charges currently brought against them. They also may have to pay more than a $1 million in fines.
What consumers should know:
•According to identity theft experts, restaurants are particularly attractive for hackers because they seldom update their anti-virus software and other computer security systems.
•Not all states require companies to notify consumers once their information has been compromised. It is unknown whether those affected by Gonzalez's heist were ever even alerted.
•If you're worried about identity theft, you should check the government's site here: FTC Id Theft