Indictment of card hacker unlikely to end thefts

Accomplices to the crimes are believed to be on the loose in Russia or other countries where U.S. authorities are less likely to get them.

(Page 2 of 2)

Authorities allege Gonzalez and the others infiltrated the Heartland, Hannaford and 7-Eleven computer networks using SQL-based attacks.

In a statement Tuesday, 7-Eleven Inc., which hadn’t commented on its breach before, said the attack affected ATMs operated by a third party inside its stores and lasted for 12 days in 2007. That is likely referring to an attack in which criminals infiltrated Citibank’s network of ATMs inside 7-Eleven stores and stole the mother lode in the ID theft world: customers’ PIN codes. Neither 7-Eleven nor Citibank would elaborate Tuesday.

Security experts also noted that Gonzalez’s latest indictment charges two unnamed co-conspirators who live “in or near Russia” and allegedly helped with the attacks.

Dan Clements, president of CardCops, which tracks stolen credit card data online, called it a “cleverly written indictment” that suggests the government might be trying to squeeze its former informant for more information about Hacker 1 and Hacker 2. However, extraditing those suspects is unlikely, Clements added.

“We are not safe,” Clements said. Gonzalez is “here on U.S. soil. That was his big flaw. If he were anywhere else, he’s not going to jail.”

Ori Eisen, founder of Scottsdale, Ariz.-based security firm 41st Parameter and previously worldwide fraud director for American Express, added that Gonzalez is “most likely not the kingpin. The kingpin would not risk being in the United States. They operate out of the Ukraine or Russia, and they’re former militants or ex-KGB who know their way around just enough not to get caught.”

As for Gonzalez, “by no means will catching him stop what’s going on out there,” Eisen said.

Consumers don’t have many options for monitoring whether the stores they frequent are good at protecting their card numbers. Stores aren’t given public grades on their computer security, like the scores restaurants get on their cleanliness in some places. The best advice: Regularly check your credit reports for suspicious activity, and set free fraud alerts with the credit-reporting agencies.

In this case, the thieves might have failed by being too successful. It’s hard to unload hundreds of millions of stolen credit card numbers on the black market.

Clements said criminals usually sell stolen card numbers in batches of 10,000 or less. That helps avoid drawing the attention of law enforcement and the card providers, which might replace cards pre-emptively if they see a mound of them being fenced. Many of the card numbers stolen in the breaches cited in the Gonzalez indictment have already been canceled and replaced.