Credit card data for sale i.d.card data next?

If you think this couldn't happen to your super dooper i.d. Card think again

US prosecutors have charged a man with stealing data relating to 130 million credit and debit cards.

Officials say it is the biggest case of identity theft in American history.

They say Albert Gonzalez, 28, and two un-named Russian co-conspirators hacked into the payment systems of retailers, including the 7-Eleven chain.

Prosecutors say they aimed to sell the data on. If convicted, Mr Gonzalez faces up to 20 years in jail for wire fraud and five years for conspiracy.

He would also have to pay a fine of $250,000 (£150,000) for each of the two charges.

'Standard' attack


SQL INJECTION ATTACK

This is a fairly common way that fraudsters try to gain access to consumers' card details.
They scour the internet for weaknesses in companies' firewalls, which is simply a security wall designed to block unauthorised access to a computer network.
Once they find a weakness, they insert a specially designed code into the network that allows them to access card details.
There is little consumers can do to protect themselves from the effects of this type of attack.
The general advice to cardholders is to check bank statements carefully and report any suspicious transactions immediately.

Mr Gonzalez used a technique known as an "SQL injection attack" to access the databases and steal information, the US Department of Justice (DoJ) said.

Edward Wilding, a fraud investigator, told the BBC that this method was "a pretty standard way" for fraudsters to try to access personal data.

It "exploits any vulnerability in a firewall and inserts a code to gather information," he explained.

However, he added that this case probably "involved extremely well researched, especially configured codes, not standard attack codes downloaded from the internet".

Mr Wilding said there was little consumers could do to protect themselves against this kind of fraud.

"The real vulnerability [for cardholders], I suspect, is internet and telephone transactions. But this is a failure in the configuration of [corporate] firewalls," he said.

Michelle Whiteman, from anti-fraud organisation Financial Fraud Action UK, said that consumers must check their bank statements regularly and flag up any suspicious transactions to their bank.

She said that online, telephone and mail order fraud were on the increase, along with fraud committed abroad on UK cards, according to figures released in March.

But she stressed that any victim of fraud would "always be refunded in full".

Further charges


Mr Gonzales' corporate victims included Heartland Payment Systems - a card payment processor - convenience store 7-Eleven and Hannaford Brothers, a supermarket chain, the DoJ said.

According to the indictment, the group researched the credit and debit card systems used by their victims, attacked their networks and sent the data to computer servers they operated in California, Illinois, Latvia, the Netherlands and Ukraine.

The data could then be sold on, enabling others to make fraudulent purchases, it said.

Mr Gonzalez, who had once been an informant for the US Secret Service helping to track hackers, is already in custody on separate charges of hacking into the computer systems of a national restaurant chain and eight major retailers, including TJ Maxx, involving the theft of data related to 40 million credit cards.

Mr Gonzales is scheduled to go on trial for these charges in 2010.

This latest case will raise fresh concerns about the security of credit and debit cards used in the United States.

Liveleak on Facebook

Advertisers