honoluluadvertiser.com

Sponsored by:

Comment, blog & share photos

Log in | Become a member
The Honolulu Advertiser
Posted on: Thursday, August 20, 2009

Indictment won't halt ID thefts


By Jordan Robertson
Associated Press

SOME ISLE CUSTOMERS WERE ISSUED NEW CARDS

The work of Albert Gonzalez, a Miami hacker who once worked as a government mole tracking down identity thieves, touched people in Hawai'i, as some banks took precautionary measures to issue new cards to customers whose data may have been captured.

First Hawaiian Bank sent out replacement cards with new expiration and security numbers after receiving the names from Visa and Mastercard of those possibly affected by the breach.

"We did reissue cards as we deemed necessary to protect the customers," said First Hawaiian Senior Vice President Curt Otaguro.

He said the new cards were issued to less than one-third of its debit and credit card roster.

"We're always watching for suspicious activity."

— Advertiser staff

spacer spacer

Authorities have caught a hacker responsible for stealing more than 130 million credit and debit card numbers, including some possibly from Hawai'i, but the indictment doesn't necessarily make shoppers safer.

Accomplices to the crimes are believed to be on the loose in Russia or other countries where U.S. authorities are less likely to get them. And the underlying security holes mined by the hackers still exist in many payment networks.

Albert Gonzalez, a Miami hacker who once worked as a government mole tracking down identity thieves, is accused of playing a critical role in all the largest credit-card heists on record.

With Monday's indictment of Gonzalez on conspiracy charges in U.S. District Court in New Jersey, the Justice Department says he helped steal 130 million card numbers from payment processor Heartland Payment Systems, 4.2 million card numbers from East Coast grocery chain Hannaford Bros. and an undetermined number of cards from 7-Eleven.

Gonzalez is in jail and awaiting trial next month in New York for allegedly helping to hack the computer network of the Dave and Buster's chain. Attorneys for Gonzalez did not comment to The Associated Press.

The fact that hundreds of millions of card numbers could be stolen from retailers illustrates the flaws in a payment system that's built more for speed than security, as an Associated Press investigation found this year. For instance, credit and debit card numbers are not always encrypted as they move from retail stores to banks for approval.

Consumers don't directly pay the costs of most fraud. Banks and retailers eat those charges. But consumers bear it indirectly, in the form of higher prices.

According to prosecutors, Gonzalez and his associates exploited vulnerabilities that remain widespread. Among them: flaws in the way retailers' and restaurants' computers handle requests in the so-called Structured Query Language (SQL), which is used to manage data — such as credit card information — stored in databases. Hackers who detect these holes can trick databases into coughing up more information than they should.

The vulnerability sometimes can be exploited as simply as entering a specially crafted command into, say, a search box on a badly configured Web site. Instead of returning normal search results, the site would surrender confidential information or allow a hacker to place malicious programs on the site.

Authorities allege Gonzalez and the others infiltrated the Heartland, Hannaford and 7-Eleven computer networks using SQL-based attacks.