The SF Gate interviewed Wired.com editor Kevin Poulsen, author of Kingpin: How One Hacker Took Over the Billion Dollar Cybercrime Underground. The SF Gate notes the Information Age has spawned a new kind of criminal. Not one who knocks over banks through armed robbery. Instead, it’s the kind who sits at a laptop and sneaks inside digital vaults to steal money. In the last decade, San Francisco was home to one of the world’s most powerful cybercriminals. He was a man who oversaw a network of identity thieves who stole billions of dollars from credit card companies. But he wasn’t just a bad guy – he worked on both sides of the law, using his hacking skills to fix some system weaknesses even as he exploited others.
In a post-attack follow-up, the Register reports Shinji Hasejima, Sony’s CIO, in an apologetic news conference said that the attack was based on a “known vulnerability” in the non-specified Web application server platform used in the PSN. However, he declined to stipulate what platform/s were used or what vulnerability was exploited, on the basis that disclosure might expose other users to attack. Hasejima conceded that Sony management had not been aware of the vulnerability that was exploited, and said it is in response to this that the company has established a new executive-level security position, that of chief information security officer, “to improve and enhance such aspects.”
The Register reports Sony warned its millions of PlayStation Network (PSN) users to watch out for identity-theft scams after hackers breached its security and plundered the user names, passwords, addresses, birth dates, and other information used to register accounts. The stolen information may also include payment-card data, purchase history, billing addresses, and security answers used to change passwords, Sony said.
The Register reports an American citizen has admitted to stealing data for more than 676,000 payment cards from databases he hacked into and netting more than $100,000 by selling them in underground bazaars online. Rogelio Hackett, 26, of Lithonia, Georgia, pleaded guilty to one count of access device fraud and one count of aggravated identity theft. He admitted a computer-hacking spree that started in the late 1990s and turned criminal in 2002, when he began carrying out SQL injection attacks on vulnerable websites that accepted credit cards to transact purchases. In 2007, he exploited the server of an unnamed online ticket seller and made off with data for some 360,000 cards, prosecutors said. He sold the stolen data on websites and IRC channels frequented by fellow credit card fraudsters, charging $20 to $25 per account.
Darkreading reports that a Malaysian citizen confessed to compromising servers at FedComp, the Federal Reserve Bank of Cleveland, and others to steal credit and debit card information. Lin Mun Poo, 32, a Malaysian citizen, pleaded guilty in federal court in Brooklyn to possessing stolen credit and debit card numbers. According to a detention letter and other documents filed with the court at the original indictment in November, Lin Mun Poo hacked servers belonging to financial institutions, defense contractors, and major corporations and then sold or traded the data.
Bank Info Security reports a U.S. District Court in Texas has granted motions made by Heartland Bank and KeyBank to dismiss civil actions brought against them for their involvement in the 2009 Heartland Payments Systems breach. The Heartland breach, the largest reported incident, impacted an estimated 130 million U.S. cards. Heartland Bank and KeyBank, acquiring banks, along with Heartland Payment Systems, a year ago filed motions with the District Court in Houston to dismiss, claiming the financial institution plaintiffs failed “to state a claim.” Heartland Bank also filed a motion to dismiss, based on lack of jurisdiction.
The Register reports Albert Gonzalez, mastermind of the infamous TJ Maxx hack, has sought to get a judge to set aside his earlier guilty plea and conviction in the case, by arguing he carried out the hack while working as a paid government informant. Gonzalez, 29, who escaped jail time in 2004 over his involvement in the sale of 1.5 million stolen credit and ATM card numbers while a member of the Shadowcrew group, by ratting out his erstwhile partners in cybercrime, went on to bigger and better things. While supposedly working for the Secret Service, he acted as ringleader in a massive credit card theft and laundering operation involving an estimated 170 million credit cards between around July 2005 and his arrest in May 2008.
SC Magazine writes the Massachusetts attorney general’s office has settled with a Boston restaurant group whose computer systems were compromised by hackers to steal some 125,000 customer credit card numbers. The Briar Group, which owns a dozen bars and restaurants, some of which are located in the popular Faneuil Hall Marketplace, agreed to pay $110,000 in penalties. Hackers in April 2009 infected The Briar Group’s network with malware, which enabled intruders to steal names and card numbers. A complaint filed by attorney general’s office alleged that the restaurant group committed a number of security stumbles, including failing to change default usernames and passwords on its point-of-sale systems, permitting multiple employees to share credentials and continuing to accept credit card purchases even after it knew of the breach.
Fox News Atlanta reports dozens of Oconee County residents have been faced with bank account problems after being the victims of debit card fraud. The unauthorized charges stem from dining out at a restaurant. Investigators are warning people to keep a close watch on their bank accounts since dozens of residents have noticed hundreds of dollars drained from their accounts. Investigators said only the card numbers are being used. The cards themselves are not being stolen. The one thing each victim has in common is that they used their cards at a local restaurant. Investigators say several restaurants in nearby Athens use the same debit card payment processor. They believe a scammer hacked into a database kept by that processing system and stole hundreds of numbers at once.
Madison-ct.patch.com reports that Adrian Mitan, 30, a citizen of Romania, pleaded guilty to one count of conspiracy to commit bank fraud stemming from his participation in a multistate ATM “skimming” scheme. According to court documents, Mitan and others conspired to install “skimming” devices on automated teller machines, and on card swipe access devices used by banks to control access to ATM lobby doors, in Connecticut, Pennsylvania, New York and New Jersey. The devices were able to capture the information encoded on the magnetic strips of bank cards used by ATM customers. The scheme resulted in a combined loss to all of the victim banks of more than $200,000.
