Feds seek to nab credit thieves in La., Miss.




BATON ROUGE, La. -- A ring of cyber-thieves has stolen tens of thousands of credit card numbers from Louisiana and Mississippi restaurants this year, leading to over $1 million in losses for the banks that issued them.


The restaurants began reporting the thefts beginning in March in Baton Rouge, followed by similar cases in Flowood, Miss., Lafayette, Lake Charles and West Monroe. The hackers have swiped credit and debit card numbers off 16 restaurants' computer systems, then sought to sell them for anywhere between $1 and $100 each, according to Special Agent Sean Connor of the U.S. Secret Service, an arm of the Treasury Department that investigates financial crimes.

"Once they get a big pile of credit card numbers, they turn around and sell them on the Internet," Connor said.

The cases appear connected and probably involve a criminal network that stretches overseas, which would be consistent with other identity theft cases, U.S. Attorney David Dugas said. A group indicted in a separate case earlier this month includes defendants from three continents.

Authorities have no total dollar figure for the losses sustained in the Louisiana-Mississippi cases because the victims _ local and national banks _ are still compiling figures, Connor said. The hardest hit is a bank reporting over $1.1 million in losses, he said.

One bright spot: it's easier to steal the credit information than it is to sell it, meaning the losses could have been much greater.

"Their methods for using the cards aren't as efficient as their methods for getting the numbers," Dugas said.

Jim Christy, a Maryland-based computer security expert with the Department of Defense, said such a scheme can get started by a thief with a laptop, driving around town until he finds a business with wireless computer networks. The thief breaches an insecure wireless network, then inserts malicious software _ similar to a wiretap _ in the merchant's computer that will collect customers' credit card numbers and send them to the thief's e-mail account.

Such identity theft operations began about five years ago and are becoming more common, he said.

"This is a worldwide problem today. Everything's networked and everything's going to wireless," said Christy, director of futures exploration for the Defense Department's Cybercrime Center.

The scheme is not sophisticated. Christy compared the hackers to teenage pranksters who get a garage-door opener and drive around the neighborhood, seeing how many garages they can open up by pushing the button. Eventually, they find one or two.

In the largest such identity theft case so far, 41 million credit and debit card numbers were stolen from chain retailers including Barnes and Noble, Sports Authority and OfficeMax. TJX Cos., which runs T.J. Maxx clothing stores, took $197 million in charges to cover losses from the security breach.

Eleven people _ from the U.S., Estonia, China, Ukraine and Belarus _ have been indicted in that case.

The big money for hackers may be in big chains, but the Louisiana-based case shows that small businesses can be targets, too. The targets included Roman's, a family owned Lebanese eatery in Baton Rouge, and Sammy's Grill, in the rural town of Zachary.

Restaurants are among the most common targets for hackers, experts said, because they often fail to update their antivirus software and other computer security systems. Credit card companies urge merchants to make sure they're not storing sensitive data on "point-of-sale" computers _ the modern equivalent of cash registers. The machines also need to be continuously upgraded to meet security standards, said Joe Majka, a senior business leader at Visa Inc. who focuses on computer security.

"We're working more to direct our attention to the merchant community, to make sure they are protecting their data correctly, so that these things don't occur," Majka said.

About 100 restaurant owners are expected at a meeting Monday in Baton Rouge, where Secret Service agents and representatives from Visa will explain how to protect against breaches.

Credit card contracts generally protect consumers from any fraudulent use of stolen card numbers. To protect against the inconvenience of credit card theft, the companies recommend that consumers be vigilant in checking charges that appear on credit or debit accounts _ and quickly report suspicious ones to the issuer of the card.

But Christy said there's little that credit users can do to protect themselves.

He said the threat of identity theft is "part of doing business today. You just hope businesses do what they're supposed to do to protect you."

Copyright 2008 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

Restaurants using Aloha

Vickone- What was your source on these being Aloha Users? Are the 100 restaurants going to this meeting Aloha Users?

I spoke to someone who attended the meeting outlined in the Associated Press article. The meeting was set up by the Lousiana Restaurant Association and was attended by the Secret Service agent on the case, a US Attorney and a represtative from Visa. During the meeting it was presented that the 15 breaches occured were all Aloha POS systems. It was stated that he hackers were able to breach the systems as the Remote support software were all using the same User Name and Password (this is against PCI requirements). The hackers installed a "sniffer" program that would capture credit card data on the Local LAN (ie private network). Also, during the meeting, one of the restaurants said that Chase/Paymentech already ACH'd $50,000 out of the restaurants bank account.

If that is the case, my bet it was the work of an ex-pos installer/support tech that knew the passwords and id's to that dealers client list.

Scary stuff...

 

 

Quality is NOT expensive, it's PRICELESS

 Trust is good, Control is BETTER

 It has become painfully clear, that IQ's should be required
 prior to issuance of a voters registration card!!

 

 

It could be, but that's a stretch. If Aloha used the same username and password for all their customers for remote access (which, BTW was not an uncommon practive by many POS providers up until PCI came out), all it took was a single ex-employee from any restaurant who might have known the remote access username & password.

Also, many times you can simply google "common username password" and find access codes for various systems. As a hacker, then all you need to know is what system your target is using and you have your first penetration test.

Moral of the story, make sure you do not EVER use vendor supplied passwords. Even if the vendor requires remote access, you should assign the password yourself and give it to the vendor. Also, best practice says to keep remote access turned off, only turn it on as needed, and then turn it off again when the issue is resolved.

Steve Sommers
Shift4 Corporation -- the next generation of Enterprise Electronic Payments ( blog )