Archive for the ‘eCommerce’ Category

Secret Service Paid TJX Hacker $75,000 a Year

March 23, 2010

Convicted TJX hacker Albert Gonzalez earned $75,000 a year working undercover for the U.S. Secret Service, informing on bank card thieves before he was arrested in 2008 for running his own multimillion-dollar card-hacking operation.

The information comes from one of Gonzalez’s best friends and convicted accomplices, Stephen Watt. Watt pleaded guilty last year to creating a sniffer program that Gonzalez used to siphon millions of credit and debit card numbers from the TJX corporate network while he was working undercover for the government.

Watt told Threat Level that Gonzalez was paid in cash, which is generally done to protect someone’s status as a confidential informant. The Secret Service said it would not comment on payments made to informants. Gonzalez’s attorney did not respond to a call for comment.

‘It’s a significant amount of money to pay an informant but it’s not an outrageous amount to pay if the guy was working full time and delivering good results,’ says former federal prosecutor Mark Rasch. ‘It’s probably the only thing he was doing — other than hacking into TJX and making millions of dollars.’

Gonzalez’s salary highlights how entwined he was with the government at the time he participated in the largest identity theft crimes in U.S. history. Gonzalez, 28, is set for sentencing this week on three indictments covering nearly every headline-making bank-card theft in recent years, including intrusions at TJX, Office Max, Hannaford Brothers, 7-Eleven and Heartland Payment Systems (which alone exposed magstripe data on 130 million credit and debit cards). The hacker’s plea agreements contemplate a total prison term of between 17 and 25 years.

Rasch says Gonzalez’s $75,000 is nothing compared to the million-dollar payouts some undercover informants get for high-risk, high-value cases such as Mafia investigations. But Gonzalez’s payments dwarf the meager handouts given previous computer crime informants.

Identity thief Brett Johnson, aka Gollumfun, said he earned $350 a week — the equivalent of about $18,000 a year — while working undercover in the Secret Service’s Columbia, South Carolina, field office helping catch card thieves. Johnson was recruited by the agency in 2005 after he was arrested buying merchandise with counterfeit cashier’s checks; his public service ended 10 months later when agents discovered that, like Gonzalez, Johnson was two-timing them, running a fraudulent tax-return scheme during his off hours that was bringing him an extra $5,000 to $6,000 each week.

Another carder, David ‘El Mariachi’ Thomas, worked undercover for 18 months for the FBI in 2003 and 2004 running a carding site called The Grifters out of a Seattle apartment. The bureau paid rent and expenses for him and his live-in girlfriend, and bought the computers he used to run the undercover operation, but didn’t pay him a salary.

In the 1990s, informant Justin ‘Agent Steal’ Petersen was reportedly paid $200 a week while helping the FBI build a case against Kevin Mitnick, then the number one hacker target on the government’s radar.

For his part, Gonzalez began working for the Secret Service when he was arrested making fraudulent ATM withdrawals in New York. Under the nickname ‘Cumbajohnny,’ he was a top administrator on a carding site called Shadowcrew. The agency cut him loose and put him to work undercover on the site, where he set up a VPN the carders could use to communicate — a supposedly secure communications channel that was actually wiretapped by the Secret Service’s New Jersey office.

That undercover operation, known as ‘Operation Firewall,’ led to the arrest of 28 members of the site in October 2004. After the site went down, Gonzalez changed his nick to ‘Segvec’ and moved to Miami where he resumed his life of crime under the noses of the agents who were paying him. Authorities finally arrested him in May 2008. After many months, he directed them to a stash of more than $1 million in cash buried in a barrel in the backyard of his parents’ home.

Rasch says a number of factors determine what an informant is paid, such as whether they have specialized technical skills or have infiltrated an underground organization; whether they’re putting themselves or family members at risk; and whether the investigations they work involve stolen funds that the government has a good chance of recovering.

‘If I’m working on a case involving $20 million in fraud and the government is likely to get some of that money back, $75,000 is chump change,’ Rasch says. ‘They don’t use paid informants that often…. Criminals will ordinarily cooperate [without payment] in return for a non-prosecution’ or sentence reduction.

The Department of Justice publishes nonbinding guidelines that discuss the necessity of monitoring informants and assessing a criminal’s suitability to be one, but they don’t provide standards for doing so.

Per the attorney general’s guidelines, two law enforcement representatives are required to witness any payment made to a confidential informant and document the payment in the case files, indicating if it’s for information, services or expenses. The informant must also sign or initial a written receipt.

At the time of the payment, the law enforcement agents are required to advise the confidential informant that the payment may be taxable income that must be reported to the IRS and state agencies.

The Secret Service’s embrace of Gonzalez as a professional informant may have reinforced his criminal behavior. Gonzalez felt he’d been rewarded for his preoccupation with computers, according to a letter written by his sister to one of his sentencing judges.

‘All this seemed okay at the time, but psychologically it was feeding an obsession that in the end would become my brother’s downfall,’ Frances Gonzalez Lago told the court in December.

Gonzalez is set for sentencing Thursday in U.S. District Court in Boston for the TJX, Office Max, and Dave & Buster’s breaches. He appears in front of a different judge the next day for sentencing on the Heartland, Hannaford and 7-Eleven thefts. The government is seeking a sentence of 25 years in prison.

Photo of Albert Gonzalez courtesy of Stephen Watt

(Via Wired: Threat Level.)

PCI Stresses Small Business and Web Hosting Companies

February 9, 2010

‘Mike,’ the owner of a midsized web-hosting company, talks about the effects of the Payment Card Industry Data Security Standard (PCI/DSS) on web hosting companies and small online merchants who are his customers.

s: If PCI/DSS were enforced today, what would happen?

m: Well, all the small businesses would lie. Right? If you’re a small outfit, and the choice is ‘Either I say yes to everything or my business is destroyed…’ What’s the choice?

s: When did you start taking PCI compliance seriously?

m: At some point just prior to fall of 2005, we concluded that PCI applied to us because we’re a merchant who accepts credit cards, and so we had Responsibilities. I don’t remember there being a good enough dialogue about it, or even any dialogue. Was there some point that I said, ‘Yes, I agree that if I would like to continue accepting credit cards as an Internet merchant I additionally agree to comply with this 100-point list?’ I don’t remember ever doing that. I don’t remember ever saying, ‘Dear VISA, yes, I agree, I’ll do it!’

s: What is the impact of PCI/DSS on small businesses?

m: Well, if it continues to be generally ignored by the vast majority of small merchants and small hosting companies, then the impact will be slow and steady.

It’s a matter of how aggressive the credit card processors and the PCI SSC themselves decide to get on their customers. Sure, my payment processing company… could decide to demand from me an attestation of compliance. They could hold this over my head and say, ‘we will REVOKE your credit-card processing privileges if you do not submit your attestation of compliance.’

Imagine us asking thousands and thousands of customers who have previously been on auto-pay to ‘please, hand-write me a check from now on.’ And customers in 40-something countries. Good luck.

s: It’s fair to say you would go out of business.

m: It might not kill us, but it would cripple us. But that credit card processor, in making that decision to revoke our privileges, would of course be cutting themselves out of thousands of dollars of revenue every month that we paid them. They would be killing one of their customers. So, they’re torn in two directions.

s: Do you feel that the PCI SSC took appropriate input from merchants?

m: In reality, 95% of the merchants would have not been capable of providing substantive technical feedback to the committee.

s: How come?

m: Because 95% of merchants are not technical operations. They are businesses that are selling coffee on the corner, or they’re selling widgets, and their cardholder data environment doesn’t consist of much but a plastic box with a phone line connected to it.

s: What do you think that implies for their ability to comply with PCI/DSS?

m: The jaw-dropping, gasp, oh-my-goodness implication of PCI/DSS is for all the ‘Laura’s Online Candle-Shop’ and ‘Best-Fishing-Lures-in-Arkansas Dot Com’ and the small Internet merchants with online shopping carts. These are my customers. I know a lot of them have shopping carts that are not million-dollar-a-month e-commerce operations. They are not Amazon. They are modestly successful online merchants.

Now these millions of small businesses, and the small-to medium-sized web hosting companies that are called upon by these small merchants, have a 100-point checklist of things that are not terribly understandable and are broadly interpretable and in many ways onerous to the point of absurdity for a small operation.

s: Do you think that PCI/DSS will cause consolidation in the web hosting industry, or that there will be fewer small businesses as a result?

m: I don’t think the American public or the international public is going to shed a tear if there is bloodletting consolidation of the web hosting industry. Where they would take up arms would be if Laura and Sam and Bob can’t open candle shops online. If that becomes impossible, or unrealistic, or incredibly expensive, there’s going to be pushback.

s: You think that people won’t miss the mom-and-pop web hosting companies?

m: Most web hosting companies are noticed by their customers when something breaks. The future of baseline web hosting is like the future of the electric company. Who gives a damn who you buy electricity from? You expect it to work 100% of the time. When it doesn’t, you’re annoyed and it’s disruptive. You don’t have a relationship with your electric company the way you do with your corner coffee shop or brewery.

s: Why is that?

m: The nature of commoditization, I guess.

s: Sounds like you’re suggesting that what will happen with the web hosting industry is similar to what happened in the telephone industry.

m: Sure, or any of the utilities that we all take for granted. Now, everyone assumes that cell phone service is going to work, your cable is going to work, there’s going to be water when you turn on the spigot. Web hosting companies will need to grapple with that commoditization and provide services that impress or delight or become more part of the daily workflow of the customer, rather than being part of some background thing that [you only notice when] something breaks.

s: Do you think there’s value for the public in having a variety of hosting options, or is it simpler to have it centralized?

m: The web hosting industry has got to be incredibly confusing for a customer right now. There are tens of thousands of hosting operations, many of which are 1, 2, 3, 4 dollars a month… Talk about a race for the bottom! How low can you go? It’s below the threshold of constituting commerce. A dollar a MONTH? I think the industry would benefit greatly from a culling.

I have in my mind that perhaps half of all ‘web hosting companies’ are a one-man show with someone who has another job, whether a student or some sort of professional. Those folks are in no way equipped to ensure the security of credit card data or to fix a server when it breaks. There’s such a low barrier to entry in the web hosting industry right now.

s: What do your peers in the industry think of PCI/DSS?

m: People are flabbergasted at the absurd impossibility of the vast majority of web hosts from ever approaching PCI/DSS compliance. Laura’s Candle Company? She’s required by PCI/DSS to ONLY host her web site that accepts credit cards in an environment that is itself PCI/DSS compliant. The only hosting that she’s allowed to use under PCI/DSS [requires 8 separate devices]: hardware firewall, application firewall, log audit system, and all that business. However, the vast majority of companies load up customers onto one box, and then get a new box. Then they load up customers on that, and then get a new box. And so on.

I know someone who has a hosting account with one of the top ten hosting companies. When she wants to FTP or SSH into her server, she goes to server 192 dot domain name dot com, and that machine hosts FTP, SSH, web, database, DNS, SSL, POP3, etc. It hosts all services. Bang, right off the bat, that’s not a PCI/DSS compliant hosting environment. For these web hosting companies, it’s a shaking of the foundation.

s: Do you think it’s realistic to expect small business owners to comply with PCI/DSS in the near future?

m: As a small business owner myself, I’m both the operations guy and the people manager. We have always hired new staff as we identified a clear and defined role, and more importantly, had the revenue to pay that person a fair wage and benefits. We’ve got this daily pop and crackle of operations plus customer service. We do not have the extra thousands or tens of thousands of dollars a month to, oh, just staff up!

Stopping customer service is not a viable option. Stopping operations pop and crackle is not a viable option. So who do I pull off? Where do I find the right staff or the right expertise to start working through the things that are required of PCI/DSS? I don’t know.

If I ran a technical operation that had 1000 operations employees, I could say, ‘Hey! pull team B-13 off of their raised floor construction project. They are now the PCI/DSS regulation security team.’ That sounds fine. That’s something that a big operation could pull off. If I was in a position to hire three new engineer sysadmins next week, then I’d surely put one or maybe two of them on PCI/DSS. ‘Hey, we’ve got to rewrite this code,’ or ‘Hey, we’ve got to reconfigure this network,’ We’ve got to do this, we’ve got to do that. But like many small businesses, we barely keep up with what’s going on right now.

s: This economy must be especially hard.

m: That’s right. We’re watching customers shut down their gardening blogs and their chess club web sites. These sites were important to them until they lost their jobs, and now they’ve got to figure out what the priorities are in terms of monthly expenses.

s: How much do you think this is going to cost you?

m: Well, of course if our credit card processor tells us it’s going to cost us an extra 1% of every transaction, that’s measurable. If they, like I’ve heard from other web hosts, decide that until we submit our attestation of compliance, we’ll have an extra $19.95 a month nuisance fee, then it’ll be $20 a month for the foreseeable future.

Another potential angle on cost: Will our customers begin demanding some sort of certification / attestation? ‘My credit card processor tells me that I’m only allowed to host with a PCI compliant host so I really need to know.’ If our only answer is ‘no,’ we’ll lose customers. Our growth will be stifled, and we may shrink as an operation. So, we could wither, or be crippled or killed, or just be taxed by PCI/DSS.

s: Basically, you’re saying that PCI/DSS could cause small businesses to go under.

m: Yes, if it was enforced vigorously. I should go on record as saying that I support the general idea of having standards for how credit card data is handled on behalf of your customers. People should use secure best practices and due care to ensure that credit card data is not released to hackers in Des Moines or Denmark or Indonesia. We must avoid that. Good! Let’s have some standards.

s: What is the purpose of PCI/DSS?

m: To push cardholder data security downstream to the merchants who handle it first.

s: Do you think PCI/DSS is at all effective?

m: Yes. I would say that PCI/DSS is effective in encouraging, let’s say urging or demanding, entities that handle personal information, including card holder data, card numbers and whatnot, to review the security procedures. It provides a not-valueless checklist of things to think about when handling this sensitive information.

s: What is the future of PCI/DSS?

m: First, I’ll say that no more than 20% credit card merchants will be PCI/DSS compliant, truly, in the next decade. It will be a slow and gradual process. At some point, a team of brilliant security engineers is going to come up with something that renders plaintext credit card numbers like telegraphs. There will no longer be a concept of entering some numbers that magically allow you to move money around.

s: You think our financial transaction system will evolve beyond credit cards into something different?

m: Yes, that is exactly what I mean. Even the biggest, most responsible badass security processors with awesome security practices keep getting compromised. The data at rest is inherently vulnerable, and so will continue to be a succulent target. We need to make the target less tasty. [We need] a transaction system that could, perhaps magically, ensure that the transaction was legitimate, and it isn’t just a string of not very many magic numbers. When smart guys and gals invent that, we will begin forgetting about PCI/DSS compliance in its current form.

s: Do you think that the credit card companies should be focusing on changing the system?

m: For all I know they have teams of ten thousand in underground bunkers who are developing the next great payment transaction processing technology. If they are, that’s great. That’s awesome. I have no idea what they’re doing, but I hope they are. I hope they are not believing that a short string of numbers is the tool of the future.

Sherri Davidoff
PGP-signed text: 2010-02-08 (current)

(Via philosecurity.)