Fast Company

The Biggest Hack Exposed: How Safe is the Web Really?

Last week, the Department of Justice cracked the biggest case of credit card and identity theft in U.S. history. Oh, snap. Last Tuesday, Federal prosecutors charged 11 hackers with the theft and sale of more than 40 million credit and debit card numbers. The thieves charged with the crime allegedly hacked into the wireless networks of nine major retailers, including BJ’s Wholesale Club, OfficeMax, TJ Maxx, Boston Market, Barnes & Noble, and Sports Authority.

The 11 web marauders were part of an international, organized crime ring that had been waging a protracted war against major retail brands, tapping into their networks for processing credit card information. From the U.S., China, Estonia, Ukraine, and Belarus, these appallingly sophisticated hackers identified technical weaknesses in the security networks and installed “sniffer” programs from overseas designed to intercept PIN numbers and other personal information stored on the retailers’ database. They then directed the information to other computers within the U.S. to sell online, or they would simply imprint the numbers on blank cards, withdrawing hundreds of thousands from ATMs.

As if a ring of international, swashbuckling hackers stealing millions of dollars isn’t enough of a story, here’s the kicker: The Justice Department sheepishly revealed that the ringleader of these web bandits had been their very own informant. For over 5 years. Whoops. Albert Gonzalez, 27, agreed to help federal agents identify hackers trafficking in stolen data in 2003 in order to avoid federal jail time. It turns out that he used his Secret Service informant status to tip off his fellow collaborators. My God, Moneypenny, a double agent.

Jerry Bruckheimer will no doubt pay a pretty penny for the rights to this story.

In related news, even before a bellicose Russia began its bombing campaign in Georgia, the Georgian government was bombarded by a massive, coordinated assault on its servers. A veritable cyber-strike. An unknown party, assumed to be Russian, sent more than a million requests (or D.D.O.S. attacks) that essentially overloaded and shut down the government’s servers, rendering web communication fairly useless. According to experts, this is the first time a cyber attack and a ground war have occurred at the same time. Though Georgia is relatively new to the Internet, and so managed to escape serious damage, one can understand how a country with a larger share of its public systems tied to the Internet could suffer immensely from a cyber attack of this magnitude. Like, say, the old U.S. of A.

The news from home and abroad is fairly distressing when it comes to our vulnerability on the Internet. According to the Identity Theft Resource Center’s latest findings, the total number of data breaches (or hacks) reached an all-time high in 2008.  If 41 million stolen credit cards doesn’t rattle you, then this data will.

So I asked Scott Mitic, CEO of TrustedID, a private company dedicated to providing consumers with the strongest identity theft protection solutions available, what we might learn from the latest string of high-profile security breaches.

Research today shows that most consumers are still concerned about online shopping, even though it has proliferated for over ten years now, according to Mitic. Obviously, these high-profile crimes affect the psychology of the average web user and what we think is appropriate to do or buy on the Web. “Clearly it’s a major threat. Anytime a small group of individuals can use off-the-shelf tools and consolidated brain power to compromise the identities of tens of millions of people, it’s a threat that every single person needs to understand and consider,” Mitic says.

All of the old rules still apply, the CEO said. We need to be wary of any individual, company, website, or communication that asks for our personal information. It is important to take proactive steps to protect our information, like placing anti-spyware on your computer and fraud flags on your credit reports, for example. It also wouldn’t hurt to do business with companies who are explicit about their investment in information security and privacy.

What is important to remember -- and certainly unsettling -- is that the goal of these new “pharming” attacks is not to spread viruses; they are not perpetrated for fun or for bragging rights, as in the case of “trolls.” They are about collecting sensitive personal information and thus financial gain -- they are about “exploiting technology for the benefit of their wallets.”

By doing the little things right, and by encouraging the media to cover web security news, we can stay ahead of the curve: “The media’s continued focus on the topic will help marshal the resources, both private and public, that can mitigate and potentially eliminate many of the most dangerous forms of web-crime we see today,” says Mitic.

We could all benefit from being a little more careful of what we share on the internet and how we do business there. Check out some related FastCompany.com content on the Black Market Code Industry and Guarding Data in the Age of Terror.

1 Comments

  • A. Lapre

    Thanks for writing about this. Yes, someday there will be an all-out cyber attack, and America is quite a target. On the consumer side, people should not blindly think that their data is safe. Perhaps investing in an identity theft insurance policy can supplement good habits such as carefully monitoring one’s credit card activity. As the rule goes, for every “solution” there comes a basketful of problems and issues.