Having dedicated the last two blog posts to credit card fraud via skimmers, we are dedicating this one to exploring the role of hackers in stealing identities and creating counterfeit credit cards in their victims' names. We begin with the arrest of Albert Gonzalez, a resident of Miami who, along with two Russian co-conspirators, managed to steal 130 million credit card accounts. That is not 130 million dollars' worth of fraudulent transactions – it is 130 million unique, individual account numbers. At the time of the arrest, in late summer of 2009, it was the largest data breach recorded, eclipsing the previous high of 45 million accounts reported compromised by TJX Companies, Inc., the parent company of Marshalls and TJ Maxx stores.
How did Gonzalez and his partners-in-crime manage such an astounding feat? By cleverly going for the choke point of credit card payment systems: the processors. These processors act as intermediaries between the business and the credit card companies. Heartland Payment Systems, the processor targeted by Gonzalez's attack, processed around 100 million credit card transactions a month, 40% of them from small and medium-sized restaurants. A hidden piece of software on Heartland's computers intercepted the card numbers and cardholder names, which is enough to create a counterfeit credit card.
A similar method of attack was used in the TJX data breach. Hackers used unprotected corporate wireless networks to reach the parts of those networks that processed and transmitted customer credit card numbers. Just as in the Heartland case, TJX reportedly did not find out about the intrusion until months after it occurred.
If you are starting to see a pattern developing, you are right. Technology is evolving faster than most executives can adapt, with the unfortunate result that customer transactions are sometimes left quite vulnerable to cyber thieves. Sophisticated hacks similar to the one affecting Heartland represent a double danger: they can operate without interference for months and steal millions of accounts before ever being discovered. Barring major shake-ups in consumer behavior or payment card industry standards, this trend is unlikely to reverse itself anytime soon. Expect more data breaches both large and small, and more counterfeit credit cards arising from them.