Analysis: The biggest identity fraud in history

gallery

The figures are staggering. Tens of millions of credit and debit card numbers stolen and sold around the world. Tens of thousands of pounds stolen from cash machines.

One retailer has already been forced to pay £30 million to Visa and MasterCard to compensate them for the cost of handling complaints, refunding stolen money and replacing cards.

However, law enforcement has finally caught up with what is believed to be an international crime syndicate, which used unsecure Wi-Fi networks and laptop computers to access and steal valuable data from a number of retailers including TJX, which owns British clothing chain TK Maxx.

So how exactly was it possible for hackers to steal this much data and actually use it?

“It apparently involved quite sophisticated hacking of the retailers' wireless networks and the retrieval of large volumes of payment card data over an extended period of time,” said David Hobson, managing director of Global Secure Systems.

He said that if businesses were to avoid a similar situation occurring, they would need to make sure that all entry points to the corporate network were properly defended.

“That involves using lengthy encryption passwords and changing all the access points' passwords from their default settings,” he said

“It's all very well using complex encryption passwords, but if you've left the admin password on your wireless router at its default setting, you might as well not bother using encryption in the first place," he explained.

Ray Stanton, global head of business continuity at BT, argued that it doesn't matter whether an individual gained access through a wireless network or any other method. It's about what they can do when they are in.

Stanton claimed that in the end it was a failure of the organisations involved to implement basic controls as well as maintain and monitor them.

He said: “Looking back this past six months, nearly, if not all of the ‘notable’ issues have all been to do with a lack of and failure to implement and maintain ‘the basics’.

“Be it education of staff to taking care of information such as papers entrusted to them, to implementing technical controls and then monitoring and maintaining them.”

The data theft occurred over what was said to be an 18-month period and was routed through the US, China and Eastern Europe.

Although individuals have been charged, questions about what has happened to the stolen data, whether it is still being used, and whether it was still costing customers remain unanswered.

The latter has not been helped by retailers keeping quiet about incidents in the fear that they would lose business.

“This happened for a period of time. We have no idea whether this is happening in the UK and Europe now. It’s just not reported in the way that it mandatory in the US in a number of states,” said George Fyffe, director of operations for EMEA at Application Security.

Email to a friend

Print this page