Analysis: The biggest identity fraud in history

IT PRO looks at how millions of credit and debit card numbers were stolen from US and UK retailers, and examines how taking this case to court could help the international fight against identity theft.

The figures are staggering. Tens of millions of credit and debit card numbers stolen and sold around the world. Tens of thousands of pounds stolen from cash machines.

One retailer has already been forced to pay 30 million to Visa and MasterCard to compensate them for the cost of handling complaints, refunding stolen money and replacing cards.

However, law enforcement has finally caught up with what is believed to be an international crime syndicate, which used unsecure Wi-Fi networks and laptop computers to access and steal valuable data from a number of retailers including TJX, which owns British clothing chain TK Maxx.

So how exactly was it possible for hackers to steal this much data and actually use it?

"It apparently involved quite sophisticated hacking of the retailers' wireless networks and the retrieval of large volumes of payment card data over an extended period of time," said David Hobson, managing director of Global Secure Systems.

He said that if businesses were to avoid a similar situation occurring, they would need to make sure that all entry points to the corporate network were properly defended.

"That involves using lengthy encryption passwords and changing all the access points' passwords from their default settings," he said

"It's all very well using complex encryption passwords, but if you've left the admin password on your wireless router at its default setting, you might as well not bother using encryption in the first place," he explained.

Ray Stanton, global head of business continuity at BT, argued that it doesn't matter whether an individual gained access through a wireless network or any other method. It's about what they can do when they are in.

Stanton claimed that in the end it was a failure of the organisations involved to implement basic controls as well as maintain and monitor them.

He said: "Looking back this past six months, nearly, if not all of the notable' issues have all been to do with a lack of and failure to implement and maintain the basics'.

"Be it education of staff to taking care of information such as papers entrusted to them, to implementing technical controls and then monitoring and maintaining them."

The data theft occurred over what was said to be an 18-month period and was routed through the US, China and Eastern Europe.

Although individuals have been charged, questions about what has happened to the stolen data, whether it is still being used, and whether it was still costing customers remain unanswered.

The latter has not been helped by retailers keeping quiet about incidents in the fear that they would lose business.

"This happened for a period of time. We have no idea whether this is happening in the UK and Europe now. It's just not reported in the way that it mandatory in the US in a number of states," said George Fyffe, director of operations for EMEA at Application Security.

Fyffe said it was worrying that organisations like HM Revenue and Customs and other government departments thought that as data has not appeared, in effect the problem has gone away'.

"I'm not sure that's the case," said Fyffe. "If I had stolen that data, I think the last thing that I would want to do is to start using it while everyone is out there looking for it. I would sit back and wait. Let the dust settle and then begin to use it when people have forgotten about it."

David Emm, senior technology consultant at Kaspersky said that such a high profile case would put the problem back into the public eye the whole issue of personal data and how it was handled and looked after in the public domain.

He also said that the very fact that the criminals had been caught and charged from many countries showed that there was hope for the future even though there were still many barriers to consider when it came to countries working together.

Emm said: "It would be great if there was a cyber Interpol. The problem here is that we have crime without frontiers in the sense that the internet doesn't have political and or geographical boundaries.

"That said in the last five or ten years law enforcement agencies across the globe, particularly in the developed countries, have got skilled and experienced people working for them and they do cooperate to a large degree."

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans
Laptops

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021
Windows 11 has problems with Oracle VirtualBox
Microsoft Windows

Windows 11 has problems with Oracle VirtualBox

5 Oct 2021