Analysis: The biggest identity fraud in history

IT PRO looks at how millions of credit and debit card numbers were stolen from US and UK retailers, and examines how taking this case to court could help the international fight against identity theft.

The figures are staggering. Tens of millions of credit and debit card numbers stolen and sold around the world. Tens of thousands of pounds stolen from cash machines.

One retailer has already been forced to pay 30 million to Visa and MasterCard to compensate them for the cost of handling complaints, refunding stolen money and replacing cards.

Advertisement - Article continues below

However, law enforcement has finally caught up with what is believed to be an international crime syndicate, which used unsecure Wi-Fi networks and laptop computers to access and steal valuable data from a number of retailers including TJX, which owns British clothing chain TK Maxx.

So how exactly was it possible for hackers to steal this much data and actually use it?

"It apparently involved quite sophisticated hacking of the retailers' wireless networks and the retrieval of large volumes of payment card data over an extended period of time," said David Hobson, managing director of Global Secure Systems.

He said that if businesses were to avoid a similar situation occurring, they would need to make sure that all entry points to the corporate network were properly defended.

"That involves using lengthy encryption passwords and changing all the access points' passwords from their default settings," he said

Advertisement - Article continues below

"It's all very well using complex encryption passwords, but if you've left the admin password on your wireless router at its default setting, you might as well not bother using encryption in the first place," he explained.

Advertisement - Article continues below

Ray Stanton, global head of business continuity at BT, argued that it doesn't matter whether an individual gained access through a wireless network or any other method. It's about what they can do when they are in.

Stanton claimed that in the end it was a failure of the organisations involved to implement basic controls as well as maintain and monitor them.

He said: "Looking back this past six months, nearly, if not all of the notable' issues have all been to do with a lack of and failure to implement and maintain the basics'.

"Be it education of staff to taking care of information such as papers entrusted to them, to implementing technical controls and then monitoring and maintaining them."

The data theft occurred over what was said to be an 18-month period and was routed through the US, China and Eastern Europe.

Although individuals have been charged, questions about what has happened to the stolen data, whether it is still being used, and whether it was still costing customers remain unanswered.

Advertisement - Article continues below

The latter has not been helped by retailers keeping quiet about incidents in the fear that they would lose business.

"This happened for a period of time. We have no idea whether this is happening in the UK and Europe now. It's just not reported in the way that it mandatory in the US in a number of states," said George Fyffe, director of operations for EMEA at Application Security.

Fyffe said it was worrying that organisations like HM Revenue and Customs and other government departments thought that as data has not appeared, in effect the problem has gone away'.

"I'm not sure that's the case," said Fyffe. "If I had stolen that data, I think the last thing that I would want to do is to start using it while everyone is out there looking for it. I would sit back and wait. Let the dust settle and then begin to use it when people have forgotten about it."

Advertisement - Article continues below

David Emm, senior technology consultant at Kaspersky said that such a high profile case would put the problem back into the public eye the whole issue of personal data and how it was handled and looked after in the public domain.

He also said that the very fact that the criminals had been caught and charged from many countries showed that there was hope for the future even though there were still many barriers to consider when it came to countries working together.

Emm said: "It would be great if there was a cyber Interpol. The problem here is that we have crime without frontiers in the sense that the internet doesn't have political and or geographical boundaries.

"That said in the last five or ten years law enforcement agencies across the globe, particularly in the developed countries, have got skilled and experienced people working for them and they do cooperate to a large degree."

Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now



10 quick tips to identifying phishing emails

16 Mar 2020
mergers and acquisitions

Panda Security to be acquired by WatchGuard

9 Mar 2020
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Server & storage

HPE warns of 'critical' bug that destroys SSDs after 40,000 hours

26 Mar 2020
Mobile Phones

Apple lifts iPhone purchase restrictions

23 Mar 2020
video conferencing

Zoom beams iOS user data to Facebook for targeted ads

27 Mar 2020
Microsoft Windows

Microsoft puts Windows development on lockdown

25 Mar 2020