Analysis: what is wardriving?

Eleven people alleged to have stolen the credit card details of up to 100 million shoppers, including customers of T.K. Maxx stores in Britain, have been charged in the biggest identity theft case in the US.

A virtual United Nations of criminal co-operation was revealed, with charges being laid against three Americans, three Ukrainians, two Chinese, an Estonian, a Belarussian and a suspect known only by his online name, Delpiero.

Security experts gave warning yesterday that many British retailers were unwilling to update their computer systems and were still unprepared for such attacks.

The suspected computer hackers are believed to have been led by a double-dealing US Secret Service informant in Miami, who is accused of continuing his criminal career even while helping authorities to pursue other cyber-criminals.

“So far as we know, this is the single largest and most complex identity theft case ever charged in this country,” Michael Mukasey, the US Attorney-General, said in Boston on Tuesday.

Members of the ring allegedly identified vulnerable wireless networks by “war-driving” around shopping centres in the Miami area with a laptop. Once they had hacked into the network, they installed “sniffers” to record credit and debit card information as it was transmitted within the company. The card information was sold to accomplices around the world via a website. The stolen data was then cloned on to the magnetic strips of blank credit cards, which were used to withdraw tens of thousands of dollars at a time from bank cash machines.

The breakthrough in the three-year undercover investigation came when several people were arrested in Florida last year trying to buy goods at Wal-Mart using credit cards encoded with data stolen from T.J. Maxx — the US version of T.K. Maxx.

They led investigators to members-only websites such as DumpsMarket, where hackers sold stolen card information. The alleged ringleader was Albert “Segvec” Gonzalez, who had been acting as an informant for the Secret Service since being arrested for hacking in 2003. Mr Gonzalez, now in custody in New York, allegedly made at least $1.7 million (£870,000) from the scam, buying himself a home in Miami, a BMW and a Glock handgun.

“Obviously we weren’t happy that someone we had working for us as an informant was double-dealing,” Mark Sullivan, the Secret Service director, said.

The stolen credit card details — the “Track 2 data” embedded on the magnetic strip — were allegedly sold by a Ukrainian named Maksym Yastremskiy, who is considered a major player in the black market for stolen card data.

Mr Yastremskiy, who was arrested while on holiday in Turkey, allegedly sold card data for more than $10 million on his website, in quantities ranging from several hundred thousand to several million. Prosecutors said that he had paid Mr Gonzalez at least $400,000 in 20 transfers of a cyber-currency called “e-Gold” to hide the illicit payments.

Among others charged are two Chinese nationals, who are accused of supplying blank credit cards to be encoded with stolen data.

Retailers targeted included not only T.K. Maxx, T.J. Maxx and Marshalls, another of its US sister stores, but also Boston Market, Sports Authority, BJ’s Wholesale Club, Forever 21, DSW, OfficeMax and Barnes & Noble, America’s largest bookstore chain.

TJX, the parent company of the 210 T.K. Maxx shops in Britain, has said that at least 45.7 million cards were exposed to possible fraud. Court filings by banks that sued the company put the number of cards affected at 100 million or more.

The company confirmed in March last year that 100 files were moved from its computer system in Watford in 2003, and that two files were later stolen. The information accessed on the TJX systems in Watford and at its corporate headquarters in Massachusetts in the US covered transactions as far back as December 2002. The company said that at least three quarters of the compromised cards were now past their expiry date or the data had been masked.

Apacs, the payments association, said that it was working with British retailers to upgrade the security on their systems, and that they were liable to fines of millions of pounds if the security on their systems was found to be insufficient. However, Paul Cronin, a security tester with the Reading company Pentura, said: “It’s easy to do this kind of hack nowadays — and with many retailers strapped for cash and put off the massive cost of ripping out their old infrastructure to install a new one, it’s become easier for criminals to exploit them.”

How to protect your PC

Times Recommends

• Rio Tinto four held as China prepares case
• Diplomats must keep heads down and trousers up
• When in Rome should one make like Berlusconi?