The Green Sheet

Friday, August 21, 2009

Notorious cyber criminal indicted again

In August 2009, the U.S. District Court for the District of New Jersey charged Albert Gonzalez, 28, with wire fraud and conspiracy for his role in a series of data breaches from 2006 to 2008 in which a reported 130 million credit card numbers were stolen. The United States Department of Justice said the case represents the largest alleged credit and debit card data breaches ever in the United States.

If convicted of both charges, Gonzalez faces up to 20 years in prison and a $500,000 fine.

This is the third indictment for Gonzalez, who has been in federal custody in New York since May 2008. He is awaiting trial for charges on wire fraud, computer fraud, access device fraud, aggravated identity theft and conspiracy related to cyber attacks that victimized Heartland Payment Systems Inc., 7-Eleven Inc., BJ's Wholesale Club Inc., Office Max Inc., Barnes & Noble Inc., Hannaford Bros. Co., TJX Companies Inc. and Dave and Buster's Inc.

"There are some things to take into consideration here – and that is we don't know what we don't know, and that's the scary part," said Paul Martaus, President of payments industry consultancy Martaus & Associates. "This is what they call international cyber terrorism. This is not a joke, it's not a game. It's huge.

"That is why Visa, MasterCard, FBI and Secret Service have nondisclosure directives with regard to a data compromise because disclosing those breaches could significantly and materially damage their ability to go forward with an investigation if everybody knows about it. They want to keep the bad guys operating until they get tagged."

Exploiting vulnerabilities

According to the Justice Department, the suspects used a sophisticated hacking technique called an SQL (structured query language) injection attack, a code injection technique designed to exploit security vulnerabilities by penetrating a network's firewall to gain access to networks and steal credit card information.
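The article names the technique but does not show what makes a SQL injection possible or what stops it. The following is an added illustration, not code from the article, the Justice Department, or any of the companies named: a lookup written two ways against a constructed in-memory SQLite table (names and card digits are made up), plus a small scan of constructed access-log lines for the quote-and-tautology pattern a defender would look for. The vulnerable function splices the user's input into the SQL text, so a value that closes the quoted literal rewrites the WHERE clause and returns every row; the parameterized function binds the same value so the database never treats it as SQL.

```python
import re
import sqlite3
import urllib.parse

# Constructed sample rows (not real cardholders): holder name and last four card digits.
SAMPLE_ROWS = [
    ("alice", "1234"),
    ("bob", "5678"),
    ("carol", "9012"),
]

# Constructed access-log lines in a minimal "METHOD /path?query HTTP/1.1 status" form.
SAMPLE_LOG = [
    "GET /lookup?holder=alice HTTP/1.1 200",
    "GET /lookup?holder=x%27+OR+%271%27%3D%271 HTTP/1.1 200",
    "GET /lookup?holder=bob HTTP/1.1 200",
]


def build_demo_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, holder TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO accounts (holder, card_last4) VALUES (?, ?)", SAMPLE_ROWS
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, holder):
    """Vulnerable pattern: untrusted input is spliced into the SQL text.

    A value containing a quote closes the string literal, and whatever follows
    becomes part of the query, so the WHERE clause no longer filters anything.
    """
    query = f"SELECT holder, card_last4 FROM accounts WHERE holder = '{holder}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, holder):
    """Hardened pattern: the SQL text is fixed and the value is bound as a
    parameter, so the driver passes it to the database as data, never as SQL."""
    query = "SELECT holder, card_last4 FROM accounts WHERE holder = ?"
    return conn.execute(query, (holder,)).fetchall()


# Quote followed by OR/AND and a comparison, or a SQL comment terminator:
# the shape of the simplest injection probes. A real deployment would use a
# broader rule set; this is only the heuristic (an assumption of this example).
_SUSPECT = re.compile(r"'\s*(or|and)\s+\S+\s*=|--|/\*", re.IGNORECASE)


def flag_suspicious_requests(log_lines):
    """Return (line_no, param_name, decoded_value) for every query-string value
    in the log lines that matches the injection heuristic."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        path = line.split(" ", 2)[1]  # second whitespace-separated field is the URL path
        if "?" not in path:
            continue
        params = urllib.parse.parse_qs(path.split("?", 1)[1], keep_blank_values=True)
        for name, values in params.items():
            for value in values:
                if _SUSPECT.search(value):
                    hits.append((n, name, value))
    return hits


def demo():
    """Run both lookups with a benign and a hostile value and scan the sample log."""
    conn = build_demo_db()
    hostile = "x' OR '1'='1"  # the decoded form of the second SAMPLE_LOG request
    return {
        "vulnerable_benign": len(lookup_vulnerable(conn, "alice")),
        "vulnerable_hostile": len(lookup_vulnerable(conn, hostile)),
        "parameterized_hostile": len(lookup_parameterized(conn, hostile)),
        "flagged": flag_suspicious_requests(SAMPLE_LOG),
    }


if __name__ == "__main__":
    print(demo())
```

The benign lookup returns one row either way; the hostile value makes the string-built query return all three rows, while the parameterized query returns none because no holder is literally named `x' OR '1'='1`. The log scan flags only the second request, which is the same value URL-encoded; that is the kind of check a web-tier or database-proxy monitor can run alongside fixing the query construction itself.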

The indictment alleges the group researched their victims' credit and debit card systems, attacked the networks, and sent the card data to computer servers in California, Illinois, Latvia, the Netherlands and the Ukraine. The objective was to sell the data for use in making fraudulent purchases.

Gonzalez's first trial on the Dave and Buster's charges is scheduled to begin in New York in September 2009; the second trial for charges related to the other retailers begins in 2010. A trial date for the two most recent charges has not yet been set. Federal authorities have also charged two unnamed Russian co-conspirators whose whereabouts are at this time unknown.

The Justice Department also reported that Gonzalez's new charges relate to "a different pattern of hacking activity." However, Martaus does not necessarily agree with this theory. "I personally am under the impression that the Russian methodology is one that employs a specific hacking technique, and it will be used until it is exhausted," Martaus said. "I suspect that the indictment of this guy will slow them down, but it sure won't stop them."

Fighting back

Martaus added that the ability to share information about breaches without violating nondisclosure agreements can be attributed to Heartland Chairman and Chief Executive Officer Robert O. Carr and the FS-ISAC (Financial Services - Information Sharing and Analysis Center), a payments industry forum for collaboration on critical security threats facing the financial services sector.

"The FS-ISAC approached Bob to start the PPISC [Payments Processing Information Sharing Council]," Martaus said. "Now all the major players are members of the PPISC, and one of the major strengths of this organization is that all parties can share hack-related information in real-time and anonymously without worrying about all the nondisclosure rules."

The PPISC is taking a proactive stance on the heels of the Gonzalez indictment. Its next meeting is Sept. 9 to 10, 2009, in Washington, D.C. and is open to all PPISC or FS-ISAC member organizations. Many new security and fraud issues have developed since the council's first meeting in May 2009, and the PPISC will address all of them.

"The forensic expert that distributed the malware at the meeting in May has got three new attack vectors that have been learned of since then, and he will be distributing those," Carr said. "We're also going to address network solution penetration that creates a lot of ACH [automated clearing house] fraud. There is also a new Trojan (malware) that's really difficult to find and deal with called the Mebroot. We'll discuss that, as well as Adobe vulnerabilities and other attack vectors.

"That is something that every business person needs to be absolutely concerned about. The bad guys are getting the credentials to wire transfer money out of business accounts and there is no restitution for companies when that happens. So we need to understand as much as possible about how to prevent the bad guys from putting us out of business."

Looking ahead

Heartland has been working for the past several months on a true end-to-end encryption solution. However, the company is also working on a security solution called dynamic data for authentication that Carr said is even better than end-to-end. "That's going to be a hot topic going forward and there will be a lot more discussion on that within the next 60 days," he said.

And this is just the beginning. "The PPISC is having immense success in pulling people together, building and reinforcing that bridge between the payments industry, government, law enforcement and the other groups charged with apprehending the bad guys," said Jason Maloni, spokesman for Heartland. "And Heartland is extremely upbeat about their forthcoming encryption solution as well as the work of the PPISC. We're making strides, but the best is still yet to come."
