Network News

X My Profile
View More Activity

Three Charged With Hacking Dave & Buster's Chain

Three men have been indicted for hacking into a number of cash registers at Dave & Buster's restaurant locations nationwide to steal data from thousands of credit and debit cards, data that was later sold or used to cause more than $600,000 in losses, the Justice Department said this week.

The government's 27-count indictment unsealed this week names Maksym "Maksik" Yastremskiy, of Kharkov, Ukraine, and Aleksandr "JonnyHell," Suvorov, of Sillamae, Estonia, with wire fraud conspiracy, wire fraud, conspiracy to possess unauthorized access devices, access device fraud, aggravated identity theft, conspiracy to commit computer fraud, computer fraud and counts of interception of electronic communications.

The government also unsealed a complaint against Albert "Segvec" Gonzalez of Miami, who, according to the U.S. Secret Service, was responsible for creating the software used to steal credit and debit card data.

The complaint alleges that sometime between April and September of 2007, Yastremskiy and Suvorov hacked into cash register terminals at 11 Dave & Buster's locations and installed Gonzalez's "sniffer" programs to steal payment data as it was being transmitted from the point-of-sale terminals to the company's corporate offices.

According to the government, Gonzalez wasn't that great of a programmer: His sniffer program contained a bug, which would fail to start each time an infected point-of-sale system was rebooted. The Justice Department says that Yastremskiy and Suvorov kept at it, and that their persistence paid off: At one restaurant location alone, the sniffer program captured data for approximately 5,000 credit and debit cards, data that was later resold to cyber thieves, who used the data to make fraudulent purchases.

The stolen card data, known as "Track 2" data, is stored in the magnetic stripe on the back of each credit and debit card. It's stored unencrypted and in plain text. Consequently, it can be read and re-encoded onto a counterfeit card that can then be used to make purchases at main street stores. It includes the customer's account number and expiration date, but not the cardholder's name or other personally identifiable information.

As a result, Dave & Busters had no way to notify the individual affected customers. Rather, in Sept. 2007, the company alerted its payment processor, Santa Monica, Calif., based Chased Paymentech Solutions, LLC, which in turn notified the credit card companies.

According to the U.S. government, "Turkish officials arrested Yastremskiy in Turkey in July 2007, and he remains in jail on potential violations of Turkish law. A formal request for extradition of Yastremskiy to the United States has been made to the Turkish government. At the request of the United States, Suvorov was arrested in March 2008 by German officials while he was visiting the country. He remains in jail in Germany, pending German action on a formal U.S. extradition request. U.S. Secret Service officials arrested Gonzalez in Miami in May 2008."

Avivah Litan, a fraud analyst with Gartner Inc., said stolen Track 2 data typically is not useful for online fraud, as Track 2 data thieves most often do not obtain the names and address of the victims whose account numbers have been stolen. That's an important distinction because most Internet stores use address verification systems (AVS) to ensure that the credit card offered by the purchaser matches the name and address on file for that card.

In physical, in-store transactions, the person operating the cash register will at best check to make sure the name on the card matches the name on the purchaser's drivers license, Litan said. As a result, fraudsters armed with Track 2 can simply encode that data onto the magnetic stripe of a new, fabricated card that lists the fraudster's real name, or at least one for which he has a matching photo ID.

This trick works remarkably well for fraudsters who have stolen debit card Track 2 data, Litan said.

"The scammer will go into a bank branch and say "Oh, my PIN doesn't work any more,' or 'I forgot my PIN,' and the teller will say, "Okay, let me see your driver's license.' In a lot of cases, as long as the name on the license matches the name on the card, they'll just say 'Okay, swipe your card through the reader and we'll reset your PIN."

By Brian Krebs  |  May 14, 2008; 5:15 PM ET
Categories:  Cyber Justice , Fraud , From the Bunker , U.S. Government  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Microsoft Patches Six Security Holes
Next: Debian and Ubuntu Users: Fix Your Keys


The phrase "personally identifiable information" is nonsense. I understand that a lot of people use it, but that's no reason to perpetuate it. Please endeavor to use language that has meaning. I would suggest "personal information" or "identifying information".

Posted by: aeschylus | May 15, 2008 9:16 AM | Report abuse


Yea, lets change the rest of the world to suit us. This is the standard type of language used. Get real!!!

Posted by: Bugs | May 15, 2008 11:14 AM | Report abuse

Regardless of the semantics involved, it sounds like the banks need to take action on a clearly exploitable system. It is in their financial interest, after all.

Posted by: C.B. | May 15, 2008 4:42 PM | Report abuse

The banks already have a very detailed set of requirements for computer systems at companies that accept credit transactions. One of those requirements is that the systems have to have their security software up to date and perform regular checks to ensure that nothing is added to sales terminals (such as this case). The credit card companies are already working on an updated set of requirements that will incorporate their experience with the latest tactics of thieves. It sounds like D&B was not fully compliant with the current PCI specs, since at the very least they should have had their sales terminals/registers locked down well enough to prevent the so-called "sniffer" program (likely a virus or trojan) from being uploaded to them.

Posted by: Robert | May 17, 2008 11:19 AM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company