Three Charged With Hacking Dave & Buster's Chain
Three men have been indicted for hacking into a number of cash registers at Dave & Buster's restaurant locations nationwide to steal data from thousands of credit and debit cards, data that was later sold or used to cause more than $600,000 in losses, the Justice Department said this week.
The government's 27-count indictment unsealed this week charges Maksym "Maksik" Yastremskiy, of Kharkov, Ukraine, and Aleksandr "JonnyHell" Suvorov, of Sillamae, Estonia, with wire fraud conspiracy, wire fraud, conspiracy to possess unauthorized access devices, access device fraud, aggravated identity theft, conspiracy to commit computer fraud, computer fraud and counts of interception of electronic communications.
The government also unsealed a complaint against Albert "Segvec" Gonzalez of Miami, who, according to the U.S. Secret Service, was responsible for creating the software used to steal credit and debit card data.
The complaint alleges that sometime between April and September of 2007, Yastremskiy and Suvorov hacked into cash register terminals at 11 Dave & Buster's locations and installed Gonzalez's "sniffer" programs to steal payment data as it was being transmitted from the point-of-sale terminals to the company's corporate offices.
According to the government, Gonzalez wasn't that great of a programmer: His sniffer program contained a bug that caused it to fail to start each time an infected point-of-sale system was rebooted. The Justice Department says that Yastremskiy and Suvorov kept at it, and that their persistence paid off: At one restaurant location alone, the sniffer program captured data for approximately 5,000 credit and debit cards, data that was later resold to cyber thieves, who used it to make fraudulent purchases.
The stolen card data, known as "Track 2" data, is stored in the magnetic stripe on the back of each credit and debit card. It's stored unencrypted and in plain text. Consequently, it can be read and re-encoded onto a counterfeit card that can then be used to make purchases at main street stores. Track 2 data includes the customer's account number and expiration date, but not the cardholder's name or other personally identifiable information.
As a result, Dave & Buster's had no way to notify the individual affected customers. Rather, in Sept. 2007, the company alerted its payment processor, Santa Monica, Calif.-based Chase Paymentech Solutions, LLC, which in turn notified the credit card companies.
According to the U.S. government, "Turkish officials arrested Yastremskiy in Turkey in July 2007, and he remains in jail on potential violations of Turkish law. A formal request for extradition of Yastremskiy to the United States has been made to the Turkish government. At the request of the United States, Suvorov was arrested in March 2008 by German officials while he was visiting the country. He remains in jail in Germany, pending German action on a formal U.S. extradition request. U.S. Secret Service officials arrested Gonzalez in Miami in May 2008."
Avivah Litan, a fraud analyst with Gartner Inc., said stolen Track 2 data typically is not useful for online fraud, as Track 2 data thieves most often do not obtain the names and addresses of the victims whose account numbers have been stolen. That's an important distinction because most Internet stores use address verification systems (AVS) to ensure that the credit card offered by the purchaser matches the name and address on file for that card.
In physical, in-store transactions, the person operating the cash register will at best check to make sure the name on the card matches the name on the purchaser's driver's license, Litan said. As a result, fraudsters armed with Track 2 can simply encode that data onto the magnetic stripe of a new, fabricated card that lists the fraudster's real name, or at least one for which he has a matching photo ID.
This trick works remarkably well for fraudsters who have stolen debit card Track 2 data, Litan said.
"The scammer will go into a bank branch and say 'Oh, my PIN doesn't work any more,' or 'I forgot my PIN,' and the teller will say, 'Okay, let me see your driver's license.' In a lot of cases, as long as the name on the license matches the name on the card, they'll just say 'Okay, swipe your card through the reader and we'll reset your PIN.'"
May 14, 2008; 5:15 PM ET