Federal authorities are calling it the largest hacking and identity theft case yet. But this week's indictments of 11 people accused of plundering millions of payment card numbers might not seriously dent the underworld where such crimes occur.
Researchers at a hacking conference met the news with a bit of a shrug, saying the theft of credit and debit cards will still flourish.
“These guys were just persistent and lucky. And they got caught,” said Jim Christy, a longtime cyber crime investigator who now works in computer-security outreach for the Department of Defense. “There's probably a lot more stuff being stolen that's never been reported. A lot of smaller businesses are being raped and pillaged and plundered and they never know.”
The scope of the identity theft is breathtaking: More than 41 million debit and credit card numbers were stolen from major retailers, including TJX Cos., BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.
It's also been costly. The hardest-hit retailer, TJX, which operates T.J. Maxx and Marshalls discount clothing chains, took $197 million in charges to cover losses from its breach, which began in 2005.
Yet security researchers had a humdrum reaction to Tuesday's indictments partly because identity theft is a booming, multibillion-dollar business. Dismantling a successful operation just means another one will pop up in its place.
Another reason is that the indictment revealed that the hackers' tactics were crude, suggesting they stumbled into a much bigger security hole than they anticipated.
The hackers allegedly found insecure wireless networks using a simple method known as “wardriving,” or driving around in a car with laptops or other devices, to look for stores' Wi-Fi connections with security holes. Once inside the networks, the hackers allegedly installed programs to capture credit and debit card numbers in transit from the stores to payment processors.
Given that huge data breaches have become so commonplace, consumers are advised to be vigilant. One idea is to set up free fraud alerts with the credit reporting agencies, and keep close watch over your credit card bills and bank statements. Another standby: Pay in cash when possible.