Eleven people who stole and distributed more than 40 million credit and debit card numbers from major US retailers have been charged with conspiracy, computer intrusion, fraud, identity theft and other crimes. But why are some security experts not impressed?

It could well be, as Attorney-General Michael B. Mukasey said, the largest hacking and identity theft case ever prosecuted by the US Department of Justice.  In a scheme that spanned from Southern Florida to Eastern Europe, eleven conspirators allegedly hacked through the unsecured wireless networks of some of the nation’s most popular retail chains, including TJ Maxx, Marshalls, OfficeMax, Barnes and Noble, Sports Authority, BJ’s Wholesale Club, Boston Market, and more. The four-year security breach yielded more than 40 million credit and debit card numbers. The perpetrators then reportedly stored the stolen data on computers in Eastern Europe and sold some of the information to criminals, and loaded the unsold data on blank ATM cards which they then used themselves.

Now, according to a recent announcement by Attorney General Mukasey, U.S. Attorney for the District of Massachusetts Michael J. Sullivan, U.S. Attorney for the Southern District of California Karen P. Hewitt, U.S. Attorney for the Eastern District of New York Benton J. Campbell and U.S. Secret Service Director Mark Sullivan, all eleven have been indicted for numerous crimes, including conspiracy, computer intrusion, fraud and identity theft.

Reflecting the global nature of computer crime, three defendants are U.S. citizens from Miami, one from Estonia, three from the Ukraine, two from the People’s Republic of China and one from Belarus. One individual, known only by his online alias, “Delpierro”, has not been located. Three have been arrested. The charges against the defendants include: computer fraud, wire fraud, access device fraud, aggravated identity theft, trafficking in and possession of unauthorized access devices, conspiracy to launder monetary instruments, and crimes related to the sale of the stolen credit card data that was illegally obtained.

Prosecutors have charged the eight overseas ring members in San Diego’s federal court and the three Miami men in Boston. The eight conspirators who have been identified are:

• Albert “Segvec” Gonzales, Christopher Scott and Damon Patrick Toey of Miami. Gonzales was a Secret Service informant who, instead of helping the agency, used sensitive law enforcement information to help his co-conspirators. He faces a maximum sentence of life in prison for his principal role in the scheme.
• Hung-Ming Chiu and Zhi Zhi Wang from the People’s Republic of China, and the person known as "Delpiero."
• Maksym "Maksik" Yastremskiy, of Kharkov, Ukraine, and Aleksandr "Jonny Hell" Suvorov, of Sillamae, Estonia.
• Sergey Pavolvich of Belarus, and Dzmitry Burak and Sergey Storchak, both of Ukraine.

How the hackers did it.

According to the Boston indictment, Gonzalez and his co-conspirators obtained the credit and debit card numbers by "wardriving" – driving around in a car with laptops or other devices to look for stores’ Wi-Fi connections with security holes. Once they were able to hack into the vulnerable wireless networks, they installed "sniffer" programs that would capture card numbers, as well as password and account information, on their way from the stores to payment processors. But it was reported that the sheer number of cards being moved through the systems probably attracted notice and contributed to the discovery of the ID theft crimes. In fact, the scheme first came to the public’s attention when TJ Maxx owner TJX announced last year that credit and debit card information had been stolen from its computer systems that they had to pay Visa and MasterCard about $65 million to cover the fraud. In 2004, Boston Market also learned about a potential data compromise in one of its Florida branches. According to Attorney-General Mukasey, the immense scope of the conspiracy makes it impossible to quantify the amount of losses to banks, retailers and consumers.

How the Secret Service caught on to the ID theft scheme.

According to an article by Onell Soto on SignOnSanDiego.com, a lot of credit for this bust goes to the San Diego-based Secret Service agents. For three years, they communicated via the Internet with the thieves as part of an investigation that spread across the country and around the world and that led to the arrest and indictment of the perpetrators. The Secret Service, best known for protecting the president, was actually created in 1865 to fight money laundering, but has now expanded its mission to investigate identity thefts and cybercrime – crimes that can be committed in the US by those in other countries through the Internet. For example, Gonzalez and others were allegedly able to conceal and launder their fraud proceeds by using anonymous Internet-based currencies both within the United States and abroad, and by channeling funds through bank accounts in Eastern Europe.

Just a blip in the ID theft radar?

To many security experts, however, the round-up of this identity theft ring, impressive as it is, amounts to just a small dent in the multi-billion-dollar global business that is identity theft. In a word, the defendants were just unlucky enough to get caught. Stopping one operation only means that another one is bound to take its place. Furthermore, many more businesses, especially small and medium-sized ones, continue to be victimized by ID thieves with the crimes remaining undetected and unreported.

But a dent is better than nothing. As U.S. Attorney for the Eastern District of New York Benton J. Campbell stated, "…Hackers who reach into our country from abroad will find no refuge from the reach of U.S. criminal justice."