Identity thieves taken down by white hat hackers

• Tweet

September 22nd, 2009 - Posted by Robert Siciliano

Robert Siciliano is a NextAdvisor.com Expert Guest Blogger

Albert Gonzalez and his gang of criminal hackers were responsible for data breaches in retailers and payment processors, with some estimates saying they breached over 230 million records combined. Gonzalez, considered a proficient criminal hacker, provided "dumps," a term which refers to stolen credit card data, to "carders". "Carders" are the people who buy, sell, and trade stolen credit card data online. This video provides an example of an online forum where stolen data is bought and sold. Gonzalez pleaded guilty to his crimes and will be serving the next fifteen years in jail. He and his gang used a combination of schemes that have caused a significant increase in counterfeit fraud.

Hackers rely on a variety of techniques to obtain credit card data. One such technique is wardriving, in which criminals hack into wireless networks and install spyware. Another is phishing, in which spoofed emails prompt the victim to enter account information. Phexting or smishing are similar to phishing, but with text messages instead of emails. Some hackers use keylogging software to spy on victims' PCs. Others affix devices to the faces of ATMs and gas pumps in order to skim credit and debit card data.

Gonzalez and his gang used another, more advanced technique known as an "SQL injection." SQL stands for "Structured Query Language."  The term refers to a virus that infects an application by exploiting a security vulnerability. WordPress, a blogging platform, is an example of a commonly used application that has been found vulnerable to these types of attacks. There are hundreds of other applications that can fall victim to an SQL injection.

IBM Internet Security Systems discovered 50% more web pages infected in the last quarter of 2008 than in the entire year of 2007. In 2005, a now defunct third party payment processor called CardSystems suffered an SQL injection, compromising a reported 40 million credit cards.

While Gonzalez has gone down, carders are still very active. A group of white hat hackers that calls itself War Against Cyber Crime recently succeeded in breaking into Pakbugs.com, a Pakistan-based carder forum, and published a list of members' login details and email addresses. Pakbugs.com has since dropped offline.

With 213 million cardholders and 1.2 billion credit cards in the U.S., there's no shortage of opportunity for carders to maintain their current pace. When a carder uses one of your existing credit cards, it's called "account takeover." When they use your personal information to open up new credit accounts in your name, it's called "new account fraud" or "application fraud." Protecting yourself from account takeover is relatively easy. Simply pay attention to your statements every month and refute unauthorized charges immediately. I check my charges online once every two weeks. If I'm traveling extensively, especially out of the country, I let the credit card company know ahead of time, so they won't shut down my card while I'm on the road. Protecting yourself from new account fraud requires more effort.

You can attempt to protect your own identity by getting yourself a credit freeze, or setting up your own fraud alerts. There are pros and cons to each. You should also consider an identity theft protection service, which would employ several techniques to prevent and detect identity theft.

Robert Siciliano, identity theft speaker, discusses credit and debit card fraud on CNBC.

[youtube]http://www.youtube.com/watch?v=y88SEANRTr8[/youtube]

Robert Siciliano is CEO of IDTheftSecurity.com , an identity theft expert, professional speaker, security analyst, published author and television news correspondent. Siciliano works with Fortune 1000 companies and startups as an advisor on product launches, branding, messaging, representation, SEO and media. Siciliano's thoughts and advice on all these matters appear often in both the televised and print news media including CNN, MSNBC, CNBC, FOX, Forbes and USA Today. He has 25 years of security training as a member of the American Society of Industrial Security. He is the author of two books, including The Safety Minute: Living on High Alert; How to take control of your personal security and prevent fraud. He's also partnered with Uni-Ball to help raise awareness about the growing threat of identity theft and to provide tips on how you can protect yourself.