
Who's Selling Credit Cards From Target?

Soulskill posted about a year ago | from the it's-the-grinch dept.

Security 68

An anonymous reader writes "Brian Krebs has done some detective work to determine who is behind the recent Target credit card hack. Krebs sifted through posts from a series of shady forums, some dating back to 2008, to determine the likely real-life identity of one fraudster. He even turns down a $10,000 bribe offer to keep the information under wraps."


I smell a * (-1)

Anonymous Coward | about a year ago | (#45780899)

Anonymous Coward

PU... Good riddance!

OHHHH (-1)

Anonymous Coward | about a year ago | (#45780901)

YOU GOT SERVED

Good Journalsim, Good Article (4, Interesting)

retroworks (652802) | about a year ago | (#45780903)

Took about 5 minutes to read it. Didn't see any "first posts!" in the interim. Either others find it as fascinating, or I lack a life reading /. at midnight on Christmas eve.

Re:Good Journalsim, Good Article (1)

eWarz (610883) | about a year ago | (#45780919)

Primarily number two, it's been eerily quiet tonight..especially given your poor spelling of journalism. I expected the grammar Nazis to be out in full force.

Re:Good Journalsim, Good Article (4, Insightful)

Trepidity (597) | about a year ago | (#45780933)

Spelling is not properly within the jurisdiction of the Grammar Nazis; we apologize for any overstepping of boundaries in this regard that may have occurred in the past.

Re:Good Journalsim, Good Article (2)

Samantha Wright (1324923) | about a year ago | (#45780967)

Yeah, that's strictly the domain of the Orthografiejugend.

Re:Good Journalsim, Good Article (1)

mcneely.mike (927221) | about a year ago | (#45781367)

Gesundheit! :)

Re:Good Journalsim, Good Article (1)

mrmeval (662166) | about a year ago | (#45784949)

LOL

I fiddled with gtranslate and got

Rechtschreibung Jugendkorps

I'll use both. :)

Re:Good Journalsim, Good Article (0)

Anonymous Coward | about a year ago | (#45787407)

I googled too, it's two words, Orthografie jugend, "youth writing correctly" which is hilariously seldom seen.

Re:Good Journalsim, Good Article (1)

Belial6 (794905) | about a year ago | (#45780987)

Does that apply to its/it's? Since technically "Its Christmas." would be grammatically incorrect.

Re:Good Journalsim, Good Article (1)

TechyImmigrant (175943) | about a year ago | (#45781069)

Not since Noddy Holder verbally omitted the apostrophe in a song.

Re:Good Journalsim, Good Article (1)

ls671 (1122017) | about a year ago | (#45781241)

You've been so long
Well, it's been so long
And I've been putting out fire
with gasoline
putting out fire with gasoline

It's is a contraction for it is or it has.
http://garyes.stormloader.com/its.html [stormloader.com]

Re:Good Journalsim, Good Article (1)

K. S. Kyosuke (729550) | about a year ago | (#45781499)

That could depend on your POV. One might argue that the result happens to be ungrammatical in the written language, but since "it's" and "its" are homophones in spoken English, how do you propose to differentiate it from any other typo? It doesn't seem to be distinguishable without further knowledge of the mental process that led to it.

Re:Good Journalsim, Good Article (1)

Belial6 (794905) | about a year ago | (#45783429)

Which doesn't answer the question. Does it fall under the jurisdiction of the Grammar Nazis?

Re:Good Journalsim, Good Article (0)

Anonymous Coward | about a year ago | (#45787439)

The sentence structure will always clue you as to whether it's a possessive or a contraction. E.g., "Its hands are cold because its only ten degrees" should obviously be "Its hands are cold because it's only ten degrees" (he's, she's, it's; his, hers, its). It's the author showing his/her ignorance of his/her own language. Sad, but what's annoying is those other homophones that make you read the damned sentence three times to figure out WTF the writer was saying. "Here the kittens purr" has a completely different meaning than "hear the kittens purr". It's amazing how many people at a nerd site, of all places, where you would expect bibliophiles to hang out who don't know the difference between lose and loose, and there their and they're. Now that's just sad.

Lysdexics untie!

Re:Good Journalsim, Good Article (0, Informative)

Anonymous Coward | about a year ago | (#45781471)

I expected the grammar Nazis to be out in full force.

An ellipsis is 3 dots, not 2, and it has a space before and after.

Re:Good Journalsim, Good Article (5, Insightful)

Spy Handler (822350) | about a year ago | (#45780993)

Yes it was very good, Krebs writes well and he seems to know his stuff.

That being said, was it really that easy? His steps to finding the perpetrator were:

-Scan underground sites that sell stolen credit cards
-Do a small buy to get a sample
-Found cards that matched the ones stolen from Target
-Dig through various forum/social network archives to see if any matched the owner of the underground site (from step #1)
-Contact the perp to see if he makes any incriminating statements (which he did by offering $10k bribe)

The perp may be an uber elite hacker, but he's very noob when it comes to hiding his tracks.

Re:Good Journalsim, Good Article (3, Informative)

SternisheFan (2529412) | about a year ago | (#45781081)

This morning ABC-TV news reported that they are zeroing in on the thieves (it may be Ukrainian hackers), who are having trouble selling the info since there is a glut on the market, not enough buyers. It also reported that phony Target emails are getting sent to affected card holders, customers are being told to go directly to the official Target site to be sure.

Re:Good Journalsim, Good Article (1)

Anonymous Coward | about a year ago | (#45781165)

-Contact the perp to see if he makes any incriminating statements (which he did by offering $10k bribe)

That actually made me wonder if a journalist could make a living by not posting articles.

Re:Good Journalsim, Good Article (2)

wisnoskij (1206448) | about a year ago | (#45781403)

They can, they even have a special name for them: Blackmailer.

Re:Good Journalsim, Good Article (4, Insightful)

phayes (202222) | about a year ago | (#45781245)

Krebs does know his stuff & much like J Edgar Hoover, he's been in the business accumulating files on all the underground criminal sites for years. It is this database of info & intimate knowledge of how it all fits together that allows him to dig up the info that budding criminals left online in forums where they let their hair down (assuming that the others were all thieves with honour) and then tie it together with public records. Even "elite hackers" (assuming that the lowlife Krebs exposed really is one) were young once & rare is the teenager who knows not to brag...

Go Brian, you inspire us all...

Re:Good Journalsim, Good Article (3, Interesting)

berberine (1001975) | about a year ago | (#45781377)

rare is the teenager who knows not to brag...

Not quite on the same level, but my local paper recently ran a story of a convenience store robbery. The person who did it stole a lot of junk food and close to $1000. The police admitted they had no leads and were clueless about who did it. They were basically saying that the perpetrator was going to get away with it. Two days later, they arrest a 16-year old male because he was bragging to his classmates at school about how dumb everyone was and how smart he was because no one knew it was him.

I wonder what would happen if (0)

Anonymous Coward | about a year ago | (#45781691)

he took the $10k & then still released the info anyway.

No honor among thieves, right?

Re:Good Journalsim, Good Article (3, Interesting)

Anonymous Coward | about a year ago | (#45781695)

-Dig through various forum/social network archives to see if any matched the owner of the underground site (from step #1)

That probably was the more difficult step. Most of these chats had been deleted or archived. And most of it was in Russian. He probably was on these sites for a while, also note that a lot of these chats are private chats between 3rd parties, so getting ahold of this was probably some work.

Re:Good Journalsim, Good Article (0)

Anonymous Coward | about a year ago | (#45783631)

Yes it was very good, Krebs writes well and he seems to know his stuff.

That being said, was it really that easy? His steps to finding the perpetrator were:

-Scan underground sites that sell stolen credit cards
-Do a small buy to get a sample
-Found cards that matched the ones stolen from Target
-Dig through various forum/social network archives to see if any matched the owner of the underground site (from step #1)
-Contact the perp to see if he makes any incriminating statements (which he did by offering $10k bribe)

The perp may be an uber elite hacker, but he's very noob when it comes to hiding his tracks.

What makes this even more funny, and even more simple minded, is how the target Krebs tracks down is dumb enough to ignore the basics of underground criminal 101. Never use photos or avatars, and never use the same fkin alias for anything, never use social websites then post your (what is guessed to be) a real name, and try not to just use basic Jane/John public internet in which you can be traced.

Seriously if Krebs could track the idiot down why is there no outrage or any police effort to nab the guy!!

That alone is what I found disturbing!!

Re: Good Journalsim, Good Article (1)

cusco (717999) | about a year ago | (#45783689)

Really, they don't become cops because they like working with computers. I don't know of a single large metropolitan police department that actually has a computer crimes division, even here in Seattle.

Re:Good Journalsim, Good Article (1)

godel_56 (1287256) | about a year ago | (#45783837)

Seriously if Krebs could track the idiot down why is there no outrage or any police effort to nab the guy!!

Um, possibly because he's in the Ukraine and paying the local cops a shedload of money to look the other way, and no-one expects any different.

Re:Good Journalsim, Good Article (0)

Anonymous Coward | about a year ago | (#45784227)

Yes it was very good, Krebs writes well and he seems to know his stuff.

That being said, was it really that easy? His steps to finding the perpetrator were:

-Scan underground sites that sell stolen credit cards
-Do a small buy to get a sample
-Found cards that matched the ones stolen from Target
-Dig through various forum/social network archives to see if any matched the owner of the underground site (from step #1)
-Contact the perp to see if he makes any incriminating statements (which he did by offering $10k bribe)

The perp may be an uber elite hacker, but he's very noob when it comes to hiding his tracks.

It's possible that this is actually a second or third tier re-seller, and not the original perp..

Re:Good Journalsim, Good Article (0)

Anonymous Coward | about a year ago | (#45781003)

Only if you celebrate xmas like some kind of religious and/or superficial nutjob..

Re:Good Journalsim, Good Article (1)

mark-t (151149) | about a year ago | (#45781487)

In most nations, celebration of Christmas is fairly ubiquitous and a person's recognition of that has nothing to do with that particular person's religious or materialistic views.

Re:Good Journalsim, Good Article (1)

Bite The Pillow (3087109) | about a year ago | (#45783509)

The "inside job" nutters are not posting here, but they seem to be alive in other threads. That cut down on the normal useless chatter, leaving it open for this useless chatter.

GNAA (-1)

Anonymous Coward | about a year ago | (#45780905)

FRIST POAST

hot grits.

SELENA GOMEZ

Banana (-1)

Anonymous Coward | about a year ago | (#45780925)

Banana.

Purview of NSA? (4, Insightful)

OffTheLip (636691) | about a year ago | (#45781045)

If the NSA/FBI/CIA/... was really interested in doing some good with all of the data mining they could solve or at least contribute to resolving cases like this. Prevention would even be better.

Re:Purview of NSA? (5, Informative)

TechyImmigrant (175943) | about a year ago | (#45781323)

Or the banks could switch to chip and pin cards and upgrade the crypto sufficiently to make it secure.

Re:Purview of NSA? (1)

bzipitidoo (647217) | about a year ago | (#45782033)

Just what I was thinking. I don't know if the banks are stupid, or if their cold calculations really do show that writing off a steady stream of fraudulent transactions is less expensive than upgrading the security. But given their recent track record, such as crashing the economy and causing the Great Recession, I'm of the opinion that smart cards would be less costly in the long run, and that banks are stupid and greedy for not using them. They might have to hire a few software engineers, maybe even some experts in crypto! And we just know there aren't any available, thanks to H1B limits. Seems Ukraine's system produces many such experts.

Re:Purview of NSA? (3, Interesting)

TechyImmigrant (175943) | about a year ago | (#45782277)

My understanding is not that they like card fraud, but they do *really really* like the current situation regarding liability. I.E. The banks carry none of the liability. If they are provisioning strong crypto and credentials to ensure secure transactions, the liability landscape changes in ways that are bound to be worse than the current optimal (as far as the bank is concerned) situation.
 

purview of banks investing in security (4, Insightful)

swschrad (312009) | about a year ago | (#45783365)

seeing as how the chipped cards cost 5 times as much, I think we can consider this discussion closed :-D you know, the mantra of Wall Street is "screw the future, what are you doing for us this quarter?"

Re:Purview of NSA? (1)

DeSigna (522207) | about a year ago | (#45785389)

I thought this was already the case.

At least here (AU), it's been practically impossible to get a MasterCard or Visa-backed card without a smartchip for half a decade, and in 2014 signatures will no longer be accepted to validate identity on credit purchases. There's been ads running for about a year requesting that people create a PIN for each of their cards. (AFR rundown [afr.com] )

Bank-issued cards (not store cards) always come with NFC as well now (doesn't seem to be any way to request otherwise). The last non-NFC card I had just expired and was replaced with a Visa PayWave. NFC & RFID is also very popular for specialist stuff : cabcharge cards, fuel cards, public transport.

Re:Purview of NSA? (1)

thejynxed (831517) | about a year ago | (#45789337)

What is disturbing, is that NFC/RFID chipped cards are basically just a band-aid, and fall to the exact same pitfalls of being able to be read and copied with relative ease using parts you can purchase and assemble at your local equivalent of Radioshack as your average NFC/RFID employee badge or door keycard.

The funny thing is, is that some of these parts are illegal to sell to the general public in the EU, but Canada, AUS, US, Mexico, etc all have them widely available.

There's already been demonstrations by university students & their professors, etc about the dangers of relying on chip & pin for anything (witness the fiasco a few years ago when they showed how easy it was to ride the tube in London for free by exploiting the inherent weaknesses in this particular combo).

Re:Purview of NSA? (1)

Jamie Ian Macgregor (3389757) | about a year ago | (#45791529)

that is weird, my CC was just replaced with a chip+pin non nfc (in NZ) but I was in Sydney the other week with my nearly expired chip+pin CC and when using it I was asked to sign instead of using pin...also, New Zealand McDonalds can take purchases under about $15 or something with no authentication whatsoever, I thought that was a bit off.

Re:Purview of NSA? (0)

Anonymous Coward | about a year ago | (#45782527)

Or the banks could switch to chip and pin cards and upgrade the crypto sufficiently to make it secure.

Europe has been using chip & pin for some time.

Based on their experience, it does make card fraud more difficult, but not impossible.

Re:Purview of NSA? (0)

Anonymous Coward | about a year ago | (#45784111)

Europe has been using chip & pin for some time.

Europe actually looks after its citizens.

Re:Purview of NSA? (1)

interkin3tic (1469267) | about a year ago | (#45783685)

MORE secure, not just secure. Thieves won't commit suicide in frustration: there will still be thefts. They'll evolve. It's pedantic, but I think we all know the dangers of giving a false sense of security, even accidentally through word choices.

Re:Purview of NSA? (1)

TechyImmigrant (175943) | about a year ago | (#45783991)

The whole process will never be secure, since humans are involved and implementations will always have holes, but we do have the mathematics to define algorithms that are known secure in very specific ways and we know how to turn that math into algorithms that we can implement. The least we could do is the crypto bit, since it's not that hard to get right just once for the security of everyone using payment cards. Instead we get a whole bunch of stupid PCI-DSS rules that do nothing to enhance the security of payment card transactions.

 

Re:Purview of NSA? (2)

swb (14022) | about a year ago | (#45781361)

There's about a half-dozen ways to define this kind of crime as a legitimate national security concern, especially given the long history of criminal activity being used to finance insurgency (eg, drugs) or using economic means, such as counterfeiting, to disrupt economies.

It's not hard to make an argument that widespread credit fraud is more costly and economically damaging than counterfeiting in a modern economy even if the proceeds are only used by criminals for cocaine and hookers instead of funding armed insurgency. And that's not counting the collateral damage from other forms of cyber crime used to enable credit fraud activity.

It's really surprising there isn't more NSA focus on this stuff. If there was I think a lot of people who give the NSA a pass on some of their more intrusive surveillance (even though it's not warranted) -- it's kind of the same thing that happens when the local police beat the shit out of someone with a history of violent criminal activity; they might otherwise dislike heavy handed policing themselves, but so long as it's used on the bad guy they're willing to overlook their own injustice.

Re: Purview of NSA? (2)

JWW (79176) | about a year ago | (#45781557)

This case could be a huge PR win for the NSA. If they could arrest 10-20 people involved in this using all their data, I think the country would be appreciative. At least they could make their case that their data collection is worth something.

Of course the NSA has done nothing about this because helping protect the citizens isn't really their job, it's just their bogus excuse for their actions.

Re: Purview of NSA? (2)

Anonymous Coward | about a year ago | (#45782027)

I'm pretty sure you aren't being sarcastic, but it's hard to believe you are being serious. People shouldn't appreciate spy agencies arresting people. Why not arrest 10-20 thousand people like the KGB used to for 1000X the appreciation? The NSA is part of the military. It has no business participating in law enforcement unless martial law has been declared. The "unless there is evidence of law being broken" exemption for whether spying on someone who is otherwise 51% likely to be a US person should be scrapped. Given the history of CIA involvement in narco-trafficking I'd like to keep our spy agencies as far away from crime as possible. Just think how much easier it would be for people in the NSA to pull this kind of heist than for some "elite hacker" from the Ukraine.

Re: Purview of NSA? (1)

Anonymous Coward | about a year ago | (#45782607)

It is against the law to use military forces for law enforcement purposes domestically.

It's called the Posse Comitatus Act:

http://en.wikipedia.org/wiki/Posse_Comitatus_Act

The NSA is a military organization ... therefore it is against the rules.

ADDITIONALLY because of this, none of the information that they collect can be used as evidence in any trial in the US.

NSA = Tempest in a teapot.

Re: Purview of NSA? (1)

colinnwn (677715) | about a year ago | (#45790011)

And it is against the law for them to spy on Americans on US soil. Didn't slow them down.

Re: Purview of NSA? (1)

Mabhatter (126906) | about a year ago | (#45783635)

The problem is that "terrorism" is more flashy for them. Data breaches of millions of people are just bait for their tracking units. I suppose that means "good for us" that they are spending more effort on "national security" and not misuse of credit cards.

Re:Purview of NSA? (1)

tomhath (637240) | about a year ago | (#45784311)

There's a good chance NSA does share some of what they find with the FBI and Interpol. They would never admit it though.

YuO fail it (-1)

Anonymous Coward | about a year ago | (#45781263)

to suvrvive 4t all

Accepting money from a criminal (2)

hey! (33014) | about a year ago | (#45781343)

to do something that furthers his criminal enterprises has a name. It's called "conspiracy".

So if you ever try your hand at hunting down criminals like this, be aware of the potential danger of tying yourself to the criminal's legal fate. If you've done business with him that's the least bit shady, and he's overseas beyond the reach of local authorities, things could get quite ugly for you.

That's an insult (2)

jbmartin6 (1232050) | about a year ago | (#45781561)

$10,000 to risk his career, professional reputation, etc.? Shows the inexperience of the would-be briber that the sum was so small. 10k doesn't go that far these days...

Re:That's an insult (1)

mysidia (191772) | about a year ago | (#45781639)

$10k. is still a pretty sum.... after income taxes, you can almost afford a trip to disneyworld with it.

Re:That's an insult (0)

Anonymous Coward | about a year ago | (#45784141)

$10k. is still a pretty sum.... after income taxes, you can almost afford a trip to disneyworld with it.

I think about this every time I see one of those Disney "resort" commercials.

Only 1%'ers can afford it.

Re:That's an insult (1)

interkin3tic (1469267) | about a year ago | (#45783707)

I read it as desperation, or possibly being used to giving people bribes to make problems go away, not an insult. And perhaps $10K goes a lot further wherever the person offering the bribe is from than wherever Krebs is from.

Re:That's an insult (0)

Anonymous Coward | about a year ago | (#45785605)

Considering that the goal in life of the bribing criminal is to buy a $30K celica, I would say that $10K is very generous from him.

even turns down (0)

Anonymous Coward | about a year ago | (#45781659)

Hehe. What do you mean 'even' turns down. Is that supposed to be above the standard? Probably not entirely thought out as it would be 'of course'. If you have any integrity you would never let some crim buy you off.

Interesting, but I heard another tale (2, Interesting)

Nyder (754090) | about a year ago | (#45781827)

I game with someone who works in a high position at one of the top financial firms. And when stuff like this happens, they hear about it and discuss it, since it affects them.

I can not back this up, this is what I was told:

The credit card fraud was because some of the CC scanners have an extra chip in them, put in at a factory, that allows backdoor access to those machines. Not all the CC scanners have this, only some.

And of course, the extra chip isn't spec.

The person who told me is out of town till the end of week, so I can't hear any more updates till probably next week on it.

 

Re:Interesting, but I heard another tale (1)

wytcld (179112) | about a year ago | (#45781911)

If that's the case, that it's an extra chip in some of the scanners, how many other retailers use scanners from the same factory? Will it be Walmart's CC scans that get dumped on the market next time around?

Re:Interesting, but I heard another tale (0)

Anonymous Coward | about a year ago | (#45782637)

I heard a story from my sister's husband's uncle's cousin that was very similar. I confirm this as true!

Simple solution (0)

Anonymous Coward | about a year ago | (#45781985)

Every time something like this happens there's all this rending of clothes and wailing about it, but almost no one offers the simplest, most direct way to fix it: Impose high financial penalties on the companies who lose customer or patient data. Something like: If you, as a customer/patient incur any expense because of a breach you're entitled to reimbursement of 5 to 10 times the actual out of pocket cost.

Put a law like that on the books, and I guarantee that retailers, hospitals, insurance companies, etc. will lock down their systems and these stories will all but disappear.

Re:Simple solution (2)

NF6X (725054) | about a year ago | (#45782627)

Put a law like that on the books, and I guarantee that retailers, hospitals, insurance companies, etc. will do everything they can to cover up breaches of their systems and these stories will all but disappear.

Caveat Emptor! (1)

Anonymous Coward | about a year ago | (#45784093)

I pity the sucker who buys my credit card number.

How I counter these assholes... (0)

Anonymous Coward | about a year ago | (#45784655)

Simple. Pay with cash.

Quite frankly, I'd love to see all parties involved in this theft caught and executed live on f*cking PPV television.

but who actually cracked the Target network? (1)

WindBourne (631190) | about a year ago | (#45793165)

Just because this guy and others are selling them, does not mean that they did the work.