The IT Certification Resource Center

Featured Deal

Get CompTIA, Cisco, or Microsoft training courses free for a week.
Learn More ❯

Historic Hacks of the 2000s, Part 2

Heartland Payment Systems (2007)

 

Sometimes hackers hide in plain sight.Criminal masterminds don’t always operate in the shadows. Some, like Albert Gonzalez, pretend to don a white hat and work with authorities — all while practicing their nefarious craft.

 

Gonzalez was another highly intelligent child in need of supervision. He got his first computer at age 12 and soon showed off his talents by hacking NASA. He also had some serious organizational skills. At age 24, he masterminded the largest ever criminal breach of payment card data.

 

Amazingly, Gonzalez did his crime while hiding in plain sight. Arrested in 2003 on charges of ATM and debit card fraud and accused of being the kingpin of the underground marketplace, ShadowCrew, Gonzalez avoided prosecution by turning on his accomplices, helping to send 30 of them to jail.

 

Between 2005 and 2007, while assisting the U.S. Secret Service in their investigation, Gonzalez cobbled together a new team who wardrove the Miami area identifying unsecured Wi-Fi wireless networks of large retailers including the giant payment processing and technology provider Heartland Payment Systems.

 

Once an unsecured Wi-Fi network was identified, Gonzalez’s team would launch SQL injection attacks to create backdoors and plant packet sniffers in the systems. Over 18 months, they stole the digital information encoded onto the magnetic stripes from more the 170 million credit and debit cards. They would then create counterfeit cards and sell the data to other hackers.

 

Gonzalez made so much money that he buried more than $1 million in his parents’ backyard and once complained of having to count $340,000 by hand because his currency-counting machine broke.

 

The authorities eventually realized they were being played for suckers and arrested him in 2008. There was no turning informant this time and Gonzalez was eventually convicted and is presently serving concurrent 20-year sentences for his crimes. Twenty years may seem like a long time but compared to one of his confederates in crime, who received 30 years in a Turkish prison, Gonzalez got off easy.

 

Aftermath

 

Heartland took a serious hit, having to pay $145 million in compensation for fraudulent payments. They were also deemed “out of compliance” with the Payment Card Industry Data Security Standard (PCI DSS) and as a result not allowed to process payments from major credit card issuers for one year.

 

The Financial Services industry got real serious real fast about safeguarding customer account data. Security expertise and planning was emphasized for C-level executives and industry executives created the Processing Information Sharing Council (PPISC) to facilitate sharing of information about security threats.

 

Ongoing efforts to secure data in transit led to the development and eventual widespread implementation of end-to-end encryption, tokenization for card transactions and embedded chip technology.

 

 

Calvin Harper ABOUT THE AUTHOR

Calvin Harper is a writer, editor, and publisher who has covered a variety of topics across more than two decades in media. Calvin is a former GoCertify associate editor.