Three International Hackers Indicted for "Sniffing" Payment Card Numbers

By Matthew Harwood

Three men were federally indicted on Monday for hacking into the electronic cash registers of a U.S. restaurant chain and stealing the credit and debit card numbers of customers.

The hack attacks occurred at 11 Dave and Buster's restaurants between May and August 2007. The cost of the breach is known only for the chain's Islandia, New York, restaurant. There, the hackers stole 5,000 credit and debit card numbers, which resulted in at least $600,000 in losses to the financial institutions that issued the cards, according to Business First of Columbus.

Wired's ThreatLevel blog explained how the hack worked:

The government said the Dave & Buster's hackers illegally accessed 11 of the national chain's servers and installed packet sniffers at each location. The sniffers vacuumed up "Track 2" data from the credit card magstripes as it traveled from the restaurant's servers to Dave & Buster's headquarters in Dallas, according to the indictment.

Track 2 data comprises only the credit or debit card's number, expiration date, and security code. Neither the cardholder's name nor any other personally identifiable information such as Social Security numbers or bank account numbers were revealed.

Ken Pappas, a security strategist at Top Layer Networks, says these breaches typically occur because retailers fail to encrypt the card data at the point-of-swipe.

He said many companies don't encrypt card numbers sent from cash registers until they reach a centralized location, generally corporate headquarters, which then encrypts the numbers and sends them to a third-party vendor for verification. Until those numbers reach the centralized location, they "flow freely" and can be intercepted by hackers using packet sniffers and other freeware tools.

Pappas recommends companies invest in point-of-swipe encryption, as Hannaford Supermarkets did recently after hackers stole 4.2 million credit and debit card numbers from customers between December 2007 and March 2008 using packet sniffers.
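As an added illustration (not from the article or from any party named in it), this is the kind of check a defender can run over a traffic capture or log taken between the registers and headquarters to confirm that no cleartext Track 2 data is in transit, the condition Pappas describes. The field layout follows ISO/IEC 7813; the function names and the sample buffer are constructed for this example.

```python
import re
from typing import List, NamedTuple

# Track 2 layout per ISO/IEC 7813:
#   ;PAN=YYMM<service code><discretionary data>?
TRACK2 = re.compile(rb";(\d{12,19})=(\d{4})(\d{3})(\d*)\?")

class Finding(NamedTuple):
    offset: int      # byte offset of the start sentinel in the payload
    masked_pan: str  # first six / last four digits only, never the full number

def luhn_ok(pan: str) -> bool:
    """Luhn checksum; filters out digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Keep only the first six and last four digits for reporting."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_cleartext_track2(payload: bytes) -> List[Finding]:
    """Report every Luhn-valid cleartext Track 2 record in a captured payload."""
    findings = []
    for m in TRACK2.finditer(payload):
        pan = m.group(1).decode("ascii")
        if luhn_ok(pan):
            findings.append(Finding(m.start(), mask(pan)))
    return findings

# Constructed sample: one cleartext record using the public test number
# 4111111111111111, one with a bad check digit, one opaque (encrypted) field.
SAMPLE = (
    b"POS01|auth|;4111111111111111=30121010000000000000?|amt=42.10\n"
    b"POS02|auth|;4111111111111112=30121010000000000000?|amt=9.99\n"
    b"POS03|auth|enc=9f3c1a77e0b2d4568812aa90|amt=17.00\n"
)

if __name__ == "__main__":
    for f in find_cleartext_track2(SAMPLE):
        print(f"cleartext Track 2 at offset {f.offset}: {f.masked_pan}")
```

With point-of-swipe encryption in place, a scan of this kind over register-to-headquarters traffic should return no findings.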

Another interesting detail of this hacking ring was its internationalist bent. The Associated Press reports:

Maksym Yastremskiy, of Kharkov, Ukraine, and Aleksandr Suvorov, of Sillamae, Estonia, were charged in a 27-count indictment with wire fraud conspiracy, wire fraud, conspiracy to possess unauthorized access devices, access device fraud, aggravated identity theft, conspiracy to commit computer fraud, computer fraud and interception of electronic communications .... Separately, a one-count complaint unsealed in Central Islip on Monday charged Albert Gonzalez of Miami with wire fraud conspiracy.

The hackers' division of labor broke down like this, prosecutors allege: Yastremskiy and Suvorov illegally breached the restaurant chain's computer system and installed a sniffing program, designed by Gonzalez, that lifted the credit and debit card numbers. The numbers were then sold to third parties who made fraudulent purchases.

"This was not a sophisticated attack," Pappas said, adding that anyone with good computer skills and some time can find the tools online to carry out the hack attack the trio performed.

Two of the accused are already in foreign jails: Yastremskiy in Turkey and Suvorov in Germany. The United States has extradition proceedings pending.






