Credit Cave

Every day hundreds of thousands of people have their identity stolen by criminals who then go on to use it to purchase goods and services fraudulently. In some cases the first time you learn about it is when your credit card company calls to ask why you just purchased a new computer in Jakarta.

What types of identity theft are there?
We will be mostly focusing on financial identity theft in this piece; however, it is widely accepted that there are 4 main and distinct types of identity theft:

1. Financial Identity Theft - thief steals and uses another person’s SSN, credit card.
2. Criminal Identity Theft - criminal identifies himself as another when arrested for crime.
3. Identity Cloning - a criminal assumes another person’s identity.
4. Commercial Identity Theft - a new business could use the trading name of another business to get credit.

What qualifies as a security breach?
In the broadest sense a security breach can be defined as an instance when a secure server or computer is compromised by illegally surmounting or bypassing existing security measures, exposing the data stored on the computer to those without permission to access it.

When are you told about a breach of security?
Many security breaches are made public long after they occur simply because the perpetrator has been capable of gaining access to a system without detection. Therefore, it is imperative that you keep a close eye on your accounts and credit cards and be ever vigilant for fraudulent activity.

Sadly this list is only scratching the tip of the financial identity theft iceberg; nearly every day there are more cases of large scale financial security theft made public. Those cases listed below are just a few of many.

1. CardSystems Solutions Inc. Hacked, 40 Million Credit Card Numbers Accessed
In one of the biggest security breach of it’s kind ever, 40 million credit card numbers were accessed when a hacker gained access to a facility owned by CardSystems Solutions Inc. in Tucson. Of the 40 million credit cards affected by the security breach, 13.9 million bore the MasterCard logo with a further 22 million bearing the Visa emblem. Visa and MasterCard blamed inadequacies in security at CardSystems Solutions for the breach.

The breach led to millions of pounds of fraudulent purchases and caused many consumers and businesses serious problems. CardSystems, now owned by Pay By Touch, settled charges with the FTC and was required to “implement a comprehensive information security program and obtain audits by an independent third-party security professional every other year for 20 years.”

2. TJX Security Breach, 40 Million Credit Cards Potentially Compromised
In late January 2007, retail giant TJX revealed that 40 million credit cards used to make purchases at one of it’s stores are at risk from fraudulent activity as a result of a security breach at a payment processing system. TJX have stated that the breach dates back to July 2005.

The implications of this massive and far-reaching security breach are still uncertain, but it has had credit card issuers rushing to inform their customers as far afield as the UK and Ireland where TJX operate several discount stores. The scope of the investigation into how their credit / debit card and check payment system was compromised is ongoing, with 50 independent investigators working on the case.

3. Bank of America Loses 1.2 Million SmartPay Records
A small number of backup tapes containing the financial information of approximately 1 million government employees were lost during shipment to a data backup center in 2005. The data on the backup tapes was pertaining to those enrolled in the US government’s SmartPay System, a way of charging for travel and purchases on behalf of the federal government.

It is thought that no criminal elements were involved in the loss of the account details. Since the loss was announced no misuse or fraudulent activity has been reported to officials. However, misplacing such valuable sets of data has seriously damaged the reputation of the Bank of America.

4. 180,000 Card Holders Affected By Ralph Lauren / HSBC Breach
In the fall of 2004 Ralph Lauren was the target of a data breach that exploited a faulty POS system used in their national chain of stores; however, details were not posted about it until April 2005. The security breach resulted in HSBC North America issuing a warning to 180,000 customers who owned a General Motors branded MasterCard urging them to cancel their card and organize a replacement.

It is not currently known just how much, if any fraudulent financial activity came about due to the security breach. Ralph Lauren clarified its position in a statement given to Computer World:

“The company did learn that certain credit card information may have been retained and stored in its point of sale software. The company took immediate steps to purge this data and cure the problem.”

5. MoneyGram International Server Hacked, 80,000 Customers Affected
In January 2007, MoneyGram International went public with details on an “isolated server security incident” where hackers managed to breach security protecting a server used to store customer details.

Approximately 80,000 customers who had used MoneyGram were affected by the breach with the hackers potentially making off with their names, addresses, phone numbers, biller account numbers and bank account numbers. According to MoneyGram, the hackers did not gain access to any customer Social Security, driver’s license and state identification numbers.

6. Intuit Computers Stolen, 47,000 Customer Credit Cards At Risk
One of the true big players in the financial services sector announced that several computers were stolen after it’s Omaha premises were broken into during 2004. Some 47,000 customers who had purchased Intuit’s ItsDeductible software between December 2002 and November 2003 were at risk from fraudulent activity on their credit cards as a result of the breach in security.

Fortunately for the 47,000 customers affected, the thieves seemed fairly low tech and were only interested in the value of the hardware they had stolen. It seems that no fraudulent purchases were made using any of the stolen credit card details contained on the stolen computers.

7. Joliet Criminal Ring Smashed, 10,000 Credit Cards Involved
Detectives found more than 150 stolen credit cards when they smashed a criminal ring based in Joliet and Romeoville, IL. Owners and staff at 2 Holiday Inn Express franchises, 3 Super 8s, 1 Ramada and 1 Budget Inn were involved in the scam that involved up to 10,000 credit cards over a 6 year period.

The arrested were charged with a range of offenses including ID theft, computer fraud and unlawful use of account numbers not belonging to themselves. Prosecutors in the case maintain that the hotel chains were not involved in the theft of the credit cards and customer identities. So far detectives have not established just how much was fraudulently charged to the stolen credit cards.

8. 2,000 MasterCard Credit Cards Compromised in UK
Approximately 4,000 UK consumers were affected in 2006 when their bank-issued MasterCards became embroiled in a security lapse that occurred after an as yet unnamed online retailer’s database was compromised. Banks affected by the security lapse included the Clydesdale Bank and Morgan Stanley, but other credit card issuers were thought to have been involved also.

MasterCard were not responsible for the security breach; however, card holders affected were advised to close their account and open a new card.

9. Thieves Hack ATMs, Steal $700,000 From 800 Retail Customers
In mid 2006 a group of cyber criminals hacked into the Dollar Tree payment system and made off with $700,000 from personal banking accounts. Approximately 800 customers who had used their personal banking card to make a purchase at Dollar Tree stores in Modesto and Carmichael, CA, and Ashland, OR were affected by the breach in security. Officials investigating the case believe that it was an inside job where an employee aided the criminals in hacking into the payment system.

10. 100s of Citibank Customers Caught In ATM Network Hack
In March 2006 fraudsters gained access to the ATM network after hacking into a retail store server, which allowed them to steal a block of PIN numbers and their encryption keys. The criminals were then able to clone a credit card and fraudulently withdraw cash from an ATM.

Analysts believe that this breach in security could have been avoided had the cards been using the Chip and PIN system, which is “hard to duplicate.”

The investigation is still ongoing and due to the complexity of the crime there has been very little progress made on how the hackers actually managed to compromise the network and make off with so much money.

This entry was posted on Thursday, February 22nd, 2007 at 6:05 pm and is filed under General. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.