Threat Research

130 Million Credit/Debit Cards Stolen

Vince Steckler, 18 August 2009

130 Million Credit/Debit Cards Stolen

I read an interesting article today:

It is about the leader of a hacking ring being indicted for stealing the details of 130 million credit and debit cards in the US. This is not necessarily a new development as he was actually already in jail on similar previous charges dating back to 2006. But the sheer size is astounding. Some of the highlights and lessons for us:

  • He and his "gang" were not necessarily sophisticated. They were not the "expert hackers" that could remotely break into credit card networks and sniff for credit cards. Instead they took the simpler approach. They drove around with a laptop looking for unprotected networks.
  • Once they were into the local office/network they would then attempt to hack into the corporate systems to get the data. There is a big black market of course for stolen credit card numbers.
  • Restaurants were apparently prime targets as they "fail to update their antivirus and other computer systems."
  • At the same time he was stealing, he was also working for the US Secret Service as an informant. This is a prime reason why avast! and all security companies I know refuse to hire "reformed" blackhats or hackers.

So even though none of us have millions of credit cards on our home computers, we do have our own personal information. Just as these restaurants, retail stores, etc., were vulnerable to such attacks, we are also if we don't take the right precautions:

  • Keep your antivirus/security up to date. With avast! this is easy to check: make sure the little blue globe with the "a" inside (it is in your system tray in the lower right of your display) is spinning when you open files or web pages.
  • Make sure your firewall is turned on. For avast! users, make sure your Windows (or 3rd party) firewall is turned on. The upcoming Version 5 suite will include a firewall to make this easier for you.
  • Make sure your wireless network is protected—use the encryption and as an added deterrent, do not broadcast the SSID. Wireless networks broadcast further than we may think. I am actually writing this entry, doing email, and web browsing from a courtyard café in Prague not too far from my apartment—and I am accessing the internet through the wireless in my apartment.
  • Don't share your files. You may have information in your personal files that you don't even want other legitimate users of your home network to see. And there is no sense in allowing any illegitimate of your network to see them.
  • Believe avast!'s security alerts—especially ones about websites. Just because the website is real—a restaurant, florist, newspaper, etc.—do not assume it is good. If avast! alerts on the website, it most likely has been hijacked. This is now the most common threat we see. As the article points out or alludes to, smaller sites tend to have less protection and are more easily hijacked. You may not think they are as tempting a target as a bank, but they can be great portals through which thieves steal information.

Now those in the US may be a little "spoiled" in regards to credit card theft and loss. We generally are only responsible for $50 of loss—and usually it seems the banks waive even that. But it is not like that in other parts of the world. For example here is an article from Singapore ( where a woman's credit card was stolen and she was held responsible for about $12,000 in charges because she failed to lock her car doors or notice her card had been stolen. Failing to have security on your home computer is probably similar to failing to lock your car doors.

So, lock your car doors…..and lock your computer.