Federal authorities are calling it the largest hacking and identity theft case yet. But this week's indictments of 11 people who allegedly plundered millions of payment card numbers might not seriously dent the underworld where such crimes occur.
Researchers at a hacking conference here met the news with a bit of a shrug, saying the theft of credit and debit cards still will flourish.
"These guys were just persistent and lucky. And they got caught," said Jim Christy, a longtime cyber crime investigator who now works in computer-security outreach for the Department of Defense. "There's probably a lot more stuff being stolen that's never been reported. A lot of smaller businesses are being raped and pillaged and plundered and they never know."
The scope of the identity theft is breathtaking: more than 41 million debit and credit card numbers were stolen from major retailers, including TJX Cos., BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.
It's also been costly. The hardest-hit retailer, TJX, which operates the T.J. Maxx and Marshalls discount clothing chains, took $197 million in charges to cover losses from its breach, which began in July 2005.
Yet security researchers had a humdrum reaction to Tuesday's indictments partly because identity theft is a booming, multibillion-dollar business. Dismantling a successful operation just means another one will pop up in its place.
Another reason is that the indictment revealed that the hackers' tactics were crude, suggesting they stumbled into a much bigger security hole than they anticipated.
The hackers allegedly found insecure wireless networks using a simple method known as "wardriving," or driving around in a car with laptops or other devices to look for stores' Wi-Fi connections with security holes. Once inside the networks, the hackers allegedly installed programs to capture credit and debit card numbers in transit from the stores to payment processors.
"It's not rocket science," Christy said.
The vastness of the security vulnerability may have actually helped hasten the hackers' demise, since stolen card numbers are typically sold in batches of thousands or in some cases tens of thousands. An attempt to unload millions of card numbers is likely to be spotted.
Even if the cards are broken up into smaller chunks, banks and payment processors are likely to notice a large number of cards getting hit with the same "test" charges at once, typically a nominal amount to determine whether the card still works.
"It's almost an embarrassment of riches — how do you move 41 million credit card numbers?" asked Jeff Moss, founder of the Black Hat and DefCon hacker conferences, which draw thousands of researchers to Las Vegas every year to learn about the latest vulnerabilities. "That's like trying to rob Fort Knox by yourself."
The alleged ringleader — Albert Gonzalez of Miami — is a former U.S. Secret Service informant, previously arrested on fraud charges but later found to have been involved in the data-theft scheme, authorities said. He faces a maximum penalty of life in prison if convicted of all charges.
Of the 11 defendants, three are U.S. citizens. The others are from places such as Estonia, Ukraine, Belarus and China, a hodgepodge that reflects the international nature of organized computer crime. Many stolen card numbers are sold by outfits in Eastern Europe.
Given that huge data breaches have become so commonplace, consumers are advised to be vigilant. One idea is to set up free fraud alerts with the credit reporting agencies, and keep close watch over your credit card bills and bank statements. Another standby: Pay in cash when possible.