U.S. District Judge Patti Saris sentenced computer hacker Albert Gonzalez to 20 years in prison for his role in stealing 40 million debit and credit card numbers that resulted in an economic loss of US$200 million, according to the U.S. government’s best estimate. The sentence closes what was the largest credit and debit card theft in U.S. banking history.
Gonzalez could have been sentenced to 35 years for 19 federal counts, filed in two separate courts, to which he pled guilty last August. He accrued these charges over the course of a decade-long crime spree, during which he also served as an informant to the Secret Service.
Gonzalez pled guilty to hacking into the customer accounts of Barnes & Noble, OfficeMax, BJs Wholesale Club, TJ Maxx and other retailers via Heartland Payment, which handled the credit card transactions for these and other retailers.
He also targeted stores by hacking into their systems through their wireless networks, which he infiltrated using a laptop from a nearby location.
The sentence, among the stiffest handed down for a computer hacking crime, has made the credit card and retail industry very happy, said Tom Patterson, chief security officer for Magtek.
“Catching these criminals can be difficult — especially when they are operating overseas — so when the authorities do, it is good to see the justice system pass down an appropriate punishment,” Patterson told the E-Commerce Times.
These are not kids hacking into systems in their parents’ basement, he said. Rather, “this was a sophisticated organized crime that cost the financial service companies and retailers a lot of money.”
Sentences for similar crimes and ID theft are too lenient, with some perpetrators getting out of jail within months or a few years, said Michael Sutton, VP of security research at Zscaler.
Then there is this to consider: “As an attacker the odds are in your favor,” Sutton told the E-Commerce Times. “Even if a stiff jail sentence awaits you, it is unlikely that you’ll ever be caught.”
Security countermeasures have not been able to stem many attacks, noted Sutton — in large part, due to the sheer scale of the onslaught.
“While regulations such as PCI are slowly moving vendors toward more secure systems, the growth in cybercrime is easily outpacing efforts to defend against it,” Sutton said.
Consumers are under attack as well, with thieves doing everything they can to angle for their credit card information, said Roger Thompson, chief research officer at AVG.
“In other words, they might lose their credit cards one at a time, and they might also lose them by the million if a merchant falls,” he told the E-Commerce Times.
The credit and debit card industry has not given up though, Patterson noted. It has put in place a number of deterrents over the years, including raising the print on the cards, employing security codes and, most recently, a magnetic “fingerprint” embedded in the card.
“If the card company records that fingerprint before it is sent to the consumer, they can tell if it or a counterfeit is being used in a transaction,” said Patterson.
The payments industry is working to implement new technologies that remove credit card data from networks and databases, either by encrypting it or by storing proxy “tokens,” said Terence Spies, chief technology officer for Voltage Security.
“These techniques give an attacker that breaks into a merchant or processor environment nothing but useless random numbers,” Spies told the E-Commerce Times.
“Rolling these technologies out will not be trivial by any means,” he acknowledged, “but technology suppliers, merchants, processors and standards groups are all working together to make these systems strong and cost-efficient to implement.”