Three international hackers have been indicted for allegedly using "college-level knowledge of computer programming skills" to steal and sell credit card numbers from customers of Dave & Buster's restaurant chain, the Justice Department said Monday.
One of the men arrested, Maksym Yastremskiy, of Ukraine, was found in possession of millions of stolen credit card numbers, unrelated to the restaurant, on his laptop when the Turkish National Police arrested him in July. The indictments were unsealed Monday in the Eastern District of New York, and cover a 5-month-long intrusion last year into the Dallas-based eatery.
The case is the latest in a string of retail capers in which hackers burrowed into a company's network to intercept credit card transactions in real time. A similar attack, on a larger scale, played out at shoe retailer DSW in 2005, compromising 1.4 million customer records. And a prolonged infiltration of retail giant T.J. Maxx revealed last year exposed at least 45 million customers.
The government said the Dave & Buster's hackers illegally accessed 11 of the national chain's servers and installed packet sniffers at each location. The sniffers vacuumed up "Track 2" data from the credit card magstripes as it traveled from the restaurant's servers to Dave & Buster's headquarters in Dallas, according to the indictment.
At some point, the restaurant detected the intrusions and alerted authorities.
The authorities said a defect in the hackers' software program required them to regularly reactivate the packet sniffers when the restaurant's computers rebooted.
Track 2 data does not include an account holder's name but contains an account number, expiration date and security code contained in the second of two "tracks" inside a magnetic stripe on the back of a credit or debit card.
At one point, according to the indictment, the hackers scored 5,000 credit and debit card numbers from a Dave & Buster's restaurant in Islandia, NY. That information was allegedly sold to "others who, in turn, used the data to make fraudulent purchases at various retail locations and from various online merchants, causing losses of at least $600,000 to the financial institutions that issued the credit and debit cards."
Albert Gonzalez, whose home country was not immediately available, was accused of "supplying" the custom packet sniffer used in the caper. He was arrested in Miami days ago. An arrest warrant for Gonzalez describes the sniffer program as "efficient, well designed, and uses some algorithms and data structures that reflect college-level knowledge of computer programming skills, whether acquired through self-study ... or formal training."
A third defendant accused of the break-in, Aleksandr Suvorov, of Estonia, was arrested in March when he was in Germany. The United States is seeking his and Yastremskiy's extradition, the Justice Department said.
No comments:
Post a Comment