Why Did Gonzalez Hackers Like European Cards So Much Better?
Written by Frank Hayes
Last Thursday’s (July 25) indictment of five more Albert Gonzalez gang members by federal prosecutors in New Jersey is a reminder of how big that operation was (and may still be) and how far authorities still have to go before they have it wrapped up—after all, only one of the five is in U.S. custody, with a second one awaiting extradition in the Netherlands. But a sharp-eyed Washington Post reporter noticed an oddity in the indictment that has less to do with cops and robbers than with mag-stripe and chip-and-PIN: Stolen European card numbers were sold for $50 each, while U.S. numbers fetched a mere $10.
Why? In part, it’s supply and demand: Stolen U.S. card numbers are in much more plentiful supply on the black market, so they’re cheaper. But it’s the fact that U.S. banks and merchants overwhelmingly haven’t implemented chip-and-PIN, along with a weekends-off approach to fraud prevention by some European banks, that makes those cards more valuable to thieves.
And in fact the indictment unsealed last week revealed that those indicted specifically targeted some European banks and chains. The four Russian nationals and one Ukrainian indicted included two individuals who were identified in Gonzalez’s own indictment as only “Hacker 1” and “Hacker 2.” Last week they were named: Alexandr Kalinin (Hacker 1) and Vladimir Drinkman (Hacker 2) did the hacking into corporate networks, frequently using SQL injection attacks that never should have worked—basic secure programming should have blocked the buffer overflows that make SQL injection possible.
The other three indicted were Roman Kotov, who mined those breached networks for data; Dmitriy Smilianets, who sold the stolen card information for the gang; and Mikhail Rytikov (the Ukrainian), who provided the gang with anonymous web-hosting to hide their activities.
Only Smilianets is in U.S. custody. He and Drinkman were arrested in the Netherlands last year, and Smilianets was extradited last September. Drinkman is still in Dutch custody awaiting an extradition hearing. The remaining three are still at large.
(Albert Gonzalez himself, who was sentenced in 2010, is officially an unindicted co-conspirator here, but he shows up all through the indictment in transcripts of online conversations. It’s almost like he’s still around.)
The indictment also identifies a more complete list of organizations the gang breached, including the NASDAQ electronic stock exchange, Dow Jones and JetBlue—but also French retail giant Carrefour (2 million card numbers), U.K. payments processor Commidea (30 million cards) and Belgian bank Dexia (number of cards unknown).
Assuming all the European breaches yielded European cards, that means as few as 20 percent of the stolen card numbers were European—but at five times the black-market value, they may have been worth more than the much larger haul of U.S. cards.
That brings us back to that Post reporter and the $50-to-$10 difference.