TJX Thieves Deployed Their Own Security Measures

Written by Eric Athas
August 8th, 2008

Before federal authorities cracked down on a multi-national 11-person cyber-crime ring, the group set up its own VPN to, ironically, protect its stolen data as it was transmitted from Florida to Latvia.

But now, the security of their stolen data is the least of the accused thieves' problems. Indictments and informations released Tuesday (Aug. 5) charge the 11 conspirators with stealing 41 million credit and debit card numbers from major retailers including TJX.

The government called this the largest hacking and identity theft case ever prosecuted by the Department of Justice. The data thieves were able to grab credit and debit card information from TJX, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW, according to the Justice Department's announcement.

Of the 11 who were charged, only three—Maksym "Maksik" Yastremskiy, of Kharkov, Ukraine; Aleksandr "Jonny Hell" Suvorov, of Sillamae, Estonia; and Albert Gonzalez, of the United States—are in custody.

Gonzalez was charged with computer fraud, wire fraud, access device fraud, aggravated identity theft and conspiracy for his role in the scheme.

He had been arrested by the Secret Service in 2003 for access device fraud. While he was working as a Secret Service confidential informant on this case, officials said, he started illegally leaking information to other suspects involved. Gonzalez faces a maximum penalty of life in prison if he is convicted of all the charges.

Gonzalez "used sensitive law enforcement information, obtained by Gonzalez during the course of his ‘cooperation’ in a U.S. Secret Service undercover investigation, to warn off conspirators and ensure that they would not be identified and arrested in the course of that investigation," the indictment said.

Two other men, Christopher Scott and Damon Toey, also of the United States, were charged by informations, not indictments. An information is a federal charging mechanism that is similar to an indictment but does not require a grand jury. Typically, it is used either for federal misdemeanors or for federal felony cases in which a guilty plea is expected imminently.

In this case, both Scott and Toey are cooperating with the investigation, said Michael Sullivan, the U.S. Attorney for Massachusetts.

"We’re absolutely confident that we know precisely where those two defendants are," Sullivan said. "And we’re absolutely confident that those two defendants, when they’re required to appear before the court, will appear before the court to be arraigned."

The other five conspirators—Hung-Ming Chiu and Zhi Zhi Wang, both of the People's Republic of China; Sergey Pavlovich, of Belarus; and Dzmitry Burak and Sergey Storchak, both of Ukraine—are at large.

There is also an indictment against a person known only by the online nickname "Delpiero," charged under the placeholder name "Fnu Lnu" (the standard federal abbreviation for "first name unknown, last name unknown").

For at least five years, the 11 conspirators used several tactics to get into retailers' networks. According to the Gonzalez indictment, they breached networks through wireless access points, planted sniffers to capture passwords and account data as they crossed the network, and cashed out stolen track 2 data by encoding it onto the magnetic stripes of blank credit/debit cards and using those cards at ATMs. (Track 2 is the magnetic-stripe track that carries the card number, expiration date and service code; a copy of it is all that is needed to write a working clone of the stripe.)
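To make concrete what "track 2 data" is and why a copy of it is enough to clone a stripe, here is a small parser for the ISO/IEC 7813 track 2 layout. This is an added example, not code from the article or from the indictment; the two sample records are constructed (4111111111111111 is the well-known Visa test number and passes the Luhn check; the expiry, service code and discretionary data are made up). The service-code meanings follow the published ISO 7813 assignments.

```python
import re

# Constructed sample track 2 records for this example (not real card data).
# Layout: ';' PAN '=' YYMM service-code discretionary-data '?'
SAMPLE_TRACK2 = ";4111111111111111=25121015432112345678?"
SAMPLE_TRACK2_BAD_LUHN = ";4111111111111112=2512101?"

TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$"
)

# ISO 7813 service code: digit 1 = interchange/technology,
# digit 2 = authorization processing, digit 3 = allowed services / PIN rules.
SERVICE_CODE_DIGIT1 = {
    "1": "international interchange OK, magnetic stripe",
    "2": "international interchange OK, chip preferred where available",
    "5": "national interchange only, magnetic stripe",
    "6": "national interchange only, chip preferred where available",
    "7": "private use",
    "9": "test card",
}
SERVICE_CODE_DIGIT2 = {
    "0": "normal authorization",
    "2": "online authorization required",
    "4": "online authorization required (except under bilateral agreement)",
}
SERVICE_CODE_DIGIT3 = {
    "0": "no restrictions, PIN required",
    "1": "no restrictions",
    "2": "goods and services only",
    "3": "ATM only, PIN required",
    "4": "cash only",
    "5": "goods and services only, PIN required",
    "6": "no restrictions, prompt for PIN if PIN pad present",
    "7": "goods and services only, prompt for PIN if PIN pad present",
}


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check digit validation for a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(track: str) -> dict:
    """Split a track 2 record into its fields and decode the service code.

    Raises ValueError on a malformed record or a PAN that fails Luhn.
    """
    m = TRACK2_RE.match(track)
    if not m:
        raise ValueError("not a well-formed track 2 record")
    pan, exp, svc, disc = m.group("pan", "exp", "svc", "disc")
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    return {
        "pan": pan,
        # First six and last four are the most a PCI DSS-compliant
        # display is allowed to show; everything else is masked.
        "masked_pan": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
        "expiry": f"20{exp[:2]}-{exp[2:]}",
        "service_code": svc,
        "chip_preferred": svc[0] in ("2", "6"),
        "online_auth_required": svc[1] in ("2", "4"),
        "interchange": SERVICE_CODE_DIGIT1.get(svc[0], "unknown"),
        "authorization": SERVICE_CODE_DIGIT2.get(svc[1], "unknown"),
        "usage": SERVICE_CODE_DIGIT3.get(svc[2], "unknown"),
        "discretionary": disc,
    }


if __name__ == "__main__":
    for k, v in parse_track2(SAMPLE_TRACK2).items():
        print(f"{k:22} {v}")
```

Two things the output makes obvious. First, the record holds everything a clone needs: the PAN, the expiry and the service code are the fields a stripe writer copies onto a blank card, which is exactly the cash-out the indictment describes. Second, this is why PCI DSS forbids storing the full track after authorization: once it sits on a transaction-processing server, as it did at the retailers named here, there is nothing left for an attacker to work out.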

Federal authorities acknowledged the sophistication of the group's operational structure, but said the techniques themselves were not sophisticated at all. It was less a matter of the defendants' technology being especially strong than of the retailers' security being especially weak.

At some point in 2003, Gonzalez found that payment card data was reachable through an unencrypted wireless access point used by a BJ's store. Gonzalez and Scott then used that access point to obtain track 2 data of BJ's customers, according to the indictment.

The next year Scott used the same tactic to breach a Miami OfficeMax. "The pair were able to locate and download customers' track 2 debit card data, including encrypted PINs, on OfficeMax's payment card transaction processing network."

The breach of TJX began on July 12 and July 18, 2005, when Scott compromised two wireless access points operated by TJX at Marshalls department stores in Miami, Fla., and then sent computer commands from there to the company's servers in Framingham, Mass., which process and store payment card transaction data.

They later downloaded payment card information that was stored on TJX's systems. In mid-2006, Scott "installed and configured a VPN connection from a TJX payment card transaction processing server to a server obtained by Gonzalez."
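A transaction-processing server that can open a tunnel to an arbitrary outside host is the control that failed here, and it is one that is cheap to check for. The following is an added example, not anything from the article or the indictment: an egress check run over a handful of constructed flow records. The cardholder-data subnet, the allow-listed processor endpoint and the tunnel ports are all assumptions chosen for the example; the indictment does not say which VPN technology was used, so the tunnel indicators here are just the common ones (PPTP on 1723 with GRE, IKE/NAT-T on 500/4500, OpenVPN on 1194, ESP).

```python
import ipaddress
from dataclasses import dataclass

# Assumed network layout for the example (not from the article).
CDE_NET = ipaddress.ip_network("10.20.0.0/24")   # card-processing segment
INTERNAL_NETS = [                                 # what counts as "inside"
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# The only outside destination the CDE is permitted to talk to:
# the acquirer/processor endpoint, over TLS. Assumed for the example.
EGRESS_ALLOW = {("203.0.113.10", 443, "tcp")}

TUNNEL_PROTOS = {"gre", "esp"}
TUNNEL_PORTS = {1723, 500, 4500, 1194}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    bytes_out: int
    duration_s: int


# Constructed flow records for the example; these are not real logs.
SAMPLE_FLOWS = [
    Flow("10.20.0.15", "203.0.113.10", 443, "tcp", 48_000, 12),         # authorizations
    Flow("10.20.0.15", "198.51.100.77", 1723, "tcp", 2_100, 5),          # PPTP control channel
    Flow("10.20.0.15", "198.51.100.77", 0, "gre", 812_000_000, 86_400),  # tunnel moving ~800 MB
    Flow("10.20.0.21", "10.20.0.1", 53, "udp", 900, 1),                  # internal DNS
]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flag_egress(flows: list) -> list:
    """Return (src, dst, dport, proto, reason) for every flow that leaves the
    card-processing segment for a destination not on the allow-list."""
    alerts = []
    for f in flows:
        if ipaddress.ip_address(f.src) not in CDE_NET:
            continue                      # not from the CDE; out of scope here
        if is_internal(f.dst):
            continue                      # east-west traffic, handled elsewhere
        if (f.dst, f.dport, f.proto) in EGRESS_ALLOW:
            continue                      # the one sanctioned path out
        if f.proto in TUNNEL_PROTOS or f.dport in TUNNEL_PORTS:
            reason = "tunnel protocol/port to unapproved destination"
        else:
            reason = "unapproved external destination"
        alerts.append((f.src, f.dst, f.dport, f.proto, reason))
    return alerts


if __name__ == "__main__":
    for a in flag_egress(SAMPLE_FLOWS):
        print(a)
```

The point of the allow-list being a set of (destination, port, protocol) tuples rather than just addresses is that a tunnel to an approved host on an unexpected port still trips. In practice the same logic belongs in the firewall policy first (default-deny outbound from the cardholder environment), with this kind of flow review as the detective control behind it.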

By August 2007, Toey and Gonzalez had begun focusing on Internet-based attacks, with Forever 21 among their targets, while continuing to use wireless access points. They were so good that they almost got in and out without any of the retailers ever discovering them.

When the thieves attacked one retailer, not coincidentally the final one, they did trip an alarm. That retailer is the only one not named in the indictment.
