Saturday, September 13, 2008

Hacker 11 Update...1 Down, 10 to Go

Man accused in TJX data breach pleads guilty
September 12, 2008 (Computerworld) One of the 11 people arrested last month in connection with the massive data theft at TJX Companies Inc., BJ Wholesale Clubs Inc. and several other retailers pleaded guilty yesterday to four felony counts, including wire and credit card fraud and aggravated identity theft.

Damon Patrick Toey is scheduled to be sentenced on Dec. 10 in U.S. District Court in Boston. He faces a maximum prison term of five years and a fine of $250,000 on each of the counts. In addition, under the terms of the plea agreement, Toey has to forfeit all of the money he earned for his role in the data theft. It is not clear how much he may have made from the attacks, although he had about $9,500 in his possession when he was arrested in May.

Toey was one of 11 alleged hackers arrested last month in connection with a series of data thefts and attempted data thefts at TJX and numerous other companies. Besides TJX and BJ's, the list of publicly identified victims of the hackers includes DSW, OfficeMax, Boston Market, Barnes and Noble, Sports Authority and Forever 21.

In a court filing yesterday, Assistant U.S. Attorney Stephen Heymann said that there is "forensic and/or testimonial evidence" that Toey and his co-conspirators broke into "numerous" other businesses that have not been publicly identified. Heymann said he would be willing to submit the full list "in camera" to the court if needed.

The ID theft ring stole data involving more than 45 million payment cards, leaving 100 or so financial institutions vulnerable to losses from fraud, Heymann said.

The breach was made public in January 2007 by Framingham, Mass.-based TJX, which later reported in a filing with the U.S. Securities and Exchange Commission that 45.6 million credit card numbers were affected -- the largest such breach on record, eclipsing the June 2005 CardSystems breach.

(CardSystems was later purchased by Solidus Networks/Pay By Touch)

The alleged thefts by Toey and his companions occurred over a five-year period, from 2003 to 2008, and were largely perpetrated -- at least, initially -- by taking advantage of vulnerabilities in the wireless networks used at retail store locations. Around mid-2007, the group, largely with the help of Toey, started launching online attacks on Web servers and databases handling payment card data. Accused gang leader Albert Gonzalez allegedly invited Toey to move into his condominium in Miami, where he stayed for free and received periodic payments in return for collaborating on the Internet-based attacks.

Many of the Internet attacks that Toey facilitated were SQL injection attacks, according to court documents.

The documents described Gonzalez, Toey and others as going "war-driving" (see War-Driving 101) in commercial areas of Miami looking for vulnerable retail networks they could attack. Once they broke into a network, they would locate and steal "Track 2" data from the magnetic stripe on the back of payment cards as well as PIN-block data associated with debit cards.

The gang allegedly used sophisticated "sniffer" programs to capture password and user account information, which they would then use to break into other corporate servers containing payment card data. The gang also had access to tools that allowed its members to decipher encrypted PINs. The stolen data was then either sold to cybercriminals in Eastern Europe and the U.S. or used to make fraudulent credit and debit cards.

Toey and his gang allegedly maintained servers in the U.S., Latvia and Ukraine that were used to store tens of millions of stolen credit and debit card numbers, according to court documents.

A spokeswoman for the prosecutor's office today said that Gonzalez made his initial court appearance yesterday and pleaded innocent to the charges against him. He remains in custody without bail. His next hearing is scheduled for sometime next month.

The next person scheduled to make a court appearance in connection with the case is Christopher Scott, who appears to have played a major role in the data theft at TJX. Scott faces five felony counts, including unlawful access to computers, wire fraud, aggravated identity theft and money laundering.

On two separate occasions in July 2005, Scott compromised two wireless access points at a TJX-owned Marshall's store in Miami. He used the access to download various commands onto TJX servers containing payment card data. In September 2005, Scott and Gonzalez first started downloading payment card data from TJX servers in Framingham.

About a year after gaining access to the TJX network, Scott established a VPN connection between a TJX payment card transaction processing server and a malicious server owned by Gonzalez. That connection, in turn, was used to upload various sniffer programs to the server to capture transaction data as it was being processed.

Scott collected about $400,000 for his part in the data theft and at the time of his arrest, authorities seized about $6,000 in cash, a Rolex watch and nearly two dozen pieces of electronic equipment -- including several laptop computers, storage devices, PDAs and video recorders.

Newly Formed: International Council of Payment Network Operators

International Council of Payment Network Operators Established to Set Common Standards and Rules for Interoperability

Press Dispensary - Representatives of European and North American payment networks will attend the inaugural meeting of the International Council of Payment Network Operators (ICPNO) in London on September 22, 2008.

The ICPNO brings together payment networks from around the world addressing growing demand for a safer way to transact online. The ICPNO was established in 2008 to set common standards and rules for global interoperability of payment networks.

These payment network operators offer a new form of alternate payment which is rapidly gaining market and consumer acceptance, allowing consumers to make payments to online merchants using their chosen financial institution’s online banking website.

The adoption of alternate payment networks has been driven by consumer demand for easier, private and more secure online payment options. The new payment type sponsored by banks uses the existing banking system, including online consumer authentication, cash management and settlement services.

The council’s mandate is to create a framework that allows global interoperability of national networks, providing access to consumers and merchants on other networks and resulting in greater transactional volume for all participating networks.

Global network interoperability is key to allowing a consumer in one country on one network to purchase goods or services from a merchant in another country on another network. Global network interoperability will be facilitated by agreeing common standards and rules covering critical issues such as legal compliance, security, international settlement, fee structure, exchange rate mechanisms, technology integration and communications.

Council membership is open to representatives from payment network operators around the globe or to organisations looking to establish networks in their country.

Benefits of council membership include access to new merchants and consumers in other countries resulting in increased transaction volume and revenue opportunities. Other advantages include gaining knowledge and experience from international network operators, as well as sharing technology and infrastructure. Membership of the global payment network also creates additional incentives for banks and merchants to join a regional network.

“Members of the International Council of Payment Network Operators are transforming online payments around the world. Their success has been driven by a focus on privacy and security while providing consumers with more payment control and flexibility. The ICPNO benefits everyone by setting common standards and rules for global network interoperability,” says Richard Brierley-Jones of the ICPNO.

The first meeting in September will be sponsored by VocaLink, a leading European payment transaction specialist, and chaired by Alex Grinberg of eWise Systems, NACHA’s partner for the Secure Vault Payments network in the USA. Registrations for September’s meeting will close on September 15th, 2008.

About ICPNO – International Council of Payment Network Operators

The International Council of Payment Network Operators was established in 2008 to set common standards and rules for interoperability. The council’s mandate is to create a framework that allows global interoperability of national networks, providing access to consumers and merchants on other networks and resulting in greater transactional volume for all participating networks. Council membership is open to representatives from payment network operators around the globe or to organisations looking to establish networks in their country. See www.icpno.com

About VocaLink

VocaLink is a specialist provider of transaction services to banks, their corporate customers and government departments. It processes domestic and international automated payments and provides ATM switching services. On a peak day, the VocaLink automated payment system processes over 90 million transactions and over half a billion in a month. Its switching platform connects the world’s busiest ATM network of over 60,000 ATMs. Its Real-Time Payments platform underpins the UK Faster Payments service. VocaLink is working with BGC to provide outsourced processing for the majority of Sweden’s domestic payments.

See www.vocalink.com

For further information, please contact:
Richard Brierley-Jones, ICPNO
Tel: +1 720 224 3501
Email: richard@icpno.com
Site: www.icpno.com


Old Web Idea of Micropayments Finally Finds a Home

Sci-Tech Today – USA By Barbara Ortutay Instead of charging for each virtual item separately, companies sell chunks of credits -- through PayPal, credit card transactions or ...

Fiserv Launches All-in-One Mobile Banking and Payments Solution to ...
MarketWatch – USA a leading provider of information technology services to the financial industry, today launched Fiserv Mobile MoneySM, the industry's most complete mobile

Like It or Not, New Facebook Look Is Here to Stay
Since he started Facebook in college 4 1/2 years ago, Mark Zuckerberg has learned -- sometimes painfully -- that he can't make significant changes to the popular online hangout without triggering an uproar among indignant users who preferred the status quo. But Zuckerberg, still only 24, is hoping he has found a way to ease the journey down a different road so he won't have to issue public apologies. http://www.technewsworld.com/story/64439.html

DoJ Interest in Google-Yahoo Deal Intensifies
Yahoo's plans to boost its profits in an online advertising partnership with rival Google could be moving into the crosshairs of the U.S. Justice Department, which has hired an antitrust litigator to review evidence for a possible legal challenge to the deal. "This is turning into a very serious investigation," said Internet industry consultant Scott Cleland. http://www.technewsworld.com/story/64438.html

Guard ID Systems raises $11M
San Mateo-based Guard ID Systems has secured an $11 million second round of funding for its service that specializes in providing online identity security for consumers. Prism VentureWorks led the round, which also included participation from original investor Trinity Ventures.

American Airlines Offers Special Introductory Fares and AAdvantage ...
MarketWatch – USA A portion of travel booked on American Airlines may be operated by American Eagle or an American Connection airline. American Eagle is operated by American

iPhones, GPS and Paypal give car pooling Web 2.0 makeover
Business Green - London, England, UK ... it enables drivers to accept passengers who then pay for their ride on a per-mile basis, using Paypal, or direct credit card payments.


Juniper Forecasts 700 MM Mobile Phone Users with NFC in 5 Years
A new analysis of the NFC mobile payments opportunity by Juniper Research forecasts that "700m mobile subscribers globally will have phones equipped with NFC contactless technology by 2013. NFC will enable users to make payments with their mobile phones for relatively low value purchases (such as refreshments, tickets and food)."

Alipay, Shenzhen Airlines agree on a payment system
China Knowledge Online – Singapore 11, 2008 (China Knowledge) - Alipay.com, a Chinese online payment service provider under the Alibaba group, announced that it has formally started

Temperatures Rise in Canadian Merchant Protest over Card Fees
Digital Transactions - Hoffman Estates,IL,USA ... costlier for merchants to accept, and also warned of looming changes in Canada’s low-cost Interac PIN-debit network (Digital Transactions News, Sept.

The web once more outpaces store sales at Kohl's
For the second quarter ended Aug. 2, e-commerce revenue for Kohl's (No. 63) increased by 34.1% to $65.6 million. In comparison, total sales rose by 3.6% and comparable store sales dropped 4.6%.

Drugstore.com and Rite Aid write a new e-commerce agreement
Under the deal Rite Aid will launch its own e-commerce site for over-the-counter products later this year, but will utilize Drugstore.com's (No. 41) technology platform. RiteAid.com will feature well-known over-the-counter and its own private label brands.

The Xbox 360 should win this console war
CNET News - San Francisco,CA,USA ... platform and third-party games (aside from Guitar Hero) sell better on the other platforms, can we forget that online gaming is practically non-existent

Revolution Money and CardinalCommerce Offer RevolutionCard to ...
Earthtimes (press release) - London,UK "CardinalCommerce is an industry leader in enabling new payment types for online merchants," said Duncan Evans, SVP and General Manager of the

SWIFT Targets $15 Billion a Year Lost Revenue Opportunity
Participants named in workers’ remittances pilot; U.S. banks largely absent. BS&T has learned the names of 16 banks committed to participating in a SWIFT global pilot starting next month that aims to increase banks' involvement in the lucrative worker remittance market. At least a couple of major U.S. banks are expected to join the 16 that have allowed their names to be released, before the test of new SWIFT communication formats for interbank remittance processing starts. http://www.banktech.com/news/showArticle.jhtml?articleID=210601279

Man accused in TJX data breach pleads guilty

Computerworld - Framingham,MA,USA Once they broke into a network, they would locate and steal "Track 2" data from the magnetic stripe on the back of payment cards as well as PIN-block data

Sprinting Toward Change
Forbes - NY,USA What's your take on your friend Bill Gates' new Microsoft commercial with Jerry Seinfeld? I haven't seen it. I'll have to go on YouTube and look for it.

Holidays at risk as more airlines face bankruptcy

Times Online – UK The Times has learnt that as many as 80 of the 120 airlines operating out of the UK have fallen behind in payments of departure tax receipts to the

