US prosecutors have charged a man with stealing data relating to 130 million credit and debit cards. Officials say it is the biggest case of identity theft in American history.
They say Albert Gonzalez, 28, and two un-named Russian co-conspirators hacked into the payment systems of retailers, including the 7-Eleven chain.
He's the ringleader behind the TJ Maxx ring. He's been in custody for a while now. They just keep piling the charges onto him. The Feds are looking to close a whole pile of open cases on this one guy.
The best part? The entire time he was doing this, he was a paid "Confidential Informant" of the Secret Service [lawvibe.com]. Your tax dollars hard at work.
[webmasterworld.com...]
What about small mom and pop operations that don't have an IT department? Do you want them punished when they're already probably struggling to survive?
Today we had to block the Planet from our servers due to a continued attack from servers hosted there.
I called the owner of the IP address and guess what he asked me. "Was this attack yesterday?" I replied no, it was today, and he said, "Oh man, we been hacked again."
He has no knowledge of servers, yet he is on a dedicated server that continues to get hacked, and his hacked server then becomes a tool for the hacker to attack our servers.
The attack was so strong it affected our server performance, so we banned the Planet's IP from access.
this guy goes back years ..and some of us have watched the bad guys for years
and anyone interested in security should have banned the planet years ago ..i won't go on about it due to TOS here ..but they always were a haven for spammers scammers and badware and illegal data ..way before they bought EV1 who were never too choosy either..
5 years ago you could rent an entire server from planet for $30.00 per month ..as long as the jacked credit card didn't "tilt" ..you had it for as long as you wanted ..who needs to hack a mom and pop account to make a zombie when you could run an entire graveyard for $30.00 per month and no questions asked ..
[edited by: Leosghost at 10:09 pm (utc) on Aug. 18, 2009]
What about small mom and pop operations that don't have an IT department? Do you want them punished when they're already probably struggling to survive?
For practical purposes, I'm 'mom and pop'. That is no excuse for outright recklessness regarding 'minimum best practices' for protecting sensitive customer information. Though possessing some knowledge, I am NOT a server expert, I am NOT a database expert, but I pay good money to people who are.
The average mom and pop doesn't even pretend to properly secure customer data. Yes, they should be hammered. I've done a lot of work for mom and pop businesses. Business practices tend to be appalling. Underfunded, understaffed, and ought not be in business at all. Most aren't after a while.
the Euro press ( and even aunty beebs IT wonk ..who for want of a misplaced vowel missed his calling ) all agreed that the US system for dealing with credit cards is laughable ..no chip and pin ..and almost mickey mouse verification systems for "card holder not present" ..hardly surprising that Alby and the boys got in and out so easy ..and that the blag was 130.000.000. ..( that amounts to about 1/3 of the US population ..but probably to less than 10% of the US credit cards ) In Europe it would be closer to 1/3 of the population ..and 1/3 of the credit cards ( Brits excepted ..they probably hold 10% of the world's credit cards all to themselves :(() ..
it was waiting to happen ..because in the credit card industry in the USA things are sloppy ( not the US members here who post on the subject..who are on the whole ..on the ball )..but the average citizen , company , hoster , diner , restaurant , IT guy need a wake up call ..
well it just happened ....
Oh and the other day ( about 7 days ago ..a Vietnamese site running out of ho chi city spammed here with US credit cards details for sale ..all details down to the cvv and the passwords, addys ,dogs name eye colour etc etc ..thousands ..and links to the mother site ..daytime post ( eastern day time )..looking for buyers ..some of you may be on its list of "US credit card details for sale" ? ..
I followed it ,stickied admins ..and gave the site and its follow links to Interpol here ..how many of you were too busy perfecting your next whinging ( "my clicks are down ..g is unfair ) adsense post to see it go by ...? it was real .
security does not mean buying Norton ( or even worse getting it pre installed )..or putting your hand over the keypad on the ATM ..
<rant off>
Thousands of cards stored on QB online version.
It is convenient for the owner and if there is no problem - they have no interest in changing how they do business. They truly don't care what is required in the merchant account agreement or 'best practices'. Zero interest. Other things to do.
And simply no need whatsoever to handle security like this. None.
I pass off the transaction to my payment processor. I get all the customer details for mailing purposes, but the payment processor is the only place where the credit card details are ever collected and stored.
I do recurring billing and it's all handled inside the payment processor, which obscures the credit card information. I can enter new CC info to replace the expired, but I have zero access to the existing data.
The payment processor supplies a full service backend to issue credits, refunds, new sales, etc. but it's all 100% secure and off my servers so if anyone gets hacked it's not me and not my problem ;)
Therefore, the hackers can do whatever they want to my servers but they cannot breach a single credit card as I don't store it, I only store the authorization or denial information.
That's how you easily and simply secure your mom and pop transactions away from the hackers.
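Added example, not part of the original thread: one way to enforce the "store only the authorization or denial information" setup described in the post above, by whitelisting what is kept from the processor response and auditing stored rows for anything that looks like a card number. The field names, the sample response and the token value are constructed assumptions, not any real processor's API.

```python
import re

# Fields the merchant keeps: mailing details plus the auth result (hypothetical names).
ALLOWED = {"order_id", "name", "ship_to", "processor_token", "auth_status", "auth_code"}
# 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn checksum, used to cut false positives from arbitrary long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text):
    """Return masked card-number candidates (first 6, last 4) found in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits

def to_local_record(processor_response):
    """Keep only whitelisted fields; refuse to store if a card number slipped in."""
    record = {k: v for k, v in processor_response.items() if k in ALLOWED}
    for key, value in record.items():
        if find_pans(str(value)):
            raise ValueError(f"card number in field {key!r}; refusing to store")
    return record

def audit_rows(rows):
    """Scan already-stored rows; return (row index, field) pairs holding a card number."""
    return [(i, k) for i, row in enumerate(rows)
            for k, v in row.items() if find_pans(str(v))]

# Constructed sample: what a careless integration might hand back to the shop.
SAMPLE_RESPONSE = {
    "order_id": "A-1001", "name": "Pat Example", "ship_to": "1 Main St",
    "processor_token": "tok_constructed_123", "auth_status": "approved",
    "auth_code": "012345", "card_number": "4111111111111111", "cvv": "123",
}

if __name__ == "__main__":
    print(to_local_record(SAMPLE_RESPONSE))
    legacy = [{"order_id": "A-1002", "notes": "card 4111 1111 1111 1111 exp 01/12"}]
    print(audit_rows(legacy))
```

The Luhn check only reduces false positives; a hit from `audit_rows` still needs a human look, and a clean result does not cover card data kept outside the scanned rows.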
I think incrediBILL nailed our IT department, but when I got involved IT woke up and we began to look at the possible issues. The issue was large-scale SQL injection attacks that took up most of our SQL ports.
Per your information, Leosghost, we will keep them banned. Thanks.