It's getting to the point where you can't even go out and get a good Cajun meal anymore...

A ring of cyber-thieves has stolen tens of thousands of credit card numbers from Louisiana and Mississippi restaurants this year, leading to over $1 million in losses for the banks that issued them.

The restaurants began reporting the thefts beginning in March in Baton Rouge, followed by similar cases in Flowood, Miss., Lafayette, Lake Charles and West Monroe. The hackers have swiped credit and debit card numbers off 16 restaurants' computer systems, then sought to sell them for anywhere between $1 and $100 each, according to Special Agent Sean Connor of the U.S. Secret Service, an arm of the Department of Homeland Security that investigates financial crimes.

"Once they get a big pile of credit card numbers, they turn around and sell them on the Internet," Connor said.

The cases appear connected and probably involve a criminal network that stretches overseas, which would be consistent with other identity theft cases, U.S. Attorney David Dugas said. A group indicted in a separate case earlier this month includes defendants from three continents.

Authorities have no total dollar figure for the losses sustained in the Louisiana-Mississippi cases because the victims _ local and national banks _ are still compiling figures, Connor said. The hardest hit is a bank reporting over $1.1 million in losses, he said.

One bright spot: it's easier to steal the credit information than it is to sell it, meaning the losses could have been much greater. "Their methods for using the cards aren't as efficient as their methods for getting the numbers," Dugas said.

Jim Christy, a Maryland-based computer security expert with the Department of Defense, said such a scheme can get started by a thief with a laptop, driving around town until he finds a business with wireless computer networks.

The thief breaches an insecure wireless network, then inserts malicious software...similar to a wiretap...in the merchant's computer that will collect customers' credit card numbers and send them to the thief's e-mail account. Such identity theft operations began about five years ago and are becoming more common, he said.

"This is a worldwide problem today. Everything's networked and everything's going to wireless," said Christy, director of futures exploration for the Defense Department's Cybercrime Center.

The scheme is not sophisticated. Christy compared the hackers to teenage pranksters who get a garage-door opener and drive around the neighborhood, seeing how many garages they can open up by pushing the button. Eventually, they find one or two.

In the largest such identity theft case so far, 41 million credit and debit card numbers were stolen from chain retailers including Barnes and Noble, Sports Authority and OfficeMax. TJX Cos., which runs T.J. Maxx clothing stores, took $197 million in charges to cover losses from the security breach.  Eleven people _ from the U.S., Estonia, China, Ukraine and Belarus _ have been indicted in that case.

The big money for hackers may be in big chains, but the Louisiana-based case shows that small businesses can be targets, too. The targets included Roman's, a family owned Lebanese eatery in Baton Rouge, and Sammy's Grill, in the rural town of Zachary.

Restaurants are among the most common targets for hackers, experts said, because they often fail to update their antivirus software and other computer security systems. Credit card companies urge merchants to make sure they're not storing sensitive data on "point-of-sale" computers _ the modern equivalent of cash registers. The machines also need to be continuously upgraded to meet security standards, said Joe Majka, a senior business leader at Visa Inc. who focuses on computer security.  "We're working more to direct our attention to the merchant community, to make sure they are protecting their data correctly, so that these things don't occur," Majka said.

About 100 restaurant owners are expected at a meeting Monday in Baton Rouge, where Secret Service agents and representatives from Visa will explain how to protect against breaches.

Credit card contracts generally protect consumers from any fraudulent use of stolen card numbers. To protect against the inconvenience of credit card theft, the companies recommend that consumers be vigilant in checking charges that appear on credit or debit accounts _ and quickly report suspicious ones to the issuer of the card.But Christy said there's little that credit users can do to protect themselves.  He said the threat of identity theft is "part of doing business today. You just hope businesses do what they're supposed to do to protect you."

Posted by John B. Frank Tuesday, August 19, 2008

0 comments

Payments Industry News Blog

Search the PIN Debit Blog by Subject

Kapersky Calls for Mass Adoption of Card Readers

Kapersky Calls for Mass Adoption of Card Readers