The big story in the news recently, the one everyone is reading and writing about, is how 1 guy (and 2-5 accomplices) was able to steal 130 million payment cards over more than three years before finally getting caught. The question is: what if Albert “Segvec” Gonzalez (a.k.a. Cumbajohnny) is an outlier, a statistical anomaly?
Facts of the Case
Rich Mogull has a good overview of the indictment. Wired magazine, the Washington Post (Brian Krebs), and the Wall Street Journal all have coverage. Rich has an interesting comment that:
In the “drama” category, we learn that the main perpetrator is the same person who hacked TJX (and multiple other retailers), and was the Secret Service informant who helped bring down the Shadowcrew.
…
This indictment covers breaches of Heartland, Hannaford, 7-Eleven, and two “major retailers” breached in 2007 and early 2008.
…
This is the same Albert Gonzalez who was indicted last year for breaches of TJ Maxx, Barnes & Noble, BJ’s Wholesale Club, Boston Market, DSW, Forever 21, Office Max, and Sports Authority.
…
The attacks both sniffed traffic and attempted to identify stored card numbers. They targeted data at rest and in motion.
The Wired article adds:
But these are just the latest in a string of high-profile breaches that have been connected to Gonzalez. He and 10 others were charged in May and August 2008 with network intrusions into TJX, OfficeMax, Dave & Busters restaurant chain and other companies.
…
Using a SQL-injection attack, the hackers allegedly broke into the 7-Eleven network in August 2007, resulting in the theft of an undetermined amount of card data. They allegedly used the same kind of attack to infiltrate Hannaford Brothers in November 2007, which resulted in 4.2 million stolen debit and credit card numbers; and into Heartland on Dec. 26, 2007. Of the two unnamed national retailers mentioned in the affidavit, one was breached on Oct. 23, 2007, and the other sometime around January 2008.
…
Gonzalez was a Secret Service informant who once went by the nickname “Cumbajohnny.” He was a top administrator on a carding site called Shadowcrew when he was arrested in 2003.
…
Gonzalez called his credit card theft ring “Operation Get Rich or Die Tryin.” As Wired.com previously reported, he spent $75,000 on a birthday party for himself and once complained to associates that he had to manually count $340,000 in stolen $20 bills after his counting machine broke.
Stephen Watt, a 25-year-old programmer who was working for Morgan Stanley, created a sniffing program dubbed “blabla” that Gonzalez’s gang used to allegedly siphon credit and debit card numbers from TJX and other companies and is facing sentencing this month.
The Wall Street Journal adds:
The Treasury Department recently reported that of the more than 55,000 incidents of wire fraud since 1998, more than half of them occurred in the past two years.
For the techie in each of you, I’d recommend Rich’s summary of the Visa/FBI/USSS data breach report in February 2009.
Allegations
From all accounts it appears that many of the major payment-card data breaches in the last three years can be attributed to a small handful of people, and perhaps one ringleader. Could this be a normal attack pattern, or were these individuals outliers? If they were the crest of an even bigger wave of attacks, it does not bode well for corporate America, but if they are statistical anomalies then what would the world look like if we ignored them when measuring the success of the PCI program?
In 2003, Gonzalez, a carder in his own right, was arrested by the Secret Service and turned into a mole to give them access to CardersMarket, one of the largest carding rings in the world. Though Gonzalez was outed at the time by Dave Thomas (a.k.a. Ethics or El Mariachi), many people did not listen to his rants at TheGrifters.net. Allegedly, Dave Thomas was at the time an informant for the FBI on the same operation. Later that year, Gonzalez would replace Kim Taylor (a.k.a. MacGyver) as the board manager.
In March 2004, Gonzalez expanded his domain by replacing Dmitry Golubov (aka Script) as board manager for CardersPlanet.
In 2008, Albert “Segvec” Gonzalez, Christopher Scott and Damon Patrick Toey were indicted and accused of hacking into TJX Companies and thus exposing 40 million payment cards. That 2008 indictment also named Aleksandr Suvorov (a.k.a. JonnyHell) of Estonia and Maksym Yastremskiy of Ukraine. Could these be the two “Russian” conspirators mentioned in the current indictment of Gonzalez?
But Gonzalez would not have gotten very far had it not been for his friendship with Stephen Watt. Mr. Watt, a 7-foot-tall, 25-year-old programmer, wrote the packet sniffer “blabla” for Gonzalez to capture transactions as they traversed the corporate networks. Interestingly enough, Watt “graduated from high school at 16 with a 4.37 grade point average and from college at 19”, yet his software had a bug that caused it to deactivate each time the POS was rebooted.
Outliers
Again, I begin to wonder what the world would be like if these personalities had not met or operated in unison. What would the payment-card world be like without Gonzalez? It may be a stretch to speculate that this one individual and his actions equate to outlier status. By this measure military dictators and oppressive regimes could also be named outliers even though their effect is quite impactful.
What we are really measuring here is the difference between potential energy and kinetic energy, and the catalyst that converts one into the other. We can assume that there are vulnerabilities in every system, and the greater their number the higher the potential energy. The catalyst, in this case Gonzalez, plays the role of converting that potential energy (vulnerabilities) into kinetic energy (stolen cards, and then cash). Without the catalyst the measured state would stay the same and as such represent a seemingly stable statistic.
We can ignore this alleged stability in the system by stating that all vulnerabilities have the potential of being converted into cash, but until they are, such statements are meaningless (outside of theory modeling). To this point we measure vulnerabilities not by their size in population but by how frequently they are exploited. Without a catalyst to convert them, the vulnerabilities carry little value from a metrics perspective of data compromises.
Statistics
According to DataLossDB.org the number of payment-card numbers lost between 2007-2009 equates to the following:
2007: 111,957,179 records
2008: 13,439,242 records
2009: 130,965,494 records (to date)
The total number of records for (almost) three years’ time is 256,361,915 records. So, let’s see what these numbers look like if we remove Gonzalez from the picture. That’s right, let’s throw out the catalyst for the outliers and see what the world of data breaches looks like for the Payment Card Industry.
If we count up the number of records lost due to Gonzalez between 2007-2009 we have the following, respectively: 94,000,000 (2007), 4,303,930 (2008), and 130,000,000 (2009). The revised data for those three years would look as follows:
2007: 17,957,179 records (down 84%)
2008: 9,135,312 records (down 32%)
2009: 965,494 records (down 99%)
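The recomputation above, as an added example that is not from the original post: it takes the yearly DataLossDB totals and the Gonzalez-attributed counts quoted here, reproduces the revised figures and percentage drops, and also reports the share of the three-year total credited to one actor and the effect on the yearly average. The function names are this example's own.

```python
"""Recompute the post's 'world without Gonzalez' breach statistics.

Added example, not part of the original post. The yearly totals and the
records attributed to Gonzalez are the figures quoted in the post; the
helper functions and their names are this example's own.
"""
from statistics import mean
from typing import NamedTuple


class YearStats(NamedTuple):
    year: int
    total: int       # records lost that year (DataLossDB figure quoted in the post)
    attributed: int  # records the post attributes to the Gonzalez ring


# Figures quoted in the post (2009 is "to date").
BREACHES = [
    YearStats(2007, 111_957_179, 94_000_000),
    YearStats(2008, 13_439_242, 4_303_930),
    YearStats(2009, 130_965_494, 130_000_000),
]


def revised(stats):
    """Remove the attributed records from each year.

    Returns (year, remaining_records, percent_drop) tuples, with the drop
    rounded to a whole percent as the post reports it.
    """
    return [
        (s.year, s.total - s.attributed, round(100 * s.attributed / s.total))
        for s in stats
    ]


def attributed_share(stats):
    """Fraction of all records over the whole period credited to the one actor."""
    return sum(s.attributed for s in stats) / sum(s.total for s in stats)


def leverage(stats):
    """Average records lost per year with and without the attributed breaches.

    The gap between the two means is how far a single actor moves the
    headline 'average breach year' figure.
    """
    with_actor = [s.total for s in stats]
    without_actor = [s.total - s.attributed for s in stats]
    return mean(with_actor), mean(without_actor)


if __name__ == "__main__":
    for year, remaining, drop in revised(BREACHES):
        print(f"{year}: {remaining:>13,} records (down {drop}%)")
    print(f"share attributed over the period: {attributed_share(BREACHES):.1%}")
    print("yearly mean with / without:", leverage(BREACHES))
```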
Analysis
What can we learn from this data? Well, one can speculate that in the absence of outliers like Gonzalez, the overall volume of credit card fraud is dropping. In fact, without him we would be coasting through 2009 with very few payment-card related data breaches at all! I won’t make the mistake you anticipate and confuse correlation with causation.
One could also conclude that payment-card related fraud does not follow a normal Gaussian distribution. In fact, it appears that payment-card related theft and fraud is statistically more closely related to the probability distribution of terrorism than to traditional crime statistics.
Taking a business perspective, one still needs to be on the lookout for attackers and carders who wish to target your business in an effort to “get rich or die tryin”. Wherever there is financial or payment-card data there will be those who wish to plunder and capitalize on it. One thing we must remember is that underground carding is a business model, albeit an illegal one.
An interesting post.
I had not considered the concept of breaches in which A. Gonzalez was involved as a “statistical anomaly.” Perhaps it is because the result was real…but, regardless of the impact, the logic of his activities (especially due to the involvement in so many high profile cases) as an outlier is both intriguing and compelling. Definitely worthy of greater discussion and contemplation.
Quite possibly the most compelling portion of the post though is the final sentence. Carding is, in fact, a business model. Distasteful? Yes. Frustrating? Yes. Illegal? Of course…but a business nonetheless.
-tyler
Great insight into this important and intriguing topic. I am a little bit sceptical of Gonzalez’s role as a “ring-leader” in this operation. In fact if you look at the indictments it would seem that his take in the scheme is far less than others that are involved. For example look at Maksym Yastremskiy, the trafficker of the dumps. The forfeiture claim stated that Maksym had:
$846,762.18 in E-Gold accounts
$87,517.36 in Parex Bank account
$3,781,436.36 in an Asia Universal Bank account
$4,862,884.96 in Western Union money transfers
$1,931,047 in US currency
And this is just what they could find – I would think that he had a much greater role in the conspiracy than Gonzalez did, and I would even guess that there are many other “Gonzalezes” out there. What are your thoughts?
Great read…I wonder how many CISOs, CSOs, Security Professionals, etc. have used the hammer of TJX, Hannaford, Heartland, etc. to push their agenda / budget across the board rooms of corporate America. So, without Gonzalez or whomever, would PCI have the teeth or traction today?
Tyler, I mention these actions as an outlier only because they fall outside the spectrum of typical assumptions of crime. When we think of crime many times we talk about distributions like physical crime patterns in the city. We don’t always imagine the singularities that occur at regular intervals. Gonzalez is not really an outlier any more than Maksym is, but they are both outside the normal attack patterns we work to protect against.
Mark, your comment is a very compelling argument and I’m prone to think you may be right. Maksym and Gonzalez both appear to have a similar pattern of occurrence and profiteering. I think regardless of which is the more wealthy convict, they both fit into the same spectrum of targeted attacks rather than the generic scanning-for-dollars approach.
I think this brings up a very compelling argument in that most small merchants that are compromised are done as a target of opportunity. The flip side is that most large companies are a target of choice.
Rob, I think you missed the point of this post. Potential energy can be converted to kinetic energy with the proper catalyst. If a company has a vulnerability they should not ignore it because a cracker hasn’t exploited it yet. Corporate board rooms should be aware of the inherent risk in storing, processing, or transmitting payment-card data. Therein they should work to remove or protect that data. The failure to do so, after one major criminal is put away, would be improper.