The big story in the news recently, the one everyone is reading and writing about, is how one man (and two to five accomplices) was able to steal 130 million payment-cards over three years before finally getting caught.  The question is: what if Albert “Segvec” Gonzalez (aka Cumbajohnny) is an outlier, a statistical anomaly?

Facts of the Case

Rich Mogull has a good overview of the indictment; Wired magazine, the Washington Post (Brian Krebs), and the Wall Street Journal all have coverage.  Rich makes an interesting comment:

In the “drama” category, we learn that the main perpetrator is the same person who hacked TJX (and multiple other retailers), and was the Secret Service informant who helped bring down the Shadowcrew.

This indictment covers breaches of Heartland, Hannaford, 7-Eleven, and two “major retailers” breached in 2007 and early 2008.

This is the same Albert Gonzales who was indicted last year for breaches of TJ Maxx, Barnes & Noble, BJ’s Wholesale Club, Boston Market, DSW, Forever 21, Office Max, and Sports Authority.

The attacks both sniffed traffic and attempted to identify stored card numbers. They targeted data at rest and in motion.

The Wired article adds:

But these are just the latest in a string of high-profile breaches that have been connected to Gonzalez. He and 10 others were charged in May and August 2008 with network intrusions into TJX, OfficeMax, Dave & Busters restaurant chain and other companies.

Using a SQL-injection attack, the hackers allegedly broke into the 7-Eleven network in August 2007, resulting in the theft of an undetermined amount of card data. They allegedly used the same kind of attack to infiltrate Hannaford Brothers in November 2007, which resulted in 4.2 million stolen debit and credit card numbers; and into Heartland on Dec. 26, 2007. Of the two unnamed national retailers mentioned in the affidavit, one was breached on Oct. 23, 2007, and the other sometime around January 2008.

Gonzalez was a Secret Service informant who once went by the nickname “Cumbajohnny.” He was a top administrator on a carding site called Shadowcrew when he was arrested in 2003.

Gonzalez called his credit card theft ring “Operation Get Rich or Die Tryin.” As Wired.com previously reported, he spent $75,000 on a birthday party for himself and once complained to associates that he had to manually count $340,000 in stolen $20 bills after his counting machine broke.

Stephen Watt, a 25-year-old programmer who was working for Morgan Stanley, created a sniffing program dubbed “blabla” that Gonzalez’s gang used to allegedly siphon credit and debit card numbers from TJX and other companies and is facing sentencing this month.

The Wall Street Journal adds:

The Treasury Department recently reported that of the more than 55,000 incidents of wire fraud since 1998, more than half of them occurred in the past two years.

For the techie in each of you, I’d recommend Rich’s summary of the Visa/FBI/USSS data breach report in February 2009.

Allegations

From all accounts it appears that many of the major payment-card data breaches in the last three years can be attributed to a small handful of people, and perhaps one ringleader. Could this be a normal attack pattern, or were these individuals outliers?  If they were the crest of an even bigger wave of attacks, it does not bode well for corporate America, but if they are statistical anomalies then what would the world look like if we ignored them when measuring the success of the PCI program?

In 2003, Gonzalez, a carder in his own right, was arrested by the Secret Service and turned into a mole to allow them inside of CardersMarket, one of the largest carding rings in the world.  Though Gonzalez was outed at the time by Dave Thomas (aka. Ethics or El Mariachi), many people did not listen to his rants at TheGrifters.net.  Allegedly, Dave Thomas was at the time an informant for the FBI on the same operation.  Later that year, Gonzalez would replace Kim Taylor (aka. MacGyver) as the board manager.

In March 2004, Gonzalez expanded his domain by replacing Dmitry Golubov (aka Script) as board manager for CardersPlanet.

In 2008, Albert “Segvec” Gonzalez, Christopher Scott and Damon Patrick Toey were indicted and accused of hacking into TJX Companies and thus exposing 40 million payment-cards.  This 2008 indictment named Aleksandr Suvorov (aka JonnyHell) of Estonia and Maksym Yastremskiy of Ukraine.  Could these be the two “Russian” conspirators that are mentioned in the current indictment of Gonzalez?

But Gonzalez would not have gotten very far had it not been for his friendship with Stephen Watt.  Mr. Watt, a 7-foot-tall, 25-year-old programmer, wrote the packet sniffer “blabla” for Gonzalez to capture transactions as they traversed the corporate networks.  Interestingly enough, Watt “graduated from high school at 16 with a 4.37 grade point average and from college at 19”, yet his software had a bug that caused it to deactivate each time the POS was rebooted.

Outliers

Again, I begin to wonder what the world would be like if these personalities had not met or operated in unison.  What would the payment-card world be like without Gonzalez?  It may be a stretch to speculate that this one individual and his actions equate to outlier status.  By this measure, military dictators and oppressive regimes could also be named outliers even though their effect is quite impactful.

What we are really measuring here is the difference between potential energy and kinetic energy, and the catalyst that converts one into the other.  We can assume that there are vulnerabilities in every system, and the greater their number, the higher the potential energy.  The catalyst, in this case Gonzalez, plays the role of converting that potential energy (vulnerabilities) into kinetic energy (stolen cards and then cash).  Without the catalyst the measured state would stay the same and as such represent a seemingly stable statistic.

We can ignore this alleged stability in the system by stating that all vulnerabilities have the potential of being converted into cash, but until they are, such statements are meaningless (outside of theory modeling).  To this point, we measure vulnerabilities not by the size of their population but by how frequently they are exploited.  Without a catalyst to convert them, vulnerabilities hold little value from a data-compromise metrics perspective.

Statistics

According to DataLossDB.org the number of payment-card numbers lost between 2007-2009 equates to the following:

2007: 111,957,179 records

2008: 13,439,242 records

2009: 130,965,494 records (to date)

The total number of records for (almost) three years’ time = 256,361,915 records.  So, let’s see what these numbers look like if we remove Gonzalez from the picture.  That’s right, let’s throw out the catalyst for the outliers and see what the world of data breaches looks like for the Payment Card Industry.

If we count up the number of records lost due to Gonzalez between 2007-2009 we have the following respectively: 94,000,000 (2007), 4,303,930 (2008), and 130,000,000 (2009).  The revised data for those three years would look as follows:

2007: 17,957,179 records (down 84%)

2008: 9,135,312 records (down 32%)

2009: 965,494 records (down 99%)
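The outlier-removal arithmetic above, as an added worked example (not part of the original post): the yearly totals are the DataLossDB figures and the per-year attributed counts are those quoted above; the function names are my own. It also reports the one-actor share of the three-year total and rejects an attributed count larger than the year it belongs to, which would signal double counting between sources.

```python
# Added example: rerun the post's outlier-removal arithmetic on its own figures.

# Payment-card records lost per year, per DataLossDB (2009 is "to date").
TOTAL_RECORDS = {2007: 111_957_179, 2008: 13_439_242, 2009: 130_965_494}

# Records the post attributes to the Gonzalez breaches in each year.
GONZALEZ_RECORDS = {2007: 94_000_000, 2008: 4_303_930, 2009: 130_000_000}


def remove_outlier(totals, attributed):
    """Return {year: (revised_count, percent_drop)} with one actor's share removed.

    percent_drop is rounded to a whole percent, as in the post. A year whose
    attributed count exceeds its total raises ValueError: the two sources would
    then be counting the same records twice and the subtraction is meaningless.
    """
    revised = {}
    for year, total in totals.items():
        removed = attributed.get(year, 0)
        if removed > total:
            raise ValueError(f"{year}: attributed {removed:,} exceeds total {total:,}")
        remaining = total - removed
        drop_pct = round(100 * removed / total) if total else 0
        revised[year] = (remaining, drop_pct)
    return revised


def outlier_share(totals, attributed):
    """Fraction of the multi-year total attributed to the single actor."""
    grand_total = sum(totals.values())
    return sum(attributed.get(year, 0) for year in totals) / grand_total


if __name__ == "__main__":
    for year, (remaining, drop) in remove_outlier(TOTAL_RECORDS, GONZALEZ_RECORDS).items():
        print(f"{year}: {remaining:,} records (down {drop}%)")
    print(f"three-year total: {sum(TOTAL_RECORDS.values()):,} records")
    print(f"share attributed to one actor: {outlier_share(TOTAL_RECORDS, GONZALEZ_RECORDS):.0%}")
```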

Analysis

What can we learn from this data?  Well, one can speculate that in the absence of outliers like Gonzalez, the overall volume of credit card fraud is dropping.  In fact, without him we would be coasting through 2009 with very few payment-card related data breaches at all!  I won’t make the mistake you anticipate and confuse correlation with causation.

One could also conclude that payment-card related fraud does not follow a normal Gaussian distribution.  In fact, it appears that payment-card related theft and fraud is statistically closer to the probability distribution of terrorism than to traditional crime statistics.

Taking a business perspective, one still needs to be on the lookout for attackers and carders who wish to target your business in an effort to “get rich or die tryin”.  Wherever there is financial or payment-card data there will be those who wish to plunder and capitalize on it.  One thing we must remember is that underground carding is a business model, albeit an illegal one.