Is your credit / debit card safe? News that 11 people, including a US Secret Service informant, have been charged with the hacking of nine major retailers and the theft and sale of more than 41 million credit and debit card numbers would not give cause for confidence.

But, then again, the fact that the perpetrators were identified after an extensive investigation spanning around the globe shows that authorities are increasingly becoming knowledgeable of such high-technology crimes.
 
The eleven people charged by the US Justice Department today are considered to have been part of the largest hacking and identity theft ring ever exposed. The suspects have been charged with conspiracy, computer intrusion, fraud and identity theft.

Underscoring the multinational, collaborative aspect of organised crime today, three of the defendants are US citizens, one is from Estonia, three are from Ukraine, two are from China and one is from Belarus. The name and whereabouts of the final defendant are unknown. Moreover, the stolen information was stored on two servers in Ukraine and Latvia - one with more than 25 million credit and debit card numbers and another with more than 16 million numbers.

The indictment returned Tuesday by a federal grand jury in Boston alleges that the suspects hacked into the wireless computer networks of retailers including TJX Cos., BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW and set up programs that captured card numbers, passwords and account information.

Federal officials said a principal organiser of the ring was Albert Gonzalez, a man from Miami who was indicted on charges of computer fraud, wire fraud, aggravated identity theft, conspiracy and other charges. If convicted on all counts, Gonzalez would face life in prison.

Gonzalez was then drafted as a US Secret Service informant who helped the agency take over a web site being used to transmit stolen identifiers and stolen credit card numbers. But prosecutors said that Gonzalez continued his criminal activities and tried to warn one of his conspirators, Damon Patrick Toey, to ensure that Toey would not be identified or arrested in the operation against ShadowCrew. Toey was among those indicted on Tuesday in Massachusetts.

"They used sophisticated computer hacking techniques that would allow them to breach security systems and install programs that gathered enormous quantities of personal financial data, which they then allegedly either sold to others or used themselves," Attorney General Michael Mukasey said at a news conference. "And in total, they caused widespread losses by banks, retailers, and consumers."

Mukasey called the total dollar amount of the alleged theft "impossible to quantify at this point." Underscoring the vulnerability of modern systems that have made life easier, he added, ''Computer networks and the Internet are an indispensable part of the world economy. But even as they provide extraordinary opportunities for legitimate commerce and communication, they also provide extraordinary opportunities for criminals.''

US Attorney Michael J Sullivan said that while most of the victims were in the United States, officials still haven't identified all the people who had a card number stolen.

"I suspect that a lot of people are unaware that their identifying information has been compromised," he said.

Sullivan said the alleged thieves weren't computer geniuses, just opportunists who used a technique called "wardriving," which involved cruising through different areas with a laptop and looking for accessible wireless Internet signals. Once they located a vulnerable network, they installed so-called "sniffer programs", obtained from collaborators overseas.

Those programs tapped into the retailers' networks for processing credit cards and intercepted customers' PINs and debit and credit numbers that were stored there, which were then sent off for storage on remote servers.

To sell card numbers on the black market, the group turned to Maksym Yastremskiy of Ukraine and Aleksandr Suvorov of Estonia, who were also charged, according to prosecutors.

Yastremskiy, thought to be a major figure in the international sale of stolen credit card information, was apprehended in July 2007 on vacation in Turkey and is in prison awaiting trial on charges including credit card theft. The United States has asked Turkey to extradite him.

The indictments shed more light on the breach into the stores of TJX, the owner of T J Maxx. In 2005, Christopher Scott, another man who was charged, compromised wireless access points at a Marshalls in Miami and used them to download payment information from computers at TJX headquarters in Framingham, Massachusetts, prosecutors said.

The following year, prosecutors said, the conspirators established a virtual private network connection into TJX's payment processing server and successfully uploaded a sniffer program.

In public financial filings, TJX said it had spent around $130 million on matters related to the break-in, including legal settlements, and it expected to spend an additional $23 million in the 2009 fiscal year.