I-Team: Confessions of a former hacker; expert says computer systems still not adequately protected
11:28 PM, Feb 5, 2014
10:05 AM, Feb 6, 2014
TAMPA, Fla. -
Confidential financial information belonging to more than 100 million Americans was recently accessed by hackers targeting retail stores.
ABC Action News talked to one experienced hacker, Dave, who considers exploiting the vulnerabilities in the credit card processing system one of the nation's largest retailers easy. He is currently on federal probation for his role in a scheme to commit $2.5 million in credit card fraud. While he said he never actually tried to steal, two of his friends did.
"I never had any intent to commit fraud or steal anything, just merely to get in and see what I could do," said the hacker.
"At some point, they're like, 'The whole system is a kind of a game,'" he said of his friends.
The crimes date to 2003, but Dave said recent events show not much has changed in how data is protected.
Back then, Dave and his co-defendants drove around town, using their laptops to find holes in companies' servers. Hackers call this process "wardriving," he said.
During one wardriving session, they hit pay dirt in a Lowe's parking lot.
"They had the entire corporate network from this one store," he said. "And from there, they were able to get into every cash register in the United States in every Lowe's. And from that, they were able to write software."
Dave said his friends implanted the software inside Lowe's own servers, so that every credit card customers used would be intercepted and its information copied before being passed onto the credit card company.
Their scheme was detected by Lowe's security, who contacted the FBI before actual money was stolen.
Lowe's said it has since increased security, but that type of hacking, called "the man in the middle" attack, is what authorities believe was used to Target and Neiman Marcus servers recently.
"This is the form that we sat down and we had to fill out," said Paula Hall, showing dozens of pages of forms she received from her credit union.
Hall doesn't know if she is the victim of one of those attacks, but she told Hillsborough County Sheriff's deputies her debit card was used four times in one day to steal more than $2,700.
"I have no idea how they got me, how they got my number," Hall said. "My card was in my possession the whole time."
Dave said you don't have to physically have the card to wipe out the owner's bank account.
"You can actually make a new credit card that will actually swipe and validate," he said. "And the data is worth a significant amount of money."
Credit card numbers can be sold in bulk to organized crime groups or one at a time over internet sites.
Hall's card was used at the Tampa Hard Rock Casino and a Walmart. Since then she's invested dozens of hours trying to straighten it all out.
"They're not hacking into big companies," Hall said. "They're taking the money of ordinary people. You and me. We work hard for our money."
Dave said people will continue to be victimized until all of the holes in the system are plugged.
"Changing it would be a major undertaking," he said. "And while if should be done, a lot of companies just go, ‘That's not how I want to spend that several million dollars this quarter. We should put it off for next year.' And next year never comes.'"
Authorities say there are some ways to protect yourself and minimize potential damages.
Check your bank and credit card accounts daily for any unauthorized activity. Instead of using your debit card, use your credit cards whenever possible, because they offer more protection. And always safeguard your banking information.
For more ways to protect yourself, read the Federal Trade Commission's recommendations