US prosecutors have charged a man with stealing data relating to 130 million credit and debit cards.
Officials say it is the biggest case of identity theft in American history.
They say Albert Gonzalez, 28, and two un-named Russian co-conspirators hacked into the payment systems of retailers, including the 7-Eleven chain.
Prosecutors say they aimed to sell the data on. If convicted, Mr Gonzalez faces up to 20 years in jail for wire fraud and five years for conspiracy.
He would also have to pay a fine of $250,000 (£150,000) for each of the two charges.
Mr Gonzalez used a technique known as an "SQL injection attack" to access the databases and steal information, the US Department of Justice (DoJ) said.
Edward Wilding, a fraud investigator, told the BBC that this method was "a pretty standard way" for fraudsters to try to access personal data.
It "exploits any vulnerability in a firewall and inserts a code to gather information," he explained.
However, he added that this case probably "involved extremely well researched, especially configured codes, not standard attack codes downloaded from the internet".
Mr Wilding said that chip-and-pin did provide some protection against SQL attacks, but there was little consumers could do to protect themselves against this kind of fraud.
"The real vulnerability, I suspect, is internet and telephone transactions. But this is a failure in the configuration of [corporate] firewalls," he said.
Michelle Whiteman, from anti-fraud organisation Financial Fraud Action UK, said that consumers must check their bank statements regularly and flag up any suspicious transactions to their bank.
She said that online, telephone and mail order fraud were on the increase, along with fraud committed abroad on UK cards, according to figures released in March.
But she stressed that any victim of fraud would "always be refunded in full".
Mr Gonzales' corporate victims included Heartland Payment Systems - a card payment processor - convenience store 7-Eleven and Hannaford Brothers, a supermarket chain, the DoJ said.
According to the indictment, the group researched the credit and debit card systems used by their victims, attacked their networks and sent the data to computer servers they operated in California, Illinois, Latvia, the Netherlands and Ukraine.
The data could then be sold on, enabling others to make fraudulent purchases, it said.
Mr Gonzalez, who had once been an informant for the US Secret Service helping to track hackers, is already in custody on separate charges of hacking into the computer systems of a national restaurant chain and eight major retailers, including TJ Maxx, involving the theft of data related to 40 million credit cards.
Mr Gonzales is scheduled to go on trial for these charges in 2010.
This latest case will raise fresh concerns about the security of credit and debit cards used in the United States, the BBC's Greg Wood reports.
» No Comments
There are no comments up to now.
» Post Comment