Ex-hacker details scheme to steal scores of credit cards from major retail chain
Ross Jones, WXYZ
2:15 PM, Feb 11, 2014
12:34 PM, Feb 18, 2014
DETROIT (WXYZ) - As more and more details are revealed about how hackers gained access to millions of consumers’ financial information at stores like Target, major card companies announced big changes coming in 2015.
Target announced the company will invest $100 million in technology that will allow consumers to use chip-and-pin cards from Mastercard and Visa.
Experts say chip-and-pin cards reduce fraud and prevent hackers from gaining access to sensitive information.
Today’s magnetic swipe cards are easy to duplicate, which means easy access for hackers.
"I acknowledge some of the things done were illegal," he told reporter Ross Jones.
For a time, he was a cyber-hacker and played a role in a scheme to steal millions of credit card numbers from one of the largest companies in America. For this story, we'll call him Derrick.
"I never had any intent to commit fraud or steal anything," he said. "Just merely to get in and see what I could do. It was the actions of other defendants that was the actual defrauding."
The other defendants were Derrick's friends, and their story begins on a night in 2003 when the trio was driving around town with their laptops, looking for weak spots in nearby companies' computer servers. In the cyber world, it's called "wardriving."
"And one of the ones we noticed was outside of a Lowe's store," he said. "We looked around in there and we were like, 'Wow.'"
What he saw was that some of the company's most precious consumer data was open for the taking.
"They have the entire corporate network from this one store. And from there they were able to get into every cash register in the United States in every Lowe's," he said.
"That's a line I didn't mentally cross."
"But they did," Jones said, referring to Derrick's friends.
"Right," he responded.
At the time, Derrick's friends were stuck in low-paying, dead-end jobs. Their plan was to steal the data and then sell it on the black market in web forums, much like we're seeing today with credit cards stolen from Target, Neiman Marcus and other stores.
"That data is worth a significant amount of money," Derrick said. "It was enough where they were willing to give up their lives and leave the country, were they successful."
Their scheme was to implant special software inside Lowe's own servers so that every card used would be intercepted--in real time--and copied, before being passed on to the credit card company. In the hacker world, it's called a "man in the middle" attack.
"So as they're discussing this grand plan, what are you saying?" Jones asked.
"This is a terrible idea, and I'm pretty sure you'll get caught," Derrick replied.
He was right. Lowe's detected that the trio had been inside their servers and called the FBI. On a day while Derrick was being driven to the airport, he saw some flashing lights in the rear view mirror. They were for him.
"Six Southfield police cars surrounded the vehicle and forced it off the road. They all get out and stand behind their doors with guns drawn," he recalled.
Lowe's detected the security breach before any credit card information was compromised.
Derrick was taken into custody by FBI agents and simultaneously, so were his friends. The three were indicted by a grand jury, accused of trying to commit $2.5 million worth of credit card fraud and facing decades in prison.
Two of the defendants wound up serving time: one for two years while the ringleader got nine. But Derrick received only probation.
In the eight years since his prosecution, Derrick has tried to atone for his mistake. He has a job in computers, but his hacking days are over. He says he's troubled, though, that so many major companies haven't taken the steps to protect consumer data from the kinds of hackers he used to be.
"A lot of companies just go, 'That's not how I wanted to spend that several million dollars this quarter. We should put that off for next year,'" he said.