In late March, before Schnuck Markets Inc. knew the extent of a breach that compromised as many as 2.4 million debit and credit cards, a Wal-Mart employee in Plano, Texas, saw something strange.
The employee, a loss prevention officer, noticed a woman acting oddly. She was trying to use several different payment cards at the register, and she was buying gift cards. Both of those things raised red flags, so the officer took the woman aside.
Later that day, the woman was charged with credit card forgery. And sometime that same day, law enforcement authorities made a link: The 44-year-old Fort Worth, Texas, woman was attempting to shop with counterfeit cards containing data that had been stripped from a card used at a Schnucks grocery store, hundreds of miles away and probably months beforehand.
While thousands of fraudulent transactions linked to the breach happened all over the country, the woman’s arrest is one of only a possible handful made so far — and it was something of a fluke. The fact is, experts say, it’s not likely that many people will be called to account for their criminal connections to the breach.
The woman may have been what cyber-crime investigators consider a mule or a runner — a person who takes fake cards encoded with stolen data and attempts to see if the cards work, reporting success or failure to higher-ups. Or she may have bought the cards on the black market, hoping to get away with fraudulently purchased loot, or in this case, gift cards. (Often, investigators say, criminals buy these stored-value cards with fraudulent payment cards, then sell them on the street for cash, usually taking less than what the card is worth.)
In other words, she is small potatoes — not the person investigators are after. The people investigators really want are likely thousands of miles away, possibly in Eastern Europe, and they may never catch them. Those thieves, experts say, have probably closed up shop and moved on, vanishing without a trace, leaving people such as the woman charged in Plano holding the proverbial bag.
Schnuck has said it first noticed on March 15 questionable activity on 12 cards used at its stores. Four days later, the company hired respected forensics firm Mandiant to conduct an investigation. Police in Maryland Heights, Mo., where Schnuck Markets Inc. is headquartered, along with other area departments, started taking reports from shoppers saying their cards had been hacked. The U.S. Secret Service, the FBI and the Missouri attorney general got involved.
When word got out, customers panicked. Some stopped shopping at the store. Law enforcement authorities advised shoppers to pay in cash. Banks began canceling and issuing new cards. As the situation crested, everyone, it seemed, knew someone whose card had been hacked.
On April 14, Schnuck revealed just how widespread the attack had been: The Mandiant investigation, the company said, revealed that as many as 2.4 million cards may have been breached from December 2012 to March 2013.
By that point the company had said the problem had been “found and contained.” Customers, however, still continued seeing fraudulent charges on their accounts because the information was stolen and sold long before the company, or anyone else, realized the hack had occurred.
Schnuck has declined, repeatedly, to answer detailed questions about the breach, saying it does not want to provide a “road map” to cyber criminals. It will not share the Mandiant report.
The company has said, however, the information was lifted from the company’s “processing environment” as the cards were awaiting approval, and that the criminals accessed the data by inserting malware into the company’s system.
Cyber-crime experts interviewed by the St. Louis Post-Dispatch said that, given that information — and given what they know from cyber-sleuth circles — the data were lifted just after cards were swiped at the point of sale. Several said the likely culprit was a Romanian cyber gang.
“The Schnucks breach was the result of random access memory malware,” explained Al Pascual, a senior analyst of security risk and fraud at Javelin Strategy & Research, a California company that advises the payment industry. “That means there’s malicious software at the point of sale. After a card is swiped, the data goes into the register, then it goes to random access memory on the computer itself, and this malware pulls it right off the memory before it’s transmitted somewhere else.”
Industry rules state that merchants are not allowed to store card data. But, in this case, it appears the information was taken as it was moving through the system. Because it wasn’t encrypted — and is not required to be at that point, Pascual said — the thieves had complete access. The only solution is to encrypt the information as it travels, which is more costly and difficult.
Typically, after information is stolen, it gets sold in batches on the Internet. The thieves send the data to an IP address — Internet Protocol address — where other thieves can buy the information. This used to happen on what’s known as the “dark Web,” beyond the reach of online search engines, but now, experts said, a prospective buyer can find stolen data fairly easily.
“It used to be you had to know where to go,” Pascual said. “But it’s made its way into the mainstream. Now you can actually Google the information, and you’ll find forums. There are even groups on Facebook.”
After buyers get their hands on the information, they often encode it into cards, often blank cards — known as “white plastics” in the industry — or on gift cards that they recode with the stolen information. The data also can be used to buy merchandise online in “card not present” transactions.
By the time these cards make their way down the food chain — from the hackers, through the syndicates that sell the data, to the low-level mule or buyer on the street — the IP address where the information was sent has long gone dark, and the criminals have essentially vanished.
“They bounce information from different IP addresses, and then they burn them — they don’t use them again,” explained Jim McKee of Red Sky Alliance, a network of cyber-security experts based in St. Louis. “So you have a dead end. The hackers sold all the credit card numbers, they’ve made their money, and they’ve moved on.”
At the local level, police departments don’t have the time or resources to devote to tracking down cyber-crime at the street level. “They can’t chase down every surveillance photo in a drugstore of someone buying a stored-value card,” McKee said. “They’re never going to find that guy.”
The Maryland Heights Police Department, for one, is calling the Schnuck matter a “cold case.”
At the federal level, investigative efforts could be frustrated by distance. Even if investigators can trace a breach back to a particular person or gang, diplomatic relations often stand in the way.
“Our FBI and Secret Service have no power over anything, and these Eastern European governments aren’t going to cooperate with anyone,” McKee said.
But Kristina Schmidt of the St. Louis Secret Service office said the agency, along with the FBI, is still working on the case.
“You can try to work through diplomatic routes,” she said. “You can certainly present a prosecution in the U.S. against people who don’t live here. But whether you can get those people arrested depends on diplomatic relations with those countries.
“Many of these countries are partners,” Schmidt added. “They’re interested in tracking this down as well.”
Indeed, investigators can point to some major successes. In 2008, the FBI made 56 arrests after a two-year undercover investigation revealed a massive global cyber-criminal ring had stolen financial and credit card data. A federal grand jury in New Jersey, in 2009, also indicted three people in connection with a massive hack of Heartland Payment Systems, a New Jersey-based card processing company, in which hackers were accused of stealing more than 130 million payment card numbers — the largest case prosecuted to date.
Under agreements with the credit card companies, card-issuing banks are required to reimburse card holders for fraudulent charges. But even though card holders are made whole, the banks and merchants say, that doesn’t make credit-card hacking a victimless crime.
The issuing bank has to pay the consumer, but then they go to the merchant’s bank to recoup the money, and that bank often goes to the merchant itself, asking for compensation. Sometimes the banks sue the merchant, saying they’re not doing enough to protect consumers’ card data.
“Banks are blaming the retailers,” Pascual said. “Retailers and banks typically have contentious relationships anyway, so they’re more likely to go after the retailer as a result.”