Suspect named in TJX credit card probe

Ukrainian's arrest seen as break in record fraud case

By Ross Kerber, Globe Staff | August 21, 2007

Authorities have zeroed in on a Ukrainian man they suspect played a key role in the sale of many credit card numbers stolen from TJX Cos. in what is considered the biggest corporate data breach to date.

Officials hope the recent arrest of Maksym Yastremskiy will be a breakthrough in the investigation of who hacked into systems at TJX and other companies, said Greg Crabb, a program manager in the global investigations division of the US Postal Inspection Service. The service is among various law enforcement agencies trying to track down hackers who made off with more than 45 million credit and debit card numbers from TJX starting in 2005.

Crabb said Yastremskiy allegedly sold card numbers through online forums hosted overseas, sometimes in Cyrillic or that were password protected. He is likely the largest seller of stolen TJX numbers, Crabb said.

Prices ranged from $20 to $100 per stolen card, and the cards were sold in batches of up to 10,000, depending on factors like the credit limits of the consumer accounts being traded. Crabb said Yastremskiy is associated with at least one other Ukrainian man previously charged with similar crimes, though unrelated to the TJX case.

...


************ Moderator's Note **************

The world is an unforgiving place when Americans assume that "our" morality is supposed to apply everywhere. While "Authorities" may hope that arresting one alleged criminal will "cure" the problem, it's just a PR move to assuage fears of identity theft.

The Internet supports _all_ facets of a global economy, including the criminal ones, and if we assume that a man in Nigeria is going to care about the so-called penalties of online theft, then we're being naive.

On the one hand, a potential "419'er" can count on thousands of dollars of free money, available just for knowing how to type on a computer at a cyber cafe in Lagos. On the other hand, the possibility of having to bribe your way out of getting caught, or even spending a few months in jail.

Mr. Yastremskiy is probably not from Lagos or anywhere else in Nigeria. It doesn't matter. The 419'ers were just the tip of the cyber-crime iceberg, but U.S. corporations, ever eager to make a sale, have ignored the basic security measures that would have protected the credit-card data which TJX effectively gave away to the first person and/or group smarter than the least intelligent of TJX's computer security staff.

Make no mistake: U.S. companies that we entrust with our financial data are a convoy of Titanics headed for the coldest, hardest dose of reality in the world: nobody respects "private" property when it's "protected" by a social contract they're not party to.

The fact is that we - the U.S. public - have been babes in the woods as far as our personal info is concerned. It is only the statutory limit on credit-card fraud liability (IIRC, $300) that has enabled TJX and other corporations to be so negligent. Although that limit doesn't apply to debit cards, the public doesn't _know_ that, and so they continue to hand over their plastic whenever it's asked for, without any thought of possible consequences.

Of course, the corporate leaders who allowed this to happen have protected themselves behind an impenetrable wall of sincerity: impenetrable, that is, by all who think words on a piece of paper are a substitute for cold, hard cash on the counter of the money agent in Lagos or wherever. And, to add insult to injury, they're right: although $300 is not chump change, it's still small enough to keep most credit cards in use. Sooner or later, however, the cyberthieves will figure a way into the EFT system, and then the only limit on liability will be the amount for which the victim is insured. Until Bruce Schneier's prediction comes true, and the underwriters have to bear major insurance losses, there won't be any meaningful security in U.S. Electronic Commerce.

YMMV.

Bill Horne Temporary Moderator

Monty Solomon
