Why Did Gonzalez Hackers Like European Cards So Much Better?

Last Thursday's (July 25) indictment of five more Albert Gonzalez gang members by federal prosecutors in New Jersey is a reminder of how big that operation was (and may still be) and how far authorities still have to go before they have it wrapped up—after all, only one of the five is in U.S. custody, with a second one awaiting extradition in the Netherlands. But a sharp-eyed Washington Post reporter noticed an oddity in the indictment that has less to do with cops and robbers than with mag-stripe and chip-and-PIN: Stolen European card numbers were sold for $50 each, while U.S. numbers fetched a mere $10.

Why? In part, it's supply and demand: Stolen U.S. card numbers are in much more plentiful supply on the black market, so they're cheaper. But it's the fact that U.S. banks and merchants overwhelmingly haven't implemented chip-and-PIN, along with a weekends-off approach to fraud prevention by some European banks, that makes those cards more valuable to thieves.

And in fact the indictment unsealed last week revealed that those indicted specifically targeted some European banks and chains. The four Russian nationals and one Ukrainian indicted included two individuals who were identified in Gonzalez's own indictment as only "Hacker 1" and "Hacker 2." Last week they were named: Alexandr Kalinin (Hacker 1) and Vladimir Drinkman (Hacker 2) did the hacking into corporate networks, frequently using SQL injection attacks that never should have worked—basic secure programming should have blocked the buffer overflows that make SQL injection possible.

The other three indicted were Roman Kotov, who mined those breached networks for data; Dmitriy Smilianets, who sold the stolen card information for the gang; and Mikhail Rytikov (the Ukrainian), who provided the gang with anonymous web-hosting to hide their activities.

Only Smilianets is in U.S. custody. He and Drinkman were arrested in the Netherlands last year, and Smilianets was extradited last September. Drinkman is still in Dutch custody awaiting an extradition hearing. The remaining three are still at large.

(Albert Gonzalez himself, who was sentenced in 2010, is officially an unindicted co-conspirator here, but he shows up all through the indictment in transcripts of online conversations. It's almost like he's still around.)

The indictment also identifies a more complete list of organizations the gang breached, including the NASDAQ electronic stock exchange, Dow Jones and JetBlue—but also French retail giant Carrefour (2 million card numbers), U.K. payments processor Commidea (30 million cards) and Belgian bank Dexia (number of cards unknown).

Assuming all the European breaches yielded European cards, that means as few as 20 percent of the stolen card numbers were European—but at five times the black-market value, they may have been worth more than the much larger haul of U.S. cards.

That brings us back to Post reporter Andrea Peterson, who asked former U.S. Secret Service agent Levi Gundert about the $50-to-$10 difference. Gundert's answer: European merchants rely on chip-and-PIN cards, which are more secure and also harder to copy than the easily clonable U.S.-standard mag-stripe cards. But many European cards also still have a mag stripe, so in the U.S. they're still easy to exploit.

But there's another factor: Some European banks have a delay in processing transactions over weekends, Gundert said. That means the "cashers" in the U.S. who actually get money from ATMs or buy pricey merchandise to cash out the stolen card numbers can wait until the weekend and then run as many transactions as possible, capitalizing on that delay. As soon as fraud analytics catches the cashing out, the accounts can be blocked—but by then, the cashers have their cash and merchandise.

That weekends-off approach to fraud prevention may sound crazy, but it wouldn't be if chip-and-PIN-capable merchants weren't so rare in the U.S. If U.S. merchants used chip-and-PIN, even side-by-side with mag-stripe, the lower-intensity European antifraud efforts wouldn't matter. Who'd want to work so hard to steal card numbers that couldn't be cashed out?

(And despite the fact that increasing numbers of PIN pads have chip-card slots as standard equipment, U.S. chains aren't using them. We've been making informal surveys of big-chain stores that regularly get cross-border Canadian shoppers. Most of the stores have slots for chip-and-PIN cards, but none of them we've seen yet have the capability turned on. "The first thing they always do is stick the card in the slot," one associate told us. "Then we have to tell them to swipe it.")

If chip-equipped cards didn't have to be swiped, they'd be much harder for cashers to cash out. Rare or not, the value of stolen European cards would plummet. Instead, the no-chips-we're-American policy means that both U.S. cards and European cards are less secure.

Yes, there are still practical and legal barriers to chip-and-PIN getting a U.S. foothold—including the Durbin requirement that multiple processing networks have to be available, which means a chip-only debit card would require two separate debit networks that both support chip transactions, along with potentially two debit networks that support legacy mag-stripe transactions. At that point it sounds like implementing chip-and-PIN in the U.S. will never be practical.

But it will, and the sooner the better. As long as the U.S. is a casher's paradise, U.S. retailers will bear a sizable part of the financial hit from gangs like Gonzalez's—no matter how many Hacker 1s and Hacker 2s the feds manage to find.