Despite Gonzalez Indictment, No Easy Answers for Merchants

This week's indictment of the alleged criminal mastermind behind the biggest and most notorious data breaches the card industry has ever sustained isn't likely to deter others from stealing card information. Indeed, merchants and processors counting on the charges brought on Monday against Albert Gonzalez (Digital Transactions News, Aug. 17) to slow the rapidly growing data-breach trend are very much mistaken, says Andrew Lauter, chief technology officer at Accertify Inc., a vendor of anti-fraud software. “Okay, they caught one guy,” says Lauter. “I don't think one criminal getting caught deters criminal behavior.” Making matters worse, he adds, is that media accounts of Gonzalez's indictment include descriptions of how he and unnamed confederates broke into the data centers of Heartland Payment Systems Inc., Hannaford Bros. Inc., 7-Eleven Inc., and other victims, as well as how much money he made from selling the stolen card data and how he was caught. This advertises an incentive for would-be imitators and allows them to refine their methods, Lauter argues. Such imitators are making their presence felt. In the latest development, Radisson Hotels & Resorts, which operates more than 400 hotels in 68 countries, said on Wednesday its computer system had been breached, affecting an unknown number of people who stayed at properties in the U.S. and Canada. The company said it informed customers and added information including credit card numbers may have been exposed in the breach, which occurred between May and November last year. Despite Monday's good news, merchants continue to face a number of challenges. One is that no comprehensive, current lists of compromised cards are available to merchants so they can check incoming orders against card information known to have been stolen, says Lauter. The card networks notify issuers when they detect suspicious activity on certain cards, prompting banks to cancel some or sometimes all of the cards listed. But these lists are not distributed to merchants. This is a challenge that isn't likely to go away any time soon. Citing the risk of fraud, Lauter argues such lists should not be disseminated beyond the issuer involved. “If I were to release that list, I have just sent out people's credit card numbers, and the possibility of risk goes up dramatically,” he says. One way to address the problem is for the networks and issuers to post an alert on authorization messages linked to cards the issuers don't cancel outright. He says he's not seen such signaling in the e-commerce channel, the market Accertify serves, though the networks have in recent years overhauled their authorization systems to include more information. “I don't know how a merchant would get notified [currently],” Lauter says. “There's a balancing act for the foreseeable future between the card associations and merchants. There's still a fairly big problem out there.” Gonzalez, 28, and two others were indicted by the U.S. attorney in New Jersey for stealing at least 134 million card numbers, some 130 million from Heartland alone. He had already been charged last year in connection with breaches at the Dave & Buster's restaurant chain and at TJX Cos. Inc. The latest indictment charges Gonzalez with one count of conspiracy involving computers and one count of conspiracy to commit wire fraud between October 2006 and May 2008, when he was arrested. If convicted on both counts, he could be handed a sentence of 35 years in prison and hit with fines of $250,000 on the first count and $1 million or twice the stolen amount on the second.