11 charged in theft of 41 million card numbers

Federal authorities say they have cracked what appears to be the largest hacking and identity theft ring ever exposed.
(From The New York Times)

The story "11 charged in theft of 41 million card numbers" published August 6, 2008 at 6:57 AM is no longer available on CNET News.

Content from The New York Times expires after 7 days.

[jamalystic]

So what should be done now for the victims of this cybercrime? Are they not suppose to be compensated? How many such practices are still on-going and elusive to the security apparatus remains the mystery question now?Unprepared to Fight Worldwide Cyber Crime(http://www.internetevolution.com/author.asp?section_id=593&doc_id=147027&F_src=flftwo)

[Imalittleteapot]

This is like the tenth time I've asked this. Can we please NOW GET RID OF CREDIT CARDS? They are inherently insecure. The number is plastered on the front of the card for any retail clerk to read it right off, and that's all they need to use it or duplicate it. How stupid is that? We have better technology now. You don't even have to be in possession of someone's card to use it, such as on the net.

Can we please finally replace them with smart devices that use internal electronics to do public/private key encryption or something similar SO THAT THE DEVICE CANNOT BE USED WHEN NOT PRESENT AND CAN NOT BE DUPLICATED UNLESS THE ORIGINAL DEVICE IS STOLEN? Like I've said before, a simple encryption device that contained a private key that never ever ever ever left the device could digitally sign transaction data that could be authorized by a bank computer that contained the matching public key. It would be just a simple device to digitally sign your transactions like a smart card or something else. Strap a USB adapter on it and net shopping away you go.

The middle man such as Walmart's terminal device or Amazon's network would never see this key. Therefore someone hacking Walmart's network couldn't dup your card because even Walmart doesn't know your key. All it sees is the signed transaction that gets shuffled off to the authorization server that ALSO doesn't know your private key. Even the computer that authorizes you would be totally clueless. It would only have the matching public key that verifies the transaction was indeed signed by your device. Even bank computers get compromised so their computers cannot know you're secret number either, but the math on how to do this is already known.

This would eliminate the ability for people to steal thousands of credit card numbers at a one time. The only way to get the private key would be to steal each device separately. As soon as your reach in your pocket and realize it has been stolen you make a call to the bank and deactivate it. Then simply get issued another one with a new private key built in. The criminals would have to steal one at a time and they'd only work for a day or two. How much crime would that end?

I can see how they could get debit/credit card numbers but the PINs are supposed to be encrypted before they leave the pinpad (keyboard) of the POS or ATM. The hardware had to be hacked or they also had the PIN encryption keys !

[ittesi259]

In corporate America "supposed to" means its not happening. People still ask to see ID's even though its a violation of Visa/Mastercard rules these days.

[Seaspray0]

I agree with Imalittleteapot. A public/private key would work much, much better.