Michael Mukasey, the attorney-general, said: “They used sophisticated computer hacking techniques that would allow them to breach security systems and install programs that gathered enormous quantities of personal financial data, which they then allegedly either sold to others or used themselves.”
“And in total, they caused widespread losses by banks, retailers, and consumers.”
Mukasey called the total dollar amount of the alleged theft “impossible to quantify at this point”.
‘Not computer geniuses’
Michael J Sullivan, a US attorney, said that while most of the victims were in the US, officials have not identified all the people who had a card number stolen.
“I suspect that a lot of people are unaware that their identifying information has been compromised,” he said.
Sullivan also said that the alleged thieves were not computer geniuses, but opportunists who used a technique called “wardriving”, which involved looking for accessible wireless internet signals.
Once they located a vulnerable network, they installed so-called “sniffer programs”, that captured credit and debit card numbers as they moved through a retailer’s processing networks.
The information was stored on two servers in Ukraine and Latvia – one with more than 25 million credit and debit card numbers and another with more than 16 million numbers, Sullivan said.
Seetharaman Raghavan, the CEO of Doha Bank, told Al Jazeera that the relative ease of penetrating unsecure networks is problematic.
“This is the crux of the matter – getting through to a network in which these retailers operate – thereby making these companies extremely vulnerable to violations such as this,” he said.
“It obviously was not hard to detect an unsecure network via wireless means, but the alert raised in response to this violation came too late unfortunately, and perhaps too slow, considering the massive damage alleged to have been done on the part of these operators.”
Albert “Segvec” Gonzalez, the alleged ringleader of the operation, was charged with computer fraud, wire fraud, access device fraud, aggravated identity theft and conspiracy. He faces a maximum penalty of life in prison if he is convicted of all the charges.
Mark Sullivan, the US secret service director, said Gonzalez was a secret service informant who helped the agency take over a website being used to transmit stolen identifiers and stolen credit card numbers.
He also said that the organisation later found out that Gonzalez had also been feeding criminals information about ongoing investigations – even warning off at least one person.
“Obviously, we weren’t happy that a person working for us as an informant was double-dealing,” he said.
Michael Chertoff, the homeland security secretary, said the non-US citizens under indictment were part of an international stolen credit card ring.
According to Chertoff, the ring operated in mainly in eastern Europe, the Phillipines, China and Thailand, and the alleged foreign conspirators remained outside the US.
He also said that the alleged crimes demonstrated the weaknesses of cybersecurity in the US.
“Today’s indictments are a reminder of a growing threat that every American faces in the 21st century – the fact that each individual’s greatest asset is their names, their identity,” Chertoff said.