Just an update from my story of a few days ago. Hacker Albert Gonzalez got a sentence of 20 years on the first guilty plea, entered in Massachusetts, to unauthorized computer access. Two more cases (and guilty pleas) in New York and New Jersey will be finalized next week in Boston, when additional sentences will be pronounced.
It’s probably not enough, but it sends a really strong message, that’s for sure. Keep your hands off what isn’t yours.
Albert Gonzalez, a former government informant charged last year with hacking into credit card systems of nearly a dozen major retailers, along with the U.S.’s largest credit/debit card processing firm, is set to be sentenced for pleading guilty to the hack. His lawyers say he should get no more than 15 years; the government wants 25.
I want to see more than just a prison sentence, personally, because my credit/debit information was among the 200 million that were stolen by Gonzalez as he hacked. Proceeds from his hacking include cars, jewelry, houses, in addition to a luxury lifestyle that included trips, designer clothing, and stays at fancy hotels. All on my dime (and the dimes of others that were ripped off). While that money didn’t come directly from my bank account, I (and everyone else who shops) am paying for this as prices increase to cover the losses these companies suffered in the hack. And not only did he make money, he was also a repeat offender. He had been caught hacking in 2003 and turned government informer in order to avoid prosecution and jail time, then continued his hacking activities while providing information to the government about other hackers’ activities!
No, a term in jail is not enough. Gonzalez should be banned from computers for life. Even after he’s served his time, he will re-offend, I’m sure of that. There aren’t enough firewalls and security in place to keep this guy out of servers if he can get access to a computer. This was more than him just trying out a “proof of concept” about hacking. He stole all of that information and used it for personal gain, and even tried to sell portions of his accumulated information overseas as well. There is not enough in a jail sentence, in my mind. What this guy did, and what he taught others, makes all of us more vulnerable to theft in the future. And there’s not a lot we can do about it; this is not a cash-based society any more. I use my debit card hundreds of times a month. I rarely write checks, and rarely use cash for anything other than small purchases (like my morning Diet Coke from the gas station on the way to work). If people like Mr. Gonzalez can continue to gain footholds in gaining our plastic information, and not face any long-term consequences, then we all continue to be at risk.
And while we should expect that retailers and credit/debit card processors will continue to exercise due diligence in keeping our information safe, we cannot call that any kind of guarantee. We just have to continue to be diligent. And make punishment for hacking a harsh and irrevocable measure that will make hacking a lot less enticing to criminals in the first place.
What punishment do you think Mr. Gonzalez should get?
Dumb: ATM owners who use the default password for administering their ATMs, allowing hackers to get into the machines easily by locating the default password online from vendor sites.
Dumber: ATM owners who don’t change the default password after the machine is hacked and used to give out more money than it was supposed to.
A pair of crooks got caught using the default password on an ATM for the fourth time. They weren’t caught the first three times, but by the fourth time, the police had information from surveillance cameras and had alerted the store manager (where the ATM was located) to the identity of the thieves. So when they tried it for the fourth time, they got caught.
I’m wondering why the ATM owner didn’t just change the default password on the administrative functions of the ATM so it couldn’t be hacked a second time. That would have been the smarter thing to do, wouldn’t you think?
Who’s dumber, the criminal or the ATM owner? I’m thinking it’s the latter.