Credit Card Theft: How to Avoid the Next Albert Gonzalez

Submitted by Jack on September 14, 2009 – 6:05 am

Those tuning into the news this weekend probably heard that Albert Gonzalez, the hacker who sometimes went by the handle of “soupnazi,” has pleaded guilty to stealing 170 million credit card and debit card numbers. He is, of course, going to jail for quite some time after ganking credit card numbers from such supposedly secure vendors as OfficeMax, TJX Companies, BJ’s Wholesale Club, 7-Eleven, Heartland Payment Systems, Boston Market, Hannaford Brothers, Barnes & Noble, Sports Authority and Dave & Buster’s.

Does that list frighten you? Have you made a purchase at any of these stores or a store like them recently? In reality, you shouldn’t be too worried – after all, federal law states that you are only liable for $50 of fraudulent charges, as long as you report them ASAP. But given Gonzalez’s methods, there are some things that these businesses could’ve done to keep themselves (and their customers) from becoming statistics.

Compromised Wi-Fi

The main method by which Gonzalez and his cohorts broke into their victims’ systems was through wireless access points. According to Computerworld, Gonzalez’s cronies compromised two access points at a TJX and used these servers to upload their malicious software that would sniff out credit card information. After gaining this access, Gonzalez, et al. created a secure VPN connection between TJX and their own credit card thieving server. So, essentially, it was the same as when you dial in to work on your employer’s network. Gonzalez used a combination of packet sniffing and SQL injection attacks (a database exploit) to reap millions of credit card numbers.

War Driving

One of the methods that Gonzalez used to gain access to wireless networks was a technique known as “war driving.” This is a “brute force” method of finding weakly secured networks by literally driving through a neighborhood looking for that one WiFi network that doesn’t have the proper encryption. When a hacker finds an unsecured network, he can simply hop on to your network and use your Internet and rifle through your computer files as if he were sitting right in your living room. This includes intercepting sensitive data such as usernames, passwords, Social Security numbers and, of course, credit card information.

The simple solution to this is to keep your WiFi network secure. First of all, you don’t want your neighbors leeching your bandwidth and you certainly don’t want hackers going on a shopping spree with your credit card. Here’s what you need to do:

  1. Learn how to log in to your router. You can usually do this by typing in 192.168.0.1 or 192.168.1.1 into your browser, though this address will vary depending on manufacturer. You’ll be prompted to enter a username and password – if you haven’t set one, it’s probably the default – something like username: admin and password: admin. If you are stumped, just Google the model and manufacturer of your router for instructions.
  2. Change your default password. Make it something unique (at least something more unique than the default, which is something anyone can Google). This will prevent anyone from undoing the changes you are about to make.
  3. Change your default SSID and cloak it. This is an option you can change after logging into your router. For instance, a Netgear router’s SSID is, by default, simply “NETGEAR.” Neighbors and hackers will see it pop up on their list when looking for available networks. If you cloak it, no one can see it, but if you haven’t changed it from the default, they can easily guess the SSID to type in manually. Change it to something unique and cloak it.
  4. Enable encryption. WEP is good, but EAP is better.
  5. Enable MAC Filtering. This is somewhat of an intensive process, but it will essentially bar anyone but you from connecting to your network. Read a tutorial for MAC filtering here.
  6. Password protect file sharing. Or disable it altogether. File sharing includes p2p networks, iTunes libraries, home networks and other services that make your computer searchable to others on your network. Of course, it makes your computer viewable by anyone who busts their way into your network as well.

Protect Your Business

These measures are important for residences, but more so for businesses. After all, Gonzalez lifted most of his numbers directly from commercial databases. If you are an office or even a fast food restaurant, it’s your responsibility to keep a lockdown on your wireless security. Take all the above measures and, of course, be diligent to protect against physical breaches as well. Too many chains that rely on a workforce of teenagers are lax about access to their backroom areas and allow off-duty and non-employees to come and go as they please. Keep your router in an office where only managers can access it. After all, no amount of wireless security will stop a user from jacking in with a cable and uploading whatever they please. And depending on how your infrastructure is set up, a compromised router in one store can mean a chain-wide breach of security.

Read Your Statement

Gonzalez was loaded. The feds seized millions of dollars, a BMW and thousands of dollars’ worth of jewelry from him. With 170 million credit cards at his disposal, he would only need to take a few dollars from each account in order to fund his lavish lifestyle. This is how most identity thieves operate – so it’s imperative that you carefully read over your statement each month. Anything fishy, even if it’s only a $2.50 charge, should be investigated. It’s either A) Some new fee that your bank is charging B) Some purchase you forgot about C) Evidence of identity theft or D) A straight-up error. In any case, you’ll want to get to the bottom of it.

If you suspect you are a victim of identity theft, report it right away. There is usually a 24-hour 800 number on the back of your credit card. Call it. The sooner you report the theft, the less you are liable for. For more tips, read MYC’s guide to identity theft prevention.

And as always, exercise common sense when disclosing your credit card information. Granted, all of the businesses that fell victim to Gonzalez were respectable and legitimate. But there’s no sense in making it easy on the hackers and phishers. Never disclose personal information through e-mail, always check URLs to make sure they make sense (i.e. http://www.wellsfargo.com and not http://www.welslfargo.com) and avoid clicking links in e-mails that lead to login portals. And, of course, let your fellow readers know about any other common sense credit card safety measures that you use to protect yourself from identity theft in the comments.
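The URL check described above can be automated. The sketch below is an added example, not part of the original post: it compares a link's hostname against a list of domains you actually use and flags near-misses such as the swapped letters in welslfargo.com. The `TRUSTED` list, the function names and the two-label "registered domain" shortcut are assumptions made for illustration.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Assumed allow-list: the domains the reader really does business with.
TRUSTED = {"wellsfargo.com", "paypal.com", "chase.com"}

def osa_distance(a: str, b: str) -> int:
    """Edit distance counting inserts, deletes, substitutions and
    swaps of two adjacent characters (optimal string alignment)."""
    prev2, prev = None, list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "ls" typed as "sl".
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]

def check_url(url: str, max_distance: int = 2) -> Tuple[str, Optional[str]]:
    """Classify a link as 'trusted', 'lookalike' or 'unknown'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    for good in TRUSTED:
        if host == good or host.endswith("." + good):
            return ("trusted", good)
    # Simplification: treat the last two labels as the registered domain.
    # Real code should consult the Public Suffix List instead.
    registered = ".".join(host.split(".")[-2:])
    for good in sorted(TRUSTED):
        # Near-miss spelling, or a trusted name buried inside another host.
        if osa_distance(registered, good) <= max_distance or good in host:
            return ("lookalike", good)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sample links, including the two from the paragraph above.
    for link in ("http://www.wellsfargo.com",
                 "http://www.welslfargo.com",
                 "https://www.wellsfargo.com.login.example/"):
        print(link, "->", check_url(link))
```

A "lookalike" verdict means the link should not be followed; type the address you know into the browser instead.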

Photo by bixentro.
