US man 'stole 130m card numbers'

The card details were allegedly stolen from three firms, including 7-Eleven

US prosecutors have charged a man with stealing data relating to 130 million credit and debit cards.

Officials say it is the biggest case of identity theft in American history.

They say Albert Gonzalez, 28, and two un-named Russian co-conspirators hacked into the payment systems of retailers, including the 7-Eleven chain.

Prosecutors say they aimed to sell the data on. If convicted, Mr Gonzalez faces up to 20 years in jail for wire fraud and five years for conspiracy.

He would also have to pay a fine of $250,000 (£150,000) for each of the two charges.

'Standard' attack

SQL INJECTION ATTACK This is a fairly common way that fraudsters try to gain access to consumers' card details. They scour the internet for weaknesses in companies' programming which allows them to get behind protection measures. Once they find a weakness, they insert a specially designed code into the network that allows them to access card details. There is little consumers can do to protect themselves from the effects of this type of attack. The general advice to cardholders is to check bank statements carefully and report any suspicious transactions immediately. How secure is your card info?

Mr Gonzalez used a technique known as an "SQL injection attack" to access the databases and steal information, the US Department of Justice (DoJ) said.

The method is believed to involve exploiting errors in programming to access data.

Edward Wilding, a fraud investigator, told the BBC that this method was "a pretty standard way" for fraudsters to try to access personal data.

He added that this case probably "involved extremely well researched, especially configured codes, not standard attack codes downloaded from the internet".

Mr Wilding said there was little consumers could do to protect themselves against this kind of fraud.

Internet and telephone transactions using credit cards were most vulnerable, he said, though added it was a failure of corporations, not customers.

Michelle Whiteman, from anti-fraud organisation Financial Fraud Action UK, said that consumers must check their bank statements regularly and flag up any suspicious transactions to their bank.

She said that online, telephone and mail order fraud were on the increase, along with fraud committed abroad on UK cards, according to figures released in March.

But she stressed that any victim of fraud would "always be refunded in full".

Further charges

FROM THE TODAY PROGRAMME More from Today programme

Mr Gonzales' corporate victims included Heartland Payment Systems - a card payment processor - convenience store 7-Eleven and Hannaford Brothers, a supermarket chain, the DoJ said.

"We are pleased that the authorities have aggressively pursued this case to be in a position to bring an indictment against the alleged perpetrators of the crime," said Michael Norton, spokesperson for Hannaford Brothers.

Meanwhile, 7-Eleven said the attack affected cash machines operated by a third party inside its stores, and had lasted for 12 days in 2007.

According to the indictment, the group researched the credit and debit card systems used by their victims, attacked their networks and sent the data to computer servers they operated in California, Illinois, Latvia, the Netherlands and Ukraine.

The data could then be sold on, enabling others to make fraudulent purchases, it said.

Mr Gonzalez, who had once been an informant for the US Secret Service helping to track hackers, is already in custody on separate charges of hacking into the computer systems of a national restaurant chain and eight major retailers, including TJ Maxx, involving the theft of data related to 40 million credit cards.

Mr Gonzales is scheduled to go on trial for these charges in 2010.

This latest case will raise fresh concerns about the security of credit and debit cards used in the United States, the BBC's Greg Wood reports.