Gonzalez is in jail and awaiting trial next month in New York for allegedly helping to hack the computer network of the Dave and Buster’s restaurant chain. Attorneys for Gonzalez did not comment to The Associated Press.
The fact that hundreds of millions of card numbers could be stolen from retailers illustrates the flaws in a payment system that’s built more for speed than security, as an Associated Press investigation found this year. For instance, credit and debit card numbers are not always encrypted as they move from retail stores to banks for approval.
Consumers don’t directly pay the costs of most fraud. Banks and retailers eat those charges. But consumers bear them indirectly, in the form of higher prices.
According to prosecutors, Gonzalez and his associates exploited vulnerabilities that remain widespread. Among them: flaws in the way retailers’ computers handle requests in the so-called Structured Query Language (SQL), which is used to manage data — such as credit card information — stored in databases. Hackers who detect these holes can trick databases into coughing up more information than they should.
The vulnerability sometimes can be exploited as simply as entering a specially crafted command into, say, a search box on a badly configured Web site. Instead of returning normal search results, the site would surrender confidential information or allow a hacker to place malicious programs on the site.
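The flaw described above, as an added illustration that is not part of the original article: a search function that pastes the visitor's text into its SQL statement, next to the corrected form that sends the text separately as data. The table, the function names and the sample input are assumptions constructed for this example.

```python
import sqlite3

def make_db():
    # Constructed sample data: one public row and one row the search must never return.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (name TEXT, is_public INTEGER)")
    db.executemany("INSERT INTO items VALUES (?, ?)",
                   [("gift card", 1), ("internal card log", 0)])
    return db

def search_concatenated(db, term):
    # Flawed pattern: the search text becomes part of the SQL statement itself,
    # so quote characters in it can change what the statement asks for.
    sql = ("SELECT name FROM items WHERE is_public = 1 "
           "AND name LIKE '%" + term + "%' ")
    return [row[0] for row in db.execute(sql)]

def search_parameterized(db, term):
    # Corrected pattern: the statement text is fixed and the search text is
    # bound to the ? placeholder, so the database only ever treats it as a value.
    sql = "SELECT name FROM items WHERE is_public = 1 AND name LIKE ?"
    return [row[0] for row in db.execute(sql, ("%" + term + "%",))]

# Constructed search-box input: closes the quoted pattern early, widens the
# WHERE clause, and comments out the rest of the statement.
CRAFTED = "zzz%' OR is_public = 0 --"

if __name__ == "__main__":
    db = make_db()
    print("normal search, flawed code:  ", search_concatenated(db, "gift"))
    print("crafted search, flawed code: ", search_concatenated(db, CRAFTED))
    print("crafted search, fixed code:  ", search_parameterized(db, CRAFTED))
```

With the flawed function the crafted text returns the non-public row; with the parameterized function the same text is just a search term that matches nothing.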