Big credit card scam at Wal-Mart was a child of the TJX breach

USA Today is running a story about some huge ID theft resulting from the TJX data breach (looks like these guys did some serious shopping at Wal-Mart stores). This story shows a few different instances of security problems.

They crooks got the credit cards from some guy who was caught with a bunch of credit card scanners, each with enough memory to hold data on a thousand credit cards.

Then we have some good old fashioned social engineering. The ring leader "posed as the owner of an import/export business and befriended female employees". Nothing like getting to know the people you are robbing.

Then you have the fact that the crooks knew how to avoid arousing suspicions and how to get around built-in security measures. First of all, they had people running all over the same store on the same day making merchandise and purchases with different cashiers, often with the same credit card (seems like that should have rung a bell, but oh well). They also bought boat loads of $400 gift cards ($500 gift cards need manager approval). And they shopped during the hectic holiday season to cover their tracks.

But the biggest problem of all is the TJX breach itself. Though TJX has fully disclosed what happened, many are thinking it was a wireless breach. However it happened, the plain fact is that someone screwed up. But even bigger than that is the people who hacked TJX in the first place.

John Pironti, a computer-security expert who consults financial institutions, says those arrested in the Wal-Mart scam were merely the last link in a long chain of criminals. "The hackers are 10 ways removed from this," he said.

Those guys probably made a bunch of money, and they have kicked off an even bigger chain of crime, which typically ends in a few people at the end of that chain going to jail. It is those guys at the top who need to be in jail. But that is often the hardest link to break.