Seattle police are investigating a group of criminals who they say have been cruising around town in a black Mercedes stealing credit card data by tapping into wireless networks belonging to area businesses.
The group has been at it for about five years, according to an affidavit signed by Detective Chris Hansen, a fraud investigator with the Seattle Police Department.
“A number of area small and medium-sized businesses have been targeted in these network intrusions, which have also involved a pattern of financial and personal identifying information (such as credit card information),” Hansen wrote in his affidavit, dated April 13. He declined to comment for this story.
Hansen believes the group has been “wardriving” the Seattle area in a customized 1988 Mercedes Benz, looking for companies using an unsecure Wi-Fi standard called Wired Equivalent Privacy (WEP). WEP has well-documented security flaws and has been considered for years to be unsecure, but was widely used in routers built between about 2000 and 2005. Many consumers and small businesses still use it.
Because WEP’s encryption can be cracked using easy-to-find tools, even unsophisticated hackers can break into WEP networks and mine them for data.
Wardrivers typically use long-range antennas connected to laptops to compile lists and locations of wireless networks, driving from street to street and logging the Wi-Fi activity that they find.
WEP flaws have cost retailers money before. Last year, Albert Gonzalez was convicted of stealing more than 130 million credit card numbers. He used various methods, but got many of the card numbers by wardriving retailers including TJX Companies, OfficeMax and Barnes & Noble. Once he found a vulnerable network, he would hack in and install credit card-stealing programs.
Many big retailers have beefed up security since 2008, when Gonzalez was hacking, but small companies are often at risk. In its annual Data Breach Investigations Report earlier this week, Verizon said criminals are increasingly hitting smaller businesses as it becomes harder to steal financial data from big companies.
Police impounded the Mercedes last October after arresting its owner for allegedly using stolen gift cards at a local wine bar. In the car they found a range-boosting antenna and a Wi-Fi-enabled laptop with a passenger-seat mount, so that it could be used while driving. Except for the front, all windows in the car were heavily tinted, making it difficult to see what was going on inside.
Investigators had been tracking the black Mercedes since at least February 2010, Hansen said in a court filing requesting permission to seize the car. A spokeswoman with the U.S. Department of Justice would not say whether charges had been brought against any of the suspects.
The gang is thought to have stolen more than US$750,000 worth of items, according to the Seattle Post Intelligencer, which first reported the story.
Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert’s e-mail address is firstname.lastname@example.org