Ex-hacker details scheme to steal scores of credit cards from major retail chain
Ross Jones, WXYZ
5:09 PM, Feb 6, 2014
7:58 PM, Feb 6, 2014
He agreed to only speak in shadow. He doesn't want you to know his name or see his face. But, he wants you to know what he did.
"I acknowledge some of the things done were illegal," he said.
For a time, he was a cyber hacker and played a role in a scheme to steal millions of credit card numbers from one of the largest companies in America. For this story, we'll call him Derrick.
"I never had any intent to commit fraud or steal anything," he said. "Just merely to get in and see what I could do. It was the actions of other defendants that was the actual defrauding."
The other defendants were Derrick's friends, and their story begins on a night in 2003 when the trio was driving around town with their laptops, looking for weak spots in nearby companies' computer servers. In the cyber world, it's called "wardriving."
"And one of the ones we noticed was outside of a Lowe's store," he said. "We looked around in there and we were like, 'Wow.' "
What he saw was that some of the company's most precious consumer data was open for the taking.
"They have the entire corporate network from this one store. And from there they were able to get into every cash register in the United States in every Lowe's," he said.
"That's a line I didn't mentally cross."
At the time, Derrick's friends were stuck in low-paying, dead-end jobs. Their plan was to steal the data and then sell it on the black market in web forums, much like we're seeing today with credit cards stolen from Target, Neiman Marcus and other stores.
"That data is worth a significant amount of money," Derrick said. "It was enough where they were willing to give up their lives and leave the country, were they successful."
Their scheme was to implant special software inside Lowe's own servers so that every card used would be intercepted—in real time—and copied, before being passed on to the credit card company. In the hacker world, it's called a "man in the middle" attack.
"This is a terrible idea, and I'm pretty sure you'll get caught," Derrick said.
He was right. Lowe's detected that the trio had been inside their servers and called the FBI. One day, while Derrick was being driven to the airport, he saw flashing lights in the rearview mirror. They were for him.
"Six Southfield (Michigan) police cars surrounded the vehicle and forced it off the road. They all get out and stand behind their doors with guns drawn," he recalled.
Lowe's detected the security breach before any credit card information was compromised.
Derrick was taken into custody by FBI agents and, simultaneously, so were his friends. The three were indicted by a grand jury, accused of trying to commit $2.5 million worth of credit card fraud and facing decades in prison.
Two of the defendants wound up serving time: one for 2 years while the ringleader got 9. But Derrick received only probation.
In the 8 years since his prosecution, Derrick has tried to atone for his mistake. He has a job in computers, but his hacking days are over. He says he's troubled, though, that so many major companies haven't taken the steps to protect consumer data from the kinds of hackers he used to be.
"A lot of companies just go, 'That's not how I wanted to spend that several million dollars this quarter. We should put that off for next year,' " he said.