Ex-hacker details scheme to steal scores of credit cards from major retail chain

Agreeing only to speak in shadow, the man talking in this story doesn't want you to know his name or see his face. But he wants you to know what he did.

"I acknowledge some of the things done were illegal," he says.

For a time, he was a cyber hacker and played a role in a scheme to steal millions of credit card numbers from one of the largest companies in America.

For this story, we'll call him Derrick.

"I never had any intent to commit fraud or steal anything," he said. "Just merely to get in and see what I could do. It was the actions of other defendants that was the actual defrauding."

The other defendants were Derrick's friends, and their story begins on a night in 2003 when the trio was driving around town with their laptops, looking for weak spots in nearby companies' computer servers. 

In the cyber world, it's called "wardriving."

"And one of the ones we noticed was outside of a Lowe's store," he said. "We looked around in there and we were like, 'Wow.' "

What he saw was that some of the company's most precious consumer data was open for the taking.

"They have the entire corporate network from this one store. And from there they were able to get into every cash register in the United States in every Lowe's," he said.

"That's a line I didn't mentally cross."

But Derrick says his friends did.

At the time, Derrick's friends were stuck in low-paying, dead-end jobs. Their plan was to steal the data and then sell it on the black market in web forums, much like we're seeing today with credit cards stolen from Target, Neiman Marcus and other stores.

"That data is worth a significant amount of money," Derrick said. "It was enough where they were willing to give up their lives and leave the country, were they successful."

Their scheme was to implant special software inside Lowe's own servers so that every card used would be intercepted—in real time—and copied, before being passed on to the credit card company. 

In the hacker world, it's called a "man in the middle" attack.

Derrick says it was a terrible idea. He was pretty sure they'd get caught.

He was proven right.

Lowe's had detected the security breach before any credit card information was compromised and called the FBI. One day, while Derrick was being driven to the airport, he saw some flashing lights in the rearview mirror. They were for him.

Six Southfield, Michigan police cars surrounded his vehicle and forced it off the road.

Derrick was taken into custody by FBI agents and, simultaneously, so were his friends.

The three were indicted by a grand jury, accused of trying to commit $2.5 million worth of credit card fraud and facing decades in prison.

Two of the defendants wound up serving time: one for two years while the ringleader got nine. But Derrick received only probation.

In the eight years since his prosecution, Derrick has tried to atone for his mistake. 

He has a job in computers, but his hacking days are over.  He says he's troubled, though, that so many major companies haven't taken the steps to protect consumer data from the kinds of hackers he used to be.

"A lot of companies just go, 'That's not how I wanted to spend that several million dollars this quarter. We should put that off for next year,' " he said.

"And next year never comes."

By the way, beyond the data encryption offered by reputable merchants like Lowe’s, there are other ways to protect your credit card information.

Always be sure to sign the back of your credit card. That way, if anyone does nab your information, the credit card company can’t raise your personal liability. You followed all the rules.

Look for personal finance services like Mint.com. That way you can instantly track all your credit card transactions.

Shred any and all credit card statements. Never, ever throw them in the trash. You'd be amazed how many crooks will actually dumpster dive looking for your private info.

When buying products online, be wary of public Wi-Fi connections. They’re relatively easy to hack. If you must use public Wi-Fi, consider getting a VPN. They’re far more secure.

And, in the unlikely event your info is stolen in a commercial data breach, notify your bank ASAP. Call and write so nothing slips through the cracks.
