In late March, before Maryland Heights, Mo.-based Schnuck Markets Inc. knew the extent of a breach that compromised as many as 2.4 million debit and credit cards, a Wal-Mart employee in Plano, Texas, saw something strange.
The employee, a loss prevention officer, noticed a woman acting oddly. She was trying to use several different payment cards at the register, and she was buying gift cards. Both of those things raised red flags, so the officer took the woman aside.
Later that day, the woman was charged with credit card forgery. And sometime that same day, law enforcement authorities made a link: The 44-year-old Fort Worth, Texas, woman was attempting to shop with counterfeit cards containing data that had been stripped from a card used at a Schnucks grocery store, hundreds of miles away and probably months beforehand.
The woman may have been what cybercrime investigators consider a mule or a runner -- a person who takes fake cards encoded with stolen data and attempts to see if the cards work, reporting success or failure to higher-ups. Or she may have bought the cards on the black market, hoping to get away with fraudulently purchased loot, or in this case, gift cards.
In other words, she is small potatoes -- not the person investigators are after. The people investigators really want are likely thousands of miles away, possibly in Eastern Europe, and they may never catch them. Those thieves, experts say, have probably closed up shop and moved on, vanishing without a trace, leaving people such as the woman charged in Plano holding the proverbial bag.
Schnuck has declined, repeatedly, to answer detailed questions about the breach, saying it does not want to provide a "road map" to cybercriminals.
"The Schnucks breach was the result of random access memory malware," explained Al Pascual, a senior analyst of security risk and fraud at Javelin Strategy & Research, a California company that advises the payment industry. "That means there's malicious software at the point of sale. After a card is swiped, the data goes into the register, then it goes to random access memory on the computer itself, and this malware pulls it right off the memory before it's transmitted somewhere else."
Industry rules state that merchants are not allowed to store card data. But, in this case, it appears the information was taken as it was moving through the system. Because it wasn't encrypted -- and is not required to be at that point, Mr. Pascual said -- the thieves had complete access. The only solution is to encrypt the information as it travels, which is more costly and difficult.
Typically, after information is stolen, it gets sold in batches on the Internet. The thieves send the data to an IP address -- Internet Protocol address -- where other thieves can buy the information. This used to happen on what's known as the "dark Web," beyond the reach of online search engines; but now, experts said, a prospective buyer can find stolen data fairly easily.
After buyers get their hands on the information, they often encode it into cards, often blank cards -- known as "white plastics" in the industry -- or on gift cards that they recode with the stolen information. The data also can be used to buy merchandise online in "card not present" transactions.
By the time these cards make their way down the food chain -- from the hackers, through the syndicates that sell the data, to the low-level mule or buyer on the street -- the IP address where the information was sent has long gone dark, and the criminals have essentially vanished.
"They bounce information from different IP addresses, and then they burn them -- they don't use them again," explained Jim McKee of Red Sky Alliance, a network of cybersecurity experts based in St. Louis. "So you have a dead end. The hackers sold all the credit card numbers, they've made their money, and they've moved on."
At the federal level, investigative efforts could be frustrated by distance. Even if investigators can trace a breach back to a particular person or gang, diplomatic relations often stand in the way.
"Our FBI and Secret Service have no power over anything, and these Eastern European governments aren't going to cooperate with anyone," Mr. McKee said.
Under agreements with the credit card companies, card-issuing banks are required to reimburse cardholders for fraudulent charges. But even though cardholders are made whole, the banks and merchants say, that doesn't make credit card hacking a victimless crime.
The issuing bank has to pay the consumer, but then they go to the merchant's bank to recoup the money, and that bank often goes to the merchant itself, asking for compensation. Sometimes the banks sue the merchant, saying they're not doing enough to protect consumers' card data.
In the end, though, everyone ends up paying because, critics say, credit card companies jack up rates and fees throughout the processing system.
"It's a hopeless situation," Mr. McKee said. "But the electronic world is here, and we can't buy stuff with cash on the Internet."