Hacker Indictment Greeted With Muted Response

U.S. authorities are calling it the largest hacking and identity theft case yet. But this week's indictments of 11 people who allegedly plundered millions of payment card numbers might not seriously dent the underworld where such crimes occur.

Researchers at a hacking conference [in Las Vegas] met the news with a bit of a shrug, saying the theft of credit and debit cards still will flourish.

"These guys were just persistent and lucky. And they got caught," said Jim Christy, a longtime cyber crime investigator who now works in computer-security outreach for the Department of Defense. "There's probably a lot more stuff being stolen that's never been reported. A lot of smaller businesses are being raped and pillaged and plundered and they never know."

The scope of the identity theft is breathtaking: more than 41 million debit and credit card numbers were stolen from major retailers, including TJX Cos., BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.

It's also been costly. The hardest-hit retailer, TJX, which operates the T.J. Maxx and Marshalls discount clothing chains, took $197 million in charges to cover losses from its breach, which began in July 2005.

Of the 11 defendants, three are U.S. citizens. The others are from places such as Estonia, Ukraine, Belarus and China, a hodgepodge that reflects the international nature of organized computer crime. Many stolen card numbers are sold by outfits in Eastern Europe.

Security researchers had a humdrum reaction to Tuesday's indictments partly because identity theft is a booming, multibillion-dollar business. Dismantling a successful operation just means another one will pop up in its place.

Another reason is that the indictment revealed that the hackers' tactics were crude, suggesting they stumbled into a much bigger security hole than they anticipated.

The hackers allegedly found insecure wireless networks using a simple method...