Synopsis: SQL Injection

In this lesson, let's discuss a common attack technique used by hackers.

In March 2010, serial computer hacker Albert Gonzalez was convicted for his role in the largest identity theft in history. He acquired an estimated 130 million credit and debit card numbers by hacking into ATM machines and payment systems of several major retail store chains and the credit card processing companies that served them.

Gonzalez broke the previous record, which he also held, for stealing 45.6 million credit and debit card numbers in 2006. He committed that earlier crime by exploiting vulnerable wireless networks.

How did Gonzalez nearly triple his own record? We imagine a daring plot from a James Bond movie, with black-clad agents rappelling down elevator shafts, using supercomputers to crack state-of-the-art encrypted passwords, or sabotaging electrical power to an entire city.

The indictment describes a more mundane reality. Gonzalez exploited a vulnerability that is one of the most common security weaknesses on the Internet. He was able to use an attack technique called SQL Injection to gain privileged access to upload files to the corporate victims’ servers. The indictment states that after Gonzalez and his co-conspirators gained this access:

…they would install “sniffer” programs that would capture credit and debit card numbers, corresponding Card Data, and other information on a real-time basis as the information moved through the Corporate Victims’ credit and debit card processing networks, and then periodically transmit that information to the co-conspirators.
