Slashdot Mirror


TJX Breach Began With WEP Crack

An anonymous reader sends us to the Wall Street Journal for a detailed report on what is known to date about the TJX data breach. It seems that the loss of over 45 million credit card numbers and more than 450,000 SSNs, driver's license numbers, and military identifications began with someone using a "telescope-shaped" antenna at a wireless link at a Marshall's near St. Paul, Minnesota in July 2005. The link was encrypted using WEP, which had been known to be broken since 2001. The crackers who got into the TJX central databases are believed to be Romanians or Russians with ties to the Russian mobs. The eventual cost of the TJX fiasco could exceed $1 billion — not including the numerous lawsuits filed against the retailer.

8 of 164 comments

  1. Why isn't WEP recalled? by krbvroc1 · Score: 3, Interesting

    WEP is seriously flawed. Why hasn't it been recalled and all router manufacturers forced to replace the hardware (or firmware)?
    In most industries if you ship such a flawed product, the manufacturer has some liability. They are still selling them today too.

    Of course, shame on TJ Maxx and the whole handling of this fiasco. Not that I ever did previously, but I would never shop there.

    1. Re:Why isn't WEP recalled? by Anonymous Coward · Score: 1, Interesting

      I don't think you understand just how bad WEP is. It's not a matter of calculating, throwing hardware at it, or anything like that. You just wait for the right packets to get sent and look for the keys.

    2. Re:Why isn't WEP recalled? by Anonymous Coward · Score: 2, Interesting

      Have YOU bothered to read the article?

      The security issue was not the existence of WEP on the network. The issue was having a wireless network with full access to the rest of the network including financial systems etc. (plus, as the article vaguely mentions, not implementing some other security they had available... VPN? SSL? Who knows.)

      WPA (particularly WPA-PSK, which is a relatively common form of WPA, due to less support for WPA-Radius etc.) is not crack-proof. It's stronger than WEP, but with a payday of millions of CC #s, it would be worth these guys' time to burn some CPU cycles for a WPA crack.

      Most of the old WEP-only bar code scanners etc. these guys are talking about are not the ones at checkout counters, they are the little inventory-control barcode scanners. Someone could crack in then and tell how much stuff you have in your store. But, if properly set up, I would think the financial systems would be accessible only from an internal *wired* network, not via Internet or wireless.

      I've seen some slop though.. a local store, who shall remain nameless.. well, it was Hy-Vee.. set up a rig like this. They ran an extension cord out into the parking lot where flowers were being sold, and plugged a register into it. With CC reader. They did not run ethernet (or serial? Some of the registers look pretty old) out to it. I had my notebook in the car.. yup, they were running WEP. I wasn't about to crack it but I did advise the people with me to pay cash.

    3. Re:Why isn't WEP recalled? by jd · Score: 3, Interesting

      Oh, certainly. 802.1x isn't perfect, by any means. The first rule of IT security, though, is to always be two steps ahead of those doing the compromising. One step means that you're secure when you install, but will have indefinite periods of uncertainty when you COULD be vulnerable. This is typically the way things are done, and it is stupid beyond belief.

      No, the logical method is to expect some component - any component - of the security to be compromised between now and the end of use. You then have a second, wholly independent, component which must simultaneously be compromised in order to be vulnerable. You upgrade when EITHER fails. It is then virtually certain that both have not failed, so everything remains intact, and you use that lead time to perform the upgrade.

      You could regard this as a variant on the Byzantine Generals' Problem. There, some number of components are "traitors" (in this case, compromised), yet you have to make sure that the orders (data) received come from an authorized source alone. Other variants of this problem deal with making sure that that data does not fall into the wrong hands, such as using Byzantine key distribution.

      Three algorithms, three block ciphers, three hashing functions. Any one of those gets broken, simply roll onto the next in the list. If you're sneaky enough, you have some mechanism for automatically switching combinations when the key is refreshed, making it much harder for an attacker to know which combination is actually being used at the time.

      Security doesn't have to be perfect to be truly secure, it just has to be impassable between the time you detect an attacker bypassing one component and the time you can replace what has been broken. The defender in a real-time situation always has the advantage when it comes to what happens next. The attacker ONLY has the advantage when it comes to what has already happened. So long as there is no usable relationship, the attacker must always lose.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
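The layered, swappable-primitive design jd describes above, as an added example in Python that is not part of this thread: every record carries a suite identifier, the verifier holds an allow-list of suites, and retiring a suite makes anything tagged under it fail verification at once while newly written records move to the next suite in the list. The suite names S1 to S3, the record layout and the demo key are constructed for the illustration; only integrity (a keyed MAC) is shown, but the same allow-list logic applies to block ciphers and hashes.

```python
import hashlib
import hmac

# Constructed suite table: three independent MAC constructions, listed in
# order of preference. This ordering is the "list" in the comment above;
# a suite is rolled off it when it is judged broken.
SUITE_ORDER = ["S1", "S2", "S3"]
SUITES = {
    "S1": lambda key, msg: hmac.new(key, msg, hashlib.sha256).digest(),
    "S2": lambda key, msg: hmac.new(key, msg, hashlib.sha3_256).digest(),
    "S3": lambda key, msg: hashlib.blake2s(msg, key=key).digest(),  # key <= 32 bytes
}


class AgilePolicy:
    """Which suites the verifier still accepts, and which one new records use."""

    def __init__(self):
        self.accepted = set(SUITE_ORDER)
        self.preferred = SUITE_ORDER[0]

    def retire(self, suite_id: str) -> None:
        """Drop a broken suite; records made with it stop verifying immediately."""
        self.accepted.discard(suite_id)
        if self.preferred == suite_id:
            remaining = [s for s in SUITE_ORDER if s in self.accepted]
            if not remaining:
                raise RuntimeError("no accepted suite left")
            self.preferred = remaining[0]


def protect(key: bytes, payload: bytes, policy: AgilePolicy) -> bytes:
    """Tag the payload under the preferred suite. The suite id is included in
    the MAC input so a record cannot be relabelled as a different suite."""
    suite = policy.preferred
    tag = SUITES[suite](key, suite.encode() + b"\0" + payload)
    return suite.encode() + b"|" + tag.hex().encode() + b"|" + payload


def verify(key: bytes, record: bytes, policy: AgilePolicy):
    """Return the payload if the record verifies under an accepted suite, else None."""
    try:
        suite_b, tag_hex, payload = record.split(b"|", 2)
        suite = suite_b.decode()
        tag = bytes.fromhex(tag_hex.decode())
    except ValueError:
        return None
    if suite not in policy.accepted:
        return None  # retired suite: refuse rather than trust a broken primitive
    expected = SUITES[suite](key, suite.encode() + b"\0" + payload)
    if not hmac.compare_digest(expected, tag):
        return None
    return payload


if __name__ == "__main__":
    # Constructed demo: write a record, retire its suite, write another.
    demo_key = b"constructed-demo-key"
    policy = AgilePolicy()
    rec = protect(demo_key, b"price markdown record", policy)
    print(rec[:3], verify(demo_key, rec, policy))
    policy.retire("S1")
    print(rec[:3], verify(demo_key, rec, policy))  # None: S1 no longer trusted
    rec2 = protect(demo_key, b"price markdown record", policy)
    print(rec2[:3], verify(demo_key, rec2, policy))
```

Retiring a suite deliberately invalidates old records instead of quietly accepting them; the operator then re-protects stored data under the new preferred suite during the lead time jd talks about, rather than continuing to trust output from a primitive already known to be broken.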

  2. Sue? by PetriBORG · Score: 2, Interesting

    So, as someone who had at least their CC number stolen thanks to these ass hats, when can we sue them and take a major chunk out of their ass? People in TJX should be jailed...

    --
    Pete/Petri "damn, my chainsaw is clogged with 1's and 0's again." --clyde
  3. Well, I Wouldn't Shop With Them - Ever by segedunum · Score: 3, Interesting

    Just read through the article more thoroughly, and several things worry me:

    TJX declined to comment on those numbers, but says it is undertaking a "thorough, painstaking investigation of the breach," hiring a team of 50 data security experts in December and taking a charge of $5 million in its first fiscal quarter.
    Well, we all know how brilliant data security experts are, and I really hope that sentence doesn't mean that they are simply throwing $5 million at them. You know what consultants are like - give them enough money and they will tell you everything you want to hear, even if the reality is a horror show.

    It says it will also pay for a credit-card fraud monitoring service to help avert identity theft for customers whose Social Security numbers were stolen. "We believe customers should feel safe shopping in our stores," says a letter from Chief Executive Carol Meyrowitz posted on TJX's Web site.
    The whole bloody point of this is that you don't get to that point in the first place. Stable door, horse bolted?

    The TJX hackers did leave some electronic footprints that show most of their break-ins were done during peak sales periods to capture lots of data, according to investigators.
    What the hell were they using this wireless network for?

    The TJX hackers did leave some electronic footprints that show most of their break-ins were done during peak sales periods to capture lots of data, according to investigators. They first tapped into data transmitted by hand-held equipment that stores use to communicate price markdowns and to manage inventory.
    So they were using an unsecured wireless network to enable hand-held equipment to function - and they used this to run their day-to-day business?! Christ. At first I thought this was just some wireless network someone had plugged into the network somewhere arbitrarily, not something they actually used in day-to-day operations.

    The company says the hackers may even have lifted bank-card information as customers making purchases waited for their transactions to be approved. TJX transmitted that data to banks "without encryption," it acknowledged in an SEC filing.
    I'm not 100% sure what system is used for credit card purchases in the US now, but this highlights why I like using cash a bit more with the advent of chip and PIN. I would also never, ever use a debit card in one of these things. You transmit your card details, and the PIN as well. Brilliant. Access to your bank account, and that hard-earned pay that just went in today. I'm slightly confused though, because surely this communication with banks would all happen on another network?

    At that point, TJX hired forensics experts from International Business Machines Corp. and General Dynamics Corp. and notified the U.S. Secret Service, which spent a month trying to catch the hackers in the act.
    So you take no responsibility for your own systems, and you have no internal expertise? Wonderful.

    Massachusetts Rep. Barney Frank, chairman of the House Financial Services Committee, said in March he believes Congress will move to require a company responsible for allowing a breach to bear the costs of notifying customers and reissuing cards.
    That's probably the only way, because some companies simply believe they don't have to take responsibility for IT, data, security and especially wireless security. It's something that is best swept under the carpet, and setting up a wireless network is as easy as spending a bit of money on a little access point you've seen at a local store, right? Why spend money doing it properly?

  4. Put Management's Data In The Databases by NeverVotedBush · Score: 5, Interesting

    And shareholders' data. Make a law that puts the money-grubbing CEO's and other officers' data in the databases with the customers' data. Then sit back and see what kind of directives management gives to their IT departments to secure data, networks, and workstations. But put their personal data to the same risk as what they deem is sufficient for all the people they don't know or care about. Then see how responsible they get.

  5. RBC Visa by jjohnson · Score: 4, Interesting

    pre-emptively changed my Visa card number a couple months before this became public. I found out that I was not affected by this break-in later, so I'm unsure whether or not it was in response to

    The question in my mind is, given the basic vulnerability of a long-term CC number, why they don't move to something like SecurID token one-time passwords? If you can have a different six-digit number every sixty seconds for five years on one device, surely the same (now public domain) algorithms could be embedded in a credit card. The infrastructure for real-time verification is already in place. With one stroke, the whole CC# theft business could be out of business, and the first-mover CC company on this would have a huge marketing advantage: "No one can ever steal your Visa number again".

    --
    Anyone who loves or hates any language, platform, or manufacturer, doesn't know what they're talking about.
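The one-time-code scheme jjohnson proposes is essentially what RFC 4226 (HOTP) and RFC 6238 (TOTP) specify. As an added example, not from the post, here is a Python implementation with the sixty-second step and six digits the comment describes, plus the issuer-side checks a real verifier needs: constant-time comparison, a small clock-drift window, and rejection of a replayed code. The secret and timestamps are constructed demo values; a real issuer would provision a random per-card key.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # the comment's "different six digit number every sixty seconds"
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, at_time // step)


class Verifier:
    """Issuer-side check for one card's codes.

    - compares in constant time, so timing does not leak which digits matched
    - tolerates +/- `window` steps of clock drift between card and issuer
    - remembers the highest counter already redeemed, so a code captured in
      transit cannot be replayed inside its own validity window
    """

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window
        self.last_accepted_counter = -1

    def verify(self, code: str, at_time: int) -> bool:
        current = at_time // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_accepted_counter:
                continue  # already redeemed, or older than a redeemed code
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed demo secret and timestamp.
    demo_secret = b"constructed-demo-secret-0123456789"
    now = 1_000_000
    v = Verifier(demo_secret)
    code = totp(demo_secret, now)
    print(code, v.verify(code, now))         # fresh code: accepted
    print(code, v.verify(code, now + 5))     # same code replayed: rejected
    print(code, v.verify(code, now + 180))   # three minutes later: expired
```

The replay check is the part a "print the code on the card" scheme most often gets wrong: without it, an attacker who observes a code in the sixty seconds it is valid can use it once themselves, so the verifier has to treat each counter value as single-use.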