Slashdot Mirror

← Back to Stories (view on slashdot.org)

TJX Breach Began With WEP Crack

Posted by kdawson on from the pwn3d-by-Pringles dept.

An anonymous reader sends us to the Wall Street Journal for a detailed report on what is known to date about the TJX data breach. It seems that the loss of over 45 million credit card numbers and more than 450,000 SSNs, driver's license numbers, and military identifications began with someone using a "telescope-shaped" antenna at a wireless link at a Marshall's near St. Paul, Minnesota in July 2005. The link was encrypted using WEP, which had been known to be broken since 2001. The crackers who got into the TJX central databases are believed to be Romanians or Russians with ties to the Russian mobs. The eventual cost of the TXJ fiasco could exceed $1 billion — not including the numerous lawsuits filed against the retailer.

2 of 164 comments (clear)

  1. Put Management's Data In The Databases by NeverVotedBush · · Score: 5, Interesting

    And shareholder's data. Make a law that puts the money-grubbing CEO and other officer's data in the databases with the customer's data. Then sit back and see what kind of directives management gives to their IT departments to secure data, networks, and workstations. But put their personal data to the same risk as what they deem is sufficient for all the people they don't know or care about. Then see how responsible they get.

  2. RBC Visa by jjohnson · · Score: 4, Interesting

    pre-emptively changed my Visa card number a couple months before this became public. I found out that I was not affected by this break-in later, so I'm unsure whether or not it was in response to

    The question in my mind is, given the basic vulnerability of a long-term CC number, why they don't move to something like SecureId token one-time passwords? If you can have a different six digit number every sixty seconds for five years on one device, surely the same (now public domain) algorithms could be embedded in a credit card. The infrastructure for real-time verification is already in place. With one stroke, the whole CC# theft business could be out of business, and the first mover CC company on this would have a huge marketing advantage: "No one can ever steal your Visa number again".

    --
    Anyone who loves or hates any language, platform, or manufacturer, doesn't know what they're talking about.