Encryption Faulted in TJX Hacking,

David G. Koontz david_koontz at xtra.co.nz
Wed Sep 26 07:05:18 EDT 2007 

http://www.physorg.com/news109963481.html  25 Sep 2007

 (AP) -- Hackers stole millions of credit card numbers from discount
retailer TJX Cos. by intercepting wireless transfers of customer information
at two Miami-area Marshalls stores, according to an eight-month
investigation by the Canadian government.

The probe led by Canadian Privacy Commissioner Jennifer Stoddart faulted TJX
for failing to upgrade its data encryption system by the time the electronic
eavesdropping began in July 2005. The break-in ultimately gave hackers
undetected access to TJX's central databases for a year and a half, exposing
at least 45 million credit and debit cards to potential fraud.

 ...
Retail wireless networks collect and transmit data via radio waves so
information about purchases and returns can be shared between cash registers
and store computers. Wireless transmissions can be intercepted by antennas,
and high-power models can sometimes intercept wireless traffic from miles away.

While such data is typically scrambled, Canadian officials said TJX used an
encryption method that was outdated and vulnerable. The investigators said
it took TJX two years to convert from Wireless Encryption Protocol to more
sophisticated Wi-Fi Protected Access, although many retailers had done so.

Lang said TJX's systems complied with industry standards when the breach
started. She said TJX chose in 2005 to make the conversion and needed more
time than some retailers because its systems weren't compatible with the WPA
standard.

 ---

WLAN Security Service Aims to Boost PCI Compliance   August 31, 2007
http://www.wi-fiplanet.com/news/article.php/3697436?

?Never rely exclusively on wired equivalent privacy (WEP) to protect
confidentiality and access to a wireless LAN.  If WEP is used, do the following:


    * Use with a minimum 104-bit encryption key and 24 bit-initialization value
    * Use ONLY in conjunction with WPA, WPA2, VPN, or SSL/TLS
    * Rotate shared WEP keys quarterly (or automatically) [and] whenever
there are changes in personnel with access to keys
    * Restrict access based on media access code (MAC) address.?

 ---

The emphasis on the 'in conjunction' part.  There's a cascade effect of
course,  The security of the WLAN is dependent on the strength of the
password of the satellite router, router configuration, register
administrators password, and so on.

There's another article or two on TJX, makes interesting reading, might even
have been worth a book if they'd only been on to the theft.

http://www.physorg.com/news94480989.html  March 30, 2007

http://www.physorg.com/news94568787.html  March 31, 2007, wherein there's a
feeble attempt to paint the problem as single DES as being weak in speculation.


T.J. Maxx Data Theft Likely Due To Wireless 'Wardriving'
http://www.informationweek.com/news/showArticle.jhtml?articleID=199500385&subSection=All+Stories


TJX
http://updates.zdnet.com/tags/TJX.html

WEP Security + Pringles-Can = $1 Billion TJX Loss?
http://msmvps.com/blogs/harrywaldron/archive/2007/05/09/wep-security-pringles-can-1-billion-tjx-loss.aspx

May 10th, 2007
Retailers haven?t learned from TJX - still running WEP
http://blogs.zdnet.com/Ou/?p=487


There was a slashdot article on 15 May.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list