Wireless security and the TJX breach
Over at the Wall Street Journal there is an excellent summary of the ever-worsening TJX credit card fiasco where attackers downloaded “at least 45.7 million credit- and debit-card numbers from about a year’s worth of records”.
Interesting points:
- TJX had 802.11 wireless networks in its stores to support handheld inventory devices, but these were protected only by easily cracked WEP encryption. The company’s network was reportedly infiltrated in 2005 by attackers through these wireless networks.
- Once inside, a lack of firewalls and other layers of defence permitted the attackers to backdoor the network and record data in transit.
- The intrusion went undetected for at least 18 months.
- Around $20 million in fraudulent transactions are expected from the breach, with total costs for clean-up, lawyers and restoring the firm’s reputation possibly exceeding $1 billion over five years.
- Attackers also copied driver license numbers, military identification and Social Security numbers of some 451,000 customers.
- It was organized crime, not kids. The WSJ article says the intrusion “has the hallmarks” of Romanian and Russian crime groups (wonder if they were related to the group that was installing cameras and card readers on ATMs across Canada in 2005?)
The WSJ article says that by 2003 many merchants were switching from WEP to WPA encryption for wireless networks, but that may be a little unfair. For one, when bars, gas stations and other retailers first started using wireless devices for card capture and inventory, it was common practice to send data in the clear. Second, the technology available in embedded devices usually lags far behind desktop and server systems… when WPA became available, most handhelds didn’t have the CPU power to implement it.
In 2005 I did an assessment for a project at National Defence that wanted to use one of the ruggedized wireless inventory handhelds made by Symbol, one of the most popular vendors of these devices. Though the proposed handheld was new and from a major vendor, it still ran an older version of Windows CE and could only do basic WEP encryption. Since the data to be transmitted were fairly sensitive and no alternative safeguard (like a VPN client) was viable, we couldn’t recommend using the device.
It sounds like TJX should have made a similar assessment. Regardless of the weakness of their wireless terminals, it shouldn’t have been so easy for the attackers to gain further access into the network and remain undetected for so long. The WSJ article reports that the attackers were able to create their own user accounts and move some fairly large files around, which even basic monitoring should have been able to flag. Defence in depth, anyone?
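To make the "basic monitoring" point concrete, here is an added example (my own illustration, not code from the post, the WSJ article or TJX) of the two review checks that would have surfaced the behaviour described above: accounts being created by someone other than an approved administrator, and large volumes of data leaving for external addresses. The event format, the host names, the 10/8 internal range and the byte thresholds are all assumptions, and the sample events are constructed.

```python
# Added example, not from the original post: offline review of constructed
# audit events for the two signals the post says basic monitoring should
# have caught (self-created accounts, large outbound transfers).
from collections import defaultdict
from datetime import datetime

# Constructed sample events; fields: timestamp, host, event type, details.
SAMPLE_EVENTS = [
    ("2005-07-12T14:05:00", "hq-dc01", "account_created",
     {"user": "jsmith", "by": "admin.helpdesk"}),
    ("2005-07-13T02:41:00", "hq-dc01", "account_created",
     {"user": "svc_bkup2", "by": "svc_bkup2"}),          # account creates itself
    ("2005-07-13T02:50:00", "hq-fs03", "file_transfer",
     {"user": "svc_bkup2", "dst": "203.0.113.9", "bytes": 1_800_000_000}),
    ("2005-07-13T09:15:00", "hq-fs03", "file_transfer",
     {"user": "jsmith", "dst": "10.20.0.44", "bytes": 4_200_000}),  # internal, benign
    ("2005-07-14T03:02:00", "hq-fs03", "file_transfer",
     {"user": "svc_bkup2", "dst": "203.0.113.9", "bytes": 450_000_000}),  # chunked
    ("2005-07-14T03:40:00", "hq-fs03", "file_transfer",
     {"user": "svc_bkup2", "dst": "203.0.113.9", "bytes": 480_000_000}),  # chunked
]

# Assumptions: who may create accounts, what counts as internal, and thresholds.
APPROVED_ACCOUNT_ADMINS = {"admin.helpdesk", "admin.iam"}
INTERNAL_PREFIXES = ("10.",)          # 10/8 is the internal range in this example
LARGE_TRANSFER_BYTES = 500_000_000    # single transfer worth a look
DAILY_OUTBOUND_BYTES = 800_000_000    # per-user daily external total worth a look


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIXES)


def suspicious_account_creations(events, approved=APPROVED_ACCOUNT_ADMINS):
    """Accounts created by an actor outside the approved admin set, or by
    an account that appears to create itself (no legitimate actor behind it)."""
    flagged = []
    for ts, host, kind, d in events:
        if kind != "account_created":
            continue
        actor, user = d["by"], d["user"]
        if actor not in approved or actor == user:
            flagged.append((ts, host, user, actor))
    return flagged


def large_external_transfers(events, threshold=LARGE_TRANSFER_BYTES):
    """Single transfers to non-internal destinations above the threshold."""
    return [(ts, host, d["user"], d["dst"], d["bytes"])
            for ts, host, kind, d in events
            if kind == "file_transfer"
            and not is_internal(d["dst"])
            and d["bytes"] > threshold]


def daily_external_outbound(events):
    """Bytes per (date, user) sent to non-internal destinations. This catches
    a transfer split into chunks that each stay under the single-transfer threshold."""
    totals = defaultdict(int)
    for ts, host, kind, d in events:
        if kind == "file_transfer" and not is_internal(d["dst"]):
            day = datetime.fromisoformat(ts).date().isoformat()
            totals[(day, d["user"])] += d["bytes"]
    return dict(totals)


def users_over_daily_limit(events, limit=DAILY_OUTBOUND_BYTES):
    return sorted(k for k, v in daily_external_outbound(events).items() if v > limit)


if __name__ == "__main__":
    for row in suspicious_account_creations(SAMPLE_EVENTS):
        print("account creation to review:", row)
    for row in large_external_transfers(SAMPLE_EVENTS):
        print("large external transfer:", row)
    for row in users_over_daily_limit(SAMPLE_EVENTS):
        print("daily outbound over limit:", row)
```

The daily total is the check that matters most: the two transfers on the 14th each sit below the single-transfer threshold, and only summing external bytes per user per day brings them into view. In practice both thresholds would be tuned to the baseline of the environment rather than fixed as they are here.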
The media is calling the TJX breach the largest ever, but who knows? Retailers and banks have every reason to keep these things quiet… it’s only through mandatory disclosure laws enacted by some U.S. states that the TJX breach became public. It’s likely there have been worse breaches and will be again, but when they happen in jurisdictions without disclosure laws the public will never hear about them.