Saturday, May 05, 2007
Here's what happened at TJ Maxx/Marshall's
There was an enormous data breach that exposed millions of credit card numbers, and up to now all the explanations were so vague and made so little sense that security professionals were irritated by them.
The TJX breach started with an insecure wireless network. They had storewide wireless networks protected only with an obsolete standard called WEP, which was cracked in 2001. Since first being cracked, it has been broken, then smashed, and by now has been reduced to powder.
The intruders, using some widely available software, were then able to eavesdrop on all the credit card information flying around the store. But wait, there's more.
The TJX intruders got access to the chain's central database. Apparently people were logging into the central database over the insecure wireless network. The thieves then had passwords to the central database.
The intruders then had the keys to the kingdom and made themselves at home for a year and a half.
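The two failures described above (a wireless network whose encryption no longer protects anything, and database logins that rely on that wireless layer alone) are the kind of thing an inventory audit can catch before an intruder does. The following Python is an added example, not code from the original post or from TJX; the `AccessPoint` and `Service` records, the severity policy, and the sample inventory are all constructed for illustration.

```python
# Added example: audit a (constructed) site inventory for the two TJX-style
# weaknesses. It flags wireless networks whose security mode is broken or
# deprecated, and services reached over wireless that carry credentials or
# card data without their own transport encryption (TLS/SSH), since on a
# readable wireless link those would be captured in the clear.
from dataclasses import dataclass
from typing import List, Tuple

# Assumed policy for this example (not taken from the post).
BROKEN_WIFI = {"OPEN", "WEP"}        # anyone in radio range can read frames
DEPRECATED_WIFI = {"WPA"}            # TKIP-era mode that should be retired
ACCEPTABLE_WIFI = {"WPA2", "WPA3"}

Finding = Tuple[str, str]            # (severity, message)


@dataclass
class AccessPoint:
    ssid: str
    security: str                    # "OPEN", "WEP", "WPA", "WPA2", "WPA3"
    site: str


@dataclass
class Service:
    name: str
    reachable_over_wifi: bool
    transport_encrypted: bool        # TLS/SSH on the application connection itself
    carries_credentials: bool        # logins, card data, session tokens


def audit_wifi(aps: List[AccessPoint]) -> List[Finding]:
    """Rank each access point by the security mode it advertises."""
    findings: List[Finding] = []
    for ap in aps:
        mode = ap.security.upper()
        if mode in BROKEN_WIFI:
            findings.append(("critical",
                f"{ap.site}/{ap.ssid}: {mode} gives no effective confidentiality; "
                "migrate to WPA2/WPA3"))
        elif mode in DEPRECATED_WIFI:
            findings.append(("high",
                f"{ap.site}/{ap.ssid}: {mode} is deprecated; migrate to WPA2/WPA3"))
        elif mode not in ACCEPTABLE_WIFI:
            findings.append(("medium",
                f"{ap.site}/{ap.ssid}: unrecognised mode '{ap.security}'; verify"))
    return findings


def audit_services(services: List[Service], aps: List[AccessPoint]) -> List[Finding]:
    """Flag services that depend on the wireless layer for confidentiality."""
    # If any AP is broken or deprecated, treat the wireless segment as readable.
    wifi_readable = any(
        ap.security.upper() in BROKEN_WIFI | DEPRECATED_WIFI for ap in aps)
    findings: List[Finding] = []
    for svc in services:
        if not svc.reachable_over_wifi or svc.transport_encrypted:
            continue                 # not exposed, or protected end to end
        if svc.carries_credentials and wifi_readable:
            findings.append(("critical",
                f"{svc.name}: credentials cross a readable wireless link in the "
                "clear; require TLS and rotate exposed credentials"))
        elif svc.carries_credentials:
            findings.append(("high",
                f"{svc.name}: only the Wi-Fi layer protects credentials; add TLS "
                "so a future wireless weakness does not expose them"))
        else:
            findings.append(("medium",
                f"{svc.name}: plaintext over wireless; consider TLS"))
    return findings


def audit(aps: List[AccessPoint], services: List[Service]) -> List[Finding]:
    return audit_wifi(aps) + audit_services(services, aps)


# Constructed sample inventory (not real store or TJX data).
SAMPLE_APS = [
    AccessPoint("store-pos", "WEP", "store-17"),
    AccessPoint("store-pos", "WPA2", "store-42"),
]
SAMPLE_SERVICES = [
    Service("central-db", reachable_over_wifi=True,
            transport_encrypted=False, carries_credentials=True),
    Service("price-lookup", reachable_over_wifi=True,
            transport_encrypted=True, carries_credentials=False),
    Service("guest-portal", reachable_over_wifi=True,
            transport_encrypted=False, carries_credentials=False),
]

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_APS, SAMPLE_SERVICES):
        print(f"[{severity}] {message}")
```

Running it on the sample inventory produces one critical finding for the WEP access point, one critical finding for the database whose logins cross that link unencrypted, and a medium finding for the plaintext guest portal. The point of the second check is that the database connection should carry its own encryption regardless of how good the wireless layer looks today, since the wireless layer is exactly what failed here.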
TJX made a lot of serious mistakes but they deserve credit for doing the investigation and publishing the results. Bismarck said that the wise man doesn't learn from his mistakes, but instead learns from other people's mistakes. The only way we can have wise security is if other people publish their mistakes so we can learn from them.
If you've shopped at T.J. Maxx, Marshalls, HomeGoods or A.J. Wright, it's not overkill to cancel your credit card. Stolen ones have already been used for fraudulent charges, often to buy gift cards. Don't assume you're safe just because nothing's happened to you yet: smart crooks may delay using a credit card to throw off investigators.
Oh, and wherever you shop, credit cards are safer than debit cards.