Industry analysts suggest that data on some 45 million credit and debit cards could have been poached by a thief with a laptop, a telescope antenna, and a wireless LAN adapter.

Larry Greenemeier, Contributor

May 9, 2007

TJX, the parent company of T.J. Maxx, Marshalls, and other retailers, has not acknowledged how data on more than 45 million credit and debit card users who had shopped at the company's retail locations was stolen and sold to fraudsters.

Still, a recent article in the Wall Street Journal fingering a wireless data poaching tactic known as "wardriving" and the deficiencies of an aging wireless security protocol known as Wired Equivalent Privacy as the culprits has ignited a storm of speculation among security researchers over how the crime was pulled off and who's to blame.

It's likely that the cyber attacker or attackers who stole millions of customer records from TJX stumbled across a vulnerable store location while staking out a strip mall or shopping center from their car using a laptop, a telescope antenna, and an 802.11 wireless LAN adapter. "The cyber thieves most likely went to a strip mall shopping center and pointed it at the different stores," says Mark Loveless, senior security researcher for network-access control technology vendor Vernier, who goes by the online handle of "Simple Nomad." While the TJX store wasn't likely at the top of their list, they found that it was accessible and yielded information they could use to further penetrate TJX's IT systems. "The allure was too good to pass up," he adds.

Wardriving describes the practice of driving one's car around with laptop and antenna to detect wireless access points and see how they're configured. When a global positioning system receiver is added, a map can be made of the different access points. A telescope antenna lets wireless poachers attack their targets from miles away; they don't even have to be sitting in the store's parking lot. Competitions at past Black Hat security conferences have seen some wardriving systems detect wireless data up to 45 miles away, Loveless says.

"Once the attacker is connected into the wireless network, they can sniff traffic to see what data's going where," Loveless says. For example, an attacker might see that all applications are being logged to a central server, such as barcode scanning software accessing a SQL database. "So that's where you concentrate your efforts," he adds. Eventually, an attacker is able to compromise a PC, domain name system server, or VPN servers.

This sort of attack happens all the time, according to Loveless and a number of other security researchers. What makes the TJX hit so special is the sheer volume of information stolen. That means time is also a factor in understanding how the attack was perpetrated. Given that data can only move across a network so fast, it would have taken the cyber thieves hours to sit in their parked car and download tens of millions of records. More likely, "they set up a machine at home or on the Net that used some of the stolen information to break in and steal more," Loveless says.

"If they indeed break into the system through this Marshalls store (as reported), one can easily imagine the store was not storing 45 million credit card records there," agrees Cedric Blancher, head of European Aeronautic Defence and Space Company's computer security research department in France and a specialist in wireless security.

Further, since the initial attack against TJX required the cyber thieves to be in the proximity of a TJX store, it's unlikely that they were involved in an international conspiracy to steal customer data. "I highly doubt that the Russian mafia flew overseas and sat with a directional antenna trying to grab this information," Loveless says. "It was probably done by people living right here in this country." Once the information was stolen, however, all bets are off, as the customer data could have appeared in countless underground marketplaces where purloined data is bought and sold.

Yet wardriving is not foolproof. In fact, it relies on weak security to be effective. Often, "when a company puts in wireless, they don't put it in securely," Loveless says. "They forget that wireless is yet another way in, inviting people to come in through a side window."

Security researchers say that, if TJX was securing the Marshalls location using Wired Equivalent Privacy, or WEP, they were using an outdated protocol that's notorious for allowing small amounts of data to leak from data packets flowing across a wireless network. "If you sniff the traffic, you'll find those bits going back and forth across the network," Loveless says. Companies that have already invested in access points supporting WEP might be reluctant to replace this equipment with new equipment that supports WPA or WPA2, he acknowledges.

Still, security pros have for years known about WEP's deficiencies, in particular its propensity to give up its encryption key when attacked. While the technology has improved over the years, so have the techniques for attacking it. In April, an attack published by security researchers to the Web reduced the time to crack WEP encryption from about 30 minutes to as quickly as one minute, Blancher says. "In standard WEP, every device uses the same key," he adds. "If an attacker breaks the key, he has complete control of the network." Shortly after WEP was released in 1999, the Wi-Fi Alliance published the Wi-Fi Protected Access, WPA, security protocol based on 802.11i. A year later, in 2004, IEEE published its WPA2. Both provide stronger authentication and a new schedule for rotating encryption keys, making them harder for intruders to obtain. "WPA was intended to be backward compatible, so from a strict hardware point of view, any adapter or access point supporting WEP's 104-bit encryption can also support WPA," Blancher says. Still, that supposes a vendor actually updates its firmware and drivers to include the necessary software to run WPA. "Unlike personal computers, for which WPA support has been available for quite some time, devices like barcode readers are not often updated," he adds.
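To make the key-rotation point concrete, the following added example (not part of the article) computes how quickly a WEP access point using one static key and a 24-bit per-frame initialization vector (IV) starts reusing IVs, which is what forces WPA-style key scheduling. The 24-bit IV size is the figure the PCI standard cites; the frame rates are constructed values for illustration.

```python
# Added example: WEP key-reuse arithmetic. Each frame's RC4 keystream is fixed
# by (IV, shared key); with a static key, a repeated IV means a repeated
# keystream, so IV repeats are the event a defender wants to stay far from.
import math

IV_BITS = 24                  # WEP's per-frame IV size (24 bits per PCI DSS 4.1.1)
IV_SPACE = 1 << IV_BITS       # 16,777,216 possible IV values


def iv_repeat_probability(frames: int, iv_space: int = IV_SPACE) -> float:
    """Probability that at least two of `frames` randomly chosen IVs coincide
    (the birthday bound), computed from the exact no-repeat product."""
    if frames > iv_space:
        return 1.0                       # pigeonhole: a repeat is certain
    log_no_repeat = sum(math.log1p(-i / iv_space) for i in range(frames))
    return 1.0 - math.exp(log_no_repeat)


def frames_until_probability(target: float, iv_space: int = IV_SPACE) -> int:
    """Smallest frame count at which an IV repeat is at least `target` likely."""
    log_no_repeat, frames = 0.0, 0
    while 1.0 - math.exp(log_no_repeat) < target:
        log_no_repeat += math.log1p(-frames / iv_space)
        frames += 1
    return frames


def seconds_until_probability(target: float, frames_per_second: float) -> float:
    """Wall-clock time to reach `target` repeat probability with random IVs."""
    return frames_until_probability(target) / frames_per_second


def hours_to_exhaust_sequential(frames_per_second: float) -> float:
    """Best case: an AP that counts IVs upward repeats after exactly IV_SPACE frames."""
    return IV_SPACE / frames_per_second / 3600.0


if __name__ == "__main__":
    # Constructed traffic levels for a store network, not measured figures.
    for fps in (50, 500):
        print(f"{fps} frames/s: 50% repeat chance after "
              f"{seconds_until_probability(0.5, fps):.1f} s with random IVs; "
              f"sequential IVs wrap after {hours_to_exhaust_sequential(fps):.1f} h")
```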

Advocates of the Payment Card Industry (PCI) Data Security Standard created by Visa and MasterCard say that adherence to this standard takes companies a long way toward protecting their customers from wireless poachers. Section 4.1.1, for example, states that wireless networks transmitting cardholder data must encrypt the transmissions by using Wi-Fi Protected Access (WPA or WPA2) technology, IPSEC VPN, or SSL/TLS. "Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN," the standard says. Companies are only allowed to use WEP if it's used in conjunction with WPA, WPA2, VPN, or SSL/TLS security technology, and the WEP must use a minimum 104-bit encryption key and a 24-bit initialization value.
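As an added example (not from the article or the PCI Council), here is a small audit that applies the Section 4.1.1 rules just paraphrased to an inventory of access points. The inventory, SSIDs and settings are constructed for illustration; the rules encoded are only those the paragraph states.

```python
# Added example: PCI DSS 4.1.1 wireless check over a constructed AP inventory.
from dataclasses import dataclass, field

# Protections the standard accepts for cardholder-data wireless traffic.
STRONG = {"WPA", "WPA2", "IPSEC_VPN", "SSL_TLS"}


@dataclass
class AccessPoint:
    ssid: str
    handles_cardholder_data: bool
    protections: set = field(default_factory=set)  # e.g. {"WEP"}, {"WEP", "WPA2"}
    wep_key_bits: int = 0      # WEP key length, meaningful only if "WEP" is enabled
    wep_iv_bits: int = 0       # WEP IV length, meaningful only if "WEP" is enabled


def check_ap(ap: AccessPoint) -> list:
    """Return 4.1.1 findings for one access point; an empty list means compliant."""
    findings = []
    if not ap.handles_cardholder_data:
        return findings                 # 4.1.1 covers cardholder-data networks only
    if not ap.protections & STRONG:
        how = "relies on WEP alone" if "WEP" in ap.protections else "has no encryption"
        findings.append(f"{how}; 4.1.1 requires WPA/WPA2, IPSEC VPN or SSL/TLS")
    if "WEP" in ap.protections:        # WEP may supplement, but must meet minimums
        if ap.wep_key_bits < 104:
            findings.append(f"WEP key is {ap.wep_key_bits} bits; minimum is 104")
        if ap.wep_iv_bits < 24:
            findings.append(f"WEP IV is {ap.wep_iv_bits} bits; minimum is 24")
    return findings


def audit(inventory) -> dict:
    """Map SSID to its findings for every non-compliant AP in the inventory."""
    return {ap.ssid: f for ap in inventory if (f := check_ap(ap))}


# Constructed inventory (hypothetical SSIDs and settings).
INVENTORY = [
    AccessPoint("store-pos", True, {"WEP"}, wep_key_bits=40, wep_iv_bits=24),
    AccessPoint("store-pos-legacy", True, {"WEP", "WPA2"}, 104, 24),
    AccessPoint("store-scanners", True, {"WPA2"}),
    AccessPoint("guest-wifi", False, {"WEP"}, 40, 24),
]

if __name__ == "__main__":
    for ssid, findings in audit(INVENTORY).items():
        print(ssid)
        for finding in findings:
            print("  -", finding)
```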

"When the PCI data security standard first came out, there was only WEP," says Bob Russo, general manager of the PCI Security Standards Council, a group of payment card and other businesses that serve as stewards over the standard. "As the threats became more apparent and WEP became less and less effective, we changed the standard to keep up with what the bad guys are doing."

As more information is revealed about how TJX was attacked, the situation increasingly resembles the pickle that BJ's Wholesale Club Inc. found itself in a few years ago, when it had to settle with the Federal Trade Commission on charges that the company failed to adequately protect customer data. The FTC accused BJ's of failing to encrypt customer data when transmitted or stored on BJ's computers, keeping that data in files accessible using default passwords, and running insecure, insufficiently monitored wireless networks. The FTC has likewise launched an investigation into TJX's data breach.

Like TJX, BJ's was sued by financial institutions affected by fraud when customer data was stolen, and it spent millions of dollars to hire lawyers and then fix the problem. BJ's was forced to implement a comprehensive information-security program subject to third-party audits every other year for the next two decades. The FTC also required BJ's to designate at least one employee to coordinate and be accountable for the company's information-security program, which identifies risks to customer data, designs and implements safeguards for that data, and ensures the company is compliant with the FTC's demands.

Meanwhile, banks, retailers, and payment organizations like Visa and MasterCard aren't likely to have seen the last of the fraudulent activity resulting from the TJX attack. A CFO for one West Coast credit union told InformationWeek that on Tuesday he received a notice from Visa advising him that Visa Investigations & Incident Management may in the coming days report more compromised accounts associated with the incident. "It looks like TJX and Visa have identified more fraudulent card use and are sending out yet another list of compromised cards," the CFO says. "This notification from Visa is basically saying, 'Get ready, here comes some more.'"
