
The TJX card fraud - how the hackers did it

  • 05-05-2007 03:37PM #1
    probe (Closed Accounts, Posts: 2,055)


    The Wall St Journal has the background story on how hackers downloaded cardholder details for at least 45.7 million credit and debit cards (and maybe up to 200 million – if they accessed a full database of four years of card transactions from Marshall’s discount store [division of TJX]).

    How they did it:

    They cracked the WEP security key used on the WiFi LAN at one Marshall’s branch (which takes about 2 minutes*), and once inside the network they monitored the traffic until they grabbed user IDs and passwords for the parent company’s data warehouse in Framingham, MA – which was accessible over the net. This enabled them to download customer card transaction / identity details and bingo!

    “TJX's breach-related bill could surpass $1 billion over five years -- including costs for consultants, security upgrades, attorney fees, and added marketing to reassure customers, but not lawsuit liabilities -- estimates Forrester Research, a market and technology research firm in Cambridge, Mass. The security upgrade alone could cost $100 million, says Jon Olstik, a senior analyst for Enterprise Strategy Group, a Milford, Mass., consulting firm, based on his conversations with industry experts and people familiar with the work being done”. (WSJ)

    This is so preventable.

    (a) Retailers have no business storing customers’ payment card numbers – they should be using transaction reference numbers to provide an audit trail to deal with chargebacks and queries from banks. There is absolutely no excuse whatsoever for storing these data for four years or more in a retailer’s database. Using the EMV system the card number should go encrypted end to end from the customer’s card chip to the bank payments system – giving the retailer no opportunity to steal the cardholder details – as happens in France.

    (b) The staff at French retail chains – e.g. FNAC – have to use multi-factor authentication to get into the company IT system – even for simple tasks such as "do we have that DVD player in black" in stock. This would prevent people who break into networks from sniffing a usable login ID – because with multi-factor authentication the ID changes every minute. Steve Gibson has just done a netcast on multi-factor authentication – you can listen to it here:

    http://www.podtrac.com/pts/redirect.mp3/aolradio.podcast.aol.com/sn/SN-090.mp3

    Multi-factor authentication also prevents keyboard loggers (found in many internet cafes and hotel “free” internet business centres) from thieving user credentials.

    An increasing number of retailers in Ireland are thieving card numbers from customers’ EMV cards by first skimming the magnetic stripe of the card and then putting it into the chip reader. While EU law makes them financially responsible for fraudulent transactions carried out at their own establishment – there is nothing to stop them printing out customer card details and putting them in a skip out the back every night if they want to. Retailers should be made legally liable for any consequential loss arising from customers’ card numbers escaping into the wild due to their security breaches. This would quickly put a stop to retailer data theft – they wouldn't want to know your card number – and to the practice of squirreling away cardholder data for marketing and other purposes.

    .probe

    http://online.wsj.com/article/SB117824446226991797.html

    * http://db.tidbits.com/article/8942


Comments

  • robindch (Moderators, Society & Culture Moderators, Posts: 24,461)


    probe wrote:
    Using the EMV system the card number should go encrypted end to end from the customers’ card chip to the bank payments system...
    False. EMV data is only occasionally encrypted (and only occasionally MAC'd). EMV security resides principally in the unique keys derived for each PAN/PSN and the unique ARQC calculations which accompany each full EMV transaction. The ARQC calculation can be verified only with security hardware living on the card issuer's premises. Magstripe and fallback transactions, as permitted by many international ATM and POS devices, are not secure and are vulnerable to the theft of magstripe (track-two) data.

    TJX was compromised because they did not adhere to the payment industry's PCI Data Security Standards. The DSS document is short and worth reading -- it can be downloaded from here.
    probe wrote:
    EU law makes them financially responsible for fraudulent transactions carried out at their own establishment [...] Retailers should be made legally liable for any consequential loss arising from customers’ card numbers escaping into the wild due to their security breaches.
    EU law cannot and does not assign responsibility for fraud -- that's between the retailer and the merchant's acquiring bank. Since January 2005 in the UK and Ireland, merchants are responsible for losses caused by data compromise on their premises (see here). That's why TJX is in the hole for hundreds of millions, including -- I see missing from the above -- possibly the reissue of every one of the compromised cards and recompense for any fraudulent transactions that took place.

    .
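To make the comment's point about per-card keys and ARQCs concrete, an added toy model in Python (not part of the thread, and not the EMV specification's actual algorithms: EMV derives card keys with 3DES/AES and computes the ARQC as a CBC-MAC, whereas HMAC-SHA256 stands in here). It shows a card key derived from an issuer master key and the PAN/PSN, a session key from the transaction counter, a cryptogram over the transaction data, and what an issuer-side verifier does with data leaked from a merchant. The key material, field names, PAN and transaction values are constructed for the example.

```python
import hashlib
import hmac

# Constructed issuer master key; in reality it never leaves the issuer's HSM.
ISSUER_MASTER_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def derive_card_key(issuer_master_key: bytes, pan: str, psn: str) -> bytes:
    """Unique key per card, derived from the PAN and PAN sequence number (PSN).
    Stand-in for EMV's block-cipher derivation: the property that matters is that
    only the issuer can derive it and every card gets a different key."""
    return hmac.new(issuer_master_key, f"{pan}|{psn}".encode(), hashlib.sha256).digest()


def session_key(card_key: bytes, atc: int) -> bytes:
    """Per-transaction key bound to the card's application transaction counter (ATC)."""
    return hmac.new(card_key, atc.to_bytes(2, "big"), hashlib.sha256).digest()


def canonical(tx: dict) -> bytes:
    """Deterministic serialisation of the transaction fields the cryptogram covers."""
    return "|".join(f"{k}={tx[k]}" for k in sorted(tx)).encode()


def arqc(card_key: bytes, atc: int, tx: dict) -> bytes:
    """Cryptogram the chip returns for an online authorisation request: 8 bytes,
    like a real ARQC, over amount, terminal data, unpredictable number and so on."""
    return hmac.new(session_key(card_key, atc), canonical(tx), hashlib.sha256).digest()[:8]


class IssuerHSM:
    """The only party besides the chip able to recompute the cryptogram."""

    def __init__(self, imk: bytes):
        self._imk = imk

    def verify(self, pan: str, psn: str, atc: int, tx: dict, cryptogram: bytes) -> bool:
        expected = arqc(derive_card_key(self._imk, pan, psn), atc, tx)
        return hmac.compare_digest(expected, cryptogram)


def magstripe_accepts(stored_track2: str, presented_track2: str) -> bool:
    """Contrast case: a magstripe/fallback authorisation only sees static track-2
    data, so a copy of the stripe is indistinguishable from the original."""
    return presented_track2 == stored_track2


def compromised_merchant_scenario() -> dict:
    """Constructed scenario: a merchant's database leaks everything it saw in one
    chip transaction (PAN, PSN, ATC, transaction fields, cryptogram) plus the
    track-2 data of a magstripe swipe. Returns whether each reuse is accepted."""
    pan, psn = "4111111111111111", "01"                        # constructed test PAN
    card_key = derive_card_key(ISSUER_MASTER_KEY, pan, psn)    # only the chip holds this
    hsm = IssuerHSM(ISSUER_MASTER_KEY)

    tx = {"amount": "1999", "currency": "978", "country": "372", "un": "5a3c9e17"}
    atc = 42
    cryptogram = arqc(card_key, atc, tx)                       # the genuine transaction

    replay = dict(tx, un="0f1e2d3c")                           # new terminal unpredictable number
    bigger = dict(tx, amount="99999")
    track2 = "4111111111111111=09121011234567890000"            # constructed track-2 string

    return {
        "genuine":         hsm.verify(pan, psn, atc, tx, cryptogram),        # True
        "replay_new_un":   hsm.verify(pan, psn, atc, replay, cryptogram),    # False
        "replay_next_atc": hsm.verify(pan, psn, atc + 1, tx, cryptogram),    # False
        "tampered_amount": hsm.verify(pan, psn, atc, bigger, cryptogram),    # False
        "magstripe_copy":  magstripe_accepts(track2, track2),                # True
    }


if __name__ == "__main__":
    print(compromised_merchant_scenario())
```

The leaked chip record gives the attacker nothing reusable: the cryptogram is bound to the ATC and the terminal's unpredictable number, and the card key needed to make a fresh one is never stored by the merchant. The track-2 copy, by contrast, is accepted as-is, which is why the comment singles out magstripe and fallback transactions.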

