TJX Intruders Sought Any Wireless Port In A Storm

Written by Evan Schuman
May 6th, 2007

With a new report that the TJX data breach began with wireless communications between handheld price checkers, IT is being reminded that “convenient” is usually code for “insecure maximus.”

Throughout the five-month public history of the TJX data breach fallout, the industry has repeatedly tried to simplify it, to label one cause as the explanation, whether it was incompetent IT execution, an inside job, an open wireless port or some other clean explanation.

But the TJX situation is complex and defies a simple explanation, just as its intruders were a lot more sophisticated, creative, relentless, daring and professional than anyone in the industry wants to believe.

On Friday, the Wall Street Journal reported the TJX data breach started with a wireless break-in at a Minnesota Marshalls. The story went into remarkable detail about intercepted communications between wireless price-checking handheld units “during peak sales periods to capture lots of data.”

The Journal reported that the cyber thieves then “used that data to crack the encryption code” and then they “digitally eavesdropped on employees logging into TJX’s central database in Framingham and stole one or more user names and passwords. With that information, they set up their own accounts in the TJX system and collected transaction data including credit-card numbers into about 100 large files for their own access.”

A five-second glance at those latest details (assuming they ultimately prove to be true) has led many people to dismiss this as another wireless problem. The truth is that TJX offered intruders a generous smorgasbord of security holes, enabling the intruders to plant a Trojan horse, steal an encryption key, sidestep less-than-diligently-monitored traffic logs and grab credit card data before it was encrypted. So let’s not paint TJX as security Eagle Scouts who happened to let their guards down on wireless.

That all said, the TJX Intruder Welcome Mat did start with a wireless hole, and the wireless hole helped enable the rest of the operation. Cyber thieves don’t need much, especially when they’re looking for any wireless port in a storm.

Reportedly, TJX had been slow to move to WPA and was still using WEP at the time of the break-ins. If that were the sole offense here, TJX would be in good company, as major corporations, along with more than their fair share of retail chains, tended to be slow to upgrade wireless security.

A crucial reason for that is lack of understanding. Few managers took the time to understand how much of the network the wireless devices could reach. Because a unit was designed to do price checks, it was seen as innocuous. This has the same feel to it as when IT was remarkably slow to appreciate that intelligent network printers were wonderfully clever gateways to the rest of the network.

Why? Because for many years, printers were harmless. When they suddenly started getting a lot more CPU, hard disk and RAM and became fully networked, it took years before the security threat sank in.
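The two weaknesses this passage describes (access points still on WEP or open, and “innocuous” device classes whose network reach goes far beyond their job) are both things a retailer can check from its own wireless inventory. The following audit script is an added example, not code from the article, from TJX or from the Journal; the site-survey inventory, store names, SSIDs, device roles and the reach policy in it are all constructed for illustration.

```python
"""Audit a wireless site-survey inventory for two weaknesses: weak link-layer
encryption (open or WEP) and device roles that can reach more network segments
than their job requires. All data below is constructed for illustration.
"""

from dataclasses import dataclass

# Ciphers treated as broken for a production store network (assumption of this example).
WEAK_CIPHERS = {"open", "wep"}

# Hypothetical reach policy: which segments each device role legitimately needs.
EXPECTED_REACH = {
    "price-checker": {"pricing-db"},
    "pos-terminal": {"pricing-db", "payment-gw"},
    "security-camera": {"dvr"},
}


@dataclass
class AccessPoint:
    store: str
    ssid: str
    cipher: str      # "open", "wep", "wpa" or "wpa2" as reported by the survey tool
    roles: set       # device roles that join this SSID
    reachable: set   # network segments reachable from this SSID (from firewall/VLAN config)


# Constructed survey: one store running a WEP SSID whose price checkers can reach
# the corporate core and payment gateway, one open camera network, two sane stores.
SURVEY = [
    AccessPoint("Store 101", "STORE-OPS", "wep", {"price-checker"},
                {"pricing-db", "corp-core", "payment-gw"}),
    AccessPoint("Store 101", "STORE-POS", "wpa2", {"pos-terminal"},
                {"pricing-db", "payment-gw"}),
    AccessPoint("Store 102", "CAM-NET", "open", {"security-camera"}, {"dvr"}),
    AccessPoint("Store 103", "STORE-OPS", "wpa2", {"price-checker"}, {"pricing-db"}),
]


def weak_encryption(aps):
    """Access points whose cipher is open or WEP."""
    return [ap for ap in aps if ap.cipher.lower() in WEAK_CIPHERS]


def over_reach(aps):
    """(ap, role, extra_segments) for every role that can reach segments it does not need.
    Roles absent from the policy are treated as needing nothing, so they always flag."""
    findings = []
    for ap in aps:
        for role in sorted(ap.roles):
            extra = ap.reachable - EXPECTED_REACH.get(role, set())
            if extra:
                findings.append((ap, role, extra))
    return findings


def audit(aps):
    """Flatten both checks into plain tuples so the result is easy to report or assert on."""
    return {
        "weak_encryption": [(ap.store, ap.ssid, ap.cipher) for ap in weak_encryption(aps)],
        "over_reach": [(ap.store, ap.ssid, role, sorted(extra))
                       for ap, role, extra in over_reach(aps)],
    }


if __name__ == "__main__":
    result = audit(SURVEY)
    for store, ssid, cipher in result["weak_encryption"]:
        print(f"WEAK CIPHER  {store} {ssid}: {cipher}")
    for store, ssid, role, extra in result["over_reach"]:
        print(f"OVER-REACH   {store} {ssid}: {role} can reach {', '.join(extra)}")
```

The second check is the one the printer analogy is about: a device class is judged by what it can reach, not by what it was bought to do, so a price checker on a WEP SSID that can also reach the payment gateway is reported twice, once per weakness.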

Most retailers have a strong appreciation for wireless security challenges, but many of their efforts revolve around looking for rogue wireless networks. Wireless security cameras are another example, with thieves having used them to “case” a retailer while sitting in its parking lot.

Theory: the TJX case is likely going to crack wide open by this summer. The laundry list of unanswered questions will get a lot shorter as the Massachusetts weather gets warmer. A U.S. House congressional hearing had been slated for May, but it’s now slipped until at least June, according to one congressional aide working on the scheduling. But whether that hearing will take an aggressive stance and truly try and get closure on the most interesting unanswered questions is unknown.

The class-action lawsuits are also supposed to start getting discovery within a few months, and the state Attorneys General probe can’t really continue much beyond this summer. The incident was discovered in mid-December and all break-in activity pretty much stopped by early January. It’s now five months later. With no active suspects, it’s questionable how much more time the probers would need.

The defining moment will be when TJX comes out from the shadows, calls a news conference and gets their side of this out. I’m not holding my breath, but if it’s clear that they’ll have to answer the questions publicly anyway, they might as well at least do it in their own forum.

The big-picture takeaway on this, however, is that the perpetrators of the TJX attack were doing exactly what every retailer is afraid they were doing: planning a multi-staged attack, using a wide range of tools and tactics. In their attack, they did what every retailer should have done in its defense: build in redundancy.

In other words, the attackers didn’t assume that a particular tactic would work, so they had multiple backup plans. If only TJX had done the same, we wouldn’t be having this conversation.

