TJX should have had stronger Wi-Fi encryption, say Canadian officials

By Robert Westervelt, News Editor
25 Sep 2007 | SearchSecurity.com

Security Wire Daily News

The TJX Cos. collected far too much consumer data for far too long and failed to upgrade its Wi-Fi security to the stronger WPA encryption protocol, according to the findings of a report issued Tuesday by Canadian privacy officials.

"The technology that TJX was using at the time was not up to the task and in fact the credit card industry has suggested that industries in its sector migrate to a higher level of encryption technology," said Jennifer Stoddart, the Privacy Commissioner of Canada in a press conference following the release of the report.

At the time of the breach, TJX was using the Wired Equivalent Privacy (WEP) encryption protocol, an older security standard. Wi-Fi Protected Access (WPA) replaced the original WEP standard and was designed to be compatible with the newer IEEE 802.11i standard, whose certified implementation is referred to as WPA2.

TJX has acknowledged that at least 45.7 million credit and debit cards were stolen over an 18-month period by hackers who managed to penetrate its network. The attackers began their assault on TJX by exploiting Wi-Fi weaknesses. The Canadian officials said Tuesday that the attackers' point of entry was two Marshalls stores in Miami.

TJX maintains that it acted within a reasonable amount of time and acted earlier than other retailers to enable Wi-Fi encryption. TJX started a WPA conversion project in October 2005 and completed it in mid-January 2007. The final conversion to a higher level of encryption will be completed soon, according to the report.

Investigators believe the thieves aimed a telescope-shaped antenna at the store and used a laptop, cracking the WEP encryption to snatch data transmitted between hand-held price-checking devices, cash registers and the store's computers. The exploit eventually led them into the central database of TJX, where they would repeatedly rob the system of sensitive customer data.

The Canadian report also recommends that the retailer institute a hashing system so that it no longer stores raw driver license numbers to track fraudulent returns. TJX said it was collecting the data to track customers who returned items without a receipt. The hashing technique would transform the string of characters into a shorter fixed-length value, or key, that stands in for the original driver license number, so repeat returns can still be matched without the number itself being kept on file.
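The return-tracking scheme the report recommends, worked through as an added example that is not part of the original article and not TJX's system: the store keeps only a keyed hash (HMAC-SHA256) of each driver license number, so repeat returns still match while the number itself is never written to the returns database. The secret key, the normalisation step and the sample license numbers below are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed secret key ("pepper") for this example only. In a real deployment it
# lives in a key-management service or HSM, never in the same store as the hashed
# values, so that someone who copies the returns table cannot recompute tokens.
PEPPER = b"example-pepper-replace-before-any-real-use"


def normalize_dl(number: str) -> str:
    """Canonicalise a driver license number (case, spaces, dashes) so the same
    card scanned slightly differently still maps to the same token."""
    return "".join(ch for ch in number.upper() if ch.isalnum())


def token_for_dl(number: str, key: bytes = PEPPER) -> str:
    """Fixed-length stand-in for the license number.

    A keyed hash is used rather than a bare SHA-256 because license numbers have
    a small, structured search space: an unkeyed hash of such a value can be
    reversed by enumerating candidates, whereas an HMAC cannot be recomputed
    without the key.
    """
    data = normalize_dl(number).encode("utf-8")
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class ReturnTracker:
    """Counts no-receipt returns per customer while storing only the token."""

    def __init__(self, key: bytes = PEPPER) -> None:
        self._key = key
        self._returns = {}  # token -> number of no-receipt returns

    def record_return(self, dl_number: str) -> int:
        token = token_for_dl(dl_number, self._key)
        self._returns[token] = self._returns.get(token, 0) + 1
        return self._returns[token]

    def returns_for(self, dl_number: str) -> int:
        return self._returns.get(token_for_dl(dl_number, self._key), 0)

    def stored_values(self) -> list:
        """What actually sits in the database: tokens only, no license numbers."""
        return list(self._returns)


if __name__ == "__main__":
    tracker = ReturnTracker()
    # Constructed sample license numbers, not real identifiers.
    tracker.record_return("AB-123-456")
    tracker.record_return("ab 123 456")  # same customer, different formatting
    print(tracker.returns_for("AB123456"))  # 2
    print(tracker.stored_values()[0])  # 64-hex-char token, not the number
```

Because the token is deterministic under one key, the fraud check ("has this customer returned without a receipt before?") works exactly as it did with the raw number; what changes is that a copy of the table, on its own, reveals nothing usable. A separate key per retailer (or per region) also prevents tokens from being cross-linked between databases that were never meant to share customer identities.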

"When the technology exists to protect data, we expect companies to move quickly to adopt that technology," said Frank Work, the Information and Privacy Commissioner of Alberta.

The Canadian officials said the report is intended to guide other merchants in enabling proper security protocols and technologies. They said merchants should be proactive in meeting the Payment Card Industry Data Security Standard (PCI DSS), but acknowledged that medium and smaller businesses don't have the resources to adopt the latest security technologies. Finally, the privacy officials also said that consumers ultimately need to keep a tighter grip on their personal information.

"We're not interested in beating up on TJX," Work said. "They got burned but so did a lot of other institutions and a lot of customers also got burned. The criminals are good and we just have to be better."

The Canadian report was issued within days of a tentative settlement reached by TJX in a class-action lawsuit with customers who were victims of the breach. TJX is offering affected customers three years of credit monitoring services and identity theft insurance, according to a public statement released by company president and CEO Carol Meyrowitz.
