TJX should have had stronger Wi-Fi encryption, say Canadian officials

By Robert Westervelt, News Editor
25 Sep 2007 | SearchSecurity.com


The TJX Cos. collected far too much consumer data for far too long and failed to upgrade its Wi-Fi security to the stronger WPA encryption protocol in time, according to the findings of a report issued Tuesday by Canadian privacy officials.


"The technology that TJX was using at the time was not up to the task and in fact the credit card industry has suggested that industries in its sector migrate to a higher level of encryption technology," said Jennifer Stoddart, the Privacy Commissioner of Canada in a press conference following the release of the report.

At the time of the breach, TJX was using Wired Equivalent Privacy (WEP), the original 802.11 encryption scheme, which had been publicly broken years earlier. Wi-Fi Protected Access (WPA) was the Wi-Fi Alliance's interim replacement: it was built on a draft of IEEE 802.11i and kept RC4 (wrapped in TKIP) so it could run on WEP-era hardware. The completed IEEE 802.11i standard, which uses AES-CCMP, is certified as WPA2.

TJX has acknowledged that at least 45.7 million credit and debit card numbers were stolen over an 18-month period by attackers who penetrated its network. The intrusion began with the exploitation of Wi-Fi weaknesses; the Canadian officials said Tuesday that the point of entry was two Marshalls stores in Miami.

TJX maintains that it acted within a reasonable amount of time and acted earlier than other retailers to enable Wi-Fi encryption. TJX started a WPA conversion project in October 2005 and completed it in mid-January 2007. The final conversion to a higher level of encryption will be completed soon, according to the report.


Investigators believe the thieves aimed a telescope-shaped antenna at the store and, using a laptop, cracked the WEP key to capture data passing between hand-held price-checking devices, cash registers and the store's computers. That foothold eventually led them into TJX's central database, from which they repeatedly extracted sensitive customer data.
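The two paragraphs above say WEP "was not up to the task" and that it was cracked from the parking lot, without saying what is structurally wrong with it. The following is an added example, not code from this article, from TJX or from the investigators: a small model of one WEP weakness, keystream reuse. WEP seeds RC4 with a 24-bit per-frame IV prepended to the shared key and sends the IV in the clear, so any two frames sent under the same IV are XORed with the same keystream, and XORing their ciphertexts cancels the keystream and exposes P1 XOR P2 without any key material. The 40-bit key, the IV and the frame contents are constructed. The key-recovery attacks actually used against WEP in practice (FMS, KoreK, PTW) exploit RC4's key schedule rather than IV reuse and are not implemented here.

```python
"""Added example (not code from the SearchSecurity article or from TJX): a
small model of why WEP-protected frames leak plaintext through IV reuse.
The key and frames below are constructed for illustration."""
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key-scheduling (KSA) followed by keystream generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body as WEP builds it: cleartext IV || (plaintext XOR RC4(IV || key)).
    The CRC-32 integrity value WEP appends is omitted; it does not change the leak shown."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    ks = rc4_keystream(iv + shared_key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    """Receiver side: read the IV off the frame and regenerate the same keystream."""
    iv, body = frame[:3], frame[3:]
    ks = rc4_keystream(iv + shared_key, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def plaintext_xor_from_iv_reuse(frame_a: bytes, frame_b: bytes):
    """Passive attacker: if two captured frames carry the same IV, C_a XOR C_b = P_a XOR P_b.
    Returns None when the IVs differ (no reuse, so nothing is learned this way)."""
    if frame_a[:3] != frame_b[:3]:
        return None
    n = min(len(frame_a), len(frame_b)) - 3
    return bytes(x ^ y for x, y in zip(frame_a[3:3 + n], frame_b[3:3 + n]))


def recover_with_known_plaintext(known_frame: bytes, known_plaintext: bytes, target_frame: bytes):
    """Knowing one frame's plaintext (a predictable header, or a request the attacker
    provoked) turns P_a XOR P_b into the other frame's plaintext outright."""
    diff = plaintext_xor_from_iv_reuse(known_frame, target_frame)
    if diff is None:
        return None
    return bytes(d ^ p for d, p in zip(diff, known_plaintext))


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: chance that at least one IV repeats among `frames` randomly chosen IVs.
    Drivers that count IVs sequentially repeat deterministically after 2**24 frames, and
    some reset the counter on every reboot, which is worse than random choice."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))


# Constructed sample: a 40-bit WEP key and two frames an eavesdropper might capture
# on a store floor, both (wrongly) sent under the same IV.
SHARED_KEY = bytes.fromhex("0f1e2d3c4b")
IV = b"\x00\x00\x2a"
PRICE_CHECK = b"PRICECHECK sku=0004912"   # hand-held scanner to server, guessable
REGISTER_MSG = b"TENDER card=4111111111"  # register to server, what the attacker wants
FRAME_A = wep_encrypt(SHARED_KEY, IV, PRICE_CHECK)
FRAME_B = wep_encrypt(SHARED_KEY, IV, REGISTER_MSG)


def demo() -> bytes:
    """Attacker guesses the price-check text and recovers the register message with no key."""
    return recover_with_known_plaintext(FRAME_A, PRICE_CHECK, FRAME_B)


if __name__ == "__main__":
    print(demo())
    print(f"P(IV repeat after 5000 random IVs) = {iv_collision_probability(5000):.2f}")
```

With only 2^24 IVs, `iv_collision_probability(5000)` is already above one half, so on a busy access point reuse is a matter of hours even with random IVs; WPA2's CCMP uses a 48-bit packet number that the receiver checks for replay, which removes both the reuse and the RC4 key-schedule problem.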

The Canadian report also recommends that the retailer replace the driver license numbers it stores to track fraudulent returns with hashed values. TJX said it was collecting the numbers to identify customers who returned items without a receipt. A hash transforms the license number into a fixed-length value that can be matched on a later visit without the database holding the number itself. One caveat a practitioner should add: driver license numbers are drawn from a small, structured space, so a plain hash can be reversed by enumerating candidates and comparing digests; the hash needs to be keyed (an HMAC with a secret held outside the returns database) for the stored value to be a real pseudonym.
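To make the recommendation concrete, here is an added example, not code from the article, the report or TJX's systems: a no-receipt-return counter that stores only a keyed hash of the license number, alongside a demonstration of why an unkeyed hash of such a value can be reversed. The license format (one letter plus four digits), the demo key and the sample numbers are constructed for illustration.

```python
"""Added example (not from the article or from TJX): tracking no-receipt
returns per driver license without storing the license number. The license
format, key and sample numbers are constructed."""
import hashlib
import hmac
import itertools
import re
import string
from typing import Optional


def normalize(license_no: str) -> str:
    """Canonical form so 'b 1234', 'B-1234' and 'B1234' all map to one token."""
    return re.sub(r"[^A-Z0-9]", "", license_no.upper())


def unkeyed_token(license_no: str) -> str:
    """Plain SHA-256: deterministic, but reversible by enumeration (see brute_force_unkeyed)."""
    return hashlib.sha256(normalize(license_no).encode()).hexdigest()


def keyed_token(license_no: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym: enumeration is useless without the key."""
    return hmac.new(key, normalize(license_no).encode(), hashlib.sha256).hexdigest()


class ReturnTracker:
    """Stores only tokens and counts; the key lives in the application, not in the table."""

    def __init__(self, key: bytes, threshold: int = 3):
        self._key = key
        self._threshold = threshold
        self._counts = {}

    def record_return(self, license_no: str) -> int:
        token = keyed_token(license_no, self._key)
        self._counts[token] = self._counts.get(token, 0) + 1
        return self._counts[token]

    def is_flagged(self, license_no: str) -> bool:
        return self._counts.get(keyed_token(license_no, self._key), 0) >= self._threshold


def candidate_space():
    """Every value in the constructed toy format: 26 * 10**4 = 260,000 candidates."""
    for letter, digits in itertools.product(string.ascii_uppercase, range(10000)):
        yield f"{letter}{digits:04d}"


def brute_force_unkeyed(target_digest: str, candidates) -> Optional[str]:
    """What someone holding a stolen returns table can do against plain hashes:
    hash every candidate and compare. Real license formats are larger than this
    toy space but still far too small to resist this."""
    for c in candidates:
        if hashlib.sha256(c.encode()).hexdigest() == target_digest:
            return c
    return None


DEMO_KEY = b"constructed-demo-key-do-not-reuse"  # real deployments: from a KMS/HSM, rotated


if __name__ == "__main__":
    tracker = ReturnTracker(DEMO_KEY)
    for attempt in ("B 1234", "b-1234", "B1234"):
        count = tracker.record_return(attempt)
        print(attempt, "->", count, "flagged" if tracker.is_flagged(attempt) else "ok")
    print("unkeyed digest reversed to:", brute_force_unkeyed(unkeyed_token("B 1234"), candidate_space()))
    print("keyed digest reversed to:", brute_force_unkeyed(keyed_token("B 1234", DEMO_KEY), candidate_space()))
```

The enumeration recovers the license number behind the plain SHA-256 digest in a fraction of a second and finds nothing behind the HMAC, which is the difference between a pseudonym and a thin disguise; the same reasoning applies to any identifier with a small or structured space (card numbers, phone numbers, national IDs).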

"When the technology exists to protect data, we expect companies to move quickly to adopt that technology," said Frank Work, the Information and Privacy Commissioner of Alberta.

The Canadian officials said the report is intended to guide other merchants in enabling proper security protocols and technologies. They said merchants should be proactive in meeting the Payment Card Industry Data Security Standard (PCI DSS), but acknowledged that medium and smaller businesses do not have the resources to adopt the latest security technologies. Finally, the privacy officials said that consumers ultimately need to keep a tighter grip on their own personal information.

"We're not interested in beating up on TJX," Work said. "They got burned but so did a lot of other institutions and a lot of customers also got burned. The criminals are good and we just have to be better."

The Canadian report was issued within days of a tentative settlement reached by TJX in a class-action lawsuit with customers who were victims of the breach. TJX is offering affected customers three years of credit monitoring services and identity theft insurance, according to a public statement released by company president and CEO Carol Meyrowitz.
