Blown To Bits

The TJX – Barnes&Noble – etc. Data Breach

Wednesday, August 6th, 2008 by Harry Lewis

Every major news source is carrying the story of the indictment of 11 persons for a massive data theft, in which more than 45 million credit card records were stolen — perhaps many more. We explain on page 176 of Blown to Bits that part of the problem was that in 2005 TJX was still using WEP encryption for its wireless communications, even though WEP had been known to be insecure for three years by that time, and a substitute (WPA) was widely available.

Today’s accounts indicate that the alleged crimes go well beyond that business of the 45 million credit card records. It is a bit hard to discern what actually happened, however. The Wall Street Journal describes the defendants as having “hacked into a wireless computer system at an unidentified BJ’s Wholesale Club store.” “Hacked” is one of those catch-all words which journalists use to describe almost anything. In its original sense it isn’t even derogatory — it just meant a clever, contrarian piece of programming. “Hacked into” suggests something quite aggressive and destructive, but it seems that what really happened may be nothing more than someone driving around listening for wireless routers and finding one that hadn’t upgraded its encryption software — and then using the by then well known methods for recovering a WEP key from captured traffic and decrypting everything sent under it. (I am not defending it — it’s a crime, and should be — but the language would then be a bit like saying that someone had “broken into” a house by opening the door and walking in. Bad thing to do, but not the way it sounds.)
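To make concrete why those methods were “well known” and why WEP counts as “broken” rather than merely imperfect (the point argued in the comments below as well), here is an added, self-contained illustration that is not code from the original post: a toy WEP frame encryptor, then the eavesdropper’s side, which never touches the key. WEP encrypts each frame with RC4 keyed by a 24-bit IV prepended to the shared key, so any two frames carrying the same IV use the same keystream; one frame whose plaintext the attacker knows (every IPv4 data frame begins with a fixed LLC/SNAP header, and an attacker can make a station transmit a fully known payload by sending it traffic) hands over the keystream that decrypts the other. The key, IV and frame contents are constructed for the example. The 2001 Fluhrer-Mantin-Shamir key-recovery attack on RC4’s key scheduling, which is what “cracked in 2001” refers to, is a separate and stronger attack and is not implemented here.

```python
"""Added example: why WEP's RC4 keystream reuse lets an eavesdropper read traffic
without the key. Key and frames below are constructed; not code from the post."""
import math
import struct
import zlib

IV_BITS = 24  # WEP prepends a 24-bit IV to the shared key on every frame


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key-scheduling (KSA) then n bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                        # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV(3) || key-id(1) || RC4(IV||key) XOR (plaintext || CRC32 ICV)."""
    icv = struct.pack("<I", zlib.crc32(plaintext))
    data = plaintext + icv
    return iv + b"\x00" + _xor(data, rc4_keystream(iv + wep_key, len(data)))


def wep_decrypt(wep_key: bytes, frame: bytes) -> bytes:
    """What the access point does; the eavesdropper below never calls this."""
    iv, body = frame[:3], frame[4:]
    data = _xor(body, rc4_keystream(iv + wep_key, len(body)))
    plaintext, icv = data[:-4], data[-4:]
    if struct.pack("<I", zlib.crc32(plaintext)) != icv:
        raise ValueError("ICV mismatch")
    return plaintext


# --- eavesdropper side: no key, only captured frames ---------------------------

def recover_keystream(frame: bytes, known_plaintext: bytes) -> tuple:
    """Ciphertext XOR known plaintext = keystream for this frame's IV.
    The ICV is just CRC32 of the known plaintext, so those 4 keystream bytes
    are recovered as well."""
    iv, body = frame[:3], frame[4:]
    known = known_plaintext + struct.pack("<I", zlib.crc32(known_plaintext))
    return iv, _xor(body, known)


def decrypt_with_keystream(frame: bytes, iv: bytes, keystream: bytes) -> bytes:
    """Any other frame that reuses the same IV is encrypted with the same keystream."""
    if frame[:3] != iv:
        raise ValueError("different IV; recovered keystream does not apply")
    return _xor(frame[4:], keystream)


def iv_collision_probability(frames: int, iv_bits: int = IV_BITS) -> float:
    """Birthday bound: chance that at least one IV repeats among `frames` random IVs.
    Real cards did worse: many reset the IV counter to 0 on power-up."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2 * 2 ** iv_bits))


LLC_SNAP_IPV4 = bytes.fromhex("aaaa030000000800")  # fixed prefix of every IPv4 frame


def demo() -> dict:
    key = bytes.fromhex("0123456789")   # constructed 40-bit key; the attacker never sees it
    iv = b"\x00\x00\x2a"                 # a busy AP reuses every IV sooner or later
    # Frame 1: traffic the attacker induced, so its plaintext is entirely known.
    induced = LLC_SNAP_IPV4 + b"PING-PAYLOAD-CHOSEN-BY-ATTACKER-" * 2
    frame_known = wep_encrypt(key, iv, induced)
    # Frame 2: a victim's frame that happens to reuse the same IV (constructed).
    secret = LLC_SNAP_IPV4 + b"POST /login user=alice&pass=correct-horse"
    frame_victim = wep_encrypt(key, iv, secret)

    iv_seen, ks = recover_keystream(frame_known, induced)
    leaked = decrypt_with_keystream(frame_victim, iv_seen, ks)
    # Even with no known plaintext at all, two frames under one IV leak p1 XOR p2.
    xor_of_ciphertexts = _xor(frame_known[4:], frame_victim[4:])
    return {
        "leaked": leaked[:len(secret)],
        "secret": secret,
        "xor_leak_matches": xor_of_ciphertexts[:len(secret)] == _xor(induced, secret),
        "p_collision_5000_frames": iv_collision_probability(5000),
    }


if __name__ == "__main__":
    r = demo()
    print("victim frame recovered without the key:", r["leaked"] == r["secret"])
    print("P(IV reuse after 5000 random IVs) = %.3f" % r["p_collision_5000_frames"])
```

The birthday figure is the charitable case, random IVs: after about 5000 frames an IV has more likely than not been reused, and a store's wireless registers send far more than that in a day. Upgrading the encryption software here means replacing the whole scheme (WPA/WPA2), not choosing a longer WEP key, since a 104-bit key leaves the 24-bit IV exactly as it is.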

But this was far from the end of the story. The defendants in this action are alleged to have “gained access to the computer system used at a Marshall’s department store” and then, “With access to the server, the defendants installed ‘sniffer programs’ that captured data.” At that point they could, and allegedly did, pretty much help themselves to whatever the company had in the way of customer financial data.

It’s the “gained access” that interests me. It could be a software error, but my gut tells me: inside job. The easiest way to “gain access” to a computer system is to have someone give you a password, or give you physical access to the machine. It’s not the only way, but if I were bent on “gaining access” to a computer, I’d try the easy way first — perhaps bribing someone using the money I’d already made with those credit card numbers.

Finally, all this data wound up on international servers, as part of a shadowy underground bits economy. This fascinating report by Symantec details the operation of these sites from which credit card numbers and other sensitive data can be bought in bulk. The table on page 32 reports that US credit card numbers cost $1-$6, UK credit card numbers twice as much (apparently the return on the investment is better). Email addresses, by the way, go for $5 per 20,000. The report also has lots of other good information about the ways that computers can be compromised, and where the attacks seem to be coming from.

4 Responses to “The TJX – Barnes&Noble – etc. Data Breach”

  1. Benjamin Wright Says:

    Harry: Careful reading of the indictments of the TJX data thieves shows that the media, card issuers and Federal Trade Commission over-reacted to the TJX incident. TJX was not as bad as we were led to believe. –Ben

  2. Harry Lewis Says:

    Ben, this is pretty well thrashed out on your own site. You say: “[TJX] used WEP encryption to protect wireless in stores. I realize WEP is not perfect; perfect security does not exist. But WEP is more than zero.” In response to an earlier post of yours on this topic, Michael Janke says, “WEP was cracked in 2001. The store was still running WEP in 2005. By 2005, WEP was not considered a valid form of encryption by anyone, anywhere.” The fallacy of “WEP is better than nothing” is exactly the point we stress in Chapter 5 of Blown to Bits. Four years is just too long to be responsibly using an encryption method that has been broken. I have no reason to doubt your judgment that TJX was making an honest mistake, and have no opinion about the FTC’s response. But it was a serious mistake, of a kind that behind-the-times cryptographers have made throughout history, sometimes with tragic consequences.

  3. Jasmine M. Mendoza Says:

    Hello, perhaps this entry may be off topic but anyhow, I’ve been surfing around your site and it appears genuinely cool. It is obvious that you know the subject and you appear fervent about it. I’m building a new blog and I am striving to make it look great, plus provide the best posts. I have gleaned a good deal from your site and I anticipate further posts and will be returning soon. Many thanks.

  4. Roald Dahl Books Says:

    Hey what is the best way to sign up for updates to your site?