Encryption Faulted in TJX Hacking,
2007-09-26 06:05:18
http://www.physorg.com/news109963481.html  25 Sep 2007

(AP) -- Hackers stole millions of credit card numbers from discount retailer TJX Cos. by intercepting wireless transfers of customer information at two Miami-area Marshalls stores, according to an eight-month investigation by the Canadian government.

The probe led by Canadian Privacy Commissioner Jennifer Stoddart faulted TJX for failing to upgrade its data encryption system by the time the electronic eavesdropping began in July 2005. The break-in ultimately gave hackers undetected access to TJX's central databases for a year and a half, exposing at least 45 million credit and debit cards to potential fraud.

 ...
Retail wireless networks collect and transmit data via radio waves so information about purchases and returns can be shared between cash registers and store computers. Wireless transmissions can be intercepted by antennas, and high-power models can sometimes intercept wireless traffic from miles away.

While such data is typically scrambled, Canadian officials said TJX used an encryption method that was outdated and vulnerable. The investigators said it took TJX two years to convert from Wireless Encryption Protocol to more sophisticated Wi-Fi Protected Access, although many retailers had done so.

Lang said TJX's systems complied with industry standards when the breach started. She said TJX chose in 2005 to make the conversion and needed more time than some retailers because its systems weren't compatible with the WPA standard.

 ---

WLAN Security Service Aims to Boost PCI Compliance   August 31, 2007
http://www.wi-fiplanet.com/news/article.php/3697436?

"Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN.  If WEP is used, do the following:

    * Use with a minimum 104-bit encryption key and 24 bit-initialization value
    * Use ONLY in conjunction with WPA, WPA2, VPN, or SSL/TLS
    * Rotate shared WEP keys quarterly (or automatically) [and] whenever there are changes in personnel with access to keys
    * Restrict access based on media access code (MAC) address."

 ---

The emphasis is on the 'in conjunction' part.  There's a cascade effect, of course.  The security of the WLAN is dependent on the strength of the password of the satellite router, router configuration, register administrator's password, and so on.

There's another article or two on TJX; they make interesting reading, and might even have been worth a book if they'd only been on to the theft.

http://www.physorg.com/news94480989.html  March 30, 2007

http://www.physorg.com/news94568787.html  March 31, 2007, wherein there's a feeble attempt to paint the problem as single DES as being weak in speculation.


T.J. Maxx Data Theft Likely Due To Wireless 'Wardriving'
http://www.informationweek.com/news/showArticle.jhtml?articleID=199500385&subSection=All+Stories


TJX
http://updates.zdnet.com/tags/TJX.html

WEP Security + Pringles-Can = $1 Billion TJX Loss?
http://msmvps.com/blogs/harrywaldron/archive/2007/05/09/wep-security-pringles-can-1-billion-tjx-loss.aspx

May 10th, 2007
Retailers haven't learned from TJX - still running WEP
http://blogs.zdnet.com/Ou/?p=487


There was a slashdot article on 15 May.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
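The four WEP conditions quoted from the wi-fiplanet/PCI piece above (104-bit key, WEP only alongside WPA/WPA2/VPN/TLS, quarterly key rotation, MAC-address restriction) read naturally as a checklist an operator can run over an access-point inventory. The script below is an added illustration, not code from the mailing-list post or from any of the articles it links; the `AccessPoint` record, the `audit_access_point` function and the sample fleet are all constructed here, and the 92-day figure is an assumption standing in for "quarterly". It flags each access point that fails one of the four rules, so that a store still running 40-bit WEP with nothing layered over it, the configuration the TJX articles describe, shows up with every rule failed.

```python
"""Audit a WLAN access-point inventory against the WEP conditions quoted above.

Added example: the data model, rules and sample fleet are constructed for
illustration and are not taken from the post or the linked articles.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Layers that satisfy "use ONLY in conjunction with WPA, WPA2, VPN, or SSL/TLS".
ACCEPTED_OVERLAYS = {"WPA", "WPA2", "VPN", "SSL/TLS"}
QUARTER = timedelta(days=92)     # assumption: "quarterly" rotation means within 92 days
MIN_WEP_KEY_BITS = 104           # "minimum 104-bit encryption key"
WEP_IV_BITS = 24                 # fixed by the WEP design; 104 + 24 is the "128-bit" WEP mode


@dataclass
class AccessPoint:
    """One access point as it might be exported from an inventory (constructed record)."""
    name: str
    cipher: str                                   # "open", "WEP", "WPA" or "WPA2"
    wep_key_bits: int = 0                         # WEP secret key length, IV excluded
    overlays: Set[str] = field(default_factory=set)  # VPN / TLS / WPA layers carrying the traffic
    last_key_rotation: Optional[date] = None      # None = no rotation on record
    mac_restricted: bool = False                  # MAC-address access restriction enabled


def audit_access_point(ap: AccessPoint, today: date) -> List[str]:
    """Return the checklist items this access point fails (empty list means compliant)."""
    findings: List[str] = []
    if ap.cipher == "open":
        return ["no link-layer encryption at all"]
    if ap.cipher != "WEP":
        return findings   # WPA/WPA2 links: the WEP-specific conditions do not apply
    if ap.wep_key_bits < MIN_WEP_KEY_BITS:
        findings.append(
            f"WEP key is {ap.wep_key_bits} bits (< {MIN_WEP_KEY_BITS}); "
            f"{ap.wep_key_bits + WEP_IV_BITS}-bit WEP counting the {WEP_IV_BITS}-bit IV")
    if not (ap.overlays & ACCEPTED_OVERLAYS):
        findings.append("WEP relied on exclusively; no WPA/WPA2/VPN/TLS layer over it")
    if ap.last_key_rotation is None:
        findings.append("no record of WEP key rotation")
    elif today - ap.last_key_rotation > QUARTER:
        age = (today - ap.last_key_rotation).days
        findings.append(f"WEP key last rotated {age} days ago (not quarterly)")
    if not ap.mac_restricted:
        findings.append("no MAC-address restriction")
    return findings


def audit_fleet(aps: List[AccessPoint], today: date) -> Dict[str, List[str]]:
    """Map each access-point name to its list of failed checklist items."""
    return {ap.name: audit_access_point(ap, today) for ap in aps}


# Constructed sample inventory (not real TJX data). Dates are relative to the post date.
SAMPLE_FLEET = [
    AccessPoint("store-01-pos", "WEP", wep_key_bits=40),                      # 64-bit WEP, nothing else
    AccessPoint("store-02-pos", "WEP", wep_key_bits=104, overlays={"VPN"},    # WEP under a VPN, maintained
                last_key_rotation=date(2007, 7, 1), mac_restricted=True),
    AccessPoint("store-03-office", "WPA2"),                                   # already converted
    AccessPoint("store-04-pos", "WEP", wep_key_bits=104, overlays={"SSL/TLS"},
                last_key_rotation=date(2007, 1, 15), mac_restricted=True),    # only the rotation lapsed
]

if __name__ == "__main__":
    for name, problems in audit_fleet(SAMPLE_FLEET, date(2007, 9, 26)).items():
        status = "OK" if not problems else "FAIL"
        print(f"{name}: {status}")
        for p in problems:
            print(f"    - {p}")
```

The MAC-restriction rule is carried over as written because the quoted checklist lists it, but it is an access-control hygiene item rather than a confidentiality control: it does nothing to protect intercepted frames, which is why the checklist's first condition is that WEP never be the only layer. The audit therefore treats a WEP link without a VPN, TLS or WPA layer as failing regardless of the other three items.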
