
Research and retrieval of news articles by:
Bennett Gold LLP, Chartered Professional Accountants


SPECIAL NOTE TO ALL VISITORS:
Effective December 31 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering notable e-commerce news articles from the period 1999 to 2012.


WIRELESS HACKERS SUSPECTED IN TJ MAXX BREACH

Source: ConsumerAffairs.com

Posted on May 10, 2007

      Cyber-thieves using a telescoping wireless antenna to intercept payment information may be responsible for the "biggest data breach ever," investigators theorize.

      The Wall Street Journal reported that hackers in St. Paul, Minnesota, parked outside a Marshalls department store and used the antenna to capture and decode data passing between the store's hand-held scanners and its computers. From that foothold they broke into the database of parent company TJX and made off with the credit and debit card records of nearly 47 million customers.

      Drive-by hacking, or "wardriving," was the first major threat to Internet access over wireless connections. Wardrivers drive by or park near Wi-Fi hotspots or open networks and, where the network is unencrypted or weakly encrypted, capture the traffic passing between unsuspecting users and the access point.

      The TJX network was alleged to have had less wireless security protection than the networks of many home users. The hackers are believed to have had access to the network for as long as two years, going back to at least July 2005.

      TJX was also alleged to be using the older Wired Equivalent Privacy (WEP) protocol for its network, which has been largely discredited for the ease with which it can be broken: it encrypts every frame with RC4 keyed by a short 24-bit per-frame value prepended to the shared key, and its integrity check is a plain CRC-32, so captured traffic leaks both keystream and, with enough frames, the key itself. Security researchers in Germany (Tews, Weinmann and Pyshkin of TU Darmstadt) recently published a paper, "Breaking 104 bit WEP in less than 60 seconds," documenting how a WEP key can be recovered from captured traffic in as little as a minute.

      Most security experts recommend upgrading to the stronger Wi-Fi Protected Access (WPA) protocol, or its successor WPA2, available since 2004, but TJX was apparently slow to adopt the new system.
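      To make concrete why WEP is so easy to break, the following Python script, an added illustration that is not part of the original article or of any TJX or investigative material, models the two design flaws behind the practical attacks: every frame is encrypted with RC4 keyed by the 24-bit per-frame IV prepended to the shared key, so any two frames that share an IV share a keystream, and the CRC-32 integrity check value (ICV) is linear, so an attacker can flip plaintext bits and repair the ICV without knowing the key. The key, IV and frame contents are constructed for the example, and the 60-second key-recovery attack from the German paper is statistical and not reproduced here.

```python
"""Toy model of two WEP weaknesses: keystream reuse across frames that share
an IV, and CRC-32 ICV malleability.  Added illustration with constructed data;
the key, IV and frame contents below are made up and are not from the article."""
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: 3-byte IV in the clear, then RC4(IV || key) applied to
    plaintext || ICV.  Real frames also carry a key-index byte and 802.11
    headers, which this toy model omits."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Decrypt a frame as a receiver would; return (plaintext, icv_ok)."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4(iv + key, len(ct)))
    pt, tag = body[:-4], body[-4:]
    return pt, icv(pt) == tag


# Flaw 1: the keystream depends only on IV || key.  A frame whose plaintext is
# known (e.g. the fixed LLC/SNAP header of an ARP frame) leaks the keystream for
# its IV, and every other frame sent under that IV decrypts with it.  With only
# 2^24 IVs, repeats are inevitable on a busy store network.
def recover_keystream(frame: bytes, known_plaintext: bytes):
    """Return (iv, keystream) given a frame and its full known plaintext."""
    iv, ct = frame[:3], frame[3:]
    return iv, xor(ct, known_plaintext + icv(known_plaintext))


def decrypt_with_keystream(frame: bytes, iv: bytes, keystream: bytes) -> bytes:
    """Decrypt another frame under the same IV without knowing the key."""
    assert frame[:3] == iv, "keystream only applies to frames with this IV"
    ct = frame[3:]
    assert len(ct) <= len(keystream), "keystream must cover the whole frame"
    return xor(ct, keystream)[:-4]


# Flaw 2: CRC-32 is linear, crc(a ^ d) == crc(a) ^ crc(d) ^ crc(zeros), so an
# attacker can XOR a chosen delta into the ciphertext and patch the encrypted
# ICV to match; the receiver then accepts the altered frame as genuine.
def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Return a frame whose plaintext is XORed with `delta`; the ICV still verifies."""
    iv, ct = frame[:3], frame[3:]
    n = len(ct) - 4
    delta = delta.ljust(n, b"\x00")[:n]
    icv_delta = xor(icv(delta), icv(bytes(n)))
    return iv + xor(ct[:n], delta) + xor(ct[n:], icv_delta)


# Constructed demo data (not a real capture).
KEY = bytes.fromhex("0badc0ffee")             # 40-bit shared WEP key
IV = bytes.fromhex("123456")                  # an IV that happens to repeat
SNAP_ARP = bytes.fromhex("aaaa030000000806")  # LLC/SNAP header of an ARP frame
SNAP_IP = bytes.fromhex("aaaa030000000800")   # LLC/SNAP header of an IP frame
KNOWN_FRAME_PT = SNAP_ARP + bytes(20)         # frame whose content is predictable
SECRET_FRAME_PT = SNAP_IP + b"4111111111111111"  # constructed card number


def demo() -> dict:
    """Run both attacks against the constructed frames and return the results."""
    known = wep_encrypt(KEY, IV, KNOWN_FRAME_PT)
    secret = wep_encrypt(KEY, IV, SECRET_FRAME_PT)
    iv, ks = recover_keystream(known, KNOWN_FRAME_PT)
    recovered = decrypt_with_keystream(secret, iv, ks)
    # Change the first digit of the card number ("4" -> "9") without the key.
    delta = bytes(len(SNAP_IP)) + bytes([ord("4") ^ ord("9")])
    forged_pt, forged_ok = wep_decrypt(KEY, flip_bits(secret, delta))
    return {"recovered": recovered, "forged": forged_pt, "forged_accepted": forged_ok}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

      Running the script decrypts the "secret" frame using only a second frame that shared its IV, and produces a modified frame with a different card number that the receiver still accepts. WPA and WPA2 close both holes by deriving fresh per-packet keys and by replacing CRC-32 with a keyed message integrity code.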

      Although TJX refused to comment on the wardriving allegations, the company previously acknowledged that it failed to meet the security procedures mandated by the credit card industry. The company admitted to transmitting credit card payment information to banks without any encryption, so that once the intruders were on the TJX network the card data was readable as it passed by.

      The hackers then most likely sold the purloined customer data in the "underground economy" of black-market chat rooms and forums that specialize in trading and selling personal information. Data connected to the TJX breach turned up in a Florida fraud case involving credit cards "cloned" with the stolen personal information.

      The fraudsters then used the clone cards to purchase gift cards from Wal-Mart, which they then redeemed for thousands of dollars in high-priced merchandise.

      Although TJX claims its strong first-quarter sales numbers show that its shoppers don't care about the data breach, the company is still fending off numerous lawsuits from state Attorneys General and class actions from irate customers.

      Most recently, a coalition of banks in Massachusetts, Colorado, and Maine filed suit against TJX for forcing them to absorb the costs of canceling and reissuing thousands of credit and debit cards exposed in the breach.

      The TJX breach has also spurred numerous bills in Congress to mandate stronger data security standards for both government agencies and private companies, and to ensure affected individuals are notified if a breach occurs.

      Many of the bills are flawed, however, as they preempt stronger state data breach laws and enable numerous exemptions for law enforcement agencies to delay consumer notification of breaches, privacy advocates say.





E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Professional Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca

In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.



