Read Bennett Gold LLP's privacy policies and practices regarding this web site.
LINK TO: Bennett Gold LLP's Privacy Policies and Practices. E-CommerceALERT.com is part of the Bennett Gold LLP web site network.
LINK TO: Bennett Gold LLP, Chartered Accountants, home page.
LINK TO: E-CommerceALERT.com Home Page.
CLICK to GO BACK to Main Page.

Research and retrieval of news articles by Bennett Gold LLP, Chartered Accountants


SPECIAL NOTE TO ALL VISITORS:
Effective December 31, 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering articles from the period 1999 to 2012.


WIRELESS HACKERS SUSPECTED IN TJ MAXX BREACH

Source: ConsumerAffairs.com

Posted on May 10, 2007

      Cyber-thieves using a telescoping wireless antenna to intercept payment information may be responsible for the "biggest data breach ever," investigators theorize.

      The Wall Street Journal reported that hackers in St. Paul, Minnesota, parked outside a Marshalls' department store and used the antenna to decode data between hand-held payment scanners, enabling them to break into parent company TJX's database and make off with credit and debit card records of nearly 47 million customers.

      Drive-by hacking, or "wardriving," was the first major threat to Internet access over wireless connections. Wardrivers drive by or park near Wi-Fi hotspots or open networks and use various means to siphon off data from unsuspecting users.

      The TJX network was alleged to have less wireless network security protection than the networks of many home users. The hackers are believed to have had access to the network for as long as two years, going back to at least July 2005.

      TJX was also alleged to be using the older Wireless Equivalent Privacy (WEP) protocol for its network, which has been largely discredited for the ease with which it can be broken. Security researchers in Germany recently published a paper documenting how WEP can be broken in as little as 60 seconds.

      Most security experts recommend upgrading to the stronger Wi-Fi Protected Access (WPA) protocol, but TJX was apparently slow to adopt the new system.

      Although TJX refused to comment on the wardriving allegations, the company previously acknowledged that it failed to meet security procedures mandated by the credit card industry. The company admitted to transferring credit card payment information to banks without any sort of encryption, making it easier for the wardrivers to pick up the information as they surfed the TJX network.

      The hackers then most likely sold the purloined customer data in the "underground economy" of black-market chats that specialize in the trading and selling of personal information. Data connected to the TJX breach turned up in a Florida fraud case involving credit cards "cloned" with the stolen personal information.

      The fraudsters then used the clone cards to purchase gift cards from Wal-Mart, which they then redeemed for thousands of dollars in high-priced merchandise.

      Although the TJX corporation claims its strong first-quarter sales numbers show that its shoppers don't care about the data breach, the company is still fending off numerous lawsuits from state Attorneys General and class-actions from irate customers.

      Most recently, a coalition of banks in Massachusetts, Colorado, and Maine filed suit against TJX for forcing them to absorb the costs of canceling and reissuing thousands of credit and debit cards exposed in the breach.

      The TJX breach has also spurred numerous bills in Congress to mandate stronger data security standards for both government agencies and private companies, and to ensure affected individuals are notified if a breach occurs.

      Many of the bills are flawed, however, as they preempt stronger state data breach laws and enable numerous exemptions for law enforcement agencies to delay consumer notification of breaches, privacy advocates say.




CLICK to GO BACK to Main Page.

E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca

In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.


ALERT
ARCHIVES
Final Entries
2012
2011
2010
2009
2008
2007
2006
2005
2004
2003
2002
2001
2000
1999


LINK TO: Bennett Gold Chartered Accountants: A Licensed Provider of WebTrust Services.

WebTrust Is Your
Best Defense
Against
Privacy Breaches.

Get WebTrust
Working For
Your Site.