Schneier on Security
A blog covering security and security technology.
« Threat Modeling at Microsoft |
| Staged Attack Causes Generator to Self-Destruct »
October 1, 2007
TJX Hack Blamed on Poor Encryption
Remember the TJX hack from May 2007?
Seems that the credit card information was stolen by eavesdropping on wireless traffic at two Marshals stores in Miami. More details from the Canadian privacy commissioner:
"The company collected too much personal information, kept it too long and relied on weak encryption technology to protect it -- putting the privacy of millions of its customers at risk," said Stoddart, who serves as an ombudsman and advocate to protect Canadians' privacy rights.
Retail wireless networks collect and transmit data via radio waves so information about purchases and returns can be shared between cash registers and store computers. Wireless transmissions can be intercepted by antennas, and high-power models can sometimes intercept wireless traffic from miles away.
While such data is typically scrambled, Canadian officials said TJX used an encryption method that was outdated and vulnerable. The investigators said it took TJX two years to convert from Wireless Encryption Protocol to more sophisticated Wi-Fi Protected Access, although many retailers had done so.
Posted on October 1, 2007 at 2:37 PM
• 26 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Given the ease of encrypting data at the application layer (using ssh, for example, or relying on *ssl libraries), it strikes me as just lazy to rely entirely on wireless link layer security, even if one has the wit to choose WPA over WEP (which TJX didn't). The notion of security in depth evidently doesn't carry enough weight with business application programmers and network designers.
I think it's a cop-out to blame it on WEP. TJX obviously has security issues from front to back if unprivileged access to their wireless network was all it took to access millions upon millions of personal records.
Gosh - I wonder where that leaves one of the local grocery store chains here (which runs *unencrypted* WiFi on their POS systems)?
Hopefully they were wise enough to deploy WPA2 with CCMP and a strong EAP type. I've seen too many merchants define their security policy around the limited capabilities of bar code scanners.
Dumb - and alas, quite typical. SSL-based VPN's over WiFi (or IPSec) is the only solution that affords confidence here: And with such huge exposure - they should have known that.
But hey: never mind, they say that corporate expenditure on Security is decreasing currently. Let's hope there's another exposure that comes to the fore soon - maybe then the "proposed budgets" will be expended on those who are Security-Minded, before it's again too late.
I work in the retail field. I agree that the majority of retail systems right now are very insecure. As with everything, though, there isn't a simple answer. Retailers aren't just running one program or system. I know of a major tier-1 retailer that is running over 280 programs *at each location* they do business at. That includes over 50 in-house programs, and doesn't include hundreds of hardware drivers. Running on multiple server OSes, some local and some remote, interfacing with credit and debit card processors, traveler's cheque clearing houses, third party gift card and coupon systems, monitoring inventory shipment status, tracking invoices to suppliers, etc, etc.
When I joined the field I was amazed at how complex retail systems are, and how many different things they need to control and interface with.
So is securing a retail system possible? probably. But it isn't nearly as easy as most people would assume. And in my opinion, the biggest risk is internal. Retailers go through a lot of low-paid employees that need a lot of access to the system.
Seriously? Who does their Risk-Analysis? That's a lot of apps to present a stupidly large attack-surface.
Better folks, Question: Did they ever have a outside group conduct a Red Team Exercise to test these areas? If yes-- Liability to that company also. If no, they must have a bunch of NO MINDS running the security there!
Businesses pay a great deal of attention to risk and risk-analysis. The single biggest factor that they count as a risk is the risk that people won't give them business. This counts for a whole lot more than nebulous risks such as weak systems.
I'm not familiar with TJX. Have they lost much business from this? More generally, how many readers, even in this forum, stop and assess the security of a retail store before chosing whether to buy from it?
Why do we blame their risk-analysis, not their customers risk analysis? Or maybe this is just a price of doing business?
"Seriously? Who does their Risk-Analysis? That's a lot of apps to present a stupidly large attack-surface."
I agree completely. It's amazing how overly-complicated their solutions are (I could go on about that, but I digress) The problem is the usual one: business needs always trump security concerns (at least in retail for the most part). Hopefully with more of these publicised cases, they will wake up and spend more on security, and part of that will be doing better risk analysis.
At the same time, retail is a complex enterprise. So it will always be a difficult balancing act.
"When CC companies decide that fraud is a big deal, they'll fix it and they'll drag retail outlets like TJX along."
You're correct: they are the ones that can really force the change through. Most retailers have to go through a series of certifications with the payment processors in order to do business (If you want to accept Amex, you need to either complete their review process or outsource the work to a third party). So if the card issuers and processors push back, the retailers will (reluctantly) follow.
Besides the CC needs, most businesses keep customer data for their own marketing purposes. If the company has its own private-label card, it will often keep data that would allow it to cherry-pick which customers to offer their private-label cards.
As long as they are allowed to decide on their own which data to keep and how long, these kinds of breaches will continue. When consumers' data is considered their private property (to be used only by their express permission, with legal and financial consequences for companies that violate the rules), there will no longer be banks and retailers (including telemarketers, mail order, and e-commerce) that have incentives toward weakening security.
I guarantee that if TJX had to repay every questionable charge for the next five years on those individuals' accounts, they would never again make this kind of mistake.
I have a theory that says "If it's a big deal, you'll handle it. If it's not a big deal, you won't do anything about it." Think about credit card fraud in this vein
1) The article was, at least in parts, poorly written. I'm sure millions of records weren't flying over WiFi; it was however what they "tapped" to get in and the reporter (or the people telling the story to the reporter) should've made clearer;
2) It's obvious from the outside and from the bits and pieces like the Wall Street Journal article there was a systemic failure involved -- from architecture to auditing. When there are reports of accounts being created and messages being shared on the system between hackers...the controls and the mitigating controls both failed.
I understand how complex these systems can be; I've worked places I was amazed such simple ideas ended up being passed between so many systems to get things "just right."
But that's where detection systems can be put in place to limit the amount of time the breach has remained opened.
3) Like some of the other posters stated, at what cost?
A disaster is not that you can't sell your product.
A disaster is that you can't sell your product...while your competitor across the street is.
TJX is having same-store sales increases, so it hasn't hampered that part of the business.
Current cost estimates for TJX (including future liabilities) stand at $256 Million. http://www.boston.com/business/globe/articles/...
At the same time (2007) the TJX Board has authorized spending $1 Billion in stock re-purchases. Doesn't seem like the data breach has hurt their business, they have the cash to absorb the losses, and the cash to buy back enough shares to offset any impact on stock price the reduction in earnings due to the cost of the breach will have.
My understanding is that Credit-Card companies deal with this problem by sticking the small merchants with the fraudulent tab.
As in Person A shops at company B. B has poor security. As a result, A's card number is stolen, and subsequently employed fraudulently by a thief at shop C.
Now one of two things can happen:
Either Person A didn't notice the charges, and pays them out of their own pocket. (There's a lot to be said for robbing 1,000,000 people of $2 apiece rather than 1 person for $2,000,000.)
Or Person A does notice the charges, contests them, and shopkeeper C gets stuck with the bill. (Shopkeeper C now has no money and their goods are long gone.)
Either way, Credit-Card companies continue making their money. And with the financial resources available to them, our laws are unlikely to improve anytime soon.
"Or Person A does notice the charges, contests them, and shopkeeper C gets stuck with the bill."
Not so in the US for Visa and MasterCard card-present *credit* transactions. If shopkeeper C made the authorization phone call (which is required except for less than $25 at convenience venues [fast food, parking, etc.]) and received approval, then C gets his money and the loss is eaten by the issuer of A's card. That's in practice (and not if fraud by C, etc.) The *law* allows A to be on the hook for $50, or *unlimited* amounts if the card contains A's photo! So, *NEVER* get a credit card with your photo on it!!!
Who does their Risk-Analysis?
Their risk analysis is probably spot on---cost of disclosure is an externality. Marshall's isn't a credit-card company; they don't have to pay customers' costs from this breach. _Their_ only cost is in (quickly forgotten) bad publicity. Whatever custom they lose is down at the noise level. Why should they care?
"The *law* allows A to be on the hook for $50, or *unlimited* amounts if the card contains A's photo! So, *NEVER* get a credit card with your photo on it!!!"
Can you direct me to this law or a discussion on it, because I can't find anything about it. It's counterinuitive too. Why on earth would having your picture on your card make YOU more liable? I can see where it would make a merchant more liable, because they'd have your photo in front of them to help verify your identity. If they don't do so they should be liable, and you absolutely should not be.
>The *law* allows A to be on the hook for $50,
>or *unlimited* amounts if the card contains
>A's photo! So, *NEVER* get a credit card
>with your photo on it!!!
Link please? That makes exactly zero sense.
From the article: "The investigators said it took TJX two years to convert from Wireless Encryption Protocol to more sophisticated Wi-Fi Protected Access, although many retailers had done so."
Okay, so I'll be the pedant who points out surely they meant "Wired Equivalent Privacy," not "Wireless Encryption Protocol."
The reporter may have misunderstood WEP, but the original report gets it right. The report also includes a number of technical details some of you may find interesting.
Despite the best efforts of PCI, I believe incidents like this will only get worse for several reasons. The biggest two are that (1) the information is spread among too many places. Even 99% compliance leaves large gaps. And (2) Check truncation will put checking account information in the same data pools to be compromised the same manner as cardz.
My solution? I don't need cards, I'll revert to cash. That way, I only have to be concerned with a local attacker.
"My solution? I don't need cards, I'll revert to cash. That way, I only have to be concerned with a local attacker."
And you'll be a much larger target to a local attacker. And once you have been robbed, your money is gone (unless you want to pay an insurance deductible on your Homeowner's insurance or something).
With they way Amex and Visa treat me as a customer (and my experiences have been very good when disputing charges), I'll stick with my cards, thank you.
I worked in TJX's IT department a few years before the hack happened. (Different department, my apps dealt with employees, not customers.)
TJX management made it quite clear to the devs that there was to be no time "wasted" on security. Their prime security document was a masterpiece of CYA, without budgeting any time or any money to protecting the data.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.