TJX Hack Blamed on Poor Encryption
Remember the TJX hack from May 2007?
Seems that the credit card information was stolen by eavesdropping on wireless traffic at two Marshalls stores in Miami. More details from the Canadian privacy commissioner:
“The company collected too much personal information, kept it too long and relied on weak encryption technology to protect it—putting the privacy of millions of its customers at risk,” said Stoddart, who serves as an ombudsman and advocate to protect Canadians’ privacy rights.
[…]
Retail wireless networks collect and transmit data via radio waves so information about purchases and returns can be shared between cash registers and store computers. Wireless transmissions can be intercepted by antennas, and high-power models can sometimes intercept wireless traffic from miles away.
While such data is typically scrambled, Canadian officials said TJX used an encryption method that was outdated and vulnerable. The investigators said it took TJX two years to convert from Wireless Encryption Protocol to more sophisticated Wi-Fi Protected Access, although many retailers had done so.
Carlo Graziani • October 1, 2007 3:23 PM
Given the ease of encrypting data at the application layer (using ssh, for example, or relying on *ssl libraries), it strikes me as just lazy to rely entirely on wireless link layer security, even if one has the wit to choose WPA over WEP (which TJX didn’t). The notion of security in depth evidently doesn’t carry enough weight with business application programmers and network designers.