Other Stores May Be Just As Vulnerable To Hacking As TJ Maxx

The Wall Street Journal is reporting that the most likely scenario for how the hackers stole an estimated 200 million card numbers is as simple as a person with a laptop breaking into the Wi-Fi network of a store:

The biggest known theft of credit-card numbers in history began two summers ago outside a Marshalls discount clothing store near St. Paul, Minn.

There, investigators now believe, hackers pointed a telescope-shaped antenna toward the store and used a laptop computer to decode data streaming through the air between hand-held price-checking devices, cash registers and the store’s computers. That helped them hack into the central database of Marshalls’ parent, TJX Cos. in Framingham, Mass., to repeatedly purloin information about customers.

The $17.4-billion retailer’s wireless network had less security than many people have on their home networks, and for 18 months the company — which also owns T.J. Maxx, Home Goods and A.J. Wright — had no idea what was going on.

Gee, whiz! George Ou at ZDNet heard that and wondered which other stores might be running insecure wireless networks that could allow someone with a big antenna and a laptop to steal 200 million credit card numbers. So he went out and learned as much as he could without breaking the law. What he found was disturbing.

The type of wireless security George was looking for is called WEP, and it’s not that difficult to crack. It’s about the same level of security that most people have on their home networks. It’s probably fine for your needs, but a corporation needs something, uh, more robust.

The following stores were mentioned by George as having the potential to be hacked. Naturally, he didn’t try to break in because he’s not an evil douchebag and he doesn’t want to go to jail. So keep that in mind.

Lowe’s:
I saw a combination of WPA and WEP coming from Lowe’s Home Improvement store. The problem is that almost all of the wireless clients were connected using WEP and actively transmitting data. Even if no one is using WEP but the WEP network exists and gets broken into, the hacker will come in via WEP and it doesn’t matter if WPA is mostly being used.

JCPenney:
JCPenney only used WEP on their network and it was actively being used by many wireless LAN clients. It does not look good at all.

Macy’s:
Macy’s only used WEP on their network and it was very active. I could see a lot of Cisco and Symbol clients connected to the access points. These clients may be the cash registers. Macy’s does not look good.

Best Buy:
Best Buy was sort of an odd case. The first network I saw from them was labeled “BestBuy” for the SSID and it was in the clear with zero security. I walked in to ask them if they were offering free Wi-Fi access and the nice employee told me no. Then he wanted to be helpful so he told me to go ahead and try to get on the network to get access and I had to hold my laughter back.

PetSmart pet store:
PetSmart only showed a WPA network. However, WEP and WEP40 compatibility was also detected so it isn’t clear what the risk is without doing a penetration test which I can’t legally do.

Office Depot:
Office Depot actually had a “Free Wi-Fi” sign with a two-page instruction sheet on how to get free Wi-Fi service in their store. I didn’t see any customers using it but I found it strange that so many devices were actively using it.

Yikes! This is all very disturbing because, obviously, the success of the TJX massacre will no doubt encourage other similar-minded individuals to try the same thing on other stores. Sounds like Macy’s is a good place to start.—MEGHANN MARCO

Retailers haven’t learned from TJX – still running WEP [ZDNet]
TJX’s failure to secure Wi-Fi could cost $1B [ZDNet]
How Credit-Card Data Went Out Wireless Door [WSJ]
(Photo: pierre lascott)
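
The weakest-link point in the findings above (a WEP network that merely exists undoes the WPA running beside it) can be checked against a retailer's own access-point inventory. This is an added example, not from the article or from George Ou's report; the site names, SSIDs, client counts, the `internal` flag and the WPA policy floor are all constructed assumptions.

```python
# Added example: audit a wireless inventory for the weakest-link problem.
# Every row below is constructed sample data, not a real scan result.
from collections import defaultdict

# Lower rank = weaker protection.
RANK = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3}
MINIMUM = "WPA"  # assumption: policy floor for networks that reach store systems

# (site, ssid, {mode advertised: clients associated}, bridged to internal LAN?)
INVENTORY = [
    ("store-a", "pos-net", {"WPA": 2, "WEP": 14}, True),   # mixed, WEP in use
    ("store-b", "pos-net", {"WEP": 9}, True),               # WEP only
    ("store-c", "guest", {"OPEN": 5}, False),               # open, internet only
    ("store-d", "pos-net", {"WPA": 11, "WEP": 0}, True),    # WEP compat left on
    ("store-e", "pos-net", {"WPA2": 8}, True),              # meets the floor
]

def audit(inventory, minimum=MINIMUM):
    """Return {site: [findings]}; each network is judged by its weakest mode."""
    findings = defaultdict(list)
    for site, ssid, clients_by_mode, internal in inventory:
        weakest = min(clients_by_mode, key=RANK.__getitem__)
        if not internal:
            # An isolated network exposes its own users, not store systems,
            # but only if the isolation actually holds.
            findings[site].append(f"{ssid}: {weakest} but isolated; verify segmentation")
            continue
        if RANK[weakest] >= RANK[minimum]:
            continue  # every advertised mode meets the floor
        active = clients_by_mode[weakest]
        stronger = [m for m in clients_by_mode if RANK[m] >= RANK[minimum]]
        if stronger and active == 0:
            findings[site].append(f"{ssid}: {weakest} enabled with no clients; disable it")
        elif stronger:
            findings[site].append(f"{ssid}: mixed mode, {active} clients still on {weakest}")
        else:
            findings[site].append(f"{ssid}: {weakest} only, {active} active clients")
    return dict(findings)

if __name__ == "__main__":
    for site, notes in audit(INVENTORY).items():
        print(site, notes)
```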

Comments

  1. tz says:

    WEP is really badly broken. For details, listen to the podcast or read the paper. Most sites cracked in under 1 minute.

    See episode 89 (and some much earlier) of Security Now:

    http://www.grc.com/SecurityNow.htm

    The new (and much more serious crack) is detailed at:

    http://www.cdc.informatik.tu-darmstadt.de/aircrack-ptw/

    Consider WEP to be the same as None.

  2. gamble says:

    Despite being illegal and really, really wrong to go and steal people’s credit card numbers, I have to say, the people who did it are exceedingly clever.

    I’m impressed.

  3. joopiter says:

    Don’t use checks because they’ve got all your banking information printed on them.

    Don’t use credit cards or debit cards because hackers can break into unsecured wi-fi networks.

    Don’t carry loads of cash lest you be mugged.

    I say we go back to the bartering system.

  4. mac-phisto says:

    i would imagine that a big problem behind this is the age of the equipment used in most of these stores. how many times have you walked into a store utilizing 10 year old computers running a dos-emulated pos system on a winnt platform? it was probably a hassle just to get wep to interface, let alone something more robust.

  5. 44 in a Row says:

    You think credit card numbers are bad? At Macy’s, the cash registers often ask people for their drivers license numbers when using a Macy’s card. Which then goes across the network and is transmitted to the Macy’s central system. How many times a day do you think people submit to such a request?

  6. destijl says:

    What about pharmacies? All that information…not just credit card #s at the register, but insurance information, ssn’s, medical info; all that info that’s used to communicate to insurance companies in order to process claims… it’s likely flying through the air too, unsecured.

  7. thrillhouse says:

    @mac-phisto:

    You’re right, Mac-Phisto, tho 10 years old may be a tad generous:) It is amazing how old and decrepit some POS machines are. Then again, maybe you’re safer there with little or no wireless?

  8. zibby says:

    WEP? What is this, 1999? Most private users I know use better – although a few use nothing at all, good luck with that.

  9. andyj76 says:

    Wireless security is broken.
    If you must use wireless, then the best solution is to set up the wireless network as an untrusted LAN and then use a VPN to connect authorised devices to the wired network.
    But that’s not likely to happen, is it… :-S

  10. IC18 says:

    @zibby I agree. the last time I used WEP encryption on my home network was like back in 2000, the Jurassic age in tech years.

  11. mac-phisto says:

    @zibby, @IC18: ahh, well then you squares obviously do not have a nintendo ds in your house!

    that’s the only example that i’m currently having issues with, but i’ve heard of others – cameras, network storage, etc. mostly older equipment, but still.

    you can have your security all you want. i’ll take my handheld super mario kart online multiplayer thank you very much!

  12. Gamby says:

    44 in a row, that’s nothing. I was with my mother around Christmas time at the mall. I think we were at JCPenney and she didn’t have her member card on her. It was ok though; all she had to do was type her Social Security number in a keypad in open sight in a crowded area.

  13. pestie says:

    As I sit here in my office with my ancient Pentium 166 laptop next to me, which is dedicated to wireless network tinkering, running Kismet (a wireless network monitoring tool, and the “wardriving” tool of choice), looking at all the wide-open access points I can see around me in this commercial district, I read this headline and say to myself – “Duh! Gee, ya think??”

    It’s amazing, but people – businesses and individuals – really don’t know and/or care about wireless security.

  14. I want to know how in the hell I am supposed to get into the Marshalls store pictured above.

  15. Nytmare says:

    Wireless networking is more expensive, more complex, and totally insecure. Why use it at all? Do managers have to carry laptops around doing inventory while connecting to the network?

  16. @mac-phisto: I have the very same problem with my handheld as well. Wireless needs to be broken for certain devices and I believe that this is the same issue affecting these stores.

    Olde equipment and their bottom line is to make money. Not lose money trying to protect your information. There is no incentive for these companies to take any sort of precautionary measures except for maybe PR but even then it is more profitable to ignore it.

    Look at TJMaxx. For years they had been leaking information and they probably even knew about it. But why would they invest in security measures when there is absolutely no turn around on that investment?

  17. Pupator says:

    Best Buy’s is actually safe – this is one of the few things they get right. Best Buy does not allow any wireless equipment to be attached to the intranet (in fact, no unauthorized wired computers can be either). So Best Buy stores also have a cable internet connection – just like home users do. This connection is run through a proxy and is used by the Geek Squad and the Computers departments so that they can connect as necessary (for example – Geek Squad connects customer’s computer to the net to do Windows Updates; computer salesmen do it to demonstrate the internet browsing on the display computers.)

    In short – the Best Buy wireless is unsecured because it doesn’t connect to anything in the store – only the internet, and that through a proxy. Even if you get the proxy address and “break in,” there’s nothing there you want.