Other Stores May Be Just As Vulnurable To Hacking As TJ Maxx

The Wall Street Journal is reporting that the most likely scenario for how the hackers stole an estimated 200 million card numbers is as simple as a person with a laptop breaking into the wifi network of a store:

The biggest known theft of credit-card numbers in history began two summers ago outside a Marshalls discount clothing store near St. Paul, Minn.

There, investigators now believe, hackers pointed a telescope-shaped antenna toward the store and used a laptop computer to decode data streaming through the air between hand-held price-checking devices, cash registers and the store’s computers. That helped them hack into the central database of Marshalls’ parent, TJX Cos. in Framingham, Mass., to repeatedly purloin information about customers.

The $17.4-billion retailer’s wireless network had less security than many people have on their home networks, and for 18 months the company — which also owns T.J. Maxx, Home Goods and A.J. Wright– had no idea what was going on.

Gee, whiz! George Ou at ZDnet heard that and wondered which other stores might be running insecure wireless networks that could allow someone with a big antenna and a laptop to steal 200 million credit card numbers. So he went out and learned as much as he could without breaking the law. What he found was disturbing.

The type of network George was looking for is called WEP, and it’s not that difficult to crack. It’s about the same level of security that most people have on their home networks. It’s probably fine for your needs, but a corporation needs something, uh, more robust.

The following stores were mentioned by George as having the potential to be hacked. Naturally, he didn’t try to break in because he’s not an evil douchebag and he doesn’t want to go to jail. So keep that in mind.

I saw a combination of WPA and WEP coming from Lowes Home Improvement store. The problem is that almost all of the wireless clients were connected using WEP and actively transmitting data. Even if no one is using WEP but the WEP network exists and gets broken into, the hacker will come in via WEP and it doesn’t matter if WPA is mostly being used

JCPenny only used WEP on their network and it was actively being used by many wireless LAN clients. It does not look good at all.

Macy’s only used WEP on their network and it was very active. I could see a lot of Cisco and Symbol clients connected to the access points. These clients may be the cash registers. Macy’s does not look good.

Best Buy:
Best Buy was sort of an odd case. The first network I saw from them was labeled “BestBuy” for the SSID and it was in the clear with zero security. I walked in to ask them if they were offering free Wi-Fi access and the nice employ told me no. Then he wanted to be helpful so told me to go ahead and try to get on the network to get access and I had to hold my laughter back.

PetSmart pet store:
PetSmart only showed a WPA network. However, WEP and WEP40 compatibility was also detected so it isn’t clear what the risk is without doing a penetration test which I can’t legally do.

Office Depot:
Office Depot actually had a “Free Wi-Fi” sign with a two-page instruction sheet on how to get free Wi-Fi service in their store. I didn’t see any customers using it but I found it strange that so many devices where actively using it.

Yikes! This is all very disturbing because, obviously, the sucess of the TJX massacre will no doubt encourage other similar-minded individuals to try the same thing on other stores. Sounds like Macy’s is a good place to start.—MEGHANN MARCO

Retailers haven’t learned from TJX – still running WEP [ZDNet]
TJX’s failure to secure Wi-Fi could cost $1B [ZDNet]
How Credit-Card Data Went Out Wireless Door [WSJ]
(Photo: pierre lascott)