Security Watch: Don't get burned by viruses and hackers
Wireless identity thieves
By Robert Vamosi 
Senior editor, CNET Reviews
May 11, 2007

According to an article in the Wall Street Journal (subscription required), the nation's largest identity theft operation, involving customers of TJX Companies (owners of TJ Maxx, Marshalls, and other discount stores), began in the parking lot outside a Marshalls discount clothing store in St. Paul, Minnesota. Criminal hackers, using a directional antenna, sat in their car and eavesdropped on wireless communications within the store. Over an unspecified period of time, the thieves were able to capture everything from the use of wireless handheld price-checking devices to wireless cash register transactions. But it was the wireless network for the store's main computers that ultimately allowed the criminal hackers into TJX. Once inside that network, they were able to download millions of credit card numbers, some of which have shown up on carder networks in eight different countries.

Credit data out the window
Over a period of two years, the hackers, still unknown, were able to download 45.7 million credit card numbers, with estimates in the Wall Street Journal article suggesting it might reach 200 million, spanning a period of more than four years. Clearly this is a big deal. Whether we shopped at these stores or not, we are all paying for this credit theft. Banks are having to reissue credit cards (this costs the banks), and investigators in eight countries are pursuing the use of these numbers (this diminishes the law enforcement available to fight other cybercrimes).

According to Secure Computing Magazine, the Marshalls store was using WEP encryption, but this form of encryption has been shown to be weak against a targeted attack. German security researchers recently broke 802.11g-based WEP in just under 20 seconds. (The TJX attack occurred some time ago, possibly starting as early as 2003.) WPA or WPA2 encryption is now recommended for home or corporate use.

Not the first time
But TJX Co is not alone. I wrote previously about a similar hack at Lowe's, the nationwide hardware store, in the spring of 2003. At the time, Paul Timmins, then 23, and Adam Botbyl, then 20, were members of Michigan 2600, a group of local hackers that discourages its members from illegally accessing networks or committing any crimes in general, and whose members meet periodically over Coke and pizza to share new techniques and skills. While out wardriving, that is, looking for open wireless networks, in Southfield, Michigan, they came upon a Lowe's hardware store with an open wireless network. Timmins later admitted to Kevin Poulsen at Security Focus that what he did next was technically illegal: he used Lowe's wireless network to check his e-mail. When he realized it was Lowe's private network, however, Timmins says, he disconnected.

On November 5, 2003, in a parking lot of a Lowe's in Southfield, Michigan, a third person, Brian Salcedo, and Adam Botbyl returned to the wireless network, and this time attempted to load an unspecified malicious program created by Salcedo on several computers in a Long Beach, California, store. It might have been an early attempt to capture credit card transactions, but the app crashed several point-of-sale machines at the store. Two days later, the FBI arrested the group.

Watch your neighbors
It's not just big businesses that are getting hacked; homes are as well. In the United Kingdom there have been a few recent arrests and sentences of individuals caught using a laptop to secure the wireless networks of others. According to the BBC, Gregory Straszkiewicz used the Wi-Fi services of an Ealing resident while sitting in his parked car. It wasn't Straszkiewicz's first time. Neighbors had phoned the police before regarding suspicious activity, having seen Straszkiewicz on and off over a period of three months. Prosecuted under the Communications Act, part of the Computer Misuse Act, for dishonestly obtaining an electronic communications service, Straszkiewicz was ordered to pay 500 pounds and also had to forfeit his laptop and wireless card. That sentence seems light compared with that of Salcedo, the first person sentenced for a wireless attack in the United States. He was sentenced to nine years for hacking into Lowe's (Timmins and Botbyl received lesser sentences).

Bottom line: you should encrypt your wireless network, whether at home or in the office, and if possible restrict your wireless network to only work with the MAC addresses of devices you own. Layering WEP, WPA, or WPA2 with MAC address permissions and stealthing one's SSID can further keep your home network safe. For more details, see my slide show on how to secure your home wireless network.
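
To check which of your own access points still advertise WEP or no encryption at all, the beacon frames they broadcast can be classified directly. The following is an added example, not part of the original column: it assumes you already have the beacon frame body (the bytes after the 802.11 MAC header) from a capture of your own network, and the sample beacons and SSIDs in it are constructed.

```python
import struct

PRIVACY_BIT = 0x0010  # capability flag: data frames are encrypted
WPA_VENDOR_PREFIX = bytes.fromhex("0050f201")  # Microsoft OUI + type 1 = WPA element

def iter_elements(buf):
    """Yield (element_id, payload) pairs from 802.11 tagged parameters."""
    pos = 0
    while pos + 2 <= len(buf):
        eid, length = buf[pos], buf[pos + 1]
        payload = buf[pos + 2:pos + 2 + length]
        if len(payload) < length:  # truncated element: stop rather than guess
            return
        yield eid, payload
        pos += 2 + length

def classify_beacon(body):
    """Return (ssid, security) for a beacon frame body (after the MAC header)."""
    # Fixed fields: 8-byte timestamp, 2-byte interval, 2-byte capabilities.
    _, _, caps = struct.unpack_from("<QHH", body)
    ssid, has_rsn, has_wpa = None, False, False
    for eid, payload in iter_elements(body[12:]):
        if eid == 0:  # SSID; empty or all-zero means the name is hidden
            ssid = payload.decode("utf-8", "replace") if payload.strip(b"\x00") else "<hidden>"
        elif eid == 48:  # RSN element, advertised by WPA2
            has_rsn = True
        elif eid == 221 and payload.startswith(WPA_VENDOR_PREFIX):
            has_wpa = True
    if has_rsn or has_wpa:
        return ssid, "WPA2" if has_rsn else "WPA"
    # Privacy bit with no WPA/RSN element means legacy WEP.
    return ssid, "WEP" if caps & PRIVACY_BIT else "OPEN"

def _beacon(ssid, caps, extra=b""):  # helper that builds the constructed samples
    return struct.pack("<QHH", 0, 100, caps) + bytes([0, len(ssid)]) + ssid + extra

# Constructed sample beacons (illustrative bytes, not captured traffic).
SAMPLES = [
    _beacon(b"store-pos", 0x0011),
    _beacon(b"home", 0x0011, bytes([48, 2, 1, 0])),
    _beacon(b"", 0x0011, bytes([221, 6]) + WPA_VENDOR_PREFIX + b"\x01\x00"),
    _beacon(b"guest", 0x0001),
]

def audit(beacons):
    """Return the SSIDs whose beacons advertise WEP or no encryption."""
    return [s for s, sec in map(classify_beacon, beacons) if sec in ("WEP", "OPEN")]
```

Note that a hidden SSID only blanks the name field in the beacon; the encryption type is still advertised in the clear, which is why the third sample is classified even though its name is empty.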

This column was updated on 05/15/07 to clarify the roles of those involved in the Lowe's wireless attack.

Is your home wireless network secure? Do you even know? Talk back to me

TalkBack
19 messages

Article discussion: Wireless identity thieves


Latest post:

"Safety since my wireless connection"
by slamina - June 16, 2007 1:45 PM PDT
I've always had either a dialup or cable internet until I went to wireless 2 months ago. Since then I have had floods of spam I've sent to ftc.gov. These are all concerning money i...

Security Advisors

I thought big stores like this had "security advisors" People that set up the ne...
by jjennings2510 - June 7, 2007 10:53 AM PDT

Recommendations wrong by ZDnet blogger

So your idea is right to secure your wireless network, however MAC filtering, SS...
by smileyj - May 15, 2007 10:34 PM PDT
0 out of 5 users found this comment helpful

cNET is smart!!

Yeah use WEP security! It only takes 10 mins to break with KnopixSTD which every...
by LaVaism - May 15, 2007 7:54 PM PDT

These aren't true hacks.

These are simply foolish people/organizations that didn't protect their network....
by qprize - May 15, 2007 6:01 PM PDT

Poor research does a disservice

The facts of the case above involving Lowes are not accurate. Paul Timmins did ...
by atlas.shrugged - May 15, 2007 3:28 PM PDT
5 out of 5 users found this comment helpful | 2 comments

WIRELESS IDENTITY THIEVES ASSOCIATED WITH TJX

I'm eager to find out how long is this going to continue. Ironically, I received...
by Miz KoKo H-T - May 14, 2007 11:26 PM PDT
10 out of 10 users found this comment helpful

Wardriving and bluesnarfing

See this article from 2004

http://tinyurl.com/ywyuj9

by zizzzzzzz - May 14, 2007 1:43 AM PDT
5 out of 5 users found this comment helpful

Robert, I know it's a slow news day, but...

Come on, man... A little *information* would be nice. We've known about the TJ...
by John McGhie - May 14, 2007 1:41 AM PDT
5 out of 5 users found this comment helpful | 4 comments


Copyright ©2008 CNET Networks, Inc. All rights reserved.