[ISN] The TJX Effect

From: InfoSec News (alerts@private)
Date: Mon Aug 13 2007 - 00:14:12 PDT


http://www.informationweek.com/news/showArticle.jhtml?articleID=201400171

By Larry Greenemeier
InformationWeek
August 11, 2007

TJX will be glad when this year is over. The $17 billion-a-year parent 
company of T.J. Maxx, Marshall's, and several other discount retail 
chains has spent the past eight months dealing with the largest breach 
of customer data in U.S. history, the details of which are starting to 
come to light.

Last December, TJX says it alerted law enforcement that data thieves had 
made off with more than 45 million customer records. Since that time, at 
least one business, Wal-Mart, has lost millions of dollars as a result 
of the theft, while TJX has spent more than $20 million investigating 
the breach, notifying customers, and hiring lawyers to handle dozens of 
lawsuits from customers and financial institutions. Should TJX lose in 
the courts, it could be on the hook for millions more in damages.

But there's an even broader TJX Effect: The data breach, which actually 
took place over a period of years, has put the entire retail industry on 
the defensive and stirred up demands for all businesses that handle 
payment card information to do a better job of protecting it. 
Legislators are invoking TJX's name to fast-track data-security bills.

Few details of the TJX debacle have been made public by the company or 
investigators. As recently as June, TJX said in a regulatory filing that 
it didn't know "who took this action, whether there were one or more 
intruders involved, or whether there was one continuing intrusion or 
multiple, separate intrusions." Still, important details can be gleaned 
from internal and external sources.

Poorly secured in-store computer kiosks are at least partly to blame for 
acting as gateways to the company's IT systems, InformationWeek has 
learned. According to a source familiar with the investigation who 
requested anonymity, the kiosks, located in many of TJX's retail stores, 
let people apply for jobs electronically but also allowed direct access 
to the company's network, as they weren't protected by firewalls. "The 
people who started the breach opened up the back of those terminals and 
used USB drives to load software onto those terminals," says the source. 
In a March filing with the Securities and Exchange Commission, TJX 
acknowledged finding "suspicious software" on its computer systems.

The USB drives contained a utility program that let the intruder or 
intruders take control of these computer kiosks and turn them into 
remote terminals that connected into TJX's networks, according to the 
source. The firewalls on TJX's main network weren't set to defend 
against malicious traffic coming from the kiosks, the source says. 
Typically, the USB drives in the computer kiosks are used to plug in 
mice or printers. The kiosks "shouldn't have been on the corporate LAN, 
and the USB ports should have been disabled," the source says.

In May, The Wall Street Journal cited a separate entry point, reporting 
that data thieves had accessed an improperly secured Wi-Fi network from 
the parking lot of a Marshall's store in St. Paul, Minn. The thieves 
reportedly used a wireless data poaching tactic called "wardriving" and 
exploited the deficiencies of the aging Wired Equivalent Privacy 
wireless security protocol.

The Wall Street Journal cited sources close to the investigation, and 
TJX wouldn't comment. Mark Loveless, senior security researcher for 
network-access control vendor Vernier, who goes by the online handle of 
"Simple Nomad," says it's possible the cyberattackers stumbled across a 
vulnerable store location while patrolling a strip mall or shopping 
center in their car using a laptop, a telescope antenna, and an 802.11 
wireless LAN adapter. While the TJX store wasn't likely at the top of 
their list, they found that it was accessible and yielded information 
they could use to further penetrate TJX's IT systems. "The allure was 
too good to pass up," he posits.

TJX admits that some of the data was stolen during the payment card 
approval process, in which data is transmitted to payment card issuers 
without encryption. That might refer to a hacking technique called 
"skimming," a variation of which was used to steal 238 payment card 
account numbers earlier this year from four 24-hour Stop & Shop stores 
in Rhode Island and one in Massachusetts.

That scam worked like this: When the data thieves entered a store, one 
of them distracted a clerk while another swapped the store's PIN-pad 
terminal with a nearly identical device that had been electronically 
altered to capture customers' account numbers and PINs. The switch took 
as little as 12 seconds, according to the U.S. Attorney's Office for the 
District of Rhode Island. Several days later, the thieves returned to 
the store, replaced the original terminal, and made off with the altered 
one containing customers' account information.

TJX says it was first tipped to a security problem on Dec. 18, 2006. 
Incident response experts from General Dynamics and IBM confirmed within 
a few days that there had in fact been an intrusion.

However, some financial institutions say they noticed an increase in 
fraudulent activity on cards in their networks in November, which would 
put the break-in, or break-ins, earlier--probably much earlier. "We were 
notified of the TJX compromise by Visa--as well as in the news--in 
January," says the CFO of one credit union, which then reissued payment 
cards to the customers whose data might have been stolen.

TJX says that "due to the type of technology used in the intrusion as 
well as deletions of transaction data in the ordinary course of 
business," it may never be able to identify "much of the information 
believed stolen." The company says the stolen data includes account 
information for about 45.7 million separate payment cards, though TJX 
claims that 75% of those cards were either expired at the time of the 
theft or the stolen information didn't include the security code data 
from the magnetic stripe on the cards. The company thinks that driver's 
license numbers, military IDs, and state IDs for 455,000 customers, 
together with their names and addresses, also were stolen.


STANDARDS WORK -- IF THEY'RE FOLLOWED

To adequately protect cardholder data, companies that handle this 
information need a secure network, some way of securing cardholder data 
during storage and transmission (such as encryption), a process for 
identifying and patching software vulnerabilities, and well-enforced 
access control measures. So says the Payment Card Industry data security 
standard introduced by American Express, MasterCard Worldwide, Visa 
International, and other credit card providers two years before TJX 
announced its data breach.

Of course, PCI improves security only if retailers follow the standard 
closely. TJX said in its 2006 annual report that it "generally" had 
stopped storing magnetic-stripe data after Sept. 2, 2003; "generally" 
encrypted all payment card, check transaction, and personal information 
after April 7, 2004; and "generally" had masked payment card PINs as 
well as portions of payment card transaction and check transaction 
information after April 3, 2006.

However, Visa indicated in February, through a number of documents sent 
to financial institutions that issue cards and manage Visa transactions, 
that TJX was storing card number, expiration date, and card verification 
value codes, all of which are prohibited by PCI. As for its efforts at 
encryption, "We believe the intruder had access to the decryption 
algorithm for the encryption software we utilize," TJX said in its 
annual report.

PCI also covers wireless network security, stating that wireless 
networks transmitting cardholder data must encrypt transmissions by 
using Wi-Fi-protected access (WPA or WPA2) technology, IPsec VPN, or 
SSL/TLS. "Never rely exclusively on wired equivalent privacy (WEP) to 
protect confidentiality and access to a wireless LAN," the standard 
states.


SUNSHINE STATE

Other retailers are starting to feel the TJX Effect. In March, some of 
the stolen data surfaced in Florida, where thieves used it to make phony 
credit cards to steal about $8 million in merchandise from Wal-Mart 
stores in 50 Florida counties. In July, the U.S. Secret Service tied 
stolen TJX customer data to another south Florida fraud ring (see story, 
"The Face Of Identity Theft" [1]).

Banks and transaction processors are pushing back against having to 
cover fraud losses when the poor security practices of others are to 
blame. Several financial institutions have taken the unusual step of 
filing lawsuits against TJX, claiming that the retailer acted 
negligently by storing unprotected credit card holders' information and 
failing to install firewalls to protect sensitive financial databases. 
The Massachusetts Bankers Association filed a class-action suit against 
TJX that will seek to recover damages in the "tens of millions of 
dollars." The Connecticut Bankers Association and the Maine Association 
of Community Banks joined the Massachusetts association's suit as 
co-plaintiffs. TJX is based in Framingham, Mass.

Although aimed at TJX, these lawsuits aren't good news for retailers in 
general. "You don't usually sue merchants," says Mark Macheska, a VP of 
card risk prevention at Citizens Bank, but "the banks are taking all of 
the losses." Payment card information for hundreds of thousands of 
Citizens Bank customers may have been compromised as part of the TJX 
breach.

Lawmakers have used the TJX debacle to push data security legislation. 
On Aug. 1, the Plastic Card Security Act of Minnesota took effect, 
making the state the first to shift the costs associated with data 
breaches from financial institutions to the retailers that mishandle 
consumers' financial data. The law makes it illegal for Minnesota 
businesses to store a customer's PIN, security code, or magnetic-stripe 
information for more than 48 hours after a transaction is authorized. 
Next year, penalties are set to kick in that would give Minnesota 
financial institutions, such as banks and credit unions, the ability to 
sue merchants caught keeping private financial data if there's a 
security breach.

Massachusetts passed a data breach notification law this month, partly 
in reaction to TJX, joining some 30 states that require organizations to 
notify those affected when their personal data has been compromised. But 
not every state is rushing in. In May, Texas shot down a bill that would 
have compelled businesses to better protect and safeguard sensitive 
personal information contained in their customer records.

Still, the passage of the Minnesota law indicates that the TJX data 
breach is "the straw that broke the camel's back" in terms of the 
public's patience with lax data security, says PayPal chief information 
security officer Michael Barrett. "If more states don't pass laws like 
Minnesota did," Barrett says, "we'll just be waiting for the next 
incident before we act."


A PARADOX

There's an interesting paradox in the TJX Effect, and it has to do with 
the company's financial performance. While at least a dozen customers 
have sued the company for not properly protecting their payment 
information--the cases are being consolidated into class-action suits 
and venues are still being chosen--many more are still shopping at its 
stores.

Financial analysts continue to raise their expectations for the 
company's stock price, as first-quarter 2008 sales were up about 6% 
compared with the year-earlier quarter, to $4.1 billion. Net income was 
down less than 2% from a year ago, to $162.1 million--not bad 
considering the $20 million charge TJX had to take.

In a February survey of 1,200 debit card holders by Javelin Strategy & 
Research, three out of four said they wouldn't continue shopping at a 
merchant where a data breach had occurred, says Mary Monahan, a Javelin 
analyst, and 84% said they would shop at merchants that said they were 
security leaders. But the reality seems quite different. "As Americans, 
we're a very convenience-oriented society," says James Lee, public and 
consumer affairs officer for ChoicePoint, a provider of identification 
and credential verification services. In 2005, ChoicePoint reported that 
identity thieves had stolen about 163,000 customer records.

TJX also may be benefiting from reports that identity fraud isn't as 
rampant as many think. Of the 24 data breaches analyzed by the U.S. 
Government Accountability Office in a report issued last month, only 
three included evidence of resulting fraud on existing accounts and only 
one included evidence of an unauthorized creation of a new account. The 
GAO report states that for the 18, "no clear evidence had been uncovered 
linking them to identity theft; and for the remaining two, there was not 
sufficient information to make a determination."


WATERSHED CASE

However, the magnitude of the TJX data breach, and the fact that stolen 
data is starting to surface, may change that perception. "TJX is a 
watershed case in this regard," PayPal's Barrett says. When customer 
data is stolen, as opposed to lost, you can be sure that someone's 
looking to use that information for financial gain. "Having an 
information breach is now an extremely significant operational risk," 
Barrett says. "There are very few risks that are worse than that."

Are executives nationwide worried about the TJX Effect? "Absolutely," 
says Andre Gold, head of technology risk management at ING U.S. 
Financial Services and former director of information security for 
Continental Airlines. "That's the kind of info that my executives are in 
tune to, because they want to make sure we're aware of this so that the 
same thing doesn't happen to us." The main takeaway: Look for weak links 
within your organization, because if you don't find them, someone else 
will.

ChoicePoint's Lee says the TJX data breach will force companies to be 
more transparent about the customer data they keep and how they protect 
it. ChoicePoint has accelerated a project to automate the way it 
discloses personal information to consumers who request it. Right now, 
if consumers want to know what information ChoicePoint has on them, the 
company puts together a report manually and mails it to them. To keep up 
with TJX-inspired demand, Lee's working to automate the system, a 
project that could take up to 26 weeks to complete, he says.

The National Retail Federation, whose eight-member executive committee 
includes CEOs from Ethan Allen Interiors, J.C. Penney, and Liz 
Claiborne, advocates several measures to prevent another data breach on 
the scale of TJX's. Rather than retain credit card information after a 
transaction is completed in order to settle disputes and handle 
chargebacks for returned merchandise, federation CIO Dave Hogan 
recommends retaining only information about the transaction 
itself--store number, time and date stamp, register number, and 
authorization number. "That would minimize, if not stop, payment card 
fraud," he says.
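As an added example (not code from the article, TJX, or the National Retail Federation), here is how a merchant system could reduce a card authorization record to the transaction metadata Hogan recommends, mask the card number, and audit stored records against a 48-hour retention window like Minnesota's. Field names, the masking convention (first six and last four digits), and the sample record are constructed assumptions.

```python
"""Added example: keep only retainable transaction metadata, mask the PAN,
and flag stored records that still hold forbidden card data past 48 hours.
All field names and sample data are constructed for illustration."""
from datetime import datetime, timedelta

# Data PCI forbids storing after authorization: full magnetic-stripe
# track data, the card verification value, and PINs (assumed field names).
FORBIDDEN_AFTER_AUTH = {"track1", "track2", "cvv", "pin", "pin_block"}
# Transaction metadata only, as recommended for dispute handling.
RETAINED_FIELDS = {"store_number", "timestamp", "register_number", "auth_code"}

def mask_pan(pan: str) -> str:
    """Mask a card number to first six and last four digits (assumed convention)."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("PAN too short to be a card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def sanitize_for_storage(record: dict) -> dict:
    """Return a copy holding only retainable metadata plus a masked PAN."""
    kept = {k: v for k, v in record.items() if k in RETAINED_FIELDS}
    if "pan" in record:
        kept["pan_masked"] = mask_pan(record["pan"])
    return kept

def retention_violations(records, now_iso: str, max_age_hours: int = 48) -> list:
    """Return auth codes of records older than max_age_hours that still
    contain any forbidden field (the Minnesota 48-hour rule)."""
    now = datetime.fromisoformat(now_iso)
    limit = timedelta(hours=max_age_hours)
    flagged = []
    for rec in records:
        age = now - datetime.fromisoformat(rec["timestamp"])
        if age > limit and FORBIDDEN_AFTER_AUTH & set(rec):
            flagged.append(rec.get("auth_code"))
    return flagged

# Constructed sample authorization record; not real cardholder data.
SAMPLE_AUTH = {
    "store_number": "0417", "register_number": "3",
    "timestamp": "2007-08-10T14:02:00+00:00", "auth_code": "A1B2C3",
    "pan": "4111111111111111", "expiry": "0909", "cvv": "123",
    "track2": ";4111111111111111=09091011234567890?",
}

if __name__ == "__main__":
    print(sanitize_for_storage(SAMPLE_AUTH))
    print(retention_violations([SAMPLE_AUTH], "2007-08-13T00:00:00+00:00"))
```

The audit function is what a nightly job would run over the stored transaction table; anything it flags is data the merchant should not have been holding at all.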

At the very least, retailers should require customers to enter a PIN for 
debit and credit purchases to be processed. This doesn't solve the data 
theft problem, but it does reduce risk, Hogan says. Even better, credit 
card companies will eventually replace magnetic-stripe cards in favor of 
those with embedded chips that require PINs whenever they're used.

For others, the lesson is simple. "Get serious about getting PCI 
certified," says PayPal's Barrett. To get that seal, you must have your 
IT systems inspected by a Qualified Security Assessor or an Approved 
Scanning Vendor that's been blessed by American Express, Discover, JCB, 
MasterCard Worldwide, and Visa International--all founding members of 
the PCI Security Standards Council. The inspector checks an 
organization's IT systems against the criteria published in the PCI data 
security standard. There are dozens of QSAs and ASVs, including Deloitte 
& Touche and Dimension Data.

With any luck, the TJX Effect will teach retailers this basic lesson: 
Thieves can't steal sensitive customer data if retailers aren't storing 
it.

[1] http://www.informationweek.com/story/showArticle.jhtml?articleID=201400172

Copyright © 2007 CMP Media LLC
