Kill Your WEP Now - Sister CISA CISSP

Aug 7 2008   4:39PM GMT

Kill Your WEP Now
Posted by: Arian Eigen Heald
Wireless, Security, Compliance, Data Breaches, PCI DSS

Tuesday’s announcement of the indictment of 11 people for “the largest data breach in history” was an interesting read:

The indictment returned Tuesday by a federal grand jury in Boston alleges that the suspects hacked into the wireless computer networks of retailers including TJX Cos., BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW and set up programs that captured card numbers, passwords and account information.

What was the common technical denominator of the attacks? Wireless networks. Think wireless cash registers connecting to local servers, which in turn transmit the information to corporate databases.

TJX had no firewall between its insecure wireless network and its corporate network. It was using WEP, a wireless encryption protocol that can be cracked with trivial effort (about 10 minutes).
BJ’s failed to encrypt customer data when it was transmitted or stored on BJ’s computers, kept that data in files accessible using default passwords, and ran insecure, insufficiently monitored wireless networks. (There was an unsecured access point at a store.)
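The two failures above, WEP on the store wireless and no segmentation behind it, are the kind of thing a quick inventory check should catch before an auditor or an attacker does. As an added example (not from the original post), here is a small Python audit that reads the terse output of `nmcli -t -f SSID,BSSID,SECURITY dev wifi list` (the field order and backslash-escaping of colons inside field values are assumed from nmcli’s terse mode) and flags every access point that is still open or still on WEP. It goes slightly beyond the post by also marking WPA1-only networks as a warning. The scan text embedded below is constructed sample data, not a real capture.

```python
"""Audit a Wi-Fi scan for access points that are open or still using WEP.

Added example, not code from the original post. Input format is assumed to be
nmcli terse output: SSID:BSSID:SECURITY, with ':' inside a value escaped as '\\:'.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample scan (not a real capture). Each line is SSID:BSSID:SECURITY;
# the colons inside the BSSID are backslash-escaped as nmcli's terse mode does.
SAMPLE_SCAN = """\
STORE-POS:AA\\:BB\\:CC\\:00\\:01\\:02:WEP
STORE-CORP:AA\\:BB\\:CC\\:00\\:01\\:03:WPA2
GUEST:AA\\:BB\\:CC\\:00\\:01\\:04:
BACKOFFICE:AA\\:BB\\:CC\\:00\\:01\\:05:WPA1 WPA2
"""

# Split only on colons that are NOT preceded by a backslash.
SPLIT_UNESCAPED_COLON = re.compile(r"(?<!\\):")


@dataclass(frozen=True)
class Finding:
    ssid: str
    bssid: str
    security: str
    severity: str  # "critical", "warning" or "ok"
    reason: str


def parse_terse_line(line: str) -> tuple[str, str, str]:
    """Split one terse nmcli line into (ssid, bssid, security), unescaping '\\:'."""
    fields = [f.replace("\\:", ":") for f in SPLIT_UNESCAPED_COLON.split(line)]
    if len(fields) != 3:
        raise ValueError(f"expected 3 fields, got {len(fields)}: {line!r}")
    return fields[0], fields[1], fields[2]


def classify(security: str) -> tuple[str, str]:
    """Map nmcli's SECURITY column to a severity and a short reason."""
    tokens = set(security.upper().split())
    if not tokens:
        return "critical", "no encryption at all (open network)"
    if "WEP" in tokens:
        return "critical", "WEP is broken; move to WPA2/WPA3"
    if "WPA1" in tokens and not tokens & {"WPA2", "WPA3"}:
        return "warning", "WPA1/TKIP only; deprecated, upgrade when possible"
    return "ok", "modern encryption"


def audit_scan(scan_text: str) -> list[Finding]:
    """Classify every non-empty line of a terse scan."""
    findings: list[Finding] = []
    for raw in scan_text.splitlines():
        if not raw.strip():
            continue
        ssid, bssid, security = parse_terse_line(raw)
        severity, reason = classify(security)
        findings.append(Finding(ssid, bssid, security, severity, reason))
    return findings


def must_fix(findings: list[Finding]) -> list[Finding]:
    """The subset an auditor would write up as immediate findings."""
    return [f for f in findings if f.severity == "critical"]


if __name__ == "__main__":
    for f in audit_scan(SAMPLE_SCAN):
        print(f"{f.severity:8} {f.ssid:12} {f.bssid}  {f.security or '<open>':10} {f.reason}")
```

Run it against live data with `nmcli -t -f SSID,BSSID,SECURITY dev wifi list | python3 -c 'import sys, audit; ...'` or paste the output into `SAMPLE_SCAN`; anything that lands in `must_fix` is an access point that should be reconfigured or pulled, and the post’s other point still stands even for the “ok” rows: a wireless segment that has no firewall in front of the corporate network remains a problem regardless of the encryption on the air.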

Although the Attorney General said that “They used sophisticated computer hacking techniques that would allow them to breach security systems,” the Feds later commented that
“The alleged thieves weren’t computer geniuses, just opportunists who used a technique called ‘wardriving,’ which involved cruising through different areas with a laptop and looking for accessible wireless Internet signals. Once they located a vulnerable network, they installed so-called ‘sniffer programs’ that captured credit and debit card numbers as they moved through a retailer’s processing networks.”

So they drove around, found a signal they could crack, installed sniffers and probably got all the way into corporate networks. You have to know that sniffing alone would not capture millions of numbers - I’m still betting they got into corporate databases. All it takes is one open wireless access point if your access points aren’t segregated from your network.

Sadly, of the 11 people indicted, only three are in custody in the United States.
