Thursday, August 07, 2008

What You Can Learn from the TJX Credit Card Mess

Just to be clear, while this credit card heist will likely forever be known as the TJX case, it only started with TJX, and eventually spread to eight other retailers, including TJX Cos, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.

The Department of Justice announced charges on Tuesday, involving 11 people and over 40 million credit and debit cards.

The hackers broke into systems by "wardriving" --- driving around and looking for unsecured wireless networks, then hacking into them.

Once in, the hackers installed programs designed to capture card numbers, passwords and other account information, and then stored the data in encrypted computer servers in Eastern Europe and the U.S. Fun stuff.

Eleven have been charged, but only three are in custody: Albert "Segvec" Gonzalez, Christopher Scott and Damon Patrick Toey, all from Miami.

Others indicted are Maksym "Maksik" Yastremskiy, of Kharkov, Ukraine; Aleksandr "Jonny Hell" Suvorov, of Sillamae, Estonia; Hung-Ming Chiu and Zhi Zhi Wang of China; Sergey Pavlovich of Belarus; Dzmitry Burak and Sergey Storchak, both of the Ukraine; and finally a person known only by the online nickname "Delpiero."

Although TJX was the first retailer hacked, it's interesting that it was using encryption on its wireless network. However, it was using WEP, an old protocol shown to be easily hacked.

So what can the public learn from this case, aside from don't use credit cards (which ain't gonna happen) or use 24x7 credit monitoring (which ain't going to happen for most people, anyway)? You don't need to go around feeling like you're in constant danger, but as I said, the criminals went around looking for unsecured wireless networks. Duh, easy step: secure your home network.

Even now, I can see at least one unsecured home network in the area of my home. And don't use WEP. Use WPA or WPA-2. It's not that hard; your router should have instructions, or if you are still confused Google for something like "set WPA linksys router" which would lead you to this article, for example.

And, don't forget to change the administrator password for your router. They all come with default passwords and they are well-known.
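To check the WEP-versus-WPA advice above against your own equipment, here is an added example (not part of the original post) that reads a Wi-Fi scan and reports how each of your own network names is protected. It assumes the terse output of `nmcli -t -f SSID,SECURITY device wifi list` on Linux; the sample scan, the SSIDs and the function names are constructed for illustration.

```python
# Constructed sample of `nmcli -t -f SSID,SECURITY device wifi list` output.
# Terse mode separates fields with ':' and backslash-escapes a literal ':'.
SAMPLE_SCAN = r"""HomeNet:WPA2
OldRouter:WEP
Garage\:2.4:
Upstairs:WPA1 WPA2
"""

def split_terse(line):
    """Split one terse line on unescaped ':' and unescape the fields."""
    fields, i = [""], 0
    while i < len(line):
        if line[i] == "\\" and i + 1 < len(line):
            fields[-1] += line[i + 1]   # keep the escaped character
            i += 2
        elif line[i] == ":":
            fields.append("")           # field boundary
            i += 1
        else:
            fields[-1] += line[i]
            i += 1
    return fields

def classify(security):
    """Map the SECURITY column to open / wep / wpa."""
    tokens = security.split()
    if not tokens or tokens == ["--"]:   # assumption: empty or "--" means no encryption
        return "open"
    if "WEP" in tokens:                  # the protocol TJX was using
        return "wep"
    if any(t.startswith("WPA") for t in tokens):
        return "wpa"                     # what the post recommends
    return "unknown"

def audit(scan_text, my_ssids):
    """Return {ssid: verdict} for the networks you own."""
    seen = {}
    for line in scan_text.splitlines():
        if not line.strip():
            continue
        fields = split_terse(line)
        security = fields[1] if len(fields) > 1 else ""
        seen[fields[0]] = classify(security)
    return {ssid: seen.get(ssid, "not seen") for ssid in my_ssids}

if __name__ == "__main__":
    for ssid, verdict in audit(SAMPLE_SCAN, ["HomeNet", "OldRouter", "Garage:2.4"]).items():
        print(f"{ssid}: {verdict}")
```

Anything reported as `open` or `wep` is a router whose wireless security setting should be changed to WPA or WPA2.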

Finally, don't forget: when you're surfing at someplace with free wi-fi, besides being free, it's also unsecured. The retailer doesn't have the time to go around setting the key for your wi-fi card, so they leave it open. So don't do anything critical or log in to your bank there.

And yes, places that charge for wi-fi access, such as Starbucks, generally have some sort of encryption, so you're safe there.

Now about that 24x7 credit monitoring ...
