Network World
Saturday, November 22, 2008

John Cox's Blog


Now we know TJX wasn't the only screw-up...

Yesterday's U.S. Department of Justice indictment ought to come as a relief to TJX, the Massachusetts-based retailer that has been the corporate whipping boy for slack wireless security for nearly three years.

That's because it's now evident that TJX isn't the only security screw-up in retail.

At a top-heavy press conference in Boston, Attorney General Michael Mukasey, with various U.S. Attorneys and the Secret Service, revealed that 11 perps virtually ransacked nine major U.S. retailers, apparently in almost every case by wardriving to snoop more or less open wireless LANs, and then planting sniffer programs on internal computers to collect credit card and other data. Over 40 million credit card accounts were compromised. Besides TJX, the others named were: BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21, and DSW. A New York restaurant chain, Dave & Buster's, was another victim named in one of the indictments.

The real victims are, well, us. Even assuming the credit card companies covered the unauthorized withdrawals and purchases made on the purloined card accounts, the credit and debit card companies, and the retailers, are on the hook for God alone knows how many millions. Just one alleged conspirator, Maksym Yastremskiy, of the Ukraine, reaped over $11 million from his crimes, according to DOJ.

The indictment doesn't go into details on how these retailers apparently almost invited these attacks, but that's certainly the case with TJX, where WLAN security was almost non-existent. And wireless security apparently still is appallingly slack across the retail industry: early this year, wireless security vendor AirDefense reported on its own New York City war drive, which found that one third of the 800 stores scanned had no, zero, zip WLAN security, and another third had only weak protection.

That guarantees plenty of future photo-ops for federal crimefighters, and plenty of future losses and bad press for companies that still don't take wireless security seriously.

break-in over-reaction


John: Careful reading of the indictments of the TJX data thieves shows that the media, card issuers and Federal Trade Commission over-reacted to the TJX incident. The TJX break-in was not as bad as we were led to believe. --Ben http://legal-beagle.typepad.com/wrights_legal_beagle/2008/08/credit-card-iss.html

Yes, no - bad?


Yes, the consequences were not as bad as the hype led the public to assume, but...

Let's see - if these companies have any "certified" security people on their payroll - what happened? Who dropped the ball? Laws, regulations and compliance are one thing - real security is another ballgame. Especially in this case - even simple home devices support "high" security, not to mention what they should use in big business. And once again, it is not difficult or expensive IF thought out upfront.

No security can be 100%, but working in and with security for over 30 years I can tell that this kind of security breach should not happen. People blaming the technology or whatever don't really realize that any "new" technology at any time has had the same problems - it is "new"! And come on - social engineering has been used since the "Trojan horse".

The strange thing is that the people who made the decisions to skip even the simplest security (yes, it is a decision!) are not the ones taking the hit - people who work there and had nothing to do with this mess are fired because now it is expensive(!) and "we have to cut the expenses" or whatever...


About John Cox


Cox is a senior editor at Network World.


The opinions expressed in this Weblog are those of the writer and may not represent the opinions of Network World.
