TJX Breach Ryan Paulsen Chris Lafferty Nilesh Nipane
Post on 26-Feb-2016

DESCRIPTION

Ryan Paulsen, Chris Lafferty, Nilesh Nipane. TJX Breach. What happened? Intruders gained access to credit card information between 2005-2007; ~50 million credit card and debit card numbers stolen; ½ million driver’s license and SSN stolen; largest theft to date. PowerPoint PPT presentation.

TRANSCRIPT

Page 1: TJX Breach

TJX Breach

Ryan Paulsen Chris Lafferty Nilesh Nipane

Page 2: TJX Breach

What happened?

• Intruders gained access to credit card information between 2005-2007
• ~50 million credit card and debit card numbers stolen
• ½ million driver’s license and SSN stolen
• Largest theft to date
  ▪ Previous was 1.5 million credit card numbers

Page 3: TJX Breach

What happened?

• WEP key crack at St. Paul Marshalls store
• Hackers monitor and gather network traffic
• Gather data and crack encryption key for traffic destined for central database
• Gathered usernames and passwords from decrypted traffic
• Created accounts in TJX systems

Page 4: TJX Breach

What happened?

• Create accounts on central database systems in Framingham, MA
• Gathered historical data from storage systems
  ▪ Used by TJX to track returns
• Install specially made “blabla” sniffer tool gathering credit card numbers before they were encrypted
  ▪ Hackers then logged into the systems and transferred data files off of the system
• Used in Wal-Mart gift card scam ($1 Million)

Page 5: TJX Breach

Impact

• Monetary Cost/Loss for nearly all involved
• Customers may lose money/time or other resources directly
• Banks lose customers or reputation points
• TJX loses substantial amounts of money
  ▪ Approximately $1.5 billion to fees, settlements, and new security measures mandated by FTC
  ▪ More than $195 million in new security equipment and training

Page 6: TJX Breach

Impact

• Reputation/Business costs
• Customer confidence
• Federal Trade Commission’s response
• Ethical and Policy Implications/Movements
• Ethical concerns of information protection, misuse of resources, privacy, etc.

Page 7: TJX Breach

Impact

• Impacts still being felt and analyzed…
• Legal Issues / Legislation insufficiencies
• The full extent of these attacks and just how many systems were attacked by the same people (still finding out about new cases today)
• The actions and lack of actions being taken in response by other companies

Page 8: TJX Breach

Why did this attack succeed?

• 2004 audit found failure of 9/12 criteria for credit card merchants
  ▪ Misconfigured wireless networks
  ▪ Poor antivirus protection
  ▪ Weak intrusion detection
  ▪ Easily crackable usernames and passwords
  ▪ Poor log maintenance
  ▪ Failed to install data encryption software

Page 9: TJX Breach

Why did this attack succeed? Initial Breach

• Due to deficiencies in the wireless network and WEP encryption scheme
  ▪ WEP has been known to be broken since 2001 (FMS attack)
• Collected data transmitted by handheld devices used to communicate price markdowns and to manage inventory
  ▪ Used that data to crack the encryption code

Page 10: TJX Breach

Why did this attack succeed? Other Vulnerabilities

• Kiosks, equipped with USB drives, were located in many of TJX's retail stores
  ▪ Allowed direct access to the company's network and were not protected by firewall

Page 11: TJX Breach

Aftermath: Criminal

• Feds tracked down and arrested 11 co-conspirators
• Discovered credit theft ring known as “Operation Get Rich or Die Trying”
• Led by Albert Gonzalez
• Ring responsible for most major credit card thefts in US
  ▪ Including Homestead breach which is now the largest of its kind

Page 12: TJX Breach

Aftermath: Legal

• Class Action Lawsuits
  ▪ TJX reluctant to disclose data on the breach
  ▪ Failed to detect for 7 months, took another month to disclose
  ▪ Prosecutors hope to show negligence
• Watershed Case
  ▪ Companies now must be more open and transparent about how they protect customer data

Page 13: TJX Breach

Making Systems Less Vulnerable

• PCI Security Standards Council Data Security Standard (DSS)
  ▪ Special recommendations published July 2009 for wireless networks
  ▪ Covers best practices in relation to processing credit card information around wireless networks

Page 14: TJX Breach

Making Systems Less Vulnerable

• Wireless Intrusion Detection/Prevention System (IDS/IPS)
  ▪ Investigate and classify wireless networks and their access to customer data
  ▪ Create automatic alerts of rogue wireless connections
  ▪ Response plans to remove rogue connections
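The classify-and-alert step described on this slide, as an added example that is not part of the original slides: a small Python wireless-IDS routine that checks a scan against an authorized access-point inventory and raises the alerts a defender would act on. The inventory, the scan records, the field names and the alert labels are constructed assumptions, not the output of any real scanner.

```python
# Added example (not from the slides): classify scanned wireless networks against
# an inventory of authorized access points and raise wireless-IDS style alerts.
# Inventory, scan records and field names are constructed for this example.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed inventory: BSSID (radio MAC) -> SSID it is authorized to broadcast.
AUTHORIZED_APS: Dict[str, str] = {
    "00:11:22:aa:bb:01": "store-pos",
    "00:11:22:aa:bb:02": "store-pos",
    "00:11:22:aa:bb:03": "store-guest",
}
CARDHOLDER_SSIDS = {"store-pos"}  # networks that carry cardholder data
STRONG_AUTH = {"WPA2-ENT"}        # enterprise mode, as the guideline recommends

@dataclass
class Observation:
    bssid: str
    ssid: str
    auth: str  # e.g. "WPA2-ENT", "WPA2-PSK", "WEP", "OPEN"

def classify(obs: Observation) -> str:
    """Return 'ok' or an alert class for one scanned network."""
    expected = AUTHORIZED_APS.get(obs.bssid.lower())
    if expected is None:
        # Unknown radio using one of our SSIDs = impersonator; otherwise a rogue AP.
        if obs.ssid in AUTHORIZED_APS.values():
            return "ALERT evil-twin"
        return "ALERT rogue"
    if obs.ssid != expected:
        return "ALERT ssid-mismatch"  # known AP reconfigured or spoofed
    if obs.ssid in CARDHOLDER_SSIDS and obs.auth not in STRONG_AUTH:
        return "ALERT weak-auth"  # the TJX failure mode: WEP on the POS network
    return "ok"

def scan_alerts(observations: List[Observation]) -> List[Tuple[str, str, str]]:
    """Run classify() over a scan and keep only the networks needing action."""
    results = [(o.bssid, o.ssid, classify(o)) for o in observations]
    return [r for r in results if r[2] != "ok"]

# Constructed scan: one healthy AP, one on WEP, one unknown radio, one twin.
SAMPLE_SCAN = [
    Observation("00:11:22:aa:bb:01", "store-pos", "WPA2-ENT"),
    Observation("00:11:22:AA:BB:02", "store-pos", "WEP"),
    Observation("de:ad:be:ef:00:01", "linksys", "OPEN"),
    Observation("de:ad:be:ef:00:02", "store-pos", "WPA2-PSK"),
]

if __name__ == "__main__":
    for bssid, ssid, verdict in scan_alerts(SAMPLE_SCAN):
        print(f"{verdict:20} {bssid} {ssid}")
```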

Page 15: TJX Breach

Making Systems Less Vulnerable

• Filter wireless networks that do not need access to customer data with firewall
  ▪ Do NOT use VLAN separation
  ▪ Monitor rules every 6 months

From Information Supplement: PCI DSS Wireless Guideline

Page 16: TJX Breach

Making Systems Less Vulnerable: Protect wireless networks that transmit card holder data

• Physical protection
  ▪ Secure access points so no one can reset to factory defaults
  ▪ Make sure access points aren’t stolen
  ▪ Don’t store PSKs in obvious locations

Page 17: TJX Breach

Making Systems Less Vulnerable: Protect wireless networks that transmit card holder data

• Change default configuration
  ▪ Use enterprise mode when possible
  ▪ Do not advertise company name in SSID
  ▪ Only use SNMPv3
  ▪ Disable unnecessary ports and protocols

Page 18: TJX Breach

Making Systems Less Vulnerable: Protect wireless networks that transmit card holder data

• Logging and Monitoring
  ▪ Store event logs for 90 days
  ▪ Maintain updates to network topology
• Security
  ▪ Use AES when possible
  ▪ Use enterprise security when possible
  ▪ 13 character PSK

Page 19: TJX Breach

Making Systems Less Vulnerable: Protect wireless networks that transmit card holder data

• Encryption
  ▪ Use SSLv3 with 256 bit encryption
  ▪ Treat wireless networks as outside network

From Information Supplement: PCI DSS Wireless Guideline
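The recommendations on slides 15 through 19 read as a checklist. As an added example (not code from the slides or from the PCI guideline), here is a Python checker that evaluates a constructed access-point configuration against those recommendations, with a WEP-era store AP beside a hardened one. The configuration keys, the company name used for the SSID rule and the set of management services treated as necessary are assumptions for this example.

```python
# Added example (not from the slides or the PCI guideline): check an access-point
# configuration against the wireless recommendations the slides list. The config
# dictionary, its key names and the sample values are assumptions for this example.
from typing import Dict, List

COMPANY_NAME = "tjx"  # constructed; drives the "no company name in SSID" rule

def check_ap_config(cfg: Dict) -> List[str]:
    """Return the recommendations a config violates (empty list = all pass)."""
    findings: List[str] = []
    if cfg.get("factory_defaults"):
        findings.append("default configuration not changed")
    if COMPANY_NAME in cfg.get("ssid", "").lower():
        findings.append("SSID advertises company name")
    auth = cfg.get("auth")
    if auth == "WEP":
        findings.append("WEP in use (broken since 2001, FMS attack)")
    if auth != "WPA2-Enterprise":
        findings.append("enterprise mode not used")
    if auth == "WPA2-PSK" and len(cfg.get("psk", "")) < 13:
        findings.append("PSK shorter than 13 characters")
    if cfg.get("cipher") != "AES":
        findings.append(f"cipher is {cfg.get('cipher')}, not AES")
    if cfg.get("snmp_version") not in (None, 3):
        findings.append(f"SNMPv{cfg['snmp_version']} enabled; only SNMPv3 allowed")
    # Management services assumed necessary for this example: HTTPS and SSH.
    unneeded = set(cfg.get("enabled_services", ())) - {"https", "ssh"}
    if unneeded:
        findings.append("unnecessary services enabled: " + ", ".join(sorted(unneeded)))
    if cfg.get("log_retention_days", 0) < 90:
        findings.append("event logs kept for fewer than 90 days")
    # Wireless is treated as an outside network: a firewall, not VLAN-only separation.
    if cfg.get("segmentation") != "firewall":
        findings.append(f"segmented by {cfg.get('segmentation')!r}, not a firewall")
    return findings

# Constructed configs: a WEP-era store AP versus a hardened one.
WEAK_AP = {"factory_defaults": True, "ssid": "TJX-Store-Wireless", "auth": "WEP",
           "cipher": "RC4", "snmp_version": 2, "enabled_services": ["telnet", "http", "https"],
           "log_retention_days": 7, "segmentation": "vlan"}
HARDENED_AP = {"factory_defaults": False, "ssid": "ap-0231", "auth": "WPA2-Enterprise",
               "cipher": "AES", "snmp_version": 3, "enabled_services": ["https", "ssh"],
               "log_retention_days": 90, "segmentation": "firewall"}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_AP), ("hardened", HARDENED_AP)):
        print(f"{name}: {check_ap_config(cfg) or ['all checks pass']}")
```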

Page 20: TJX Breach

Book Chapters

• Chapter 6 – Database Security
• Chapter 7 – Security in Computing
• Chapter 9 – Economics of Cybersecurity
• Chapter 10 – Privacy
• Chapter 11 – Cryptography Explained

Page 21: TJX Breach

Sources

http://news.cnet.com/2100-7348_3-6169450.html
https://www.pcisecuritystandards.org/pdfs/PCI_DSS_Wireless_Guidelines.pdf
http://www.wired.com/threatlevel/2008/08/11-charged-in-m/
http://www.wired.com/threatlevel/2009/07/pci/
http://www.wired.com/threatlevel/2007/10/tjx-failed-to-n/
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1249421,00.html
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1245727,00.html
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1239711,00.html
http://hardware.slashdot.org/article.pl?sid=07/05/05/1812254
http://www.informationweek.com/shared/printableArticle.jhtml;jsessionid=AW4H134JQ43VXQE1GHOSKHWATMY32JVN?articleID=201400171
http://www.wired.com/threatlevel/2009/06/watt/
http://www.wired.com/threatlevel/2009/08/tjx-hacker-charged-with-heartland/