| echo: | |
|---|---|
| to: | |
| from: | |
| date: | |
| subject: | Re: T-Mobile plans phones that can use Wi-Fi |
From: Joe Hunt

Perhaps it will take a class action lawsuit against a company such as TJX. I'm not a fan of class actions, but this is a case where it might be necessary. As of now, the banks and credit card companies are responsible for losses.

I know that the WSJ is a subscriber-only site, and I don't usually post large segments of its copyrighted articles, but I'm not sure how widely circulated this story is.

Joe

--------

http://online.wsj.com/article/SB117824446226991797-search.html?KEYWORDS=TJX+st.+paul&COLLECTION=wsjie/6month

BREAKING THE CODE

How Credit-Card Data Went Out Wireless Door

Biggest Known Theft Came from Retailer With Old, Weak Security

By JOSEPH PEREIRA
May 4, 2007; Page A1

The biggest known theft of credit-card numbers in history began two summers ago outside a Marshalls discount clothing store near St. Paul, Minn. There, investigators now believe, hackers pointed a telescope-shaped antenna toward the store and used a laptop computer to decode data streaming through the air between hand-held price-checking devices, cash registers and the store's computers. That helped them hack into the central database of Marshalls' parent, TJX Cos. in Framingham, Mass., to repeatedly purloin information about customers.

The $17.4-billion retailer's wireless network had less security than many people have on their home networks, and for 18 months the company -- which also owns T.J. Maxx, Home Goods and A.J. Wright -- had no idea what was going on. The hackers, who have not been found, downloaded at least 45.7 million credit- and debit-card numbers from about a year's worth of records, the company says. A person familiar with the firm's internal investigation says they may have grabbed as many as 200 million card numbers all told from four years' records.

When wireless data networks exploded in popularity starting around 2000, the data was largely shielded by a flawed encoding system called Wired Equivalent Privacy, or WEP, that was quickly pierced. The danger became evident as soon as 2001, when security experts issued warnings that they were able to crack the encryption systems of several major retailers.

By 2003, the wireless industry was offering a more secure system called Wi-Fi Protected Access or WPA, with more complex encryption. Many merchants beefed up their security, but others including TJX were slower to make the change. An auditor later found the company also failed to install firewalls and data encryption on many of its computers using the wireless network, and didn't properly install another layer of security software it had bought. The company declined to comment on its security measures.

The hackers in Minnesota took advantage starting in July 2005. Though their identities aren't known, their operation has the hallmarks of gangs made up of Romanian hackers and members of Russian organized crime groups that also are suspected in at least two other U.S. cases over the past two years, security experts say. Investigators say these gangs are known for scoping out the least secure targets and being methodical in their intrusions, in contrast with hacker groups known in the trade as "Bonnie and Clydes" who often enter and exit quickly and clumsily, sometimes strewing clues behind them.

The TJX hackers did leave some electronic footprints that show most of their break-ins were done during peak sales periods to capture lots of data, according to investigators. They first tapped into data transmitted by hand-held equipment that stores use to communicate price markdowns and to manage inventory. "It was as easy as breaking into a house through a side window that was wide open," according to one person familiar with TJX's internal probe. The devices communicate with computers in store cash registers as well as routers that transmit certain housekeeping data.

After they used that data to crack the encryption code the hackers digitally eavesdropped on employees logging into TJX's central database in Framingham and stole one or more user names and passwords, investigators believe. With that information, they set up their own accounts in the TJX system and collected transaction data including credit-card numbers into about 100 large files for their own access. They were able to go into the TJX system remotely from any computer on the Internet, probers say.

On Sun, 6 May 2007 23:20:49 -0400, "Geo." wrote:

>"mike" wrote in message
>news:misr33l1ng9iccul18t9kbrurr1tttbtsq{at}4ax.com...
>
>> service. The SSID is the Verizon account number of the DSL subscriber,
>> and no security is set up to reduce support calls.....
>
>I run my wireless wide open so that it's less trouble getting additional
>devices connected, it doesn't do wpa/2 so why bother?
>
>But I think the question of why these devices allow wide open at all is
>something that should be asked. Why don't wireless routers come without the
>option to not use encryption? For that matter, why doesn't every cisco
>router (1700 series on up) and every dns server come preconfigured to block
>passing RFC1918 space?
>
>Geo.

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267
@PATH: 379/45 1 633/267
| SOURCE: echomail via fidonet.ozzmosis.com | |