Lessons from TJX

November 10, 2008

TJX provides an excellent case study on how cybercrime operates – which in turn provides significant justification for the companies you call on to assess their security. As I work with various resellers around the country, I am hearing two things: companies are cutting back IT budgets and putting large projects on hold, and at the same time, companies are engaging in security assessment initiatives. The economy is driving the cutbacks, while cybercrime trends are driving companies to take action where there is a fear of loss. It is helpful to understand how the TJX crimes took place as you work with data owners. Following are some of the facts:

· Albert Gonzalez was the apparent leader of the TJX credit card crimes – he is serving a sentence through 2012, at which time he faces deportation back to Venezuela.

· Gonzalez is the same individual who helped investigators infiltrate the original Shadowcrew group that I wrote about in the House & the Cloud (my book on using risk to drive technology sales).

· This hack was accomplished using Trojan software provided by a 25-year-old New Yorker, Stephen Watt. The initial hack started when these men gained access to insecure wireless networks, installing malware between the point-of-sale systems and backend processing systems.

· Together, these men are charged (along with 7 others) with stealing more than 40 million credit and debit card numbers (the numbers vary, but this seems to be the most frequently quoted number in recent articles). The crime took place between 2003 and 2007, targeting retailers including TJX, DSW and BJ’s Wholesale Club.

· Irving Jose Escobar, along with six accomplices (including his wife and mother), acquired stolen data from Gonzalez using fraudulent credit cards containing stolen information. It is unknown how Escobar is related to Gonzalez other than that he took possession of the cards – perhaps as a buyer of stolen information. He then converted these cards into Wal*Mart gift cards, which were then used to buy electronics – a way of laundering the money.

A few important lessons should be noted. The crime leveraged insecure wireless networks – an easy target. We should be out there working with companies to make sure their wireless networks are secure. While we often think encryption is the answer, WEP has long been considered insecure, and recent discoveries indicate that newer WPA encryption may be vulnerable (read about recent discoveries in Germany).

It took three years to discover the problem.  A common misconception is the idea that IT workers will see security intrusions.  IT did not discover the TJX attacks – these thieves were discovered through sloppy money laundering.

Protecting the perimeter did not stop these people.  A process of detection and response is essential when it comes to discovering today’s attacks.  Constant assessments are part of the program that companies need to secure data.

What are you using to justify sales in this economy?  Learn the sound bites and leverage them – Security is an obvious way to gain the attention of those you are working with.

