TJX Breach
Ryan Paulsen, Chris Lafferty, Nilesh Nipane
What happened?
• Intruders gained access to credit card information between 2005-2007
• ~50 million credit card and debit card numbers stolen
• ½ million driver’s license and SSN records stolen
• Largest theft to date
  • Previous record was 1.5 million credit card numbers
What happened?
• WEP key cracked at a St. Paul Marshalls store
• Hackers monitored and gathered wireless network traffic
• Gathered enough data to crack the encryption key protecting traffic destined for the central database
• Harvested usernames and passwords from the decrypted traffic
• Created accounts in TJX systems
What happened?
• Created accounts on the central database systems in Framingham, MA
• Gathered historical data from storage systems
  • Used by TJX to track returns
• Installed a custom-built “blabla” sniffer tool that captured credit card numbers before they were encrypted
• Hackers then logged into the systems and transferred the data files off of the network
• Stolen cards used in a Wal-Mart gift card scam ($1 million)
Impact
• Monetary cost/loss for nearly all involved
  • Customers may lose money, time, or other resources directly
  • Banks lose customers or reputation
  • TJX loses substantial amounts of money
    • Approximately $1.5 billion in fees, settlements, and new security measures mandated by the FTC
    • More than $195 million in new security equipment and training
Impact
• Reputation/business costs
  • Customer confidence
  • Federal Trade Commission’s response
• Ethical and policy implications/movements
  • Ethical concerns of information protection, misuse of resources, privacy, etc.
Impact
• Impacts still being felt and analyzed…
  • Legal issues / insufficient legislation
  • The full extent of these attacks and just how many systems were attacked by the same people (new cases are still coming to light today)
  • The actions, and lack of action, taken in response by other companies
Why did this attack succeed?
• A 2004 audit found TJX failed 9 of 12 criteria for credit card merchants
  • Misconfigured wireless networks
  • Poor antivirus protection
  • Weak intrusion detection
  • Easily crackable usernames and passwords
  • Poor log maintenance
  • Failed to install data encryption software
Why did this attack succeed?
• Initial breach
  • Due to deficiencies in the wireless network and the WEP encryption scheme
  • WEP has been known to be broken since 2001 (FMS attack)
  • Attackers collected data transmitted by handheld devices used to communicate price markdowns and manage inventory
  • Used that data to crack the encryption key
Why did this attack succeed?
• Other vulnerabilities
  • Kiosks equipped with USB drives were located in many of TJX’s retail stores
  • Kiosks allowed direct access to the company’s network and were not protected by a firewall
Aftermath: Criminal
• Feds tracked down and arrested 11 co-conspirators
• Discovered a credit theft ring known as “Operation Get Rich or Die Trying”
  • Led by Albert Gonzalez
• Ring responsible for most major credit card thefts in the US
  • Including the Heartland breach, which is now the largest of its kind
Aftermath: Legal
• Class action lawsuits
  • TJX reluctant to disclose data on the breach
  • Failed to detect the intrusion for 7 months, then took another month to disclose it
  • Prosecutors hope to show negligence
• Watershed case
  • Companies now must be more open and transparent about how they protect customer data
Making Systems Less Vulnerable
• PCI Security Standards Council Data Security Standard (DSS)
  • Special recommendations published July 2009 for wireless networks
  • Covers best practices for processing credit card information around wireless networks
Making Systems Less Vulnerable
• Wireless Intrusion Detection/Prevention System (IDS/IPS)
  • Investigate and classify wireless networks and their access to customer data
  • Create automatic alerts for rogue wireless connections
  • Response plans to remove rogue connections
Making Systems Less Vulnerable
• Use a firewall to filter wireless networks that do not need access to customer data
  • Do NOT use VLAN separation
  • Monitor rules every 6 months
From Information Supplement: PCI DSS Wireless Guideline
Making Systems Less Vulnerable
• Protect wireless networks that transmit cardholder data
  • Physical protection
    • Secure access points so no one can reset them to factory defaults
    • Make sure access points aren’t stolen
    • Don’t store PSKs in obvious locations
Making Systems Less Vulnerable
• Protect wireless networks that transmit cardholder data
  • Change default configuration
    • Use enterprise mode when possible
    • Do not advertise the company name in the SSID
    • Only use SNMPv3
    • Disable unnecessary ports and protocols
Making Systems Less Vulnerable
• Protect wireless networks that transmit cardholder data
  • Logging and monitoring
    • Store event logs for 90 days
    • Maintain updates to network topology
  • Security
    • Use AES when possible
    • Use enterprise security when possible
    • 13-character PSK
Making Systems Less Vulnerable
• Protect wireless networks that transmit cardholder data
  • Encryption
    • Use SSLv3 with 256-bit encryption
    • Treat wireless networks as an outside network
From Information Supplement: PCI DSS Wireless Guideline
Book Chapters
• Chapter 6 – Database Security
• Chapter 7 – Security in Computing
• Chapter 9 – Economics of Cybersecurity
• Chapter 10 – Privacy
• Chapter 11 – Cryptography Explained
Sources
• http://news.cnet.com/2100-7348_3-6169450.html
• https://www.pcisecuritystandards.org/pdfs/PCI_DSS_Wireless_Guidelines.pdf
• http://www.wired.com/threatlevel/2008/08/11-charged-in-m/
• http://www.wired.com/threatlevel/2009/07/pci/
• http://www.wired.com/threatlevel/2007/10/tjx-failed-to-n/
• http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1249421,00.html
• http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1245727,00.html
• http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1239711,00.html
• http://hardware.slashdot.org/article.pl?sid=07/05/05/1812254
• http://www.informationweek.com/shared/printableArticle.jhtml;jsessionid=AW4H134JQ43VXQE1GHOSKHWATMY32JVN?articleID=201400171
• http://www.wired.com/threatlevel/2009/06/watt/
• http://www.wired.com/threatlevel/2009/08/tjx-hacker-charged-with-heartland/