Monday, November 12, 2007

Lessons learnt from TJ Maxx data breach and credit card fraud

The main security lesson that credit card issuers learnt from the TJ Maxx companies' loss of 95 million credit card records and 1 Million USD in fraudulent transactions is the need to require merchants to secure the weakest link in the chain: the WLAN connection between the POS (Point Of Sale) terminals and the branch servers. Merchants should learn from POS vulnerabilities and apply the right countermeasures, like the ones identified in the research paper at http://www.hackerfactor.com/papers/cc-pos-20.pdf. Now, despite the fact that the major exposure in the TJ Maxx security incident was due to weak wireless encryption, namely WEP (Wired Equivalent Privacy) (http://online.wsj.com/article_email/SB117824446226991797-lMyQjAxMDE3NzA4NDIwNDQ0Wj.html), there is still a large number of retailers that either do not secure their WLAN at all, or still use the flawed Wired Equivalent Privacy (WEP) protocol, or the pre-shared key mode of the Wi-Fi Protected Access (WPA-PSK) specification, which was originally intended as basic security for home or SOHO WLANs: http://www.pcworld.com/article/id,141429-c,privacysecurity/article.html
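As an added illustration of the point above (this is example code written for this page, not code from the post or from the hackerfactor paper), the following Python helper classifies the access points in a wireless site survey into the categories the post names: open, WEP, PSK-mode WPA/WPA2, and 802.1X-based WPA/WPA2-Enterprise. It goes one step beyond the text by treating enterprise (802.1X) authentication as the only acceptable mode for a POS segment, since PSK mode is the home/SOHO option the post refers to. The input is a constructed sample laid out in the style of `iwlist scan` output; the exact field layout of real scanner output is an assumption, so adjust the regular expressions to whatever your survey tool emits.

```python
"""Audit helper: classify access points from a scan dump and flag the weak
WLAN configurations (open, WEP, pre-shared-key WPA) that should never carry
POS traffic.  Hypothetical defender-side tool; input layout is assumed."""
import re
from typing import Any, Dict, List

# Constructed sample (not a real capture).  Layout mimics `iwlist <iface> scan`;
# spacing and field names in real output may differ.
SAMPLE_SCAN = """\
          Cell 01 - Address: 00:11:22:33:44:55
                    ESSID:"store-pos"
                    Encryption key:on
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : CCMP
                        Pairwise Ciphers (1) : CCMP
                        Authentication Suites (1) : PSK
          Cell 02 - Address: 00:11:22:33:44:66
                    ESSID:"store-legacy"
                    Encryption key:on
          Cell 03 - Address: 00:11:22:33:44:77
                    ESSID:"store-guest"
                    Encryption key:off
          Cell 04 - Address: 00:11:22:33:44:88
                    ESSID:"store-corp"
                    Encryption key:on
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : CCMP
                        Pairwise Ciphers (1) : CCMP
                        Authentication Suites (1) : 802.1x
          Cell 05 - Address: 00:11:22:33:44:99
                    ESSID:"store-old-wpa"
                    Encryption key:on
                    IE: WPA Version 1
                        Group Cipher : TKIP
                        Pairwise Ciphers (1) : TKIP
                        Authentication Suites (1) : PSK
"""

# Why each non-enterprise mode is flagged (wording is this example's own).
WEAK_REASONS = {
    "OPEN": "no encryption at all",
    "WEP": "WEP is broken; keys are recoverable from captured traffic",
    "WPA-PSK": "WPA1/TKIP with a pre-shared key; intended for home/SOHO use",
    "WPA2-PSK": "one pre-shared key on every terminal; intended for home/SOHO use",
}


def parse_scan(text: str) -> List[Dict[str, Any]]:
    """Split the dump into one record per 'Cell' and extract the fields we need."""
    cells: List[Dict[str, Any]] = []
    for block in re.split(r"\n(?=\s*Cell \d+ - )", text.strip()):
        bssid = re.search(r"Address:\s*([0-9A-Fa-f:]{17})", block)
        essid = re.search(r'ESSID:"([^"]*)"', block)
        enc = re.search(r"Encryption key:\s*(on|off)", block)
        ies = re.findall(r"IE:\s*(.+)", block)
        akms = re.findall(r"Authentication Suites \(\d+\)\s*:\s*(.+)", block)
        cells.append({
            "bssid": bssid.group(1) if bssid else "",
            "essid": essid.group(1) if essid else "",
            "encrypted": bool(enc and enc.group(1) == "on"),
            "ies": [ie.strip() for ie in ies],
            "akms": [a.strip() for a in akms],
        })
    return cells


def classify(cell: Dict[str, Any]) -> str:
    """Map one access point record to OPEN / WEP / WPA[2]-PSK / WPA[2]-ENTERPRISE."""
    if not cell["encrypted"]:
        return "OPEN"
    ies = " ".join(cell["ies"])
    akm = " ".join(cell["akms"]).lower()
    if "WPA2" in ies or "802.11i" in ies:
        family = "WPA2"
    elif "WPA" in ies:
        family = "WPA"
    else:
        # Encryption on, but no WPA/RSN information element: legacy WEP.
        return "WEP"
    return family + ("-ENTERPRISE" if "802.1x" in akm else "-PSK")


def audit(text: str, allowed=("WPA2-ENTERPRISE",)) -> List[Dict[str, str]]:
    """Return one finding per access point whose mode is not in `allowed`."""
    findings = []
    for cell in parse_scan(text):
        mode = classify(cell)
        if mode not in allowed:
            findings.append({
                "essid": cell["essid"], "bssid": cell["bssid"], "mode": mode,
                "reason": WEAK_REASONS.get(mode, "mode not on the allowed list"),
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SCAN):
        print(f"{f['essid']:<16} {f['bssid']}  {f['mode']:<16} {f['reason']}")
```

Run against the constructed sample, only `store-corp` (WPA2 with 802.1X) passes; the PSK-mode `store-pos` network is flagged alongside the WEP and open ones, which is exactly the distinction the post draws between enterprise-grade and home/SOHO wireless security.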

The other lesson is that VISA PCI compliance is more a vehicle to recoup fraud losses than proactive security. In the case of TJX Maxx, VISA fined Fifth Third (53rd) Bank (the TJ Maxx VISA card processor) 880,000 USD for not being in compliance with PCI in light of the 2005 incidents, but gave the credit card processor a 2008 deadline to comply: http://www.scmagazineus.com/Visa-fines-TJX-credit-card-processor/article/58255/ Now, 1 million USD of fraud vs. an 880,000 USD fine: the fine still seems to repay VISA for most of the losses.

The other lesson is that lawsuits are not a strong enough deterrent to make large retailers such as TJX Maxx secure. The 257 Million USD lawsuit that TJX Maxx settled with smaller banks (http://www.boston.com/business/globe/articles/2007/10/24/court_filing_in_tjx_breach_doubles_toll/?page=2) certainly did not put TJX out of business: http://www.darkreading.com/blog.asp?blog_sectionid=403&doc_id=137756&f_src=darkreading_section_403

In Italian we have a saying, "il rischio non vale la candela" (the risk is not worth the candle), meaning that if the air smells like the whole place is about to explode, it is probably better not to light the candle. Now, in this case, I think retailers will probably continue not to be compliant with the PCI standard, while the fraudsters that are still uncaught and out in the wild will continue to light the candles.
