Showing posts with label credit card fraud. Show all posts

TJMaxx Hacker Gets 20 Years


Remember the largest personal data theft in history? The guy that supposedly was behind it was sentenced this week to 20 years in prison. 

Albert Gonzalez, who operated under the hacker alias SoupNazi, pleaded guilty last year to slipping into the computer networks of major retailers such as TJ Maxx, BJ's Wholesale Club, Barnes & Noble, OfficeMax and Boston Market.
To pull off the caper, Gonzalez, 28, would hack into the Heartland Payment systems that handled credit card transactions for major retailers. Then the Miami resident got creative. He would cruise by stores with his laptop and infiltrate wireless Internet signals.
A Trojan Horse program would be planted in the store's network and Gonzalez would later vacuum out credit and debit numbers.
Authorities say Gonzalez operated with two co-conspirators and operated overseas as well. All told, the operation stole more than $200 million. The Secret Service estimated that the potential economic loss could be in the billions. Gonzalez personally amassed $2.8 million.

Of course, the retailers involved bear some of the fault: they were using WEP encryption, known for years prior to the data theft to be easily hacked and thus insecure, to wirelessly transmit transaction data between registers and the store office. Gonzalez and his crew were then able to repeatedly tap into the store systems this way, and learned how to log in to the corporate computer system of TJX, parent company of TJ Maxx, BJ's Wholesale Club, Barnes & Noble, OfficeMax and Boston Market. Since TJX evidently was storing customer data in violation of PCI Data Security Standards, Gonzalez and crew were able to steal some 46 million customer credit cards from this company.
Amazingly, PCI standards will not ban the use of WEP in credit card systems until June 30, 2010 (although they have prohibited new systems that use WEP from being installed since March 31, 2009).
In the wake of the Facebook Beacon and Sears Manage My Home privacy snafus, you would expect more Americans to state they are concerned about online privacy. Interestingly, according to this study it is mainly people who don't shop online and those who are new to shopping online who express concern over privacy. I would be surprised if more than a few of those polled had heard of either incident, both of which got limited mainstream news coverage.
However, you don't even have to be online to have your privacy or identity threatened. Anyone who purchased items from a Sears store, for example, where Sears had a record of the purchaser's name and address was potentially vulnerable to that purchasing history being exposed on the web in the recent Manage My Home debacle. The largest data breach yet known was due to TJ Maxx stores not properly securing their intra-store wireless, allowing anyone with a laptop and 30 seconds to hack the signal in the parking lot. Thieves then were able to access TJ Maxx's main databases for months, stealing 46 million credit card numbers.
And yesterday, JC Penney reported their data storage company lost a backup tape that contains information on 650,000 customers, including Social Security numbers for about 150,000 people. So you don't have to shop or bank online to be subject to identity theft or privacy breaches. (If you get a letter from GEMoney, open it.)
It's no wonder that more consumers are now closely monitoring their credit or joining identity protection services like LifeLock.
Scary.


Dirty Secrets of Debit Cards

New post over at Consumerbits.
There are lots of misconceptions consumers have about debit and credit cards.

Mystery eBay 'Hack' Exposes 1,200 Accounts

Folks, if you use eBay, get the $5 security key from PayPal and be done with this nonsense. Don't live in fear of your PayPal or eBay accounts being hacked. And learn to protect yourself from online scams! Here is a list of over 30 well-known eBay scams.
From arstechnica:
eBay is one of the most successful Internet-only ventures of all time, so it's not surprising that it has come under near-constant attack by fraudsters and hackers. In the latest attempt, a hacker logged on to the eBay Trust and Security forums and pretended to post as 1,200 separate users, making it appear as if he had actually logged in with each user's account. The posts contained the users' names, contact information, and credit card numbers.

Have You Ever Shopped at TJ Maxx? Uh-oh!


In what is reported as the biggest breach of personal data ever, at least 45.7 million credit and debit card numbers were stolen by hackers who accessed the computer systems at the TJX Cos. at its headquarters in Framingham and in the United Kingdom over a period of several years.
TJX operates 826 T.J. Maxx, 751 Marshalls, 271 HomeGoods, and 162 A.J. Wright stores, as well as 36 Bob's Stores, in the United States. In Canada, the company runs 184 Winners and 68 HomeSense stores, and in Europe, 212 T.K. Maxx stores.
Holy Cow.
Oh, and by the way, this was discovered before Christmas 2006. Lovely.
But wait, there's more!
TJX now believes portions of the credit and debit card transactions at its U.S., Puerto Rican, and Canadian stores -- excluding debit card transactions with cards issued by Canadian banks -- from January 2003 through June 2004 were compromised.
Oh, but notice the small tidbit in this article from Information Week.
"TJX has also likely run afoul of the Payment Card Industry Data Security Standard created by Visa and MasterCard, as a number of documents sent by Visa to financial institutions that issue cards and manage Visa transactions indicate TJX was storing credit and debit card data in violation of the standard."
You see, companies are supposed to comply with the industry standard for retaining this data and it seems our friends at TJMaxx have been keeping transaction and other data for far longer than they are supposed to. But other companies may be doing the same thing.
If you have used a credit/debit card at any of the above stores in the last 4 years, call the helpline TJX has set up at 866-484-6978.
