If you consider yourself even a little bit of a geek, you would never trust your home wireless network to WEP encryption, simply because it can be cracked in a matter of minutes from captured traffic. I insist on better protection for my iTunes share on my local network. Would you trust it to protect your customers' personal and credit card information? I don't think so, but the TJX Companies thought it was OK. As a result, they got burned.
It’s not a secret that WEP is not secure, and the IT management for TJX must have known it. Now I’m sure it’s expensive to upgrade the wireless systems in however many stores they operate, but security isn’t a “don’t fix it if it ain’t broken” type of thing. Keeping your security current has to be a priority, because you can guarantee that attackers are looking for any vulnerability they can find. They’re looking for the path of least resistance, and WEP ain’t very resistant.
The hackers who ransacked TJX Companies Inc.’s computer network and exposed at least 45.7 million credit and debit card holders to identity fraud reportedly began their assault by exploiting Wi-Fi weaknesses at a Marshalls clothing store near St. Paul, Minn.
I don't believe the use of WEP is the only lax security issue TJX was guilty of either. Why keep so much customer personal data for so long? I believe that's part of the issue. The fact that the major credit card companies require merchants to keep the card number for transactions simply adds to the problem. I realize it's saved in case of a disputed charge, but that doesn't change the fact that it's a prime target for attackers. If the credit card number never has to be stored, a breach of the merchant's systems can't expose it in the first place.
So here’s my proposal. Associate a second number with a credit card, and store that number in the merchants’ systems. This number isn’t useful by itself, but it can be used by VISA or MasterCard to determine the card holder. If the merchant’s system is compromised, the secondary number can’t be used to make purchases or just about anything else for that matter. It’s only useful to the credit card company when a charge is disputed. Does this sound plausible to you?
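As an added sketch of the proposal above (this is example code, not the post's own and not any card network's real protocol), the following shows a merchant that stores only an opaque reference number while the card network keeps the sole mapping back to the real card. It goes slightly beyond the post in two assumed details: the reference number is random rather than derived from the card number, so it cannot be inverted, and it is bound to the merchant that received it, so a number stolen from one merchant is useless for disputes anywhere else. The class names, the token format, and the sample card number (a well-known test number) are all assumptions.

```python
"""Reference-number ("token") scheme for merchant storage.

Added example, not the post's code. IssuerVault stands in for the card
network; MerchantDB for a store's transaction database. Names and token
format are assumptions made for illustration.
"""
import secrets


def luhn_valid(number: str) -> bool:
    """True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class IssuerVault:
    """Card network side: the only place the token <-> card mapping lives."""

    def __init__(self):
        self._issued_pans = set()      # real card numbers that can authorize
        self._card_by_token = {}       # token -> (pan, merchant_id)

    def register_card(self, pan: str) -> None:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        self._issued_pans.add(pan)

    def tokenize(self, pan: str, merchant_id: str) -> str:
        """Hand the merchant a random reference number for this card."""
        if pan not in self._issued_pans:
            raise ValueError("unknown card")
        # Random, not derived from the PAN: nothing to invert or brute-force.
        token = "TK" + secrets.token_hex(8)
        self._card_by_token[token] = (pan, merchant_id)
        return token

    def authorize(self, number: str) -> bool:
        """Only a real issued card number can make a purchase; a token fails."""
        return number in self._issued_pans

    def lookup_dispute(self, token: str, merchant_id: str):
        """Dispute research: return a masked card reference for the merchant
        the token was issued to, or None for anyone else."""
        pan, owner = self._card_by_token.get(token, (None, None))
        if pan is None or owner != merchant_id:
            return None
        return "****" + pan[-4:]


class MerchantDB:
    """Store side: keeps tokens and amounts, never the card number."""

    def __init__(self):
        self.transactions = []

    def record_sale(self, token: str, amount: float) -> None:
        self.transactions.append({"token": token, "amount": amount})


def demo():
    """Walk through a sale, a breach of the merchant, and a dispute lookup."""
    vault = IssuerVault()
    pan = "4111111111111111"            # constructed test card number
    vault.register_card(pan)

    merchant = MerchantDB()
    token = vault.tokenize(pan, "store-0042")
    merchant.record_sale(token, 49.99)

    # An attacker who dumps the merchant database gets only the token.
    stolen = merchant.transactions[0]["token"]
    can_buy = vault.authorize(stolen)                          # False
    dispute = vault.lookup_dispute(stolen, "store-0042")       # "****1111"
    elsewhere = vault.lookup_dispute(stolen, "other-store")    # None
    pan_leaked = any(pan in str(row) for row in merchant.transactions)
    return can_buy, dispute, elsewhere, pan_leaked


if __name__ == "__main__":
    print(demo())
```

The point the walk-through makes is the one the post argues: what the store holds is enough for the card company to settle a chargeback and for nothing else, so the merchant's database stops being worth breaking into.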
There’s always cash though.