'60 Minutes' on TJX computer security
A story on 60 Minutes focuses on TJX's poor Wi-Fi security and keeping sensitive customer information for much too long.
I just finished watching Leslie Stahl do a piece called "Hi-Tech Heist" on 60 Minutes in which she describes the theft of credit card and other personal information from TJX. These are a couple quick Defensive Computing thoughts on the subject.
I can't imagine using a credit card at T.J. Maxx, Marshall's, Bob's Stores or any of the other stores owned by TJX. In the 60 Minutes piece, the focus was on the poor Wi-Fi security and keeping sensitive customer information for much too long. But, after the hackers got into the Wi-Fi network, they were able to get to the master database of customer information, meaning that there were many other security problems along the way.
And, as was mentioned in the story, the bad guys poked around the internal TJX computers for about a year and half without getting noticed. The word inexcusable doesn't begin to describe the many security problems. Unless I hear that TJX has laid off people responsible for computer security, they will never see a credit card of mine again.
The story ends on a happy note, TJX has upgraded all their Wi-Fi to use the newer, better type of encryption known as WPA. But this is far from the end of the story. It may not be well known, but WPA encryption can be good or bad.
Because it is vulnerable to a brute force attack, the crucial point is the length of the password. A short password, or a word in the dictionary, offers no better security than the much maligned WEP encryption. But a really loooooooooong password is very secure. WPA supports passwords up to 63 characters long. You can think of it as a "pass sentence" rather than a password.
The WPA password only needs to be entered once on each computer, so there is no excuse not to use a long password. If you can't think of one yourself, then Steve Gibson has a Web page that will generate long passwords.
The WPA encryption may also be turned off if a WEP-using computer joins the network. Many consumer grade routers can do either WEP or WPA but not both at the same time.
Finally, if WEP is still being used at retailers, as the story pointed out, then online purchases may very well be more secure than brick and mortar.
Update: Robert Vamosi of CNET wrote an interesting story on this in his Security Watch column - What's behind retail data breaches
Update November 25: A reader comment mentioned WPA-PSK and WPA2 Enterprise. Let me explain the terms. The simplest way of using WPA encryption involves a single password for the entire network. It is entered once when configuring the router and once at each computer accessing the wireless network. This mode of operation is called "Pre-Shared Key" or "PSK" or "Personal" and is what I was referring to.
Companies with the necessary technical skill, can use WPA in such a way that each user gets his or her own password. The software that validates passwords is a Radius server. This mode of operation has multiple names. An old Belkin router calls it simply "WPA with Radius Server", it has also been called "WPA Enterprise" and "server-based infrastructure mode".