40+ Million Credit Cards Stolen Using Wardriving…This Is Nothing New, Folks!

Okay, lots and LOTS has already been written about the DoJ press release yesterday, “Retail Hacking Ring Charged for Stealing and Distributing Credit and Debit Card Numbers from Major U.S. Retailers: More Than 40 Million Credit and Debit Card Numbers Stolen.”
But, I still want to put a few thoughts out about this…


First, how they stole the credit card numbers…OVER 40 MILLION…was by exploiting the lack of security in wireless networks.

“The Boston indictment alleges that during the course of the sophisticated conspiracy, Gonzalez and his co-conspirators obtained the credit and debit card numbers by “wardriving” and hacking into the wireless computer networks of major retailers — including TJX Companies, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW. Once inside the networks, they installed “sniffer” programs that would capture card numbers, as well as password and account information, as they moved through the retailers’ credit and debit processing networks.”

Come on, folks! This could have been prevented so easily! This type of hacking is nothing new.
And it’s not like this is any type of new way to steal information. Ever since wireless has been used, it has been possible to steal the information from the wireless transmissions. Back in 2002 Best Buy made the news for having their credit card transactions stolen from their stores in basically the same way.
It would be interesting to see how many physical retail stores actually have effective security in place. Earlier this year I blogged about how many unsecured wireless access points my 8- and 11-year-old sons found just by driving to their day camps; see here and here.
Too little attention to security is given within physical stores and small- to medium-sized businesses (SMBs).
Second, too many business owners and business execs are willing to gamble that they will not be targeted, so they choose to not invest in security.
Since the mid-1990s I’ve heard CxOs, and SMBs, often use the argument, “How likely is it for something to happen if we don’t install what you want us to invest in? If it’s not that likely, then why waste the money?”
Use this wireless hacking case, which stole OVER 40 MILLION CREDIT CARD NUMBERS, as an example of how easy it is for the bad guys to commit crime when security…basic, simply implemented security…is not put into place. The execs whose card numbers were taken should now understand the need for security better…you would think.
Third, this also shows that, while the PCI DSS is good for contractually trying to ensure security is addressed, and places responsibility for implementing security upon the businesses processing credit card payments, PCI DSS, in and of itself, is not a panacea.
Too many execs say, “We’re following PCI DSS. We’re secure; we’re invulnerable.”
PCI DSS is a security standard. It is not the *actual practice* of security that is required within all businesses. This case demonstrates this.
PCI DSS is a good set of general rules for organizations to follow, but it does not address the day-to-day execution of security within all locations where credit cards are processed. Just because an organization is certified as being PCI DSS at one point in time does not mean that security is addressed and being actively enforced by all personnel on an ongoing basis. More reason why training and ongoing awareness must be provided.
All these merchants were supposed to have been PCI DSS compliant. However, apparently hundreds, if not thousands, of the retail locations either…
1) simply did not understand security enough to know that wireless transmissions of payments must be strongly encrypted, or (probably more likely),
2) chose not to spend the time and comparatively low dollar investment to actually implement the security controls with the belief that it wasn’t likely that bad things would happen, or
3) stopped addressing security once they got their PCI DSS seal of approval.
