Hi-Tech Heist

How Hi-Tech Thieves Stole Millions Of Customer Financial Records

(CBS)  Do you think twice when typing in your credit card number online, but have no problem handing over your plastic card at a store? Well actually, you may have it backward. Your personal information may be more secure in cyberspace than at the mall down the road.

That's because it's easier for dot-coms to protect the data. And most stores in America underestimate how vulnerable they are.

As correspondent Lesley Stahl reports, it's becoming a big problem. The retail industry got a wake-up call earlier this year, when TJX, the parent company of T.J. Maxx and Marshalls, disclosed it had suffered the worst high-tech heist in shopping history. Hackers raided the company's computer system, taking off with tens of millions of records. And what we have learned is: TJX could have prevented it.

---

"They collected too much personal information. They kept it too long. And finally, they didn't keep it according to appropriate security standards," says Canadian Privacy Commissioner Jennifer Stoddart, who led the investigation of the TJX theft for the Canadian government and the Province of Alberta, and released her findings before investigations in the U.S. are finished. TJX operates chains in both countries.

Asked if there's an actual place where the crime took place, Stoddart tells Stahl, "Yes, it seems that the intrusion happened at two Marshalls stores in the Miami area."

"Did the crime happen inside the stores or outside the store?" Stahl asks.

"This was a case of penetrating the network from without the stores because it is…a wireless network. You can then capture the wireless transmissions if they're not sufficiently encrypted," Stoddart says.

When you swipe your credit card, your data is often transmitted through a wireless router either to a bank for approval or to the store's main computer. But the signal carrying your information bleeds easily through the walls.

Stahl got her first lesson in something called "war driving" from Kris Harms, a computer forensic investigator for Mandiant, a computer security company, who showed her how hackers, outside in a van, can grab the stores' wireless data.

"So you and I are in this parking lot, and we park in front of one of these big stores. We can just pluck it, is what you're saying, right through the wall," Stahl remarked.

"Absolutely," Harms replied.

All you need, he says, is a regular computer; the software he got for free. Within moments, Stahl and Harms started getting results.

"Right now, we're right in front of Best Buy," Stahl remarked.

"Right so, Best Buy has a wireless network," Harms explained.

The computer identified which stores have wireless signals. Some stores hide their identities, others don't. Besides Best Buy, Staples popped up, and Home Depot -- with its signature color -- wasn't hard to identify either.

"It doesn't say Home Depot, but it says 'Orange,'" Stahl noted.

Those three stores told 60 Minutes the wireless signals Harms and Stahl detected do not link to their customer data-banks. But sometimes similar signals do lead hackers to computer systems where the data is held. Harms told 60 Minutes that stores should have security to prevent that.

"When wireless first became a technology for people to use, they realized that they needed a way to protect that data that's flying around in this cloud. So they designed WEP," Harms explains.

WEP was encryption code developed in 1999, just as big chains started going wireless. But within a couple of years, hackers had cracked WEP, rendering it obsolete. If you go on YouTube today, you can learn how to disable it in minutes.

Now, there's much better encryption code called WPA. In fact, credit card companies urge retailers to upgrade to WPA. But that's expensive, so many stores resist it even though hackers can tell who hasn't upgraded.

"It’s saying WEP or WPA. That’s telling you if they have good encryption devices," Stahl remarked, looking at Harms’ computer.

"That’s right," Harms replied.

"It's actually telling you that right on your computer?" Stahl asked.

"Absolutely," Harms said.

"That’s amazing," Stahl said. "So are you able, with what you have right here in the car with us, to crack WEP right now?"

"Executing the attack is as simple as clicking a button and making it happen," Harms said. "You have pierced the first wall of what, hopefully is many."

[johnat60]

Lesley: I spent $125 CAD getting my wireless network checked out today and WEP can be used coupled with software that disengaged the connection once a hacker attempts to enter 3 incorrect passwords. The system automatically turns back on automatically as soon as it has disengaged the connection. Further more, I have learned that although WPA encryption is better than WEP, hackers will have a program in the next weeks to crack WPA just as easily as WEP is being cracked today. It would be helpful to your viewers to add this comment at then end of your next show as I can see how you might panic many of your viewers who have little or no clue on how this technology works. Afterall, journalism''s purpose is to uncover all the facts even after the original story is aired. Thank you for your consideration.

[stardustmo]

Ramman 13876....you missed the boat, brother. You don''t think the people that use a card in your store and purchase the goods YOU provide aren''t YOUR customers too? It''s difficult to be diplomatic when I see that level of ignorance and avoiding responsibility. If you really, really believe that.....you are a sorry representative of the retail industry. Very sorry.

[DebGage]

Doesn''t 60 Minutes do original reporting anymore? There is nothing in this story that wasn''t covered elsewhere weeks or months ago. Given Ms. Stahl''s incredulity during the piece, I guess she didn''t know that. A competent summary of already published material, but I expect more than that from 60 Minutes.

[b-easy63]

At the POS online you have the ability to know if your transaction is secure (via SSL) Posted by vbnvbnvbn at 07:46 PM : Nov 26, 2007

Actually, that is no longer true. Online, particularly online auctions (like ebay) there are fake sellers who use fake 3rd party checkouts and clearing houses. The criminals are sooo savvy now that they can pretend to sell an item, direct people to a fake checkout and then to a fake paypal site replete with fake secure emblems. the new "secure" sight is really secure, but can be accessed by the person who set it up. What they are trying to capture are passwords to the auction, passwords to paypal and from there, access to accounts and credit card and bank data.

Spammers and others have taken "phishing" to a whole new level and paypal is constantly having to warn users to be on the look out for bogus paypal sites or emails. the good news is, if a person is familiar with paypal they can spot the fake due to spelling errors or the logos not being quite right. The bad news is--both ebay and the criminals are constantly changing format so there is no way to tell when a site is truly bogus and the criminals are getting better....

[b-easy63]

A lot of the people at TJ Maxx are illegals from Eastern Europe. Maybe they stole the ids to help bring more over or into the store- We can''t really fault them for how they maintain records--it is how they probably did it in the Old country. Often, in Iowa or Indiana, you go in a TJ Maxx and you have to wait until they find someone who can speak English to help. NO reason to fire up at these people though, the Government has lost millions in vets and other personal records, including ss cards and benefit information, in 2005, Wells Fargo lost info twice...as did several hospitals. I believe it is all a scam. They want as many bogus sources for who has the info--so that when the government snoops and screws us over, we can''t just finger one source for giving it to them. ON the other hand, much more of this and we''ll be ready for those indelible micro chips to be inserted in our foreheads or right hands so that we can work, buy and sell without worrying about id theft. Just scan and go. Mark of the Beast--here we come!!! ONe world, one currency and it all is in the chip!!! Global markets indeed.

[mastermind_j]

Your charges made online can be made almost fraud proof by using Visa''s Verified by Visa, and Mastercard''s Shop Safe. These programs use give you a number not related to you card number that can only be used a certain merchant, for a set dollar amount at a set time. T.J. Maxx is definately not the only merchant this has happened too. DSW shoes was another large leak.

[mastermind_j]

The issue with your whole card number on your recepit is an issue with the merchants using old POS ''Point of Sale'' terminals. Back when the system was created this information was used as check against the card provided.

[stardustmo]

Part 2
Dave Hogan (from the Natl Retail Fed) was a riot, don''t you think? Seriously, he gave so much bogus information, it was laughable. He opined that card companies are not serious about security. Pule-e-e-eze. What a joke ....spoken like a true lobbyist for the retailers It doesn''t take much research on Google to see the folly of his statement. His accusation that card companies use fines to increase revenues is simply not a credible statement (pule-e-e-e-ze again) to even the casual observer. Fines, like traffic fines, like all fines, are tools to change behavior that needs changing. Who wrote that line for him to parrot on the air anyway? (Ya just gotta shake your head...) I will admit though that Hogan was effective in conveying the point that the security problem "ain''t my fault". Point that ol'' finger of yours, Big Dave, and blame everyone else. That''s really effective in solving the problem, ol'' buddy. (Not a single productive thing came out of his mouth.) I could go on and on.

The issues of security are very serious and the solution will not be easily or quickly accomplished. They are complex and, yes, can be expensive to implement. But, it is absolutely critical that it be taken to heart. There are a number of productive efforts that are in place that should be embraced and adopted by those entities entrusted with protecting their customers personal information. It''s past time to get on board and quit playing the blame game.

[stardustmo]

I salute the effort by CBS to bring this matter front and center, because it is more of an issue than most begin to know. Your segment made it pretty clear about the state of security with the "drive thru" in the parking lots near retailers. I''m sure that is just the tip of the iceberg. We can all be sure that there is another, perhaps several more, TJX''s that will occur or are occurring now (just not discovered).

The email from the TJX vice president, I would venture to guess again, is probably not an uncommon sentiment in that or similar environments. The fact that TJX says their security was comparable to other retailers was likely accurate. Not very reassuring to the consumer who entrusts his or her personal data to the care of the merchant. Who is suppose to be responsible for safeguarding the consumers'' personal information? Not too hard to figure out.

[rayboy21]

Overall program was excellent and informative.
BUT I was troubled by the fact Chris Harms, the forensic investigator, was using his computer WHILE DRIVING. That sets a very bad example and was unnecessary. His eyes constantly went back and forth from the screen to the street. It sets a bad example especially in this day of cell phone and text usage!

[chasdye]

It''s outrageous that Lesley Stahl would end the segment with the comments ". . . many other chains have closed their security gaps, though most stores are still vulnerable."

She made a big point of showing Best Buy and Home Depot, and mentioning Staples. Have THEY closed their security gaps? Who are the other chains? And what does "most stores" mean?

This is sloppy reporting.

[chasdye]

It''s outrageous that Lesley Stahl would end the segment with the comments ". . . many other chains have closed their security gaps, though most stores are still vulnerable."

She made a big point of showing Best Buy and Home Depot, and mentioning Staples. Have THEY closed their security gaps? Who are the other chains? And what does "most stores" mean?

This is sloppy reporting.

[chasdye]

It''s outrageous that Lesley Stahl would end the segment with the comments ". . . many other chains have closed their security gaps, though most stores are still vulnerable."

She made a big point of showing Best Buy and Home Depot, and mentioning Staples. Have THEY closed their security gaps? Who are the other chains? And what does "most stores" mean?

This is sloppy reporting.

[Wookiee-1138]

Wardriving is perfectly legal. It''s the store''s fault for not taking basic precautions.

[gary.dennis]

Two months before the airing of this segment on credit card fraud, the 60 Minutes staff received a PDF containing copies of the registered letters sent to board members at banks, credit card processing companies, congress men and women, credit reporting agencies and the justice department. These letters described a technology capable of preventing identity theft and fraud.

In effect, the technology permits individuals to simply turn asset like a credit card, bank account or personal credit off and on within seconds. Moreover, the entire process can be voice verified. Fully deployed, the technology would drive fraud artists up the wall.

Hurray to 60 Minutes for joining a long procession of other news and business organizations that couldn''t recognize sea change technology if it ran over them.

The real story on ID theft is that so much money is made because of identity theft and ID fraud that solving the problem or nearly solving it would shut down about 4 billion in annual sales for ID theft "snake-oil" remedies now sold to the American consumer.

[gary.dennis]

Two months before the airing of this segment on credit card fraud, the 60 Minutes staff received a PDF containing copies of the registered letters sent to board members at banks, credit card processing companies, congress men and women, credit reporting agencies and the justice department. These letters described a technology capable of preventing identity theft and fraud.

In effect, the technology permits individuals to simply turn asset like a credit card, bank account or personal credit off and on within seconds. Moreover, the entire process can be voice verified. Fully deployed, the technology would drive fraud artists up the wall.

Hurray to 60 Minutes for joining a long procession of other news and business organizations that couldn''t recognize sea change technology if it ran over them.

The real story on ID theft is that so much money is made because of identity theft and ID fraud that solving the problem or nearly solving it would shut down about 4 billion in annual sales for ID theft "snake-oil" remedies now sold to the American consumer.

[denn034]

The story has it backwards. Your credit card is safer in stores than online. The hackers all but demands the view. Sorry but, I disagree CBS.

[addasdc]

I found it unreal that CBS did not interview anyone from the Payment Card Industry (PCI) Council. The US Retail Council spokesman should be sued for grossly misrepresenting that the credit card companies are to blame for forcing merchants to store and maintain credit card data. Shameful reporting, but if it spurs retailers to improve, we''re all better off - but I don''t think the means justifies the ends totally.

[Netterz]

Use CASH. No way will your info be leaked, no credit card co will be making $ off you, and you remain safe. Technology isnt all its cracked up to being.

[Netterz]

Just ignore it.... I am far more concerned with the news articles than the spammer. The more you ignite against him, he more it antagonizes the spam. People will vote on what they prefer, so pushing, spamming, name calling and hat ever,just ignites it all. Comment on the article your reading, and ignore the other posts.