Nov. 25, 2007
Hi-Tech Heist
How Hi-Tech Thieves Stole Millions Of Customer Financial Records
Consumers often feel safer using their credit cards in stores than online, where hackers are notorious for stealing personal information. But is it really safer? Lesley Stahl reports.
(CBS)
"Was TJX aware that they were using a system that was pretty much useless? Did they know that?" Stahl asks Jennifer Stoddart.
"If you're running a huge wireless network, it's your business to know about encryption standards. So they should have known that," she says.
TJX did know, but in a letter to 60 Minutes said, in their defense, that they believe "our security was comparable to many major retailers."
Yet internal company documents suggest they were warned it was risky to use outdated encryption. In 2005, a TJX vice president sent his bosses this email: "We are still vulnerable with WEP as our security key. It must be a risk we are willing to take for the sake of saving money."
By then, the hackers had already broken in, and once in, raided not only the two Miami stores, but over 2,400 TJX stores in the U.S., England, and Canada, walking away with close to 100 million credit card numbers.
"Because all the stores are networked to a central server. And so by getting in at any part of the network, they could then make their way virtually to the central server and siphon off the information for a year and a half undisturbed," Stoddart says.
On top of the credit card numbers, the hackers got hundreds of thousands of drivers' licenses and Social Security numbers, and military IDs -- personal records about their customers kept for years after the purchases were made.
"And what's the justification for holding onto the information for so long? Is it just that it's too expensive to cull it out?" Stahl asks.
"It costs money to dispose securely of personal information, so it was just easier to keep it," Stoddart says. "I think it's that kind of a -- perhaps unwise business decision."
Credit card numbers stolen from TJX keep popping up around the globe. Security camera images from stores in Florida were used to convict a ring of thieves who made fake cards from TJX numbers and bought over a million dollars' worth of merchandise.
And if you’re wondering how the thieves got the stolen card numbers, here’s how: illegal online auction sites, where millions of stolen card numbers are bought and sold.
Shawn Henry, the FBI's top cyber-crime agent, showed 60 Minutes how a thief auctions off a stolen credit card.
"A person can buy this credit card, and they bid on it like it's eBay? eBay for bad guys?" Stahl asks.
"They actually would enter into a negotiation with the individual," Henry explains.
60 Minutes and Stahl were allowed to watch while an FBI undercover agent entered into just such a negotiation.
"What you see here is somebody who's actually offered to sell credit card numbers," Henry explained. "In this particular case, what we have is an undercover agent who is engaged in a conversation with somebody who’s selling four full identities. For $100 for four full identities."
"I'll take four verifiables by Visa for 25 dollars," the undercover agent types in his computer, placing his bid.
Henry says the seller could be anywhere in the world.
The chances of ever finding these crooks are remote, but the FBI tries to establish a relationship. So, after some Internet banter, the agent jokes, "I'll smile when I get Visas," and deposits money into the seller's online bank account, asking, "You do take e-gold, right?" Answer: "Yes." Now they wait for the deal to go down.
A little later, an e-mail with four people's personal information landed in the in-box.
What popped up were complete files on four Americans, one of them "Pam," along with her address, her Social Security, credit card and ATM pin numbers. Even the answer to that security question "What's your mother's maiden name?" was there.
If you consider all this kind of theft, the cost to the American economy is huge.
"There are some estimates that estimate it in multiple billions of dollars per year of loss," Henry explains.
Leading to a multi-billion dollar blame game between the retail industry and the credit card companies.
"Is there growing tension between the two sides now?" Stahl asks Dave Hogan, who handles computer technology at the National Retail Federation.
"Lesley, absolutely, there's growing tension between the two sides," he replies.
Hogan says credit card companies should change how they do business. "If we could just force Visa and MasterCard to not require retailers to store credit card data, this issue would disappear overnight," he argues.
Hogan says card companies force retailers to store customer data in case there are charge disputes. He thinks the card companies should hold the data, not the stores.
"Honestly, we can eliminate this problem within a few days," Hogan says.
"If it's that easy, why hasn't it been done?" Stahl asks.
"I'm not too sure how vested the credit companies are as far as securing customers' data," Hogan says.
"And you're saying that the credit card companies are the ones who are not security conscious?" Stahl asks.
"In my humble opinion, no," Hogan replies.
He accuses the card companies of using this issue as a way to make money. Visa, for example, has started fining large chains that do not have up-to-date security $25,000 a month.
"If you do the math on it, this could be a windfall of $200 million annually for the credit card companies as far as a revenue stream," Hogan says.
Visa chose not to respond. However, along with other credit card companies, it has issued strict guidelines to retailers on how to protect customer data. But most stores just don’t comply.
"The retail industry is not doing enough to prevent these breaches," says Mark Rasch, the former head of the cyber-crime unit at the Justice Department and currently a managing director at FTI, a business consulting firm.
Rasch says this is a war the hackers are winning. Consider the worthless encryption code WEP.
"I had heard that there are retailers who installed WEP even after it was known it didn't work. Now, is that true?" Stahl asks.
"There are retailers who've installed it after. There are some installing it today," Rasch says.
He says stores keep making the same mistakes TJX made, like using passwords any hacker can figure out.
Like what?
"Oh, like 'password,'" Rasch says.
"The password is 'password' and everybody … knows it," Stahl remarks. "I don’t know why anybody who looks into would ever use a credit card, ever."
"Because it’s a lot more convenient than walking around with piles of cash in your pocket," Rasch explains.
This is the season for big-time shopping, for consumers and for the criminals who are going after the data, among them the TJX hackers, who are still at large.
"Retailers need to adopt the next appropriate technology, and the next one, and the next one, and the one after that, because they want people to keep buying from them," Rasch says.
"So it's just an ongoing, escalating expense. That's all it is," Stahl remarks.
"This is an arms race," Rasch replies.
TJX told 60 Minutes they no longer store unneeded data, and that now all of their stores in the United States use the upgraded encryption code. Since TJX disclosed the theft, many other chains have also closed their security gaps, though most stores are still vulnerable.
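Hogan's complaint and TJX's later change both come down to the same rule: keep only what a charge dispute needs, and not for longer than the dispute window. As an added example, not from the broadcast or from any retailer's system, here is that minimisation in Python; the retained fields, the 180-day window and the sample values are assumptions.

```python
# Added example (not from the 60 Minutes piece): keep only what a charge
# dispute needs from a card transaction and purge records past a retention
# window. Retention length and field names are assumptions, not a standard.
from dataclasses import dataclass
from datetime import date, timedelta

# Fields that must never survive authorisation in a retailer's records.
SENSITIVE_FIELDS = ("pan", "track2", "pin", "cvv", "driver_license", "ssn")


@dataclass(frozen=True)
class DisputeRecord:
    txn_id: str
    txn_date: date
    amount_cents: int
    masked_pan: str  # first 6 and last 4 digits only
    auth_code: str


def mask_pan(pan: str) -> str:
    """Return a masked card number that cannot be replayed for a purchase."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def minimise(raw: dict) -> DisputeRecord:
    """Build the retained record; every SENSITIVE_FIELDS value is dropped."""
    return DisputeRecord(
        txn_id=raw["txn_id"],
        txn_date=raw["txn_date"],
        amount_cents=raw["amount_cents"],
        masked_pan=mask_pan(raw["pan"]),
        auth_code=raw["auth_code"],
    )


def leaked_fields(record: DisputeRecord, raw: dict) -> list:
    """Names of sensitive raw values that still appear verbatim in the record."""
    kept = {str(v) for v in vars(record).values()}
    return [f for f in SENSITIVE_FIELDS if f in raw and str(raw[f]) in kept]


def purge_expired(records, today: date, retention_days: int = 180) -> list:
    """Drop records older than the (assumed) dispute window."""
    cutoff = today - timedelta(days=retention_days)
    return [r for r in records if r.txn_date >= cutoff]


# Constructed sample: a raw POS record with fake values, as it might look
# before minimisation (note the PIN and track data sitting beside the PAN).
RAW_TXN = {
    "txn_id": "T-0001", "txn_date": date(2007, 6, 1), "amount_cents": 4999,
    "pan": "4111 1111 1111 1111", "track2": "4111111111111111=0912101",
    "pin": "1234", "cvv": "123", "driver_license": "D1234567",
    "auth_code": "A1B2C3",
}
```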
Produced By Shachar Bar-On
© MMVII, CBS Interactive Inc. All Rights Reserved.
Comments
- Lesley: I spent $125 CAD getting my wireless network checked out today and WEP can be used coupled with software that disengages the connection once a hacker attempts to enter 3 incorrect passwords. The system automatically turns back on as soon as it has disengaged the connection. Furthermore, I have learned that although WPA encryption is better than WEP, hackers will have a program in the next weeks to crack WPA just as easily as WEP is being cracked today. It would be helpful to your viewers to add this comment at the end of your next show as I can see how you might panic many of your viewers who have little or no clue on how this technology works. After all, journalism's purpose is to uncover all the facts even after the original story is aired. Thank you for your consideration.
- Ramman 13876....you missed the boat, brother. You don't think the people that use a card in your store and purchase the goods YOU provide aren't YOUR customers too? It's difficult to be diplomatic when I see that level of ignorance and avoiding responsibility. If you really, really believe that.....you are a sorry representative of the retail industry. Very sorry.
- Doesn't 60 Minutes do original reporting anymore? There is nothing in this story that wasn't covered elsewhere weeks or months ago. Given Ms. Stahl's incredulity during the piece, I guess she didn't know that. A competent summary of already published material, but I expect more than that from 60 Minutes.
- "At the POS online you have the ability to know if your transaction is secure (via SSL)" Posted by vbnvbnvbn at 07:46 PM : Nov 26, 2007
Actually, that is no longer true. Online, particularly on online auctions (like eBay), there are fake sellers who use fake 3rd party checkouts and clearing houses. The criminals are sooo savvy now that they can pretend to sell an item, direct people to a fake checkout and then to a fake PayPal site replete with fake secure emblems. The new "secure" site is really secure, but can be accessed by the person who set it up. What they are trying to capture are passwords to the auction, passwords to PayPal and from there, access to accounts and credit card and bank data.
Spammers and others have taken "phishing" to a whole new level and PayPal is constantly having to warn users to be on the lookout for bogus PayPal sites or emails. The good news is, if a person is familiar with PayPal they can spot the fake due to spelling errors or the logos not being quite right. The bad news is, both eBay and the criminals are constantly changing format so there is no way to tell when a site is truly bogus and the criminals are getting better....
- A lot of the people at TJ Maxx are illegals from Eastern Europe. Maybe they stole the IDs to help bring more over or into the store. We can't really fault them for how they maintain records; it is how they probably did it in the Old Country. Often, in Iowa or Indiana, you go in a TJ Maxx and you have to wait until they find someone who can speak English to help. No reason to fire up at these people though; the Government has lost millions in vets' and other personal records, including SS cards and benefit information, in 2005, Wells Fargo lost info twice...as did several hospitals. I believe it is all a scam. They want as many bogus sources for who has the info, so that when the government snoops and screws us over, we can't just finger one source for giving it to them. On the other hand, much more of this and we'll be ready for those indelible microchips to be inserted in our foreheads or right hands so that we can work, buy and sell without worrying about ID theft. Just scan and go. Mark of the Beast, here we come!!! One world, one currency and it all is in the chip!!! Global markets indeed.
- Your charges made online can be made almost fraud proof by using Visa's Verified by Visa, and MasterCard's ShopSafe. These programs give you a number not related to your card number that can only be used at a certain merchant, for a set dollar amount at a set time. T.J. Maxx is definitely not the only merchant this has happened to. DSW Shoes was another large leak.
- The issue with your whole card number on your receipt is an issue with the merchants using old POS 'Point of Sale' terminals. Back when the system was created this information was used as a check against the card provided.
- Part 2
Dave Hogan (from the Natl Retail Fed) was a riot, don't you think? Seriously, he gave so much bogus information, it was laughable. He opined that card companies are not serious about security. Pule-e-e-eze. What a joke....spoken like a true lobbyist for the retailers. It doesn't take much research on Google to see the folly of his statement. His accusation that card companies use fines to increase revenues is simply not a credible statement (pule-e-e-e-ze again) to even the casual observer. Fines, like traffic fines, like all fines, are tools to change behavior that needs changing. Who wrote that line for him to parrot on the air anyway? (Ya just gotta shake your head...) I will admit though that Hogan was effective in conveying the point that the security problem "ain't my fault". Point that ol' finger of yours, Big Dave, and blame everyone else. That's really effective in solving the problem, ol' buddy. (Not a single productive thing came out of his mouth.) I could go on and on.
The issues of security are very serious and the solution will not be easily or quickly accomplished. They are complex and, yes, can be expensive to implement. But, it is absolutely critical that it be taken to heart. There are a number of productive efforts that are in place that should be embraced and adopted by those entities entrusted with protecting their customers' personal information. It's past time to get on board and quit playing the blame game.
- I salute the effort by CBS to bring this matter front and center, because it is more of an issue than most begin to know. Your segment made it pretty clear about the state of security with the "drive thru" in the parking lots near retailers. I'm sure that is just the tip of the iceberg. We can all be sure that there is another, perhaps several more, TJXs that will occur or are occurring now (just not discovered).
The email from the TJX vice president, I would venture to guess again, is probably not an uncommon sentiment in that or similar environments. The fact that TJX says their security was comparable to other retailers was likely accurate. Not very reassuring to the consumer who entrusts his or her personal data to the care of the merchant. Who is supposed to be responsible for safeguarding the consumers' personal information? Not too hard to figure out.
- Overall program was excellent and informative.
BUT I was troubled by the fact Chris Harms, the forensic investigator, was using his computer WHILE DRIVING. That sets a very bad example and was unnecessary. His eyes constantly went back and forth from the screen to the street. It sets a bad example especially in this day of cell phone and text usage!
- It's outrageous that Lesley Stahl would end the segment with the comments ". . . many other chains have closed their security gaps, though most stores are still vulnerable."
She made a big point of showing Best Buy and Home Depot, and mentioning Staples. Have THEY closed their security gaps? Who are the other chains? And what does "most stores" mean?
This is sloppy reporting.
- Wardriving is perfectly legal. It's the store's fault for not taking basic precautions.
- Two months before the airing of this segment on credit card fraud, the 60 Minutes staff received a PDF containing copies of the registered letters sent to board members at banks, credit card processing companies, congressmen and women, credit reporting agencies and the Justice Department. These letters described a technology capable of preventing identity theft and fraud.
In effect, the technology permits individuals to simply turn an asset like a credit card, bank account or personal credit off and on within seconds. Moreover, the entire process can be voice verified. Fully deployed, the technology would drive fraud artists up the wall.
Hurray to 60 Minutes for joining a long procession of other news and business organizations that couldn't recognize sea change technology if it ran over them.
The real story on ID theft is that so much money is made because of identity theft and ID fraud that solving the problem or nearly solving it would shut down about 4 billion in annual sales for ID theft "snake-oil" remedies now sold to the American consumer.
- The story has it backwards. Your credit card is safer in stores than online. The hackers all but demand the view. Sorry but, I disagree CBS.
- I found it unreal that CBS did not interview anyone from the Payment Card Industry (PCI) Council. The US Retail Council spokesman should be sued for grossly misrepresenting that the credit card companies are to blame for forcing merchants to store and maintain credit card data. Shameful reporting, but if it spurs retailers to improve, we're all better off. But I don't think the means justifies the ends totally.
- Use CASH. No way will your info be leaked, no credit card co will be making $ off you, and you remain safe. Technology isn't all it's cracked up to be.
- Just ignore it.... I am far more concerned with the news articles than the spammer. The more you ignite against him, the more it antagonizes the spam. People will vote on what they prefer, so pushing, spamming, name calling and whatever just ignites it all. Comment on the article you're reading, and ignore the other posts.