Sunday, February 11, 2007

T.J. Maxx Security Breach

The Massachusetts attorney general is leading a probe into the security measures parent company TJX took to protect its consumer-related information from data leaks and hacker attacks.

By Sharon Gaudin



The Massachusetts attorney general is heading up a multistate civil investigation into the recently disclosed security breach at TJX.

The Consumer Protection Division of the Attorney General's Office is investigating the breach, which was revealed last month by the Framingham-based company. The state is looking specifically at what security measures the company took to protect consumer information.

"TJX has been very cooperative with the Attorney General's Office, and we are interested in continuing to work closely with the company so that we can protect Massachusetts consumers and the marketplace from credit card and other fraud," Attorney General Martha Coakley said in a written statement.

TJX, whose properties include 826 T.J. Maxx, 751 Marshalls, and 271 HomeGoods stores, was the victim of a hacker who accessed the company's computer systems that process and store information related to customer transactions at its stores in the United States and Puerto Rico, as well as for some stores in Canada, and potentially Canada and Ireland.

The stolen information may include credit and debit card sales transaction data from 2003 as well as data from mid-May through Dec. 2, 2006.

Since taking office last month, Coakley has said that addressing identity theft and credit card fraud will be one of her administration's top priorities.

"The recent TJX data breach demonstrates that Massachusetts citizens do not have all the necessary tools to protect themselves against identity theft or credit card fraud," Coakley said in her statement. "There are several proposals pending, including those that would require notification of consumers when their data was stolen or released, or that would give consumers the right to place a security freeze on their credit reports, which we are interested in reviewing. I look forward to working with the Legislature to determine the best ways to help consumers protect themselves and their credit."

Tips To Protect Yourself

The Massachusetts AG's office is recommending people who have shopped at any of the TJX stores should take these precautionary steps:

· Call one of the three major credit bureaus and place a one-call fraud alert on your credit report. Call either Equifax at 800-525-6285, Experian at 888-397-3742, or TransUnion at 800-680-7289.

· Order a copy of your credit report, and look for unauthorized activity.

· If there is unexplained activity on your credit report, place an extended fraud alert on your credit report.

· You may want to contact the fraud department of the credit card company or bank that you used when you made purchases at the TJX stores. These financial institutions can monitor your account for suspicious activity.

TJX has established a toll-free customer help line. Callers from the United States can call 866-484-6978. In addition, the company has posted information on its Web site under Important Customer Alert.


Thursday, February 8, 2007

RSA: Microsoft pledges support for OpenID

Dynamic Security could help integrate this authentication system into your present security programs and policies.

Robert McMillan

February 06, 2007 (Computerworld Hong Kong) Microsoft Corp. has thrown its weight behind OpenID, an emerging Web authentication standard.

The announcement was made today at the RSA Conference in San Francisco during a joint keynote by Microsoft Chairman Bill Gates and Chief Research and Strategy Officer Craig Mundie that was long on vision and short on specifics.

Microsoft pledged to work to integrate OpenID with its CardSpace identity management software, which is now available in conjunction with Windows Vista. "The marriage of CardSpace and OpenID 2.0 is actually a giant step forward," Mundie said.

By integrating these two technologies, Microsoft expects to "eliminate the issue of the man-in-the-middle attack," Mundie said. In these attacks, which are increasingly being used by phishers, a thief steals sensitive information by setting up a fake Web site that passes information back and forth between the victim and the legitimate Web site.

OpenID is an emerging open-source standard that simplifies the task of logging on to many different Web sites.

Gates and Mundie spent much of their keynote discussing how their company plans to simplify security and make the process of managing digital identities easier.

IT professionals could achieve both ends by getting rid of log-in passwords and replacing them with strong, certificate-based authentication techniques like smart cards, Gates said. "Passwords are not only weak. Passwords have a huge problem. If you get more and more of them, the worse it is," he said.

"We see smart cards ... [and] certificates in general as the way these things should go. You'll be presenting certificates as opposed to weak passwords," he said.

Microsoft hopes to drive the adoption of smart cards, with the launch of its Identity Lifecycle Manager 2007, introduced at RSA. Expected to ship on May 1, this software integrates technology from Microsoft's 2005 acquisition of Alacris with the company's Identity Integration Server. The software will make it easier for users to integrate strong authentication technologies like smart cards into Microsoft networks.

Mundie suggested that in order for security to work, technology companies will need to turn their thinking upside down, to a certain extent. "Security was really a blocking thing," Mundie said. "How do you invert this ... so these security mechanisms become a thing that makes it simpler for anyone to be granted permission to get [network] access."

Microsoft plans to achieve this by switching the focus using technologies like IPsec (Internet Protocol security) and IPv6 (IP version 6), Mundie said. The company has already been using these technologies for the past two and a half years in an internal access control system that is better at granting employees and contractors access to the data and applications they need while keeping them away from the rest of the network, he said.

With breaches being reported every week -- often after the loss of a laptop computer -- companies need to think beyond locking down the perimeter of their networks, Mundie added. "The threat model is changing in fundamental ways. We could continue to invest in this fortress mentality of protecting everything, but I don't think that would be sufficient," he said. "Our castle is fairly porous because a lot of our assets leave the castle."

Microsoft's broad vision did not impress one attendee.

"This was the most content-free presentation I've seen at RSA in years," said Bruce Schneier, chief technology officer with BT Group PLC's Counterpane unit. "My guess is that most people in the room could have given that talk because it's where we all want to go."

The keynote, in which Gates and his successor sat side-by-side and, at times, finished each other's thoughts, appeared to be a symbolic handing over of power, Schneier said.

Gates will be stepping down from his day-to-day duties in July 2008, at which point Mundie will take over Microsoft's research efforts.

But Schneier doesn't expect Gates to appear at next year's conference. "The take-away is Craig's coming back next year, but Bill isn't," he said.


Wednesday, February 7, 2007

Study: Users ignore bank security features

Not like it's their money or anything

Jeremy Kirk February 05, 2007 (IDG News Service) -- Users of online banking sites tend to bypass critical clues that the integrity of those sites may have been compromised, according to the working draft of a study released on Sunday by researchers at Harvard University and the Massachusetts Institute of Technology.

The study, which will be formally released in May at the IEEE Symposium on Security and Privacy in Oakland, California, underscores how new technologies and warnings can't completely protect Internet users from scams such as phishing.

It also throws doubt on the effectiveness of site-authentication images, which have been implemented by financial institutions such as Bank of America Corp., Vanguard Group Inc. and ING Bank FSB. The images, selected by the customers, are shown when a bank customer logs in from a different computer than is normally used.

The study involved 67 users, with more than 90 percent under 30 years old. Because of varying parameters in the study, not all qualified to be included in the results for each of the three tests. Users were asked to conduct common online banking tasks, although precautions were taken to ensure users weren't put at risk.

For the first test, HTTPS indicators -- which show that an encrypted connection is enabled -- were removed from the address bar along with the lock that appears in the bottom right corner of Internet Explorer 6. Although the absence of HTTPS indicators should be a warning, all 67 participants continued with their transactions, the study found.

The researchers then conducted a test where the site-authentication image was removed along with the HTTPS indicators. The researchers believe it is the first empirical investigation into site-authentication images.

Only two of 60 people chose not to log in when the image was removed, a key sign that a site may have been tampered with or is a phishing site, the study said. Of users who were actually using their own bank account for the study, 23 of 25 continued to enter their passwords.

"We find them [site-authentication images] to be ineffective," the study concludes.

In the last test, researchers made it more obvious, this time replacing a password-entry page with a warning page from Internet Explorer 7 Beta 3. The page advises of a problem with the security certificate of the chosen Web site. Despite the warning, 30 of 57 users entered their passwords.

The study comes as U.S. banks are beefing up their authentication technologies amid new requirements from federal regulators.

In October 2005, the Federal Financial Institutions Examination Council (FFIEC) mandated that U.S. banks implement stronger authentication protections by the end of last year, particularly for high-risk transactions such as sending money to a different person's account.

Bank of America uses site-authentication image technology called SiteKey. Users pick an image and assign a phrase to it while also setting three "challenge" questions. If a user logs in from a computer that doesn't already have a cookie, they're asked one of the challenge questions and then to verify the image and phrase.

If the image doesn't appear or the phrase is wrong, consumers shouldn't proceed. Bank of America said the image system benefits users since it's free and doesn't involve extra hardware or software.
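The login flow described above (device cookie check, challenge question on an unrecognised computer, image and phrase shown before the password is requested) can be modelled server-side. The following is an added example written for this page, not Bank of America's SiteKey code; the user record, the HMAC-signed device cookie and the plaintext password comparison are all constructed for the demo (a real system stores a password hash).

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical server-side key used to sign device cookies (constructed for the demo).
SERVER_KEY = secrets.token_bytes(32)

# Constructed enrolment data: one user, a chosen image and phrase, three challenge questions.
USERS = {
    "alice": {
        "password": "correct horse",  # plaintext only for this demo
        "image": "sailboat.png",
        "phrase": "calm seas",
        "challenges": {
            "First pet's name?": "rex",
            "City of birth?": "boston",
            "Favourite teacher?": "ms smith",
        },
    }
}


def issue_device_cookie(username: str, device_id: str) -> str:
    """Bind a device to a user with a keyed MAC so the cookie cannot be forged or re-pointed."""
    payload = f"{username}:{device_id}".encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    return f"{username}:{device_id}:{tag}"


def device_cookie_valid(cookie: str, username: str) -> bool:
    """Accept the cookie only if its MAC verifies and it was issued for this username."""
    try:
        user, device_id, tag = cookie.split(":")
    except ValueError:
        return False
    if user != username:
        return False
    expected = hmac.new(SERVER_KEY, f"{user}:{device_id}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


class LoginSession:
    """Server-side state for one login attempt following the described flow."""

    def __init__(self, username: str, device_cookie: Optional[str] = None):
        self.username = username
        self.cookie = device_cookie
        self.stage = "identify"
        self.pending_question = None

    def start(self):
        """Step 1: after the username is entered, decide whether a challenge is needed."""
        user = USERS.get(self.username)
        if user is None:
            self.stage = "denied"
            return ("denied",)
        if self.cookie and device_cookie_valid(self.cookie, self.username):
            return self._show_image()
        # Unrecognised computer: ask one of the enrolled challenge questions.
        self.pending_question = secrets.choice(list(user["challenges"]))
        self.stage = "challenge"
        return ("challenge", self.pending_question)

    def answer_challenge(self, answer: str):
        """Step 2: a correct answer unlocks the image and phrase; a wrong one ends the attempt."""
        if self.stage != "challenge":
            return ("denied",)
        expected = USERS[self.username]["challenges"][self.pending_question]
        if not hmac.compare_digest(answer.strip().lower(), expected):
            self.stage = "denied"
            return ("denied",)
        return self._show_image()

    def _show_image(self):
        """Reveal the user's image and phrase so they can verify them before typing a password."""
        user = USERS[self.username]
        self.stage = "password"
        return ("image", user["image"], user["phrase"])

    def submit_password(self, password: str) -> Optional[str]:
        """Step 3: accept a password only after the image stage; on success bind this device."""
        if self.stage != "password":
            return None
        if not hmac.compare_digest(password, USERS[self.username]["password"]):
            self.stage = "denied"
            return None
        self.stage = "done"
        return issue_device_cookie(self.username, secrets.token_hex(8))
```

The server can enforce the ordering of the steps, but the one check that matters against a fake site is performed by the user: whether the image and phrase actually appeared. Nothing in the code above can make a user stop when they are missing, which is the gap the study measured.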


IT security goes mainstream at RSA Conference

Business Security for business is big business...

The annual RSA Conference is showing evidence of a maturing information security industry with an increasing role for big-name companies. The event has developed into an annual gathering for corporate IT pros and a showcase for hundreds of companies, small and large, that market security products and services to businesses. More here


Wednesday, January 31, 2007

Security Breach Damage Spreads

Oops.. Cybercrime is costly...

More Thefts From TJX Breach

JANUARY 30, 2007 | More than 60 banks have reported compromises of customer accounts as a result of the recent security breach at retail giant TJX Companies, and that figure is expected to grow, according to the Massachusetts Bankers Association.

And in a separate report, Visa alerted financial institutions that TJX had violated the Payment Card Industry's Data Security Standard guidelines, which prohibit long-term storage of credit card data by retailers.

Less than half of the 205 banks in Mass. have reported their findings on the TJX breach, disclosed two weeks ago. (See TJX Breach Skewers Customers, Banks.) Most of the banks reporting in have seen unauthorized account activity on at least some of the credit cards exposed in the breach, according to the MBA.

The banks are still contacting TJX customers, and in some cases, are canceling customer accounts and re-issuing cards, according to Daniel Forte, CEO and president of the MBA. The number of banks affected is "likely to grow higher," the MBA says, as many of them haven't been able to report "because the situation is such a moving target."

Officials at TJX still aren't saying how the breach occurred, but according to an alert sent Jan. 15 via the Visa Compromised Account Management System, the retailer had stored credit card data dating back to 2003. PCI rules, which are set and enforced by the credit card companies, state that merchants cannot store data for long periods.
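The PCI rule referred to above is about what a merchant keeps after a card has been authorised. The following is an added example, not code from TJX, Visa or the PCI Council: it takes constructed post-authorisation records (industry test card numbers, invented amounts and dates), strips the sensitive authentication data, reduces the card number to a masked form plus a keyed token, and enforces a retention window. The token key, the field names and the 90-day retention value are assumptions chosen for the demo.

```python
import hashlib
import hmac
import re
import secrets
from datetime import datetime, timedelta, timezone

# Hypothetical tokenization key; a real deployment keeps this in an HSM or key vault,
# apart from the transaction store, so a copied database alone reveals no card numbers.
TOKEN_KEY = secrets.token_bytes(32)

# Fields that must never be kept after authorisation (CVV2, magnetic-stripe tracks, PIN block).
SENSITIVE_AUTH_FIELDS = {"cvv2", "track1", "track2", "pin_block"}
# A bare 13-19 digit run is a likely card number (PAN) hiding in free text.
PAN_PATTERN = re.compile(r"\b\d{13,19}\b")

# Reference date for the retention check (constructed).
AS_OF = datetime(2007, 1, 15, tzinfo=timezone.utc)

# Constructed sample records as a point-of-sale system might hold them right after authorisation.
RAW_AUTHORIZATIONS = [
    {"pan": "4111111111111111", "expiry": "12/08", "cvv2": "123",
     "track2": "4111111111111111=08121011234567890", "amount_cents": 4999,
     "store": "0123", "authorized_at": datetime(2003, 6, 1, tzinfo=timezone.utc)},
    {"pan": "4111111111111111", "expiry": "12/08", "cvv2": "123",
     "track2": "4111111111111111=08121011234567890", "amount_cents": 1250,
     "store": "0456", "authorized_at": datetime(2006, 11, 20, tzinfo=timezone.utc)},
    {"pan": "5555555555554444", "expiry": "03/09", "cvv2": "987",
     "track2": "5555555555554444=09031019876543210", "amount_cents": 8800,
     "store": "0123", "authorized_at": datetime(2006, 12, 1, tzinfo=timezone.utc)},
]


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, the PCI DSS limit for a masked PAN."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def tokenize_pan(pan: str) -> str:
    """Keyed token for matching repeat purchases or chargebacks without storing the PAN.
    An unkeyed hash would be brute-forceable because the space of valid PANs is small."""
    return hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()


def redact_for_storage(record: dict) -> dict:
    """The only form of an authorisation that may live in long-term storage:
    no full PAN and no sensitive authentication data."""
    return {
        "pan_masked": mask_pan(record["pan"]),
        "pan_token": tokenize_pan(record["pan"]),
        "expiry": record["expiry"],
        "amount_cents": record["amount_cents"],
        "store": record["store"],
        "authorized_at": record["authorized_at"],
    }


def contains_sensitive_auth_data(record: dict) -> bool:
    """Audit check over a stored record: any forbidden field, or a PAN-like digit run in text."""
    if SENSITIVE_AUTH_FIELDS & set(record):
        return True
    return any(isinstance(v, str) and PAN_PATTERN.search(v) for v in record.values())


def purge_expired(records: list, now: datetime, retention_days: int) -> list:
    """Retention enforcement: drop stored authorisations older than the business need."""
    cutoff = now - timedelta(days=retention_days)
    return [r for r in records if r["authorized_at"] >= cutoff]
```

Running `contains_sensitive_auth_data` over whatever the transaction store actually holds, rather than over what the schema says it should hold, is the check that would have surfaced a 2003 record still carrying card data.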

The banks are absorbing most of the punishment resulting from the breach. It is the banks, not TJX, which are reimbursing customers for the account thefts, and it is the banks, not TJX, which could be subject to fines for doing business with a merchant that does not comply with PCI.

The banks are responding by asking for swifter action by legislators and credit card companies to require swift disclosure of breaches among retail merchants. "By not disclosing which firm caused the breach, or quickly disclosing it, consumers are needlessly troubled," Forte says.


Thursday, December 21, 2006

ID theft catastrophe

ID theft hits a milestone

by Konstantin Kornakov | Dec 18 2006 11:25 GMT

Identity theft over the last years has become one of the most talked-about contemporary crimes. And no wonder, as the number of personal records lost or stolen in the US since 2005 has now reached a staggering 100 million. This means that more than a quarter of Americans will have had first-hand experience of it. According to Privacy Rights Clearinghouse (PRC), which has kept a track record of all data breaches in the US since February 2005, when the ChoicePoint data theft started the list, the milestone was reached last week.

Since then there have been many major breaches, with some leaving as many as tens of millions of potential victims. The largest-ever data breach was registered in June 2005, when card-processing firm CardSystems suffered a hacking incident that led to the loss of 40 million private personal records. Victims were mostly users of MasterCard-issued cards, but Visa and other card issuers were also affected. The second biggest incident occurred in May 2006, when a laptop containing personal data of more than 28 million US military veterans was stolen from the house of an employee of the Veterans Affairs department. An anonymous person later handed in the laptop following an intensive search effort, and the FBI claimed that there was no evidence that any data was taken from the computer. A third data breach with more than 17 million victims was logged in March 2006, when the database of Internet billing company iBill was stolen either by a corrupt insider or through malware. That incident is not counted by PRC towards the total number of victims of ID theft, since no personal financial data was lost, although the information that was stolen could still be used to fake identities through social engineering.

The latest target for ID thieves seems to be educational institutions, as warnings have been sounded recently about the vulnerability of universities to hacking attacks. The most prominent data breach incident involving a US university happened in May this year, when it was discovered that several computers at Ohio University had been broken into by cyberthieves in unrelated incidents. Hackers controlled one of the computers for at least a year, using it to carry out DoS attacks. Ohio University has now closed its security gaps and is implementing a special plan to improve IT safety. However, other educational institutions are still suffering data breaches. For instance, according to PRC records, of the 15 data breach incidents in December 2006, a total of 7 were recorded at colleges or universities. The biggest breach of the month was registered at UCLA, where hackers broke into a database containing personal data of current and former students and staff. This has been a trend all through 2006, as PRC records show that educational organisations account for more than 50 percent of data breached this year. The problem for universities and colleges is to balance the openness required in the learning and scientific process against the need to protect sensitive data. Until this balance is found right across the educational sphere, though, more victims will suffer the agony of having their personal information stolen by ID thieves.

Source:

PRC
Yahoo News
ZdNet UK
vnunet.com


Made4biz Security Translating real-world security knowhow into state of the art security systems.