We've been covering the big retail hacker story for a couple of years, and the twists and turns are like a movie plot.
I was surprised by the Justice Department news on Aug. 5 charging 11 people with stealing over 40 million payment card numbers. It turns out the same guys were behind a bunch of data thefts at nine different retailers, including the really big heist at TJX. And, in a Hitchcock-worthy twist, it turned out that the very guy who was helping the FBI solve the case was the alleged mastermind behind the plot. Eek. Oops, that never looks good.
But maybe the biggest surprise is how easy the systems were to break into. The "60 Minutes" special last year pretty much got it right.
The thieves gained access through relatively insecure wireless networks. Once inside, they were able to move into supposedly better protected parts of the network and install "sniffer" software.
This is perfectly ordinary software used by any system administrator on a routine basis that captures the content of each packet of information going by on the network. Incredibly, they were able to trap bank and credit card PIN numbers, not just the card numbers. This implies the sniffers were sitting on the part of the network we've always been told is most bulletproof -- the line that connects the card-swipe device to the bank. Supposedly, these use the latest level of encryption that no one can hack. But of course, that's only true if the retailers upgrade to the latest standards.
All of this costs money. And until a few break-ins were publicized, most retailers probably didn't take the data-security issue very seriously. In October 2007, 65 percent of the largest merchants were compliant with the latest standards set by the credit-card companies, up from only 36 percent in December 2006. Not that the security standards are any panacea either. Thieves will always search for workarounds, and retailers will always have to spend to stay ahead of them.
Coincidentally, thousands of dollars were withdrawn from my bank account last year, using the same methods. I will never use my PIN number at a retailer again.