How Credit-Card Data Went Out Wireless Door – WSJ.com

The TJX hackers did leave some electronic footprints that show most of their break-ins were done during peak sales periods to capture lots of data, according to investigators. They first tapped into data transmitted by hand-held equipment that stores use to communicate price markdowns and to manage inventory. “It was as easy as breaking into a house through a side window that was wide open,” according to one person familiar with TJX’s internal probe. The devices communicate with computers in store cash registers as well as routers that transmit certain housekeeping data.

After they used that data to crack the encryption code, the hackers digitally eavesdropped on employees logging into TJX’s central database in Framingham and stole one or more user names and passwords, investigators believe. With that information, they set up their own accounts in the TJX system and collected transaction data including credit-card numbers into about 100 large files for their own access. They were able to go into the TJX system remotely from any computer on the Internet, probers say.

Encrypted Messages

They were so confident of being undetected that they left encrypted messages to each other on the company’s network, to tell one another which files had already been copied and avoid duplicating work. The company says the hackers may even have lifted bank-card information as customers making purchases waited for their transactions to be approved. TJX transmitted that data to banks “without encryption,” it acknowledged in an SEC filing. That violates credit-card company guidelines, experts say.
