Hi-Tech Heist
Do you think twice when typing in your credit card number online, but have no problem handing over your plastic card at a store? Well actually, you may have it backward. Your personal information may be more secure in cyberspace than at the mall down the road.
That's because it's easier for dot-coms to protect the data. And most stores in America underestimate how vulnerable they are.
As correspondent Lesley Stahl reports, it's becoming a big problem. The retail industry got a wake-up call earlier this year, when TJX, the parent company of T.J. Maxx and Marshalls, disclosed it had suffered the worst high-tech heist in shopping history. Hackers raided the company's computer system, taking off with tens of millions of records. And what we have learned is: TJX could have prevented it.
"They collected too much personal information. They kept it too long. And finally, they didn't keep it according to appropriate security standards," says Canadian Privacy Commissioner Jennifer Stoddart, who led the investigation of the TJX theft for the Canadian government and the Province of Alberta, and released her findings before investigations in the U.S. are finished. TJX operates chains in both countries.
Asked if there's an actual place where the crime took place, Stoddart tells Stahl, "Yes, it seems that the intrusion happened at two Marshalls stores in the Miami area."
"Did the crime happen inside the stores or outside the store?" Stahl asks.
"This was a case of penetrating the network from without the stores because it is…a wireless network. You can then capture the wireless transmissions if they're not sufficiently encrypted," Stoddart says.
When you swipe your credit card, your data is often transmitted through a wireless router either to a bank for approval or to the store's main computer. But the signal carrying your information bleeds easily through the walls.
Stahl got her first lesson in something called "war driving" from Kris Harms, a computer forensic investigator for Mandiant, a computer security company, who showed her how hackers, outside in a van, can grab the stores' wireless data.
"So you and I are in this parking lot, and we park in front of one of these big stores. We can just pluck it, is what you're saying, right through the wall," Stahl remarked.
"Absolutely," Harms replied.
All you need, he says, is a regular computer; the software he got for free. Within moments, Stahl and Harms started getting results.
"Right now, we're right in front of Best Buy," Stahl remarked.
"Right so, Best Buy has a wireless network," Harms explained.
The computer identified which stores have wireless signals. Some stores hide their identities, others don't. Besides Best Buy, Staples popped up, and Home Depot -- with its signature color -- wasn't hard to identify either.
"It doesn't say Home Depot, but it says 'Orange,'" Stahl noted.
Those three stores told 60 Minutes the wireless signals Harms and Stahl detected do not link to their customer data-banks. But sometimes similar signals do lead hackers to computer systems where the data is held. Harms told 60 Minutes that stores should have security to prevent that.
"When wireless first became a technology for people to use, they realized that they needed a way to protect that data that's flying around in this cloud. So they designed WEP," Harms explains.
WEP was encryption code developed in 1999, just as big chains started going wireless. But within a couple of years, hackers had cracked WEP, rendering it obsolete. If you go on YouTube today, you can learn how to disable it in minutes.
Now, there's much better encryption code called WPA. In fact, credit card companies urge retailers to upgrade to WPA. But that's expensive, so many stores resist it even though hackers can tell who hasn't upgraded.
"It's saying WEP or WPA. That's telling you if they have good encryption devices," Stahl remarked, looking at Harms' computer.
"That's right," Harms replied.
"It's actually telling you that right on your computer?" Stahl asked.
"Absolutely," Harms said.
"That's amazing," Stahl said. "So are you able, with what you have right here in the car with us, to crack WEP right now?"
"Executing the attack is as simple as clicking a button and making it happen," Harms said. "You have pierced the first wall of what, hopefully is many."
At the time of its break-in in 2005, TJX did have a security system. The problem was it was the outdated encryption code WEP.
"Was TJX aware that they were using a system that was pretty much useless? Did they know that?" Stahl asks Jennifer Stoddart.
"If you're running a huge wireless network, it's your business to know about encryption standards. So they should have known that," she says.
TJX did know, but in a letter told 60 Minutes - in their defense, that they believe "our security was comparable to many major retailers."
Yet internal company documents suggest they were warned it was risky to use outdated encryption. In 2005, a TJX vice president sent his bosses this email: "We are still vulnerable with WEP as our security key. It must be a risk we are willing to take for the sake of saving money."
By then, the hackers had already broken in, and once in, raided not only the two Miami stores, but over 2,400 TJX stores in the U.S., England, and Canada, walking away with close to 100 million credit card numbers.
"Because all the stores are networked to a central server. And so by getting in at any part of the network, they could then make their way virtually to the central server and siphon off the information for a year and a half undisturbed," Stoddart says.
On top of the credit card numbers, the hackers got hundreds of thousands of drivers' licenses and Social Security numbers, and military IDs -- personal records about their customers kept for years after the purchases were made.
"And what's the justification for holding onto the information for so long? Is it just that it's too expensive to cull it out?" Stahl asks.
"It costs money to dispose securely of personal information so it was just easier to keep it," Stoddart says. "I think it's that kind of a -- perhaps unwise business decision.
Credit card numbers stolen from TJX keep popping up around the globe. Security Camera images from stores in Florida were used to convict a ring of thieves who made fake cards from TJX numbers and bought over a million dollars' worth of merchandise.
And if you're wondering how the thieves got the stolen card numbers, here's how: illegal online auction sites, where millions of stolen card numbers are bought and sold.
Shawn Henry, the FBI's top cyber-crime agent, showed 60 Minutes how a thief auctions off a stolen credit card.
"A person can buy this credit card, and they bid on it like it's eBay? eBay for bad guys?" Stahl asks.
"They actually would enter into a negotiation with the individual," Henry explains.
60 Minutes and Stahl were allowed to watch while an FBI undercover agent entered into just such a negotiation.
"What you see here is somebody who's actually offered to sell credit card numbers," Henry explained. "In this particular case, what we have is an undercover agent who is engaged in a conversation with somebody who's selling four full identities. For $100 for four full identities."
"I'll take four verifiables by Visa for 25 dollars," the undercover agent types in his computer, placing his bid.
Henry says the seller could be anywhere in the world.
The chances of ever finding these crooks are remote, but the FBI tries to establish a relationship. So, after some Internet banter, the agent jokes: "I'll smile when I get Visas;" he deposits money into the seller's online bank account asking, "You do take e-gold, right?" Answer: "Yes." Now they wait for the deal to go down.
A little later, an e-mail with four people's personal information landed in the in-box.
What popped up were complete files on four Americans, one of them "Pam," along with her address, her Social Security, credit card and ATM pin numbers. Even the answer to that security question "What's your mother's maiden name?" was there.
If you consider all this kind of theft, the cost to the American economy is huge.
"There are some estimates that estimate it in multiple billions of dollars per year of loss," Henry explains.
Leading to a multi-billion dollar blame game between the retail industry and the credit card companies.
"Is there growing tension between the two sides now?" Stahl asks Dave Hogan, who handles computer technology at the National Retail Federation.
"Lesley, absolutely, there's growing tension between the two sides," he replies.
Hogan says credit card companies should change how they do business. "If we could just force Visa and MasterCard to not require retailers to store credit card data, this issue would disappear overnight," he argues.
Hogan says card companies force retailers to store customer data in case there are charge disputes. He thinks the card companies should hold the data, not the stores.
"Honestly, we can eliminate this problem within a few days," Hogan says.
"If it's that easy, why hasn't it been done?" Stahl asks.
"I'm not too sure how vested the credit companies are as far as securing customers' data," Hogan says.
"And you're saying that the credit card companies are the one's who are not security conscious?" Stahl asks.
"In my humble opinion, no," Hogan replies.
He accuses the card companies of using this issue as a way to make money. Visa, for example, has started fining large chains that do not have up-to-date security $25,000 a month.
"If you do the math on it, this could be a windfall of $200 million annually for the credit card companies as far as a revenue stream," Hogan says.
Visa chose not to respond. However, along with other credit card companies, it has issued strict guidelines to retailers on how to protect customer data. But most stores just don't comply.
"The retail industry is not doing enough to prevent these breaches," says Mark Rasch, the former head of the cyber-crime unit at the Justice Department and currently a managing director at FTI, a business consulting firm.
Rasch says this is a war the hackers are winning. Consider the worthless encryption code WEP.
"I had heard that there are retailers who installed WEP even after it was known it didn't work. Now, is that true?" Stahl asks.
"There are retailers who've installed it after. There are some installing it today," Rasch says.
He says stores keep making the same mistakes TJX made, like using passwords any hacker can figure out.
Like what?
"Oh, like 'password,'" Rasch says.
"The password is 'password' and everybody … knows it," Stahl remarks. "I don't know why anybody who looks into would ever use a credit card, ever."
"Because it's a lot more convenient than walking around with piles of cash in your pocket," Rasch explains.
This is the season for big-time shopping, for consumers and for the criminals who are going after the data, among them the TJX hackers, who are still at large.
"Retailers need to adopt the next appropriate technology, and the next one, and the next one, and the one after that, because they want people to keep buying from them," Rasch says.
"So it's just an ongoing, escalating expense. That's all it is," Stahl remarks.
"This is an arms race," Rasch replies.
TJX told 60 Minutes they no longer store unneeded data, and that now all of their stores in the United States use the upgraded encryption code. Since TJX disclosed the theft, many other chains have also closed their security gaps, though most stores are still vulnerable.
Produced By Shachar Bar-On