
1 Ryan Paulsen, Chris Lafferty, Nilesh Nipane

2
- Intruders gained access to credit card information between 2005 and 2007
- ~50 million credit card and debit card numbers stolen
- ½ million driver's license numbers and SSNs stolen
- Largest theft to date
  - Previous record was 1.5 million credit card numbers

3
- WEP key cracked at the St. Paul Marshalls store
- Hackers monitored and gathered network traffic
- Gathered data and cracked the encryption key for traffic destined for the central database
- Gathered usernames and passwords from the decrypted traffic
- Created accounts in TJX systems

4
- Created accounts on the central database systems in Framingham, MA
- Gathered historical data from storage systems
  - Used by TJX to track returns
- Installed a specially made sniffer tool ("blabla") that gathered credit card numbers before they were encrypted
  - Hackers then logged into the systems and transferred the data files off of the system
- Used in a Wal-Mart gift card scam ($1 million)

5
- Monetary cost/loss for nearly all involved
- Customers may lose money, time, or other resources directly
- Banks lose customers or reputation points
- TJX loses substantial amounts of money
  - Approximately $1.5 billion in fees, settlements, and new security measures mandated by the FTC
  - More than $195 million in new security equipment and training

6
- Reputation/business costs
- Customer confidence
- Federal Trade Commission's response
- Ethical and policy implications/movements
- Ethical concerns of information protection, misuse of resources, privacy, etc.

7
- Impacts still being felt and analyzed
- Legal issues / legislation insufficiencies
- The full extent of these attacks and just how many systems were attacked by the same people (new cases are still being discovered today)
- The actions, and lack of actions, being taken in response by other companies

8
- A 2004 audit found failure on 9 of 12 criteria for credit card merchants
- Misconfigured wireless networks
- Poor antivirus protection
- Weak intrusion detection
- Easily crackable usernames and passwords
- Poor log maintenance
- Failed to install data encryption software

9
- Initial breach
- Due to deficiencies in the wireless network and the WEP encryption scheme
  - WEP has been known to be broken since 2001 (FMS attack)
- Collected data transmitted by handheld devices used to communicate price markdowns and to manage inventory
  - Used that data to crack the encryption key

10
- Other vulnerabilities
- Kiosks equipped with USB drives were located in many of TJX's retail stores
  - Allowed direct access to the company's network and were not protected by a firewall

11
- Feds tracked down and arrested 11 co-conspirators
- Discovered a credit theft ring known as "Operation Get Rich or Die Trying"
- Led by Albert Gonzalez
- Ring responsible for most major credit card thefts in the US
  - Including the Homestead breach, which is now the largest of its kind

12
- Class action lawsuits
- TJX reluctant to disclose data on the breach
- Failed to detect the breach for 7 months, took another month to disclose it
- Prosecutors hope to show negligence
- Watershed case
- Companies now must be more open and transparent about how they protect customer data

13
- PCI Security Standards Council Data Security Standard (DSS)
- Special recommendations published July 2009 for wireless networks
- Covers best practices for processing credit card information around wireless networks

14
- Wireless Intrusion Detection/Prevention System (IDS/IPS)
- Investigate and classify wireless networks and their access to customer data
- Create automatic alerts for rogue wireless connections
- Response plans to remove rogue connections

15
- Filter wireless networks that do not need access to customer data with a firewall
- Do NOT use VLAN separation
- Monitor rules every 6 months

From Information Supplement: PCI DSS Wireless Guideline

16
- Protect wireless networks that transmit cardholder data
- Physical protection
  - Secure access points so no one can reset them to factory defaults
  - Make sure access points aren't stolen
  - Don't store PSKs in obvious locations

17
- Protect wireless networks that transmit cardholder data
- Change default configuration
  - Use enterprise mode when possible
  - Do not advertise the company name in the SSID
  - Only use SNMPv3
  - Disable unnecessary ports and protocols

18
- Protect wireless networks that transmit cardholder data
- Logging and monitoring
  - Store event logs for 90 days
  - Maintain updates to the network topology
- Security
  - Use AES when possible
  - Use enterprise security when possible
  - 13-character PSK

19
- Protect wireless networks that transmit cardholder data
- Encryption
  - Use SSLv3 with 256-bit encryption
  - Treat wireless networks as an outside network

From Information Supplement: PCI DSS Wireless Guideline
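Slides 14 through 18 amount to a checklist a merchant can audit its own access points against: rogue APs not in the inventory, company name in the SSID, non-enterprise auth with a PSK under 13 characters, a cipher other than AES, SNMP below v3, and event logs kept for fewer than 90 days. The checker below is an added example, not part of the presentation or of the PCI guideline; the AP records, BSSIDs, SSIDs and the field names (`auth`, `cipher`, `psk`, `snmp_version`, `log_retention_days`, `cardholder_data`) are all constructed for illustration.

```python
"""Audit constructed AP inventory records against the wireless checklist on slides 14-18."""

COMPANY_NAME = "TJX"  # name that must not appear in any SSID (slide 17)

# Constructed, hypothetical inventory of authorized access points (not real TJX data).
AUTHORIZED_APS = {
    "00:11:22:33:44:01": {"ssid": "store-ops", "auth": "enterprise", "cipher": "AES",
                          "psk": None, "snmp_version": 3, "log_retention_days": 90,
                          "cardholder_data": True},
    "00:11:22:33:44:02": {"ssid": "TJX-POS", "auth": "psk", "cipher": "TKIP",
                          "psk": "markdown1", "snmp_version": 2, "log_retention_days": 30,
                          "cardholder_data": True},
}


def audit_ap(ap):
    """Return the list of checklist findings for one AP record.

    Only APs that carry cardholder data are in scope (slides 16-18); the
    field names are assumptions made for this example.
    """
    findings = []
    if not ap["cardholder_data"]:
        return findings
    if COMPANY_NAME.lower() in ap["ssid"].lower():
        findings.append("SSID advertises company name")
    if ap["auth"] == "wep":
        findings.append("WEP in use (broken since 2001)")
    elif ap["auth"] != "enterprise":
        findings.append("not using enterprise mode")
        # A PSK is only acceptable as a fallback and must be at least 13 characters.
        if ap["psk"] is None or len(ap["psk"]) < 13:
            findings.append("PSK shorter than 13 characters")
    if ap["cipher"] != "AES":
        findings.append("cipher is not AES")
    if ap["snmp_version"] != 3:
        findings.append("SNMP version other than v3 enabled")
    if ap["log_retention_days"] < 90:
        findings.append("event logs kept for fewer than 90 days")
    return findings


def rogue_aps(observed_bssids, authorized=AUTHORIZED_APS):
    """Slide 14: BSSIDs seen in a site survey that are not in the authorized inventory."""
    return sorted(set(observed_bssids) - set(authorized))


if __name__ == "__main__":
    for bssid, ap in AUTHORIZED_APS.items():
        print(bssid, ap["ssid"], audit_ap(ap) or "OK")
    print("rogue:", rogue_aps(["00:11:22:33:44:01", "aa:bb:cc:dd:ee:ff"]))
```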

20
- Chapter 6 – Database Security
- Chapter 7 – Security in Computing
- Chapter 9 – Economics of Cybersecurity
- Chapter 10 – Privacy
- Chapter 11 – Cryptography Explained

21
- http://news.cnet.com/2100-7348_3-6169450.html
- https://www.pcisecuritystandards.org/pdfs/PCI_DSS_Wireless_Guidelines.pdf
- http://www.wired.com/threatlevel/2008/08/11-charged-in-m/
- http://www.wired.com/threatlevel/2009/07/pci/
- http://www.wired.com/threatlevel/2007/10/tjx-failed-to-n/
- http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1249421,00.html
- http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1245727,00.html
- http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1239711,00.html
- http://hardware.slashdot.org/article.pl?sid=07/05/05/1812254
- http://www.informationweek.com/shared/printableArticle.jhtml;jsessionid=AW4H134JQ43VXQE1GHOSKHWATMY32JVN?articleID=201400171
- http://www.wired.com/threatlevel/2009/06/watt/
- http://www.wired.com/threatlevel/2009/08/tjx-hacker-charged-with-heartland/

