4 Years After TJX Hack, Payment Industry Sets Security Standards



Four years after hackers breached TJX's unsecured wireless network and stole information on more than 94 million customers, a standards body for the payment-card industry has finally released guidelines for securing wireless networks.

The Payment Card Industry Security Standards Council released its 33-page report (.pdf) on Thursday. It said the guidelines are the product of a working group composed of more than 40 entities -- banks, network security companies and point-of-sale vendors -- convened after the wireless networks of several companies, including TJX, the parent company of TJ Maxx, Marshalls, Office Max and other outlets, were hacked.

Although the standards are aimed at companies that handle payment-card transactions, the council noted in a statement that "these are requirements that all organizations should have in place to protect their networks from attacks...."

The guidelines address secure implementations for deploying an 802.11 WLAN. They include such obvious steps as regularly scanning the network for unauthorized or rogue access points, and setting up an automated alert and response plan to address any that are found; installing firewalls to isolate wireless networks that process or store payment-card data from networks that don't process card transactions; changing default passwords and settings on wireless devices and firewalls; and using strong authentication and encryption.
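As an added illustration of the first two guidelines (rogue-access-point scanning with an alert path, and strong encryption on authorized devices), here is a small inventory check in Python; it is not code from the article or from the council's report, and the BSSIDs, SSIDs and the scan record format are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample inventory (hypothetical BSSIDs): BSSID -> (SSID, expected security).
AUTHORIZED_APS = {
    "00:11:22:33:44:01": ("corp-pos", "WPA2"),
    "00:11:22:33:44:02": ("corp-pos", "WPA2"),
}
# Modes the guideline's "strong encryption" requirement rules out.
WEAK_SECURITY = {"OPEN", "WEP"}


@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    severity: str  # "high" triggers the response plan, "review" needs triage
    reason: str


def check_scan(scan, authorized=AUTHORIZED_APS):
    """Compare one site survey against the inventory and return findings.

    `scan` is a list of (bssid, ssid, security) tuples; this simplified format
    is assumed for the example and is not any real scanner's output.
    """
    findings = []
    corporate_ssids = {ssid for ssid, _ in authorized.values()}
    for bssid, ssid, security in scan:
        bssid, security = bssid.lower(), security.upper()
        expected = authorized.get(bssid)
        if expected is None:
            if ssid in corporate_ssids:
                findings.append(Finding(bssid, ssid, "high", "unknown BSSID advertising a corporate SSID"))
            else:
                # Usually a neighbour's AP; logged so the inventory or a known-neighbour list can be updated.
                findings.append(Finding(bssid, ssid, "review", "BSSID not in inventory"))
            continue
        exp_ssid, exp_sec = expected
        if ssid != exp_ssid:
            findings.append(Finding(bssid, ssid, "high", f"SSID changed from {exp_ssid!r}"))
        if security != exp_sec or security in WEAK_SECURITY:
            findings.append(Finding(bssid, ssid, "high", f"security is {security}, expected {exp_sec}"))
    return findings


def missing_aps(scan, authorized=AUTHORIZED_APS):
    """Authorized APs absent from the survey (unplugged, replaced, or out of range)."""
    seen = {b.lower() for b, _, _ in scan}
    return sorted(set(authorized) - seen)


# Constructed survey: one healthy AP, one downgraded to WEP, one impostor, one neighbour.
SAMPLE_SCAN = [
    ("00:11:22:33:44:01", "corp-pos", "WPA2"),
    ("00:11:22:33:44:02", "corp-pos", "WEP"),
    ("aa:bb:cc:dd:ee:ff", "corp-pos", "WPA2"),
    ("aa:bb:cc:dd:ee:00", "guest-cafe", "OPEN"),
]
```

Run `check_scan(SAMPLE_SCAN)` to get three findings: the WEP downgrade and the impostor as "high", the neighbour as "review".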

In 2007, TJX disclosed that hackers had been inside its network stealing data for at least 18 months before they were discovered. An investigation revealed that the hackers obtained access by sitting in the parking lot of two Marshalls stores in Miami and aiming a powerful antenna at the stores' wireless network. TJX was found to have used a weak and outdated encryption standard to protect the data, among other things.

In 2008, a TJ Maxx employee was fired for posting messages to an online forum disclosing that his employer was still engaging in insecure network practices a year after the record-setting breach was discovered. He wrote that his managers changed the network log-in protocols to allow employees to log onto company servers using blank passwords. The store server was also run in administrator mode, making it easy for hackers — or store employees — to have escalated privileges on the system once they entered it.
