On Thu, 19 Apr 2007 14:57:57 EDT, Ed Finnell wrote:

>In a message dated 4/19/2007 1:31:14 P.M. Central Daylight Time,
>Paul Dineen wrote:
>>
>>http://www.mainstar.com/pdf/000-0123_Security_PR.pdf
>
>Pretty much FUD. From what I've learned. They went in on Employee Kiosks
>with keyghost or something and got in on the front-end server before
>anything was encrypted. Other renderings on darkreading.com mention
>back leveled software at most levels.
  
 
From a CNN/Money article dated a couple of days ago:
 
"TJX says about three-quarters of the 45.7 million cards had either expired by 
the time of the theft, or the stolen information didn't include security code 
data from the cards' magnetic stripes, since TJX masked those codes by 
storing them as asterisks rather than numbers.
 
"TJX said the intruders also may have been able to tap the unencrypted flow 
of information to card issuers as customers checked out with their credit 
cards."
 
The first paragraph that I posted (above) makes it sound like it might have 
been a man-in-the-middle attack (which can be done to/with z/OS as Stu 
Henderson's SHARE presentation in Tampa demonstrated, per the proceedings 
that I read earlier today).  The second paragraph supports Ed's assertion that 
it was on a POS (in-store Point Of Sale) system attack.  
 
The trouble with the POS attack scenario is that it is a little hard to imagine 
that any store would see 45.7 million different credit cards over a 17 month 
period.  I find 4.57 million difficult to believe in any store site much less 10 
times that number.  The volume argues strongly that it was an inside job... 
maybe a laptop left plugged into their mainframe IP network with a wireless 
card broadcasting the results to the neighborhood (as Stu's presentation on 
SNA security mentioned)??  
 
I once heard a former CIA spook say that any POS system can be hacked from 
a truck parked at the curb, if the price/value is right.  (Speaking from a 
previous lifetime in marketing research.)  Maybe somebody built a proof-of-concept device???  (Think: TEMPEST)  
 
--
Tom Schmidt
Madison, WI 
(I wouldn't have thought that the currency conversion effort needed would 
have made the attack on 45+ million cards into a worthwhile project myself.  
One card worth $45 million, sure, but 45 million cards at, say, $20 each??  Too 
much like a real job at some point.)   
  

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html