This past Sunday evening, the 60 Minutes television show presented an excellent segment on identity theft, titled "Hi-Tech Heist." The segment explained the poor data security use by many of the retail stores and chains we shop at. More importantly, the segment showed how identity thieves steal consumers' credit card (and debit card) data via the retail stores' wireless data connections:
"When you swipe your credit card, your data is often transmitted through a wireless router either to a bank for approval or to the store's main computer. But the signal carrying your information bleeds easily through the walls."
The segment did a good job explaining how identity thieves steal data:
"[60 Minutes Correspondent] Stahl got her first lesson in something called "war driving" from Kris Harms, a computer forensic investigator for Mandiant, a computer security company, who showed her how hackers, outside in a van, can grab the stores'
When retail stores use unsecure or poorly protected wireless connections, stealing data is easier than you think:
"We can just pluck it, is what you're saying,
right through the wall," Stahl remarked. "Absolutely," Harms replied. All you need, he says, is a regular computer; the software he got for free. Within moments, Stahl and Harms started getting results. "Right now, we're right in front of Best Buy," Stahl remarked. "Right so, Best Buy has a wireless network," Harms explained. The computer identified which stores have wireless signals. Some stores hide their identities, others don't. Besides Best Buy, Staples popped up, and Home Depot -- with its signature color -- wasn't hard to identify either.
What I found most irritating was the segment reported that many retail stores still refuse to invest in effective and current data security methods, while being fully aware of the TJX/TJ Maxx data breach debacle. In an attempt to cut costs and save money, retail companies still install and use obsolete encryption methods for their wireless transmission of your (and mine) credit card information:
"WEP was encryption code developed in 1999, just as big chains started going wireless. But within a couple of years, hackers had cracked WEP, rendering it obsolete. If you go on YouTube today, you can learn how to disable it in minutes. Now, there's much better
encryption code called WPA. In fact, credit card companies urge retailers to upgrade to WPA. But that's expensive, so many stores resist it even though hackers can tell who hasn't upgraded."
More about TJX / TJ Maxx:
"At the time of its break-in in 2005, TJX did have a security system. The problem was it was the outdated encryption code WEP. "Was TJX aware that they were using a system that was pretty much useless? Did they know that?" Stahl asks Jennifer Stoddart... TJX did know, but in a letter told 60 Minutes - in their defense, that they believe 'our security was comparable to many major retailers.' "
So, the retail chain with the largest data breach in USA history admits that their wireless security was no better (or worse) than other retailers! That's pretty damning evidence about the retail industry, which seem more interested in making money that providing secure transactions for consumers.
To me, this is a clear reminder that you should never use a debit card at a retail store. It's best to shop with cash until retailers improve their data security. If you haven't seen this 60 Minutes show, you can watch the 60 Minutes video online.