Sunday | 6 July, 2008
Computerworld

TJX breach shows IT security lacks in retail industry
Breach shows why it's so vital to purge the Track 2 data from POS and other systems
Jaikumar Vijayan 22/01/2007 09:36:08
Page:

Computerworld Buyer's Guide - Vendors Matched to this Article
TippingPoint , Unixpac , Sourcefire , Dimension Data , Hewlett-Packard , SafeNet , GFI , SonicWALL , nCircle , Sagem , NetIQ , MessageLabs , CA , 3Com
Related Features
  • +

    Your Guide to Good-Enough Compliance 17/05/2007 11:55:14

    Legislative requirements are mandatory, but going the extra step is a business decision based on what makes business sense. When it comes to compliance, you can, in fact, be a little bit pregnant
    In November 2005, Jason Spaltro, executive director of information security at US-based Sony Pictures Entertainment, sat down in a conference room with an auditor who had just completed a review of his security practices. The auditor told Spaltro that Sony had several security weaknesses, including insufficiently strong access controls, which is a key Sarbanes-Oxley requirement.
  • +

    Your World. . . Hacked 02/10/2007 10:51:23

    As your business becomes more collaborative and global, the risks to your company’s trade secrets rise proportionally. Fortunately, there are new strategies to protect the data that allows you to compete
    The call to Bob Bailey, an IT executive with a major US government contractor, came on an otherwise ordinary day in October 2003. "Why are you attacking us?" demanded the caller, an IT leader with a Silicon Valley manufacturer. He wanted to know why Bailey's company had launched a denial-of-service attack against his network
  • +

    Ticked Off at Tick the Box Mentality 04/02/2008 13:01:15

    Does your executive search firm know the difference between an MIS manager and a CIO, and if it does, can it explain that difference to its corporate clients?
    Does your executive search firm know its MIS managers from its elbow? Does it even know the difference between an MIS manager and a CIO, and if it does, can it explain that difference to its corporate clients?
  • +

    Close Fast, Close Smart 26/02/2007 11:24:37

    When it comes to closing the books, the benefits of speed are undeniable. And CIOs are uniquely positioned to help their organizations reap them
    As long as they're meeting their regulatory reporting deadlines, most enterprises don't think a lot about closing their books more quickly.

    Maybe they should start.

    Increasingly, the speed with which an organization closes its books and reports its financial results is being looked at by practitioners, analysts and investors as a defining metric for evaluating whether the organization possesses the best possible processes and enabling technologies. And it turns out that many companies don't, even those making huge IT investments and supporting equally large IT departments.
  • +

    Cracks in the Pharmaceutical Supply Chain 19/02/2007 14:22:09

    Faced with a rising tide of counterfeit and mispriced drugs, pharmaceutical companies are turning to technologies such as RFID to better track medications through a convoluted supply chain
    As an undercover agent with the US Drug Enforcement Administration and the Food and Drug Administration, Aaron Graham saw firsthand how counterfeit drugs can slip into the pharmaceutical supply chain. Graham, now VP and chief security officer for Purdue Pharma, once posed as the manager of an "institutional pharmacy" selling drugs at a discount to secondary wholesalers who were then supposed to sell them to nursing homes. Soon after he began, his phone started ringing. Dozens of smaller pharmaceutical wholesale companies were calling, desperate to buy his drugs. These secondary or "grey market" wholesalers scour the country and the world for low-price drugs they can sell back to major wholesalers for a profit. In addition to trawling for institutional pharmacies, some secondary wholesalers have been known to purchase counterfeit drugs from criminal organizations in places such as China, Thailand or Colombia.
Additional Resources
Executive Guides
Whitepapers
white paper Read up on the latest ideas and technologies from companies that sell hardware, software and services.
Zones
Zone logoZones provide focussed content from Computerworld and leading technology partners.

Newsletter Subscription

Sign up for our Computerworld newsletters!
Computerworld's twice-daily news service keeps you in touch with the latest, most important headlines from Australia and around the world.
Keep up with the latest virtualization technologies, products, news and features.
RSS Feeds

Further protections

The breach at TJX shows why it's so vital to purge the Track 2 data from POS and other systems, said David Taylor, vice president of data security strategies at Protegrity, a U.S.-based company that offers PCI compliance services. It also underscores the importance of encrypting sensitive data, another step that the PCI standard requires retailers to take, Taylor said.

The latest incident is sure to lend even more urgency to the efforts to get retailers to adopt the PCI requirements, said Avivah Litan, an analyst at Gartner. Litan said that so far, only about 50% of Tier 1 merchants -- those processing more than 6 million credit card transactions per month -- have become fully compliant with PCI, even though more than 18 months have passed since the requirements went into effect.

TJX is a Tier 1 merchant and may even qualify as a card processor because of the sheer number of transactions it handles through its various retail chains, Litan said. That would require it to adhere to even more stringent security requirements, she said, adding that she expects credit card companies "to come down really hard" on TJX for its failure to protect customer data.

At the same time, banks that issue cards should be looking at ways to make card information less valuable to thieves in the event that the data is stolen, Litan said. For example, stronger forms of authentication could be used when transactions are being processed, she said. Another possible approach is to require one-time passwords when credit and debit cards are used.

The technology needed to support both of those steps is available and can be implemented fairly easily, according to Litan. But few banks appear to be doing so, she added.

The case for adopting such measures is strengthened by the fact that fraudsters are able to distribute stolen card information and make use of the data quickly, Litan and other analysts said.

According to John Buzzard, a fraud investigator at Fair Isaac in Minneapolis, information stolen in data breaches is sometimes used in less than 24 hours. Typically, data thieves do a quick "dump check" to see if stolen card numbers are valid and then either sell them for up to US$25 apiece or use them to make one or two significant purchases or cash withdrawals, Buzzard said.

To reduce such fraud, he said, card issuers should implement measures for verifying that names, card numbers, expiration dates and other data match the information on record when transactions are being processed. Buzzard said he thinks "a large percentage of card issuers are doing this sort of authentication" already -- but not all of them.

Stronger end-to-end authentication of credit and debit transactions by issuing banks could reduce the risk of card fraud, Taylor said. "But one of the things that is worth emphasizing," he added, "is that the customer data belongs to the merchants and they need to take responsibility for it."

Page:
Computerworld Buyer's Guide - Vendors Matched to this Article
TippingPoint , Unixpac , Sourcefire , Dimension Data , Hewlett-Packard , SafeNet , GFI , SonicWALL , nCircle , Sagem , NetIQ , MessageLabs , CA , 3Com
More about Mastercard, Gartner, General Dynamics, Visa, PLUS, IBM
Market Place
Free Forrester Report on Ubiquitous mobility download now.
If Core Systems hold the unique DNA of an enterprise, what “Genome Project” do software vendors have in mind?
Introducing TechWorld: The hot new site catering specifically to the men & women at the coalface of Australian IT.
Rule Your SOA": SOA Governance is no side issue–but rather the key factor to overall SOA and business success
Combine all aspects of requirements, test planning, and defect management on a single quality platform.
Mashups, Project Portfolio Management, and Application Lifecycle Management: all free, all on-demand now.
CIO Breakfast Briefing | Beyond Virtualisation - The Roadmap to 2012 | Register Now

Computerworld Member Login


 

Beyond Virtualisation - The Roadmap to 2012

CIO Breakfast Briefing
8:30am - 10:30am

Brisbane | 22 July | Sofitel Brisbane
Sydney | 23 July | Four Seasons Hotel
Canberra | 24 July | The Hyatt

Attend and discover:

  • What happens after virtualisation
  • The benefits automation drives
  • When automated infrastructures will emerge
  • What the roadmap to 2012 looks like
  • How to deliver an automated architecture
  • How to maximise your investment in virtualisation
Whitepaper
The University of Melbourne Continues to Leverage HP to Maximise Oracle Application Performance Read Whitepaper

The University of Melbourne Continues to Leverage HP to Maximise Oracle Application Performance

The University of Melbourne recently implemented Oracle Human Resources solution incorporating HR, payroll and self-service functionality, and undertook an upgrade of its Financials application to version 11.5.10. Discover the successes of this project by reading on.

Enterprise IT Buyer's Guide
Find Technology Vendors Fast
 
Find vendors by name | Find by category
Sponsored Links