Slashdot It!
The biggest known theft of credit-card numbers in history began two summers ago outside a Marshalls discount clothing store near St. Paul, Minn.
There, investigators now believe, hackers pointed a telescope-shaped antenna toward the store and used a laptop computer to decode data streaming through the air between hand-held price-checking devices, cash registers and the store's computers. That helped them hack into the central database of Marshalls' parent, TJX Cos. in Framingham, Mass., to repeatedly purloin information about customers.
The $17.4-billion retailer's wireless network had less security than many people have on their home networks, and for 18 months the company -- which also owns T.J. Maxx, Home Goods and A.J. Wright -- had no idea what was going on. The hackers, who have not been found, downloaded at least 45.7 million credit- and debit-card numbers from about a year's worth of records, the company says. A person familiar with the firm's internal investigation says they may have grabbed as many as 200 million card numbers all told from four years' records.
The previous record for card numbers exposed to thieves was 40 million. The TJX hackers also got personal information such as driver's license numbers, military identification and Social Security numbers of 451,000 customers -- data that could be used for identity theft. The company has apologized for its security lapse and beefed up its system. It rejects the 200 million figure as speculation, but says it may never know the precise number. TJX deleted its own copies of the records stolen by the hackers and can't crack the encryption on files that the hackers left in its system.
The cost of the fraud may take years to count. Banks could spend $300 million to replace cards from just one year's worth of stolen numbers, even though about half the numbers were expired and some were hidden in some of the stolen data. TJX, which discovered the fraud in December, privately projected $20 million in fraudulent transactions from the breach, according to people familiar with the company's internal probe.
In March, police in Florida charged just one gang with buying some of the hacked TJX card data and using it to steal $8 million in small transactions at Wal-Mart Stores Inc., Sam's Club and other stores across the state. TJX-related fraud has occurred in at least six other states and at least eight countries from Mexico to China, bankers and investigators say. They are still working to find all the stolen numbers.
The ease and scale of the fraud expose how poorly some companies are protecting their customers' data on wireless networks, which transmit data by radio waves that are readily intercepted. The incident also has renewed debate about who should be financially responsible. Banks that issue credit and debit cards so far have borne the brunt of the TJX losses, as opposed to the retailer or the credit-card networks such as Visa or MasterCard. Banks' lobbyists and some legislators have started pushing for laws to make the party that lets the data slip responsible for the costs.
Individual consumers so far have largely been covered for the fraudulent TJX charges. Debit-card holders legally can be held liable for unauthorized transactions if they don't report the fraud within 60 days, while credit-card customers can only be liable for the first $50 in fraudulent charges.
Temporary Scare
Eleanor Dunning of Dana Point, Calif., got a temporary scare last fall when she opened her monthly Bank of America Visa bill: There were $45,000 in charges for gift cards from a Wal-Mart in Florida. "What I saw was a whole page of $450 charges, all identical and all in a row, all from the same place," she says. The bank removed the charges and issued her a new card, she said. When TJX's security breach was disclosed and she realized she was a victim of it, she decided to stop shopping at Marshalls.
![[Table]](http://online.wsj.com/public/resources/images/P1-AH827E_WIREL_20070503220102.gif)
TJX's breach-related bill could surpass $1 billion over five years -- including costs for consultants, security upgrades, attorney fees, and added marketing to reassure customers, but not lawsuit liabilities -- estimates Forrester Research, a market and technology research firm in Cambridge, Mass. The security upgrade alone could cost $100 million, says Jon Olstik, a senior analyst for Enterprise Strategy Group, a Milford, Mass., consulting firm, based on his conversations with industry experts and people familiar with the work being done.
TJX declined to comment on those numbers, but says it is undertaking a "thorough, painstaking investigation of the breach," hiring a team of 50 data security experts in December and taking a charge of $5 million in its first fiscal quarter. It says it will also pay for a credit-card fraud monitoring service to help avert identity theft for customers whose Social Security numbers were stolen. "We believe customers should feel safe shopping in our stores," says a letter from Chief Executive Carol Meyrowitz posted on TJX's Web site.
When wireless data networks exploded in popularity starting around 2000, the data was largely shielded by a flawed encoding system called Wired Equivalent Privacy, or WEP, that was quickly pierced. The danger became evident as soon as 2001, when security experts issued warnings that they were able to crack the encryption systems of several major retailers.
By 2003, the wireless industry was offering a more secure system called Wi-Fi Protected Access or WPA, with more complex encryption. Many merchants beefed up their security, but others including TJX were slower to make the change. An auditor later found the company also failed to install firewalls and data encryption on many of its computers using the wireless network, and didn't properly install another layer of security software it had bought. The company declined to comment on its security measures.
The hackers in Minnesota took advantage starting in July 2005. Though their identities aren't known, their operation has the hallmarks of gangs made up of Romanian hackers and members of Russian organized crime groups that also are suspected in at least two other U.S. cases over the past two years, security experts say. Investigators say these gangs are known for scoping out the least secure targets and being methodical in their intrusions, in contrast with hacker groups known in the trade as "Bonnie and Clydes" who often enter and exit quickly and clumsily, sometimes strewing clues behind them.
The TJX hackers did leave some electronic footprints that show most of their break-ins were done during peak sales periods to capture lots of data, according to investigators. They first tapped into data transmitted by hand-held equipment that stores use to communicate price markdowns and to manage inventory. "It was as easy as breaking into a house through a side window that was wide open," according to one person familiar with TJX's internal probe. The devices communicate with computers in store cash registers as well as routers that transmit certain housekeeping data.
After they used that data to crack the encryption code the hackers digitally eavesdropped on employees logging into TJX's central database in Framingham and stole one or more user names and passwords, investigators believe. With that information, they set up their own accounts in the TJX system and collected transaction data including credit-card numbers into about 100 large files for their own access. They were able to go into the TJX system remotely from any computer on the Internet, probers say.
Encrypted Messages
They were so confident of being undetected that they left encrypted messages to each other on the company's network, to tell one another which files had already been copied and avoid duplicating work. The company says the hackers may even have lifted bank-card information as customers making purchases waited for their transactions to be approved. TJX transmitted that data to banks "without encryption," it acknowledged in an SEC filing. That violates credit-card company guidelines, experts say.
While the hackers were stealing the data, they were selling it on the Internet on password-protected sites used by gangs who then run up charges using fake cards printed with the numbers, investigators say.
The problems first surfaced at credit-card issuers such as Fidelity Homestead, the Louisiana savings bank. Its customers were dealing with the aftermath of Hurricane Katrina when they began seeing strange transactions on their credit-card bills in November 2005, says Richard Fahr, Fidelity's security officer. First there were unauthorized transactions from Wal-Mart stores in Mexico, and then fraud started surfacing in Southern California, Mr. Fahr says.
Using bogus debit cards containing the data of just a handful of customers, thieves purchased $5,600 worth of goods from Jan. 18 to Jan. 21, 2006. Over the four-day period, they made 25 shopping trips, moving among California supermarkets, department stores, a drug store and a videogame retailer, ringing up charges ranging between $57 and $561. The real cardholders were in Louisiana at the time, Mr. Fahr said.
Fidelity had no idea how the thieves had managed to obtain the debit-card data. "At that time TJX wasn't even in my vocabulary," he says.
Last fall, a spate of fraudulent card purchases appeared in Florida, where police now say a band of 10 thieves traveled in rented cars purchasing gift cards from Wal-Mart and Sam's Club stores, using bogus credit cards stolen from hundreds of TJX customers. Within four months, the gang bought $8 million worth of gift cards and used them to buy flat-screen TVs, computers and other electronics across 50 of the state's 67 counties.
Marilyn Oliver, of San Marcos, Calif., received a phone call from Bank of America alerting her that 40 $400 gift cards had been purchased with her Visa card from cashiers at a single Florida Wal-Mart. "It sort of unnerves you," she says. "I'm very cautious, I shred everything."
Suspicious Purchases
A Wal-Mart clerk in Gainesville, Fla., eventually became suspicious of multiple gift-card purchases and alerted authorities, who reviewed store surveillance tapes and card transaction data at numerous Wal-Mart outlets before making arrests.
As the stolen TJX numbers were being used in Florida, the company was getting a stern warning about its poor security from a routine audit. The auditor told the company last Sept. 29 that it wasn't complying with many of the requirements imposed by Visa and MasterCard, according to a person familiar with the report. The auditor's report cited the outmoded WEP encryption and missing software patches and firewalls.
Then on Dec. 18, another auditor found anomalies in the company's card data. At that point, TJX hired forensics experts from International Business Machines Corp. and General Dynamics Corp. and notified the U.S. Secret Service, which spent a month trying to catch the hackers in the act. But the data thefts stopped and the hackers had obscured their whereabouts by using the Internet addresses of private individuals and public places such as coffee houses. Investigators did find traces of the hackers: altered computer files, suspicious software and some mixed-up data such as time stamps in the wrong order.
On Jan. 17, the company announced its systems had been hacked, affecting "a limited number of credit and debit card holders." It began sending lists of compromised numbers to credit-card issuers as it pored through the data. Some fraudulent activity has continued to pop up this year.
'Hot Lists'
Only last month did Fidelity in Louisiana find out the fraudulent charges in 2005 were linked to the TJX breach, when its card numbers showed up on one of TJX's "hot lists" of stolen cards. New lists keep arriving, and losses for the small bank have climbed from about $7,000 to about $23,000. "The fraud cuts right into our profits," says Fidelity's Mr. Fahr. He says the credit union has asked Visa to reimburse it for the losses, but the credit-card association so far hasn't done so. Visa declined to comment.
Chuck Bower, the chief technical officer of Middlesex Savings Bank, Natick, Mass., says about 18,000 of its Visa debit cards were stolen by TJX thieves, with "at least three dozen claims of fraudulent activities," mostly committed in January and February. The thefts have occurred in Italy, Australia, Mexico and Japan, Mr. Bower reports. Robert Mitchell, chief financial officer of the retail division of Eagle Bank Corp., in Lowell, Mass., says 1,300 of its MasterCards were compromised. The bank has replaced all of them.
Lobbying by banking associations since disclosure of the TJX breach has helped persuade lawmakers in several states and in Congress to consider new legislation. One bill in Massachusetts would impose full financial responsibility for any fraud-related losses, including costs of reissuing of cards, on companies whose security systems are breached. Another bill, in Minnesota, would bar any company from storing any consumer data after a transaction is authorized and completed.
Massachusetts Rep. Barney Frank, chairman of the House Financial Services Committee, said in March he believes Congress will move to require a company responsible for allowing a breach to bear the costs of notifying customers and reissuing cards.
We have, on occasion, heard tales of people emailing 
The courts have lost patience 
Some of the more recent Firefox customizations I've examined are ways to speed up the rendering of Web pages. The settings to do this are a little arcane and not terribly self-explanatory, but with a little tinkering, you can often get pages to pop up faster and waste less time redrawing themselves.
According to Robbie Bach, Microsoft's president of the Entertainment and Devices Division, Zune will meet the goal of 1.000.000 players sold by the end of June, set at launch. He also confirms that new Zune things will come in this fall, talks (not) about the Zune Phone, the new Watermelon Red Zune, the Zune Marketplace and of course Xbox 360... 
When I received the Orbitor HD cooler, I was totally impressed. I wish to thank Vizo for providing me the review product for review. This HD cooler was very effective. It cooled my HD from 40 degrees to 36 degrees. Nice and effective. The Blue LED lights up when it is switched on.
The Cooler in the casing
Specs at the back of the box.
The cool LED in action (In the morning)
The cool LED in action (In the dark)
As for the theme color, it makes PowerPoint slides more interesting then previous versions.
In order to install the still images for the ads, workers must move swiftly, as they can only work when the subway systems are nonoperational, usually at night.
Since July last year, there have been seven “month-of-bugs” project, highlighting unpatched flaws in 
AMD is sailing through rough seas these days and there wasn’t much positive news we were able to report about the company lately. However, just in a time when you would expect it the least, AMD is shifting gears and adjust its approach to provide information about technologies that are on the market already, products that will be introduced in the near term and products that are scheduled to be introduced in a few years down the road. Among the product demos that AMD brought along, especially two products stood out: First, the company showed off the Agena FX quad-core processor, running in tandem with ATI R600 graphics cards as well as DDR2-1066 memory in two test systems. Agena FX is the desktop version of the “Barcelona” Opteron quad-core processor and is scheduled to be launched sometime after Barcelona, which apparently is still on track for a mid-2007 introduction.
The first steps into this direction, to which AMD refers to as “accelerated computing” will happen with the release of the “Fusion” processor, which is planned to surface in 2009. While AMD considers the GPU integration in Fusion as a solution that mainly targets mainstream notebooks and offers benefits in terms of power efficiency, production cost and some performance advantages such as reduced latencies, the company hopes that the GPU part evolves into a “general purpose” processing engine over time: By 2012, the company said, software code could be optimized and the potential of a heterogeneous CPU/GPU could be “exploited”.
