Why Encryption Didn’t Save TJX

TJX: It’s the target of the largest known customer record theft of all time, and it’s a case in point that encryption is not a silver bullet.

This is the heart of the encryption problem, quoted from the 10-K filing The TJX Companies made to the Securities and Exchange Commission:

“Despite our masking and encryption practices on our Framingham system in 2006, the technology utilized in the Computer Intrusion during 2006 could have enabled the Intruder to steal payment card data from our Framingham system during the payment card issuer’s approval process, in which data (including the track 2 data) is transmitted to payment card issuer’s without encryption. Further, we believe that the Intruder had access to the decryption tool for the encryption software utilized by TJX.”

Encryption has no value when data isn’t encrypted, obviously, but credit cards can’t be processed when their numbers are encrypted. Hence, a smart crook will seek a way to get the data during that window of time when it’s in that state of being “in the clear”—that is, unencrypted.

TJX’s intruder also had a backup plan if data in the clear wasn’t attainable: namely, the decryption key.

There are several reasons why encryption didn’t save TJX and won’t save many companies, regardless of how much legislators have mandated or want to mandate its use. (One example of which is the June 2006 White House mandate requiring federal agencies to encrypt the hard drives of all their laptops and mobile devices.)

In an interview with eWEEK, McAfee Chief Security Officer Dr. Martin Carmichael said that after he had read TJX’s take on the intrusion, he was curious if TJX was using data masking as articles indicated, or some sort of data encryption. Dr. Carmichael indicated there were different methods of encryption key methods: shared key, in which the sender and receiver of encrypted data both have the same key, or asymmetric, which uses a public/private key pair.

Data stolen from TJX was used in an $8 million scheme before the breach was discovered. Click here to read more.

Shared-key encryption is inherently risky, since humans think up convenient but absurdly insecure places to store their keys. “We have seen … some companies that chose to use shared-key [encryption] that stores the key with the data,” Carmichael said. “Which is outside of most policy. Sometimes ease of development can be [counter to] good security process.” In fact, Carmichael has seen keys in data files that are named “key to data.”

Another encryption trap is the use of weak encryption. Original DES (Data Encryption Standard) encryption is now considered to be insecure for many applications, chiefly due to its 56-bit key size being too small. DES keys have been broken in less than 24 hours. Some analytical results point to theoretical weaknesses in the cipher, as well, although those have not been proven in practice. In May 2002, DES was superseded by AES (Advanced Encryption Standard) following a public competition, but DES remained in widespread use as late as 2004; Carmichael said it was “very common in a lot of applications.”

Read the full story on eWEEK.com: Why Encryption Didn’t Save TJX

Get the Free Newsletter!

Subscribe to Daily Tech Insider for top news, trends, and analysis.

Latest Articles