Next new revelation: the thieves grabbed transaction data before it could be encrypted, effectively sidestepping encryption security. This is hardly a new strategy, which is why most systems add substantial protection at that point. How hardened was TJX's? Again, without those details, it's hard to assess whether TJX had defended itself appropriately.

There were new numbers about the size of the breach, but nothing materially changed. It was always known to be huge and this didn't change much.

Let's set aside, for the moment, the role that TJX played. Given the tactics that TJX reported, what are the implications for retail IT execs? What does this mean for encryption procedures?

For Aberdeen retail analyst Sahir Anand, it's a signal that procedures have to be re-examined. "There is no safe transaction environment for a customer. The whole notion of network security obviously needs to be revisited," Anand said, "from the point of authentication to how the POS data is handled."

Most industry observers, however, said that a less-dramatic change is needed. Simply adhering to safe computing procedures—including taking extreme precautions to safeguard encryption keys, such as storing them on separate non-networked hardware—and making sure encryption is never the only protection being used is probably adequate.

Ted Julian, vice president of strategy for Bedford, Mass.-based security firm Application Security, places himself in that in-between position.

"The emerging details of this (TJX) incident highlight the fundamental limitation of encryption," Julian said. "While encryption has always been seductive as a silver-bullet security measure, it is at most a leg on the security stool. The other legs are vulnerability assessment—hardening databases against attack—and activity monitoring, to flag attacks, misuse and abuse."
Former prosecutor Rasch agreed that encryption is still a crucial tool, but it needs to be considered just one tool among many. "Encryption creates a false sense of security," he said.

The problem he cited is the tendency to store the keys on the same machine as the protected data. "Ideally, the key should be kept on a separate piece of hardware and used only when it's needed. The keys typically are kept somewhere on the system," which Rasch compared to "having really great locks and keeping the key under the mat."

Retail Center Editor Evan Schuman has tracked high-tech issues since 1987, has been opinionated long before that and doesn't plan to stop any time soon. He can be reached at Evan_Schuman@ziffdavis.com.
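The advice the observers and Rasch give above, keys on separate hardware so the data host can never decrypt on its own, is the envelope-encryption pattern. The following is an added illustration of it, not code from the article, from TJX or from any vendor quoted: a `KeyService` object stands in for the separate key hardware and holds the key-encryption key (KEK); the `DataHost` persists only ciphertext and wrapped per-record data keys, so a copy of its storage alone yields nothing. The cipher is a stand-in built from HMAC-SHA256 (counter-mode keystream plus a MAC) so it runs on the standard library; production systems use AES-GCM and a real HSM or key-management service. Note what it does not cover: data grabbed before it reaches the encryption step, which is exactly why the article calls encryption one leg of the stool.

```python
"""Envelope encryption with the key-encryption key held off the data host.

Added example (not from the article). The HMAC-based cipher is a stand-in
for AES-GCM; KeyService is a stand-in for an HSM or key-management service.
"""
import hashlib
import hmac
import os
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate keystream and MAC keys so one key never serves two purposes.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; reject on mismatch."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


class KeyService:
    """Stands in for the separate, non-networked hardware holding the KEK.

    The KEK never leaves this object; the host only gets wrap/unwrap calls.
    """

    def __init__(self) -> None:
        self._kek = secrets.token_bytes(32)
        self.online = True

    def wrap(self, dek: bytes) -> bytes:
        return seal(self._kek, dek)

    def unwrap(self, wrapped: bytes) -> bytes:
        if not self.online:
            raise RuntimeError("key service unavailable")
        return unseal(self._kek, wrapped)


class DataHost:
    """The database or POS server. It persists only ciphertext and wrapped DEKs."""

    def __init__(self, key_service: KeyService) -> None:
        self._svc = key_service
        self._records: dict[int, tuple[bytes, bytes]] = {}

    def store(self, plaintext: bytes) -> int:
        dek = secrets.token_bytes(32)          # one data key per record
        sealed = seal(dek, plaintext)
        wrapped = self._svc.wrap(dek)
        del dek                                # the raw key is never persisted here
        rid = len(self._records) + 1
        self._records[rid] = (wrapped, sealed)
        return rid

    def retrieve(self, rid: int) -> bytes:
        wrapped, sealed = self._records[rid]
        dek = self._svc.unwrap(wrapped)        # only works while the service answers
        return unseal(dek, sealed)

    def disk_image(self) -> bytes:
        """Everything a copy of this host's storage would contain."""
        return b"".join(w + s for w, s in self._records.values())

    def offline_decrypt_attempt(self, rid: int) -> bool:
        """Try to open a record with only what is on disk (the wrapped DEK as key).

        True would mean the key was effectively under the mat; False is the goal.
        """
        wrapped, sealed = self._records[rid]
        try:
            unseal(wrapped, sealed)
            return True
        except ValueError:
            return False


if __name__ == "__main__":
    svc = KeyService()
    host = DataHost(svc)
    card = b"4111111111111111"                 # constructed test value, not real data
    rid = host.store(card)
    print(host.retrieve(rid) == card)          # True while the key service answers
    print(card in host.disk_image())           # False: no plaintext at rest
    print(host.offline_decrypt_attempt(rid))   # False: the disk alone does not yield the key
```

The design point is the trust boundary: `DataHost.retrieve` cannot complete unless `KeyService` answers, so taking the service offline (or, in real deployments, limiting which hosts may call it and logging every unwrap) is what turns "great locks" into locks whose key is not under the mat.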
The filing confirmed some things we had already reported, such as that it was the Secret Service that had requested TJX to keep quiet and that, when the breach was discovered in mid-December, authorities believed the thief was still routinely accessing the servers, which meant they had a chance of laying a trap.