Daily Debrief: Forty million card numbers compromised

It's the latest iteration of white collar crime. And it's expensive, destructive, and a serious nuisance for victims. I'm talking about credit and debit card theft via wireless networks. Recently, a multinational group of 11 was charged with stealing more than 41 million credit and debit card numbers.

The crime plays upon the vulnerability of a retailer's wireless networks. In a technique dubbed "war-driving," criminals cruise by stores, looking for holes in the security system so they can extract all the vital credit and debit card information. Once obtained, the numbers could be reprinted onto actual physical cards to be sold off on the black market. I'm oversimplifying the process by a few steps, but nonetheless, it highlights the ease--and also the sophistication--of these hackers in search of victims.

In Wednesday's edition of the Daily Debrief, I sit down with CNET News Editor-in-chief Dan Farber to discuss the attack and the long way technology has to go before it can provide the necessary safeguards for consumers. You needn't turn to all cash and cut up your credit and debit cards just yet, he advises.

[ccouvillion]

Do you not have spell checkers? It's spelled forty.

[humanssssss]

am i not seeing things ... it's forty. there's nothing wrong.

[skswave]

The real crime here is that for the last three years the PC industry has shipped Millions of PCs and motherboards with Trusted Platform modules. This device provides a very secure container in which to hold the secret keys that can be used to encrypt every wireless link. This technology is in every box, Industry Standard and Vendor neutral. However, The IT proffessionals are failing to implement best practices and turn on these devices to hold the keys. They have continue to not leverage the best solutions to protect our identities and assume we will waste our time fixing them when they get lost. I strongly suggest that dan cover this crime as well. Our PCs are available with and have body armor but body armor is only helpful if you wear it. It was over a year ago when this hack was originally broadly published. How are we doing?? Many organizations turned on WPA to secure the wireless but use keys held in software that can easily be stolen by a virus or a bad employee. If the keys are in a TPM then the keys are safe unless the PC is stolen and usually that gets noticed. Put a seagate FDE drive in the PC to prevent any type of boot and now we have a real security solution for the end point. If Industry doesn't apply the patch of moving keys to hardware then the goverment will force us to do it. We do not need regulation, we need action. If you have a VPN, Wireless, Any type of certificate based access move the Keys to the TPM and move them now. Your OEM has given you the tools to secure your brand, your Job, and your customers data, but like any patch you need to apply it.

Steven Sprague
Wave Systems Corp.

[Darkwend]

Poor and misleading description of wardriving. By definition it only refers to people who search for wireless networks using a portable device. Although it may lead to criminal activities actually wardriving isn't illegal. I know the term "wardriving" may sound like a horrible thing, but in many cases it isn't. Check out the wikipedia article for more info: http://en.wikipedia.org/wiki/Wardriving.