The Publication for Professional Security Management

Warning: Data breach ahead

Written by Grant Buckler, June 27, 2007
Dave Tyson found out about the computer security breach at Framingham, Mass.-based TJX Companies Inc. the hard way. One day when he tried to use his credit card, it wouldn’t work.


Like many other consumers, Tyson had automatic payments on his card that suddenly weren’t happening. Ultimately the card had to be replaced. All this came about after TJX — operator of Winners and HomeSense stores — announced in January that unidentified intruders had gained access to customer credit card numbers stored in its computer systems, exposing consumers to the risk of fraud and identity theft.

It later emerged that intruders first gained access to TJX’s computer systems as early as mid-2005, and store transactions from all of 2003, the first half of 2004 and May to December of 2006 had been compromised.
 
TJX has issued statements saying it is working with credit-card issuers and security contractors, but has not said how the breach happened and did not return calls from Canadian Security seeking comment.

It’s not the only company to suffer such an intrusion. A recent survey conducted by a privacy and information management research firm for the Dallas law firm Scott & Scott LLP found that more than 85 per cent of the organizations surveyed had suffered a breach.

While Tyson suffered the same sort of inconvenience from the TJX breach as many others, his 20-plus years of experience in security — he is currently senior security manager for the City of Vancouver — gives him a different perspective.

Tyson suspects — and other experts agree — that if the intruders were from outside the company, they likely gained access through a poorly secured web application.

“Security is a weakest-link discipline,” Tyson says, and with many organizations focusing on securing the perimeters of their networks but paying less attention to the online applications that provide the outside world with legitimate access to data on those networks, those applications are often the weakest link.

“Seventy-five per cent of new attacks now exploit software vulnerabilities, and most of the IT security dollars are spent bolstering the security on the perimeter of the network,” says Brian O’Higgins, chief technology officer at Third Brigade Inc., an Ottawa-based intrusion prevention system provider.

There are a number of ways web applications can be compromised, some of them disturbingly simple. One example security specialists like to give is SQL injection.

Structured Query Language (SQL) is a venerable and widely used language for requesting information from databases. A SQL query might ask for the names, credit card numbers and expiry dates of, say, all the customers in Toronto. That query should come from inside the organization. But in some cases, an outsider who knows SQL can type such a query into a website — in the field where a customer is supposed to type a password, say — and a web application that builds its own database query by pasting that text into it will hand the intruder’s SQL to the database, which executes it as if it were the application’s own, with no check on where it came from.

Of course an application shouldn’t do this. It should validate data as it is input and reject commands entered in the data fields of a web page. But the programmers who write applications aren’t necessarily security experts. The trick of injecting commands is “one that people have known about for a couple of years, so they’re getting fixed,” O’Higgins adds — “but there’s always the next one.”
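As an added illustration (not code from the article or from any company named in it), the weak pattern and its corrected form side by side in Python with SQLite: a login check that splices the password field into its query text, and the same check using a parameterized query, plus the kind of input allowlist the paragraph above calls for. The table, the account and the test inputs are all constructed for the example.

```python
import re
import sqlite3

# Constructed in-memory table standing in for a customer database; every value is made up.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, password TEXT, city TEXT)")
    # A real system would store a password hash; plaintext keeps the example short.
    conn.execute("INSERT INTO customers VALUES ('alice', 'correct horse', 'Toronto')")
    return conn

def login_vulnerable(conn, username, password):
    """The weak pattern: form fields are pasted into the query text, so anything
    typed into the password box that happens to be SQL is executed as SQL."""
    sql = ("SELECT username FROM customers WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None

def login_parameterized(conn, username, password):
    """The fix: placeholders carry the values separately from the query text, so
    the database compares the typed text as data and never parses it as SQL."""
    sql = "SELECT username FROM customers WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None

# Allowlist for the username field (hypothetical policy chosen for this example).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

def username_is_plausible(username):
    """Defence in depth: reject input that cannot be a username before it reaches
    the database. A password field cannot be filtered this way without breaking
    legitimate passwords, which is why parameterization is the primary control."""
    return bool(USERNAME_RE.match(username))

def demo():
    conn = make_db()
    # Textbook input: the quote closes the string and appends a condition that is always true.
    injected = "' OR '1'='1"
    return {
        "vulnerable_correct": login_vulnerable(conn, "alice", "correct horse"),
        "vulnerable_injected": login_vulnerable(conn, "alice", injected),
        "parameterized_correct": login_parameterized(conn, "alice", "correct horse"),
        "parameterized_injected": login_parameterized(conn, "alice", injected),
        "username_allowlist_rejects_sql": not username_is_plausible(injected),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The vulnerable function accepts the injected password because the database sees `password = '' OR '1'='1'`; the parameterized version compares the whole typed string as a literal and rejects it.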

Is this what happened at TJX? We don’t know. But computer security experts agree that the security of web applications often doesn’t get the attention it should. That’s the bad news; the good news is that they also have a concrete suggestion as to what to do about it.

Two major credit-card issuers, Visa and MasterCard, created the first version of the Payment Card Industry Data Security Standard — a framework of technical requirements and testing procedures to ensure that credit-card information is handled safely. Three other card issuers joined with Visa and MasterCard early this year to create the Payment Card Industry Security Standards Council, which has updated the initial standard and will maintain it in future. (The standard and other information about the council can be found on the council’s web site at www.pcisecuritystandards.org.)

Any organization that handles credit-card data is expected to comply with the standard, says Bob Russo, general manager of the PCI Security Standards Council, and it includes provisions to address insecure applications, which he agrees are a prime target for intruders.

The TJX breach could also have been the work of an insider — someone who worked for the company, with legitimate access to its systems and possibly inside knowledge about security provisions. “An insider issue is the most common type of problem in criminal acts,” says Dave Morrow, chief security and privacy officer at computer services firm Electronic Data Systems Corp. of Plano, Tex., “and insiders have a built-in advantage because they know the controls, they know the weaknesses and they operate in the environment every day.”

The best defence against inside jobs is strong security policies, adds Dave Woelfle, chief architect for global sales support at EDS Canada. “A lot of organizations need to move to a model where you only get access by permissions ... really limit access to only those who need it, as much as you can.”

They should also separate controls so that no one individual can do anything that might compromise data without the co-operation of someone else. Rigorous audits can also help catch insider breaches faster, Morrow adds.

Provisions to guard against insider breaches are also included in the PCI standards, Russo says. They include requirements like strong passwords and access logs.

No security standard is a guarantee against problems, but O’Higgins thinks any company adhering to the PCI standards should be relatively safe from intrusions for a while at least.

Intrusions into a company’s computer systems are not the only concern, though, as another bad-news security story that made the headlines early this year showed. Canadian Imperial Bank of Commerce revealed in January that a disk containing a backup file was lost in transit between Montreal and Toronto just before Christmas. The file contained information on about 470,000 clients of CIBC subsidiary Talvest Mutual Funds.
 
There has been no indication that the lost data fell into malicious hands or was used in any way that could hurt the customers concerned — at least not so far.

Morrow doesn’t think the incident is particularly unusual. “There were incidents in the industry for years and years where tapes didn’t show up, or disk drives or CDs got lost in the mail or whatever,” he says, “but people just didn’t pay that much attention to it.” Stricter legislation requiring companies to notify customers when such security breaches occur means the public hears about more of them now, Morrow says.

The best defence against the loss of physical media containing data — whether it’s a disk, a tape, a laptop or even a personal digital assistant or smart phone — is encryption. EDS encrypts all data before it leaves a client site, says Woelfle.

It’s a good idea, says Simon Hunt, chief technology officer at SafeBoot N.V., a supplier of encryption and other security technology — but too few are acting on it. “About two per cent of the corporate-owned devices that should be encrypted actually are encrypted,” Hunt says.

It’s not that encryption is expensive, nor does it make life difficult for users. The extra work lies in planning how encryption will be implemented, a process that can be fairly long and arduous. Set against that effort, though, having to admit to an intrusion into your systems is bad for business.

And customers as well as investors get skittish about such incidents. Take Dave Tyson, who says he will be discouraging his family from shopping at Winners “for some time”.

“Business in general has failed to convince customers that security is a large enough priority,” he says.
Last modified on May 26, 2008