If a gang of burglars were caught robbing a department store one night, you’d say to throw the book at them. You’d be glad they were caught and think the Police were doing a great job and be happy for the store stopping a loss that raises costs and prices for all of us, right?

But what if you found out that the persons caught stealing from the store found the door unlocked and just helped themselves? Maybe you wouldn’t feel so sympathetic toward the store with the inept security. Maybe you’d feel that, while it was still wrong to take something from the store, those who did were lured into doing it by the open door. Maybe you’d wonder if you wanted to do business with the store.

Well, that’s exactly the situation with the recent arrests and indictment of 11 people who got caught stealing millions of credit card numbers from a bunch of major name retail companies through their wide-open wireless network. Apparently, they put in wireless network equipment and left it unencrypted, leaving them with less security than I use for my home network.

I first heard of this story several months ago. It just reached the indictment stage and hit the news again this week.

…the indictment revealed that the hackers’ tactics were crude, suggesting they stumbled into a much bigger security hole than they anticipated.

The hackers allegedly found insecure wireless networks using a simple method known as “wardriving,” or driving around in a car with laptops or other devices, to look for stores’ Wi-Fi connections with security holes. Once inside the networks, the hackers allegedly installed programs to capture credit and debit card numbers in transit from the stores to payment processors. [Associated Press]

Suddenly, the big-bad Hackers don’t seem so big-bad. They seem more like opportunists that took advantage of an opening the hapless stores left wide open.

Almost every store nowadays uses cash registers that are basically computer terminals and send data back to the office, if not the “head office” instantly. It costs a lot of money to install these machines and set them up. All it takes is one do-it-yourself department manager to walk into the computer department and get a couple wireless network boxes out of stock so they can move a register. Have you ever wondered how they managed to get a register outside for the Garden Department, or a sidewalk sale? Too cheap to call the IT Department in, so this is what they get.

Unfortunately, the consumer (you and me) will end up paying the bill for this incompetence. The credit card companies will have huge losses and so will the stores. Both will pass them along to us.

Not all of this crime was done wirelessly, but it’s scary to think that any of it was so easy.

The medical industry went through this a few years ago and has adopted strict rules governing patient information. You won’t see a wireless access point in a doctor’s office because of this. Maybe it’s time for similar guidelines for businesses that handle a customer’s credit card information.

Another interesting aspect of this story is how it is reported. CNN’s version doesn’t mention wireless networks or “wardriving,” saying only that the perps “installed ‘sniffer’ programs at the cash register terminals” making it sound like they went into the store with tools. Yet, both the Associated Press and Info Week are clear about how the criminals were using the wireless network to get into the retailers computers. Why does CNN gloss over the details and omit the store’s share of blame in the crime?

Of course, not all such crimes are so easy. A couple similar cases (actually part of the same series of indictments) reported by Ars Technica [1] [2] involved more sophisticated techniques, such as fast-talking their way into server rooms, not open wireless access. So good security all around is on order.

Another article from Ars Technica, says

a criminal can buy your personal credit or debit card number, complete with PIN, for less than the price of a Happy Meal at McDonald’s.

Scary. The same article quotes a study by Symantec saying

54 percent of all data breaches that could lead to identity theft were directly related to the theft or loss of a computer or data-storage medium (such as an external hard drive or even a USB thumbdrive).

Wow. I lost a thumb drive a while ago, but I’m glad the sensitive stuff – passwords and financial information – was encrypted and hidden on it. I now keep two identical thumb drives and use one as a back up in case the other is lost. Periodically, I copy the one I use to the other and put it away in a safe spot.

But, no matter how careful I am with my personal information, it’s pointless if some store is going to lose it for me.