SSL Encryption and Identity Theft: Are Your Favorite Stores Your Worst Enemies?
Unless you're a network security administrator, a web programmer, or a computer geek, it's not likely that you've heard of SSL encryption. Maybe you have, since SSL encryption and its performance as a data-loss prevention measure have received a lot of media coverage in the last several years.
There have been some huge data breaches involving the credit card accounts and personal information of millions of people who were under the protection of SSL encryption. Sadly, merchants who didn't invest in upgrading their data-loss prevention software were easy targets for hackers. These hackers exploited the weaknesses of obsolete SSL encryption protocols and used the stolen data to commit identity theft on an unprecedented scale.
What is SSL encryption?
Secure Sockets Layer (SSL) is a cryptographic protocol for protecting information sent over networks such as the World Wide Web. SSL encrypts information at the Application Layer to ensure the safe transfer of data to the Transport Layer. Every time someone sends a packet of information — e.g., an e-mail, an instant message, a request to view a web page, or a credit card verification request — SSL encryption takes the information and encrypts it until it can be decoded at its final destination. This is a very simplified explanation of a fairly complicated process, but the purpose of SSL encryption is to prevent electronic eavesdropping while data packets travel from one place to another.
SSL encryption as an archaic data-loss prevention measure came into the public eye after the largest data breach of all time occurred. TJX Companies, Inc., owns many popular retail stores, including TJ Maxx, HomeSense, Marshall's, Bob's Stores, and others. Early in 2007, TJX acknowledged that hackers stole the debit and credit card accounts and other personal information of 45.6 million people from its computer networks over a period of 18 months. An investigation found that hackers first accessed this information in July 2005 and continued to exploit the weaknesses of an outdated SSL protocol called WEP encryption.
Updating to the more secure WPA encryption across a network as large as TJX's would have cost millions. Instead, TJX (and many, many others) delayed investing in more robust data-loss prevention until a later date. Ironically, TJX ended up spending millions anyway in fines, data-loss prevention upgrades, and damages in lawsuits filed by identity theft victims.
The TJX data breach is a cautionary tale for all consumers. No matter how careful consumers are about protecting credit card numbers and other personal information, all that caution can be for naught if they use their credit or debit cards at a merchant with outdated data-loss prevention protocols.