Professional wi-fi hackers show up vulnerabilities

They make warchalkers seem harmless, says Frank Hayes

Remember warchalking? Circa 2002, hackers used to ride around looking for unsecured corporate wi-fi signals. When they found one, they'd use chalk to mark the location with special graffiti that said, in effect, "Hey, look! Free wi-fi here!"

That's pretty much what the crooks who stole 40 million credit card numbers did. Just without the chalk. Or the charm.

There really was something charming about warchalkers. They didn't hide their wi-fi hunting; they advertised it. For savvy IT people, that made security a little easier. A warchalker's mark was a clear warning that someone had smuggled in an unauthorised wi-fi access point. Finding and dealing with it was easy, once we knew it was there. In that respect, warchalking was practically a public service.

That's certainly not how anyone would describe the work of the identity thieves whose indictments were announced earlier this month in Boston, San Diego and New York. These were the guys allegedly behind huge data thefts at TJX, OfficeMax, Barnes & Noble and other retailers.

According to prosecutors, the thieves hacked their way into company networks, installed network-sniffing software and transferred large quantities of credit card information to their own servers. They sold some numbers and used others to manufacture fake cards of their own, which they used at ATMs to steal thousands of dollars at a time.

Understand, these are professional criminals with professional-grade tools and technical knowledge. Once they found an opening, they used custom software to capture credit card numbers and a well-organised international network of contacts to sell them.

But each theft reportedly began the same way: with the thieves driving around, looking for unsecured wi-fi signals.

In 2003, they found one at a BJ's Wholesale Club. In 2004, an OfficeMax. In 2005, a Marshalls department store, which gave them access to the mother lode: Marshalls' corporate parent, TJX.

Along the way, the thieves also found their way into Barnes & Noble, Sports Authority, Boston Market and other chains. The crooks' total haul is estimated conservatively to be in the tens of millions of dollars.

And none of it would have been possible without unsecured wi-fi access points.

That means we've got our work cut out for us.

Sure, this ring of identity thieves has been identified. But what they did, other crooks can do.

There's still unsecured wi-fi connected to most corporate networks. The situation is worst for companies like restaurants and retailers, which have lots of sites and not enough IT people to staff them all. But anywhere there's a network port where a user can plug in a cheap, store-bought access point, there's a potential problem.

It's time to start scouring our networks for those devices again. And the way to do it is the same way hackers and crooks would: by wandering around offices and especially remote sites, looking for unsecured, unauthorised, at-risk wi-fi signals.

Maybe it seems like an awfully weak reaction to a huge threat. But in practice, unsecured wi-fi hot spots are likely the biggest holes in our security perimeter. And now we know from experience — the experience of TJX, BJ's, OfficeMax and all the rest — just how much of a risk they represent.

After all, that's how the crooks got in.

There's unsecured wi-fi out there. Last time around, the warchalkers gave us warning.

This time, we'll have to handle it on our own.
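An added example, not part of the original column: one way to triage what a walk-around survey turns up, sorting each sighting against an inventory of sanctioned access points into the unsecured and unauthorised cases described above. The inventory, SSIDs, BSSIDs and the -65 dBm on-site threshold are constructed assumptions.

```python
from dataclasses import dataclass

WEAK_SECURITY = {"OPEN", "WEP"}  # no encryption, or encryption long since broken
ON_SITE_DBM = -65  # assumed cut-off: stronger than this is probably inside the building

@dataclass(frozen=True)
class Sighting:
    site: str
    ssid: str
    bssid: str
    security: str    # as reported by the survey tool: OPEN, WEP, WPA2, ...
    signal_dbm: int

# Hypothetical inventory of sanctioned access points: BSSID -> SSID it should broadcast
AUTHORISED = {"02:00:00:aa:00:01": "corp-store-17", "02:00:00:aa:00:02": "corp-store-17"}
CORPORATE_SSIDS = set(AUTHORISED.values())

def classify(s):
    """Return the findings for one sighting; an empty list means nothing to chase."""
    findings = []
    sanctioned = s.bssid.lower() in AUTHORISED
    if not sanctioned:
        if s.ssid in CORPORATE_SSIDS:
            findings.append("unknown-ap-using-corporate-ssid")
        elif s.signal_dbm >= ON_SITE_DBM:
            # Strong unknown signal: likely plugged into a port on the premises
            findings.append("unauthorised-ap-on-site")
    # Weak security counts on our own APs and on anything already flagged, not on faint neighbours
    if s.security.upper() in WEAK_SECURITY and (sanctioned or findings):
        findings.append("unsecured")
    return findings

def audit(survey):
    """Group actionable sightings by site: {site: [(bssid, findings), ...]}."""
    report = {}
    for s in survey:
        findings = classify(s)
        if findings:
            report.setdefault(s.site, []).append((s.bssid.lower(), findings))
    return report

# Constructed survey of one store; every value here is sample data
SURVEY = [
    Sighting("store-17", "corp-store-17", "02:00:00:aa:00:01", "WPA2", -48),
    Sighting("store-17", "corp-store-17", "02:00:00:AA:00:02", "WEP", -55),
    Sighting("store-17", "default-router", "02:00:00:bb:00:09", "OPEN", -42),
    Sighting("store-17", "corp-store-17", "02:00:00:cc:00:03", "WPA2", -60),
    Sighting("store-17", "CoffeeShopGuest", "02:00:00:dd:00:04", "OPEN", -88),
]
```

Calling `audit(SURVEY)` reports three of the five sightings: the sanctioned access point still on WEP, the open store-bought router, and the unknown radio using the corporate network name.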
