Spy vs Spy
Just as data security had been an afterthought for many businesses in their rush to get online in the 1990s, creating opportunities for the likes of Shadowcrew, many firms had taken no precautions as they eagerly adopted WiFi in the early 2000s. Gonzalez was especially intrigued by the possibilities of a technique known as "war driving": hackers would sit in cars or vans in the parking lots of big-box stores with laptops and high-power radio antennae and burrow through companies' vulnerable WiFi networks. Adepts could get into a billion-dollar multinational's servers in minutes.
...
Scott cracked the Marshalls WiFi network, and he and James started navigating the system: they co-opted log-ins and passwords and got Gonzalez into the network; they made their way into the corporate servers at the Framingham, Mass., headquarters of Marshalls' parent company, TJX; they located the servers that housed old card transactions from stores. Scott set up a VPN - the system Gonzalez and the Secret Service used to ensnare Shadowcrew - so they could move in and out of TJX and install software without detection. When Gonzalez found that so many of the card numbers they were getting were expired, he had Stephen Watt develop a "sniffer" program to seek out, capture and store recent transactions. Once the collection of data reached a certain size, the program was designed to automatically close, then encrypt, compress and forward the card data to Gonzalez's computer, just as you might send someone an e-mail with a zip file attached. Steadily, patiently, they siphoned the material from the TJX servers. "The experienced ones take their time and slowly bleed the data out," a Secret Service analyst says.
...
Using similar methods, they hacked into OfficeMax, Barnes & Noble, Target, Sports Authority and Boston Market, and probably many other companies that never detected a breach or notified the authorities. Scott bought a six-foot-tall radio antenna, and he and James rented hotel rooms near stores for the tougher jobs. In many cases, the data were simply there for the taking, unencrypted, unprotected.
"...computer security was something that was just dollars and cents off the bottom line - it doesn't bring in money," Heymann told me when I asked why war-driving hackers were able to steal data so easily.