Naughty TJX used weak WEP encryption for their wireless cash register network
Canada’s Privacy Commissioner recently issued a statement about the TJX breach of Personally Identifiable Information for millions of credit card holders. Click HERE for the news release.
The report cites several problems that demonstrate a lack of due diligence on TJX’s part in protecting customer information, including:
- Collecting too much customer information. I often tell people that one of the easiest ways to keep a system secure and robust is to limit the amount of information it handles. The less information you collect, the easier it is to secure, and the less testing is required on boundary conditions in the software code.
- Holding information too long. Obviously, the longer you hold it, the more records will pile up, increasing risk exposure. You may not be more likely to be breached, but if you are, the impact is bigger when you have more records kept in one place (especially in an operations zone).
- Using outdated encryption technology for wireless network communication. For many years now, most IT professionals (not only security specialists) have known that the WEP protocol for encrypting wireless data communications is easily broken by an attacker with readily available tools. The WPA standard is more sophisticated and harder to break.
I would recommend that home users currently using unencrypted wireless networks, or using WEP encryption, switch to WPA as soon as possible.
It is generally quite easy to do. In most cases it involves the following steps (which may vary depending on your network components and computers):
1) From a computer plugged directly into your wireless router, log into the router as an administrator and locate the wireless settings screen (usually in a tab).
2) Within the wireless settings, there should be a Security section or an option labelled Security. Go to it.
3) Choose to enable encryption using the “Wi-Fi Protected Access” or WPA option. There can be several options within WPA. The most common is the Pre-Shared Key (PSK) option. There may also be algorithm options. The default should be fine, as the wireless adapters in your computers should be able to recognize and negotiate it.
4) Enter a Pass-Phrase (a series of words or a complex password) that is unique and relatively long (more than 8 characters). You should write down the Pass-Phrase and keep it in a safe place where you will be able to find it, but will not be obvious for people who might snoop. (This is the same practice I recommend for storing normal passwords and challenge questions that you might forget.) You will probably have to repeat the Pass-Phrase to ensure that it is correct. Save the settings, and close the router’s administrator session.
5) Log into each wireless computer and turn on the wireless adapter. In most cases, the computer’s software will recognize the network and will tell you that it is encrypted and requires a Pass-Phrase to connect. (If it does not come up right away, you may need to find the wireless network management software and ask for a scan of wireless networks in the area.) Enter the same Pass-Phrase that you used on the router and save it. The network should become usable almost immediately.
There are a few other good security practices for using wireless routers, such as changing the SSID (network name), turning off SSID Broadcast if you can, changing the router administrator’s default password and limiting router access to only the MAC addresses of your own computers.
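The pass-phrase entered in step 4 and the SSID mentioned just above are tied together by the WPA-PSK standard: the router and each client derive the actual 256-bit key by running PBKDF2-HMAC-SHA1 over the pass-phrase with the SSID as the salt, for 4096 iterations. The following script is an added example (not from the original post and not any router vendor's code) that performs that derivation and enforces the standard's length rule of 8 to 63 printable ASCII characters. It shows two practical points: a 7-character pass-phrase is rejected outright, and the same pass-phrase on a differently named network produces a completely different key, which is one reason to give your network a distinctive SSID rather than the factory default. The sample pass-phrases and SSIDs below are constructed for illustration; the "password"/"IEEE" pair is the published IEEE 802.11i test vector.

```python
import hashlib

PSK_ITERATIONS = 4096  # fixed by the WPA/WPA2-PSK specification (IEEE 802.11i)
PSK_LENGTH = 32        # 256-bit pairwise master key


def validate_passphrase(passphrase: str) -> None:
    """Apply the 802.11i rule: 8 to 63 characters, all printable ASCII."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK pass-phrase must be between 8 and 63 characters")
    if not all(0x20 <= ord(c) <= 0x7E for c in passphrase):
        raise ValueError("WPA-PSK pass-phrase must contain only printable ASCII")


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA pre-shared key exactly as a router or client does."""
    validate_passphrase(passphrase)
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),  # the SSID is the salt, so it must match on both sides
        PSK_ITERATIONS,
        PSK_LENGTH,
    )


def psk_hex(passphrase: str, ssid: str) -> str:
    """Hex form of the key, as shown by tools such as wpa_passphrase."""
    return derive_psk(passphrase, ssid).hex()


def same_key_on_both_networks(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True only if both SSIDs yield the same key (they never do when the SSIDs differ)."""
    return derive_psk(passphrase, ssid_a) == derive_psk(passphrase, ssid_b)


if __name__ == "__main__":
    # Constructed sample values for the demonstration.
    print("IEEE test vector :", psk_hex("password", "IEEE"))
    print("factory SSID     :", psk_hex("correct horse battery", "linksys"))
    print("renamed SSID     :", psk_hex("correct horse battery", "MyHomeNet-7G"))
    try:
        derive_psk("short7c", "MyHomeNet-7G")
    except ValueError as exc:
        print("rejected         :", exc)
```

The script needs only the Python standard library. Because the derivation is deterministic, it also gives a quick way to confirm that the pass-phrase you wrote down in step 4 is the one actually configured: compute the hex key from your record and compare it with the 64-character PSK your router or a client (for example, the wpa_supplicant configuration on Linux) displays.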
If you know of any other tips for enabling stronger security on wireless networks, please feel free to comment.