
Many Retailers Easy to Hack, Study Finds

Editor: Nigel Woodford
Author: Chris Hunter

When consumers think about buying products online, how secure the connection is and how their data is handled are major concerns. Many people still fear internet commerce for this reason. With the advent of wireless networking and the improper integration of these technologies into corporate infrastructures, retail security has suffered greatly.

AirDefense Inc., a manufacturer of wireless security products, recently conducted a six-week undercover investigation into the security of major retailers around the world. The study's sample set included malls and shopping centers in the major cities of Atlanta, Boston, Chicago, Los Angeles, New York, San Francisco, London, and Paris. Among the subjects were 51 of the largest US retail chains. The goal of the investigation was to expose security vulnerabilities in wireless networks that are increasingly being used to transport sensitive data such as credit card information.

What the study found was not good news for consumers. Of the 4,748 wireless access points the survey covered, more than half were vulnerable to attack. The worst violators were found to have 25% of the data set with absolutely no encryption at all. AirDefense said that some of the networks it scanned were still set to the manufacturer's defaults, which basically says, "Hey! I'm over here!" to any person with ill intentions.

Access points aside, the survey found more than 2500 wireless devices that retailers employ for various duties. Among the laptops, hand-helds and bar-code scanners in use, 85% could have been compromised if the wrong person were connecting. Another unfortunate circumstance is that major retailers generally employ the same methodology throughout their networks. If a vulnerability is present at Union Square and Market Street in San Francisco, more than likely the same vulnerability is present at Michigan Avenue in Chicago. This is the result of the "cookie-cutter" approach to networking.

Twenty-five percent of the stores investigated at least tried to implement basic Wired Equivalent Privacy (WEP) encryption; however, the use of WEP encryption is no longer enough. Tool-sets freely available online are capable of breaking these encryption schemes with little or no effort. AirDefense also stated that many of the APs had the ability to use more advanced encryption methods, such as WPA, but the retailers failed to implement them.

Richard Rushing, the Chief Security Officer at AirDefense, stated, "Retailers around the country are leaving the proverbial barn door open for potential problems, should unauthorized individuals desire to steal consumer credit card information and point-of-sale information...". This can be seen with the recent 45.7 million credit cards that were exposed to possible fraud in March of this year. Crackers supposedly used wireless systems to infiltrate the retailer TJX Cos. and obtained loads of sensitive data. Recent court filings even point to over 100 million cards compromised in the TJX case.

Credit card industries report that their audits produced better scores of 65% security compliance. Those numbers are up from 36% last year, Visa said on the 24th of October. This raises the question of whether or not AirDefense is exaggerating the survey to its benefit. The validity of the results is shaky, due to the industry that the company is engaged in. However, many other industry experts assert that they can confirm the survey results. Lars Laven, a co-founder of Columbitech, which is also involved in wireless security, stated, "This survey provides only the tip of the iceberg to a much larger security problem."

The agency notified all of the violators by email and refused to divulge their identities, to reduce exposure to hacker attempts. How the PCI Security Standards Council will respond to this issue, and whether or not the problem is as serious as stated, is still in question. If the survey is legitimate, it paints a poor picture of corporate security, and it will definitely damage consumer confidence in real-world retail.


© 2003-2008 Fastsilicon Media. All Rights Reserved