Retailers Victims Of Wireless Networks Hacking, Study Finds

Nov 20, 2007 2:48 PM

After monitoring more than 3,000 stores at major shopping areas in the U.S. and Europe, a wireless security company says that half of the surveyed stores use wireless data systems vulnerable to hacking, according to The Associated Press.

The data that stores routinely transmit on wireless networks include credit card and Social Security numbers and other sensitive customer information.

AirDefense Inc., an Atlanta-based maker of security products for wireless data systems, found that about 25 percent of the stores' 4,748 wireless access points were exchanging data with no encryption at all to foil electronic eavesdroppers.

Another 25 percent were using an outdated encryption method called Wireless Equivalent Privacy that is easily cracked by thieves using widely available tools.

The remaining half of the access points -- the connections between wireless devices and computer networks -- were using newer encryption methods that are considered far harder to crack.

"You can drive down a street with a laptop and easily find wireless access points, and it does not require a great degree of sophistication," Avivah Litan, a security analyst with Gartner Inc. told the AP. "In technical circles, people talk about this all the time, but nobody ever puts it together broadly like this survey."

Litan, who does not work with AirDefense, says she was familiar with its findings. She called them significant and said the survey of 3,045 stores was the largest involving retailers she is familiar with.

The six-week undercover project -- conducted at shopping areas in Atlanta, Boston, Chicago, Los Angeles, New York, San Francisco, London and Paris -- attempted to expose security holes in wireless networks that are increasingly used to transmit data inside stores.

Wireless systems are believed to have been the entry points for recent large-scale data thefts at retailers, including a massive heist at discount retailer TJX Cos.

TJX told the AP that in March, at least 45.7 million cards were exposed, although recent court filings by banks suing TJX estimate than 100 million were. Canadian investigators concluded in September that TJX had failed to upgrade its encryption from the older WEP method by the time the eavesdropping began in July 2005.

"The bad guys are going to go for the low-hanging fruit, and that's the wireless networks," says Richard Rushing, AirDefense's chief security officer and manager of the survey project.

Credit card industry reports on merchants' compliance with data security standards give higher marks than AirDefense. But Litan says many security auditors miss some devices connected wirelessly to retail data systems -- or the devices are added later.

Lars Laven, co-founder of another wireless security firm called Columbitech that is not involved in AirDefense's study, says his company "can confirm that there are numerous security holes in retail.

"This survey provides only the tip of the iceberg to a much larger security problem," Laven says.

Want to use this article? Click here for options!
© 2012 Penton Media Inc.

This month in Access Control

• Targeting The Customer
• Electronic Pedigrees
• One Hero Among Many
• Who? What? When? Where? Why?
• More from September's issue