Survey research included a review of wireless data security at more than 4,000 stores in some of the world's busiest shopping cities including Atlanta, Boston, Chicago, London, Los Angeles, New York City, San Francisco, Paris, Seoul and Sydney.
Security vulnerabilities in wireless networks are typically the result of weak encryption, data leakage, misconfigured access points and outdated access point (AP) firmware. One of the more overlooked issues with large retailers is a "cookie-cutter" approach to wireless technology. When the same technology, configuration, security and/or naming conventions are used at all retail locations, vulnerabilities repeat themselves across the entire store chain, leaving every location susceptible to attacks as well as Payment Card Industry (PCI) non-compliance.
"Retailers nationwide are improving wireless security, as quantified by the significant drop in vulnerable wireless devices that were discovered during this year's monitoring efforts," said Richard Rushing, senior director of information security, Mobile Devices, Motorola. "However, a significant majority of retailers are still susceptible to a network intrusion - a sign that wireless security remains an afterthought for many."
Motorola AirDefense's Wireless Security Survey monitored 7,940 access points - the hardware that connects wireless devices to wired computer networks - and discovered 32 percent were unencrypted, compared to 26 percent in last year's survey. As in last year's survey, 25 percent of APs were still using Wired Equivalent Privacy (WEP), the weakest protocol for wireless data encryption, which can be cracked in minutes. PCI Data Security Standard (DSS) version 1.2 prohibits new WEP deployments in the Cardholder Data Environment (CDE) beyond March 31, 2009 and requires the elimination of WEP from the CDE beyond June 30, 2010.
Other interesting survey findings include:
Retailers in Los Angeles and New York City were deploying some form of encryption on 77 percent of their wireless APs. Paris retailers ranked second with 76 percent. Retailers in London and Boston ranked the lowest with only 51 percent and 60 percent of APs, respectively, using some form of encryption.
12 percent of all APs monitored were using WiFi Protected Access (WPA) while another 27 percent were using WPA-PSK (pre-shared key), which is only as strong as the shared password used to protect it. In total, only 7 percent of retailers were using WPA2, which is the strongest WiFi security protocol available today.
22 percent, or 1,740, of APs were misconfigured, an increase from 13 percent in the 2007 survey.
Some networks were deployed using default configurations and service set identifiers (SSIDs) such as "Retail Wireless," "Cash Register," "POS WiFi," "store#1234" and "Default". This signals to hackers that nothing has been changed on these devices or the entire wireless network.
WiFi signage, which retailers use to advertise that they offer wireless, has become popular. However, advertising an open wireless network may tip off hackers to target other customers, who may not be using effective data security tools.
32 percent of retail locations were leaking unencrypted traffic, with an additional 34 percent of retail locations leaking encrypted traffic, for a total of 66 percent. Data leakage is easily solved with simple configuration changes or modifications.
"PCI compliance requires the immediate elimination of unauthorized wireless devices from the CDE as well as an upgrade from WEP to WPA within the next 18 months," said Sujai Hajela, vice president and general manager of Enterprise WLAN, Motorola Enterprise Mobility business. "Several high-profile retail data breaches have exploited wireless vulnerabilities, resulting in millions of credit card numbers being compromised. Retailers need to understand that they cannot properly secure their corporate or customer data with a passive approach to wireless security."
Using Motorola AirDefense technology, Motorola scanned the airwaves at major shopping centers for the presence of wireless networks and evaluated what wireless data security practices were currently in use. This evaluation took place during the third quarter and fourth quarter of 2008. No personal credit card information was obtained as the goal of this survey was to raise awareness among retailers about the importance of deploying best practices in wireless security to better protect the information on retailer networks.
Seen at news.moneycentral.msn.com