Despite the well-publicized wireless woes of retailer TJX earlier this year, it seems many retailers have failed to move to protect themselves from the loss of customer data.
AirDefense, the Alphretta, Georgia-based wireless intrusion prevention vendor, conducted a “war drive” survey recently of over 3,000 retailers in eight major cities–Atlanta, Boston, Chicago, Los Angeles, New York City, San Francisco, London and Paris.
In those locations, 2,500 wireless devices were discovered by wireless
monitors, and 85 percent of the devices could be compromised in one way or
another due to flaws in security configurations.
In fact, AirDefense found that 25 percent of retailers use either Wired
Equivalency Protocol (WEP) encryption — the weakest level of encryption that can be broken in under a minute — or no encryption at all to protect
their wireless data.
After a number of high-profile cases of retail data loss involving wireless networks, “I would hope there was more awareness,” said Richard Rushing, the chief security officer of AirDefense. “I had hopes and dreams that it would be better. But my dreams were dashed after the first shopping center.”
Rushing wasn’t entirely surprised by the findings—they were an improvement over past AirDefense war drives of retail establishments “I remember doing retailers before, and it was 85 to 90 percent that were unencrypted a few years ago.”
However, he was still taken aback by the scale of the vulnerabilities “I thought that the Payment Card Industry (PCI) standard would have forced fixes. But the problem was they never looked at their wireless networks after they did PCI.”
Visa and MasterCard had set a deadline for retailers to comply
with with PCI for handling credit card data passed in June of 2005. In September of 2006, American Express, JCB. Discover Financial Services joined MasterCard and Visa to form the PCI Security Standards Council, and the standard was expanded across all
their payment card brands.
The standard requires merchants to build and maintain a secure network, firewalling cardholder data from the rest of the network. It also requires encrypted transmission of
Yet, despite these requirements, many retail networks remain vulnerable—even after they’ve allegedly complied with PCI standards.
“Fifty percent of the networks are leaking out traffic that has no business being leaked out,” said Rushing. “And you have to assume some of this is consumer transactions.”
Some legacy devices, like barcode scanners, attach to the closest wireless access point available, he said. This means that someone could easily spoof a wireless access point with a laptop or handheld PC and obtain information on how to connect to the network. All it takes for me is to come closer, and say, ‘I’m an access point.’ It’s the same as how a Bluetooth handset would always connect to the closest phone.”
As a result of devices like these, and misconfigured or unsecured networks, the war drive found that over half of the retail networks checked were “enticing to hackers,” Rushing said. Aside from the 25 percent that were essentially unprotected, many were otherwise misconfigured and carried a wide variety of corporate network traffic.
It was weak encryption that led to the theft of customer credit card
data from TJX, the parent company of T.J. Maxx, Marshalls, HomeGoods
and other stores. Last January, the company admitted that hackers
had stolen data from over 45 million credit and debit card
transactions over a two-year period.
The Wall Street Journal reported in May that an insecure wireless network connecting point-of-sale systems in a Marshall’s store near St. Paul, Minn. may have
been responsible for making the theft possible.
Yesterday, TJX noted in an earnings statement that it estimated its loss from the credit card breach at $216 million. The company took additional charges this year, noting in its press release, “(Our) year-to-date, fiscal 2008 earnings results reflect after-tax charges of $130 million, or $.28 per share, related to the previously reported unauthorized computer intrusion(s).”
Rushing said that while he didn’t expect that this would be the “year
of the denial of service attack” for retailers, it was entirely
possible for a hacker or intruder to take down entire sections of
retailers’ corporate networks—and it would be hard to tell that was
the cause of a store network outage. “Someone can sit on the wireless
network and turn off the whole network,” he said. “The problem is it
would be so masked just because of the business of the network.”