Lots Of Retailers Don't Use Proper Wireless Security

The recently reported TJ Maxx security breach—where data on 94 million credit card accounts was stolen in 2003, 2004, and 2006—has ended up costing the company $200 million and counting. But although it’s the biggest example so far of retail data theft, TJ Maxx isn’t the only retailer doing a poor job of keeping sensitive data protected from hackers. One wireless security vendor recently surveyed thousands of stores and discovered that a significant number of retailers don’t practice good wireless security:

According to AirDefense, about 85% of the 2,500 wireless devices that it discovered in retail stores, such as laptops and barcode scanners, were vulnerable to wireless hacks. Out of the 4,748 access points that were monitored for the survey, about 550 had poorly named SSIDs that could give away the store’s identity.

A lot of point-of-sale devices were found left in their default configurations, and out of 3,000 stores, about a quarter of them were using no wireless protection at all, while another quarter were using the easily-broken WEP encryption method.

An analyst points out that AirDefense has a business interest in finding and pointing out security holes, but that doesn’t make the findings imaginary. Even the analyst admits it’s a real problem in retail today:

“Wireless security continues to be the major hole that allows criminals access to retailer systems,” she said. “It’s very difficult to lock it down” for retailers.

“What retail wireless security?” [ComputerWorld]
(Photo: Getty)


Edit Your Comment

  1. darkclawsofchaos says:

    … barcodes scanners huh? so theoretically, one can illegally access that channel and change prices, so the question is, is reaking federal FCC laws cost-effective?

  2. iamme99 says:

    Too many people really think that corporations are tech savvy and know what they are doing. Having worked for many, I’d like to tell you, it ain’t so.

    I’ve worked for company after company that wants to guide other companies in how they do their business by selling them services or products to improve productivity, security, etc.

    But if you are inside the company that is doing the selling, you will often find that companies don’t even use the product they sell to others. And too often, they are really backward on their own technology. It’s scary and disappointing.

  3. BigNutty says:

    They better wake up soon. The bad publicity alone could ruin a company before they realize it.

  4. sommere says:

    (IAACSP – I am a computer security professional)
    Security on wireless is more complicated than “is the wireless encrypted.” There are many layers in which encryption can be employed. If their bar code scanners and cash registers all use SSL in order to communicate with the server, then encrypting the wireless again really isn’t necessary to keep that data safe, and won’t add much security.

    In many cases the traffic goes over the public Internet to get to some central server. If they are relying solely on the wireless security, then they are leaving the data open to hackers somewhere else.

    The best security is to encrypt the data from the client application all the way to the server application. Any encryption beyond that is just gravy.

  5. mac-phisto says:

    is wireless necessary? imo, that’s the first question that should be asked. POS terminals can be hardwired, so why wireless? scanners, price loaders, inventory guns, etc. all come with models that do not rely on wireless transfer of information. sure, running cat5 all over is a PITA, but it’s a hell of a lot cheaper than a $200 million data breach.

    but wireless wasn’t the issue with tj maxx (as far as i know). that was a breach of data resident on servers that should’ve been locked down tighter than hannibal lecter.

    the reality is that merchant networks have as many (if not more) holes in them than your average home network. unconfigured firewalls (or none at all), no port monitoring, no network monitoring…pretty standard practices even at businesses with entire IT departments.

    @sommere: encrypting the data is definitely important, but i would aruge that limiting access even to encrypted data is just as important. ciphers aren’t crack-proof & if you give enough data to a good cracker, they’ll find a way around the encryption.

  6. pestie says:

    @mac-phisto: ciphers aren’t crack-proof & if you give enough data to a good cracker, they’ll find a way around the encryption

    I have to take issue with that. A good cipher, properly implemented, is effectively crack-proof. WEP, for example, isn’t a bad algorithm, it’s a bad implementation. SSL is a much more secure implementation, but its weak point is the human element – people click “yeah, OK, whatever” to anything that pops up while browsing, making it trivially easy to intercept SSL-encrypted browser traffic (i.e. banking/financial sites, credit-card orders, etc.).

  7. mac-phisto says:

    @pestie: effectively crack-proof & crack-proof are two different things entirely (haven’t you ever seen sneakers!?! – j/k). i agree with you that the human element is the factor that destroys most security & therein lies the problem – all computer interactions require human input at various points in the process, from implementation of the initial system to use of the application. my argument wasn’t against the use of encryption, though. it was about limiting access by removing wireless when it is not needed.

    what’s the point of an uncrackable communication cipher if the thief is sitting at an endpoint to collect the data after it’s transmitted? eliminating wireless & firewalling a network severely limits a hackers’ opportunity to aggregate data.

  8. XTC46 says:

    @sommere: Your logic is flawed. Even if the POS system uses SSL to the server and beyond, having the connection from any device to the POS system not secured leaves a glaring hole in the system. If I can get the data before it gets encrypted, or easily connect to the POS system itself, then you encryption beyond that is useless becasue I can get to the data before it has been encrypted and then after it has been decrypted.

    Security 101…Security is about layers, you are saying if one of the layers are in place, then the rest are extra, and thats wrong.