Security Sweep Finds Retailer’s Wi-Fi Networks At Risk

Despite the well-publicized wireless woes of retailer TJX earlier this year, it seems many retailers have failed to move to protect themselves from the loss of customer data.

AirDefense, the Alphretta, Georgia-based wireless intrusion prevention vendor, conducted a “war drive” survey recently of over 3,000 retailers in eight major cities–Atlanta, Boston, Chicago, Los Angeles, New York City, San Francisco, London and Paris.

In those locations, 2,500 wireless devices were discovered by wireless
monitors, and 85 percent of the devices could be compromised in one way or
another due to flaws in security configurations.

In fact, AirDefense found that 25 percent of retailers use either Wired
Equivalency Protocol (WEP) encryption — the weakest level of encryption that can be broken in under a minute — or no encryption at all to protect
their wireless data.

After a number of high-profile cases of retail data loss involving wireless networks, “I would hope there was more awareness,” said Richard Rushing, the chief security officer of AirDefense. “I had hopes and dreams that it would be better. But my dreams were dashed after the first shopping center.”

Rushing wasn’t entirely surprised by the findings—they were an improvement over past AirDefense war drives of retail establishments “I remember doing retailers before, and it was 85 to 90 percent that were unencrypted a few years ago.”

However, he was still taken aback by the scale of the vulnerabilities “I thought that the Payment Card Industry (PCI) standard would have forced fixes. But the problem was they never looked at their wireless networks after they did PCI.”

Visa and MasterCard had set a deadline for retailers to comply
with with PCI for handling credit card data passed in June of 2005. In September of 2006, American Express, JCB. Discover Financial Services joined MasterCard and Visa to form the PCI Security Standards Council, and the standard was expanded across all
their payment card brands.

The standard requires merchants to build and maintain a secure network, firewalling cardholder data from the rest of the network. It also requires encrypted transmission of
cardholder data.

Yet, despite these requirements, many retail networks remain vulnerable—even after they’ve allegedly complied with PCI standards.

“Fifty percent of the networks are leaking out traffic that has no business being leaked out,” said Rushing. “And you have to assume some of this is consumer transactions.”

Some legacy devices, like barcode scanners, attach to the closest wireless access point available, he said. This means that someone could easily spoof a wireless access point with a laptop or handheld PC and obtain information on how to connect to the network. All it takes for me is to come closer, and say, ‘I’m an access point.’ It’s the same as how a Bluetooth handset would always connect to the closest phone.”

As a result of devices like these, and misconfigured or unsecured networks, the war drive found that over half of the retail networks checked were “enticing to hackers,” Rushing said. Aside from the 25 percent that were essentially unprotected, many were otherwise misconfigured and carried a wide variety of corporate network traffic.

It was weak encryption that led to the theft of customer credit card
data from TJX, the parent company of T.J. Maxx, Marshalls, HomeGoods
and other stores. Last January, the company admitted that hackers
had stolen data from over 45 million credit and debit card
transactions over a two-year period.

This article was first published on InternetNews.com. To read the full article, click here.

RELATED NEWS AND ANALYSIS

• Huawei’s AI Update: Things Are Moving Faster Than We Think

  FEATURE |  By Rob Enderle,
  December 04, 2020

• Keeping Machine Learning Algorithms Honest in the ‘Ethics-First’ Era

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  November 18, 2020

• Key Trends in Chatbots and RPA

  FEATURE |  By Guest Author,
  November 10, 2020

• Top 10 AIOps Companies

  FEATURE |  By Samuel Greengard,
  November 05, 2020

• What is Text Analysis?

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  November 02, 2020

• How Intel’s Work With Autonomous Cars Could Redefine General Purpose AI

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  October 29, 2020

• Dell Technologies World: Weaving Together Human And Machine Interaction For AI And Robotics

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  October 23, 2020

• The Super Moderator, or How IBM Project Debater Could Save Social Media

  FEATURE |  By Rob Enderle,
  October 16, 2020

• Top 10 Chatbot Platforms

  FEATURE |  By Cynthia Harvey,
  October 07, 2020

• Finding a Career Path in AI

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  October 05, 2020

• CIOs Discuss the Promise of AI and Data Science

  FEATURE |  By Guest Author,
  September 25, 2020

• Microsoft Is Building An AI Product That Could Predict The Future

  FEATURE |  By Rob Enderle,
  September 25, 2020

• Top 10 Machine Learning Companies 2020

  FEATURE |  By Cynthia Harvey,
  September 22, 2020

• NVIDIA and ARM: Massively Changing The AI Landscape

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  September 18, 2020

• Continuous Intelligence: Expert Discussion [Video and Podcast]

  ARTIFICIAL INTELLIGENCE |  By James Maguire,
  September 14, 2020

• Artificial Intelligence: Governance and Ethics [Video]

  ARTIFICIAL INTELLIGENCE |  By James Maguire,
  September 13, 2020

• IBM Watson At The US Open: Showcasing The Power Of A Mature Enterprise-Class AI

  FEATURE |  By Rob Enderle,
  September 11, 2020

• Artificial Intelligence: Perception vs. Reality

  FEATURE |  By James Maguire,
  September 09, 2020

• Anticipating The Coming Wave Of AI Enhanced PCs

  FEATURE |  By Rob Enderle,
  September 05, 2020

• The Critical Nature Of IBM’s NLP (Natural Language Processing) Effort

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  August 14, 2020