Retailers Still Vulnerable to Attacks on their Wireless Networks
Even after the well-publicized security breach at retailer TJX in early 2007, many retailers still appear to be failing to prevent the loss of their consumer data. The current threat to retailers comes not from shoplifting but from fraudsters with wireless access to the retailers' networks.
That is the essence of the latest report by wireless security vendor AirDefense Inc., which published the research paper on November 15, 2007. According to the company's CTO, Amit Sinha, modern retailers are more vulnerable to data hacking than to petty theft. Dark Reading reported this on November 15, 2007.
As part of its study, AirDefense staff used wireless antennas to perform a penetration test on the wireless networks of some 3,000 retail stores selected from the major cities of Boston, Chicago, Atlanta, New York City, Los Angeles, San Francisco, Paris and London. The test revealed that, of about 2,500 handhelds, barcode scanners and laptops and nearly 5,000 access points, some 85% were easily vulnerable to hacking, Sinha said.
The test further revealed that 25% of retailers either deployed WEP (Wired Equivalent Privacy), the weakest level of encryption, which takes just one minute to break, or had no encryption at all to safeguard their data from theft.
In addition, a test of wireless LANs showed that 12% of them had the store's name configured as the SSID (Service Set Identifier). This is like handing the intruder a route map to the store, said Sinha. A number of other wireless devices still had their default passwords configured. Most of these passwords are listed on the World Wide Web.
According to the company, loosely secured networks at retail stores pose several kinds of risk. First, the barcode readers and local network can be manipulated to capture transaction and credit card information from customers inside the store. Second, numerous local retail stores have their WLANs connected to their partners' systems or corporate networks, all of which open entry points for attackers.
Sinha advises retailers to think more deeply about the threat of wireless attacks and how to prevent them.
» SPAMfighter News - 29-11-2007