Security Problems Plague 44% of Retailer Wireless Devices

February 4, 2009


Nearly half (44%) of the wireless devices used by retailers – including laptops, mobile computers and barcode scanners – could be compromised by data leaks and other security problems, according to the second annual Motorola AirDefense Retail Shopping Wireless Security Survey, reports Retailer Daily.

That percentage is significantly lower than results from the same retail shopping survey conducted in 2007, which found security vulnerabilities in 85% of wireless devices.

Survey research included a review of wireless data security at more than 4,000 stores in some of the world’s busiest shopping cities, including Atlanta, Boston, Chicago, London, Los Angeles, New York City, San Francisco, Paris, Seoul, and Sydney.

Security vulnerabilities in wireless networks typically are the result of weak encryption, data leakage, misconfigured access points, and outdated access point (AP) firmware.

One of the more overlooked issues with large retailers is a “cookie-cutter” approach to wireless technology, Motorola said: By using the same technology, configuration, security, and naming conventions at all retail locations, vulnerabilities repeat themselves across the entire store chain, rendering them susceptible to attacks as well as Payment Card Industry (PCI) non-compliance.

Motorola AirDefense’s Wireless Security Survey monitored 7,940 access points–the hardware that connects wireless devices to wired computer networks–and discovered 32% were unencrypted, compared with 26% in last year’s survey.

The same as last year: 25% of APs were still using Wired Equivalent Privacy (WEP), the weakest protocol for wireless data encryption, which can be cracked in minutes.

PCI Data Security Standard (DSS) version 1.2 prohibits new WEP deployments in the Cardholder Data Environment (CDE) after March 31, 2009, and requires the elimination of WEP from the CDE after June 30, 2010.

Other survey findings:

  • Retailers in Los Angeles and New York City were deploying some form of encryption on 77% of their wireless APs. Paris retailers ranked second with 76%. Retailers in London and Boston ranked the lowest with only 51% and 60% of APs, respectively, using some form of encryption.
  • 12% of all APs monitored were using WiFi Protected Access (WPA), while another 27% were using WPA-PSK (pre-shared key), which is only as strong as the shared password used to protect it. In total, only 7% of retailers were using WPA2, which is the strongest WiFi security protocol available.
  • 22%, or 1,740, of APs were misconfigured, an increase from 13% in the 2007 survey.
  • Some networks were deployed using default configurations and service set identifiers (SSIDs) such as “Retail Wireless,” “Cash Register,” “POS WiFi,” “store#1234,” and “Default,” signaling to hackers that nothing has been changed on these devices or the entire wireless network.

WiFi signage has become popular among retailers as a way to advertise that they offer wireless. However, advertising an open wireless network may tip off hackers to target other customers, who may not be using effective data security tools.

The study found that 32% of retail locations were leaking unencrypted traffic, with an additional 34% of retail locations leaking encrypted traffic, for a total of 66%. Data leakage is easily solved with simple configuration changes or modifications.

About the data: Using Motorola AirDefense technology, Motorola scanned the airwaves at major shopping centers for the presence of wireless networks and evaluated what wireless data security practices were currently in use. This evaluation took place during Q3 and Q4 of 2008. No personal credit card information was obtained, as the goal of this survey was to raise awareness among retailers about the importance of deploying best practices in wireless security to better protect the information on retailer networks.
