Protecting the Perimeter

Those embarrassing leaks! For retailers, those mortifying moments are related to the data leaking out of their wireless networks, thanks to poor security.

For the second year in a row, Motorola AirDefense sent agents out to 4,161 stores at shopping malls and plazas across the globe in their own pedestrian version of war driving. Armed with laptops, these investigators sniffed around for access to retailers' wireless networks and devices, seeing what is leaking out.

Here's what they found: weak encryption, leaking data, misconfigured access points, old AP firmware, and configurations that are identical from store to store within the chain. Two-thirds of retailers had some sort of leakage.

What's Wrong?
There is some good news. Agents revisited the same sites, and things were a bit better this year than the year before. Back then, the crew found vulnerabilities in 85 percent of wireless devices such as mobile computers, scanners and laptops. This time it was 44 percent.

However, some numbers went up; there were more APs that were unencrypted than before (32 percent) and 25 percent were using the soon-to-be-discontinued WEP.
Wireless networks have transitioned from mission-enhancing to mission critical, now often carrying critical data such as selling tools, transactions and phone traffic. More in-store systems are now riding on the wireless network, from security cameras to kiosks to digital signage.

With PCI compliance worries, privacy regulations and competitive concerns, it's essential that retailers do a better job protecting the perimeters of their networks.

Trusted advisers reinforce their value when they point out vulnerabilities such as these:
  • 22 percent of retailers had misconfigured access points, up 13 percent from last year
  • 10 percent of the access point Service Set Identification (SSIDs) were poorly named, which can give away a store's identity.
  • Often the SSID was the store number.
  • 32 percent of retailers had unencrypted data leakage.
  • 34 percent had encrypted data leakage.
  • 25 percent still used WEP. According to Payment Card Industry Data Security Standard (PCI DSS) version 1.2, merchants using WEP networks must transition to  Wi-Fi Protected Access (WPA) security no later than June 30, 2010; merchants are no longer permitted to deploy any new Wired Equivalent Privacy (WEP) networks.
  • 12 percent used WPA, while 27% used WPA-PSK;  just 7% used WPA2, the strongest protocol
  • Retailers attempted to make life easier by installing cookie cutter settings on networks and devices, making them easier to support and service.

Into the Breach
Not surprisingly, SMB retailers were particularly likely to have problems. Smaller retailers continued to experience myriad wireless security issues. A common scenario: retailers installing consumer-grade Wi-Fi, failing to change the defaults, and then using that to connect to Internet-based credit card authorization services.

  • Small- and mid-size retailers are ideal candidates for network monitoring services, to ensure mission-critical data remains secure and protected from intrusion.
  • With stakes this high, it's essential for these gaps to be addressed. 

This story is excerpted from "Filling in the Gaps" which appeared in the April 2009 issue of VSR Magazine. VSR is a sister publication to RIS News. To read the complete article, visit and click on the "Magazine" tab.

This ad will auto-close in 10 seconds