"The overall results of AirDefense's two comprehensive national retail wireless surveys show surprising deficiencies in how retailers approach corporate network security," said Mike Potts, president and CEO, AirDefense. "However, in some stores we did notice the use of stronger encryption through upgraded Point-of-Sale devices and wireless infrastructure providing hope that more and more retailers will follow suit by adding additional layers of security technologies to their corporate networks."
During its monitoring, AirDefense discovered more than 1,300 Access Points. Alarmingly, thirty-nine percent (39%) were unencrypted with twenty-nine percent (29%) encrypted with Wired Equivalent Privacy (WEP), the weakest protocol for wireless data encryption, which can be compromised in minutes but is in wide use today. In addition, it was found that others were utilizing Wi-Fi Protected Access (WPA) or WPA2, the two strongest encryption protocols for prevention against theft.
AirDefense conducted monitoring in some of the busiest retail locations within the five boroughs of NYC. AirDefense discovered numerous wireless vulnerabilities due to data leakage, rogue devices, mis-configured Access Points, poorly named Access Points and outdated Access Point firmware utilized by large retail chains. Many retailers did not simply follow basic security practices. This type of "cookie cutter" approach occurs when large retailers with multiple locations within NYC and/or nationwide use the same technology in all retail locations so vulnerabilities will repeat themselves across the entire store chain.
AirDefense also found thirty-five percent (35%) of Service Set Identification (SSIDs) had the store name in the SSID, giving away retailers identities. SSIDs can easily be reconfigured but often times are not. AirDefense found an unexpected upswing in rogue devices which might be attributed to the type of locations surveyed as there was a broad focus on shopping areas with heavy consumer day-to-day use versus flagship tourist destinations where remote chains might have been overlooked by retailers. AirDefense also found Point-of-Sale devices advertising themselves over the wireless network. This combined with the most recent operating system vulnerabilities, could lead to an easy compromise of the devices as well as unauthorized credit card and consumer information obtained.
Additionally, some of the networks discovered were fresh out of the box, using default configurations and SSIDs, such as retail wireless, POS Wi-Fi, company name or store#1234. This sends out a signal to someone with a desire to commit fraud that nothing has been changed on these devices and the entire wireless network. Also, data leakage occurs when companies add wireless functionality onto an existing wired network. Point-of-Sale information on products and possibly consumer credit card information can leak onto the wireless airwaves and be stolen. Of the devices surveyed by AirDefense, twenty-three percent (23%) did have data leakage occur. Data leakage, involving unencrypted data and encrypted data, was also visible in addition to proprietary protocols that let devices communicate across different networks, such as IPX, NetBIOS and SNA.
Since the survey involved both large and small shopping areas throughout NYC, a recurring theme is that many retailers have not updated their wireless situations or secured their stores beyond double locks, video surveillance or employing security guards. The higher number of rogue Access Points discovered as well as weak encryption practices shows the lack of effort or knowledge by some retailers to protect beyond the better known flagship stores. Many retailers were also offering "Free Wi-Fi" at their stores which has increased by fifty percent (50%) from past surveys, which is a nice shopping perk for consumers, but a potential nightmare for corporate IT staff.
