BOSTON (AP) _ Half of more than 3,000 retail stores that a wireless security company secretly monitored in major shopping centers in the U.S. and Europe use wireless data systems vulnerable to hacking, the company said Thursday.
The data stores routinely transmit on wireless networks includes customer credit card and social security numbers and other sensitive information.
AirDefense Inc., an Atlanta-based maker of security products for wireless data systems, found that about 25 percent of the stores' 4,748 wireless access points were exchanging data with no encryption at all to mask the information.
Another 25 percent were using an outdated encryption method called Wired Equivalent Privacy that AirDefense said is easily cracked by thieves using widely available tools.
The remaining half of the access points - the connections between wireless devices and computer networks - were using newer encryption methods that are considered far harder to crack.
``You can drive down a street with a laptop and find easily wireless access points, and it does not require a great degree of sophistication,'' said Avivah Litan, of Gartner Inc. ``In technical circles, people talk about this all the time, but nobody ever puts it together broadly like this survey.''
An independent security analyst, Avivah Litan said she was familiar with AirDefense's findings, and she called them significant. The survey of 3,045 stores was the largest involving retailers Litan is familiar with, she said.
The six-week undercover project - conducted at shopping areas in Atlanta, Boston, Chicago, Los Angeles, New York, San Francisco, London and Paris - attempted to expose security holes in wireless networks that are increasingly used to transmit data inside stores.
Some of the data stores transmit is of little or no use to thieves, like information scanned from barcodes, but much of it is sensitive.
Wireless systems are believed to have been the entry points for recent large-scale data thefts at retailers, including a massive heist at discount retailer TJX Cos. TJX said in March that at least 45.7 million cards were exposed to possible fraud, although recent court filings by banks suing TJX estimate the total at more than 100 million.
``The bad guys are going to go for the low-hanging fruit, and that's the wireless networks,'' said Richard Rushing, AirDefense's chief security officer and manager of the survey project.
Credit card industry reports on merchants' compliance with data security standards give higher marks than AirDefense's findings, but Avivah Litan said many security auditors miss some devices connected wirelessly to retail data systems - or the devices are added later.
At the same time, Avivah Litan said AirDefense - which sells wireless security products to a range of clients including large corporations and government agencies - ``is likely to exaggerate to the extent that it's in their self-interest.''
Lars Laven, co-founder of another wireless security firm called Columbitech not involved in AirDefense's study, said his company ``can confirm that there are numerous security holes in retail.
``This survey provides only the tip of the iceberg to a much larger security problem,'' Lars Laven said.
Spokespersons for the National Retail Federation, credit card associations Visa and MasterCard, and a card industry security organization called the PCI Security Standards Council declined to comment right away on AirDefense's findings.
But Visa Inc. said Oct. 24 that 65 percent of the largest U.S. merchants were in compliance with the latest card industry security standards, which include encryption requirements and other security measures.
That's up from 36 percent at the end of last year, Visa said.
AirDefense's Richard Rushing said he and two other AirDefense employees fanned out over six weeks starting in September to such retail districts as Rodeo Drive in Los Angeles's Beverly Hills, New York's Madison Avenue and London's Piccadilly Circus.
While the 3,045 retail outlets surveyed included many large, high-end stores, they also included merchants' carts in shopping malls and other small, less sophisticated retailers, Richard Rushing said.
The survey included locations of 51 of the largest U.S. retail chains, Rushing said.
The surveyors carried backpacks containing laptop computers with 4-inch-long radio signal-intercepting antennae. After walking through the stores, they downloaded the information the laptops had gathered and examined the data for security holes using tools that unscramble encrypted data.
The retailers weren't told of the project, although AirDefense did privately notify retailers via e-mail in cases where it found major security flaws, Richard Rushing said.
AirDefense is not disclosing the names of individual retailers to avoid drawing hackers' attention.
Among other findings, AirDefense found that of the 2,500 wireless devices such as portable computers, handhelds and barcode scanners in use at the stores, data transmissions could have been compromised with 85 percent of the devices for a variety of reasons.