Wednesday, December 3, 2008

WLAN Security, Customers and POS

The widespread acceptance of Wireless Local Area Networks is a money maker for the e-commerce market. Not only has the Small Office/Home Office (SOHO) been a welcomed market for the manufacturers of wireless devices ( Cisco/Linksys), the acceptance of wireless networking is saving millions of dollars to these markets. Organizations are reaping profits in the region of billions of dollars in cost and productivity savings. The customer base is generally unquestioning and accepting or at times even unaware of the presence of these technologies. One only has to venture into a Target, BestBuy, or Macys to be exposed to the transparent use of Wi-Fi.

Marketing is a remarkable skill. With the recent stampeding of a store attendant in a New York store, I'm in awe of the magnificence of marketers. Only an earthshaking advertising campaign could possibly entice a shopper to fall in line thousands deep to purchase a new toy. This, in a winter chill that is almost anti-human. Oh the brilliance of marketing. The everyday shopper follow the routine of choosing the item and forking over the plastic. Very few are aware of WLAN compliance requirements for wireless networks. Not many question the secure handling of their confidential information. Analysts from organizations like the Gartner group, Frost & Sullivan Research have posted numerous articles that are meant to educate the customer. I salute them for their in depth work. The question though remains, "How many shopper would read a technical article?" Should one expect the everyday shopper to understand PCI, Sarbenes Oxley or WLAN security best practices. I hear your answer. A resounding NO! Neither should one anticipate a memo from the large retail outlets identifying their due care or due diligence in protecting your confidential information.

Some may ask, "What does that have do with me?" The answer is everything. In our advanced shopping society, technology, though unnoticed, is at the forefront. We have become used to technology that is pushed on us without any great introduction. Most of us are leaving our data safety in the hands of organizations who at times do not take the necessary precautions to create a safe shopping environment. Questions are rarely asked. Who would have thought that a certain franchise's wireless network was so open that we were safer leaving our credit cards in the shopping cart than presenting it to the cashier. Does the customer need to know that despite all the brouhaha wireless networks are not as secure as wired networks? The government mandates legislation for organizations using wireless networks.

I beg to include here excerpts of an article I read that brings to the forefront the dismal task of providing security to the customer.

When thieves stole the PIN pads at a cash register in one of his company's stores, Daniel Marcotte was amazed. Not that they'd done it -- such thefts can happen once a week during the holiday season. But watching it on videotape later, "I couldn't tell they had it with them when they left" the store, says Marcotte, director of systems and data security at La Senza, a Montreal retailer now owned by The Limited.

A couple of hours later, the thieves were back. They'd doctored the PIN pads to let them get customer card data. They got them back onto the point-of-sale system quickly, too. But here's where La Senza's security precautions kicked in: Its PIN pads in effect have their own Media Access Control address, and once they're disconnected, that address is no longer available. So the thieves were foiled -- this time. What you are reading here is an attack on a Point of Sale system. These systems normally comprise the cash register, the bar code scanner, wi-fi access, the in-store voice or IP network and the store inventory management system. The everyday customer is vigilant of the thief who physically walks in to the outlet. Very few are aware of the tech savvy culprit. These are the invisible, bitheads who have compromised these systems for monetary gains. The targets are the uninformed, non-questioning shoppers with no knowledge of wi-fi vulnerabilities. According to one Mr. Keith Aubele, the former loss prevention executive at Wal-Mart and Home Depot, these systems are "incredibly easy to bypass."

Holiday cashiering is noticeably a seasonal job. A problem exists with this phenomena. It is called under-ringing or sweet-hearting. In this scheme the unscrupulous cashier does not scan all the items presented. This, however, affects the retail outlet. Their loss. Now we address the customer. Point-of-sale technology was not designed to capture customer data. These technologies were designed for tracking purposes, but retailers now use them to capture customer data. Alert! huge management/security issue! The customer is now left at the mercy of the mitigation steps taken by the retailer. Some organizations are managing numerous locations. Most outlets are using known vulnerable systems with a hope and pray approach. In Europe where E-commerce has caught on quicker that other world regions, they use a technology known as chip-and PIN for credit cards. The cost factor to upgrading to this technology is not feasible from the view of the outlet. These point of sale terminals are mostly not understood by the retailers who use them, most are not aware of the information collected by their systems.

Some of these outlets are presently using WEP (Wired Equivalent Privacy) as the encryption of choice. To the knowledgeable attacker this is an invitation. Now back to the customer. What guarantee do we have that our data is protected? Card companies like Visa and Mastercard are trying to pressure retailers to be compliant to PCI ( Payment Card Industry) security standards. We all know that this will be avoided if it costs too much to implement. There has been a promise from Visa to implement fines against non-compliant retailers. I read a disturbing report that the forecast of POS is dismal. The highly respected Gartner Group predicts that by 2009, most attacks against retailers would be through the POS. They further stated that merely 30% of POS software will be compliant.

I remember that old Captain and Tennille song, "you better shop around."


wrote by Keith Charles on ezinearticles.com

No comments: