The Green Sheet Online Edition
May 29, 2007 • Issue 07:05:02
Getting wise to wireless security
Wireless security has been in the news since The TJX Companies Inc. disclosed that unauthorized intrusion into its computer systems resulted in the theft of credit card data (see "TJX data breach may fuel liability laws," The Green Sheet, Feb. 12, 2007, issue 07:02:01). Further, The Wall Street Journal reported in May that the retailer's wireless networks were less secure than most home networks.
Advanced POS software, Internet-protocol terminals, wireless local area network terminals and a plethora of other equipment are active on many networks that store and transmit credit card and customer information. As ISOs and merchant level salespeople, you must take precautions to protect that information.
I can't emphasize enough how important it is to protect your network and those of your customers. This requires knowledge of what network security entails.
Connecting with cans
Let's look at an example. Suppose you want to stretch your network. Nothing complex: you just want to share Internet access and files between offices in two buildings. Perhaps the offices are across the street from each other, and tearing up the street to run a cable is out of the question.
You could set up a virtual private network link. But that would mean more money and possibly a slow link. You could connect wirelessly; however, the signal might keep dropping out, breaking your connection.
In the late 1990s, some ingenious folks came up with a solution: the cantenna. Wikipedia describes this device as a "directional waveguide antenna for long-range Wi-Fi used to increase the range of (or snoop on) a wireless network.
"Originally built using a Pringles potato chip can, a cantenna can be constructed quickly, easily and inexpensively, using readily obtained materials."
A cantenna may look a bit rickety, but it can increase a wireless network's range by double or more. With this technology, you could stretch your network across a very wide street and not worry about distance or interference from other networks.
Something else happened in the late 1990s. Many people (myself included) realized we could connect to each other's networks. A new geek sport developed called "wardriving." This involved the cantenna, a global positioning system and a laptop. With a little bit of software on a laptop, anyone could drive around town and quickly build a map of vulnerable wireless networks.
I did it once with a friend. We counted over 50 open networks (those lacking password protection) in downtown Saint Paul, Minn., alone. It wasn't hard to use other people's networks to get on the Internet because nothing was locked down.
If you have a wireless network, people can find it. This extends far beyond the "available wireless networks" that your computer finds when searching for Internet access. Some people think their networks are hidden because they don't appear in that list; in reality, no network is hidden.
Unfortunately, as companies rushed to embrace wireless scanners, mobile check-in and checkout desks, and all sorts of portable technology, coordination around security became much more difficult.
A colleague who was responsible for security at a large Fortune 500 company wardrove his company campus and hallways to shut down rogue and vulnerable access points that exposed the company's network to potential intrusion.
Wireless encryption protocol (WEP) has existed from early on to help keep wireless networks secure. Unfortunately, some flaws in the design were exploited just after 2000. Now software can easily crack into a WEP-protected network in one minute or less. (For more information on WEP, see http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy.)
In 2003, Wi-Fi protected access (WPA) was created to strengthen wireless security. To date, this encryption system has been secure enough for most industrial and commercial purposes. It is also simple enough for many home users to set up. (For more details on WPA, see http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access.)
You can take several measures to secure the wireless portion of a network:
- Use WPA.
- Hide or do not broadcast your network's service set identifier (SSID).
- Use MAC address filtering, which is a security access control methodology.
- Use WEP.
While hiding the SSID and using MAC address filtering do impede intruders, they do not, alone or together, provide an adequate level of security. Adding WPA does.
Wireless networks share the same channels as cordless phones and walkie-talkies. There are roughly 14 channels (or frequencies) available to wireless networks. Just like WEP-cracking software, applications exist that will find hidden SSIDs and spoof MAC addresses.
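An added example, not part of the original article: a short Python audit of a site survey that applies the points above, flagging open or WEP access points, access points missing from the approved inventory, and cases where a hidden SSID or MAC filtering is the only protection. The CSV columns, sample rows and approved-BSSID list are constructed for illustration.

```python
import csv
import io

# Constructed survey of one site's access points (not real data). The column
# names and the approved-BSSID list are assumptions made for this example.
SURVEY_CSV = """ssid,bssid,channel,encryption,ssid_hidden,mac_filter
StoreOffice,00:11:22:33:44:01,6,WPA,no,no
StorePOS,00:11:22:33:44:02,11,WEP,yes,yes
,00:11:22:33:44:03,1,NONE,yes,yes
StoreOffice,66:77:88:99:AA:BB,6,WPA,no,no
"""
APPROVED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"}


def audit_access_point(row, approved):
    """Return a list of findings for one surveyed access point."""
    findings = []
    enc = row["encryption"].strip().upper()
    if row["bssid"].strip().upper() not in approved:
        findings.append("rogue: BSSID is not in the approved inventory")
    if enc == "NONE":
        findings.append("open: no encryption")
    elif enc == "WEP":
        findings.append("weak: WEP is crackable, move to WPA")
    elif not enc.startswith("WPA"):
        findings.append("unknown encryption setting: " + enc)
    # Hidden SSIDs and MAC filtering do not make up for missing WPA.
    if not enc.startswith("WPA"):
        for column, label in (("ssid_hidden", "hidden SSID"), ("mac_filter", "MAC filtering")):
            if row[column].strip().lower() == "yes":
                findings.append(label + " is not a substitute for WPA")
    return findings


def audit_survey(csv_text, approved):
    """Map each BSSID with at least one finding to its findings."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = audit_access_point(row, approved)
        if findings:
            report[row["bssid"]] = findings
    return report


if __name__ == "__main__":
    for bssid, findings in audit_survey(SURVEY_CSV, APPROVED_BSSIDS).items():
        print(bssid)
        for finding in findings:
            print("  - " + finding)
```

The fourth sample row reuses a legitimate SSID with WPA enabled, so only the inventory comparison catches it.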
Closing the jacks
Protecting a wireless network is not the end of the job. Open network jacks are an easy way around security measures. If customers or clients can easily plug into your network unsupervised, all the hard work done on wireless protection won't do much good.
If you're sharing your Internet connection with your neighbors, make sure a firewall protects you from them.
Many Payment Card Industry Data Security Standard audits look for exposed wireless networks, network jacks and other vulnerable points on networks. You can help your merchant customers by performing a few cursory checks on their networks. Ask them the following questions about their security:
- Do you have a wireless network?
- How do you secure it? (If they don't know, offer to help them log on to their wireless router/access point and see how it is configured.)
- Do you share your Internet connection with neighbors or visiting customers/vendors?
- Does each computer run a firewall?
- Do you regularly scan your computers for spyware and viruses?
- Do you install Microsoft patches regularly?
These are basic steps, but they go a long way toward protecting a network and its data.
Joel Rydbeck, Chief Technology Officer of Nubrek Inc., brings his strong background in e-commerce and business process automation to the merchant services industry. Rachael Rydbeck, President of the company, has a background in product management and technical writing. Nubrek offers eISO, a Web application for ISOs that tracks leads and provides automated residual and commission reports. For more information on eISO or to view a free demo, visit www.nubrek.com/eiso.html.