The Green Sheet, Inc


The Green Sheet Online Edition

May 29, 2007  •  Issue 07:05:02


Getting wise to wireless security

By Joel and Rachael Rydbeck

Wireless security has been in the news since The TJX Companies Inc. disclosed that unauthorized intrusion into its computer systems resulted in the theft of credit card data (see "TJX data breach may fuel liability laws," The Green Sheet, Feb. 12, 2007, issue 07:02:01). Further, The Wall Street Journal reported in May that the retailer's wireless networks were less secure than most home networks.

Advanced POS software, Internet-protocol terminals, wireless local area network terminals and a plethora of other equipment are active on many networks that store and transmit credit card and customer information. As ISOs and merchant level salespeople, you must take precautions to protect it.

I can't emphasize enough how important it is to protect your network and those of your customers. This requires knowledge of what network security entails.

Connecting with cans

Let's look at an example. Suppose you want to stretch your network. Nothing complex: you just want to share Internet access and files between offices in two buildings. Perhaps the offices are across the street from each other, and tearing up the street to run a cable is out of the question.

You could set up a virtual private network link. But that would mean more money and possibly a slow link. You could connect wirelessly; however, the signal might keep dropping out, breaking your connection.

In the late 1990s, some ingenious folks came up with a solution: the cantenna. Wikipedia describes this device as a "directional waveguide antenna for long-range Wi-Fi used to increase the range of (or snoop on) a wireless network.

"Originally built using a Pringles potato chip can, a cantenna can be constructed quickly, easily and inexpensively, using readily obtained materials."

A cantenna may look a bit rickety, but it can increase a wireless network's range by double or more. With this technology, you could stretch your network across a very wide street and not worry about distance or interference from other networks.

Wardriving geeks

Something else happened in the late 1990s. Many people (myself included) realized we could connect to each other's networks. A new geek sport developed called "wardriving." This involved the cantenna, a global positioning system and a laptop. With a little bit of software on a laptop, anyone could drive around town and quickly build a map of vulnerable wireless networks.

I did it once with a friend. We counted over 50 open networks (those lacking password protection) in downtown Saint Paul, Minn., alone. It wasn't hard to use other people's networks to get on the Internet because nothing was locked down.

If you have a wireless network, people can find it. This extends far beyond the "available wireless networks" that your computer finds when searching for Internet access. Some people think their networks are hidden because they don't appear in that list; in reality, no network is hidden.

Unfortunately, as companies rushed to embrace wireless scanners, mobile check-in and checkout desks, and all sorts of portable technology, coordination around security became much more difficult.

A colleague who was responsible for security at a large Fortune 500 company wardrove his company campus and hallways to shut down rogue and vulnerable access points that exposed the company's network to potential intrusion.

Sporting encryption

Wireless encryption protocol (WEP) has existed from early on to help keep wireless networks secure. Unfortunately, some flaws in the design were exploited just after 2000. Now software can easily crack into a WEP-protected network in one minute or less. (For more information on WEP, see http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy.)

In 2003, Wi-Fi protected access (WPA) was created to strengthen wireless security. To date, this encryption system has been secure enough for most industrial and commercial purposes. It is also simple enough for many home users to set up. (For more details on WPA, see http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access.)

You can take several measures to secure the wireless portion of a network:

While hiding the SSID and using MAC address filtering do impede intruders, they do not, alone or together, provide an adequate level of security. Adding WPA does.

Wireless networks share the same channels as cordless phones and walkie-talkies. There are roughly 14 channels (or frequencies) available to wireless networks. Just like WEP-cracking software, applications exist that will find hidden SSIDs and spoof MAC addresses.
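The kind of walk-through described above (finding rogue and vulnerable access points, and not trusting a hidden SSID in place of encryption) can be turned into a repeatable check. The following is an added example, not code from the authors or from Nubrek; the survey rows, the CSV layout and the approved-address inventory are all constructed for illustration.

```python
import csv
import io

# Constructed survey data (not from a real site): one row per access point
# heard during a walk-through. An empty ssid means the name is not broadcast.
SURVEY_CSV = """ssid,bssid,channel,security
StoreOffice,00:11:22:33:44:01,6,WPA
StorePOS,00:11:22:33:44:02,11,WEP
,00:11:22:33:44:03,1,OPEN
linksys,66:77:88:99:AA:BB,6,OPEN
BackOffice,00:11:22:33:44:04,1,WPA
"""

# Hypothetical inventory of access points the merchant has approved.
APPROVED_BSSIDS = {
    "00:11:22:33:44:01", "00:11:22:33:44:02",
    "00:11:22:33:44:03", "00:11:22:33:44:04",
}


def audit(survey_csv, approved):
    """Return (bssid, ssid, findings) for each access point with a finding."""
    report = []
    for row in csv.DictReader(io.StringIO(survey_csv)):
        bssid = row["bssid"].strip().upper()
        ssid = row["ssid"].strip()
        security = row["security"].strip().upper()
        findings = []
        # A match only means the address is known; MAC addresses can be
        # spoofed, so treat the inventory check as a first-pass filter.
        if bssid not in approved:
            findings.append("rogue: not in approved inventory")
        if security == "OPEN":
            findings.append("open: no encryption")
        elif security == "WEP":
            findings.append("WEP: crackable, move to WPA")
        # Hiding the SSID does not make up for weak or missing encryption.
        if not ssid and not security.startswith("WPA"):
            findings.append("hidden SSID without WPA")
        if findings:
            report.append((bssid, ssid or "<hidden>", findings))
    return report


if __name__ == "__main__":
    for bssid, ssid, findings in audit(SURVEY_CSV, APPROVED_BSSIDS):
        print(f"{bssid}  {ssid:<12} {'; '.join(findings)}")
```

Access points that use WPA and appear in the inventory produce no findings, so the report lists only what needs follow-up.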

Closing the jacks

Protecting a wireless network is not the end of the job. Open network jacks are an easy way around security measures. If customers or clients can easily plug into your network unsupervised, all the hard work done on wireless protection won't do much good.

If you're sharing your Internet connection with your neighbors, make sure a firewall protects you from them.

Many Payment Card Industry Data Security Standard audits look for exposed wireless networks, network jacks and other vulnerable points on networks. You can help your merchant customers by performing a few cursory checks on their networks. Ask them the following questions about their security:

These are basic steps, but they go a long way toward protecting a network and its data.

Joel Rydbeck, Chief Technology Officer of Nubrek Inc., brings his strong background in e-commerce and business process automation to the merchant services industry. Rachael Rydbeck, President of the company, has a background in product management and technical writing. Nubrek offers eISO, a Web application for ISOs that tracks leads and provides automated residual and commission reports. For more information on eISO or to view a free demo, visit www.nubrek.com/eiso.html. E-mail Joel at joel@nubrek.com or Rachael at rachael@nubrek.com.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
