May Day MaydayBy Sean Gallagher | Posted 2002-06-01 Email Print
Best Buy's in-store wireless network exposed customers' credit card data. The retailer has plenty of company.
You could call it a security Mayday.
Imagine Best Buy's surprise when it found on May 1 that customers' credit-card data and other transaction information at some of its 1,900 stores had been left vulnerable to electronic snooping, thanks to the use of portable point-of-sale (POS) terminals connected to the stores' servers by a wireless local area network (LAN).
The POS systems in question relied on the increasingly popular 802.11b wireless networking standard, also known as WiFi. But the $15 billion consumer-electronics retailer apparently did not use even the most fundamental security features of WiFi, leaving information passed over the wireless network unencrypted.
While it's not certain that any actual customer data fell into the wrong hands, or that credit card data was actually transmitted in the clear for all to see, the revelation quickly forced the company to pull the POS systems in question from store floors. At best, the company has had its reputation with customers tarnished.
"It's dumb not to encrypt [wireless data]," says Jonas Hellgren, managing director at data security consulting firm Guardent. "It's a matter of five seconds to configure it."
Best Buy Public Relations Manager Donna Beadle says that one to two of the wireless, computerized sales registers per store used 802.11, and those registers were only used during peak hours to shrink checkout lines. The company would offer little more information about its in-store wireless networks, including who manufactured the wireless POS systems they use. They were from "various companies," says Beadle. "Our IT department is currently investigating the problem."
Best Buy's vulnerability became public in a May 1 posting to a mailing list on Security Focus Online, the Web site for a company that provides security threat management systems. The anonymous writer reported that he had been able to detect the network at a Best Buy store from his car after installing a wireless card he purchased there in his laptop. Running "kismet," a Linux network monitoring utility, he was able to record and examine packets of network dataand he claimed to have found what looked like credit card numbers in clear text within that data, along with other data about customer transactions and commands to the store's database. He also found that other Best Buy stores in his area had wireless networks enabled. "I am NOT comfortable using my credit card at any Best Buy right now," he wrote.
It's not unusual for companies to operate WiFi networks without encryption. Hellgren estimates that over half of WiFi networks are running unencrypted. On a recent test in Boston, Hellgren says only five of the 50 networks his team intercepted while wandering through the city were using the Wired Equivalent Privacy (WEP) encryption scheme built into WiFi network hardware.
The gap in the Minneapolis retailer's security apparently wasn't limited to a specific geographic area. According to one analyst, the problem is widespread and has been publicized and discussed on other Web site mailing lists.
"All Best Buys use 802.11b, without WEP," Eric Parker, an analyst at Mind Security, said on the Security Focus online site.
While WEP doesn't provide a great deal of securityits encryption keys are fixed, and even an amateur hacker (albeit a persistent one) can compromise WEP by passively monitoring the network long enoughit at least offers the wireless equivalent of latching the front door, foiling casual attempts at intrusion. Additional steps can be taken to make WiFi more secure, such as adding virtual private network (VPN) software similar to that used by users connecting to corporate networks over the Internet.
What is unusual about Best Buy's case is that the systems were part of a company-approved system designed to handle customer dataand they still didn't use encryption. Home Depot and Wal-Mart also use in-store wireless networks, as do a growing number of retail chains. But they are used, in most cases, for performing inventory functions and price checks with handheld barcode scanners. "There are some companies with wireless terminals that take credit cards, like Hertz, but they are definitely encrypted," says Hellgren.
The real security threat to most companies from WiFi is how easy and inexpensive it is for anyone to set up a wireless network. "It's the same problem companies used to have with modems," says Hellgren. You can buy a wireless access point for less than $150, and a laptop wireless card for under $100. You don't need much, if any, specialized knowledge to set them up. As a result, departments or even individuals can quickly extend the corporate network into the wireless domain.
And often, these extensions are left unsecured; sometimes their default identification and password settings remain unchanged. That leaves the door wide open to "war drivers" mobile hackers armed with a laptop, wireless card, external antenna and shareware softwareto detect unprotected WiFi networks and monitor their traffic, and in some cases even use them to gain access to corporate networks. While the range of 802.11b networks may be advertised as only 100 to 200 feet, external antennae can in some cases extend that range to as much as a quarter-mile.
Some WiFi equipment vendors are enhancing the built-in security within their products. Nokia, for example, is using smart cards within its latest line of 802.11 network cards to authenticate wireless devices and provide a higher level of encryption. And other vendors are developing dynamic key distribution systemssystems that send out multiple and constantly changing encryption keys rather than just one, to improve the security of WEP. But for now, the best way to secure WiFi networks is simply to take the time to implement and enforce the use of security measures already available.
Because, as Best Buy now knows all too well, haste makes wasteand very bad PR, to say the least.