Not too long ago my wife and I went out to a nice restaurant for dinner. When it was time to pay, the waiter took my credit card and swiped it using a portable credit card processing device. Being in the security industry, I couldn’t help but wonder if the transaction was secure. After all, wireless connections are a vector hackers use to steal customer account information from retail vendors. Since I wanted to enjoy the evening I let that thought go for the time being.
When I got back to the office I started to think more about the level of security retail point-of-sale businesses have for their wireless networks. After all, wireless has become an important tool vendors use not only to take payments, but also as a way to provide customers with more value. Think about it. When we go into a store we can access product information over WiFi. We can redeem coupons over our mobile device. We can get information on promotional offers. There’s a lot available to keep customers interested and loyal.
It’s a two-way street though. Retailers are also collecting data on customers. For example, once we connect to their WiFi or pay our bill using a wireless point-of-sale (POS) payment card reader they can learn more about our shopping habits, the device we’re using, how long we’re connected and more. While all this gives us a more personalized shopping experience, it also helps retailers sell more products, in theory at least. Sounds like a win-win, right? Sure, as long as all the data that travels across the wireless network is secured. But that’s the issue. How do consumers know their personal information is secured over the wireless network? For retailers, how do they ensure their wireless network is secured from attack?
Wilson Lee, a colleague of mine, recently wrote in his blog that “It doesn’t matter whether you are a Fortune 100 company or a small business, the chances are that your Internet doorway is under attack more than your brick and mortar doorway.” His point is that when it comes to theft, it’s not just the physical door to your store that you should be concerned about. The fact is, small retail stores often serve as a point of entry to a corporate network which could result in a larger breach.
How popular is the use of wireless with retail businesses? A survey of retail IT professionals from EarthLink, IHL Group and AirTight Networks revealed that 82 percent of midsize-to-large retailers have deployed in-store WiFi, and 57 percent offer WiFi to both employees and customers. So, if you’re a retailer with a wireless LAN that’s used both internally and by customers, what steps can you take to help secure your wireless network from attack? Here are some basic “do’s” and “don’ts.
- Use basic or default passwords to access your wireless network that are easy to figure out or find on the Internet.
- Use the name of the store as the wireless service set identifier or SSID.
- Allow customers on the same wireless LAN as your internal staff and business systems. Keep them separate.
- Don’t use WEP (wired equivalent privacy) to secure your network. It’s not very secure.
- Adopt a multi-layered security approach to avoid single point of failure.
- Consider using a site survey tool before you roll out your WLAN. You might just find some unauthorized (rogue) access points.
- Create a stringent security policy for wireless access and then allow exceptions.
- Have your wireless traffic go through a next-generation firewall to scan for and eliminate threats.
- Run intrusion detection and prevention (IDP) to identify rogue access points and prevent connections to the devices. This is a requirement for PCI (Payment Card Industry) compliance.
- Create a “walled garden” for customer only access that is separate from internal users through virtual access point segmentation and wireless guest services.
The use of wireless in retail locations continues to increase, both from the consumer and business perspectives, making it a potential vector for attack. To learn more about how you can protect your business and POS systems from attack, read this white paper.