Credit card processors finally get clue, will ban WEP
By Jacqui Cheng
Companies that accept major credit cards will be barred from using WEP for their WiFi security, but not until mid-2010. The rule is part of the updated security standard released this week by the Payment Card Industry Security Standards Council, whose members include Visa, MasterCard, American Express, and Discover. The sad thing is that WEP, which can be cracked in as little as two minutes, is still widely used in the old and decrepit point-of-sale systems deployed by many retailers; the new rules should help move along the long-overdue adoption of tighter security in credit card processing.

Under the new Data Security Standard (DSS), retailers that accept cards from the council's member brands may not deploy new wireless payment systems that use WEP after March 31, 2009. Those with wireless payment systems already in place must stop relying on WEP by June 30, 2010. The council says the change is intended "to emphasize using strong encryption technologies for wireless technologies, for both authentication and transmission."
WEP's weaknesses have been widely known since 2001, and the protocol has been blamed for the largest consumer data theft disclosed to date. TJX, parent company of discount retailers T.J. Maxx and Marshalls, disclosed last year that hackers had stolen data covering over 45 million credit and debit cards over an 18-month period, and later estimates put the number of compromised card numbers as high as 200 million. The attackers also obtained other personal data, including driver's license numbers and Social Security numbers, on over 450,000 customers.
Although TJX has become the poster child for consumer data theft over WiFi, it is far from the only company running insecure wireless networks. Wireless security vendor AirDefense released a report in late 2007 saying that a quarter of the 4,748 retail access points it surveyed across the US had no security whatsoever, while another quarter used only WEP, "one of the weakest protocols for wireless data encryption." Just under half (49 percent) of the surveyed access points used Wi-Fi Protected Access (WPA) or WPA2, both much stronger than WEP. The firm observed that the large majority of the stores in the survey protect their physical property better than their wireless networks, a sign that retailers are still slow to take data security seriously.
Banning WEP is a long overdue move, and had the industry been quicker to act on WEP's known weaknesses, the TJX breach might never have happened. It's unfortunate that laggards will have until the middle of 2010 to drop WEP, because that grace period needlessly leaves customer data at risk of theft.
* Found via Wi-Fi Net News: New Credit Card Processing Rules Kill off WEP (in 2009)