Wireless technology: High-tech tool or high-risk approach?



In this age of multi-tasking, people are answering e-mails, paying bills and accessing bank accounts on the run. Wireless technology has made this possible.

TJX Breach

This convenience doesn't come without a high price by way of security, however. Wireless — while being a convenient and time-saving technology — introduces a new set of security threats, such as rogue wireless devices, identity theft and noncompliant access points, or APs.

The TJX Cos., parent of T.J. Maxx and Marshalls, suffered the worst high-tech heist in retail history at the beginning of 2007. In addition to credit card data, hackers also made off with tens of millions of records containing personal information. The TJX breach resulted in the data on 45.7 million credit and debit cards being compromised. The theft occurred as the result of weak wireless security.

'War Driving'

The ease with which this type of theft can occur was apparent in a "60 Minutes" piece that aired in November. For the story, correspondent Lesley Stahl accompanied a computer forensic investigator in an activity referred to as "war driving" to demonstrate how hackers sitting in a parking lot can snatch a retailer's wireless data. All it takes is a laptop computer and free software.

"It doesn't take a sophisticated criminal [to commit this type of crime]," says Steve Rowen, partner, RSR Retail Systems Research and author of a study titled. "Safe Without Wires: The Value of Securing Wireless Technologies Report." The study was conducted by the Miami-based RSR to demonstrate how retailers are able to lessen the challenges of operating wireless systems securely.

"The difference between someone stealing over the Internet and a wireless breach is that the wireless breach is probably coming from someone sitting in the parking lot," says Nicholas Percoco, vice president of consulting at Chicago-based Trustwave.

Richard Rushing, chief security officer of AirDefense, points to three major factors that need to be addressed in order to prevent a breach: infrastructure; encryption; and security. The Atlanta-based AirDefense specializes in wireless security for companies, including healthcare and government agencies.

"Wireless technology moved in so quickly," says Rushing, "Now it's time to play catch-up." Adding that the bigger issue still is understanding wireless, he adds: "Retailers that move ahead with a weak security posture in two years will find that their system is very insecure."

Cost of a Data Breach

Ponemon Institute published a benchmark study in 2006 titled "Cost of a Data Breach — Understanding Financial Impact, Customer Turnover and Preventative Solutions." The study examined the costs incurred by 31 companies that were the victims of a breach. Breaches ranged from 2,500 to 263,000 records from 15 separate industry sectors and showed the damages resulting from 815,000 compromised customer records. The study found that the total cost averaged $182 per compromised customer record, and the average total price per reporting company was $4.8 million per occurrence.

According to AirDefense: "The cost of a data breach is substantial, from immediate fines and business disruption to long-term brand damage and legal liabilities."

Payment Card Industry

The PCI Security Standards Council, based in Wakefield, Mass., was created to promote the education and awareness of standards that enhance payment data security. The council was formed by the major payment card brands: American Express; Discover Financial Services; JCB; MasterCard Worldwide; and Visa International.

PCI released an updated Self Assessment Questionnaire, or SAQ, for service providers and merchants, which is designed to streamline the assessment process. "With the introduction of the updated SAQ, merchants will now have a better understanding of the steps necessary to secure their payment data and comply with the PCI Data Security Standards," says Bob Russo, general manager of PCI, in a press release.

The release also states that, according to a recent report by Javelin Research and Strategy: "63% of consumers believe that merchants and retailers are the least secure among payment transaction stakeholders in protecting account information."

Hooters of America has conformed to PCI requirements for the past three years. "Being PCI compliant is expensive, and it's almost impossible to be 100-percent compliant," says Wes Marco, director of information services for the Atlanta-based Hooters. "It is getting better year by year, though," he adds.

Foodservice Not Immune

Retail is not the leading industry to fall victim to this type of theft. Trustwave, a provider of security and compliance management solutions, reports that the foodservice industry represents the majority of compromises, 52%, followed by retail, at 24%.

There is widespread use of credit and debit cards in foodservice. According to the National Restaurant Association, 53 percent of all adults pay using an electronic payment system at their table. In addition, 44 percent use an electronic ordering system at their table in a full-service restaurant; 34 percent would use wireless Internet access at their table if it were offered at their favorite full-service restaurant.

"Wireless was going to be the panacea," says Jeff Chasney, EVP, strategic planning and chief information officer for CKE Restaurants, pointing to the increasing use of video cameras to monitor transactions and the way servers handle the credit cards. Chasney adds that wireless systems are required more in full-service operations than in quick-service restaurants, noting that the entire payment transaction in a QSR facility takes place at the counter.

Carpinteria, Calif.-based CKE Restaurants is installing and deploying credit card readers in all of its Carl's Jr. restaurants. "We will install the system in the drive-thru as well," Chasney says. "We're fleshing that out now." Swipe systems are being installed in the company's Hardee's units.

Exploited By Organized Crime

Wireless vulnerabilities are being exploited by organized crime in an effort to secure profitable data such as credit card numbers and sensitive customer records. "The majority of credit card fraud is taking place in restaurants," says Rowen of RSR. "That's because opportunities are more present in restaurants."

The criminal element has found a way to entice minimum wage servers. "[Mobs from various countries] are stealing information by giving servers a small swipe device that allows them to steal credit card numbers," says Marco of Hooters. The reward for the servers is a check for $10,000. "These kids are offered $5 to $10 for each credit card number they can get," adds Rushing of AirDefense.

$6 Charge At Pizza Joint

Trustwave's Percoco uses the following as an example. "You and I both use a credit card at a pizza restaurant and have a $6 charge. When you receive your credit card bill, a couple of lines below that charge, you see one for $1,000 from an electronics store, which you didn't make."

If there are only two such occurrences, then it's usually not an issue. However, if there are 500 or 1,000 such reports in one day, then it begins to mean something, he says. "We start looking for common places, and the only place in common is that pizza restaurant," he says. "There is the possibility that restaurant has servers who are skimming."

A skimmer is a member of the waitstaff who has a small device in his or her pocket and uses it to swipe the credit cards, perhaps even as they're taking the card away from the table to process. This is not the person, however, who gets a lot of volume. Police are called in when skimming is suspected. Percoco notes that if it's only a couple of dozen cards, that's the work of an aggressive skimmer.

An Internet hacker, on the other hand, can steal 50,000 card numbers in half a second. The numbers then are broken down and sold in what are referred to as "one hundred card dumps," or a list of credit cards. 

"That pizza restaurant is in the business of making good pizza, not security," notes Michelle Genser, corporate communications manager for Trustwave.

This is the type of breach where Trustwave would be called in. Percoco said that 99 percent of Trustwave's customers are proactive, resulting in most of the company's business coming prior to a breach.

Willing To Spend Money

Ruby Tuesday's Nick Ibrahim's stance is that wireless is safe if you're willing to spend money. "You would have to go with a $1,000 router from Cisco," says Ibrahim, senior vice president and chief technology officer for the restaurant company. "Not the $40 one from Best Buy."

The Maryville, Tenn.-based restaurant company, while not currently using wireless, remains open to the technology. "The only thing we're questioning is if there is a device that can hold our 80 menu items," Ibrahim says.

Chasney notes that one of the inhibitors of monitoring these systems will be the cost. "Our [fraud] has decreased, which means a reduced tolerance has pushed us to do more," he says.

Ibrahim points out the ease with which wireless equipment can be moved. "When you build a restaurant, if you want to move the POS system, you have to call an electrician," he says. "With wireless, all you need is an electrical outlet."

Pay-At-The-Table Devices

When asked about the pay-at-table option, Percoco says, "You don't have the risk of skimmers, but now you have to depend on the security of the system."

Hooters is testing pay-at-the-table devices, finding that some of the performance issues come from the equipment operating too slowly. Another factor to consider, Chasney adds: "You have no control over that PDA once the server walks away from the table."

'Right Out of the Box'

"One of the things I definitely want to bring out is that we're finding more and more breaches in restaurants and small retailers," Rushing says, because they buy routers that are 95 percent wireless, enabled "right out of the box." Such routers also are prevalent among seasonal retailers, such as tax preparers and Christmas shops.

The World of Wi-Fi

It is commonplace nowadays to see people in coffee and sandwich shops propped in front of their laptops, taking advantage of the restaurants' free Wi-Fi service.

"At McDonald's, we are always looking for ways to better serve our guests. This includes providing safe, secure and convenient Wi-Fi access at more than 9,000 McDonald's U.S. restaurants," says Tom Gergets, senior director technology for McDonald's USA in Oak Brook, Ill., in a statement. He goes on to add that the company's customers appreciate the added value and convenience of Wi-Fi accessibility at their local McDonald's.

"As with many customer Wi-Fi access locations available today, we're diligently working with our technology staff and outside vendors to ensure the integrity of our service. In fact, McDonald's has implemented industry best-practice controls and safeguards within our Wi-Fi offering," he states.

He adds the caveat that "Wi-Fi users, like anyone using the Internet, should take necessary steps — including the installation of appropriate software — to ensure that their sensitive data is protected."

Marco notes: "Wi-Fi needs to be a separate factor, which drives up costs." He also points out that in order to have a secure hot spot, you would need a separate DSL. "Anyone who combines the two is asking for trouble," he says. "You're only as secure as whoever else is on the hot spot," agrees Rushing.

Ibrahim says Ruby Tuesday considered Wi-Fi and actually tried to implement it in its New York restaurant. "We could not deploy it because of all the interference," he says.

Ongoing Debate

An ongoing debate among operators is whether or not Wi-Fi is beneficial for table-service operations.

Marco says, "If your restaurant is filling up and going into a wait situation because the tables are no longer turning over, then you have a problem." There is also the issue of the servers. "How do you compensate them for the loss of their tips?" he adds.

Another breach of sorts that Ibrahim points to with Wi-Fi is the control over what customers are viewing. He offers the example of a family dining with children and someone at the next table having an offensive site open. "You can't go over to the person and say 'Please close your laptop,' " Ibrahim observes.

Media Hype Justified

How do these industry pundits weigh in on the subject of TV, radio, magazine, newspaper and Internet coverage of wireless breaches?

"The media is definitely justified in their reporting," says AirDefense's Rushing.

Rowen adds: "I think that the role of the media is important to get the word out."

Chasney says he feels there's more consumer awareness due to increased newspaper coverage.

It's not all gloom and doom for wireless technology, however. "You can lock down your wireless access points," says Marco. "There are some very good ways to protect yourself."

— By Mary Ann Tasoulas