Ever since the dawn of Wi-Fi, earnest engineers in windowless rooms have busted their collective butts to create security mechanisms that thwart wireless cyber attacks, from the insufficient WEP (Wired Equivalent Privacy) to the more secure WPA2 (Wi-Fi Protected Access, uh, 2). But, apparently, their hard work doesn't matter to many people. While the security systems available for Wi-Fi networks are comprehensive, thousands of customers have largely ignored them. In fact, several recent studies show that a huge number of small businesses don't bother to use any encryption on their Wi-Fi networks. And that includes retailers, which are endangering customers' credit cards.

For the past few years, RSA Security, a division of EMC Corp. (EMC), has surveyed the world's major financial hubs, sniffing out unencrypted wireless networks. The most recent poll found that New Yorkers, unsurprisingly, are streetwise with their Wi-Fi, and only 3% of business-related access points are unencrypted. In London, on the other hand, 20% of all business access points went totally unprotected.

Meanwhile, at the beginning of 2009, Motorola (MOT) announced the results of its second annual AirDefense Retail Shopping Wireless Security Survey, which tracks wireless data security in some 4,000 stores in cities where people like to shop.

Now, you'd think retailers would be pretty worried about security. According to the Identity Theft Resource Center, there were 656 reported identity data breaches in 2008, including customers' credit card and Social Security numbers, up from 446 in 2007. The most nefarious and embarrassing of these was the case in which smooth criminals stole more than 45 million credit card numbers from TJX Cos. (TJX), a crime that began when they checked out one unsecured access point in a single retail store, and eventually gained access to the local area network, or LAN.
Lowe's (LOW) fell victim to a similar crime in 2003, in which a couple of ruffians managed to hack into the network from the parking lot of a Michigan store, although they managed to steal only a handful of credit card numbers.

"So it's not that the value of the wireless data is that precious, but that weakly protected -- let alone unprotected -- WAPs can be the path around your firewall and on to your LAN," says Paul Roberts, a senior security analyst at the 451 Group, a technology industry analysis firm in Boston. "Look at recent high profile hacks. That started as a hack against a weakly encrypted wireless LAN deployment in a regional store, but ultimately led to the company's crown jewels."

To that end, most credit card companies require retailers to adhere to a strict set of rules called the PCI Data Security Standard, designed to keep criminals from committing identity theft. PCI-DSS includes several rules that apply directly to wireless LANs, not the least of which is the encryption of private data. Negligent retailers face penalties. The PCI Security Standards Council this week released an updated guide on how to follow the rules, which are largely common sense.

Yet the Motorola survey showed that when it came to securing Wi-Fi networks, too many retailers were doing it wrong -- or not doing it at all. At retailers in Los Angeles and New York, only 77% of wireless APs used any type of encryption. Boston fared worse, with a rate of 60%.

This is just silly. Pretty much all the wireless networking companies out there bundle encryption tools with their products, from a $40 D-Link router on sale at Best Buy (BBY) to a multi-hundred-dollar corporate-level access point from Cisco (CSCO). But the features only work if you turn them on.

If you run a wireless network, and especially if you run a retail business, take 15 minutes to set the encryption and passwords on your network. The annoyance of doing so is nothing compared with the headache of telling your customers that someone stole their credit card numbers.