
August 30, 2008 2:52:27 AM CDT


Undercover Survey of 3,045 Stores Claims to Find Major Wireless Security Gaps at Half

By MARK JEWELL | Associated Press | Nov 16, 07 12:27 AM CST in Technology 

Half of more than 3,000 retail stores that a wireless security company secretly monitored at major shopping areas in the U.S. and Europe use wireless data systems vulnerable to hacking, the company said Thursday.

The data that stores routinely transmit on wireless networks include credit card and Social Security numbers and other sensitive customer information.

AirDefense Inc., an Atlanta-based maker of security products for wireless data systems, found that about 25 percent of the stores' 4,748 wireless access points were exchanging data with no encryption at all to foil electronic eavesdroppers.

Another 25 percent were using an outdated encryption method called Wireless Equivalent Privacy that is easily cracked by thieves using widely available tools.

The remaining half of the access points, the connections between wireless devices and computer networks, were using newer encryption methods that are considered far harder to crack.

"You can drive down a street with a laptop and easily find wireless access points, and it does not require a great degree of sophistication," said Avivah Litan, a security analyst with Gartner Inc. "In technical circles, people talk about this all the time, but nobody ever puts it together broadly like this survey."

Litan, who does not work with AirDefense, said she was familiar with its findings. She called them significant and said the survey of 3,045 stores was the largest involving retailers she is familiar with.

The six-week undercover project (conducted at shopping areas in Atlanta, Boston, Chicago, Los Angeles, New York, San Francisco, London and Paris) attempted to expose security holes in wireless networks that are increasingly used to transmit data inside stores.

Wireless systems are believed to have been the entry points for recent large-scale data thefts at retailers, including a massive heist at discount retailer TJX Cos.

TJX said in March that at least 45.7 million cards were exposed, although recent court filings by banks suing TJX estimate than 100 million were. Canadian investigators concluded in September that TJX had failed to upgrade its encryption from the older WEP method by the time the eavesdropping began in July 2005.

"The bad guys are going to go for the low-hanging fruit, and that's the wireless networks," said Richard Rushing, AirDefense's chief security officer and manager of the survey project.

Credit card industry reports on merchants' compliance with data security standards give higher marks than AirDefense. But Litan said many security auditors miss some devices connected wirelessly to retail data systems, or the devices are added later.

Lars Laven, co-founder of another wireless security firm called Columbitech that is not involved in AirDefense's study, said his company "can confirm that there are numerous security holes in retail.

"This survey provides only the tip of the iceberg to a much larger security problem," Laven said.

AirDefense privately notified retailers when it found major security flaws, Rushing said. It is not disclosing the names of individual retailers to avoid drawing hackers' attention.

Representatives for the National Retail Federation and credit card associations Visa and MasterCard declined comment.

A spokesman for the credit card industry organization that sets payment security standards said wireless safeguards are key.

"We are working closely with retailers to identify and mitigate issues related to wireless technologies in payment environments and evolve the security of this technology," said Bob Russo, general manager of the PCI Security Standards Council.

Visa Inc. said Oct. 24 that 65 percent of the largest U.S. merchants were in compliance with the latest card industry security standards, which include encryption requirements and other security measures. That's up from 36 percent at the end of last year.

AirDefense's Rushing said he and two other AirDefense employees fanned out over six weeks starting in September to such retail districts as New York's Madison Avenue, London's Piccadilly Circus and Rodeo Drive in Los Angeles's Beverly Hills.

While the 3,045 retail outlets surveyed included many large, high-end stores, they also included smaller merchants, Rushing said.

The survey included locations of 51 of the 100 largest U.S. retail chains, he said.

The surveyors carried backpacks containing laptop computers with 4-inch-long radio signal-intercepting antennae. After walking through the stores, they downloaded the information the laptops had gathered and examined the data for security holes using tools that unscramble encrypted data.


Copyright 2008 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.
