Friday, November 16, 2007

Study: Half of retailers' wireless data easy to hack

This study really highlights why it was such a disappointment to privacy protection advocates that the Governor bowed to money and pressure from the retail industry and vetoed Assemblyman Dave Jones' data security bill, AB 779, last month.

These new findings, in addition to the fact that the bill sailed through the legislature this year with near-unanimous support (which is almost unheard of!), signify that this issue is far from dead... and AB 779, or a version of it, will be back in 2008.

The Washington Post reports:

"AirDefense Inc., an Atlanta-based maker of security products for wireless data systems, found about 25 percent of the stores' 4,748 wireless access points were exchanging data with no encryption at all to foil electronic eavesdroppers. Another 25 percent were using an outdated encryption method called Wireless Equivalent Privacy that is easily cracked by thieves using widely available tools."


"You can drive down a street with a laptop and easily find wireless access points, and it does not require a great degree of sophistication," said Avivah Litan, a security analyst with Gartner Inc. "In technical circles, people talk about this all the time, but nobody ever puts it together broadly like this survey."


TJX said in March that at least 45.7 million cards were exposed, although recent court filings by banks suing TJX estimate than 100 million were. Canadian investigators concluded in September that TJX had failed to upgrade its encryption from the older WEP method by the time the eavesdropping began in July 2005.


AirDefense privately notified retailers when it found major security flaws, Rushing said. It is not disclosing the names of individual retailers to avoid drawing hackers' attention. Representatives for the National Retail Federation and credit card associations Visa and MasterCard declined comment.

Read the full Washington Post article here - and don't be surprised when this study re-emerges next year as more proof positive that Californians deserve increased protections of their private personal data - and greater accountability for those that are responsible for it being compromised.
