The widespread acceptance of Wireless Local Area Networks is a money maker for the e-commerce market. Not only has the Small Office/Home Office (SOHO) been a welcomed market for the manufacturers of wireless devices (Cisco/Linksys), the acceptance of wireless networking is saving these markets millions of dollars. Organizations are reaping profits in the region of billions of dollars in cost and productivity savings. The customer base is generally unquestioning and accepting, or at times even unaware of the presence of these technologies. One only has to venture into a Target, BestBuy, or Macys to be exposed to the transparent use of Wi-Fi.

Marketing is a remarkable skill. With the recent stampeding of a store attendant in a New York store, I'm in awe of the magnificence of marketers. Only an earthshaking advertising campaign could possibly entice a shopper to fall in line thousands deep to purchase a new toy. This, in a winter chill that is almost anti-human. Oh the brilliance of marketing. The everyday shopper follows the routine of choosing the item and forking over the plastic. Very few are aware of WLAN compliance requirements for wireless networks. Not many question the secure handling of their confidential information. Analysts from organizations like the Gartner Group and Frost & Sullivan Research have posted numerous articles that are meant to educate the customer. I salute them for their in-depth work. The question though remains, "How many shoppers would read a technical article?" Should one expect the everyday shopper to understand PCI, Sarbanes-Oxley or WLAN security best practices? I hear your answer. A resounding NO! Neither should one anticipate a memo from the large retail outlets identifying their due care or due diligence in protecting your confidential information.

Some may ask, "What does that have to do with me?" The answer is everything. In our advanced shopping society, technology, though unnoticed, is at the forefront. We have become used to technology that is pushed on us without any great introduction. Most of us are leaving our data safety in the hands of organizations who at times do not take the necessary precautions to create a safe shopping environment. Questions are rarely asked. Who would have thought that a certain franchise's wireless network was so open that we were safer leaving our credit cards in the shopping cart than presenting them to the cashier? Does the customer need to know that despite all the brouhaha, wireless networks are not as secure as wired networks? The government mandates legislation for organizations using wireless networks.

I beg to include here excerpts of an article I read that brings to the forefront the dismal task of providing security to the customer.

When thieves stole the PIN pads at a cash register in one of his company's stores, Daniel Marcotte was amazed. Not that they'd done it -- such thefts can happen once a week during the holiday season. But watching it on videotape later, "I couldn't tell they had it with them when they left" the store, says Marcotte, director of systems and data security at La Senza, a Montreal retailer now owned by The Limited. A couple of hours later, the thieves were back. They'd doctored the PIN pads to let them get customer card data. They got them back onto the point-of-sale system quickly, too. But here's where La Senza's security precautions kicked in: Its PIN pads in effect have their own Media Access Control address, and once they're disconnected, that address is no longer available. So the thieves were foiled -- this time.

What you are reading here is an attack on a Point of Sale system. These systems normally comprise the cash register, the bar code scanner, Wi-Fi access, the in-store voice or IP network and the store inventory management system. The everyday customer is vigilant of the thief who physically walks into the outlet. Very few are aware of the tech-savvy culprit. These are the invisible bitheads who have compromised these systems for monetary gain. The targets are the uninformed, non-questioning shoppers with no knowledge of Wi-Fi vulnerabilities. According to one Mr. Keith Aubele, the former loss prevention executive at Wal-Mart and Home Depot, these systems are "incredibly easy to bypass."

Holiday cashiering is noticeably a seasonal job. A problem exists with this phenomenon. It is called under-ringing or sweet-hearting. In this scheme the unscrupulous cashier does not scan all the items presented. This, however, affects the retail outlet. Their loss. Now we address the customer. Point-of-sale technology was not designed to capture customer data. These technologies were designed for tracking purposes, but retailers now use them to capture customer data. Alert! Huge management/security issue! The customer is now left at the mercy of the mitigation steps taken by the retailer. Some organizations are managing numerous locations. Most outlets are using known vulnerable systems with a hope-and-pray approach. In Europe, where e-commerce has caught on quicker than in other world regions, they use a technology known as chip-and-PIN for credit cards. From the outlet's point of view, the cost of upgrading to this technology is not feasible. These point of sale terminals are mostly not understood by the retailers who use them; most are not aware of the information collected by their systems.

Some of these outlets are presently using WEP (Wired Equivalent Privacy) as the encryption of choice. To the knowledgeable attacker this is an invitation. Now back to the customer. What guarantee do we have that our data is protected? Card companies like Visa and Mastercard are trying to pressure retailers to comply with PCI (Payment Card Industry) security standards. We all know that this will be avoided if it costs too much to implement. There has been a promise from Visa to implement fines against non-compliant retailers. I read a disturbing report that the forecast for POS is dismal. The highly respected Gartner Group predicts that by 2009, most attacks against retailers would be through the POS. They further stated that merely 30% of POS software will be compliant.

I remember that old Captain and Tennille song, "You better shop around."
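The La Senza excerpt above describes one concrete control: a PIN pad is known to the POS network by its MAC address, and once the pad is unplugged that address stops being accepted, so a pad that leaves the store and comes back doctored cannot simply rejoin. What follows is an added illustration, not code from the article, from La Senza, or from any POS vendor: a small Python registry that tracks pad state, revokes a pad's MAC on disconnect, refuses a returning or never-enrolled device, and raises an alert for the store's security staff each time. The log format, MAC addresses, lane names and the `PadRegistry` class are all constructed for the example. One caveat a practitioner should keep in mind: a MAC address is trivially cloned, so this check works as a tamper tripwire that forces a human re-enrolment step, not as a substitute for cryptographic authentication of the pad itself.

```python
# Added example (not from the article or La Senza): a model of the
# "disconnected pad loses its MAC address" control from the excerpt.
from dataclasses import dataclass, field
from enum import Enum


class PadState(Enum):
    ENROLLED = "enrolled"   # known pad, trusted to join the POS network
    REVOKED = "revoked"     # pad was unplugged; its MAC is no longer trusted


def norm_mac(mac: str) -> str:
    """Normalise 'AA-BB-..' / 'aa:bb:..' spellings so lookups do not miss."""
    return mac.strip().lower().replace("-", ":")


@dataclass
class PadRegistry:
    pads: dict = field(default_factory=dict)    # MAC -> PadState
    alerts: list = field(default_factory=list)  # events for loss-prevention staff

    def enroll(self, mac: str, operator: str) -> None:
        """Only a named operator (re-)enrols a pad; a pad never enrols itself."""
        mac = norm_mac(mac)
        self.pads[mac] = PadState.ENROLLED
        self.alerts.append(f"pad {mac} enrolled by {operator}")

    def on_event(self, line: str) -> bool:
        """Handle one constructed log line 'HH:MM:SS event mac lane'.
        Returns True only when a connect is accepted."""
        ts, event, mac, lane = line.split()
        mac = norm_mac(mac)
        state = self.pads.get(mac)
        if event == "disconnect":
            # The moment an enrolled pad drops off, its MAC stops being trusted.
            if state is PadState.ENROLLED:
                self.pads[mac] = PadState.REVOKED
                self.alerts.append(f"{ts} pad {mac} unplugged at {lane}; MAC revoked")
            return False
        if event == "connect":
            if state is PadState.ENROLLED:
                return True
            if state is PadState.REVOKED:
                self.alerts.append(
                    f"{ts} REJECT {mac} at {lane}: returned after removal, needs re-enrolment")
            else:
                self.alerts.append(f"{ts} REJECT {mac} at {lane}: never enrolled")
            return False
        raise ValueError(f"unknown event {event!r}")


# Constructed sample log; not real store data.
SAMPLE_LOG = [
    "09:00:01 connect 00:11:22:33:44:55 lane1",     # pad joins at opening
    "13:10:07 disconnect 00:11:22:33:44:55 lane1",  # pad walks out the door
    "15:22:40 connect 00:11:22:33:44:55 lane1",     # same pad comes back
    "15:23:02 connect AA-BB-CC-DD-EE-FF lane2",     # device nobody enrolled
]


def process_log(registry: PadRegistry, lines) -> list:
    """Feed log lines through the registry; one accept/reject decision per line."""
    return [registry.on_event(line) for line in lines]


def demo():
    reg = PadRegistry()
    reg.enroll("00:11:22:33:44:55", operator="store-manager")
    decisions = process_log(reg, SAMPLE_LOG)
    # Only after a person inspects the pad and re-enrols it may it rejoin.
    reg.enroll("00:11:22:33:44:55", operator="store-manager")
    rejoined = reg.on_event("16:00:00 connect 00:11:22:33:44:55 lane1")
    return decisions, rejoined, reg.alerts


if __name__ == "__main__":
    decisions, rejoined, alerts = demo()
    print(decisions, rejoined)
    print("\n".join(alerts))
```

Running `demo()` yields one accept for the morning connect, rejections for the pad that returns after being unplugged and for the unknown device, and an accept again only once an operator has re-enrolled the pad; every rejection and revocation leaves an alert line that a store or SOC could act on.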