Stop using WEP encryption!

Filed Under: Data loss

Say No to WEP wireless security

Anyone who pays close attention to the security headlines will be only too aware of the major security incident which hit major retailers such as TJ Maxx having millions of credit card details stolen from them.

As we have reported, hackers are accused of breaking into the stores' wireless networks to snatch the confidential information as it was transmitted across the air.

The Payment Card Industry (PCI) Security Standards Council has announced some changes to the data security standard that companies are advised to follow to reach a minimum level of protection of their customers' credit card information.

One of those amendments underlines the importance of no longer relying on WEP encryption to hide the critical data from the prying eyes of hackers, and instead using a stronger encryption standard such as Wi-Fi Protected Access (WPA and WPA2).

TJ Maxx and others are believed to have been encrypting their credit card transmissions, but using the weaker WEP technology which is frankly child's play for hackers to break.

The new rules prohibit the use of the WEP standard as any part of credit-card processing - for instance, sending card data from a store terminal to a server - after 30 June 2010, and prohibit any new system from being installed that uses WEP after 31 March 2009.

Frankly, the sooner the better.

Another change in the PCI standard is that it makes clearer that it's not just Windows computers involved with card processing that are required to run anti-virus software - all operating systems should be secured with protection against malware. I think this is a sensible clarification - even though Windows attacks dominate the landscape, there is the danger that users of alternative OSes believe that they are somehow magically immune from threats.

If you run a company that handles credit cards then you should be careful to realise that PCI compliance is not a goal to aspire to, and achieving it doesn't mean that your firm is necessarily secure. The best organisations will actually aspire to go further than PCI compliance to reduce the chances of having data on their customers compromised by the criminal underworld.

Further information:

,

You might like

About the author

Graham Cluley is an award-winning security blogger, and veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.