PCI DSS -- The Retail POS Mandate for WirelessWall

Introduction

TLC-Chamonix, LLC today unveiled its WirelesWall POS Architecture for XPe wireless Point of Sale Terminals. It achieves PCI DSS compliance by combining AES encryption, firewall and end-to-end security in a standards compliant software solution. It allows replacement of WEP without having to disturb existing networks or POS terminals (including Fujitsu TeamPoS terminals).

WirelessWall is a unique, encrypting firewall that leaves the network infrastructure fully intact while providing a transparent instant upgrade to WPA2-Enterprise level security, allowing business applications and operations to continue undisturbed. It gives peace of mind from better security, compliance, and loss prevention, while avoiding the cost of new equipment, new leases and downtime.

Industry Initiative

Faced with the prospect of billions of dollars in losses and lawsuit settlements, the retail industry is finally taking serious measures at self-regulation to protect merchants and consumers from wireless security breaches. Consider:

• 2009 TJX, the parent company of TJ Maxx, Marshalls and other retailers, paid a $9.8M settlement to 41 states after a $40.9M settlement to Visa for wireless POS breaches. It absorbed over $135 million loss from its 2007 incidents alone.

• 2008 breaches identified by the Identity Theft Resource Center-breaches totaled 449 with over 22 million records exposed. (That’s more than all breaches in 2007 and the individual record count is climbing and will exceed 2207 as well)

• 2007 breaches totaled 448 paper and electronic breaches with 127 million records exposed.

• 2006 breaches totaled 315 affecting nearly 20 million individuals.

• 2005 breaches totaled 158 affecting more than 64.8 million people.

The Payment Card Industry (PCI) is a consortium of worldwide credit card companies (Visa, Mastercard, American Express, Discover and JCB International). To confront and mitigate these mounting losses, and faced with imminent regulation by state and federal agencies plus penalties for violating existing privacy laws, they formed a Security Standards Counsel which implemented a Data Security Standard (PCI DSS) to preemptively control the problem.

PCI DSS – A New World Order

The latest edition of the standard mandates improved wireless security practices and drops the broken Wired Equivalency Protocol (WEP) as an approved method, in favor of protocols using strong encryption such as AES. See: PCI DSS 1.2

PCI DSS is not merely a set of recommendations -- non-compliance is not an option. It is a contractual obligation which demands all retail merchants big and small to comply as a condition of being allowed to continue processing credit cards and consumer information via electronic Point of Sale (POS) terminals or other wireless method.

According to mandate, retailers may not implement new wireless payment systems that use WEP after March 31, 2009. For those that already have wireless payment systems in place, they must stop using WEP for security as of June 30, 2010.

Impact Assessment

Naturally, this has enormous significance to operations and the bottom line of retailers. Perhaps just as great is the cost to POS terminal vendors, who have a large inventory of WEP-only wireless terminals that are often leased to merchants. They stand to lose considerable sums replacing or retrofitting equipment at costs which cannot easily be passed on to merchants, especially in a bad recession.

In these difficult times, vendors and merchants alike need a lower cost, easy to deploy solution that scales from small business to large enterprises with least impact.

WEP Dominates

The mandate bans the use of WEP, but it still dominates and others like WPA2 are poorly adopted. An Airtight 2009 Financial Districts Survey of 3,632 access points in major cities found half were Open or used WEP security. It concluded:

• Everybody who knows security knows WEP is broken, but it still dominates.
• Some used WPA, which had a crack demonstrated in Tokyo in 2008.
• Others hide SSIDs which doesn't protect traffic captured by wireless sniffers.
• 39% were “enterprise” APs (corporate HQs, offices, etc.)
• Only 11% used WPA2

Even worse than this news is that of the tiny few organizations using WPA2, almost all have implemented pre-shared keys (WPA2-PSK) which has well known dictionary cracks, like CoWPAtty that can crack it in seconds – in many ways, making it worse than WEP.

Why Fix Something that Isn’t Broken?

The abysmal failure of WPA2 to gain widespread adoption has not prompted the industry to question why (almost) no one is using it. Serious debate and changes in the telecommunications industry to adopt better technology and new standards will be needed before WEP is entirely eliminated.

WEP is still pervasive in large part because wireless equipment manufacturers and industry groups failed to take decisive action to totally replace it and continue to manufacture equipment that supports it. WPA2 is still a security configuration option (and alphabetically WEP is first in most lists). Many users are simply unaware of the difference.

There is also the reluctance to switch from existing protocols until there is an incident that demands it. This translates to the maxim: Why fix something that isn’t broken? Unfortunately, this common sense rule can be very costly when applied to security. WEP is broken, but most users don’t know it. The feeling is that if WEP weren’t “good enough”, why would the protocol still be supported by network equipment?

Consumer awareness is one aspect. Even among the technically knowledgeable, there is little appreciation of the distinction between WPA, WPA2-PSK and the only truly strong protocols: WPA2-Enterprise. All others suffer risk of Man-In-The-Middle attacks, brute-force guessing, or key exchange compromises. The dictionary vulnerability risk of WPA2-PSK can be more vulnerable than WEP.

WPA2-Enterprise is the best solution, but many businesses just don’t have back-end RADIUS authentication and LDAP identity management servers or IT with the level of knowledge required to use them, so they accept the risk

The WirelessWall Architecture

The award winning WirelessWall is a government certified (FIPS 140-2) wireless security suite used by the military and DOE. Renown for its investment protection value, WirelessWall adds WPA2-Enterprise grade protection to the current network as a software-only solution instead of replacing legacy wireless hardware and firmware. The DoD 8100-2 directive is mandate for federal and state governments to provide standards based end-to-end strong security. WirelessWall satisfies this directive and was assessed by the Joint Interoperability Testing Center (JITC) for use by Coalition Forces. This high level of protection is now being used to benefit the private sector and retail to eliminate hacking or sniffing end-to-end.

Even if terminals and WiFi gear only support WEP or no security at all, it adds a layer of strong encryption without any reconfiguration. Because it bundles WiFi AES encryption with RADIUS, LDAP and Firewall Policies all in one package, it is simpler to deploy and administer, and more cost effective than having those in a separate back-end (although it will support external services if needed). WirelessWall supports all wireless gear: all 802.11 protocols, WiMax 802.16e, Mesh and 4G. Using WirelessWall gives you everything for a fraction of the cost and none of the inconvenience of alternatives.

Contact: TLC-Chamonix, LLC

120 Village Square Suite
11 Orinda , CA 94563, USA
Phone : +1-877-479-4500
E-Mail:info@tlc-chamonix.com
http://wirelesswall.com/

Why (not) 11i?

A few years ago, the 802.11i draft standard was touted as the solution to secure wireless and make up for the weaknesses of WEP or some of the proprietary protocols like LEAP. Indeed, the 802.11i standard did present a solution called Robust Secure Network (RSN) in addition to weaker levels to accommodate industry transition and "good enough" security for personal/home use.

Fast forward to today. Enterprise mobility and a remote workforce is common. It's an understatement to say the security perimeter is longer. With the coming WiMax revolution, the perimeter can be measured in miles. The 802.11i draft became the 802.11-2007 standard. The need for RSN as the only security level is greater than ever.

Even though the RSN calls for WPA2-Enterprise, most deployments use WPA2-Personal that allows for pre-shared keys (PSK). The resulting encryption can be strong, but the key is vulnerable to dictionary attacks (like CoWPAtty) so it could be guessed. It also doesn't provide end-to-end protection to the datacenter. The "keys are in the ignition" with the 802.11-2007 standard because it does not allow the topography where the Access Point is not the holder of the key material. The CAPWAP standard proposed this "Split MAC" model that made it possible to handle encryption at the datacenter, but this is still a long way from ratification.

In summary, if we ask why not 11i or why not WPA2, the answers are:

• WPA2 is usually deployed as the weaker WPA2-PSK.
  
• WPA2 in all forms leaves the "keys in the ignition" for Access Point vulnerability.
• WPA2 does not provide end-to-end encryption -- the back-door is open.
  
• WPA2 does not avoid the "weakest link" syndrome of non-uniform security across the enterprise.
• Many client machines still don't support WPA2, which can result in allowing pockets of weakness, or costly replacement of user devices if they aren't commodity PCs.
• WPA2-Enterprise is (very) difficult to implement across Mesh networks.
• Cost of upgrading the wireless infrastructure to WPA2 can be high.
  

The use of WirelessWall solves every one of the above problems to make a certified strong, uniform blanket of security and keeps costs down by protecting the investment in existing wireless assets.

Where's Your End-Point?

Modern wireless networks are fielded with security without thought to where the security ends. Typical 802.11 access points secure the 300-foot or so space between the station and the Access Point (AP). This is fine for a Home network with an AP or router only a few feet away, but inadequate for an enterprise or corporate network where the larger wired or wireless gap to the data center can span floors in a building, or between facilities. If WiMAX or long-haul bridges and repeaters are used (as in Mesh Networks), the distance can be many miles/km. This leaves a huge backdoor that can be sniffed or tapped. This weakness has now made headlines and the risks have been shown to directly translate to major financial cost in the billions due from theft and privacy loss.

To be really secure, encryption should originate from the Datacenter, not each AP. This way, the AP is just a passthrough and can be set to open mode and still pass the encrypted traffic end-to-end, regardless of distance. The WirelessWall software from TLC-Chamonix, LLC is both the cheapest solution and the most secure, since it makes any existing wireless infrastructure sniffer-proof with no new capital equipment.

Access Points: An Open Back Door

Every Access Point on the market is vulnerable because even though encrypted information may go out, unencrypted information goes in. The flawed assumption is that the wire going into the AP is trusted. This makes it easy to tap, sniff or spoof.

Today's standards for WPA2 (Personal or Enterprise) perpetuate the exposure by requiring key material or RADIUS passwords to be stored on the AP itself. This is a vulnerability for AP hacking -- either physical (opening up the AP) or by gaining wireless access to the AP administrative channel and getting Pre-Shared Keys or RADIUS shared secrets). The AP could then spoof the backend or be reprogrammed to broadcast traffic in the clear on another channel. This is particularly true of the Atheros Multiband chipsets that can support many "virtual" APs.

Access and firewall policies are not centralized or standard between AP vendors. These must be replicated on each AP whenever the policy changes, adding to cost and complexity of administration, which means they are less likely to be changed often even though that would strengthen security. Various remote management schemes add another dimension to the exposure.

Centralized Security Management offers the advantage of keeping key material and 802.1X authenticator passwords at the Datacenter rather than on APs at the edge of the security envelope. This model is reflected in the "Split-AP" model in the upcoming IETF CAPWAP standards and used by WirelessWall. It keeps the APs blind to all security profiles.

In summary, WirelessWall is recommended because it follows the CAPWAP Taxonomy guidelines for a Split-AP mode. CAPWAP is a future standard that is not yet ratified and years away from market. WirelessWall provides comparable security-model functionality today as a FIPS 140-2 software solution using AES-CCMP Layer 2 encryption, 802.1X and EAP-TTLS with mutual authentication. It is smart security to keep APs "dumb" -- administrators have less to worry about because they don't expose the data center to compromise at every AP location.

Wireless Warning

T.J. Maxx Data Theft Likely Due To Wireless 'Wardriving'

[article]

You've read the headlines. A small ring of hackers using wireless sniffers stole 45 million credit cards from a single chain resulting in LOSSES IN THE BILLIONS. This should put retailers and any organization using WiFi on notice. That underscores how vulnerable WiFi really is and the stakes. DON'T LET THIS HAPPEN TO YOU.

What many don't know is that EVERY ACCESS POINT ON THE MARKET TODAY IS VULNERABLE AND IMPOSSIBLE TO SECURE. 802.11i (WPA2) was supposed to solve the weaknesses in earlier encryption (WEP). IT DOES NOT. Stronger encryption alone is not enough.

Access Points truly are impossible to secure because of the flawed assumption in the industry that the wire going in is trusted and unencrypted. While acceptable for home wireless, too many organizations have a security perimeter that is a lot farther than a router a few feet from their computers. Access Points used in business and government are often on a different floor, or a different building on campus, and can be connected to the datacenter on a LAN, or worse, by wireless repeaters and bridges that may have poor or no security. Miles of vulneraility and exposure to physical tapping, interception or sniffing.

WirelessWall treats the AP as a conduit, it encrypts all traffic at Layer 2 before it goes into the AP, and it is only decrypted by the trusted user at the end-point. Because it is Layer 2, EVERYTHING above it is secure, without relying on elective, weak or slow application security at Layer 3 or above.

If you're serious about Loss Prevention, choose WirelessWall.