Introduction
TLC-Chamonix, LLC today unveiled its WirelesWall POS Architecture for XPe wireless Point of Sale Terminals. It achieves PCI DSS compliance by combining AES encryption, firewall and end-to-end security in a standards compliant software solution. It allows replacement of WEP without having to disturb existing networks or POS terminals (including Fujitsu TeamPoS terminals).
WirelessWall is a unique, encrypting firewall that leaves the network infrastructure fully intact while providing a transparent instant upgrade to WPA2-Enterprise level security, allowing business applications and operations to continue undisturbed. It gives peace of mind from better security, compliance, and loss prevention, while avoiding the cost of new equipment, new leases and downtime.
Industry Initiative
Faced with the prospect of billions of dollars in losses and lawsuit settlements, the retail industry is finally taking serious measures at self-regulation to protect merchants and consumers from wireless security breaches. Consider:
- 2009 TJX, the parent company of TJ Maxx, Marshalls and other retailers, paid a $9.8M settlement to 41 states after a $40.9M settlement to Visa for wireless POS breaches. It absorbed over $135 million loss from its 2007 incidents alone.
- 2008 breaches identified by the Identity Theft Resource Center-breaches totaled 449 with over 22 million records exposed. (That’s more than all breaches in 2007 and the individual record count is climbing and will exceed 2207 as well)
- 2007 breaches totaled 448 paper and electronic breaches with 127 million records exposed.
- 2006 breaches totaled 315 affecting nearly 20 million individuals.
- 2005 breaches totaled 158 affecting more than 64.8 million people.
The Payment Card Industry (PCI) is a consortium of worldwide credit card companies (Visa, Mastercard, American Express, Discover and JCB International). To confront and mitigate these mounting losses, and faced with imminent regulation by state and federal agencies plus penalties for violating existing privacy laws, they formed a Security Standards Counsel which implemented a Data Security Standard (PCI DSS) to preemptively control the problem.
PCI DSS – A
The latest edition of the standard mandates improved wireless security practices and drops the broken Wired Equivalency Protocol (WEP) as an approved method, in favor of protocols using strong encryption such as AES. See: PCI DSS 1.2
PCI DSS is not merely a set of recommendations -- non-compliance is not an option. It is a contractual obligation which demands all retail merchants big and small to comply as a condition of being allowed to continue processing credit cards and consumer information via electronic Point of Sale (POS) terminals or other wireless method.
According to mandate, retailers may not implement new wireless payment systems that use WEP after March 31, 2009. For those that already have wireless payment systems in place, they must stop using WEP for security as of June 30, 2010.
Impact Assessment
Naturally, this has enormous significance to operations and the bottom line of retailers. Perhaps just as great is the cost to POS terminal vendors, who have a large inventory of WEP-only wireless terminals that are often leased to merchants. They stand to lose considerable sums replacing or retrofitting equipment at costs which cannot easily be passed on to merchants, especially in a bad recession.
In these difficult times, vendors and merchants alike need a lower cost, easy to deploy solution that scales from small business to large enterprises with least impact.
WEP Dominates
The mandate bans the use of WEP, but it still dominates and others like WPA2 are poorly adopted. An Airtight 2009 Financial Districts Survey of 3,632 access points in major cities found half were Open or used WEP security. It concluded:
- Everybody who knows security knows WEP is broken, but it still dominates.
- Some used WPA, which had a crack demonstrated in
- Others hide SSIDs which doesn't protect traffic captured by wireless sniffers.
- 39% were “enterprise” APs (corporate HQs, offices, etc.)
- Only 11% used WPA2
Even worse than this news is that of the tiny few organizations using WPA2, almost all have implemented pre-shared keys (WPA2-PSK) which has well known dictionary cracks, like CoWPAtty that can crack it in seconds – in many ways, making it worse than WEP.
Why Fix Something that Isn’t Broken?
The abysmal failure of WPA2 to gain widespread adoption has not prompted the industry to question why (almost) no one is using it. Serious debate and changes in the telecommunications industry to adopt better technology and new standards will be needed before WEP is entirely eliminated.
WEP is still pervasive in large part because wireless equipment manufacturers and industry groups failed to take decisive action to totally replace it and continue to manufacture equipment that supports it. WPA2 is still a security configuration option (and alphabetically WEP is first in most lists). Many users are simply unaware of the difference.
There is also the reluctance to switch from existing protocols until there is an incident that demands it. This translates to the maxim: Why fix something that isn’t broken? Unfortunately, this common sense rule can be very costly when applied to security. WEP is broken, but most users don’t know it. The feeling is that if WEP weren’t “good enough”, why would the protocol still be supported by network equipment?
Consumer awareness is one aspect. Even among the technically knowledgeable, there is little appreciation of the distinction between WPA, WPA2-PSK and the only truly strong protocols: WPA2-Enterprise. All others suffer risk of Man-In-The-Middle attacks, brute-force guessing, or key exchange compromises. The dictionary vulnerability risk of WPA2-PSK can be more vulnerable than WEP.
WPA2-Enterprise is the best solution, but many businesses just don’t have back-end RADIUS authentication and LDAP identity management servers or IT with the level of knowledge required to use them, so they accept the risk
The WirelessWall Architecture
The award winning WirelessWall is a government certified (FIPS 140-2) wireless security suite used by the military and DOE. Renown for its investment protection value, WirelessWall adds WPA2-Enterprise grade protection to the current network as a software-only solution instead of replacing legacy wireless hardware and firmware. The DoD 8100-2 directive is mandate for federal and state governments to provide standards based end-to-end strong security. WirelessWall satisfies this directive and was assessed by the Joint Interoperability Testing Center (JITC) for use by Coalition Forces. This high level of protection is now being used to benefit the private sector and retail to eliminate hacking or sniffing end-to-end.
Even if terminals and WiFi gear only support WEP or no security at all, it adds a layer of strong encryption without any reconfiguration. Because it bundles WiFi AES encryption with RADIUS, LDAP and Firewall Policies all in one package, it is simpler to deploy and administer, and more cost effective than having those in a separate back-end (although it will support external services if needed). WirelessWall supports all wireless gear: all 802.11 protocols, WiMax 802.16e, Mesh and 4G. Using WirelessWall gives you everything for a fraction of the cost and none of the inconvenience of alternatives.
Contact: TLC-Chamonix, LLC
11
Phone : +1-877-479-4500
E-Mail:info@tlc-chamonix.com
http://wirelesswall.com/
Posts
