Welcome!

Wireless Authors: John Savageau, Jennifer Rung, Greg Ness, Pat Romanski, Bruce Johnston

Related Topics: Wireless

Wireless: Article

Breaching Wireless Networks

Wireless Point-of-Sale: The New Target
By Ryan Sherstobitoff
Article Rating:
September 2, 2008 02:30 PM EDT
Reads:
 2,115

Wireless networks and endpoints offer convenience and connectivity, but unless properly secured, they also offer a means of egress into the network. As evidenced by recent headlines surrounding undiscovered data breaches and subsequent public exposure, hackers have begun to turn their eye toward breaching wireless networks and taking advantage of the many weaknesses incumbent. At the same time, we continue to see a trend toward stealing cardholder information from retailers such as TJ Maxx and Hannaford Brothers. According to a recent study conducted by the Verizon Business Risk Team, 84 percent of the data compromised in documented breaches pertained to cardholder information. [1]

The use of mobile networks is not an uncommon way of providing access for employees throughout a corporate campus. However, these networks come with several often-ignored dangers, including the exploitation of WEP (Wired Equivalent Privacy) and access points being deployed with minimal security measures.

If not properly mitigated, these vulnerabilities can eventually result in the exposure of private information as well as compliance violations if an exposure were to occur through one of those vulnerabilities.

The Target: Wireless Point-of-Sale (POS)
From an architectural perspective, a POS system runs an operating system (see Figure 1), likely a version of Windows or Linux designed to limit functionality - meaning not all O/S functions are available to the logged-in user. These devices are physically divided into two different components:

  • Card Reader: A system that reads the card as it is swiped.
  • Transaction Unit: A system that sends the card information to an authorization source.

The POS system is the primary hub between the store and the internal branch servers and is usually part of a collection of networked POS endpoints located at checkout stands. The information read at the POS via the above components will be sent to an authorization source (e.g., Amex) through the transaction unit that in some cases is integrated together with a magnetic card reader, such as a Verifone device.

In addition, the payment information that is read at the POS when making a purchase may be sent over the network to a branch server to collect information for auditing purposes.

Normally the information sent between the retailer and the authorization source will use strong encryption to protect the information. However, network security between the POS and the internal branch servers may or may not be encrypted depending on the configuration.

Published September 2, 2008 – Reads 2,115
Copyright © 2008 SYS-CON Media, Inc. — All Rights Reserved.
Syndicated stories and blog feeds, all rights reserved by the author.

More Stories By Ryan Sherstobitoff

Ryan Sherstobitoff is the Chief Corporate Evangelist at Panda Security USA (www.pandasecurity.com). He is widely recognized as a security expert throughout the country and lectures audiences across the U.S. on cybercrime trends as well as corporate risk assessments. He can be reached at ryans@us.pandasecurity.com or through the PandaLabs blog at http://pandalabs.pandasecurity.com/.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.