The Dumbest Wireless Security Errors

For years, chief security officers have viewed wireless security as a contradiction-in-terms punchline. But with PCI rules clamping down and cyberthieves sniffing around for whatever holes they can find, wireless security has stopped being funny. Still, either through ignorance or carelessness, many retailers have been caught doing some pretty ridiculous things when deploying wireless security.

From a gas-station chain that tested security by calling the attendants to ask if rogue devices were attached to a grocery chain that tried to scare off hackers by using extra-long SSIDs, this week's StorefrontBacktalk podcast on security looks at the most absurd retail wireless security efforts.

In one case, a department store chain with 500 locations hired eight people to travel to more than 10 states and manually scan its Wi-Fi networks. "They bought some scanning software, bought eight netbooks and had some algorithm to work out how they were going to cover this many locations," said one wireless security auditor. "They simply were trying to rush to meet a compensating control. The bank had given them a deadline of January 1 of this year, so they definitely took the shortest route to get that checkbox."

But the retailer didn't factor in travel expenses and employee days off--or the fact that it would take weeks just to compile the data from the whirlwind tour. Worse still, most of the stores were in urban areas where the wireless airspace was cluttered with SSIDs and client signals. "To figure out what was actually on the network was nearly impossible," the auditor said. "For whatever money they spent to get the checkbox, they got probably zero benefit from it."

To listen to the first of two StorefrontBacktalk podcasts on worst practices in wireless security, please click here.