Stop using WEP encryption!

Say No to WEP wireless security

Anyone who pays close attention to the security headlines will be only too aware of the major security incident which hit major retailers such as TJ Maxx having millions of credit card details stolen from them.

As we have reported, hackers are accused of breaking into the stores’ wireless networks to snatch the confidential information as it was transmitted across the air.

The Payment Card Industry (PCI) Security Standards Council has announced some changes to the data security standard that companies are advised to follow to reach a minimum level of protection of their customers’ credit card information.

Sign up to our free newsletter.
Security news, advice, and tips.

One of those amendments underlines the importance of no longer relying on WEP encryption to hide the critical data from the prying eyes of hackers, and instead using a stronger encryption standard such as Wi-Fi Protected Access (WPA and WPA2).

TJ Maxx and others are believed to have been encrypting their credit card transmissions, but using the weaker WEP technology which is frankly child’s play for hackers to break.

The new rules prohibit the use of the WEP standard as any part of credit-card processing – for instance, sending card data from a store terminal to a server – after 30 June 2010, and prohibit any new system from being installed that uses WEP after 31 March 2009.

Frankly, the sooner the better.

Another change in the PCI standard is that it makes clearer that it’s not just Windows computers involved with card processing that are required to run anti-virus software – all operating systems should be secured with protection against malware. I think this is a sensible clarification – even though Windows attacks dominate the landscape, there is the danger that users of alternative OSes believe that they are somehow magically immune from threats.

If you run a company that handles credit cards then you should be careful to realise that PCI compliance is not a goal to aspire to, and achieving it doesn’t mean that your firm is necessarily secure. The best organisations will actually aspire to go further than PCI compliance to reduce the chances of having data on their customers compromised by the criminal underworld.

Further information:

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.