Many businesses run their own wireless infrastructures and many know well to protect it. But how do you know when it is time to use a stronger encryption algorithm to protect the data sent wirelessly?
Generally, there are two possibilities. One is to wait until hackers break into your network by exploiting the easy-to-break WEP encryption you have on your wireless network and as a result steak millions of customers’ credit card numbers and personal data. Example: the TJX story.
The second, and the better possibility, is to do it before your (or your client’s) organization is prominently featured in the Wall Street Journal. Example: the TJX story.
Here’s a short excerpt of what should make every IT director to think about switching from WEP to WPA or better.
Investigators found that TJX was using a weak encryption protocol to protect its consumer data in July 2005, when hackers first broke into its computer system. The protocol, known as Wired Equivalent Privacy, or WEP, isn’t recommended by securities experts even for wireless home networks because it is so vulnerable to hackers.
TJX decided to upgrade to a more secure Wi-Fi Protected Access encryption protocol at the end of September 2005, Canadian officials said. By then, however, hackers had been able to access the company’s internal transaction database. They did so initially from outside two stores in Miami, the probe found.
- TJX’s Security System Faulted in Canada Probe, Wall Street Journal, September 26, 2007.
This happened to me very recently. I applied to join a certain credit union. The credit union has a wonderful website and, as it should, it has an online application which seems secure enough. I filled out the necessary personal information and submitted my application over the SSL connection. Among the standard questions were few security questions such as mother’s maiden name, favorite teacher, and others. In response to my completed application, I received an email which also seemed to meet adequate financial institution information security and privacy requirements (e.g. no account numbers, login names, passwords, etc. being sent in plain text over email.)
Everything seemed fine. Until the next day when I received a phone call from an "unknown name/unknown number" phone. The lady on the other end identified very politely as X from the credit union, welcomed me to the union, and asked me whether I would be willing to talk with her briefly about my finanical needs and how the credit union may be able to help. This was nice customer service, I thought, and agreed to talk with her for a "couple of minutes." The next thing she asked me was whether I can verify the security information on my account and proceeded to ask me about my mother’s maiden name. The call ended shortly after this question and after I calmly tried to explain to X that asking such questions during an outbound phone call is not a good idea because anybody could, in theory, make this phone call and obtain my security information.
I went to the credit union’s website and was impressed by the thorough explanations they have on Internet security and in the effort they make to "teach" their customers not to respond to phishing emails asking for personal login or financial information. I am sure the credit union has a policy prohibiting outgoing emails from soliciting customers’ security information. But did anyone at the credit union think to put in place the same security policy for outgoing phone calls to customers? Apparently not.