UK's lax wireless security threatens TJX-style hack
UK shoppers' credit-card details could be at risk from the same wireless hack technique that snared more than 40 million people's details in the US, according to security experts.
Security at hundreds of medium-sized retailers is not fully checked to ensure financial details cannot be accessed through insecure wireless networks, the experts claimed.
The claim comes in the wake of US authorities charging 11 people in connection with the country's largest-ever identity-theft case, alleged to have been carried out by the defendants driving around in search of wireless networks susceptible to hacking — so-called 'wardriving'.
The defendants are accused of stealing more than 40 million credit- and debit-card numbers before selling the information, with one of the corporate victims — TJX, owner of clothing retailer TK Maxx — being targeted by hackers who broke the WEP encryption on its wireless network.
Retailers handling up to six million Visa transactions in the UK are not subject to an independent audit to check they are compliant with PCI DSS security standards that can block such hacks.
A test of 552 wireless networks in central London last year by security analyst firm NCC Group found that 93 percent fell below the strongest encryption standard and that 41 percent used the "broken" WEP encryption.
Andrew Moloney, security expert at RSA Security, said: "All the focus has been on the 'level one' merchants — the high-street and multinational retailers — and making sure they are compliant with PCI DSS."
"The smaller retailers, handling hundreds of thousands or low millions of transactions, are more exposed because they have not been pushed down that path to the same extent. There has not been a lot of pressure and enforcement to ensure that they are keeping to the PCI DSS," said Moloney.
"We are as likely to see attacks in the UK as the US, or any wealthy Western country where there is ample credit cards with a good credit limit," he added.
Paul Vlissidis, head of assurance at NCC Group, said: "There is a good chance that there is a lot more insecure technology down among those low-level merchants."
"And this is the level at which there are going to be a large number of retailers, as opposed to the comparatively small number of level-one retailers," he said.
Guidance on the Visa Europe sites makes clear that, even though merchants classed at level two and below are not subject to an on-site audit, they are subject to a quarterly "network scan" of their systems.