News Stay informed about the latest enterprise technology news and product updates.

Study reveals lack of financial wireless computer security

Vulnerability scanning in the financial districts of seven cities by AirTight Networks show many misconfigured and unmanaged wireless network access points.

A study by AirTight Networks Inc. of financial districts in seven cities revealed numerous wireless vulnerabilities and a lack of wireless computer security best practices.
To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

Researchers at the Mountain View, Calif.-based wireless security vendor conducted five-minute wireless vulnerability scans at 30 random locations in the financial districts of New York, Chicago, Boston, Wilmington, Del., Philadelphia, San Francisco and London. More than 3,600 wireless network access points were scanned near banks and stock exchanges.

Access points that were open or using weak WEP encryption made up 57% of the airspace scanned, putting them at risk for data leakage, according to the study. Almost 40% of those open or WEP-secured access points were enterprise grade. The rest were consumer or SOHO grade, which can't be centrally managed, AirTight executives said.

Wireless computer security:
Deploying secure wireless LANs: Wireless networks have taken a beating in the financial world since it was discovered that the massive TJX data breach was enabled by an insecure Wi-Fi network.

Data leakage detection and prevention: While corporate data loss is not a new concern, newer technologies are emerging to help combat the threat

Mobile payment adoption risks: As mobile banking grows in popularity, financial institutions need to weigh the adoption risks to determine whether it's a product they want to offer.

"A lot of best practices were simply being skipped," said Mike Baglietto, director of product marketing at AirTight Networks.

Twenty percent of the open wireless network access points were simply hiding their service set identifier (SSID) for security, he said. The SSID is a character sequence that names a wireless network.

"Open access points create a front door to your enterprise; hackers can gain access to your infrastructure and scan devices for vulnerabilities," Baglietto said. Researchers saw instances in which open access points leaked unencrypted packets attached to a financial internal network, he said.

"We're just using commonly available tools that you can download from the Internet," he added. "People with more sophisticated tools pose a bigger threat."

Also, researchers found that more than half of Wi-Fi clients were broadcasting SSIDs and 34% were willing to connect to free and highly insecure Wi-Fi.

"To me, this indicates that the major unsolved problem is risky user behavior and misconfigured clients," said Lisa Phifer, president of Core Competence Inc., a Chester Springs, Pa.-based consulting firm specializing in network and security technologies.

"Employees may be improperly using their own or another company's open visitor WLAN without a VPN or SSL to protect their data. Far too many are apparently willing to associate with hotspot, home or ad hoc SSIDs without really knowing to whom they've connected."

Many businesses today understand how to lock down their own access points, even those that decide to allow open or WEP access for certain applications and devices, Phifer said.

SearchSecurity radio:

"But I don't think enterprises fully appreciate -- much less take steps to remedy -- these client-side vulnerabilities. And that gap will only grow wider with the proliferation of unmanaged Wi-Fi enabled mobile devices like iPhones."

Phifer noted that of the 39% of open or WEP access points that were enterprise-grade in AirTight's study, many could have been private guest/visitor networks that rely on other security measures such as SSL, VPN or WEP-protected VoIP networks.

Baglietto acknowledged that the districts obviously include other types of businesses, but said the study indicates that financial institutions would do well by implementing wireless security best practices. Those include using strong standards for authentication and encryption like WPA, conducting ongoing wireless security audits and monitoring guest Wi-Fi access.

"With the financial crisis, financial institutions already have one black eye," he said. "They don't need anymore headaches."

Dig Deeper on Secure wireless networks

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.