Revelations earlier this year that poor wireless security contributed to the theft of 45 million credit card numbers at US retailer TJ Maxx increased calls for firms to abandon Wired Equivalent Privacy (WEP), the protocol found to be at fault. But a recent survey of London’s wireless infrastructure by RSA suggests WEP use remains widespread, and this is despite a new payment card industry (PCI) standard requiring firms to maintain the highest levels of network security.
According to RSA, in the past year the proportion of access points (APs) with encryption has increased from 74 percent to 81 percent. However, the majority still use WEP, despite its well-publicised limitations. Of the secured APs detected, only 48 percent were protected by the 802.11i or Wi-Fi Protected Access (WPA) advanced encryption protocols.
RSA probed wireless networks from street level using a laptop equipped with a high-gain antenna and running software from intrusion prevention specialist AirTight Networks. The software could identify the type of 802.11 device it encountered along with SSID, channel number and type of encryption being used.
To comply with the new PCI Data Security Standard (PCI DSS; see www.pcisecuritystandards.org/tech), which came into force on 30 June, businesses that carry out online transactions must “build and maintain a secure network”. They must “install and maintain a firewall configuration to protect cardholder data”, and avoid using “vendor-supplied defaults for system passwords and other security parameters”.
The RSA survey found that although the frequency of encrypted APs had increased over the past 12 months, the proportion of APs with default settings rose from 22 percent to 30 percent. RSA said this could probably be attributed to the explosive growth of wireless adoption, up an astonishing 160 percent over 2006.
In terms of specific wireless security requirements, firms wishing to conform to PCI DSS “should encrypt the transmissions by using Wi-Fi protected access [WPA or WPA2] technology, IPSec VPN, or SSL/TLS”. On the deficiencies of WEP, the standard could hardly be clearer, stating: “Never rely exclusively on Wired Equivalent Privacy (WEP) to protect confidentiality and access to a wireless LAN.”
On the basis of its research, RSA has published Recommended Wireless LAN Security Policy, a guide to bolstering Wi-Fi security. In it, RSA stresses that “all wireless APs/base stations connected to the corporate network should be approved by the computer security department and must use corporate-approved vendor products and security configurations”. The full report can be downloaded from the last URL below.
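As an added illustration (not code from the article, from RSA or from AirTight), the following Python script applies the two checks the article describes, WEP-only encryption and vendor-default settings, to a constructed list of access-point scan records; the record format and the list of default SSIDs are assumptions.

```python
from collections import Counter

# Constructed scan records (assumed format): (ssid, encryption as reported).
SAMPLE_SCAN = [
    ("linksys", "NONE"), ("default", "WEP"), ("Acme-Retail", "WEP"),
    ("Acme-POS", "WPA2"), ("NETGEAR", "NONE"), ("CafeGuest", "WPA"),
    ("ShopFloor", "WPA2"), ("dlink", "WEP"), ("Warehouse", "WPA"),
    ("BackOffice", "WPA2"),
]

# Assumed list of vendor-shipped SSIDs; an AP still broadcasting one is
# treated as running vendor defaults, which PCI DSS tells firms to avoid.
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink"}

def classify(encryption):
    """Map a scanner's encryption string onto the survey's three buckets."""
    enc = encryption.upper()
    if enc in ("NONE", "OPEN"):
        return "open"
    if enc == "WEP":
        return "wep"  # counted as encrypted, but not acceptable under PCI DSS
    if enc.startswith("WPA") or enc == "802.11I":
        return "wpa"  # WPA/WPA2 (802.11i): the acceptable class
    return "unknown"

def audit(records):
    """Return (bucket counts, WEP share of encrypted APs, failing APs)."""
    # An AP fails if it is open, WEP-only, or still uses a vendor-default SSID.
    counts = Counter(classify(enc) for _, enc in records)
    encrypted = counts["wep"] + counts["wpa"]
    wep_share = counts["wep"] / encrypted if encrypted else 0.0
    failing = []
    for ssid, enc in records:
        bucket = classify(enc)
        reasons = []
        if bucket == "open":
            reasons.append("no encryption")
        elif bucket == "wep":
            reasons.append("WEP only")
        if ssid.lower() in DEFAULT_SSIDS:
            reasons.append("vendor-default SSID")
        if reasons:
            failing.append((ssid, reasons))
    return counts, wep_share, failing

if __name__ == "__main__":
    for ssid, reasons in audit(SAMPLE_SCAN)[2]:
        print(f"FAIL {ssid}: {', '.join(reasons)}")
```

The WEP share is computed over encrypted APs only, matching how the article reports its 48 percent figure for WPA/802.11i among secured APs.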