After the TJX breach, the PCI security council strengthened their wireless security standard in an attempt to prevent such catastrophic incidents from reoccurring. While some of the largest retailers strengthened their wireless security, small and medium businesses need to take a look at their own security practices because they are just as susceptible, maybe more. In its annual Data Breach Investigations Report earlier this week, Verizon said "criminals are increasingly hitting smaller businesses as it becomes harder to steal financial data from big companies."
War-driving is still more common than most people probably think, but the number of incidents reported by small and medium businesses is very low. In most cases, WEP encryption is still the target. In a recent Network World article reported that Seattle police are investigating a group of criminals attacking local businesses via Wi-Fi access points encrypted with the flawed WEP protocol. Does this appear to be an isolated incident? No. According to the Seattle police, this group of criminals has been suspected of these types wireless attacks for as many as *5 years*.
What is troubling is the number of retailers that continue to opt for a "compensating control" to address their wireless security requirements. Even PCI's "approved" methods including quarterly wireless scans and visual inspections are insufficient to protect your business. Wi-Fi is everywhere, its easy to find an unencrypted (or poorly encrypted) signal.
Until companies understand the risk of properly secured Wi-Fi, they will remain susceptible. Just ask the guys in Seattle.