UK at risk from repeat of US hack attack?

UK shoppers credit card details could be at risk from the same wireless hack technique that snared more than 40 million people's details in the US, according to security experts.

Security at hundreds of medium sized retailers is not fully checked to ensure financial details can not be accessed through insecure wireless networks, they claim.

It comes in the wake of US authorities charging 11 people in connection with the country's largest-ever identity theft case, alleged to have been carried out by hacking into wireless networks - so-called 'wardriving'.

They are accused of stealing more than 40 million credit and debit card numbers before selling the information, with one of the victims TJX Corporation, owner of clothing retailer TK Maxx, being targeted by hackers who broke the WEP encryption on its wireless network.

silicon.com Retail & Leisure

Get the latest retail and leisure news straight to your inbox. Sign up for the R&L newsletter today!

Retailers handling up to six million Visa transactions in the UK are not subject to an independent audit to check they are compliant with PCI DSS security standards that can block such hacks.

A test of 552 wireless networks in central London last year by security analysts NCC Group found 93 per cent fell below the strongest encryption standard and that 41 per cent used the "broken" WEP encryption.

Andrew Moloney, security expert at RSA Security, said: "All the focus has been on the 'level one' merchants - the high street and multi-national retailers - and making sure they are compliant with PCI DSS.

"The smaller retailers handling hundreds of thousands or low millions of transactions are more exposed because they have not been pushed down that path to the same extent. There has not been a lot of pressure and enforcement to ensure that they are keeping to the PCI DSS.

"We are as likely to see attacks in the UK as the US or any wealthy Western country where there is ample credit cards with a good credit limit."

Paul Vlissidis, head of assurance at NCC Group, said: "There is a good chance that there is a lot more insecure technology down among those low level merchants.

"And this is the level at which there are going to be a large number of retailers, as opposed to the comparatively small number of level one retailers."

Guidance on the Visa Europe sites makes clear that even though merchants classed at level two and below are not subject to an onsite audit they are subject to a quarterly "network scan" of their systems.