While financial institutions are improving the way they secure their wireless networks, criminals are looking for new ways to exploit security vulnerabilities, says an international survey.

The Wireless Security Survey 2006, commissioned by RSA Security, shows that use of wireless internet networks in London, Paris and New York’s financial districts has increased significantly over the past year.

Security measures have also improved with more than 75 per cent of all firms switching on Wired Equivalent Privacy (Wep) encryption, which is found in most wireless products to protect corporate information.

While security has improved in percentage terms, the number of unprotected wireless access points has increased. Last year 630 access points in London’s financial district were unprotected and exposed to drive-by hacking. This year 714 access points are vulnerable.

‘People want to get up and running and use the technology as soon as possible,’ said Tim Pickard, area vice president of international marketing at RSA Security. ‘Security can come as a bit of an afterthought.’

Businesses that leave wireless networks unsecured face a number of risks. Clive Longbottom, service director at analyst Quocirca, says by doing so, firms are leaving the door open for everyone from opportunist internet surfers to people intent on industrial espionage.

‘The worst scenario is that any files that are open on the network could be accessed and intellectual property could be at risk,’ said Longbottom.

Businesses also face a growing risk from rogue hotspots which criminals are establishing to try to steal confidential user information. By spoofing legitimate wireless hotspots, criminals trick users into using their system and record passwords for corporate networks, credit card entries and financial data, says Pickard.

A test system recently set up by consultancy Capgemini found a number of devices connected to its rogue hotspot.

‘They can be used to perpetrate online identity fraud. The likelihood of this is high, given that a rogue hotspot allows for a higher volume of accurate details to be captured than in an email-based phishing attack,’ says the RSA Security report.

IT departments need to get a tighter grip on wireless usage. It is not just about securing access points sanctioned by the organisation. Firms also need to regularly audit their IT networks to ensure that employees have not installed their own wireless access points.

Quocirca’s Longbottom says financial firms should have high levels of security anyway, so if wireless access points are breached, other information can not be accessed.

As well as WEP encryption, firms should also use WiFi Protected Access and Mac security protocols alongside a virtual private network, he says.

‘If a City firm, where sensitive information is abundant, does not have good security within its own internal network then it has a problem, regardless of wireless,’ said Longbottom.

Wireless security…in 30 seconds

Best practice tips for setting up a corporate wireless network:

*Regularly audit company security policies and wireless networks to identify rogue access points and vulnerabilities.

*Ensure all access points, base stations and other wireless products using the corporate network are approved by the IT security department.

*Register all wireless network interface cards used in laptops and desktop PCs with the IT department and use their mandatory access control address for authentication.

*Ensure lost or stolen cards are reported immediately.

*Users with wireless Lan devices should use a company-approved virtual private network (VPN) for communication and authenticating users and encrypted traffic.

*Direct wireless traffic through the VPN before it enters the corporate network.