" Ok, so you cracked wep. You know that's pretty simple, right?"
You're changing the subject, but whatever.
Cracking WEP can be simple or not. There are different ways it can be implemented, such as rotating keys, and even stuff like WPA/TKIP can be cracked.
You have to be able to capture enough packets to crack WEP. In the absence of a lot of trafic, you have to wait a looong time. Or you used to, at least. That was the assumption their network was built on... their only devices were handheld price scanners, which don't generate enough traffic. This is a national retail chain that you've certainly seen if not visited, not a bunch of yay-hoos.
I had to map out their MAC filtering scheme, spoof MAC addresses, cause wireless devices to reauthenticate, capture packets, and reinject them. I used aireplay, airodump, aircrack on Linux, along with Kismet and some other goodies for the wireless piece. Also had to map out firewall trust relationships to get inbound access, and do a number of other fun things.
The only real safe way to deploy wireless is to tunnel. Open WLAN, and clients must VPN (no split tunnel!) in order to get network access. SSL vpn, client based VPN, doesn't matter.
Wireless is very tricky. It makes the concept of a network perimiter dissapear unless you do it right. Wireless signals can leak a long ways, too.
There's a little program for Linux that will make every client authenticate with certificates to the server running the WAP so that spoofing and man-in-the-middle is no longer possible.