Telecom Technical Switch (data) and credit cards

Subject Author Date
Switch (data) and credit cards Terry 12-02-06
Posted by Terry on December 2, 2006, 8:03 am


Recently I had a customer request that his partially wireless network be all
hardwired. This is a store with server, cash registers and administrative
workstations, all on the same network. His credit card transactions recently
went to network instead of dial up. The credit card company is telling him
that he cannot have anything wireless for security reasons. Now his registers
are hardwired to a switch, where the WAP is connected, so that data does not
go out to the wireless. And the wireless is encrypted (as good as Linksys
can do it). So what is their problem? Has anyone else heard of this?

TerryS



Posted by GlowingBlueMist on December 2, 2006, 4:29 pm


> Recently I had a customer request that his partially wireless network be
> all hardwired. This is a store with server, cash registers and
> administrative workstations, all on the same network. His credit card
> transactions recently went to network instead of dial up. The credit card
> company is telling him that he cannot have anything wireless for security
> reasons. Now his registers are hardwired to a switch, where the WAP is
> connected, so that data does not go out to the wireless. And the wireless
> is encrypted (as good as Linksys can do it). So what is their problem?
> Has anyone else heard of this?
>
> TerryS

The more intelligent credit card thieves have learned that if they take a
laptop, add a decent antenna, and mix in the proper software they can sit in
the parking lot and decode credit card transactions at stores that are set up
by people who do not understand modern network security. The security used
by most WAP devices can be decoded by many available programs and can be
found by a few simple internet searches.

Hard wiring all of the cash registers to a central point in the building
does nothing for security if they use just a simple bridge and hook a WAP
off of the same bridge. That still results in the WAP echoing everything
that the registers do out to the radio link for the thieves to monitor and
collect.

The most common way to stop this is to use a router, properly configured, to
separate the WAP from the internal financial traffic, and especially the
machines that support the credit card transactions.

Then with proper router configuration they can still use the WAP to control
the portable inventory transaction devices.

VPN hardware and software can then be used to connect other devices, like
laptops, to the network in order to provide that traffic with better
security than the built-in WAP security software. No reason to allow people
to sit in the parking lot and read all of the corporate Email or inventory
levels now is there...



Posted by T on December 3, 2006, 12:57 am


nobody@invalid.com says...
> > Recently I had a customer request that his partially wireless network be
> > all hardwired. This is a store with server, cash registers and
> > administrative workstations, all on the same network. His credit card
> > transactions recently went to network instead of dial up. The credit card
> > company is telling him that he cannot have anything wireless for security
> > reasons. Now his registers are hardwired to a switch, where the WAP is
> > connected, so that data does not go out to the wireless. And the wireless
> > is encrypted (as good as Linksys can do it). So what is their problem?
> > Has anyone else heard of this?
> >
> > TerryS
>
> The more intelligent credit card thieves have learned that if they take a
> laptop, add a decent antenna, and mix in the proper software they can sit in
> the parking lot and decode credit card transactions at stores that are set up
> by people who do not understand modern network security. The security used
> by most WAP devices can be decoded by many available programs and can be
> found by a few simple internet searches.

They do this because the SSID gets broadcast. If you turn off SSID
broadcast it limits them a bit. So shut off SSID, do MAC filtering, and
use a strong WAP key. Not that it can't be broken, but it makes it
damned hard to do so.

The reason I mention SSID is because they clone the SSID on their little
WAP and then the target systems will connect to that, passing along
their key info and all.

> Hard wiring all of the cash registers to a central point in the building
> does nothing for security if they use just a simple bridge and hook a WAP
> off of the same bridge. That still results in the WAP echoing everything
> that the registers do out to the radio link for the thieves to monitor and
> collect.
>
> The most common way to stop this is to use a router, properly configured, to
> separate the WAP from the internal financial traffic, and especially the
> machines that support the credit card transactions.

Agreed. At work our WAP is limited by a Linux router set up to only allow
port 80, and gets a separate IP range from our network.

We use old desktop computers because we don't have the budget to go
out and buy hardware routers.


Posted by Wolfgang S. Rupprecht on December 2, 2006, 6:03 pm



> The credit card company is telling him that he cannot have anything
> wireless for security reasons. Now his registers are hardwired to a
> switch, where the WAP is connected, so that data does not go out to
> the wireless.

WAP is pretty much discredited as a security method. It is still
better than nothing but not by much. The best use is to stop simple
misconfigurations like some laptop that is set up to lock onto the
strongest signal mistakenly locking onto your access point. WAP will
be resistant to light probing, but it won't withstand a few minutes of
concerted attack. The FBI used to go around showing how easy it is to
break WAP. In this demo it took around 3 minutes.


http://www.smallnetbuilder.com/wireless/wireless-features/the_feds_can_own_your_wlan_too/

You can't go too wrong if you plug your access point into a spare
interface on your router and treat it as another untrusted, "outside"
interface and filter accordingly.

-wolfgang
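
Added example (not part of the thread and not any poster's own configuration): the layout the replies above describe, with the access point on its own router interface treated as untrusted, the wireless segment allowed only port 80 outbound, and no forwarding path to the registers. The interface names, the SSH management rule and the DHCP/DNS rules are assumptions.

```shell
#!/bin/sh
# gen_ruleset WAN_IF POS_IF WAP_IF
# Prints an iptables-restore ruleset for a Linux router with three interfaces.
# Assumed roles (not from the thread):
#   WAN_IF  uplink used for card authorisation traffic
#   POS_IF  wired registers, server and admin workstations
#   WAP_IF  spare interface with only the access point plugged in
gen_ruleset() {
    # The filter can only separate traffic that crosses the router. An access
    # point sharing a switch (and so an interface) with the registers is the
    # case the thread warns about, so refuse to emit rules for it.
    if [ $# -ne 3 ] || [ "$1" = "$2" ] || [ "$1" = "$3" ] || [ "$2" = "$3" ]; then
        echo "usage: gen_ruleset WAN_IF POS_IF WAP_IF (three distinct interfaces)" >&2
        return 1
    fi
    wan_if=$1; pos_if=$2; wap_if=$3
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Router itself: loopback, replies, and management from the wired side only.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $pos_if -p tcp --dport 22 -j ACCEPT
# Wireless clients may ask the router for an address and name lookups only.
-A INPUT -i $wap_if -p udp --dport 67 -j ACCEPT
-A INPUT -i $wap_if -p udp --dport 53 -j ACCEPT
# Forwarding: replies to flows that were allowed below.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Wireless never reaches the register network; log attempts for review.
-A FORWARD -i $wap_if -o $pos_if -j LOG --log-prefix "WAP->POS blocked: "
-A FORWARD -i $wap_if -o $pos_if -j DROP
# Wireless gets port 80 outbound and nothing else.
-A FORWARD -i $wap_if -o $wan_if -p tcp --dport 80 -j ACCEPT
# Wired side may open connections outbound.
-A FORWARD -i $pos_if -o $wan_if -j ACCEPT
COMMIT
EOF
}

# Syntax-check before loading (needs root):
#   gen_ruleset eth0 eth1 eth2 | iptables-restore --test
```

Because the FORWARD policy is DROP, the wired side cannot open connections toward the wireless segment either; any inventory devices on the access point would need an explicit, narrowly scoped rule.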

Posted by Bob Vaughan on December 4, 2006, 4:27 am


Wolfgang S. Rupprecht
>
>WAP is pretty much discredited as a security method. It is still
>better than nothing but not by much. The best use is to stop simple
>misconfigurations like some laptop that is set up to lock onto the
>strongest signal mistakenly locking onto your access point. WAP will
>be resistant to light probing, but it won't withstand a few minutes of
>concerted attack. The FBI used to go around showing how easy it is to
>break WAP. In this demo it took around 3 minutes.


I think there is a typo in here somewhere.. we're either talking about
WEP or WPA.

WEP is basically useless.

WPA, if properly set up can offer much better security.


>http://www.smallnetbuilder.com/wireless/wireless-features/the_feds_can_own_your_wlan_too/
>
>You can't go too wrong if you plug your access point into a spare
>interface on your router and treat it as another untrusted, "outside"
>interface and filter accordingly.

Agreed, but in this context "router" refers to a real router, not a
linksys/netgear/dlink/etc SOHO grade "router".



--
-- Welcome My Son, Welcome To The Machine --
Bob Vaughan | techie @ tantivy.net                  |
         | P.O. Box 19792, Stanford, Ca 94309 |
-- I am Me, I am only Me, And no one else is Me, What could be simpler? --
