Switch (data) and credit cards

Recently I had a customer request that his partially wireless network be all hardwired. This is a store with server, cash registers and administrative workstations, all on the same network.His credit card transactions recently went to network instead of dial up. The credit card company is telling him that he cannot have anything wireless for security reasons.Now his registers are hardwired to a switch, where the WAP is connected, so that data does not go out to the wireless. And the wireless is encrypted ( as good as Linksys can do it). So what is their problem ? Has anyone else heard of this ?

TerryS

Reply to
Terry
Loading thread data ...

The more intelligent credit card thieves have learned that if they take a laptop, add a decent antenna, and mix in the proper software they can sit in the parking lot and decode credit card transactions at stores that are setup by people who do not understand modern network security. The security used by most WAP devices can be decoded by many available programs and can be found by a few simple internet searches.

Hard wiring all of the cash registers to a central point in the building does nothing for security if they use just a simple bridge and hook a WAP off of the same bridge. That still results in the WAP echoing everything that the registers do out to the radio link for the thieves to monitor and collect.

The most common way to stop this is to use a router, properly configured, to separate the WAP from the internal financial traffic, and especially the machines that support the credit card transactions.

Then with proper router configuration they can still use the WAP to control the portable inventory transaction devices.

VPN hardware and software can then be used to connect other devices, like laptops, to the network in order to provide that traffic with better security then the built in WAP security software. No reason to allow people to sit in the parking lot and read all of the corporate Email or inventory levels now is there...

Reply to
GlowingBlueMist

WAP is pretty much discredited as a security method. It is still better than nothing but not by much. The best use is to stop simple misconfigurations like some laptop that is set up to lock onto the strongest signal mistakenly locking onto your access point. WAP will be resistant to light probing, but it won't withstand a few minutes of concerted attack. The FBI used to go around showing how easy it is to break WAP. In this demo it took around 3 minutes.

formatting link
You can't go too wrong if you plug your access point into a spare interface on your router and treat it as another untrusted, "outside" interface and filter accordingly.

-wolfgang

Reply to
Wolfgang S. Rupprecht

They do this because the SSID gets broadcast. If you turn off SSID broadcast it limits them a bit. So shutoff SSID, do MAC filtering, and use a strong WAP key. Not that it can't be broken, but it makes it damned hard to do so.

The reason I mention SSID is because they clone the SSID on their little WAP and then the target systems will connect to that, passing along their key info and all.

Agreed. At work our WAP is limited by a Linux router setup to only allow port 80, and gets a separate IP range from our network.

We use old desktop computers to because we don't have the budget to go out and buy hardware routers.

Reply to
T

I think there is a typo in here somewhere.. we're either talking about WEP or WPA.

WEP is basicly useless.

WPA, if properly setup can offer much better security.

Agreed, but in this context "router" refers to a real router, not a linksys/netgear/dlink/etc SOHO grade "router".

Reply to
Bob Vaughan

Yes, I had assumed that the OP meant WEP. Then for some inexplicable reason that typo got stuck in my head and I parroted it. Sigh.

FWIW, I'm not sure I'd really recommend WPA (version 1) either. It has a few vulnerabilities that are dealt with by intentionally dropping incoming packets for 60 seconds. In a real world situation that adds one more thing that can be used for a DOS attack.

WPA2 with a true 64-character hex key seem like the best way to go if one must have a wireless connection at all. I'd still put it on an outside interface just to add another layer of security.

Agreed. I don't know where this nonsense of calling those NAT boxes "routers" came from.

-wolfgang

Reply to
Wolfgang S. Rupprecht

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.