Oct 24, 2013 7:48 PM (in response to MacPcConsultant)
Yes it can. Never use an unsecured wireless network for anything like that. Even an encrypted, non-trusted wireless network is vulnerable.
Oct 24, 2013 7:53 PM (in response to MacPcConsultant)
Second Tlix ... wireless is basically "radio station". Unless you encrypt that radio signal, you are being very foolish. Free wi-fi at Wendy's or McDonalds is basically un-encrypted as well.
Tell the owner that SSID-encryption is a must if ANY of the company business information is transferred over wireless network.
Oct 24, 2013 8:12 PM (in response to steve359)
Not only that, if a person outside uses that wireless network for bad things, such as hacking, illegal downloads or file sharing or child - the word will be starred out - the police will come knocking on the business owner's door because they come to the owner of the wifi.
Having your network open and unsecured...it's not a matter of if it will be misused, but when.
Oct 24, 2013 8:17 PM (in response to Skydiver119)
Gotta love that knock on the door from the local/federal authorities pinning p-ography charges on you.
And when your competitors know all about your "competitive bids" and win the contracts.
Oct 24, 2013 8:34 PM (in response to MacPcConsultant)
Can sufficient banking info which can lead to fraud be extracted from a Mac via an unsecured network by monitoring keystrokes wirelessly?
No. You can't monitor keystrokes at all over a wireless network, whether secured or not. What you can do is capture network traffic. Whether that compromises security or not depends on what the traffic is. A connection secured with IPSec or SSL, for example, is encrypted above the hardware level and will resist eavesdropping on an untrusted network.
Even on a secure network, users can capture each others' traffic.
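Added example, not part of any post in this thread: a short Python check that shows what a captured payload looks like in each case discussed above. Plain HTTP exposes its form fields to anyone who can see the traffic, while a TLS record exposes only its framing. The sample payloads and the field-name hints are constructed for illustration.

```python
import struct
from urllib.parse import parse_qs, urlsplit

# TLS record content types (RFC 8446, section 5.1)
TLS_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
MAX_TLS_RECORD = 2**14 + 2048  # largest ciphertext record TLS 1.2 allows
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"PATCH ")
SENSITIVE = ("card", "cvv", "cvc", "expiry", "password")  # hypothetical field-name hints


def classify(payload: bytes) -> dict:
    """Report what one captured TCP payload reveals to anyone who can see it."""
    if len(payload) >= 5:
        # TLS record header: content type (1 byte), version (2), length (2)
        ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
        if ctype in TLS_TYPES and major == 3 and minor <= 4 and length <= MAX_TLS_RECORD:
            # The framing is visible; application_data bodies are ciphertext.
            return {"kind": "tls", "record": TLS_TYPES[ctype], "length": length, "exposed": []}
    if payload.startswith(HTTP_METHODS):
        head, _, body = payload.partition(b"\r\n\r\n")
        request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
        target = request_line.split(" ")[1]
        # Form fields can travel in the query string or in the request body.
        fields = parse_qs(urlsplit(target).query)
        fields.update(parse_qs(body.decode("latin-1")))
        # Report field names only; the values are equally readable on the wire.
        exposed = sorted(n for n in fields if any(s in n.lower() for s in SENSITIVE))
        return {"kind": "http", "request": request_line, "exposed": exposed}
    return {"kind": "unknown", "exposed": []}


# Constructed sample: a checkout form posted over plain HTTP (test card number).
PLAIN_HTTP = (
    b"POST /checkout HTTP/1.1\r\nHost: shop.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"name=A+User&card_number=4111111111111111&expiry=12%2F15&cvv=123"
)
# Constructed sample: a TLS application_data record; zero bytes stand in for ciphertext.
TLS_RECORD = b"\x17\x03\x03\x00\x20" + bytes(32)

if __name__ == "__main__":
    for name, sample in (("plain HTTP", PLAIN_HTTP), ("TLS", TLS_RECORD)):
        print(name, "->", classify(sample))
```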
Oct 24, 2013 9:07 PM (in response to Linc Davis)
Thank you for these concerns. I'm not an employee of this business. The start post was really only asking if this person's banking information could be received to the extent that his credit card info (number, name, expiration date, and 3-4 digit security code) could be used improperly/unauthorized.
How could anyone on-site or off-site get this info wirelessly from the computer if keystrokes cannot be monitored? If the traffic is captured, in what format is that capture, and how is the banking info extracted? Banking and merchant websites used https. Isn't this sufficient to prevent theft of banking information?
Oct 24, 2013 9:06 PM (in response to MacPcConsultant)
Any wireless network traffic monitor can read unencrypted banking and CC information.
They can sit within the transmitting range of the network in an unmarked white van.
Oct 24, 2013 9:08 PM (in response to steve359)
But those websites dealing with this info use https protocols. Isn't that sufficient to protect banking/credit card data?
Oct 24, 2013 9:12 PM (in response to MacPcConsultant)
My employer requires me to use their protected network while at the office and requires me to use WPA-2 encrypted wireless at home.
I distrust other networks that do not have passwords.
That is all I can say.
Oct 24, 2013 9:19 PM (in response to MacPcConsultant)
Isn't this sufficient to prevent theft of banking information?
It should be, as long as the encryption keys used to secure the data in transit are secure. Compromise of banking transactions is not the real problem. The argument against an unsecured network is that it may be used by intruders for their own purposes, such as transmitting contraband data.
Oct 25, 2013 2:54 AM (in response to MacPcConsultant)
It may be that this particular employee's problems are happening elsewhere, but this business should still secure their network. If needed they can provide a separate unsecured gateway to the Internet for visitors to the site that isolates the business network. There are wi-fi routers that can manage such parallel services within the one box. If the business ever has any cause to handle credit card data then securing the network would form part of PCI DSS compliance.
Oct 25, 2013 3:39 AM (in response to MacPcConsultant)
Just to add to what has already been said, I would agree that it seems likely that that employee's problems aren't being caused by the insecure network.
You pointed out that bank traffic is encrypted, which is true. Whether on a secure or an insecure network, the data cannot be viewed by a third-party snooping on network traffic. However, if there's a flaw in the implementation of the bank site's login system, it could be possible for an attacker to gain access to the account through a form of session hijacking. This should not be the case, and I'm sure most bank sites don't have such vulnerabilities. If you're dealing with a small bank, though, that doesn't have the budget for a really decent site, that could be an issue.
I agree with others that this business network should be locked down with WPA-2 encryption. There are potential legal issues as well as security issues if it isn't secured.
Oct 25, 2013 8:05 AM (in response to MacPcConsultant)
Operational network security involves some knowledge and is difficult to maintain, but whoever set up the network for this business already flunked the most basic part. Who knows what else is configured insecurely here?
Ignoring the credit card data — and I suspect there's more about that than has been disclosed here — this network is ripe for sending out massive quantities of spam, for launching web attacks, and activities potentially involving content that can be considered immoral or illegal in various jurisdictions. Bad News, in other words.
While cracking WPA2 is getting easier all the time and while there are attacks against various routers available to folks within a network perimeter, that's still more work than this wide-open network.
As for the credit card activity and keyloggers, there are viable attacks against various implementations of HTTPS. Not all web sites get that right, and not all web tools get that right, and not all SSL/TLS implementations are equivalent.
A successful HTTPS attack isn't something an attacker probably wants to give away for small amounts of cash, though. The attack itself is very valuable.
Given I suspect there's more here than just that unencrypted wireless LAN — if I were this employee and had to expose my credit card data on these networks, then I'd switch to using my own iOS device for these accesses and would switch to cellular data only for this traffic, and not expose this sort of data while connected to the wireless LAN. Not credit card data. Not passwords for various secure sites. Definitely not my AppleID. Not that the cellular data network is entirely secure, either. qv: "Stingray", et al. But cellular is still a fair bit better than this wide-open unencrypted wireless LAN.
Oct 25, 2013 8:40 AM (in response to MrHoffman)
While cracking WPA2 is getting easier all the time....
Can you please explain, amplify.