Skip navigation

Can bank information be extracted on a wireless network ?

597 Views 18 Replies Latest reply: Oct 25, 2013 12:00 PM by tjolley11 RSS
1 2 Previous Next
MacPcConsultant Level 1 Level 1 (5 points)
Currently Being Moderated
Oct 24, 2013 6:26 PM

A business has all Mac computers on an unsecured wireless network.   The signal is weak outside the building, but it is detectable.  There are about 30 employees.   The owner does not want the SSID password protected.   Three times in the past twelve months, only one employee has had her checking and credit card accounts compromised with a few very small irregular charges.  The bank told her about keyloggers. She hasn't lost money because the bank credited her account, but the bank is also not researching the alleged perpetrators because the amounts are too small.  The bank simply changes her account numbers.  No other employees have had a problem, and the single employee uses her credit card (linked to her other accounts) in many locations when she's not as work.

 

It's unknown if she has file sharing turned on.

 

Can sufficient banking info which can lead to fraud be extracted from a Mac via an unsecured network by monitoring keystrokes wirelessly ?

  • Tlix Level 4 Level 4 (1,315 points)

    Yes it can. Never use an unsecured wireless network for anything like that. Even an encrypted, non-trusted wireless network is vulnerable.

  • steve359 Level 6 Level 6 (12,035 points)

    Second Tlix ... wirless is basically "radio station".  Unless you encrypt that radio signal, you are being very foolish.  Free wi-fi at Wendy's or McDonalds is basically un-encrypted as well.

     

    Tell the owner that SSID-encryption is a must if ANY of the company business information is transferred over wireless network.

  • Skydiver119 Level 7 Level 7 (20,305 points)

    NOt only that, if a person outside uses that wireless network for bad things, such as hacking, illegal downloads or file sharing or child - the word will be starred out - the police will come  knocking on the business owner's door because they come to the owner of the wifi.

     

    Having your network open and unsecured...it's not a matter of if it will be misused, but when.

  • steve359 Level 6 Level 6 (12,035 points)

    Gotta love that knock on the door from the local/federal authorities pinning p-ography charges on you.

     

    And when your competitors know all about your "competitive bids" and win the contracts.

  • Linc Davis Level 10 Level 10 (107,695 points)

    Can sufficient banking info which can lead to fraud be extracted from a Mac via an unsecured network by monitoring keystrokes wirelessly ?

     

    No. You can't monitor keystrokes at all over a wireless network, whether secured or not. What you can do is capture network traffic. Whether that compromises security or not depends on what the traffic is. A connection secured with IPSec or SSL, for example, is encrypted above the hardware level and will resist eavesdropping on an untrusted network.

     

    Even on a secure network, users can capture each others' traffic.

  • steve359 Level 6 Level 6 (12,035 points)

    Any wireless network traffic monitor can read unencyrpted banking and CC information.

     

    They can sit within teh transmitting range of the network in an unmarked white van.

  • steve359 Level 6 Level 6 (12,035 points)

    My employer requires me to use their protected network while at the office and requires me to use WPA-2 encrypted wireless at home.

     

    I distrust other networks that do not have passwords.

     

    That is all I can say.

  • Linc Davis Level 10 Level 10 (107,695 points)

    Isn't this sufficient to prevent theft of banking information?

     

    It should be, as long as the encryption keys used to secure the data in transit are secure. Compromise of banking transactions is not the real problem. The argument against an unsecured network is that it may be used by intruders for their own purposes, such as transmitting contraband data.

  • turingtest2 Level 8 Level 8 (43,935 points)

    It may be that this particular employee's problems are happening elsewhere, but this business should still secure their network. If needed they can provide a separate unsecured gateway to the Internet for visitors to the site that isolates the business network. There are wi-fi routers that can manage such parallel services within the one box. If the business ever has any cause to handle credit card data then securing the network would form part of PCI DSS compliance.

     

    tt2

  • thomas_r. Level 7 Level 7 (26,945 points)

    Just to add to what has already been said, I would agree that it seems likely that that employee's problems aren't being caused by the insecure network.

     

    You pointed out that bank traffic is encrypted, which is true. Whether on a secure or an insecure network, the data cannot be viewed by a third-party snooping on network traffic. However, if there's a flaw in the implementation of the bank site's login system, it could be possible for an attacker to gain access to the account through a form of session hijacking. This should not be the case, and I'm sure most bank sites don't have such vulnerabilities. If you're dealing with a small bank, though, that doesn't have the budget for a really decent site, that could be an issue.

     

    I agree with others that this business network should be locked down with WPA-2 encryption. There are potential legal issues as well as security issues if it isn't secured.

  • MrHoffman Level 6 Level 6 (11,700 points)

    Operational network security involves some knowledge and is difficult to maintain, but whoever set up the network for this business already flunked the most basic part.  Who knows what else is configured insecurely here?

     

    Ignoring the credit card data — and I suspect there's more about that than has been disclosed here — this network is ripe for sending out massive quantities of spam, for launching web attacks, and activities potentially involving content that can be considered immoral or illegal in various jurisdictions.  Bad News, in other words.

     

    While cracking WPA2 is getting easier all the time and while there are attacks against various routers available to folks within a network perimeter, that's still more work than this wide-open network.

     

    As for the credit card activity and keyloggers, there are viable attacks against various implementations of HTTPS.  Not all web sites get that right, and not all web tools get that right, and not all SSL/TLS implementations are equivalent.

     

    A successful HTTPS attack isn't something an attacler probably doesn't want to give away for small amounts of cash, though.  The attack itself is very valuable.

     

    Given I suspect there's more here than just that unencrypted wireless LAN — if I were this employee and had to expose my credit card data on these networks, then I'd switch to using my own iOS device for these accesses and would switch to cellular data only for this traffic, and not expose this sort of data while connected to the wireless LAN.  Not credit card data.  Not passwords for various secure sites.  Definitely not my AppleID.  Not that the cellular data network is entirely secure, either.  qv: "Stingray", et al.  But cellular is still a fair bit better than this wide-open unencrypted wireless LAN.

  • WZZZ Level 6 Level 6 (11,875 points)

    While cracking WPA2 is getting easier all the time....

    Can you please explain, amplify.

1 2 Previous Next

Actions

More Like This

  • Retrieving data ...

Bookmarked By (0)

Legend

  • This solved my question - 10 points
  • This helped me - 5 points
This site contains user submitted content, comments and opinions and is for informational purposes only. Apple disclaims any and all liability for the acts, omissions and conduct of any third parties in connection with or related to your use of the site. All postings and use of the content on this site are subject to the Apple Support Communities Terms of Use.