All Top Banking

WarDriving 101

Posted by John B. Frank Thursday, August 7, 2008

Earlier this week the DoJ busted the international hacking ring behind the TJMax data breach. The method used to "break-in" was simplistic, a technique called "wardriving." I wanted to learn more about it, so I googled "wardriving and jejune as it may be, I thought I'd share the following article from the London Times:

The picture of the BlueTooth WiFi Sniper Gun came from an image search
.

The charge sheet for the 11 alleged conspirators in what the US DoJ calls "the largest hacking and identity theft case ever prosecuted" identifies a technique known as wardriving.

Wardriving involves a computer user driving around searching for insecure wireless networks. All the hacker needs to steal credit card and other information from a shop is a standard laptop that picks up the signal from the wireless network in a store.

If the security on the shop's wireless network is weak, the hacker can break in within a matter of seconds in some cases — gaining access to information held by the indivudual store, such as credit card numbers, as well other information kept on the company network to which the store is connected.

Wireless networks are now extremely common in retail stores. Restaurants also use wireless terminals so that customers can pay bills with a debit card without leaving their table.

Staff in supermarkets and clothing shops carry wireless handheld devices to scan and manage stock, and many shops now also manage their entire payment systems over such networks —to avoid the hassle of moving jumbles of wires should they wish to change their layout.

Hackers who engage in wardriving will typically search for shops that use outdated security systems — or protocols — to protect their wireless networks. One of the oldest protocols, called Wired Equivalent Privacy (WEP) — which is still widely in use — can be hacked in a matter of seconds, experts said.

Modern protocols, such as Wi-fi Protected Access (WPA), and WPA2 are more resilient, but can still be successfully hacked if the shop or other outlet has not chosen effective passwords or followed other basic network safety guidelines.

"In some cases you're talking about the equivalent of locking the side gate with a suitcase padlock — it's that insecure," said Paul Vlissidis, a security expert with the Manchester-based company NCC Group.

Once a hacker has stolen the credit card and other information, he or she will typically sell it in online chatrooms where criminals gather to trade such details.

The US charge sheet accuses the alleged hackers of laundering the money using "internet-based currencies" — likely a reference to online payment systems such as e-gold, which facilititate anonymous money transfer.

The main reason that wireless networks used by retail outlets remain weak is the cost of upgrade. "If it's a supermarket that has thousands of those devices to check stock, then you're talking about a massive cost to rip out the old wireless infrastructure," said Paul Cronin, a security tester with the Reading-based company Pentura.

An alliance of credit card companies and banks is working to introduce a new standard that would increase security by requiring stores to satisfy 12 criteria before being allowed to process payments wirelessly.

The Payment Card Industry Data Security Standard (PCI DSS) — which is supported by APACS, the UK payments association — would require stores to use up-to-date encryption, install firewalls, restrict access to information kept on the network and monitor and test their networks regularly.

0 comments

Post a Comment

Powered by Blogger.

Blog Archive

Search This Blog

Our Manufacturing Facility

Learn More About Us

Find out how our patented technology can empower your financial institution.

Our secure two-factor online banking authentication eliminates dangerous passwords and usernames and replicates the same trusted process used to access cash at ATM's. (Insert Bank Issued Card, Enter Bank Issued PIN)

There is an R.O.I. as FI's also earn recurring revenue from each transaction conducted using our PCI 2.0 Certified PIN Entry Device. Our technology also provides a unique real-time P2P "Instant-Transfer" which allows your online banking customer to transfer cash from ANY of their bankcards to ANY other bankcard...with the Swipe of a card.

Help your bank eliminate phishing and your customers avoid identity theft by providing them with the ability to stop typing and start swiping. There is no safer way to conduct financial transactions online than by 3DES DUKPT encrypting the cardholder details, which we do at the mag-head "inside the box/outside the browser."

Total Pageviews

SLIM for PC or SmartPhone

SLIM for PC or SmartPhone
Click to Inquire

Chip and PIN eCommerce and Mobile

Chip and PIN eCommerce and Mobile
Click to Inquire

Kapersky Calls for Mass Adoption of Card Readers

Kapersky Calls for Mass Adoption of Card Readers

Translate This Blog

BobCaps

Search ePayment News (example: NFC)

About Me

My photo
Named one of the best Payment Industry News Blogs 4 Years Running

Feedjit

My Zimbio