Thursday, August 7, 2008

WarDriving 101

Earlier this week the DoJ busted the international hacking ring behind the TJ Maxx data breach. The method used to "break-in" was simplistic, a technique called "wardriving." I wanted to learn more about it, so I googled "wardriving" and, jejune as it may be, I thought I'd share the following article from the London Times:

The picture of the BlueTooth WiFi Sniper Gun came from an image search

The charge sheet for the 11 alleged conspirators in what the US DoJ calls "the largest hacking and identity theft case ever prosecuted" identifies a technique known as wardriving.

Wardriving involves a computer user driving around searching for insecure wireless networks. All the hacker needs to steal credit card and other information from a shop is a standard laptop that picks up the signal from the wireless network in a store.

If the security on the shop's wireless network is weak, the hacker can break in within a matter of seconds in some cases — gaining access to information held by the individual store, such as credit card numbers, as well as other information kept on the company network to which the store is connected.

Wireless networks are now extremely common in retail stores. Restaurants also use wireless terminals so that customers can pay bills with a debit card without leaving their table.

Staff in supermarkets and clothing shops carry wireless handheld devices to scan and manage stock, and many shops now also manage their entire payment systems over such networks — to avoid the hassle of moving jumbles of wires should they wish to change their layout.

Hackers who engage in wardriving will typically search for shops that use outdated security systems — or protocols — to protect their wireless networks. One of the oldest protocols, called Wired Equivalent Privacy (WEP) — which is still widely in use — can be hacked in a matter of seconds, experts said.

Modern protocols, such as Wi-Fi Protected Access (WPA) and WPA2, are more resilient, but can still be successfully hacked if the shop or other outlet has not chosen effective passwords or followed other basic network safety guidelines.

"In some cases you're talking about the equivalent of locking the side gate with a suitcase padlock — it's that insecure," said Paul Vlissidis, a security expert with the Manchester-based company NCC Group.

Once a hacker has stolen the credit card and other information, he or she will typically sell it in online chatrooms where criminals gather to trade such details.

The US charge sheet accuses the alleged hackers of laundering the money using "internet-based currencies" — likely a reference to online payment systems such as e-gold, which facilitate anonymous money transfer.

The main reason that wireless networks used by retail outlets remain weak is the cost of upgrade. "If it's a supermarket that has thousands of those devices to check stock, then you're talking about a massive cost to rip out the old wireless infrastructure," said Paul Cronin, a security tester with the Reading-based company Pentura.

An alliance of credit card companies and banks is working to introduce a new standard that would increase security by requiring stores to satisfy 12 criteria before being allowed to process payments wirelessly.

The Payment Card Industry Data Security Standard (PCI DSS) — which is supported by APACS, the UK payments association — would require stores to use up-to-date encryption, install firewalls, restrict access to information kept on the network and monitor and test their networks regularly.
