Transmissions

by Dragorn

Wireless vulnerabilities aren't dead.  We just stopped watching.

I'm sure we all thought we were done with this one - can there really be much more to be said about open wireless networks?  Haven't we ridden that one off into the sunset once and for all?  Apparently not, since while we were all recovering from HOPE (or going to DEFCON), a credit card theft ring leveraging vulnerable wireless networks was busted for stealing tens of millions of credit card numbers along with customer information.

Eleven members of an international credit card ring were charged in Boston with stealing over 41 million credit card numbers from major U.S. retailers like Boston Market, Barnes & Noble, DSW, and the highly publicized TJ Maxx.  Sound familiar?

This is basically the same as the attack on Lowe's Hardware, where three men pled guilty to installing sniffer software via the wireless network to capture credit card data.  Remember that attack?  Not really?

Maybe because it happened four years ago.  Seems like a lot of people forgot about it.  What makes the latest attack unique is that, unlike the attempt at Lowe's, this was both successful at capturing credit card information, and internationally organized, sending the credit card information overseas to servers in Ukraine, China, and Latvia.

How does this keep happening?

Probably the usual: a combination of no (or obviously insufficient) network security, and insufficient segregation of the internal network.  Forget "crunchy on the outside, chewy in the center."  We're looking at sponge-like porosity of the network perimeter.  Both the Lowe's attack and these recent ones relied not only on a weak outer layer of security, but on an unstructured internal network where wireless users are allowed access to the point-of-sale network.

Just how weak is WEP?

With modern attacks (Aircrack-ng) and a single associated client (needed to get an ARP frame), a WEP key can be cracked in about two minutes, whether it is 64- or 128-bit WEP.  By capturing and re-injecting an ARP frame thousands of times, collecting enough encrypted data to derive the key becomes trivial.

Other attacks implemented in the Aircrack-ng suite expose other flaws in the WEP protocol, rendering nearly any network using WEP for protection vulnerable.  This might not be a big deal for a home user - generally nothing you're doing is likely to be interesting enough to be worth cracking WEP and it's easier to move on to an open network if all you're looking for is Internet access to check email.  For a corporation handling personal info and credit cards, simple WEP is hugely insufficient.
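The ARP re-injection described above leaves a signature a defender can watch for: the replayed frame is retransmitted unchanged, so one station suddenly emits hundreds of frames per second that all carry the same WEP IV and the same length, where a real client picks a fresh IV for nearly every frame.  The following script is an added example (not code from the column or from Aircrack-ng or Kismet) that flags that pattern in frame metadata.  The record layout, the threshold values, the MAC addresses and the sample capture are all constructed for the example.

```python
"""Flag WEP ARP-replay injection from 802.11 frame metadata (added example)."""
from collections import Counter, defaultdict, deque

# Detection thresholds. Assumed values for this example; a real wireless IDS
# would tune them per site.
WINDOW_SECONDS = 10.0      # sliding window length in seconds
REPLAY_THRESHOLD = 200     # identical (IV, length) frames from one source per window


def detect_arp_replay(frames, window=WINDOW_SECONDS, threshold=REPLAY_THRESHOLD):
    """Return alerts for sources that retransmit one encrypted frame at high rate.

    `frames` is an iterable of (timestamp_s, bssid, source_mac, length, iv)
    records, the kind of metadata a monitor-mode capture yields (format assumed
    for this example).  A WEP station chooses a new IV for almost every frame,
    so hundreds of frames with the same IV and length from one MAC within a
    few seconds is a replay, not traffic.  At most one alert is raised per
    (bssid, source, iv, length) combination.
    """
    per_source = defaultdict(list)
    for ts, bssid, src, length, iv in sorted(frames):
        per_source[(bssid, src)].append((ts, length, iv))

    alerts = []
    for (bssid, src), records in per_source.items():
        recent = deque()      # frames currently inside the sliding window
        counts = Counter()    # (iv, length) -> occurrences inside the window
        reported = set()
        for ts, length, iv in records:
            recent.append((ts, length, iv))
            key = (iv, length)
            counts[key] += 1
            # Evict frames that have aged out of the window.
            while recent and ts - recent[0][0] > window:
                old_ts, old_len, old_iv = recent.popleft()
                counts[(old_iv, old_len)] -= 1
            if counts[key] >= threshold and key not in reported:
                reported.add(key)
                first_seen = next(t for t, l, v in recent if (v, l) == key)
                alerts.append({
                    "bssid": bssid, "source": src, "iv": iv, "length": length,
                    "count": counts[key], "first_seen": first_seen, "last_seen": ts,
                })
    return alerts


def constructed_capture():
    """Synthetic capture: one well-behaved WEP client plus one injector."""
    ap = "00:11:22:33:44:55"          # constructed BSSID
    client = "aa:bb:cc:dd:ee:01"      # constructed legitimate station
    injector = "aa:bb:cc:dd:ee:99"    # constructed replaying station
    frames = []
    # Legitimate client: 300 frames over 60 s, IV incrementing, mixed sizes.
    for i in range(300):
        frames.append((i * 0.2, ap, client, 68 + (i % 5) * 40, 0x100000 + i))
    # Replay burst: the same 68-byte encrypted ARP request (68 bytes is the
    # usual size of a WEP-encrypted ARP request from a station), same IV,
    # 1000 times in 5 seconds.
    for i in range(1000):
        frames.append((30.0 + i * 0.005, ap, injector, 68, 0x0A0B0C))
    return frames


if __name__ == "__main__":
    for alert in detect_arp_replay(constructed_capture()):
        print("ARP replay suspected: bssid=%(bssid)s source=%(source)s "
              "iv=0x%(iv)06x len=%(length)d count=%(count)d "
              "window=%(first_seen).2f-%(last_seen).2fs" % alert)
```

On the constructed capture the legitimate client never trips the detector, because every one of its frames carries a distinct IV, while the injector is reported as soon as the 200th identical frame arrives.  The same duplicate-IV counter also catches the weaker signal of a client whose driver reuses IVs, which is worth knowing about on any network still running WEP.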

While WEP has been the basis for all of these attacks, none of them have truly relied on the wireless network; the lion's share of the blame falls on an apparently wide open network design inside the retailers.

Combining the weakness of WEP with a poor internal network design will rarely end well.  Some handheld inventory devices can only speak WEP, not having the computational power to support stronger encryption methods.  But until these are phased out, it's critical that the wireless network is treated as a hostile, external network.

There should be no reason for a wireless user to directly interface with the network holding the point-of-sale systems for credit card processing.  But in all of these cases, the real work was done by a sniffer installed on the companies' systems handling credit card data.  The wireless network was used only as a jumping-off point for infecting the rest of the network.

Of course, we can't lay all of the blame on the compromised companies... the Payment Card Industry Data Storage Standard (PCI DSS) recommends against using WEP, but allows it if additional security mechanisms are in place - or if it is 104-bit WEP with a 24-bit IV (a.k.a. good old fashioned WEP like we've already broken), MAC address filtering (really?), and rotating WEP keys quarterly (that's 170 days versus about two minutes to crack the new key).

A company following these guidelines to the letter can still be massively exposed.

It's tempting to dismiss all of this as corporate level crime with no impact on any of us.  Sure, there are the obvious upfront costs - reissuing and replacing the credit cards, dealing with the fraudulent items on the bills, items being ordered to new addresses tripping alarms - and I'd be done writing about this right there, except for two key points that are (largely) overlooked:

First:  Most retailers offer their own branded credit cards, and delight in trying to get you to sign up for them when you make a purchase at the point-of-sale terminal with instant credit checking and validation.

The information used to sign up for the card has to be transmitted to the credit card company somehow.  While none of the articles mention what "personal information" beyond credit card numbers was compromised, it would seem perfectly plausible that enough information to apply for new cards at a different address was gathered.  Most people reading 2600 ought to be savvy enough not to expose their personal information casually.  Phishing attacks are pretty transparent, and identity-stealing Trojans are fairly easy to avoid.  But when the company issuing the credit card can't be trusted to secure the information, the game changes significantly.

Second:  "What is your favorite color?"  "What school did you graduate from?"  "What is your home town?"  Sound familiar?  Sound like the sort of questions asked when changing the billing address on a credit card?  Sounds a lot like what most people don't think twice about putting on a social networking site (rhymes with "Pie Face"), too.  The thieves who steal credit card data in bulk would never bother to identify individuals.  The final consumers of the stolen credit card numbers are now in possession of the account number, expiration details, full name, and, if you have an online presence with any identifiable information, potentially enough data to change your billing and shipping addresses without your knowledge.

A brief search through social networking sites showed no shortage of mentions of home towns, high schools, favorite colors (either explicitly or guessed via the general theme of the page), favorite bands - all of which, combined with stolen credit card details, could be sufficient for complex fraud.

So please: Stop using WEP.  Now.  Let it die.

And design your networks so that they have more than one layer of security.
