November 10th, 2004, 05:43 AM
found a bank using unsecure wireless
I was wardrivin today out havin fun and just messin around, found the usual 'default' 'linksys' and the stupid stuff people don't change, found only a couple wep enabled AP's, and then....I found a ssid of 'finance' as I was driving by a bank. I pulled over and parked, and sat there in awe. A bank's finance department, using wireless that is un-encrypted (even if it was it'd be crackable). I didn't know what to do. I always do everything legal and don't actually connect to AP's, just log traffic with kismet and airsnort, finding anywhere from 80 to 120 wireless AP's. So I'm in a pickle, do I just let the bank go by their business, and hope nothing bad happens, or should I let them know....'hey you're broadcasting your customers' financial information out in the public air unencrypted for anyone to see' and risk gettin a bad look and in trouble (I haven't done anything legal but they might freak out) or what? Really I'd like some advice on what to do. I know it's not illegal just wardrivin, only when you connect to them, and I haven't connected. I'd like to inform them and maybe tell them to set up wep or wpa or whatever just to keep anything bad from happening, but I also might get in trouble for stumbling across a bank institution's unencrypted network...advice please??? Thanks.
November 10th, 2004, 05:58 AM
You should definitely tell them. I believe that you have a certain moral responsibility in protecting innocents (the bank's customers) against possible harm.
However, I do understand the situation that you are in: I was in a similar situation last year, except with a pharmacy using insecure wireless where prescriptions and the medical history of patients were transmitted...
If you want to make sure that you don't get into any trouble, just send them an anonymous letter explaining the situation and possible ways of resolving it.
On the other hand, I'm sure that they would much appreciate it if you set up an appointment with the branch director and explained the situation to him. In most cases, they will see the intent behind the action and will be thankful.
Hope this helps...
all the best,
November 10th, 2004, 06:50 AM
Guess I'm not really in a 'situation', guess I'm just more nervous about tellin the guy his network is sort of open. I'm pretty convinced I'm gonna tell them now about it, just hoping they don't flip or something.
November 10th, 2004, 07:24 AM
Maybe just a phone call explaining everything? Or, print out this page and set up an appointment with a director and explain your concern for the customers and their data (are you a patron of that particular bank as well? That might help keep things calm with the person you speak with). I think it's an honest thing expressing your concern. Of course, if you speak with some un-informed average joe, he might think your discovery of the signal might constitute as 'hacking'. I, as well as most everyone here (IMO), do NOT think you have done anything illegal or wrong.
Just tell them the truth. If I were a bank, I would want someone to let me know that my door was wide open, and hopefully the person you speak with would want the same thing.
November 10th, 2004, 11:04 AM
Enron Part 2 gonna happen. In this case the customers will lose
so tell the authorities and u dunno may get a reward
commission here too.... heh h e eh
Came as strangers,
met as friends ,
Parted as one
November 10th, 2004, 12:34 PM
First off I would check out if there was a diner or something of the sort close to the bank. If there is I would then go and have a coffee there and see if I could pick up the network. If that was successful then I would go to the bank and tell them you were working on your laptop and noticed that your wireless card was picking up a connection and you traced it to them. Otherwise tell them you were thinking of opening an account with them and you wanted to make sure their IT system was secure.
Edit: if they get difficult and start making threats just make the point it is like they left their keys in the door and instead of walking off with the keys you knock on the door to let them know.
Let us know what happens in any case.
"America is the only country that went from barbarism to decadence without civilization in between."
"The reason we are so pleased to find other people's secrets is that it distracts public attention from our own."
November 10th, 2004, 01:25 PM
Re: found a bank using unsecure wireless
Banks use to be very nervous about this kind of news. Even if you are legal (that activity isn't legal here), I advise you to inform them ANONYMOUSLY.
"i always do everything legal and dont actually connect to AP's, just log traffic with kismet and airsnort [...] i'd like to inform them"
Print all data, write a letter and send it thru regular mail. Address your letter to Internal Audit Dept. Be clear that it is not a threat, you just picked up traffic by "accident" (don't go further about your wardriving) and you are trying to help them to fix the problem.
FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
If I die before I sleep, I pray the Lord my soul to encrypt.
If I die before I wake, I pray the Lord my soul to brake.
November 10th, 2004, 04:17 PM
Only a very small percentage of banks use wireless. Chances are this is some dumbsh! user who thought it would be cool to smack a wireless gateway to sync his palm. Drop a note in the night deposit "Attention IS Manager" or something or call and ask for the Bank Security Officer who is outside IT (hopefully).
West of House
You are standing in an open field west of a white house, with a boarded front door.
There is a small mailbox here.
November 10th, 2004, 07:14 PM
Or something being overlooked.
I mean the ssid is finance. Just sounds so sweet to your blackhat wardriver.
If it is like a small local bank then it is also very possibly just some dumb IT staff.
Tell them they're open then. A phone call from a pay phone if you want to be anonymous.
It's really up to you, you have no obligation to tell them.
That which does not kill me makes me stronger -- Friedrich Nietzsche
November 10th, 2004, 07:53 PM
I have also stumbled upon a local bank that is using unsecure wireless, and informed them thru before written letter and via email. That was several months ago, yet as far as I can tell, nothing has changed.
I can sit in the shopping center parking lot, or for more comfortable, at Dunkin Donuts. I can gateway out thru them all day long. I can NOT however access anything on their local network, it appears to be a simple internet gateway, and that is all (not that I looked TOOO hard).
I personally wouldn't worry too much about informing them, I would just tell them you were using your notebook in the car, and picked up the signal. Hell, tell them you were in your contact manager looking up a cellphone number.
Unless you have tried to break into their net, and tripped all sorts of alerts, you really haven't done anything wrong. Make sure you document everything the best you can, and I am sure that if they decide to bonehead into causing you trouble, they won't like their name on the front page of the local paper "Bank using unsecure network".
Your call, but I would inform them.
~ I'm NOT insane! I've just been in a bad mood for the last 30 years! ~ Some people are like Slinkys: Not good for anything, but the thought of pushing them down the stairs brings a smile to your face!