Also our bank had some kind of port security so if it wasn’t a recognized MAC address, the port just switched off.
And serious company will have this as basic security. It’s a fundamental function even available on your consumer grade router at home. While it’s overkill for that use, it’s basic security for a company.
That’s why it’s not surprising at all that a bank didn’t bother to do that. Banks have some of the most egregious security issues.
i’d argue that any serious company wouldn’t really bother with MAC identification… they’re so easy to spoof that it adds to operational overhead far more than the benefit it brings
more likely with these things you’d have a VLAN mapped to a physical port, and if that port were disconnected you’d instantly get a notification and send someone to check it out
Spoofing a MAC is easy but it still requires knowing both what an existing valid address is, and ensuring that it’s not already connected to the network. It’s only operational overhead when a new device is onboarded, after that the impact is minimal.
A policy that requires sending a tech is fine, but if you have hundreds or thousands of individual locations then you aren’t going to have a tech onsite at every one of them to quickly check and fix an issue, and you don’t really want to have to trust an end user to verify and/or make physical changes on site if you can avoid it.
This is still trivial. A Pi with 2 NICs and a Linux bridge. Using the 2 ports, effectively put the Pi in between the device you want to spoof and the rest of the network. Now you can see the traffic, the MAC addresses etc.
And serious company will have this as basic security. It’s a fundamental function even available on your consumer grade router at home. While it’s overkill for that use, it’s basic security for a company.
That’s why it’s not surprising at all that a bank didn’t bother to do that. Banks have some of the most egregious security issues.
i’d argue that any serious company wouldn’t really bother with MAC identification… they’re so easy to spoof that it adds to operational overhead far more than the benefit it brings
more likely with these things you’d have a VLAN mapped to a physical port, and if that port were disconnected you’d instantly get a notification and send someone to check it out
Spoofing a MAC is easy but it still requires knowing both what an existing valid address is, and ensuring that it’s not already connected to the network. It’s only operational overhead when a new device is onboarded, after that the impact is minimal.
A policy that requires sending a tech is fine, but if you have hundreds or thousands of individual locations then you aren’t going to have a tech onsite at every one of them to quickly check and fix an issue, and you don’t really want to have to trust an end user to verify and/or make physical changes on site if you can avoid it.
This is still trivial. A Pi with 2 NICs and a Linux bridge. Using the 2 ports, effectively put the Pi in between the device you want to spoof and the rest of the network. Now you can see the traffic, the MAC addresses etc.
… Which financial company do you work for?