Why is MAC-based authentication insecure?

Even with wireless encryption enabled, MAC addresses are sent unencrypted. The reason for this is that if you encrypted the MAC address, every client on the wireless network would need to decrypt every single packet, just to find out whether it was sent to them or not.

Imagine watching a Netflix movie on your laptop using your home wireless connection, with a smartphone in your pocket also connected to the wifi. Your phone would need to receive every packet containing the streaming movie, decrypt it, then discard it. This would consume a huge amount of CPU and battery for no real reason.

Since the MAC address in each packet is always unencrypted, it's trivial for any attacker to run a packet sniffer, get a list of all the MAC addresses communicating on the network, then impersonate one of them.

Security Now podcast #11 (MP3, transcript) covers MAC filtering as well as WEP, disabling SSID broadcasts, and other ineffective ways of securing a wireless network.

In an ethernet network the MAC address is used to uniquely identify each node (computer etc) on the network. Every packet broadcast over the network must contain the MAC address of the intended receiver to ensure packets get where they need to go.

Therefore using a packet sniffing tool it is quite easy to extract valid MAC addresses "off the wire". Once you have the MAC address, as you already know, spoofing the MAC address is even easier.

Also, I seem to remember that MAC addresses are part of the OSI Data Link layer (level 2) and are still visible in packets even if encryption such as WEP / WPA2 is used. This may have changed more recently however.

It's only insecure if you actually have something valuable to protect. If you're just trying to prevent unauthorized users from using your wireless connection MAC-based authentication is fine.

MAC addresses aren't intended to be kept private, so it's very easy for someone to clone it.

In computer security there is a statement "Users are the weakest links in the security chain " So I can imagine a one situation.

Say an internal user wants to do something "illegal".. So in this case he can use the MAC of his own machine and do whatever thing he want. Since the admins can see it is a "hack" there is no responsibility of the real user.

And as far as I know a user can scan for the MAC addresses within the LAN. I think packet sniffer tools can retrieve them. So in that case he can steal a MAC of a his mate as well.

Don't think the hackers are from the outside. They may be insiders as well.