Vulnerability Development: Re: Wlan @ bestbuy is cleartext?

[Ron DuFresne <dufresne () winternet com>]

bestbuy reads the firewalls list, I forget the name of their contact on
the list, perhaps this should be x-posted there for clarification.
Additionally, their corporate headquarters is in Minnesota, and one might
find an address on their wbsite or a phone number to direct concerns.

this is a BIG issue, and should be clarified.

Thanks,

Ron DuFresne


On Wed, 1 May 2002, Blue Boar wrote:

> I was asked to anonymously proxy this question to the list.  Here ya go.
>
>                                               BB
>
> ----------------------------------------------------------------------------------------------------
>
> This past week I went to bestbuy to purchase a D-link wlan card... egar to
> get my laptop up and running while in the car I put my card in and
> installed the driver. I noticed the traffic light was lit up as if I had a
> connection. Out of curriosity I fired up kismet and sure enough there were
> packets flying through the air right infront of BestBuy. Well I decided to
> run in an try to make a Credit Card purchase real quick to verify that my
> info was not going all over the parking lot in the clear. Well after
> sorting out my logs I noticed what looked to be like SQL queries and table
> headers in my logs ... things such as CUSTOMER_ROUTEID, BANKNAME,
> REGISTER_ID and things of that nature... luckily no where in that data did
> I find my own credit card. Non the less I decided to run to the store next
> to BestBuy while I left me PC on grabbing packets. Well yesterday I sorted
> through the data collected and this time I did indeed find a RAW clear text
> credit card number....not mine ... but definately a credit card number.
>
> Heres my delima... I checked out a few of the other best buy stores for
> "beacon packets" and everyone I drove by was sending them out...so I assume
> all BestBuy's are wlan enabled. What I need to find out is ... are
> BestBuys's Cash register terminals indeed using wlan and are they indeed
> sending out MY data in the clear... I am NOT comfortable using my credit
> card at ANY BestBuy as of right now...  due to legality though I don't feel
> comfortable walking into the store and confronting someone about it.... for
> all I know it could be standard BestBuy corp. practices to use nonsecure
> wlan. I figured by starting a thread other people that have attempted this
> may have more info or some from BestBuy may be reading the list and they
> may pipe up.
>
> ----------------------------------------------------------------------------------------------------
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.