|
Vulnerability Development
mailing list archives
RE: Wlan @ bestbuy is cleartext?
From: "Duffy, Shawn" <SDuffy () NCIINC com>
Date: Wed, 1 May 2002 12:25:32 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Checking into it may be a legality problem. For those of you
interested in trying this one out at your local BestBuy, be aware
they may already know...
Anyway, at this point, I suggest you contact local law enforcement
and ask them what they think. By now, I would hope most areas have a
network tasks forces that can at least address the issue either for
you or with you when you confront BestBuy. Who knows, you may be a
hero and hire you as a CSO ;-)
Also, I wouldn't doddle on this, you may prevent an identity theft!
Shawn.
- -----Original Message-----
From: Blue Boar [mailto:BlueBoar () thievco com]
Sent: Wednesday, May 01, 2002 11:57 AM
To: vuln-dev () securityfocus com
Subject: Wlan @ bestbuy is cleartext?
I was asked to anonymously proxy this question to the list. Here ya
go.
BB
- ----------------------------------------------------------------------
- ------------------------------
This past week I went to bestbuy to purchase a D-link wlan card...
egar to
get my laptop up and running while in the car I put my card in and
installed the driver. I noticed the traffic light was lit up as if I
had a
connection. Out of curriosity I fired up kismet and sure enough there
were
packets flying through the air right infront of BestBuy. Well I
decided to
run in an try to make a Credit Card purchase real quick to verify
that my
info was not going all over the parking lot in the clear. Well after
sorting out my logs I noticed what looked to be like SQL queries and
table
headers in my logs ... things such as CUSTOMER_ROUTEID, BANKNAME,
REGISTER_ID and things of that nature... luckily no where in that
data did
I find my own credit card. Non the less I decided to run to the store
next
to BestBuy while I left me PC on grabbing packets. Well yesterday I
sorted
through the data collected and this time I did indeed find a RAW
clear text
credit card number....not mine ... but definately a credit card
number.
Heres my delima... I checked out a few of the other best buy stores
for
"beacon packets" and everyone I drove by was sending them out...so I
assume
all BestBuy's are wlan enabled. What I need to find out is ... are
BestBuys's Cash register terminals indeed using wlan and are they
indeed
sending out MY data in the clear... I am NOT comfortable using my
credit
card at ANY BestBuy as of right now... due to legality though I
don't feel
comfortable walking into the store and confronting someone about
it.... for
all I know it could be standard BestBuy corp. practices to use
nonsecure
wlan. I figured by starting a thread other people that have attempted
this
may have more info or some from BestBuy may be reading the list and
they
may pipe up.
- ----------------------------------------------------------------------
- ------------------------------
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
iQA/AwUBPNAXpc9b0XjZv5u0EQLDUACfUT6Ji7Ti20kSd0AV3cvTulqKMyQAn3gw
K36+SGuRUV9qiaKqSZrDcLfN
=STK0
-----END PGP SIGNATURE-----
 By Date 
By Thread
Current thread:
|
Intro
