RE: Wlan @ bestbuy is cleartext?

["Duffy, Shawn" <SDuffy () NCIINC com>]

Ok, I get the picture.  I have been misunderstood here.

For clarification, I am not stating that Blue Boar is the one who
should be in trouble.  My statement of "checking into it" was intended for
everyone reading the thread.  I think it was definitely noteworthy Blue Boar
let us know.  But I don't know that everyone out here won't run out to the
nearest BestBuy, Home Depot, or whatever and pull-out their trusty WLan card
and a copy of Netstumbler looking to capture credit cards in the clear.

As far as BestBuy may already know; then yes, they are liable.  But,
who here wants to be the one who has to go to court and explain  it? 
Again, I am just saying before you go out to your local stores and start
gathering credit card numbers, think about it.  

Lastly, if someone happens to live in a quite town with no "computer
crime prevention", are you telling the readers that makes it ok?  Me
either.

Help each other out, guys (and gals).  Blue Boar did that.  I am
certainly going to take his advice about credit card purchases and I plan on
sharing his information with others.

Peace

sd




-----Original Message-----
From: Vachon, Scott [mailto:Scott.Vachon () Paymentech com]
Sent: Wednesday, May 01, 2002 1:36 PM
To: 'vuln-dev () securityfocus com'
Subject: RE: Wlan @ bestbuy is cleartext?



> Checking into it may be a legality problem.

How so ? He's not the one transmitting confidential data in the
clear...

> For those of you interested in trying this one out at your local
> BestBuy, be aware they may already know...

And if they are still transmitting in the clear, then they are
legally liable...

> Anyway, at this point, I suggest you contact local law enforcement
> and ask them what they think.  By now, I would hope most areas have
> a network tasks forces that can at least address the issue either
> for you or with you when you  confront BestBuy.  Who knows, you may be a
> hero and hire you as a CSO ;-)

LOL. I like the assumption about the task forces but, I fear you are
very wrong. The bigger cities may have them but, the thousands of smaller
towns are doubtful at best. I suspect many would not be able to cite any
infractions on the part of the tech bringing this to their attention.
I further doubt they would have the jurisdiction to accompany said
person to BestBuy to help unscrew them. I do suspect that one or two people
employed by them have run this up the flagpole in the last few hours...

> Also, I wouldn't doddle on this, you may prevent an identity theft!

No better reason needed. Well said.

~S~

Disclaimer: My own 2 cents....
_________________________________________________________________
Original Post Here:
his past week I went to bestbuy to purchase a D-link wlan card...
egar to get my laptop up and running while in the car I put my card in and 
installed the driver. I noticed the traffic light was lit up as if I
had a connection. Out of curriosity I fired up kismet and sure enough there
were packets flying through the air right infront of BestBuy. Well I
decided to run in an try to make a Credit Card purchase real quick to verify
that my info was not going all over the parking lot in the clear. Well after

sorting out my logs I noticed what looked to be like SQL queries and
table headers in my logs ... things such as CUSTOMER_ROUTEID, BANKNAME, 
REGISTER_ID and things of that nature... luckily no where in that
data did I find my own credit card. Non the less I decided to run to the
store
next to BestBuy while I left me PC on grabbing packets. Well yesterday I
sorted through the data collected and this time I did indeed find a RAW
clear text credit card number....not mine ... but definately a credit card
number.

Heres my delima... I checked out a few of the other best buy stores
for "beacon packets" and everyone I drove by was sending them out...so I
assume all BestBuy's are wlan enabled. What I need to find out is ... are 
BestBuys's Cash register terminals indeed using wlan and are they
indeed sending out MY data in the clear... I am NOT comfortable using my
credit card at ANY BestBuy as of right now...  due to legality though I
don't feel comfortable walking into the store and confronting someone about
it.... for all I know it could be standard BestBuy corp. practices to use
nonsecure wlan. I figured by starting a thread other people that have
attempted
this may have more info or some from BestBuy may be reading the list and
they may pipe up.