RE: Wlan @ bestbuy is cleartext?

[H C <keydet89 () yahoo com>]

Ken,

Good input.  There are companies that do credit
monitoring, some by consolidating up-to-date
information from all three credit reporting agencies. 
This helps guard against identity theft, etc.

I do agree with the concerns, however, of the OP.  It
would be somewhat shocking to make a purchase, and
then find the CC info in a packet capture.  However, I
think that there are some things that do need to be
pointed out about the original post:

1.  There are many sites our on the 'Net that provide
maps of various cities and accessible WAPs...with more
information from the OP, this may be verifiable to
some degree.

2.  Being anonymous, one has to question the
credibility of the OP.  From his account, it doesn't
sound as if he did anything wrong.  While I do
understand that he wouldn't want his name or IP known,
he could have provided some information by which his
claims could be independently verified.  How do we
even know that he was, in fact, on the Best Buy WLAN? 
It could very well have been some other WLAN.

While it *may* have been the Best Buy WLAN, what makes
the OP think that the cash registers are on this WLAN?
 Most POS devices are cabled.  I can see where devices
used in inventory may be on a WLAN, and I wouldn't be
too surprised to find out that the LAN isn't segmented
to prevent sensitive information from passing over the
WLAN.  However, all we have at this point is
unverifiable claims.

3.  The OP stated that he examined the data after his
second capture, and found a credit card number.  How
do we know?  I'm not saying that this information
should be posted to the list, or to any individual for
that matter...but I am saying that several claims were
made that are completely unverifiable.  

The next step is basically up to the OP.  I don't
think that this is an issue for law enforcement,
necessarily, but it may be something that does need to
be addressed.    Take it up w/ corporate, and if you
aren't satisfied with their response, go to a consumer
advocacy group.

--- Ken Ludeman <kludeman () adi-cs com> wrote:
> Regardless, most credit card companies offer secure
> purchasing?  If I see $3000 dollars on my credit
> card statement that I didn't purchase something
> with, I'll just contact my credit card company and
> dispute it.   
>
> Let the credit card companies worry about it.  I
> don't have the wallet space to carry around several
> hundred dollars because I'm living the life of
> credit card paranoia!  Sure, I'm concerned over the
> recent findings, but am I going to go live in a
> plastic bubble because of it. :)
>
> Just had to add this - 
>
> -----Original Message-----
> From: H C [mailto:keydet89 () yahoo com]
> Sent: Wednesday, May 01, 2002 11:02 AM
> To: Duffy, Shawn; 'Blue Boar';
> 'vuln-dev () securityfocus com'
> Subject: RE: Wlan @ bestbuy is cleartext?
>
>
>
> > Checking into it may be a legality problem. 
>
> This concept...the legality of "checking into"
> problems...was an interesting thread on another list
> for a while.  Some feel that guys like Lamo and what
> he did to gain access to NYTimes is not only legal,
> but justified.  Others don't feel that way.  I guess
> the only real opinion that matters is that of a
> judge.
>
> > For those of you
> > interested in trying this one out at your local
> > BestBuy, be aware they may already know...
>
> Already know what?  That their WLAN is insecure.  If
> they are already aware of that, and do
> nothing...does
> that then constitute negligence?
>  
> > Anyway, at this point, I suggest you contact local
> > law enforcement
> > and ask them what they think.  By now, I would
> hope
> > most areas have a
> > network tasks forces that can at least address the
> > issue either for
> > you or with you when you  confront BestBuy.  
>
> "Network tasks forces"?  Are you saying that it's
> your
> opinion that all law enforcement jurisdictions
> should,
> by now, have 'tasks forces' [sic] for dealing with
> problems such as these?  That's hardly
> realistic...some may, but I certainly wouldn't count
> on any arbitrary jurisdiction having the necessary
> LEO
> staff for such things.
>
> From the description of his activities performed, it
> doesn't sound as if the OP has done anything wrong. 
> I
> would suggest that he attempt to contact someone at
> Best Buy corporate headquarters, and clearly state
> his
> concerns (if it's a letter, run spell check, and
> have
> someone check the grammar, that sort of thing). 
> Maybe
> he can implore BlueBoar for one more favor.  Going
> to
> law enforcement isn't going to yield anything at
> this
> point...has a crime been committed?  So far, it
> doesn't sound like it.  
>
> I'd suggest first contacting Best Buy, either by
> phone
> or letter.  If phone calls don't work, try a letter.
>
> Document your efforts.  If that doesn't work, take
> your documentation to a consumer advocacy group.
>
> > Also, I wouldn't doddle on this, you may prevent
> an
> > identity theft!
>
> I hope the OP at least stops making credit card
> purchases at BestBuy, until the situation is
> resolved.
>  He should suggest that his friends do the same.
>
>
> __________________________________________________
> Do You Yahoo!?
> Yahoo! Health - your guide to health and wellness
> http://health.yahoo.com


__________________________________________________
Do You Yahoo!?
Yahoo! Health - your guide to health and wellness
http://health.yahoo.com