Vulnerability Development mailing list archives
RE: Wlan @ bestbuy is cleartext?
From: H C <keydet89 () yahoo com>
Date: Wed, 1 May 2002 12:48:09 -0700 (PDT)
Ken,

Good input. There are companies that do credit monitoring, some by consolidating up-to-date information from all three credit reporting agencies. This helps guard against identity theft, etc.

I do agree with the concerns, however, of the OP. It would be somewhat shocking to make a purchase, and then find the CC info in a packet capture. However, I think that there are some things that do need to be pointed out about the original post:

1. There are many sites out on the 'Net that provide maps of various cities and accessible WAPs...with more information from the OP, this may be verifiable to some degree.

2. Being anonymous, one has to question the credibility of the OP. From his account, it doesn't sound as if he did anything wrong. While I do understand that he wouldn't want his name or IP known, he could have provided some information by which his claims could be independently verified. How do we even know that he was, in fact, on the Best Buy WLAN? It could very well have been some other WLAN. While it *may* have been the Best Buy WLAN, what makes the OP think that the cash registers are on this WLAN? Most POS devices are cabled. I can see where devices used in inventory may be on a WLAN, and I wouldn't be too surprised to find out that the LAN isn't segmented to prevent sensitive information from passing over the WLAN. However, all we have at this point is unverifiable claims.

3. The OP stated that he examined the data after his second capture, and found a credit card number. How do we know? I'm not saying that this information should be posted to the list, or to any individual for that matter...but I am saying that several claims were made that are completely unverifiable.

The next step is basically up to the OP. I don't think that this is an issue for law enforcement, necessarily, but it may be something that does need to be addressed. Take it up w/ corporate, and if you aren't satisfied with their response, go to a consumer advocacy group.

--- Ken Ludeman <kludeman () adi-cs com> wrote:
Regardless, most credit card companies offer secure purchasing? If I see $3000 dollars on my credit card statement that I didn't purchase something with, I'll just contact my credit card company and dispute it. Let the credit card companies worry about it. I don't have the wallet space to carry around several hundred dollars because I'm living the life of credit card paranoia! Sure, I'm concerned over the recent findings, but am I going to go live in a plastic bubble because of it. :)

Just had to add this -

-----Original Message-----
From: H C [mailto:keydet89 () yahoo com]
Sent: Wednesday, May 01, 2002 11:02 AM
To: Duffy, Shawn; 'Blue Boar'; 'vuln-dev () securityfocus com'
Subject: RE: Wlan @ bestbuy is cleartext?

> Checking into it may be a legality problem.

This concept...the legality of "checking into" problems...was an interesting thread on another list for a while. Some feel that guys like Lamo and what he did to gain access to NYTimes is not only legal, but justified. Others don't feel that way. I guess the only real opinion that matters is that of a judge.

> For those of you interested in trying this one out at your local BestBuy, be aware they may already know...

Already know what? That their WLAN is insecure. If they are already aware of that, and do nothing...does that then constitute negligence?

> Anyway, at this point, I suggest you contact local law enforcement and ask them what they think. By now, I would hope most areas have a network tasks forces that can at least address the issue either for you or with you when you confront BestBuy.

"Network tasks forces"? Are you saying that it's your opinion that all law enforcement jurisdictions should, by now, have 'tasks forces' [sic] for dealing with problems such as these? That's hardly realistic...some may, but I certainly wouldn't count on any arbitrary jurisdiction having the necessary LEO staff for such things.

From the description of his activities performed, it doesn't sound as if the OP has done anything wrong. I would suggest that he attempt to contact someone at Best Buy corporate headquarters, and clearly state his concerns (if it's a letter, run spell check, and have someone check the grammar, that sort of thing). Maybe he can implore BlueBoar for one more favor.

Going to law enforcement isn't going to yield anything at this point...has a crime been committed? So far, it doesn't sound like it. I'd suggest first contacting Best Buy, either by phone or letter. If phone calls don't work, try a letter. Document your efforts. If that doesn't work, take your documentation to a consumer advocacy group.

> Also, I wouldn't doddle on this, you may prevent an identity theft!

I hope the OP at least stops making credit card purchases at BestBuy, until the situation is resolved. He should suggest that his friends do the same.

__________________________________________________
Do You Yahoo!?
Yahoo! Health - your guide to health and wellness
http://health.yahoo.com