Re: Wlan @ bestbuy is cleartext?

[Kris Herzog <antiwesley () antiwesley com>]

In-Reply-To: <3CD0105A.30308 () thievco com>

> I was asked to anonymously proxy this question to the list.  Here ya go.
>
>                                               BB
>
> ----------------------------------------------------------------------------------------------------
>
> This past week I went to bestbuy to purchase a D-link wlan card... egar to 
> get my laptop up and running while in the car I put my card in and 
> installed the driver. I noticed the traffic light was lit up as if I had a 
> connection. Out of curriosity I fired up kismet and sure enough there were 
> packets flying through the air right infront of BestBuy. Well I decided to 
> run in an try to make a Credit Card purchase real quick to verify that my 
> info was not going all over the parking lot in the clear. Well after 
> sorting out my logs I noticed what looked to be like SQL queries and table 
> headers in my logs ... things such as CUSTOMER_ROUTEID, BANKNAME, 
> REGISTER_ID and things of that nature... luckily no where in that data did 
> I find my own credit card. Non the less I decided to run to the store next 
> to BestBuy while I left me PC on grabbing packets. Well yesterday I sorted 
> through the data collected and this time I did indeed find a RAW clear text 
> credit card number....not mine ... but definately a credit card number.
>
> Heres my delima... I checked out a few of the other best buy stores for 
> "beacon packets" and everyone I drove by was sending them out...so I assume 
> all BestBuy's are wlan enabled. What I need to find out is ... are 
> BestBuys's Cash register terminals indeed using wlan and are they indeed 
> sending out MY data in the clear... I am NOT comfortable using my credit 
> card at ANY BestBuy as of right now...  due to legality though I don't feel 
> comfortable walking into the store and confronting someone about it.... for 
> all I know it could be standard BestBuy corp. practices to use nonsecure 
> wlan. I figured by starting a thread other people that have attempted this 
> may have more info or some from BestBuy may be reading the list and they 
> may pipe up.
I worked at a Best Buy, and while this is a concern, you shouldn't be afraid to tell them about this.

Here's my suggestion. Take your laptop, go to the security counter up front. Ask to speak to the Security lead, or the 
on-duty manager or sales manager. Wait there, then briefly explain what you found and how you came about it.
Explain that you were doing it only as a test for your new card, and they shouldn't have any problem with that bit.
Then explain that this information is being sent outside of the building, and that you, as a customer find this very 
worrying and you feel that will discourage you from shopping at a Best Buy in the future. This will really perk them up 
and they prolly will ask for the data on a disk, and then have you erase it from your laptop.

They were really nice people and I can see something like this being a concern for them.