-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Checking into it may be a legality problem. For those of you interested in trying this one out at your local BestBuy, be aware they may already know...

Anyway, at this point, I suggest you contact local law enforcement and ask them what they think. By now, I would hope most areas have a network task force that can at least address the issue either for you or with you when you confront BestBuy. Who knows, you may be a hero and they hire you as a CSO ;-)

Also, I wouldn't dawdle on this, you may prevent an identity theft!

Shawn.

- -----Original Message-----
From: Blue Boar [mailto:BlueBoarat_private]
Sent: Wednesday, May 01, 2002 11:57 AM
To: vuln-devat_private
Subject: Wlan @ bestbuy is cleartext?

I was asked to anonymously proxy this question to the list. Here ya go.

BB

- ----------------------------------------------------------------------
- ------------------------------

This past week I went to BestBuy to purchase a D-Link wlan card... eager to get my laptop up and running while in the car I put my card in and installed the driver. I noticed the traffic light was lit up as if I had a connection. Out of curiosity I fired up kismet and sure enough there were packets flying through the air right in front of BestBuy.

Well I decided to run in and try to make a Credit Card purchase real quick to verify that my info was not going all over the parking lot in the clear. Well after sorting out my logs I noticed what looked to be like SQL queries and table headers in my logs ... things such as CUSTOMER_ROUTEID, BANKNAME, REGISTER_ID and things of that nature... luckily nowhere in that data did I find my own credit card.

Nonetheless I decided to run to the store next to BestBuy while I left my PC on grabbing packets. Well yesterday I sorted through the data collected and this time I did indeed find a RAW clear text credit card number....not mine ... but definitely a credit card number.

Here's my dilemma...
I checked out a few of the other BestBuy stores for "beacon packets" and every one I drove by was sending them out...so I assume all BestBuy's are wlan enabled. What I need to find out is ... are BestBuy's Cash register terminals indeed using wlan and are they indeed sending out MY data in the clear...

I am NOT comfortable using my credit card at ANY BestBuy as of right now... due to legality though I don't feel comfortable walking into the store and confronting someone about it.... for all I know it could be standard BestBuy corp. practices to use nonsecure wlan.

I figured by starting a thread other people that have attempted this may have more info or someone from BestBuy may be reading the list and they may pipe up.

- ----------------------------------------------------------------------
- ------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPNAXpc9b0XjZv5u0EQLDUACfUT6Ji7Ti20kSd0AV3cvTulqKMyQAn3gw
K36+SGuRUV9qiaKqSZrDcLfN
=STK0
-----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Wed May 01 2002 - 10:29:18 PDT