One approach might be to contact the press. If consumers can be brought to understand that their CC information is in jeopardy, even when they don't do anything online it might hurt the big businesses' sales. That would translate to the big businesses fixing the problem, perhaps... -Yanek. > -----Original Message----- > From: Duffy, Shawn [mailto:SDuffyat_private] > Sent: Wednesday, May 01, 2002 12:26 PM > To: 'Blue Boar'; 'vuln-devat_private' > Subject: RE: Wlan @ bestbuy is cleartext? > > > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Checking into it may be a legality problem. For those of you > interested in trying this one out at your local BestBuy, be aware > they may already know... > > Anyway, at this point, I suggest you contact local law enforcement > and ask them what they think. By now, I would hope most areas have a > network tasks forces that can at least address the issue either for > you or with you when you confront BestBuy. Who knows, you may be a > hero and hire you as a CSO ;-) > > Also, I wouldn't doddle on this, you may prevent an identity theft! > > Shawn. > > > > - -----Original Message----- > From: Blue Boar [mailto:BlueBoarat_private] > Sent: Wednesday, May 01, 2002 11:57 AM > To: vuln-devat_private > Subject: Wlan @ bestbuy is cleartext? > > > I was asked to anonymously proxy this question to the list. Here ya > go. > > BB > > - > ---------------------------------------------------------------------- > - ------------------------------ > > This past week I went to bestbuy to purchase a D-link wlan card... > egar to > get my laptop up and running while in the car I put my card in and > installed the driver. I noticed the traffic light was lit up as if I > had a > connection. Out of curriosity I fired up kismet and sure enough there > were > packets flying through the air right infront of BestBuy. Well I > decided to > run in an try to make a Credit Card purchase real quick to verify > that my > info was not going all over the parking lot in the clear. Well after > sorting out my logs I noticed what looked to be like SQL queries and > table > headers in my logs ... things such as CUSTOMER_ROUTEID, BANKNAME, > REGISTER_ID and things of that nature... luckily no where in that > data did > I find my own credit card. Non the less I decided to run to the store > next > to BestBuy while I left me PC on grabbing packets. Well yesterday I > sorted > through the data collected and this time I did indeed find a RAW > clear text > credit card number....not mine ... but definately a credit card > number. > > Heres my delima... I checked out a few of the other best buy stores > for > "beacon packets" and everyone I drove by was sending them out...so I > assume > all BestBuy's are wlan enabled. What I need to find out is ... are > BestBuys's Cash register terminals indeed using wlan and are they > indeed > sending out MY data in the clear... I am NOT comfortable using my > credit > card at ANY BestBuy as of right now... due to legality though I > don't feel > comfortable walking into the store and confronting someone about > it.... for > all I know it could be standard BestBuy corp. practices to use > nonsecure > wlan. I figured by starting a thread other people that have attempted > this > may have more info or some from BestBuy may be reading the list and > they > may pipe up. > > - > ---------------------------------------------------------------------- > - ------------------------------ > > > -----BEGIN PGP SIGNATURE----- > Version: PGP 7.1 > > iQA/AwUBPNAXpc9b0XjZv5u0EQLDUACfUT6Ji7Ti20kSd0AV3cvTulqKMyQAn3gw > K36+SGuRUV9qiaKqSZrDcLfN > =STK0 > -----END PGP SIGNATURE----- >
This archive was generated by hypermail 2b30 : Wed May 01 2002 - 11:59:18 PDT