Ken,

Good input. There are companies that do credit monitoring, some by consolidating up-to-date information from all three credit reporting agencies. This helps guard against identity theft, etc.

I do agree with the concerns, however, of the OP. It would be somewhat shocking to make a purchase, and then find the CC info in a packet capture. However, I think that there are some things that do need to be pointed out about the original post:

1. There are many sites out on the 'Net that provide maps of various cities and accessible WAPs...with more information from the OP, this may be verifiable to some degree.

2. Being anonymous, one has to question the credibility of the OP. From his account, it doesn't sound as if he did anything wrong. While I do understand that he wouldn't want his name or IP known, he could have provided some information by which his claims could be independently verified. How do we even know that he was, in fact, on the Best Buy WLAN? It could very well have been some other WLAN. While it *may* have been the Best Buy WLAN, what makes the OP think that the cash registers are on this WLAN? Most POS devices are cabled. I can see where devices used in inventory may be on a WLAN, and I wouldn't be too surprised to find out that the LAN isn't segmented to prevent sensitive information from passing over the WLAN. However, all we have at this point is unverifiable claims.

3. The OP stated that he examined the data after his second capture, and found a credit card number. How do we know? I'm not saying that this information should be posted to the list, or to any individual for that matter...but I am saying that several claims were made that are completely unverifiable.

The next step is basically up to the OP. I don't think that this is an issue for law enforcement, necessarily, but it may be something that does need to be addressed. Take it up w/ corporate, and if you aren't satisfied with their response, go to a consumer advocacy group.

--- Ken Ludeman <kludeman@adi-cs.com> wrote:
> Regardless, most credit card companies offer secure purchasing? If I see $3000 dollars on my credit card statement that I didn't purchase something with, I'll just contact my credit card company and dispute it.
>
> Let the credit card companies worry about it. I don't have the wallet space to carry around several hundred dollars because I'm living the life of credit card paranoia! Sure, I'm concerned over the recent findings, but am I going to go live in a plastic bubble because of it. :)
>
> Just had to add this -
>
> -----Original Message-----
> From: H C [mailto:keydet89at_private]
> Sent: Wednesday, May 01, 2002 11:02 AM
> To: Duffy, Shawn; 'Blue Boar'; 'vuln-devat_private'
> Subject: RE: Wlan @ bestbuy is cleartext?
>
> > Checking into it may be a legality problem.
>
> This concept...the legality of "checking into" problems...was an interesting thread on another list for a while. Some feel that guys like Lamo and what he did to gain access to NYTimes is not only legal, but justified. Others don't feel that way. I guess the only real opinion that matters is that of a judge.
>
> > For those of you interested in trying this one out at your local BestBuy, be aware they may already know...
>
> Already know what? That their WLAN is insecure. If they are already aware of that, and do nothing...does that then constitute negligence?
>
> > Anyway, at this point, I suggest you contact local law enforcement and ask them what they think. By now, I would hope most areas have a network tasks forces that can at least address the issue either for you or with you when you confront BestBuy.
>
> "Network tasks forces"? Are you saying that it's your opinion that all law enforcement jurisdictions should, by now, have 'tasks forces' [sic] for dealing with problems such as these? That's hardly realistic...some may, but I certainly wouldn't count on any arbitrary jurisdiction having the necessary LEO staff for such things.
>
> From the description of his activities performed, it doesn't sound as if the OP has done anything wrong. I would suggest that he attempt to contact someone at Best Buy corporate headquarters, and clearly state his concerns (if it's a letter, run spell check, and have someone check the grammar, that sort of thing). Maybe he can implore BlueBoar for one more favor. Going to law enforcement isn't going to yield anything at this point...has a crime been committed? So far, it doesn't sound like it.
>
> I'd suggest first contacting Best Buy, either by phone or letter. If phone calls don't work, try a letter.
>
> Document your efforts. If that doesn't work, take your documentation to a consumer advocacy group.
>
> > Also, I wouldn't dawdle on this, you may prevent an identity theft!
>
> I hope the OP at least stops making credit card purchases at BestBuy, until the situation is resolved. He should suggest that his friends do the same.

This archive was generated by hypermail 2b30 : Wed May 01 2002 - 14:10:41 PDT