Ok, I get the picture. I have been misunderstood here. For clarification, I am not stating that Blue Boar is the one who should be in trouble. My statement of "checking into it" was intended for everyone reading the thread. I think it was definitely noteworthy Blue Boar let us know. But I don't know that everyone out here won't run out to the nearest BestBuy, Home Depot, or whatever and pull-out their trusty WLan card and a copy of Netstumbler looking to capture credit cards in the clear. As far as BestBuy may already know; then yes, they are liable. But, who here wants to be the one who has to go to court and explain it? Again, I am just saying before you go out to your local stores and start gathering credit card numbers, think about it. Lastly, if someone happens to live in a quite town with no "computer crime prevention", are you telling the readers that makes it ok? Me either. Help each other out, guys (and gals). Blue Boar did that. I am certainly going to take his advice about credit card purchases and I plan on sharing his information with others. Peace sd -----Original Message----- From: Vachon, Scott [mailto:Scott.Vachonat_private] Sent: Wednesday, May 01, 2002 1:36 PM To: 'vuln-devat_private' Subject: RE: Wlan @ bestbuy is cleartext? >Checking into it may be a legality problem. How so ? He's not the one transmitting confidential data in the clear... > For those of you interested in trying this one out at your local > BestBuy, be aware they may already know... And if they are still transmitting in the clear, then they are legally liable... >Anyway, at this point, I suggest you contact local law enforcement >and ask them what they think. By now, I would hope most areas have >a network tasks forces that can at least address the issue either >for you or with you when you confront BestBuy. Who knows, you may be a >hero and hire you as a CSO ;-) LOL. I like the assumption about the task forces but, I fear you are very wrong. The bigger cities may have them but, the thousands of smaller towns are doubtful at best. I suspect many would not be able to cite any infractions on the part of the tech bringing this to their attention. I further doubt they would have the jurisdiction to accompany said person to BestBuy to help unscrew them. I do suspect that one or two people employed by them have run this up the flagpole in the last few hours... >Also, I wouldn't doddle on this, you may prevent an identity theft! No better reason needed. Well said. ~S~ Disclaimer: My own 2 cents.... _________________________________________________________________ Original Post Here: his past week I went to bestbuy to purchase a D-link wlan card... egar to get my laptop up and running while in the car I put my card in and installed the driver. I noticed the traffic light was lit up as if I had a connection. Out of curriosity I fired up kismet and sure enough there were packets flying through the air right infront of BestBuy. Well I decided to run in an try to make a Credit Card purchase real quick to verify that my info was not going all over the parking lot in the clear. Well after sorting out my logs I noticed what looked to be like SQL queries and table headers in my logs ... things such as CUSTOMER_ROUTEID, BANKNAME, REGISTER_ID and things of that nature... luckily no where in that data did I find my own credit card. Non the less I decided to run to the store next to BestBuy while I left me PC on grabbing packets. Well yesterday I sorted through the data collected and this time I did indeed find a RAW clear text credit card number....not mine ... but definately a credit card number. Heres my delima... I checked out a few of the other best buy stores for "beacon packets" and everyone I drove by was sending them out...so I assume all BestBuy's are wlan enabled. What I need to find out is ... are BestBuys's Cash register terminals indeed using wlan and are they indeed sending out MY data in the clear... I am NOT comfortable using my credit card at ANY BestBuy as of right now... due to legality though I don't feel comfortable walking into the store and confronting someone about it.... for all I know it could be standard BestBuy corp. practices to use nonsecure wlan. I figured by starting a thread other people that have attempted this may have more info or some from BestBuy may be reading the list and they may pipe up.
This archive was generated by hypermail 2b30 : Wed May 01 2002 - 15:06:22 PDT