Ok, I get the picture. I have been misunderstood here. For clarification, I am not stating that Blue Boar is the one who should be in trouble. My statement of "checking into it" was intended for everyone reading the thread.

I think it was definitely noteworthy Blue Boar let us know. But I don't know that everyone out here won't run out to the nearest BestBuy, Home Depot, or whatever and pull out their trusty WLan card and a copy of Netstumbler looking to capture credit cards in the clear.

As far as BestBuy may already know; then yes, they are liable. But, who here wants to be the one who has to go to court and explain it?

Again, I am just saying before you go out to your local stores and start gathering credit card numbers, think about it.

Lastly, if someone happens to live in a quiet town with no "computer crime prevention", are you telling the readers that makes it ok? Me either.

Help each other out, guys (and gals). Blue Boar did that. I am certainly going to take his advice about credit card purchases and I plan on sharing his information with others.

Peace
sd

-----Original Message-----
From: Vachon, Scott [mailto:Scott.Vachonat_private]
Sent: Wednesday, May 01, 2002 1:36 PM
To: 'vuln-devat_private'
Subject: RE: Wlan @ bestbuy is cleartext?

>Checking into it may be a legality problem.

How so? He's not the one transmitting confidential data in the clear...

>For those of you interested in trying this one out at your local
>BestBuy, be aware they may already know...

And if they are still transmitting in the clear, then they are legally liable...

>Anyway, at this point, I suggest you contact local law enforcement
>and ask them what they think. By now, I would hope most areas have
>network task forces that can at least address the issue either for
>you or with you when you confront BestBuy. Who knows, you may be a
>hero and they hire you as a CSO ;-)

LOL. I like the assumption about the task forces but, I fear you are very wrong. The bigger cities may have them but, the thousands of smaller towns are doubtful at best. I suspect many would not be able to cite any infractions on the part of the tech bringing this to their attention. I further doubt they would have the jurisdiction to accompany said person to BestBuy to help unscrew them. I do suspect that one or two people employed by them have run this up the flagpole in the last few hours...

>Also, I wouldn't dawdle on this, you may prevent an identity theft!

No better reason needed. Well said.

~S~
Disclaimer: My own 2 cents....
______________________________________________________________________

Original Post Here:

This past week I went to BestBuy to purchase a D-link wlan card... eager to get my laptop up and running while in the car, I put my card in and installed the driver. I noticed the traffic light was lit up as if I had a connection. Out of curiosity I fired up kismet and sure enough there were packets flying through the air right in front of BestBuy.

Well, I decided to run in and try to make a credit card purchase real quick to verify that my info was not going all over the parking lot in the clear. Well, after sorting out my logs I noticed what looked to be like SQL queries and table headers in my logs... things such as CUSTOMER_ROUTEID, BANKNAME, REGISTER_ID and things of that nature... luckily nowhere in that data did I find my own credit card.

Nonetheless I decided to run to the store next to BestBuy while I left my PC on grabbing packets. Well, yesterday I sorted through the data collected and this time I did indeed find a RAW clear text credit card number... not mine... but definitely a credit card number.

Here's my dilemma... I checked out a few of the other BestBuy stores for "beacon packets" and every one I drove by was sending them out... so I assume all BestBuys are wlan enabled. What I need to find out is... are BestBuy's cash register terminals indeed using wlan and are they indeed sending out MY data in the clear... I am NOT comfortable using my credit card at ANY BestBuy as of right now... due to legality though I don't feel comfortable walking into the store and confronting someone about it... for all I know it could be standard BestBuy corp. practices to use nonsecure wlan.

I figured by starting a thread other people that have attempted this may have more info or someone from BestBuy may be reading the list and they may pipe up.

This archive was generated by hypermail 2b30 : Wed May 01 2002 - 15:21:07 PDT