-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 At 04:44 PM 5/1/2002, Erik Parker wrote: >Let me know if you find any. From what I heard from a media source, when >they approached Best Buy about it today, best buy ordered their stores to >shut off the wireless registers. > >My local Best Buy checked out an hour ago, to not have wireless running. > >However, Petsmart, and DSW shoes do the same thing.. unencrypted customer >data. OK. Let's expand on this a bit-- Let's say that it is all true and the source was correct in their post about everything. The clear text CCN in the packet stream is small potatoes. The OP said that he saw the table names and SQL elements in clear text- this means that the client-server application itself must be concatenating string variables into SQL commands and posting them to the server as ad-hoc queries as opposed to using procedures or propertly formatted data objects (or something like that). Though I have not seen a POS register system do this, if the poster was correct, then this one does. Along with the query information will be the server information and the credentials used. So, if the information is correct, it would not take that much recon to gain enough info to compromise the back-end server. Why worry about a few credit card numbers when you can have them all? I'm looking forward to seeing the real deal on this... I'd sniff it myself, but the closest BestBuy to me is way over in Reno, and anyone who has horked in Reno knows it is almost impossible to get good data with the casino's all blasting everyone's financial information up and down the spectrum ;) AD -----BEGIN PGP SIGNATURE----- Version: PGP 7.1 iQA/AwUBPNCGWIhsmyD15h5gEQLMEACgh9Y/n/MXieBKe+qYGnrzou/Twt8AoOJs d8LvE0LC0R14vbigkdOv4Oef =9sGX -----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Wed May 01 2002 - 17:56:34 PDT