Wireless Registers May Expose Your Credit Card

flynt writes: "Found this article about people sitting in Best Buy parking lots with wireless sniffers and intercepting credit card numbers that the wireless cash registers inside the store are beaming about. Gives more credence to the idea of one time use credit card numbers. Now you don't even have to be online to have your number stolen."

Sucks

[loply]

Why didnt they just encrypt it, the whole network/transmission that is? That would be an obvious thing to do if I were programming anything of this nature. Heck, I went to the bother of XOR`ing the TCP stream on my high school computing project, surely the nitwit who wrote/engineered this system should have taken the time to add security to it?

Re:Sucks

[Namoric]

You are asking people to THINK. It just won't happen.

Re:Sucks

[dthable]

the nitwit who wrote/engineered this system should have taken the time to add security to it?

But that's asking a lot from those high school kids. I'm sure they had problems figuring out where they needed to connect the RJ-45 cable.

Re:Sucks

[cyclist1200]

I'm sure they had problems figuring out where they needed to connect the RJ-45 cable.

Which explains why they went to wireless!

encryption

[mikedavis44]

wireless needs some decent encryption schemes before it becomes accepted in the public domain

Re:encryption

[GrenDel+Fuego]

Yeah, wireless encryption sucks....

However, you can add encryption to the tcp/ip running over the wireless. With something like Cash Registers, you can be sure that they're all running the exact same software.

Enabling IPSec, or something similiar shouldn't be too difficult. it's not like you need to make sure it's compatable with all the different OSes.

Re:encryption

[saridder]

You can always use VPN's between the register and central computer. Then you bypass WEP.

Re:encryption

[m0rningstar]

The issue here (from the vuln-dev story, where this broke) is that they're not even using WEP.
It also appears there is SQL database access, etc, etc.

Leads to a lot of scary options.

d'oh

sorry

fp!

on the bejken..

Re:fp!

damn... :D

me so lame..

Hang on...

[enneff]

What the fuck?

This is obvious gross negligence on behalf of the point-of-sale software/hardware vendor. How could any remotely security-conscious developer send credit card details in plain text, even over a wired network?

Absolute insanity. I am in awe.

Re:Hang on...

In deed the sponsoring bank should pull there
agreement with the company

Re:Hang on...

[erasmus_]

Absolutely. The manufacturer states in the article that their equipment includes security, but whether the stores use it is up to them. Well, that sounds a lot like Microsoft's IIS - oh, it can be secure, they say, you just have to know how to do it.

Wrong, wrong, what a wrong approach. This company should've turned encryption on by default. Then, if the stores choose to turn it off for some crazy reason, that's up to them. Meanwhile, if my cc number was to be stolen using this method, I think I could easily hold the manufacturer and the installer of these wireless registers responsible as well as the store.

Re:Hang on...

[ShavenYak]

Meanwhile, if my cc number was to be stolen using this method, I think I could easily hold the manufacturer and the installer of these wireless registers responsible as well as the store.

Of course, you only stand to lose probably $50 to fraudulent charges depending on your card agreement, and the card company would probably even waive that. When the card companies start losing substantial money, they'll be suing the wireless register manufacturers and installers for big bucks.

Re:Hang on...

[Dr.+Scott]

Of course, you only stand to lose probably $50 to fraudulent charges depending on your card agreement, and the card company would probably even waive that.

Fifty bucks. Plus the hassle of waiting for your replacement cards to arrive. Plus dealing with the newspaper, the carpet store, and everybody else who had your number for a legit charge and now find it won't go through. Plus going through your statement to find the bogus charges. The hassle factor is real, and exceeds $50 for many people.

But yeah, it's the credit card companies that will lose enough money to make suing worthwhile. They all have contracts with the merchants. Wonder what the terms say about this sort of thing?

Just my luck

[CmdrTaco+(editor)]

Most of the time the clerks can't run my credit cards through the scanner because the magnetic strip is screwed up, so they have to enter the numbers manually.

I've always thought it to be inconvenient, but if this is true maybe more people will purposely disable their cards in such a fashion.

Re:Just my luck

[FyRE666]

I've always thought it to be inconvenient, but if this is true maybe more people will purposely disable their cards in such a fashion.

??? How would this be more secure. The same data will still be transmitted, it's just a different entry method!

Re:Just my luck

[kippy]

I don't think that will make much of a difference since that info probably still goes over the wireless LAN regardless of being scanned or typed.

Or I could be wrong. That's a possibility too.

Re:Just my luck

[burts_here]

er.. why would disabling the strips not mean the the details are sent over the arewaves (unless it is just the scanners that are handheld, i dont know i've never seen any) they would still have to type your card details into the machines, would they not?

Re:Just my luck

It's less secure when the clerk has to key in the number. The store imprint copy prints the account number on the receipt (not just the last 4 digits) and the clerk also has to go to the trouble of making an imprint of the card (old school style) allowing full access to your account number, exp date, name, etc.

Credit cards *are* insecure

[burts_here]

the whole concept of having a card with a number on which you can tell people down the phone, send down the internet, give to people in shops/restauratns is very very insecure, I've ordered stuff on my mums card before, do they care that i'm not my mum, do they shit. If people have to resort to wireless scanners to get card numbers they are throwing way to much money at the exercies, you can get card details much esier from bins, old till rolls etc...
i have developed a foolproof method of fooling them though, dont have a credit card, ok so they wont actully give me one yet but hey...

Re:Credit cards *are* insecure

I've ordered stuff on my mums card before, do they care that i'm not my mum, do they shit.

I bet your mum cares a lot though, you stupid little shit.

Re:Credit cards *are* insecure

funnily enough i asked her first... moron

Re:Credit cards *are* insecure

So you had permission to use it... so why mention this in the first place ?

Re:Credit cards *are* insecure

The companies you're buying from don't know that.

steal away.

[catwh0re]

this is an issue absorbed by the credit card company, so it doesn't effect the consumer in any other way than inconvenience.

Re:steal away.

The Consumer has to pay for this through higher fees from the cc-companies. Theft is NEVER victimless

Re:steal away.

[GutBomb]

but it's not really stealing if i ipurchase things with someone else's card because i would not have bought anything if i did not have someone else's credit card number.

oh wait... I have been reading slashdot for too long!

Re:steal away.

"this is an issue absorbed by the credit card company, so it doesn't effect the consumer in any other way than inconvenience."

...and as ya excuse for obscenely high rates.

Re:steal away.

[FatAlb3rt]

get a clue. do you really think it's free money for everyone? if that's the case, you have just found a solution for poverty.

Re:steal away.

Actually the loss is absorbed by the retailer. Even when it's no fault of theirs (ie all relevant checks were made), even if it's directly the fault of the credit card company (a card reported stolen wasn't cancelled, for example).

In fact, the credit card companies make a profit on every fraudulent transaction because the merchant is still liable for the commission on the transaction, even when they have to pay a chargeback.

A cynic might say that this is why credit card companies have done so damn little to combat fraud....

Re:steal away.

Really? Absorbed by the credit card companies? Where do you think their revenues come from?

Credit card companies charge a percentage of every transaction, which the merchant pays. In turn the merchants adjust their prices to pass the extra cost on to the consumer(you and me.)

If the credit card companies need to raise their per transaction cost to cover fraud who really ends up paying for it? Consumers

Re:steal away.

[fscking_coward_2001]

This is "insightful"?

Re:steal away.

[catwh0re]

try not to get too emotional, it's not exactly a simple thing for millions of people to do on a consistent large scale. as for the consumer, if you're smart (which most slashdotters aren't in anyone's respectable opinion) you'd already know how to not give your credit card company a cent.

Re:steal away.

[essdodson]

Credit cards are all about being smart. If you don't spend more than you have credit cards are 100% convienience and cost you nothing in interest.

Re:steal away.

[freeweed]

I think what you meant to say is that you can damn well do as you please with any signal that passes through YOUR body, after all, these are PUBLIC airwaves damnit!

Re:steal away.

gooooooooooooooooooaaaaalllll!

Re:steal away.

[FuzzyBad-Mofo]

Ah, but does it affect them?

Fuzzy

Re:steal away.

[john+barleycorn]

No this is an issue absorbed by _all of us_. In the end every consumer in the country is affected by this. When those stolen numbers are used they create chargebacks for the retail/web chains they were used at. This is an expense to those stores. In turn prices are raised to cover them. Just like shoplifting, its a problem everyone pays for at some point.

Irresponsible?

[FyRE666]

Why on Earth would a store be "beaming credit card numbers about" with no though to security? Seems they've opened themselves to a wave of court cases and possible fraud. Then again, every time you give your card to a waiter or till operator there's a chance the underpaid employee will be stealing the details via a personal "swiper". There was a programme on UK tv recently discussing this widespread fraud...

Re:Irresponsible?

[j09824]

Seems they've opened themselves to a wave of court cases and possible fraud.

If only that were the case. But in real life, people can do all sorts of irresponsible things with your credit card number and you don't really have any recourse, even if it damages your credit rating and costs you months to straighten out the mess. At best, you can hope that MC or Visa will punish them through their contractual relationship.

Re:Irresponsible?

[Some+Woman]

This happened to my uncle while he was in England last summer. The waiter at a restaurant "borrowed" his credit card number. He didn't find out until the credit card company called him about hundreds of dollars worth of alcohol purchased in Spain. (Interesting sidenote-he doesn't drink because he believes that alcohol is a sin against God. :)

wireless anything

This doesn't suprprise me. Practically any signal sent wirelessly can be intercepted. Encryption you say, but even that can be hacked through if the interceptor is prepared to wait (I'm sure the average desktop PC in a couple of decades will be able to chew through 4096bit encryption with ease).

Re:wireless anything

[GutBomb]

in a couple of decades encryption will be more powerful also.

Re:wireless anything

That wasn't the point I'm making. What you do, for example, with your wireless internet connection today could all be picked up and recorded by your neighbour, and cracked and revealed in 15 years time. Even if encryption in 2 decades time is stronger, messages encrypted can be easily broken 20 years further down the track.

Re:wireless anything

[Markus+Landgren]

I guess that's why cc:s have expiration dates.

unFrickingbelievable

[Zod000]

I can't believe Best Buy would be so lame as to have unencrypted credit card information being sent around like that. I was always under the impression that credit card information was encrypted electronically when you made your purchase, boy what a fool I was. Why is all this being transmitted wirelessly to begin with? I don't know if this is the norm, but would it really be that hard just to run a few wires from the checkout lanes to the server when they built the place?

Re:unFrickingbelievable

[silentbozo]

This is WORST Buy we're talking about, remember?

The same guys who want to foist copy protected CDs as a standard on their customers? The ones who tried to arrest a customer for trying to pick up a video card that he bought on sale online? The ones with the ultra-crappy customer service?

If you're still shopping at Best Buy, this fiasco with the wireless registers should be enough to make you go somewhere else.

Re:unFrickingbelievable

[ShavenYak]

would it really be that hard just to run a few wires from the checkout lanes to the server when they built the place?

I was thinking the same thing - what the @#$%#! did they need wireless for, anyway? They don't move the cash registers around!

WEP

[vlag]

Apparently, these stores didn't even bother to turn on WEP. AT ALL. Thats just stupid. WEP has lots of supposed insecurities but GOD DAMN, how stupid is that??? It's better than nothing.

Re:WEP

[jon+doh!]

is is better than nothing though? if you see a stream of data that's obviously encrypted, aren't you going to look at it harder than the rest of the stuff? i would...of course assuming you can tell its encrypted...

that's why I don't like wireless

[gobelijn]

It's nice technology, and has some pretty good uses, but overall people don't pay enough attention to security. And that's just plain dangerous.

We've had a seminar recently at our university with a security expert talking about cellular phones. There's a lot of encryption going on in these devices, but it's apparently not very solid. In one standard made by the big boys of the industry, an example encryption method was presented that wasn't fully secure. The little ones didn't have the knowledge to implement their own, so they adopted the example. Only to pay a lot of cash to some experts afterwards to get it out again.

Now, them paying a lot of cash is not the dangerous part, but the lack of security is. It's only a matter of time before the first big virus strike in bluetooth-gsm-cash register-insert your favourite device here.

Come to think of it, that would be rather cool :-)

security

[jaavaaguru]

Lock down all ports on the server except SSH, and force the cash register client machines to tunnel through SSH for everything. I use it at home, work and university. It's better to be over security-conscious than being to relaxed about it.

However, that's just covering up the symptoms of a greater problem. It would be better if credit cards used a public/private key system, where the acocunt number is sent to the central server which responds with a random encryption challenge, then a chip on the card encrypts the string using it's key and replies. That way no useful security information is being pased around for others to intercept and use.

Re:security

[BenLutgens]

IPSec would be the safe simple way to go.

Re:security

please shut up and die.

Re:security

Do you think these handhelds support SSH in any way or form?

Re:security

[Odinson]

"It would be better if credit cards used a public/private key system, where the acocunt number is sent to the central server which responds with a random encryption challenge, then a chip on the card encrypts the string using it's key and replies. That way no useful security information is being pased around for others to intercept and use."

I as a profesional, understanding the issues, would accept a higher rate credit card, say 12% rather than the 10.74% for a public key challenge chip on a major credit card. If people were educated they would understand the value of paying more(not much more) for that little chip. Unfortunatly 48% of people don't know how long it takes for the earth to revolve around the sun.

Re:security

[trg83]

I thought the sun revolved around the earth. j/k

Re:security

[omnirealm]

I am developing a financial application for use over Bluetooth from a PDA to a cash register, and I can say from first-hand experience that the problem of security over a wireless domain is not trivial. Your solution to channel everything through SSH is not economically feasible when you consider the processor and memory requirements necessary for *every single* vendor system out there to do this. The problem gets worse when you start talking about cell phones and wristwatches transmitting credit card numbers to vendor systems.

Bluetooth and 802.11b both have link-level encryption built in, but they both need some work before I would trust them with my financial information. For example, brute forcing the Bluetooth's E0 cipher can be reduced from a complexity of 2^128 to 2^100, and generating a database of keys and sample encrypted data can reduce the problem to a complexity of 2 if a match is found while listening to the communications!

You will have to clarify what you mean by "the account number is sent to the central server." Is it encrypted before it's sent? Against what key? How does your solution deal with non-repudiation (the device is authenticated, but not the user)?

One idea I came up with while working on this project was to incorporate the one-time use credit card numbers with client-to-vendor system. Before you leave home, your financial institution transmits a set of randomly generated one-time numbers to your PDA, wristwatch, cell phone, whatever, and the client sends a different number from the set each time he wishes to pay for something. That way, it doesn't matter if the number is compromised after the transaction is completed.

Re:security

[swillden]

I as a profesional, understanding the issues, would accept a higher rate credit card, say 12% rather than the 10.74% for a public key challenge chip on a major credit card.

Why? Your liability limit is $50 anyway. I suppose there's also the inconvenience of having your card number stolen, but from a pure cost perspective I'd expect that the lower rate plus the risk of being out $50 would be cheaper.

Of course, it's the issuing banks and merchants who absorb the rest of the fraud above the $50 limit and a good part of that fraud cost gets passed back to you in the form of a higher interest rate, so, theoretically, getting a more secure card could potentially *lower* your interest rate.

Except: In most places in the world the fraud rate is so low that it costs less to just absorb the fraud than it would to spend an additional $2 per card to put a microprocessor in it. In the U.S. smart credit cards are being issued because they're cool and attract cardholders rather than because they provide any benefit themselves. Europe is a different story.

Re:security

[swillden]

It would be better if credit cards used a public/private key system, where the acocunt number is sent to the central server which responds with a random encryption challenge, then a chip on the card encrypts the string using it's key and replies.

You can discard either the central system or the public key crypto. In fact the current smart credit card standards do use public key with off-line challenge/response verification. The terminal sends a challenge to the card which encrypts it and sends back the encrypted challenge, the card;s public key and certificate (signed by the issuing bank) and the bank's public key and certificate (signed by, e.g. Visa).

The terminal has the root public key and uses it to verify the bank certificate, then uses the bank public key to verify the card certificate, then uses the card public key to verify the response. The card and terminal also each have a set of rules that they evaluate to decide if the transaction can be conducted off-line. If both agree that it can, then the transaction happens off-line, otherwise a standard credit card verification process is done with the central server. It would be nice if the on-line part would also use the crypto.

That's the mode called Dynamic Data Authentication (DDA). There's another one called Static Data Authentication which omits the challenge/response and doesn't require the card to perform any computations. And yes, it's obviously much less secure.

As an alternative (which is workable but not used in any standard I'm aware of) strong authentication with a central system can easily be done with symmetric crypto; no need for the complexity and uglinesses of public key.

Re:security

[Odinson]

"Why? Your liability limit is $50 anyway. I suppose there's also the inconvenience of having your card number stolen, but from a pure cost perspective I'd expect that the lower rate plus the risk of being out $50 would be cheaper."

Two reasons...

Usually I am not effected by interest rate to much because I make paying off my cards a top priority.

I am aware of the $50 but there is nothing in the law that says my account must be credited in 30 days of the report or some such thing. I could theoretically be held accountable for the money pending an investigation, or definatly if contest the card companies findings from an investigation. One of advantages of having a credit card is it's instant loan/buying power for emergancies. That is gone during that time. More credit cards could solve that problem but also mean more risk.

I agree that it would lower the card companies bills over the long run, so I would only accept a higher rate on a temporary basis.

I see what you are saying but I don't want to wait until the government steps in and forces the card companies to eat the cost of updating card info sending equiptment, registers, servers, cards, etc...

Re:security

[swillden]

I am aware of the $50 but there is nothing in the law that says my account must be credited in 30 days of the report or some such thing. I could theoretically be held accountable for the money pending an investigation, or definatly if contest the card companies findings from an investigation.

Have you ever been a victim of credit card fraud? I'll bet you haven't. I have, on a couple of occasions and I can tell you that it's no sweat. In neither of my experiences did they even make me pay the $50. In the first instance, I lost my card and called it in. They looked up the last few transactions, asked me which were mine and which were not. One was not. They sent me a new card and the fraudulent charges never even showed up on my bill. In the second case I got a phone call out of the blue from the issuer saying they'd seen some out of profile charges and asking if they were mine. I said no, they sent me a new card and again I never even saw the charges. These aren't unusual or isolated incidents, either. Virtually everyone I know who has had credit cards for 10+ years and used them extensively has seen fraudulent charges against their cards, and the issuers are very good about resolving it quickly, and at little or no cost to the cardholder.

The credit card business is so extremely competitive that the issuers know that anything they do to piss off a good customer will cost them more than it's worth, so they're very accomodating (the first few times, anyway; I imagine that if you had a consistent pattern of fraud reported against your account that they'd begin to get suspicious).

I see what you are saying but I don't want to wait until the government steps in and forces the card companies to eat the cost of updating card info sending equiptment, registers, servers, cards, etc...

Why would the government ever do that? Managing the level of fraud and the technologies they use to prevent it is something the credit card industry has done very successfully for 50 years. They started with paper documents then moved to plastic cards and then embossed plastic cards (so they could get an 'imprint'). When fraud got too high they added magnetic stripes and eventually holograms. In places where fraud is a significant problem today they have moved aggressively to smart cards. Time and again they've risen to the challenge and kept themselves profitable through a combination of legal and technological means.

Why would that change so much that the government would have to get involved?

In my opinion, you should just try to get the best service you can at the lowest price you can and let the banks figure out the most effective way to make money. It's what they do!

Re:security

[bitbin]

Have you ever been a victim of credit card fraud? I'll bet you haven't. I have, on a couple of occasions and I can tell you that it's no sweat. ...

one of my card #'s was recently stolen and while I was not held liable for any charges, i wouldn't say it was "no sweat". perhaps the bank I'm dealing with is just challenged, but it took 3 statements for the charges to finally get resolved and I'd much rather be doing something useful with my time (or at least sleeping or drinking beer) than talking to the bank's fraud people on the phone.

Original source

[Omega+Hacker]

You can find what appears to be the original fwd'd (anonymized) copy of the mail from the guy who first checked this out at this location.

Re:Original source

[erasmus_]

Very interesting, thanks. I wonder why his credit card number was not in the stream though, while others were, when he specifically made a transaction just to check it out? Perhaps some registers dial the line to verify the cc directly, while others beam it to another terminal equipped with a phone line?

Re:Original source

[ptbarnett]

In the article, Best Buy said that only a small percentage of their transactions were handled over a wireless connection. Reading between the lines, I will guess that only certain registers use wireless.

Which registers? Probably ones that they have set up temporarily, or in locationd where it was't practical to run a network drop (on a timely basis?).

So, the submittor may have simply chosen the wrong (or right!) place to complete his purchase.

Re:Original source

[b1tsh1ft0r]

If you want to be informed of these things when they are released, subscribe to a mailing list. Here is the original post. I submitted this yesterday, but of course it was rejected. Maybe I shouldn't have encouraged people to exploit the vulnerability? Nah!

Your recent submissons

2002-05-01 20:23:44 Best Buy (In)security (articles,news) (rejected)

Re:Original source

[ddstreet]

Which registers?

I have never heard of any wireless checkout terminals (I am in the POS business). Think about it; it just doesn't make sense - they are (physically) fixed terminals, why spend considerable $ on setting it up with wireless, when you can lay (relatively) cheap wire? It doesn't make financial sense.

However, I have heard of wireless kiosks. That makes sense - you may want it at the front door one day, and near some product in the back another day. Thay make sense to move around. Quite possibly that is what was getting picked up. I have never heard of a kiosk with a built-in MSR (Magnetic Stripe Reader - it reads your card) but they may be out there.

Essentially, you probably don't have to worry about wireless checkout terminals - even in BB.

Re:Original source

[valdezjuan]

Securityfocus's mailing list Vuln-Dev is where the original post came through. There has been an interesting thread on the subject since the posting. You may want to check it out:

http://online.securityfocus.com/archive/82/27036 4/ 2002-04-29/2002-05-05/1

You can follow the thread by clicking the next article in thread link on the right.

Re:Original source

[erasmus_]

I don't understand how you can say you're in the POS business and have never heard of this. They do not call them kiosks in the article, they specifically say:

Symbol makes hardware used by IBM in its wireless point-of-sale terminals.

Now I do understand your point that it may be cheaper to do physical wire, but that doesn't seem to be preventing the many customers that they mention in the article, including Best Buy from purchasing and using this wireless POS technology.

Re:Original source

[ddstreet]

I don't understand how you can say you're in the POS business and have never heard of this

Hmm, are you in the POS business? No? But that article said it...so it must be true...

They do not call them kiosks in the article

Do you think Symbol (who makes wireless cards) really knows what hardware IBM puts those cards into...? Maybe he used "terminal" as a generic word that might possibly include kiosks...hmm...or maybe he's doesn't know any specifics...

including Best Buy from purchasing

Next time you go into BB (if ever) take a look at who makes their POS terminals.

Re:Original source

online.securityfocus.com is a crappy site it freezes and doesnt render at all in ns 4

Re:Original source

[0x0d0a]

Maybe the number was cached.

Who's still shopping at Best Buy?

[pavera]

There was a story here a couple weeks ago about the evils of best buy.

Why are we suprised that they don't care about their customers, they've already proved that with the nVidia 4600 Ti scandal.

is wireless really just for a quick and easy setup

all the security breaches I keep reading regarding wireless networks (encrypted and non-encrypted) make me wonder if it's worth having all this security risk for the sake of some flashy device that doesn't have any wires. Would it kill them to run wires between these things?

If anyone can educate me on other benefits, I'd be glad to hear them......

How i gave away my credit card details.

[oliverthered]

I had a call the other day, from someone the BBC T.V. licensing department; or so I thought.(The BBC is a non-optout subscription service)

The caller said that I hadn't paid my licence for the year, and asked if I would like to.

Being a bit crap with bill payments I found this quite handy, I searched around for my credit card, but couldn't find it, so,

I told the caller that, "I couldn't find my card and would I be able to pay over the phone tomorrow". She said that, "they were open tomorrow", but expressed great concern, because they were, "checking licences in the area", so I had another look for my credit card and found it, gave the caller my details.

A few days later the T.V. licence arrived,
I have cancelled my credit card because I couldn't be sure if the caller really from the BBC, if so they've started demanding money with menaces.

There should be system security inspections.

[Innominate+Recreant]

Each time I fly somewhere, I don't inspect the plane before boarding it. When I go to the grocery store, I assume that the government has inspected the facilities that produce the food I buy. The average consumer has neither the time nor the expertise to inspect each plane or food processing plant to decide if it meets a reasonable standard.

Government inspection doesn't mitigate any responsibility that a food plant or an airline has. It merely provides the consumer with some assurances. And in most cases (not all) it works. Most of us buy food every week, and most of us don't die of food poisoning. Most planes take off and land safely. However, the food producer or the airline company is still responsible for the product.

As we rely more system security in our daily business transactions, I think that rigid standards of system security should be created and enforced.

If we start holding irresponsible retailers, like Best Buy in this case, accountable for damages, you'll see consumers *and* retailers lobbying for such an effort.

Why bother? Thieves can just guess.

[j09824]

Credit card thieves can simply brute force the credit card numbers. Some banks helpfully even assign credit card numbers sequentially or predictably, and the credit card number space is too small anyway.

Social security numbers used as identification, credit card numbers, and a whole host of other "real world" identifiers and systems are simply extremely sloppy security. In the past, that meant that only a few customers got screwed. With modern computer equipment, a lot of people get screwed.

What is particularly annoying about it is that the companies that put this sloppy security in place never really have given a damn about protecting their customers--as long as the casualties are not too many and don't frighten the masses away, it's acceptable. In most cases, companies that use sloppy identifiers or security end up not even being legally liable for the trouble and expenses they are causing their customers.

But its not just Best Buy

[CodeMonky]

On vuln-dev (vulnerability development, a list on security-focus.com) there has been a discussion going on about this for over a week, and people are pointing out all the stores that have problems, and its getting to the point where it is easier to say who DOESN'T have a problem than who does.

Re:But its not just Best Buy

...its getting to the point where it is easier to say who DOESN'T have a problem than who does.

So what retailers care about securing their customers' data?

Re:But its not just Best Buy

[ryanr]

The vuln-dev thread started yesterday, that's the source for the MSNBC story.

http://online.securityfocus.com/archive/82/2002-04 -29/2002-05-05/0

Not surprised

[dreamchaser]

Is anybody actually surprised that nobody at Best Buy knows how to configure an encrypted wireless network?

Re:Not surprised

[fooguy]

Let's be fair here.

Most of these retail type places buy a turn key solution (::COUGH:: ::COUGH:: IBM ::COUGH::). I don't expect my mechanic to know how to fix my car, and I don't expect a store manager to understand wireless encryption. A store doesn't have its own IT people, corporate does. Maybe (if they're lucky) corporate even had a helpdesk they can call.

Someone sold them this wireless gear, they should be the onces concerned about the security.

Re:Not surprised

[Amazing+Quantum+Man]

I don't expect my mechanic to know how to fix my car,

Maybe you should find another mechanic. That's exactly what a mechanic SHOULD know.

Re:Not surprised

[cdrudge]

I don't expect my mechanic to know how to fix my car

You don't? If I am going to pay someone to do something for me, I'm sure I would want him to know how to do it. I pay my doctor because she knows about my body. I pay my accountant because he knows about my finances. I pay my mechanic because he knows about my car.

Re:Not surprised

Oh, and how exactly do you configure an encrypted wireless network in this case?

Trust

[infiniti99]

Someone down the line knows your credit card number. If you hand your card to the person at the register, then you are placing trust in them. If your information is stolen by a 3rd party, then it is because of the incompetence of whoever you placed your trust in.

According to the article, Best Buy has since stopped using wireless cash registers. Still, I think the problem is not with wireless itself, but the particular implementation Best Buy was using. Couldn't they simply encrypt the data?

Of course, credit cards are inherently problematic. Although I use credit cards, I think the system is poorly designed. Basically, you say to a guy, "here's a key to my safe, please only take what you need." IMO, it should be the reverse. We should *give* them the money, possibly by authorizing a transaction via your bank (a cell phone would be the best way, so you don't have to trust an in-store terminal) Thus, everyone would be able to give, but not take. As it stands, credit cards have the worst security of anything. It's ironic too, since a lot of us computer enthusiasts will rant all day about how everyone should be using ssh and GPG, yet we give our login and password to the waitress next time we eat.

Re:Trust

[anthony_dipierro]

If you hand your card to the person at the register, then you are placing trust in them.

It's actually exactly the opposite. When you hand your credit card to the person at the register, they are placing their trust in you. Credit cards are nothing more than a promise to pay.

Re:Trust

[mixbsd]

authorizing a transaction via your bank (a cell phone would be the best way, so you don't have to trust an in-store terminal)
...cell-phones are *wireless* so inherently insecure, be they digital or analogue.

Re:Trust

[Geeyzus]

Although I use credit cards, I think the system is poorly designed. Basically, you say to a guy, "here's a key to my safe, please only take what you need." IMO, it should be the reverse. We should *give* them the money, possibly by authorizing a transaction via your bank (a cell phone would be the best way, so you don't have to trust an in-store terminal)

I agree.

Now, if the government could only standardize some way to do this. Perhaps instead of electronically, maybe some physical medium could be used to represent the money we have. We could actually hand these physical objects to the cashier on exiting a store. It would of course have to be small enough to carry around with us also. I hope to see this in real life one day!

Re:Trust

[buck_wild]

Now if only we could make them small and foldable...

Re:How i gave away my credit card details.

[burts_here]

this is why you need a wireless scanner, so you dont have to give your credit card details out to callers, give somone elses.
seriously though, i didnt think the bbc where actually in charge of issuing licences, i thought they just got the money...

umm

isn't a wireless cash register a little like leaving an open atm unwatched on a public street and expecting people to do the right thing and pass it by?

No credit card fraud before the internet?

[p4k]

Now you don't even have to be online to have your number stolen.

Like you ever did need to be online to get your number stolen - easiest way to steal credit card numbers is to get a job in a retail outlet and record numbers of customers cards.

This is *the* classic error in security thinking - only consider the hardware, ignore the human factors.

Re:No credit card fraud before the internet?

[BreakWindows]

easiest way to steal credit card numbers is to get a job in a retail outlet and record numbers of customers cards.

Customer: Excuse me, sir?
Me: *stares at credit card*
Customer: Hello? Are you going to ring up that sale, or what?
Me: *stares at credit card*
Customer: What the hell are you doing??
Me: *stares at credit card*
Customer: You're not trying to memorize those 16 digits plus expiration date, are you?
Me: *stares at credit card*
Customer: That's it, I'm going to another store!
Me: *stares at credit card*
Me: Oh, sorry, I was just...umm...lost in the beauty of this blue swirly chip in the middle.

Re:No credit card fraud before the internet?

[fooguy]

Actually, the easiest way to steal a credit card number is to generate a number for yourself.

Or so I'm told .

Re:No credit card fraud before the internet?

[ShavenYak]

easiest way to steal credit card numbers is to get a job in a retail outlet and record numbers of customers cards.

Or to go to a restaurant and grab receipts off of tables.

When dining and paying with a credit card, never leave until the waiter has picked the receipt up. At least then you only have to trust the waiter, not everyone else in the restaurant.

Re:No credit card fraud before the internet?

[Peyna]

Exactly how my bank card # got stolen. I traced it to a clerk in a gas station, I had not used the check card anywhere else previously besides ATM machines, etc. and I visited said gas station the night before. Lucky for me he apparently tried to use it at some lumber supply company for a few thousand dollars to see how much he could get out of it, and they were kind of suspicious when he wanted to use 2 credit cards each with a name different from his own =] I wonder how many places would care enough to catch something like that.

Re:No credit card fraud before the internet?

[Peyna]

Haven't worked in retail much have you? I worked at a grocery store when I was 16 (4 years ago), and all credit card information needed was nicely printed on the roll of tape in the register that we had to take out at the end of our shift and give to the accounting folks. All you'd have to do is look at it later when the person leaves. I'm sure 3rd shift gas station attendants have plenty of free time.

Re:No credit card fraud before the internet?

[Bedouin+X]

Thank you!!

I was scanning the replies to see if anybody else caught that before I posted. I used to work for a ver ubiquitous electronics retailer that loved to ask for your name and address. We had a few unscrupulous employees there that would go through the receipts at the end of the day and record credit card numbers with the bonus catch of their name, address, and in many cases their phone number.

The company tried to wise up by not printing the address on the ticket but it just took a quick dive into the computer system to retrieve this information. I know for a fact that nothing has changed at this company and I can only imagine what others are like.

Re:No credit card fraud before the internet?

[tongue]

How does this allow you to "steal" a credit card? You still need the exp. date, the cardholder's name, possibly address, and sometimes even the three digit number found on the signature panel. the only thing that the luhn algorithm is good for is validating that the card *might* be a valid card number, not a valid card.

Re:No credit card fraud before the internet?

[fooguy]

You still need the exp. date, the cardholder's name, possibly address, and sometimes even the three digit number found on the signature panel. the only thing that the luhn algorithm is good for is validating that the card *might* be a valid card number, not a valid card.

Depends on what you're using the card number for. Not every company that accepts credit cards check those things throughly. For example, some smaller computer places just take the number and the expiration date and run the card manually.

I'm aware of a couple websites that offer services (not goods) that you can buy with a credit card that just do a LUHN check. If the number passes your service is provided. Billing is done by hand later. Credit card processors that can validate in real time (Verisign for example) are pretty expensive, much more so than printing out an email and keying it into a POS terminal.

Blah, ok the cats out of the bag

[LWolenczak]

Ok, I have known about this for about five months. Prirry sad huh? You can even pickup logins, passwords, and get EIGRP broadcasts from their router for best buy's data network. One thing I have noticed recently, as of last weekend, the best buy I pass as I head to work dosen't make my laptop beep twice.....

Re:Blah, ok the cats out of the bag

1 is a l337 d00d, give m3 j00r cr3d17 c4rd numb3rs n0w 0r 1 w1ll bl0w up ur c0mput3r

More validation is needed

[min0r_threat]

Credit card transactions such as this validate the credit card number against an algorithm, and ensure that number matches the bank who issued the card and the type of card (VISA, Mastercard et. al.)

Fine, the number may be legitimate, and the card may be legitimate, but is the actual transaction legitimate? In other words, there is no validation that the card being used for the transaction really does belong to the person making the transaction.

The practice of skimming credit cards and capturing numbers over wireless networks will continue, and credit card fraud will continue because it is easy to commit . . . probably until some form of smart cards encompassing biometrics are in mass use in the marketplace. Incorporate a finger print into a smart card and small recognition scanner at the point of sale. If your fingerprint doesn't match that on the card then the treansaction will be denied. This won't help on-line fraud or fraud perpetrated during transactions when the cardholder isn't present, but it will cut down on innocent people being ripped off.

So why don't banks incorporate this? It's purely down to cost. They're not interested in consumers being defrauded, what matters to them is the money the banks lose. Fraud is a big problem, but until the levels of fraud amount to more than the cost of issuing and installing smart card or biometric technology, banks aren't going to be interested.

In the case of validation, European countries with lower levels of credit card fraud are those with higher levels of validation. Many countries in Europe require a matching signature as well as a PIN number. Sure, the PIN number may be picked up over a wireless network, but it goes to show that more stringent validation checks will reduce levels of credit card fraud.

And as for using encryption - surely that is just common sense?!

Re:More validation is needed

[EasyTarget]

Sure, the PIN number may be picked up over a wireless network

Not necesserily.. the PIN is stored on the card itself (one-way encrypted or sumething.. I'm not well-up on crypto stuff). So therefore the whole pin-processing can go on within the POS (Point-Of-Sale) terminal which just needs to return a success or denial message.

Re:More validation is needed

[Hast]

I don't like the idea of finger print based ID. Basically I want the ID to be based on something I can put down on the ground and step away from.

Re:More validation is needed

[psychofox]

It seems extremely unlikely that the pin is stored on the card in any form whatsoever. It is trivial to read all the data from the magnetic strip on a card. If were "one-way encrypted", it would be easy to brute force (though I hestitate to even call it brute force) it.

Re:More validation is needed

[erasmus_]

You can do that with a finger. It's just a tad more painful :)

But I know what you mean, you don't want your identity to be something you can't really cancel, which is a good point.

Re:More validation is needed

[anthony_dipierro]

In other words, there is no validation that the card being used for the transaction really does belong to the person making the transaction.

Sure there is. Your signature matches the signature on the back of the card. Good combination of something you have (the card), and something you are (the signature).

Why are fingerprints so much harder to copy than signatures? They're both biometrics.

Re:More validation is needed

[RelliK]

Not necesserily.. the PIN is stored on the card itself (one-way encrypted or sumething.. I'm not well-up on crypto stuff). So therefore the whole pin-processing can go on within the POS (Point-Of-Sale) terminal which just needs to return a success or denial message.

You got one thing right: you're not well-up on crypto stuff. Or common sense. How would this magical POS know if the PIN is valid or not? If PIN is hard-coded on the card, how is it different from the card number?

Re:More validation is needed

[EasyTarget]

I've been told this on several occasions by people who -are- well up on card security. The PIN is certainly stored on the card in some applications.

The PIN is obviously -not- stored plaintext, but as a DES encrypted number somehow. This may not be true for all systems but if you look halfway down here or here
You will get the general idea.

On the other hand, other sites tell you differently.

Re:More validation is needed

[GLX]

No way... What happens when I change my PIN? (something trivial to do with most banks...) They surely don't send me out a new card.

As well, a lot of credit card companies allow you to pick your PIN long after you've received the card...

Re:More validation is needed

[ddstreet]

the PIN is stored on the card itself

Nope.

You want to know what is stored on your card? Not much. US cards (foreign - e.g. Japanese - are different) contain 3 tracks (ISO tracks) which contain up to 98 bytes (track 1) + 46 bytes (track 2) + 139 bytes (track 3). Total up to 283 bytes. So that ain't a lot of info.

Oh, what exactly is stored on the card? Well take a look at this doc in the MSR (Magnetic Stripe Reader) section. Thar ya go.

Re:More validation is needed

[swillden]

I've been told this on several occasions by people who -are- well up on card security. The PIN is certainly stored on the card in some applications.

Some applications, yes, this application, no. Smart card-based credit cards may and often do store the PIN in the chip, but that's because the chip is fairly secure. The magstripe is not. There are some DES-encrypted verification codes stored on the magstrip, but not the PIN.

An easy way to prove that this is the case is to call your credit card company and change your PIN. You'll notice that they do not issue you a new card.

Re:More validation is needed

[JimBobJoe]

Fine, the number may be legitimate, and the card may be legitimate, but is the actual transaction legitimate? In other words, there is no validation that the card being used for the transaction really does belong to the person making the transaction.

For the most part, this isn't important with in-store transactions. Why?

1. Online fraud is more pervasive than in store fraud--20 to 1.
2. The type of fraud in which a person uses someone else's card is *extremely rare.* Most people who lose their wallets or have their wallets stolen are vigilant and get the cards cancelled quickly enough.
3. The in store fraud which does take place involve fake cards printed up by the fraudster with a new card number and expiration date, or sometimes they magnetize one of their own cards with the new card number/expiration date. Clearly those could be fought with a more complex (possibly biometric based) system...but the cost is astronomical in comparison to what it would stop. In fact, in the mid 90's there was this idea to put photos on credit cards, and that seems to have fallen by the way side. The cost to the bank of processing cards that way simply is not justifiable, especially since it doesn't achieve a damn thing. In store fraud simply is not the problem online fraud is.

but it will cut down on innocent people being ripped off

not directly. innocent people don't get ripped off because credit card issuers swallow the charges (even that $50 thing that we hear so much about is usually waived.)
however, on-line fraud is swallowed by the merchant, but that's a different story.

Re:More validation is needed

[trancelucent]

the PIN is stored on the card itself

Wrong. The only data stored on a US credit card mag stripe are the card number and expiration date, in plain text.

Re:More validation is needed

> innocent people don't get ripped off because credit card issuers swallow the changes

WRONG... the *merchants* eat the charges. The deck is stacked against them. If the credit card companies had to pay, the system would be vastly more secure than it is now.

Re:More validation is needed

[seaan]

Information about the PIN (not the PIN itself) may be stored on the magnetic stripe of a debit or credit card. The standards are pretty vague when it comes to PIN verification, and it is mostly up the individual institution to decide how to verify their customer's PIN. By contrast the standards are very precise about the location of account numbers and expiration dates, because they are needed interoperability reasons - everyone using that card needs to know about them. PIN verification is only performed by the "bank-card-owner" (or a designated stand-in processor).

The PIN information is called a PIN-Verification-Number, and may be stored in the mag-stripe data. The PVN can also be called an offset, but essentially think of it as a cryptographic-hash (usually DES based). Local verification of the PVN used to be much more common, especially when the only place to use debit cards were the ATMs owned by your bank. The banks would place their verifications keys in every ATM, so that they could perform transactions even when the ATM was not connected. Because of both security reasons and improved communications, this is pretty uncommon now for all but the smallest of banks.

There is now a trend in the industry to not use card-based PVN, and to instead rely upon central databases. As Point-of-Sale terminals and the cross-use of ATMs owned by different banks grew, local verification became impractical. The keys used to verify the PVN were very secret and the banks did not want to share them with other banks; let alone trust them to a POS terminal (Aside: POS terminals tend to be very price sensitive, and their security capabilities are usually as minimal as the purchaser can get away with. From bitter experience, I know that trying to sell a customer POS terminals with much better security at say $205; will loose because they will buy an insecure $200 model instead!).

Finally to address another comment in the thread: If you change your PIN, and your bank uses a card-based PVN, you will need to update your card's magnetic stripe (disclaimer: I helped design a system that does exactly that, used at a number of major banks such as Wells Fargo, Citigroup, etc.). If your card does not have a PVN stored on the mag-stripe (for example, most US credit cards), than obviously you won't have to update the card when changing your PIN.

Truly a Best Buy

[phunhippy]

Best Buy sends the credit card info cleartext over 802.11....... hmmmm maybe they really truly are best buy then! They went out and found the cheapest Wireless Point of Sale system.. to them it was the BEST BUY :)

Re:How i gave away my credit card details.

[oliverthered]

The general point is, I'm a fairly cautios person, I always ask the police for ID, throw away all those 'You have won £30,000', all you have to do is sent £10 to claim you prise junk mail letters etc... It was only the aggressive nature of the caller that made me susspitious, basicly you can
get anyones credit card details,
Pick a number from the phone book,
Just phone up the TV licensing people, and enquire about 'your' license,
If it's about to run out etc... then
Phone the number in the phone book,
tell them there TV licence has expired,
Take there details,
Pass them onto the TV licensing people (so that they think evrything is ok).
And use there credit card details for making calls to phone sex lines, or whatever.

high tech credit card theft

[GutBomb]

with everyone paranoid about credit card theft using high tech means people seem to forget that while most internet transactions are safe, what you really need to worry about are people who actually handle your card.

The cashier has access to your nubmer. the accountant has access to your number. the manager of the store has access to your nubmer. some stores print the entire number on reciepts so anybody willing to dumpster dive has access to your number. waiters and waitresses who carry your card off to the register in a restaurant has access to your number...

and now people in the parking lot have access to your number.

Re:high tech credit card theft

[anthony_dipierro]

Exactly. My grandfather once had his credit card number stolen directly by a store worker who wrote it down on a piece of paper. Turns out she also had the unauthorized purchases shipped to her house, so the FBI came a knocking shortly later.

What about "People" transmitted credit card number

[Steev]

I don't know about you guys, but I'm much more worried about people writing my credit card number down and passing it to somebody else or overhearing me when I order something over the phone than I am about it being picked up wirelessly by some chump with a laptop in the corner of the store.

Most -- note that I said "most" and not "all" -- of the people that are going to defraud me by using my CC number are not going to have access to a computer with equipment capable of sniffing the air packets (that sounds kind of gross) to get that number in the first place.

New transmission medium

[rednuhter]

If I told you I had devised a way of connecting to the internet via the ocean (Im am trying to make a point) you would say hay (if you are american) thats pretty cool, when are you going to have that on the market. I reply (cos it is still in development) 2-3 years.
So for the next 2-3 years I have my amazing tcp/ip over large bodies of water running just for testing, why should I encrypt? no on else knows how it works I problery have a custom packet handling system etc.
Same with wi-fi, no one expected everyone to have access to it so soon.
The wi-fi tills are proberly well over a year old (even if they are new to the store).
I worked on a number of etransaction systems for orders over the internet between businesses and the number that had no security except the fact nobody knew which URLs were being used was stagering.

Re:New transmission medium

[groman]

Well, when you're developing a method of communications you don't usually test it by running other people's credit card numbers through it.

Re:Trust - bzzzt! wrong def?

[nalfeshnee]

ummm ... last time i looked, using a credit card is patently NOT the same as handing someone the keys to your safe. the money is NOT yours, and if someone other than yourself manages to gain access to it, you do NOT have to pay it back (at least, above a certain limit, $50, whatever).

that is the whole point of credit cards, after all. a way to deal with cashless transactions in a way that ensures your money is not technically at stake should something go tits up with the system. now, if we are talking about DEBIT cards, such as the Switch cards in the UK, that is a totally different kettle of fish, and your point about the safe is entirely correct.

nalfy.

Exactly!

[Grape+Smuggler]

For example, you responded to an obvious troll. Guess someone has a case of the Mondays!

HAND!

Credit card encryption

[plumby]

It's not only the shops that don't believe in encryption. I recently worked on an electronic payment project, and we told the bank (Major UK high street bank, not saying which one) that we wanted to encrypt our connection to them. We were basically told "Don't be paranoid, no one does that. We don't accept encrypted links."!

Other Fraud mechanism.

[EasyTarget]

If the transactions are in plain-text, is there any checksumming etc.. that takes place.

It occurs to me that what you could do is be able to intercept (or pre-empt) and replace data in valid transactions.

Then sit in the car-park, and substitute a different card number in to any refund transactions encountered. Create an account specifically for this, and drain it before any fraud is likely to be detected, easy money.

All of this is assuming that the systems do not use basic checksumming double-verification etc.. but given that they already transmit them wirelessly and unencrypted, what chance is there that they take even basic protections against false data beiong injected into the network.

Re:Other Fraud mechanism.

Then sit in the car-park, and substitute a different card number in to any refund transactions encountered.

Refunds require an original transaction number. What you could do is have a friend go in and buy lots of stuff and then substitute a stolen card number for his. Or just use an expired card and fake the authorization...

Re:Why bother? Thieves can just guess.

[BlueUnderwear]

Usually, attempting to do this ("guessing" credit card numbers) would rack up rather high charge backs fees for each failed attempt. Those chargeback fees are exactly intended to foil such guesswork. The idea of makeing up numbers (with checksum matching) is fairly old, and has been used by spamfighters to "punish" spamvertised sites (pretend to buy an article, supply a bogus cc number, do it early, do it often, use open proxies, and watch as the outfit goes out of business due to chargeback fees).

However, what makes the scam your are linking to interesting, is not the fact that the criminals were brute forcing the numbers, but rather than they were using merchant accounts other than their own to do it. That way, some unsuspecting victim was stuck with the bill, rather than themselves. It was more an exploit of authorize.net's online card validation system than a problem with the credit cards themselves.

What about Card Receipts?

[dannycarroll]

This is bad, because it's probably able to be automated but on the other hand, how many people throw their cc receipts away in the first bin they come to?

Re:What about Card Receipts?

[Atrahasis]

Most (nearly all) CC receipts carry only the last 4 digits of the card that was charged.

My dad and the Discover Card readers

So one day my dad brings home these credit card readers from a surplus store.
"Can you do anything with these" he asked.
"No" I replied.

Re:How i gave away my credit card details.

[IainHere]

>>The BBC is a non-optout subscription service

You aren't obliged to own a television. Throw it away.

So can crooked cashiers...

[mcwop]

which is exactly what happened to me at Best Buy.

Root password

[Mattygfunk]

Presumably your PIN number for savings transactions on a bankcard would be processed at the handset, but this information would be serious concern for a lot of people if it was broadcast as well.

One of the major reasons I dont own a credit card and haven't ever, is the loose security generally. By simply trusting the clerk wont look at the numbers on the card is a rediculous gamble with money you don't have.

Hey, gimmy your root password on a bit of paper and ill give it back to you if you forget. Promise I won't look.

Re:Root password

By simply trusting the clerk wont look at the numbers on the card is a rediculous gamble with money you don't have.

You don't have $50? Get a card with $0 liability.

Re:What about "People" transmitted credit card num

[arkanes]

You're worrying about people stealing YOUR credit card number, and the people stealing want A credit card number (actually, lots of them). It's a waste of time to randomly tap phones, and the old writing them down from your retail job works but has alot of potential risk involved. Sitting in a parking lot for a couple hours with a laptop is practically risk-free (just need to find a Best Buy next to a McDonalads or something) and will let you gather LOTS of numbers. Therefore, while someone wanting your specific card isn't any better off, the odds of your card being stolen this way, and used in a way that will cause you a huge mess, is higher.

Home Depot?

[b1t+r0t]

I've noticed a wireless base station at the back of my local Home Depot. I seem to recall it had a directional antenna pointed at the cash register area. (And by extension, towards the parking lot as well.) I hope they have enough clue to use at least minimal encryption. The hell with parking lots. Get an iPaq or Zaurus with an 802.11b card and you could walk around the store with it turned on and hidden in your pocket. For as long as the batteries held out, anyhow.

Re:Home Depot?

[Gonarat]

The problem is that you don't even need to get out of your car. Get a laptop, an 802.11b card (that supports an external antenna), a 1/4 wave mag-mount, some software, and you are in business. The big problem is that most wireless access points default to no WEP, default system id, and default password to set up the device. If these are not changed, then anyone with the above equipment can sniff the data. One does not even need to enter the store.

BTW, if you are sitting in your vehicle, you can hook up to the cigarette lighter/use an inverter, and sniff away without running the batteries down on your laptop.

Re:Home Depot?

home depot does not use wireless for customer information (registers or anything credit card related)

online credit card theft

[hetairoi]

"Now you don't even have to be online to have your number stolen."

right, before the internet, credit card numbers couldn't be stolen. I also understand that before the internet, no music was ever pirated.

---

slan

[tofupup]

here is a good gpl project slan
http://slan.sourceforge.net/
that does exactly that. it is
a bit sparse on details but
it basically secures 802.11.
it fakes a network driver and
creates a secure link so there
is little need to modify much.
it needs a shot in the arm
and a bit of "hype" but
looks good otherwise.

Oh, the irony

[rommi]

They can somehow get the equipment to sniff CC numbers? But they can't get CC's by themselves? Castrated...

180 degree turn?

[Mattygfunk]

Will shop security turn the tide towards the Internet for secure transactions when it was previously critisized for being prone to "hackers"?

Re:How i gave away my credit card details.

[burts_here]

cunning... i never thought they would be clever enought to fool me into thinking everything was ok, but actually sending you a real licence is pretty dam good, if it wasnt so low down and dirty i would be impressed! ;)

Credit Card numbers get stolen offline?

[pinkUZI]

Gives more credence to the idea of one time use credit card numbers. Now you don't even have to be online to have your number stolen.

This should come as no suprise seems it has been easier to steal credit card numbers offline than online for some time now. Think about that pimply faced waiter disapearing in the back with your credit card at a restaraunt. Who cares if you lose your credit card/number anyway?

I already have one time CC numbers

[bsdnazz]

I use an online bank in the UK which can and does issue one time credit card numbers. When issued they are set to expire at the end of the month (delta it being near the end of the month) and the transaction value is capped.

The transactions appear on my normal CC bill so I don't have to manage lots of CC numbers.

Not a total solution but helpful none the less.

Re:Why bother? Thieves can just guess.

[j09824]

These scams predate Internet credit card payments by many years. People used to guess credit card numbers and "verify" them over the phone or at various convenience locations. Banks have made this particularly simple by making valid, recently issued numbers easy to guess.

Online????

[neilb78]

Now you don't even have to be online to have your number stolen.

Ah....news flash....you've never had to be online to have your number stolen. Resturant, Gas Station, Pick-Pocket....etc... HELO... McFly...

offline credit card fraud? never heard of it

"Now you don't even have to be online to have your number stolen."

Someone tell this dude about cc receipts, people on phone orders stealing your cc number, and all those dozens of other offline methods of cc fraud which existed waay before cc fraud came online. It's not a new thing.

Daniel

You never had to be online!

"
Now you don't even have to be online to have your number stolen
"

You never did. It has always been more likely that the waiter or the cashier would steal your credit card, rather than some hacker.

Re:Why bother? Thieves can just guess.

[dachshund]

With modern computer equipment, a lot of people get screwed.

Or, that is, a lot of banks and merchants get screwed. Last I checked, I wasn't liable for any mysterious charges that showed up on my bill. When the CC companies feel that a more secure system will protect their profits, they'll implement it.

As seen on vuln-dev...

[Denium]

This was originally a thread on SF's vuln-dev mailing list. The moderator, Blue Boar, posted the message on behalf of an annonymous correspondent.

The original message is available at SF's archive.

Original message (FYI)

[Denium]

To: Vuln-Dev
Subject: Wlan @ bestbuy is cleartext?
Date: May 1 2002 3:57PM
Author: Blue Boar

I was asked to anonymously proxy this question to the list. Here ya go.

BB

This past week I went to bestbuy to purchase a D-link wlan card... egar to get my laptop up and running while in the car I put my card in and installed the driver. I noticed the traffic light was lit up as if I had a connection. Out of curriosity I fired up kismet and sure enough there were packets flying through the air right infront of BestBuy. Well I decided to run in an try to make a Credit Card purchase real quick to verify that my info was not going all over the parking lot in the clear. Well after sorting out my logs I noticed what looked to be like SQL queries and table headers in my logs ... things such as CUSTOMER_ROUTEID, BANKNAME, REGISTER_ID and things of that nature... luckily no where in that data did I find my own credit card. Non the less I decided to run to the store next to BestBuy while I left me PC on grabbing packets. Well yesterday I sorted through the data collected and this time I did indeed find a RAW clear text credit card number....not mine ... but definately a credit card number.

Heres my delima... I checked out a few of the other best buy stores for "beacon packets" and everyone I drove by was sending them out...so I assume all BestBuy's are wlan enabled. What I need to find out is ... are BestBuys's Cash register terminals indeed using wlan and are they indeed sending out MY data in the clear... I am NOT comfortable using my credit card at ANY BestBuy as of right now... due to legality though I don't feel comfortable walking into the store and confronting someone about it.... for all I know it could be standard BestBuy corp. practices to use nonsecure wlan. I figured by starting a thread other people that have attempted this may have more info or some from BestBuy may be reading the list and they may pipe up.

guessing doesn't work

[David+Jao]

the credit card number space is too small anyway.

You got it wrong. The social security number space (9 digits) is too small, but the credit card number space is perfectly adequate.

Most credit card numbers (not counting store-issued cards here) are 16 digits, for a total of 1E16 possible numbers. There are 6E9 people in the world, and less than one credit card per person. That leaves you over a million invalid credit card numbers for every valid one.

Now, granted, there are some regularities in the set of valid credit card numbers that you can use to increase your chances of guessing one, but that's not enough to overcome the million to one shot that you start out with. Moreover, in most cases, actually using a credit card number requires knowing the name and expiration date of the account as well.

I agree that banks assigning credit card numbers predictably is a problem, but this problem would exist regardless of the size of the number space. The size of the number space itself is not a problem.

Re:guessing doesn't work

Most credit card numbers (not counting store-issued cards here) are 16 digits, for a total of 1E16 possible numbers.

And the first 8 digits are determined by your card. And the last 1 or 2 are determined by the checksum. So now we're down to 7 digits. 1 in 10 million. Then assume that there are 1000 other people using the card. Bam, you're down to 1 in 10,000.

Re:guessing doesn't work

[Mr.Intel]

And the first 8 digits are determined by your card. And the last 1 or 2 are determined by the checksum. So now we're down to 7 digits. 1 in 10 million. Then assume that there are 1000 other people using the card. Bam, you're down to 1 in 10,000.

Now add to that the expiration date and "signature code" and you have two more keys to verify you are holding that card in your hand. Sure, Credit Cards suck in and of themselves, but there is more to it than a number. More e-tailers I do busines with ask for those three things and sometimes a phone number to call the issuing bank.

Re:guessing doesn't work

The first 4 digits of those 16 are definitely not random, those digits are assigned depending on the bank that issued the card. The routing number is going to be the only ass kicker in generating CCN's. The algorithm's the different companies use are far from complex and be figured out after around 13 attempts starting from a valid number.

but oh well.

Re:guessing doesn't work

[indiigo]

Incorrect. Banks own the first four digits, you are looking at 12 numbers now.

They *are* often sequential, so you are looking at getting a few cards from a single bank and using a range,
and the expiry dates are about 1/14 chance, often using each in turn will work. Get a friend at a retail shop to try them all. Not all that hard.

Re:guessing doesn't work

[David+Jao]

Banks own the first four digits, you are looking at 12 numbers now.

12 numbers it may be, but no single bank has the entire human population as customers, so 1E12 is not an unreasonable space size for a single bank.

They *are* often sequential

This kind of stupidity on the part of the banks is not a problem that an increased space size will solve.

Re:is wireless really just for a quick and easy se

[BreakWindows]

Well, they allow us to get free credit card numbers!

Re:How i gave away my credit card details.

[oliverthered]

OK, you can have a satalite disk, but don't have to pay for any services, i.e. you can opt-out.

everytime you buy a can of coke etc.... you are indirectly paying for advertising this is a non-optout non subscription service, even if you don't have a TV

I prefer direct payment.

Re:Trust - bzzzt! wrong def?

[infiniti99]

if someone other than yourself manages to gain access to it, you do NOT have to pay it back

This is true. Using credit cards can sometimes be safer for an individual than other monetary transactions, because the credit card company will insure you if something goes wrong (within limits, as you say).

Still, this doesn't make the system technically better... it just moves the risk onto the credit card company. Although now that I think about it, would the average credit card user be able to handle the risk themselves if the system were implemented my way? We all know how people write passwords on their forehead.

Re:Why bother? Thieves can just guess.

Yes, there's no better way to fight spam than to commit fraud. It's those brilliant civic minded individuals that make the world a better place.

Re:Trust - bzzzt! wrong def?

Still, this doesn't make the system technically better... it just moves the risk onto the credit card company.

No, it moves the risk onto the merchant. Credit cards are nothing more than an efficient loan system. Rather than the merchant checking each buyers credit, and going through collections every time a buyer defaults, they have the bank do it all for them in a much more efficient fashion.

Yes, one time credit card numbers would be preferable, but it's probably not worth it to most consumers for the pennies on the dollar they will ultimately save.

One time credit card numbers?

[BCoates]

Gives more credence to the idea of one time use credit card numbers

Sounds like a great idea, one-transaction cards, with a unique number on each of them, all tied to one account.

But plastic swipe cards are too expensive to use once and throw away--make them out of paper, better for the environment.

While you're at it, you could eliminate the need for the seperate credit card reciept by putting the amount and signature on the (paper) card, and handing it to the retailer... you could even that funny non-carbon carbon paper if you wanted a reciept for yourself.

Print them up in a handy-little tear off pack, maybe throw in a balance sheet so you can keep track of your expenses (if you're so inclined).

If you let little old ladies get ones with puppies or kittens on them, this radical idea of yours might just be a success!

--
Benjamin Coates

Re:One time credit card numbers?

[ShavenYak]

There's nothing (well, very few things) I hate worse than standing in line behind some schmoe paying with a check. It would be fine if they wrote everyhing but the amount out in advance, and then just had that to fill in once they were rung up - but that never happens. They wait for the cashier to finish, then ask to borrow a pen. Then they fill in the name of the store, the date, the amounts, something on the (pointless) memo line, then finally they sign the check. Now, the cashier has to validate the check, ask for an ID, perhaps call the manager over if the customer wanted cash back.

Then, once they are finally through, I swipe my card, wait 5 seconds for the receipt, sign it, and am on my way. And if my wallet is stolen, my maximum liability is $50, if the old lady's checkbook is stolen, she can be out the entire balance of her checking account.

Re:One time credit card numbers?

[MCZapf]

Why stop there? You could also make these paper transaction cards reusable - don't tie them to any single account. Each one would still have a unique serial number on it. For convenience, they could be available in nice, round-numbered denominations: $1, $2, $5, $10, $20. I don't know about puppies or kittens, but you could put portraits of dead presidents on them, I think.

Re:One time credit card numbers?

[randombozo]

This reminds me of old passbook bank savings accounts. Give the teller your deposit and your book, and they give you back the book with the deposit and your new balance added to it.

They got killed off by ATM machines and "shareholder value." Why encourage customers to keep a book that leaves no questions when you can give them a receipt that most fools just leave behind or throw away at first chance? Bank error in your favour? Yeah, right.

Re:One time credit card numbers?

[sharkey]

Idea for the $10,000 paper transaction card: Put all the Presidents on it, they could have a party. Jimmy Carter would likely pass out on the couch.

Re:One time credit card numbers?

Wow, man, if the worst thing in your life is waiting a minute or two for someone to write a check, I'll trade you for mine.

People are in such an artificial hurry, no wonder we're all stressed out!

Re:One time credit card numbers?

[ShavenYak]

Perhaps that was a bit of an exaggeration. Having my wisdom teeth removed was definitely worse, as was food poisoning, my first breakup, and any number of other things that don't come to mind immediately. However, waiting in line is something that happens quite often, and as Murphy's Law would dictate, always happens when I'm already running late for something, so it stands out more.

Re:How i gave away my credit card details.

[Zonekeeper]

You have to have a license in England to have a TV??

Another Reason

[Amazing+Quantum+Man]

Yet another reason not to shop at Best Buy

Re:How i gave away my credit card details.

[oliverthered]

Yep, anything that can recieve TV signals.

Information Security vs. Legal Security

[jstockdale]

We must remember that the reason credit cards exist in the first place is to simplify the transfer of money from entity a to entity b. Although it is true that the securtiy is a joke on the current implimentation, the reason it hasn't been upgraded is that nearly any addition of security will add overhead to the user, and complicate their interaction with the credit system. Instead, the credit cards use a system of zero liability for unauthorized transfers for the end user (which nulls their complaints about securty) and a heavy handed, we will find you and prosecute and screw your life over if you rip us off philosophy. Therefore their overall security in the big picture with respect to fraud isn't quite as bad as many people have claimed it to be. They may not have information security, but they have legal security, and as long as their technology people keep up with those people committing fraud (ask a guy in my residence hall at uni whether or not the three guys he knows that did this think that they can keep up ... i'm sure he'll get back to you in about 6 months when his friends get out of jail (yep they're about 19 btw)) then the system will continue as it has been.

one more reason not to shop at Best Buy

[AssFace]

is there a known list of stores that use this wireless - or is there an easy way to tell?

SecurID and Credit Card Companies

[OS24Ever]

SecureID and Credit card companies should get together. Those neat little keychain FOBs that change numbers every 60 seconds would be a good tech for the one-shot credit cards. If your card number changed every 60 seconds It'd be pretty hard to snag it and use it.

It should be somewhat easy to implement, credit cards would cost a bit more so of COURSE annual fees would have to go up at least 150% ;)

I'm going to restate this over and over again.

[mindstrm]

Check your credit card contract.

Most say you are liable for fraud only if your CARD is stolen, and only for the time between it's theft and when you report it to the company.

Any other fraudulent use of your credit card number you are simply NOT liable for. Remember, it's not really your number, and the card is not really yours. It's the property of the issuer, it says so on the back. It's a (weak) security token they issue you in order to identify yourself as someone who has a line of credit. If someone uses that, fraudulently, it is a screwup on the part of the merchant, or the bank. You do not pay.

If your contract says otherwise, or puts any other liability on you (other than normal, responsible behavior of course), shop around and find something better.

I realize it's a pain if someone has your number, and starts using it. It can be really inconvenient. But my point is.. rather than treating this like property that they have stolen from us, just like stealing our cash, we should be looking to the credit card companies to make sure this does not become our problem... because ultimately, it's theirs.

European Card Readers

[cmpalmer]

I've always said that I trust secure web transactions more than I trust giving my credit card to a waiter and having him carry it into the back of the store for five minutes.

When I was in Paris last month, I was, at the time, pleasantly surprised that every cafe or restaurant I went to had wireless credit/debit card readers that they carried to your table so that the card never left your sight. These may be in use more in the U.S., but I don't think I've seen them.

Do these European devices have decent security, or would I have been better off giving Pierre the card to use on a wired reader?

Re:European Card Readers

[Gonarat]

We looked at the wireless credit card terminals that you are refering to. The model we saw used 900Mhz and a proprietary 128 bit encryption scheme (not WEP). I believe they were coming out with 2.4GHz models, but they still used the proprietary encryption scheme. I do not know if they 802.11b or not. At least the encryption scheme is more robust than WEP.

Why are you worried?

[mindstrm]

If someone taps your phone or otherwise gets your number and uses it, why does this concern you?
The worst that can happen is you have to make one phone call to your card issuer to tell him you didn't make the charges.

If they use your number, they are not defrauding you. They are defrauding the merchant by using a card that is not theirs (the issuer will cancel the transaction and the merchant will not get paid.)

One of the main benefits of credit cards are that the responsbility for validation rests on the merchant, not on you. Unless your card is physically stolen and you don't report it, you do not have to pay for fraudulent use whatsoever.

What about Canadfa too? - Re:European Card Readers

[Malc]

Here in Canada, the debit card system is called Interact. There're no signatures as it is all based on PIN numbers.

In the last few years I've been seeing an increasing number of wireless payment options. This is great in bars as it saves going and hanging around in an obscure corner with the wait staff constantly trying to squeeze by.

It makes me wonder how secure it is... I wouldn't want somebody to get my bankcard and PIN number.

Re: PIN

The PIN is the DES-encrypted version of the card number (account number, whatever), translated to decimal digits by substitution from the encrypted block's hex representation. If you can specify your own PIN, you actually specify an offset between the above value and the value you type to the sniff^HATM keyboard.

The secrecy of a PIN comes from the secrecy of the PIN-encrypting DES key. ATM-to-branch traffic is also encrypted under DES keys set up by split-knowledge procedures.

More proof

[rblancarte]

I like how the /. blurb said - Now you don't even have to be online to have your number stolen. You never did. Anyone who knew anything about credit card security said that your card was more secure during internet transactions that using it out and about in the real world. This is just another case of that.

I love how people want to make it seem that these are all new ways of credit card fraud. Fact is that it was out there long before technology, and as long as CCs are used, it will be around for a while.

RonB

Cash.

[Kedyn's+Crow]

Incidents like this remind me why I do nearly all my
business in cash. Cash is and will always be more secure
than any electronic substitute.

Read it...

[cthrall]

The article makes no mention of people actually grabbing cleartext passwds out of the ether, just:

"But several computer hackers contacted by MSNBC.com said they had spied credit card data in among the wireless traffic they'd captured."

Uh huh. And I can use my PalmPilot to grab IR signals out of thin air and steal cars.

http://www.monkey.org/geeks/archive/9812/msg0002 7. html

Re:Read it...

[unithom]

It is quite a strange feeling to come to the end of a thread and see yourself quoted.

If you don't believe me, I can probably find my old calculator, and dig out the program that we used to do it. My friend had a Jeep Grand Cherokee, we borrowed the key fob, recorded the signal, and played it back. Woo, the doors opened.

This is not unlike using a copy of OmniRemote these days on a palm pilot to 'learn' the buttons of your remote control.

I don't know if they still use IR for car entry systems, but I doubt it.

Best,

Thom Brooks

Re:Read it...

[cthrall]

Oh, I believe you...just linking to your page to illustrate the power of suggestion - during that time, the story was you could use a Palm to just "grab IR out of the air" and steal cars...kinda like the suggestive headlines and story here. :)

OmniRemote was cool, but made me wish my IR was stronger (remote not quite as effective when you have to stand next to tv).

Re: PIN

You are so full of shit.

Best Buy isn't the only one!

[Otto]

I know of several stores that use wireless point-of-sale systems. Most now use 802.11b. Not one of them uses WEP. I went war driving one time and found several stores networks. No WEP. Some obvious SSID's.

This setup is *extremely* commonplace.

Re:Best Buy isn't the only one!

I agree. I've seen the same using Kismet.

The answer: CQ DX 13cm

Well, I guess one way to thwart these assholes would be to set up some of my ham gear (and, yes, I'm licensed and have been for 30+ years) on the 13cm amateur band - maybe some wideband ATV running an F5 (not A5) emission. If the fundamental overload doesn't get them, maybe the adjacent channel (and, trust me, it will be a wide effing channel) desensitization will help.

Whoever designed these stores ought to have 220V applied to their genitalia - idiots like that should NOT be permitted to breed, or even enjoy sex, for that matter. If the effing registers need AC power to function, why couldn't they run shielded network/communications cables for the registers at the same time? This is NOT rocket science!!

Now that this article has been broadcast by MSNBC and splattered by Slashdot, I can just envision some "hackers" prowling around car rental parking lots (e.g. Avis) sniffing the wireless terminals as folks turn in their rental cars. I'm sure there are dozens or hundreds of other similar scenarios possible throughout our various cultures.

I helped develop some of the original Thickwire Ethernet stuff. Yeah, the cables were fat, bulky, and expensive. But, for RF interference/radiation, they were an overkill. Now I'm wondering what might constitute an "overkill" today... I'm not privy to the Tempest specs, but what was good enough 10 years ago isn't today, and perhaps ordinary citizens and business ought to ponder that and make appropriate infrastructure changes.

Speaking of ?Best Buy...

[Newer+Guy]

How about an update to the video card arrest last week? I emailed Best Buy a complaint, and heard...nothing from them.

Re:How i gave away my credit card details.

[MarkGriz]

>> You have to have a license in England to have a TV??
> Yep, anything that can recieve TV signals.

Shhhh... Don't let Turner Broadcasting hear about this. They might try to require you to buy a PVR license, to cover the losses from all of the "PVR thieves"

How secure anyway?

[essdodson]

How secure is it even if they were wired? Most large retailers connect to their credit handlers via a satelite mounted on the roof. Does anyone know how secure that is? Are they using the highly respectable DES that should be enough for everyone, least according to some.

Wireless registers have 200ft range, the satelite beams stuff into outerspace. Maybe seti@home will find our alien friends stealing credit card numbers. See, after all, that project does have a use!

Re:Why is this modded 2??

They aren't godless ... they just worship Cazic-thule

ECPA, Part 15, and you

[AB3A]

This is a classic example of a foolish notion that radio communications ("wireless" for those of you who didn't realize what technology this is) can be made private. Yes, our Federal Communications Commission (and many other such agencies world wide) believes that you'll be a good citizen and not monitor your neighbor's juicy conversations.

This goes against everything we've known about radio for the last century. However, given this sort of legislation, nobody can hold Best Buy or any other retailer liable for sending your credit card information out over the airwaves where everyone can see it.

Idiots

[darth+dickinson]

However, Ray Martino, Symbol's vice president of wireless network products, said that credit card data wouldn't normally be among the traffic that's broadcast through the air. Credit card purchases still require authorization from a bank, meaning the traffic must travel over a phone line.

This just goes to show how incompetent VP's can be. How do you think that the data gets from the wireless registers to the device that dials the auth co, or that routes it across the leased line?

Just another example of the Peter (or Dilbert) principle at work.

huh

[NickRob]

numbers. Now you don't even have to be online to have your number stolen.

Really? I'll have to ask muggers and dumpster divers about their wireless connections that allow them to be online when they do that sort of thing.

How often do cash registers move?

Why the hell do they have to be wireless?

Re:How often do cash registers move?

[porkchop_d_clown]

Moving them isn't the problem. Stringing wires is.

It's even easier than that.

[Cheetahfeathers]

To get your card stolen all you need to do is use it at a restaurant. They take it in back, swipe it for payment, swipe it again in another reader to clone it, make a note about the name & expiration date, take it back to you and it's done. Now they can make a copy that is good at most places, can be used online at many places (to be delivered to a nearby abandonded house for pickup).

These type of folks are rarely caught. Banks and credit card agencies find it easier to eat the loss rather than track down the thieves. If it happens in multiple cities (thief buys in one city, then one next to it, but it was stolen in a third city) it's even worse. You expect cops to work with nearby cities? Ohh, the paperwork! We can't do that for such petty crimes!

Credit card systems like we have now are currently very insecure, wireless insecurity aside. We need something better.

as best buy I would be equally worried about....

What other stuff is floating over those airwaves.
this situation is ripe for industrial espionage scenario. original post mentioned sql queries etc. As a hired gun of competing chain, I can gain lot more info this way. but if it hadn't been for CC info, they prolly wouldn't have listened. blurb about CC made it a public perception thing & made them respond faster

There is security

[dxkelly]

According to the article security is available but the store can turn it on or off.

Not that I sleep with Best Buy, or anything...

[asdfx]

I think we are far to hasty in our blaming Best Buy. The company I would point blame at would be the creator of the wirelss network. At some point they (probably willingly) neglected to add any form or security.

From the Article:
The company [Best Buy] responded quickly on
Wednesday --
spokesperson Donna Beadle, in an e-mail, said
the company had "deactivated our wireless
temporary cash registers that transmit
information via LAN connections."

If we can assume this is true (although I realize that would be naive :-p), it seems Best Buy is doing what it can to protect its customers. There are other companies mentioned in the article, as well, but no mention of what they are doing about the situation.

Streaming Video

The problem with their setup is Best Buy did not have any encryption. They disabled SSID broadcasts so Netstumblers would not see them. But sniffers had no trouble at all.

This is bad news for WLAN in general. Large companies roll out large scale wireless networks without taking minimum precautions. Then tell everyone the sky is falling when their implementation is discovered to be insecure.

Shame on the consultants that designed and implemented this!

Tonight at 8pm (pacific) for 30 minutes or so. I'll be discussing the Best Buy issue, Kismet and others issues similar to it. Check http://www.lpbn.org for any last minutes changes and for the link to the stream. It's streamed in Real Player only.

Tonight it'll be me the whole time but starting next week I have guests.

Before and during the show I'll take questions, comments and rants at this email (frank@pasadena.net) or on AIM: fkeeney4

fungus

Re:Streaming Video

forget about real player
there is only quicktime

keygens

There are many credit card keygens already out there for Visa and Mastercard. The algorithms for generating the numbers has been cracked a long time ago.

Re:What about "People" transmitted credit card num

Love your subway site dude! Good stuff!

re: retail chains and wireless AP's

i am the former employee of a now out of business retail chain(wont say which, but it was in business for like 40 years or something stupid like that). during the fixture liquidation we had all the office/server items on sale cheap, so i picked up a few things, one of which was an access point that we used for the hand held scan guns and registers. it was a symbol technologies spectrum24 acess point, fully supporting 802.11 at a whopping 1Mbps. for those of you not familiar with symbol, they provide the majority of equipment of corporations, including retail chains, such as best buy and meijer. i've had fequent encounters with their equipment and have found it quite good, in this case, too good.

to adress the issue people are mentioning about "how often do you move a cash register? why does it need to be wireless?" it's not the cash resgiter that's usually wireless, it's the credit terminal that you sign and scan your card in. these are most often wireless at makeup or jewelry counters where the registers are on islands away from the counters. they usually will ring up the items you are purchasing and then bring a wireless pad to the counter for you to scan your card and sign. ifyou're worried about people intercepting your card, have them scan it at the register(which then the only two ways that someone can get your number is with a keystroke logger or with magnetic transfer(which takes about 1 minute, requires iron powder, a piece of tape, and a quick evaporating liquid). luckily, not all wireless pads are unsecure. our company soon realized that the acess point was inscure in the implementation it was in, and invested in another solution for wireless communications at the POS. ours used an encryption scheme that was integrated into the hardware, but still used 802.11. it worked in a manner that the pad encrypted the data, and the base of the pad decrypted it before sending it to the keyboard port of the register. also, not all credit card pads are wireless, alot of the ones that are mounted to the counter are still wired, and the ones integrated into the keyboards of the registers are still secure, as well as most all the checkmate hardware made in the past few years(the most common checkmate hardware is about 2 inches high, 2.5 inches wide, and 7 inches long, and scans checks and credit cards, they often use a terminal based systen with rj45's)

i guess it's time to start going around town with my AP and my other symbol bargain, a mitsubishi amity cp, seeing what i can find, as most stores use ipx or tcp/ip based traffic, in clear text, although it's mostly terminal(vt-220 is the most common) traffic.

Reality sets in

No offense, but it looks like many of you have
not worked within I.T. in the large corporate world, or at least in the areas of system architecture or implementations. I don't blame Best Buy at all. However, I do blame companies such as IBM or Symbol who sell the POS equipment used by stores. The reason is because they make implementing security for wireless networks next to impossible if not impossible, at least for large store chains. You may be able to enable WEP, but you won't be able to manage it. You may be able to lock down MAC addresses, but it's almost useless. Someone can determine what MAC's are in use and use it... plus units are replaced for maintenance all the time, and it's one more thing to troubleshoot if procedures to add a MAC are not followed. The vendors use the technology available, but the won't develop management products to secure their devices, they lose money on something that people aren't demanding.

Someone mentioned seeing the SQL queries across the network. Don't you think it will be just as easy to attach to the network, and hack the database server(s) ? I would bet they use default login IDs and passwords. They may even have accounts with no passwords. You'll probably find the same thing at Circuit City, Walmart, Home Depot, Lowes, Franks Nursery, etc. Places that do sidewalk sales or have an outdoor lumber area or place to sell plants.

You've got to admit, Best Buy has great toys in a neat environment. You won't find such a nice display of wide screen high definition TV's at a radio shack.

Sorry for not having a regular account for posting, but I'm a visitor who was only pointed here by a concerned friend.

And here is Best buys response

[m0rningstar]

Again, taken direct from the vuln-dev list:

From BestBuy:

> Thank you for contacting Best Buy's corporate headquarters with your
> concerns. Regarding this issue, Best Buy has deactivated our temporary
> wireless cash registers that transmit information via LAN connections.
> These registers are not Best Buy's main register terminals and represent a
> small percentage of the transactions processed within our stores. Please be
> assured that customer privacy is of the utmost importance to Best Buy and we
> will further investigate this matter.
>
> We do appreciate your taking the time to share your concerns with us.
>
> Respectfully,
> Alex Reynolds
> Contact Center Escalations
> Best Buy Enterprise Customer Care

Hi guys!

I just want to send out a big hello to all of the Secret Service guys that are scouring and harvesting names from this thread.
Hey, how's it goin'?

Good idea

[ahde]

Visa doesn't give a shit about your credit rating, and they make a profit on every chargeback, so lets go to using one time pad encryption? The problem was solved a long time ago. What we need to do is make the credit card companies liable for lack of security.

Folks, it's not that hard...

[Adam+Wiggins]

http://trustcommerce.com/security.html

Re:How i gave away my credit card details.

[Zonekeeper]

Why???

It was

That is why the person was waiting. They need a number of packets to calculate the code. Then it is game over. They should be using SSH or IPSec. Instead, Worst Buy uses MS.

CardWatch

The UK Banks APACS www.cardwatch.org.uk have got a scheme underway ot make every Credit/ Debit card by 2003 contain the "chip" and have PIN identification. Although not exactly rocket science it will cut down on averege skimmer who buys a track 123 reader writer from Maplin for £100.

Re: PIN

[seaan]

The PIN is the DES-encrypted version of the card number (account number, whatever), translated to decimal digits by substitution from the encrypted block's hex representation. If you can specify your own PIN, you actually specify an offset between the above value and the value you type to the sniff^HATM keyboard.

This is true only for the most common (US) algorithm, often called the IBM-3624 algorithm. Other algorithms handle PIN encryption differently.