Slashdot Mirror


Wireless Registers May Expose Your Credit Card

flynt writes: "Found this article about people sitting in Best Buy parking lots with wireless sniffers and intercepting credit card numbers that the wireless cash registers inside the store are beaming about. Gives more credence to the idea of one time use credit card numbers. Now you don't even have to be online to have your number stolen."

8 of 229 comments

  1. Hang on... by enneff · Score: 2, Informative
    What the fuck?

    This is obvious gross negligence on behalf of the point-of-sale software/hardware vendor. How could any remotely security-conscious developer send credit card details in plain text, even over a wired network?

    Absolute insanity. I am in awe.

  2. Re:encryption by GrenDel Fuego · Score: 4, Informative

    Yeah, wireless encryption sucks....

    However, you can add encryption to the tcp/ip running over the wireless. With something like Cash Registers, you can be sure that they're all running the exact same software.

    Enabling IPSec, or something similar shouldn't be too difficult. It's not like you need to make sure it's compatible with all the different OSes.

  3. Original source by Omega Hacker · Score: 3, Informative

    You can find what appears to be the original fwd'd (anonymized) copy of the mail from the guy who first checked this out at this location.

    --
    GStreamer - The only way to stream!
  4. Re:More validation is needed by EasyTarget · Score: 4, Informative

    Sure, the PIN number may be picked up over a wireless network

    Not necessarily.. the PIN is stored on the card itself (one-way encrypted or something.. I'm not well-up on crypto stuff). So therefore the whole pin-processing can go on within the POS (Point-Of-Sale) terminal which just needs to return a success or denial message.

    --
    "Oops, I always forget the purpose of competition is to divide people into winners and losers." - Hobbes
  5. Re:Trust - bzzzt! wrong def? by nalfeshnee · Score: 2, Informative

    ummm ... last time i looked, using a credit card is patently NOT the same as handing someone the keys to your safe. the money is NOT yours, and if someone other than yourself manages to gain access to it, you do NOT have to pay it back (at least, above a certain limit, $50, whatever).

    that is the whole point of credit cards, after all. a way to deal with cashless transactions in a way that ensures your money is not technically at stake should something go tits up with the system. now, if we are talking about DEBIT cards, such as the Switch cards in the UK, that is a totally different kettle of fish, and your point about the safe is entirely correct.

    nalfy.

    --

    -- Despair is an operating system that ANY human being can run, sort of a psychological JAVA --

  6. Original message (FYI) by Denium · Score: 4, Informative
    To: Vuln-Dev
    Subject: Wlan @ bestbuy is cleartext?
    Date: May 1 2002 3:57PM
    Author: Blue Boar

    I was asked to anonymously proxy this question to the list. Here ya go.

    BB

    This past week I went to bestbuy to purchase a D-link wlan card... eager to get my laptop up and running while in the car I put my card in and installed the driver. I noticed the traffic light was lit up as if I had a connection. Out of curiosity I fired up kismet and sure enough there were packets flying through the air right in front of BestBuy. Well I decided to run in and try to make a Credit Card purchase real quick to verify that my info was not going all over the parking lot in the clear. Well after sorting out my logs I noticed what looked to be like SQL queries and table headers in my logs ... things such as CUSTOMER_ROUTEID, BANKNAME, REGISTER_ID and things of that nature... luckily nowhere in that data did I find my own credit card. Nonetheless I decided to run to the store next to BestBuy while I left my PC on grabbing packets. Well yesterday I sorted through the data collected and this time I did indeed find a RAW clear text credit card number....not mine ... but definitely a credit card number.

    Here's my dilemma... I checked out a few of the other best buy stores for "beacon packets" and every one I drove by was sending them out...so I assume all BestBuys are wlan enabled. What I need to find out is ... are BestBuy's Cash register terminals indeed using wlan and are they indeed sending out MY data in the clear... I am NOT comfortable using my credit card at ANY BestBuy as of right now... due to legality though I don't feel comfortable walking into the store and confronting someone about it.... for all I know it could be standard BestBuy corp. practices to use nonsecure wlan. I figured by starting a thread other people that have attempted this may have more info or someone from BestBuy may be reading the list and they may pipe up.

  7. I'm going to restate this over and over again. by mindstrm · Score: 3, Informative

    Check your credit card contract.

    Most say you are liable for fraud only if your CARD is stolen, and only for the time between its theft and when you report it to the company.

    Any other fraudulent use of your credit card number you are simply NOT liable for. Remember, it's not really your number, and the card is not really yours. It's the property of the issuer, it says so on the back. It's a (weak) security token they issue you in order to identify yourself as someone who has a line of credit. If someone uses that, fraudulently, it is a screwup on the part of the merchant, or the bank. You do not pay.

    If your contract says otherwise, or puts any other liability on you (other than normal, responsible behavior of course), shop around and find something better.

    I realize it's a pain if someone has your number, and starts using it. It can be really inconvenient. But my point is.. rather than treating this like property that they have stolen from us, just like stealing our cash, we should be looking to the credit card companies to make sure this does not become our problem... because ultimately, it's theirs.

  8. Re:security by omnirealm · Score: 3, Informative

    I am developing a financial application for use over Bluetooth from a PDA to a cash register, and I can say from first-hand experience that the problem of security over a wireless domain is not trivial. Your solution to channel everything through SSH is not economically feasible when you consider the processor and memory requirements necessary for *every single* vendor system out there to do this. The problem gets worse when you start talking about cell phones and wristwatches transmitting credit card numbers to vendor systems.

    Bluetooth and 802.11b both have link-level encryption built in, but they both need some work before I would trust them with my financial information. For example, brute forcing the Bluetooth's E0 cipher can be reduced from a complexity of 2^128 to 2^100, and generating a database of keys and sample encrypted data can reduce the problem to a complexity of 2 if a match is found while listening to the communications!

    You will have to clarify what you mean by "the account number is sent to the central server." Is it encrypted before it's sent? Against what key? How does your solution deal with non-repudiation (the device is authenticated, but not the user)?

    One idea I came up with while working on this project was to incorporate the one-time use credit card numbers with client-to-vendor system. Before you leave home, your financial institution transmits a set of randomly generated one-time numbers to your PDA, wristwatch, cell phone, whatever, and the client sends a different number from the set each time he wishes to pay for something. That way, it doesn't matter if the number is compromised after the transaction is completed.

    --
    An unjust law is no law at all. - St. Augustine
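
The one-time-number scheme outlined in comment 8 (and mentioned in the story summary), as an added example that is not part of any poster's comment: the issuer provisions a batch of random numbers to the device, and a number sniffed off the air is worthless once it has been redeemed. The class names, the 16-digit format, the account id and the expiry on unused numbers are assumptions made for this sketch.

```python
import secrets
import time

class Issuer:
    """Financial institution: provisions and redeems one-time payment numbers."""

    def __init__(self, ttl_seconds=86400):
        self.ttl = ttl_seconds   # assumption: unused numbers expire after a day
        self._live = {}          # number -> (account, expiry time)

    def provision(self, account, count=5, now=None):
        """Generate `count` random 16-digit numbers bound to `account`."""
        now = time.time() if now is None else now
        batch = []
        while len(batch) < count:
            number = "".join(secrets.choice("0123456789") for _ in range(16))
            if number in self._live:   # never hand out a live duplicate
                continue
            self._live[number] = (account, now + self.ttl)
            batch.append(number)
        return batch

    def redeem(self, number, now=None):
        """Return the account to charge, or None if unknown, used or expired."""
        now = time.time() if now is None else now
        # pop() makes redemption single-use: a second attempt finds nothing.
        account, expires = self._live.pop(number, (None, 0))
        return account if now <= expires else None

class Wallet:
    """Client device (PDA, phone, watch): sends each number exactly once."""

    def __init__(self, numbers):
        self._numbers = list(numbers)

    def next_number(self):
        if not self._numbers:
            raise RuntimeError("no one-time numbers left; re-provision first")
        return self._numbers.pop()

def replay_demo():
    """One purchase, then the same number presented again by an eavesdropper."""
    issuer = Issuer()
    wallet = Wallet(issuer.provision("acct-1001", count=3))  # constructed account id
    sent = wallet.next_number()    # this value crosses the wireless link
    first = issuer.redeem(sent)    # the register's legitimate request
    replay = issuer.redeem(sent)   # captured copy arrives later
    return first, replay           # ("acct-1001", None)
```

The protection only starts at redemption: a number that has been sent but not yet redeemed is still live, which is why the sketch also expires unused numbers.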