Slashdot Mirror


Wireless Registers May Expose Your Credit Card

flynt writes: "Found this article about people sitting in Best Buy parking lots with wireless sniffers and intercepting credit card numbers that the wireless cash registers inside the store are beaming about. Gives more credence to the idea of one time use credit card numbers. Now you don't even have to be online to have your number stolen."

3 of 229 comments

  1. Re:encryption by GrenDel+Fuego · · Score: 4, Informative

    Yeah, wireless encryption sucks....

    However, you can add encryption to the tcp/ip running over the wireless. With something like Cash Registers, you can be sure that they're all running the exact same software.

    Enabling IPSec, or something similar shouldn't be too difficult. It's not like you need to make sure it's compatible with all the different OSes.

  2. Re:More validation is needed by EasyTarget · · Score: 4, Informative

    Sure, the PIN number may be picked up over a wireless network

    Not necessarily.. the PIN is stored on the card itself (one-way encrypted or something.. I'm not well-up on crypto stuff). So therefore the whole pin-processing can go on within the POS (Point-Of-Sale) terminal which just needs to return a success or denial message.

    --
    "Oops, I always forget the purpose of competition is to divide people into winners and losers." - Hobbes

  3. Original message (FYI) by Denium · · Score: 4, Informative

    To: Vuln-Dev
    Subject: Wlan @ bestbuy is cleartext?
    Date: May 1 2002 3:57PM
    Author: Blue Boar

    I was asked to anonymously proxy this question to the list. Here ya go.

    BB

    This past week I went to bestbuy to purchase a D-link wlan card... eager to get my laptop up and running while in the car I put my card in and installed the driver. I noticed the traffic light was lit up as if I had a connection. Out of curiosity I fired up kismet and sure enough there were packets flying through the air right in front of BestBuy. Well I decided to run in and try to make a Credit Card purchase real quick to verify that my info was not going all over the parking lot in the clear. Well after sorting out my logs I noticed what looked to be like SQL queries and table headers in my logs ... things such as CUSTOMER_ROUTEID, BANKNAME, REGISTER_ID and things of that nature... luckily nowhere in that data did I find my own credit card. Nonetheless I decided to run to the store next to BestBuy while I left my PC on grabbing packets. Well yesterday I sorted through the data collected and this time I did indeed find a RAW clear text credit card number....not mine ... but definitely a credit card number.

    Here's my dilemma... I checked out a few of the other best buy stores for "beacon packets" and every one I drove by was sending them out...so I assume all BestBuy's are wlan enabled. What I need to find out is ... are BestBuy's Cash register terminals indeed using wlan and are they indeed sending out MY data in the clear... I am NOT comfortable using my credit card at ANY BestBuy as of right now... due to legality though I don't feel comfortable walking into the store and confronting someone about it.... for all I know it could be standard BestBuy corp. practices to use nonsecure wlan. I figured by starting a thread other people that have attempted this may have more info or someone from BestBuy may be reading the list and they may pipe up.