Wireless Registers May Expose Your Credit Card
flynt writes: "Found this article about people sitting in Best Buy parking lots with wireless sniffers and intercepting credit card numbers that the wireless cash registers inside the store are beaming about. Gives more credence to the idea of one time use credit card numbers. Now you don't even have to be online to have your number stolen."
Why didn't they just encrypt it, the whole network/transmission that is? That would be an obvious thing to do if I were programming anything of this nature. Heck, I went to the bother of XOR'ing the TCP stream on my high school computing project, surely the nitwit who wrote/engineered this system should have taken the time to add security to it?
loply.com
wireless needs some decent encryption schemes before it becomes accepted in the public domain
This is obvious gross negligence on behalf of the point-of-sale software/hardware vendor. How could any remotely security-conscious developer send credit card details in plain text, even over a wired network?
Absolute insanity. I am in awe.
I've always thought it to be inconvenient, but if this is true maybe more people will purposely disable their cards in such a fashion.
the whole concept of having a card with a number on which you can tell people down the phone, send down the internet, give to people in shops/restaurants is very very insecure, I've ordered stuff on my mum's card before, do they care that i'm not my mum, do they shit. If people have to resort to wireless scanners to get card numbers they are throwing way too much money at the exercise, you can get card details much easier from bins, old till rolls etc...
i have developed a foolproof method of fooling them though, don't have a credit card, ok so they won't actually give me one yet but hey...
Burt "Out of my mind back in 5 minutes"
this is an issue absorbed by the credit card company, so it doesn't affect the consumer in any other way than inconvenience.
Why on Earth would a store be "beaming credit card numbers about" with no thought to security? Seems they've opened themselves to a wave of court cases and possible fraud. Then again, every time you give your card to a waiter or till operator there's a chance the underpaid employee will be stealing the details via a personal "swiper". There was a programme on UK tv recently discussing this widespread fraud...
Code, Hardware, stuff like that.
I can't believe Best Buy would be so lame as to have unencrypted credit card information being sent around like that. I was always under the impression that credit card information was encrypted electronically when you made your purchase, boy what a fool I was. Why is all this being transmitted wirelessly to begin with? I don't know if this is the norm, but would it really be that hard just to run a few wires from the checkout lanes to the server when they built the place?
People seem much brighter once you light them on fire.
Apparently, these stores didn't even bother to turn on WEP. AT ALL. That's just stupid. WEP has lots of supposed insecurities but GOD DAMN, how stupid is that??? It's better than nothing.
Do you want to remove linux?
It's nice technology, and has some pretty good uses, but overall people don't pay enough attention to security. And that's just plain dangerous.
:-)
We've had a seminar recently at our university with a security expert talking about cellular phones. There's a lot of encryption going on in these devices, but it's apparently not very solid. In one standard made by the big boys of the industry, an example encryption method was presented that wasn't fully secure. The little ones didn't have the knowledge to implement their own, so they adopted the example. Only to pay a lot of cash to some experts afterwards to get it out again.
Now, them paying a lot of cash is not the dangerous part, but the lack of security is. It's only a matter of time before the first big virus strike in bluetooth-gsm-cash register-insert your favourite device here.
Come to think of it, that would be rather cool
Lock down all ports on the server except SSH, and force the cash register client machines to tunnel through SSH for everything. I use it at home, work and university. It's better to be over security-conscious than being too relaxed about it.
However, that's just covering up the symptoms of a greater problem. It would be better if credit cards used a public/private key system, where the account number is sent to the central server which responds with a random encryption challenge, then a chip on the card encrypts the string using its key and replies. That way no useful security information is being passed around for others to intercept and use.
Follow me
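The challenge-response exchange proposed in the comment above, as an added example that is not part of the original thread. It uses an HMAC with a per-card secret as a stand-in for the public/private key operation the comment describes (Python's standard library has no asymmetric signing); the `Card` and `Issuer` names and the account value are made up for illustration.

```python
import hashlib
import hmac
import secrets


class Card:
    """Stand-in for the chip on the card: the key never leaves this object."""

    def __init__(self, account: str, key: bytes):
        self.account = account
        self._key = key

    def respond(self, challenge: bytes, amount_cents: int) -> bytes:
        # Bind the answer to this challenge AND this amount, so a captured
        # response cannot be reused for another purchase or another total.
        msg = challenge + amount_cents.to_bytes(8, "big") + self.account.encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()


class Issuer:
    """Stand-in for the central server that issues challenges."""

    def __init__(self):
        self._keys = {}      # account -> per-card secret
        self._pending = {}   # account -> the one outstanding challenge

    def enroll(self, account: str) -> Card:
        key = secrets.token_bytes(32)
        self._keys[account] = key
        return Card(account, key)

    def challenge(self, account: str) -> bytes:
        nonce = secrets.token_bytes(16)   # fresh and unpredictable each time
        self._pending[account] = nonce
        return nonce

    def authorize(self, account: str, amount_cents: int, response: bytes) -> bool:
        # pop() makes every challenge single-use: a second attempt with the
        # same response finds nothing pending and is refused.
        nonce = self._pending.pop(account, None)
        key = self._keys.get(account)
        if nonce is None or key is None:
            return False
        msg = nonce + amount_cents.to_bytes(8, "big") + account.encode()
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo():
    issuer = Issuer()
    card = issuer.enroll("ACCT-EXAMPLE-0001")   # constructed account id

    c1 = issuer.challenge(card.account)
    r1 = card.respond(c1, 4999)
    first = issuer.authorize(card.account, 4999, r1)

    # Everything on the wire (account, c1, r1) is now known to a listener.
    replay_same = issuer.authorize(card.account, 4999, r1)   # challenge spent
    issuer.challenge(card.account)
    replay_new = issuer.authorize(card.account, 4999, r1)    # wrong challenge

    c3 = issuer.challenge(card.account)
    r3 = card.respond(c3, 4999)
    altered = issuer.authorize(card.account, 999999, r3)     # amount changed
    return first, replay_same, replay_new, altered


if __name__ == "__main__":
    print(demo())
```

With a real public/private key pair the issuer would hold only the card's public key, so a breach of the issuer's key table would not let anyone answer challenges.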
You can find what appears to be the original fwd'd (anonymized) copy of the mail from the guy who first checked this out at this location.
GStreamer - The only way to stream!
There was a story here a couple weeks ago about the evils of best buy.
Why are we surprised that they don't care about their customers, they've already proved that with the nVidia 4600 Ti scandal.
I had a call the other day, from someone at the BBC T.V. licensing department; or so I thought. (The BBC is a non-optout subscription service)
The caller said that I hadn't paid my licence for the year, and asked if I would like to.
Being a bit crap with bill payments I found this quite handy, I searched around for my credit card, but couldn't find it, so,
I told the caller that, "I couldn't find my card and would I be able to pay over the phone tomorrow". She said that, "they were open tomorrow", but expressed great concern, because they were, "checking licences in the area", so I had another look for my credit card and found it, gave the caller my details.
A few days later the T.V. licence arrived,
I have cancelled my credit card because I couldn't be sure if the caller was really from the BBC, if so they've started demanding money with menaces.
thank God the internet isn't a human right.
Government inspection doesn't mitigate any responsibility that a food plant or an airline has. It merely provides the consumer with some assurances. And in most cases (not all) it works. Most of us buy food every week, and most of us don't die of food poisoning. Most planes take off and land safely. However, the food producer or the airline company is still responsible for the product.
As we rely more on system security in our daily business transactions, I think that rigid standards of system security should be created and enforced.
If we start holding irresponsible retailers, like Best Buy in this case, accountable for damages, you'll see consumers *and* retailers lobbying for such an effort.
Social security numbers used as identification, credit card numbers, and a whole host of other "real world" identifiers and systems are simply extremely sloppy security. In the past, that meant that only a few customers got screwed. With modern computer equipment, a lot of people get screwed.
What is particularly annoying about it is that the companies that put this sloppy security in place never really have given a damn about protecting their customers--as long as the casualties are not too many and don't frighten the masses away, it's acceptable. In most cases, companies that use sloppy identifiers or security end up not even being legally liable for the trouble and expenses they are causing their customers.
On vuln-dev (vulnerability development, a list on security-focus.com) there has been a discussion going on about this for over a week, and people are pointing out all the stores that have problems, and it's getting to the point where it is easier to say who DOESN'T have a problem than who does.
--"Karma is justice without the satisfaction"
Is anybody actually surprised that nobody at Best Buy knows how to configure an encrypted wireless network?
Someone down the line knows your credit card number. If you hand your card to the person at the register, then you are placing trust in them. If your information is stolen by a 3rd party, then it is because of the incompetence of whoever you placed your trust in.
According to the article, Best Buy has since stopped using wireless cash registers. Still, I think the problem is not with wireless itself, but the particular implementation Best Buy was using. Couldn't they simply encrypt the data?
Of course, credit cards are inherently problematic. Although I use credit cards, I think the system is poorly designed. Basically, you say to a guy, "here's a key to my safe, please only take what you need." IMO, it should be the reverse. We should *give* them the money, possibly by authorizing a transaction via your bank (a cell phone would be the best way, so you don't have to trust an in-store terminal) Thus, everyone would be able to give, but not take. As it stands, credit cards have the worst security of anything. It's ironic too, since a lot of us computer enthusiasts will rant all day about how everyone should be using ssh and GPG, yet we give our login and password to the waitress next time we eat.
this is why you need a wireless scanner, so you don't have to give your credit card details out to callers, give someone else's.
seriously though, i didn't think the bbc were actually in charge of issuing licences, i thought they just got the money...
Burt "Out of my mind back in 5 minutes"
Like you ever did need to be online to get your number stolen - easiest way to steal credit card numbers is to get a job in a retail outlet and record numbers of customers cards.
This is *the* classic error in security thinking - only consider the hardware, ignore the human factors.
Ok, I have known about this for about five months. Pretty sad huh? You can even pick up logins, passwords, and get EIGRP broadcasts from their router for Best Buy's data network. One thing I have noticed recently, as of last weekend, the Best Buy I pass as I head to work doesn't make my laptop beep twice.....
Credit card transactions such as this validate the credit card number against an algorithm, and ensure that number matches the bank who issued the card and the type of card (VISA, Mastercard et al.)
Fine, the number may be legitimate, and the card may be legitimate, but is the actual transaction legitimate? In other words, there is no validation that the card being used for the transaction really does belong to the person making the transaction.
The practice of skimming credit cards and capturing numbers over wireless networks will continue, and credit card fraud will continue because it is easy to commit . . . probably until some form of smart cards encompassing biometrics are in mass use in the marketplace. Incorporate a finger print into a smart card and small recognition scanner at the point of sale. If your fingerprint doesn't match that on the card then the transaction will be denied. This won't help on-line fraud or fraud perpetrated during transactions when the cardholder isn't present, but it will cut down on innocent people being ripped off.
So why don't banks incorporate this? It's purely down to cost. They're not interested in consumers being defrauded, what matters to them is the money the banks lose. Fraud is a big problem, but until the levels of fraud amount to more than the cost of issuing and installing smart card or biometric technology, banks aren't going to be interested.
In the case of validation, European countries with lower levels of credit card fraud are those with higher levels of validation. Many countries in Europe require a matching signature as well as a PIN number. Sure, the PIN number may be picked up over a wireless network, but it goes to show that more stringent validation checks will reduce levels of credit card fraud.
And as for using encryption - surely that is just common sense?!
~~~~~~~~~ "I must create my own system, or be enslav'd by another man's." William Blake, Jerusalem.
Best Buy sends the credit card info cleartext over 802.11....... hmmmm maybe they really truly are best buy then! They went out and found the cheapest Wireless Point of Sale system.. to them it was the BEST BUY :)
The general point is, I'm a fairly cautious person, I always ask the police for ID, throw away all those 'You have won £30,000', all you have to do is send £10 to claim your prize junk mail letters etc... It was only the aggressive nature of the caller that made me suspicious, basically you can
get anyone's credit card details,
Pick a number from the phone book,
Just phone up the TV licensing people, and enquire about 'your' license,
If it's about to run out etc... then
Phone the number in the phone book,
tell them their TV licence has expired,
Take their details,
Pass them onto the TV licensing people (so that they think everything is ok).
And use their credit card details for making calls to phone sex lines, or whatever.
thank God the internet isn't a human right.
with everyone paranoid about credit card theft using high tech means people seem to forget that while most internet transactions are safe, what you really need to worry about are people who actually handle your card.
The cashier has access to your number. the accountant has access to your number. the manager of the store has access to your number. some stores print the entire number on receipts so anybody willing to dumpster dive has access to your number. waiters and waitresses who carry your card off to the register in a restaurant have access to your number...
and now people in the parking lot have access to your number.
I don't know about you guys, but I'm much more worried about people writing my credit card number down and passing it to somebody else or overhearing me when I order something over the phone than I am about it being picked up wirelessly by some chump with a laptop in the corner of the store.
Most -- note that I said "most" and not "all" -- of the people that are going to defraud me by using my CC number are not going to have access to a computer with equipment capable of sniffing the air packets (that sounds kind of gross) to get that number in the first place.
If I told you I had devised a way of connecting to the internet via the ocean (I am trying to make a point) you would say hey (if you are american) that's pretty cool, when are you going to have that on the market. I reply (cos it is still in development) 2-3 years.
So for the next 2-3 years I have my amazing tcp/ip over large bodies of water running just for testing, why should I encrypt? no one else knows how it works I probably have a custom packet handling system etc.
Same with wi-fi, no one expected everyone to have access to it so soon.
The wi-fi tills are probably well over a year old (even if they are new to the store).
I worked on a number of etransaction systems for orders over the internet between businesses and the number that had no security except the fact nobody knew which URLs were being used was staggering.
ERR 411[Max number of witty sigs reached]
in a couple of decades encryption will be more powerful also.
ummm ... last time i looked, using a credit card is patently NOT the same as handing someone the keys to your safe. the money is NOT yours, and if someone other than yourself manages to gain access to it, you do NOT have to pay it back (at least, above a certain limit, $50, whatever).
that is the whole point of credit cards, after all. a way to deal with cashless transactions in a way that ensures your money is not technically at stake should something go tits up with the system. now, if we are talking about DEBIT cards, such as the Switch cards in the UK, that is a totally different kettle of fish, and your point about the safe is entirely correct.
nalfy.
-- Despair is an operating system that ANY human being can run, sort of a psychological JAVA --
It's not only the shops that don't believe in encryption. I recently worked on an electronic payment project, and we told the bank (Major UK high street bank, not saying which one) that we wanted to encrypt our connection to them. We were basically told "Don't be paranoid, no one does that. We don't accept encrypted links."!
If the transactions are in plain-text, is there any checksumming etc.. that takes place.
It occurs to me that what you could do is be able to intercept (or pre-empt) and replace data in valid transactions.
Then sit in the car-park, and substitute a different card number in to any refund transactions encountered. Create an account specifically for this, and drain it before any fraud is likely to be detected, easy money.
All of this is assuming that the systems do not use basic checksumming double-verification etc.. but given that they already transmit them wirelessly and unencrypted, what chance is there that they take even basic protections against false data being injected into the network.
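On the checksumming question raised in the comment above, an added example (not part of the original thread) of why a plain checksum gives no protection against altered transactions while a keyed MAC does. The message layout, field names, key and the well-known test card numbers are constructed for illustration.

```python
import hashlib
import hmac
import json
import zlib

# Constructed demo key; in a real deployment it is provisioned per register
# and never sent over the network.
REGISTER_KEY = b"constructed-demo-key-not-a-real-secret"


def encode(txn: dict) -> bytes:
    # Canonical encoding so sender and receiver hash identical bytes.
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()


def seal_crc(txn: dict):
    body = encode(txn)
    return body, zlib.crc32(body)


def verify_crc(body: bytes, crc: int) -> bool:
    return zlib.crc32(body) == crc


def seal_mac(txn: dict, key: bytes):
    body = encode(txn)
    return body, hmac.new(key, body, hashlib.sha256).digest()


def verify_mac(body: bytes, tag: bytes, key: bytes) -> bool:
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def demo():
    txn = {"type": "refund", "card": "4111111111111111",
           "amount_cents": 4999, "seq": 1042}
    altered = dict(txn, card="5500000000000004")

    # A checksum needs no secret: whoever changes the body can recompute it,
    # so the receiver's check passes on the altered message.
    altered_body, altered_crc = seal_crc(altered)
    crc_accepts_altered = verify_crc(altered_body, altered_crc)

    # A MAC needs the key: the altered body no longer matches the tag, and
    # without the key a matching tag cannot be produced.
    body, tag = seal_mac(txn, REGISTER_KEY)
    mac_accepts_original = verify_mac(body, tag, REGISTER_KEY)
    mac_accepts_altered = verify_mac(altered_body, tag, REGISTER_KEY)
    return crc_accepts_altered, mac_accepts_original, mac_accepts_altered


if __name__ == "__main__":
    print(demo())
```

A MAC only provides integrity: the card number still travels in the clear, so it complements link encryption rather than replacing it, and the receiver must also reject repeated `seq` values to stop replays.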
"Oops, I always forget the purpose of competition is to divide people into winners and losers." - Hobbes
However, what makes the scam you are linking to interesting, is not the fact that the criminals were brute forcing the numbers, but rather that they were using merchant accounts other than their own to do it. That way, some unsuspecting victim was stuck with the bill, rather than themselves. It was more an exploit of authorize.net's online card validation system than a problem with the credit cards themselves.
Say no to software patents.
This is bad, because it's probably able to be automated but on the other hand, how many people throw their cc receipts away in the first bin they come to?
>>The BBC is a non-optout subscription service
You aren't obliged to own a television. Throw it away.
which is exactly what happened to me at Best Buy.
"I don't think it's selfish, to eat defenseless shellfish." -NOFX
One of the major reasons I don't own a credit card and haven't ever, is the loose security generally. By simply trusting the clerk won't look at the numbers on the card is a ridiculous gamble with money you don't have.
Hey, gimmy your root password on a bit of paper and I'll give it back to you if you forget. Promise I won't look.
You're worrying about people stealing YOUR credit card number, and the people stealing want A credit card number (actually, lots of them). It's a waste of time to randomly tap phones, and the old writing them down from your retail job works but has a lot of potential risk involved. Sitting in a parking lot for a couple hours with a laptop is practically risk-free (just need to find a Best Buy next to a McDonald's or something) and will let you gather LOTS of numbers. Therefore, while someone wanting your specific card isn't any better off, the odds of your card being stolen this way, and used in a way that will cause you a huge mess, is higher.
I've noticed a wireless base station at the back of my local Home Depot. I seem to recall it had a directional antenna pointed at the cash register area. (And by extension, towards the parking lot as well.) I hope they have enough clue to use at least minimal encryption. The hell with parking lots. Get an iPaq or Zaurus with an 802.11b card and you could walk around the store with it turned on and hidden in your pocket. For as long as the batteries held out, anyhow.
--
"Open source is good." - Steve Jobs
"Open source is evil." - Microsoft
"Now you don't even have to be online to have your number stolen."
right, before the internet, credit card numbers couldn't be stolen. I also understand that before the internet, no music was ever pirated.
---
you're all figments of my deranged imagination
here is a good gpl project slan http://slan.sourceforge.net/ that does exactly that. it is a bit sparse on details but it basically secures 802.11. it fakes a network driver and creates a secure link so there is little need to modify much. it needs a shot in the arm and a bit of "hype" but looks good otherwise.
They can somehow get the equipment to sniff CC numbers? But they can't get CC's by themselves? Castrated...
Will shop security turn the tide towards the Internet for secure transactions when it was previously criticized for being prone to "hackers"?
cunning... i never thought they would be clever enough to fool me into thinking everything was ok, but actually sending you a real licence is pretty damn good, if it wasn't so low down and dirty i would be impressed! ;)
Burt "Out of my mind back in 5 minutes"
Gives more credence to the idea of one time use credit card numbers. Now you don't even have to be online to have your number stolen.
This should come as no surprise, seems it has been easier to steal credit card numbers offline than online for some time now. Think about that pimply faced waiter disappearing in the back with your credit card at a restaurant. Who cares if you lose your credit card/number anyway?
You are receiving this message because your browser supports Slashdot Sigs and you have Slashdot Sigs enabled.
The transactions appear on my normal CC bill so I don't have to manage lots of CC numbers.
Not a total solution but helpful none the less.
These scams predate Internet credit card payments by many years. People used to guess credit card numbers and "verify" them over the phone or at various convenience locations. Banks have made this particularly simple by making valid, recently issued numbers easy to guess.
"Now you don't even have to be online to have your number stolen."
Someone tell this dude about cc receipts, people on phone orders stealing your cc number, and all those dozens of other offline methods of cc fraud which existed waay before cc fraud came online. It's not a new thing.
Daniel
Or, that is, a lot of banks and merchants get screwed. Last I checked, I wasn't liable for any mysterious charges that showed up on my bill. When the CC companies feel that a more secure system will protect their profits, they'll implement it.
The original message is available at SF's archive.
Subject: Wlan @ bestbuy is cleartext?
Date: May 1 2002 3:57PM
Author: Blue Boar
I was asked to anonymously proxy this question to the list. Here ya go.
BB
You got it wrong. The social security number space (9 digits) is too small, but the credit card number space is perfectly adequate.
Most credit card numbers (not counting store-issued cards here) are 16 digits, for a total of 1E16 possible numbers. There are 6E9 people in the world, and less than one credit card per person. That leaves you over a million invalid credit card numbers for every valid one.
Now, granted, there are some regularities in the set of valid credit card numbers that you can use to increase your chances of guessing one, but that's not enough to overcome the million to one shot that you start out with. Moreover, in most cases, actually using a credit card number requires knowing the name and expiration date of the account as well.
I agree that banks assigning credit card numbers predictably is a problem, but this problem would exist regardless of the size of the number space. The size of the number space itself is not a problem.
Well, they allow us to get free credit card numbers!
OK, you can have a satellite dish, but don't have to pay for any services, i.e. you can opt-out.
everytime you buy a can of coke etc.... you are indirectly paying for advertising this is a non-optout non subscription service, even if you don't have a TV
I prefer direct payment.
thank God the internet isn't a human right.
if someone other than yourself manages to gain access to it, you do NOT have to pay it back
This is true. Using credit cards can sometimes be safer for an individual than other monetary transactions, because the credit card company will insure you if something goes wrong (within limits, as you say).
Still, this doesn't make the system technically better... it just moves the risk onto the credit card company. Although now that I think about it, would the average credit card user be able to handle the risk themselves if the system were implemented my way? We all know how people write passwords on their forehead.
Gives more credence to the idea of one time use credit card numbers
Sounds like a great idea, one-transaction cards, with a unique number on each of them, all tied to one account.
But plastic swipe cards are too expensive to use once and throw away--make them out of paper, better for the environment.
While you're at it, you could eliminate the need for the separate credit card receipt by putting the amount and signature on the (paper) card, and handing it to the retailer... you could even use that funny non-carbon carbon paper if you wanted a receipt for yourself.
Print them up in a handy-little tear off pack, maybe throw in a balance sheet so you can keep track of your expenses (if you're so inclined).
If you let little old ladies get ones with puppies or kittens on them, this radical idea of yours might just be a success!
--
Benjamin Coates
Yet another reason not to shop at Best Buy
Fascism starts when the efficiency of the government becomes more important than the rights of the people.
I guess that's why cc:s have expiration dates.
Yep, anything that can receive TV signals.
thank God the internet isn't a human right.
We must remember that the reason credit cards exist in the first place is to simplify the transfer of money from entity a to entity b. Although it is true that the security is a joke on the current implementation, the reason it hasn't been upgraded is that nearly any addition of security will add overhead to the user, and complicate their interaction with the credit system. Instead, the credit cards use a system of zero liability for unauthorized transfers for the end user (which nulls their complaints about security) and a heavy handed, we will find you and prosecute and screw your life over if you rip us off philosophy. Therefore their overall security in the big picture with respect to fraud isn't quite as bad as many people have claimed it to be. They may not have information security, but they have legal security, and as long as their technology people keep up with those people committing fraud (ask a guy in my residence hall at uni whether or not the three guys he knows that did this think that they can keep up ... i'm sure he'll get back to you in about 6 months when his friends get out of jail (yep they're about 19 btw)) then the system will continue as it has been.
**AA: a bunch of mindless jerks who'll be the first against the wall when the revolution comes
is there a known list of stores that use this wireless - or is there an easy way to tell?
There are some odd things afoot now, in the Villa Straylight.
SecurID and Credit card companies should get together. Those neat little keychain FOBs that change numbers every 60 seconds would be a good tech for the one-shot credit cards. If your card number changed every 60 seconds It'd be pretty hard to snag it and use it.
;)
It should be somewhat easy to implement, credit cards would cost a bit more so of COURSE annual fees would have to go up at least 150%
As a rock-in-roll Physicist once said, No matter where you go, there you are.
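A number that changes every 60 seconds, as suggested in the comment above, sketched as an added example that is not part of the original thread. It uses the open HOTP/TOTP construction (RFC 4226 / RFC 6238) with a 60-second step, not the SecurID fob's own algorithm; the function names and the shared secret (the RFC 4226 test key) are choices made for this illustration.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 one-time code for a given counter value."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def rotating_code(key: bytes, unix_time: int, step: int = 60) -> str:
    """Code shown on the token during the 60-second window containing unix_time."""
    return hotp(key, unix_time // step)


def verify(key: bytes, submitted: str, unix_time: int,
           last_used_window: int = -1, step: int = 60, skew: int = 1):
    """Return the window the code belongs to, or None if it is rejected.

    Accepts the current window plus/minus `skew` windows to tolerate clock
    drift, and refuses any window at or before `last_used_window`, so a code
    overheard during a purchase cannot be spent a second time.
    """
    now = unix_time // step
    for window in range(now - skew, now + skew + 1):
        if window < 0 or window <= last_used_window:
            continue
        if hmac.compare_digest(hotp(key, window), submitted):
            return window
    return None


if __name__ == "__main__":
    secret = b"12345678901234567890"    # RFC 4226 test key, not a real secret
    code = rotating_code(secret, 59)
    print(code, verify(secret, code, 59))           # accepted in its window
    print(verify(secret, code, 59, last_used_window=0))   # reuse refused
    print(verify(secret, code, 200))                # stale code refused
```

The issuer has to store `last_used_window` per card after each accepted purchase; without it the code stays valid for the rest of its window and the adjacent ones.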
Check your credit card contract.
Most say you are liable for fraud only if your CARD is stolen, and only for the time between its theft and when you report it to the company.
Any other fraudulent use of your credit card number you are simply NOT liable for. Remember, it's not really your number, and the card is not really yours. It's the property of the issuer, it says so on the back. It's a (weak) security token they issue you in order to identify yourself as someone who has a line of credit. If someone uses that, fraudulently, it is a screwup on the part of the merchant, or the bank. You do not pay.
If your contract says otherwise, or puts any other liability on you (other than normal, responsible behavior of course), shop around and find something better.
I realize it's a pain if someone has your number, and starts using it. It can be really inconvenient. But my point is.. rather than treating this like property that they have stolen from us, just like stealing our cash, we should be looking to the credit card companies to make sure this does not become our problem... because ultimately, it's theirs.
I've always said that I trust secure web transactions more than I trust giving my credit card to a waiter and having him carry it into the back of the store for five minutes.
When I was in Paris last month, I was, at the time, pleasantly surprised that every cafe or restaurant I went to had wireless credit/debit card readers that they carried to your table so that the card never left your sight. These may be in use more in the U.S., but I don't think I've seen them.
Do these European devices have decent security, or would I have been better off giving Pierre the card to use on a wired reader?
-- stream of did I lock the front door consciousness
If someone taps your phone or otherwise gets your number and uses it, why does this concern you?
The worst that can happen is you have to make one phone call to your card issuer to tell him you didn't make the charges.
If they use your number, they are not defrauding you. They are defrauding the merchant by using a card that is not theirs (the issuer will cancel the transaction and the merchant will not get paid.)
One of the main benefits of credit cards is that the responsibility for validation rests on the merchant, not on you. Unless your card is physically stolen and you don't report it, you do not have to pay for fraudulent use whatsoever.
Here in Canada, the debit card system is called Interac. There're no signatures as it is all based on PIN numbers.
In the last few years I've been seeing an increasing number of wireless payment options. This is great in bars as it saves going and hanging around in an obscure corner with the wait staff constantly trying to squeeze by.
It makes me wonder how secure it is... I wouldn't want somebody to get my bankcard and PIN number.
I like how the /. blurb said - Now you don't even have to be online to have your number stolen. You never did. Anyone who knew anything about credit card security said that your card was more secure during internet transactions than using it out and about in the real world. This is just another case of that.
I love how people want to make it seem that these are all new ways of credit card fraud. Fact is that it was out there long before technology, and as long as CCs are used, it will be around for a while.
RonB
It is human nature to take shortcuts in thinking.
Incidents like this remind me why I do nearly all my business in cash. Cash is and will always be more secure than any electronic substitute.
"The moment "pride" is lost, "freedom" is also lost." - Ramza.
The article makes no mention of people actually grabbing cleartext passwds out of the ether, just:
2 7. html
"But several computer hackers contacted by MSNBC.com said they had spied credit card data in among the wireless traffic they'd captured."
Uh huh. And I can use my PalmPilot to grab IR signals out of thin air and steal cars.
http://www.monkey.org/geeks/archive/9812/msg000
I know of several stores that use wireless point-of-sale systems. Most now use 802.11b. Not one of them uses WEP. I went war driving one time and found several stores' networks. No WEP. Some obvious SSIDs.
This setup is *extremely* commonplace.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
How about an update to the video card arrest last week? I emailed Best Buy a complaint, and heard...nothing from them.
>> You have to have a license in England to have a TV??
> Yep, anything that can receive TV signals.
Shhhh... Don't let Turner Broadcasting hear about this. They might try to require you to buy a PVR license, to cover the losses from all of the "PVR thieves"
Beauty is in the eye of the beerholder.
How secure is it even if they were wired? Most large retailers connect to their credit handlers via a satellite mounted on the roof. Does anyone know how secure that is? Are they using the highly respectable DES that should be enough for everyone, at least according to some.
Wireless registers have 200ft range, the satellite beams stuff into outer space. Maybe seti@home will find our alien friends stealing credit card numbers. See, after all, that project does have a use!
scott
This is a classic example of a foolish notion that radio communications ("wireless" for those of you who didn't realize what technology this is) can be made private. Yes, our Federal Communications Commission (and many other such agencies world wide) believes that you'll be a good citizen and not monitor your neighbor's juicy conversations.
This goes against everything we've known about radio for the last century. However, given this sort of legislation, nobody can hold Best Buy or any other retailer liable for sending your credit card information out over the airwaves where everyone can see it.
Nearly fifty percent of all graduates come from the bottom half of the class!
However, Ray Martino, Symbol's vice president of wireless network products, said that credit card data wouldn't normally be among the traffic that's broadcast through the air. Credit card purchases still require authorization from a bank, meaning the traffic must travel over a phone line.
This just goes to show how incompetent VPs can be. How do you think that the data gets from the wireless registers to the device that dials the auth co, or that routes it across the leased line?
Just another example of the Peter (or Dilbert) principle at work.
numbers. Now you don't even have to be online to have your number stolen.
Really? I'll have to ask muggers and dumpster divers about their wireless connections that allow them to be online when they do that sort of thing.
To get your card stolen all you need to do is use it at a restaurant. They take it in back, swipe it for payment, swipe it again in another reader to clone it, make a note about the name & expiration date, take it back to you and it's done. Now they can make a copy that is good at most places, can be used online at many places (to be delivered to a nearby abandoned house for pickup).
These types of folks are rarely caught. Banks and credit card agencies find it easier to eat the loss rather than track down the thieves. If it happens in multiple cities (thief buys in one city, then one next to it, but it was stolen in a third city) it's even worse. You expect cops to work with nearby cities? Ohh, the paperwork! We can't do that for such petty crimes!
Credit card systems like we have now are currently very insecure, wireless insecurity aside. We need something better.
Moving them isn't the problem. Stringing wires is.
Clear, Dark Skies
According to the article security is available but the store can turn it on or off.
I think we are far too hasty in our blaming Best Buy. The company I would point blame at would be the creator of the wireless network. At some point they (probably willingly) neglected to add any form of security.
From the Article:
The company [Best Buy] responded quickly on Wednesday -- spokesperson Donna Beadle, in an e-mail, said the company had "deactivated our wireless temporary cash registers that transmit information via LAN connections."
If we can assume this is true (although I realize that would be naive :-p), it seems Best Buy is doing what it can to protect its customers. There are other companies mentioned in the article, as well, but no mention of what they are doing about the situation.
Again, taken direct from the vuln-dev list:
From BestBuy:
> Thank you for contacting Best Buy's corporate headquarters with your
> concerns. Regarding this issue, Best Buy has deactivated our temporary
> wireless cash registers that transmit information via LAN connections.
> These registers are not Best Buy's main register terminals and represent a
> small percentage of the transactions processed within our stores. Please be
> assured that customer privacy is of the utmost importance to Best Buy and we
> will further investigate this matter.
>
> We do appreciate your taking the time to share your concerns with us.
>
> Respectfully,
> Alex Reynolds
> Contact Center Escalations
> Best Buy Enterprise Customer Care
Visa doesn't give a shit about your credit rating, and they make a profit on every chargeback, so let's go to using one time pad encryption? The problem was solved a long time ago. What we need to do is make the credit card companies liable for lack of security.
http://trustcommerce.com/security.html
This is true only for the most common (US) algorithm, often called the IBM-3624 algorithm. Other algorithms handle PIN encryption differently.