Slashdot Mirror
Wireless Registers May Expose Your Credit Card
flynt writes: "Found this article about people sitting in Best Buy parking lots with wireless sniffers and intercepting credit card numbers that the wireless cash registers inside the store are beaming about. Gives more credence to the idea of one time use credit card numbers. Now you don't even have to be online to have your number stolen."
the whole concept of having a card with a number on which you can tell people down the phone, send down the internet, give to people in shops/restauratns is very very insecure, I've ordered stuff on my mums card before, do they care that i'm not my mum, do they shit. If people have to resort to wireless scanners to get card numbers they are throwing way to much money at the exercies, you can get card details much esier from bins, old till rolls etc...
i have developed a foolproof method of fooling them though, dont have a credit card, ok so they wont actully give me one yet but hey...
Burt "Out of my mind back in 5 minutes"
Yeah, wireless encryption sucks....
However, you can add encryption to the tcp/ip running over the wireless. With something like Cash Registers, you can be sure that they're all running the exact same software.
Enabling IPSec, or something similiar shouldn't be too difficult. it's not like you need to make sure it's compatable with all the different OSes.
Lock down all ports on the server except SSH, and force the cash register client machines to tunnel through SSH for everything. I use it at home, work and university. It's better to be over security-conscious than being to relaxed about it.
However, that's just covering up the symptoms of a greater problem. It would be better if credit cards used a public/private key system, where the acocunt number is sent to the central server which responds with a random encryption challenge, then a chip on the card encrypts the string using it's key and replies. That way no useful security information is being pased around for others to intercept and use.
Follow me
You can find what appears to be the original fwd'd (anonymized) copy of the mail from the guy who first checked this out at this location.
GStreamer - The only way to stream!
This is WORST Buy we're talking about, remember?
The same guys who want to foist copy protected CDs as a standard on their customers? The ones who tried to arrest a customer for trying to pick up a video card that he bought on sale online? The ones with the ultra-crappy customer service?
If you're still shopping at Best Buy, this fiasco with the wireless registers should be enough to make you go somewhere else.
Government inspection doesn't mitigate any responsibility that a food plant or an airline has. It merely provides the consumer with some assurances. And in most cases (not all) it works. Most of us buy food every week, and most of us don't die of food poisoning. Most planes take off and land safely. However, the food producer or the airline company is still responsible for the product.
As we rely more system security in our daily business transactions, I think that rigid standards of system security should be created and enforced.
If we start holding irresponsible retailers, like Best Buy in this case, accountable for damages, you'll see consumers *and* retailers lobbying for such an effort.
Social security numbers used as identification, credit card numbers, and a whole host of other "real world" identifiers and systems are simply extremely sloppy security. In the past, that meant that only a few customers got screwed. With modern computer equipment, a lot of people get screwed.
What is particularly annoying about it is that the companies that put this sloppy security in place never really have given a damn about protecting their customers--as long as the casualties are not too many and don't frighten the masses away, it's acceptable. In most cases, companies that use sloppy identifiers or security end up not even being legally liable for the trouble and expenses they are causing their customers.
Is anybody actually surprised that nobody at Best Buy knows how to configure an encrypted wireless network?
Someone down the line knows your credit card number. If you hand your card to the person at the register, then you are placing trust in them. If your information is stolen by a 3rd party, then it is because of the incompetence of whoever you placed your trust in.
According to the article, Best Buy has since stopped using wireless cash registers. Still, I think the problem is not with wireless itself, but the particular implementation Best Buy was using. Couldn't they simply encrypt the data?
Of course, credit cards are inherently problematic. Although I use credit cards, I think the system is poorly designed. Basically, you say to a guy, "here's a key to my safe, please only take what you need." IMO, it should be the reverse. We should *give* them the money, possibly by authorizing a transaction via your bank (a cell phone would be the best way, so you don't have to trust an in-store terminal) Thus, everyone would be able to give, but not take. As it stands, credit cards have the worst security of anything. It's ironic too, since a lot of us computer enthusiasts will rant all day about how everyone should be using ssh and GPG, yet we give our login and password to the waitress next time we eat.
Like you ever did need to be online to get your number stolen - easiest way to steal credit card numbers is to get a job in a retail outlet and record numbers of customers cards.
This is *the* classic error in security thinking - only consider the hardware, ignore the human factors.
Credit card transactions such as this validate the credit card number against an algorithm, and ensure that number matches the bank who issued the card and the type of card (VISA, Mastercard et. al.)
Fine, the number may be legitimate, and the card may be legitimate, but is the actual transaction legitimate? In other words, there is no validation that the card being used for the transaction really does belong to the person making the transaction.
The practice of skimming credit cards and capturing numbers over wireless networks will continue, and credit card fraud will continue because it is easy to commit . . . probably until some form of smart cards encompassing biometrics are in mass use in the marketplace. Incorporate a finger print into a smart card and small recognition scanner at the point of sale. If your fingerprint doesn't match that on the card then the treansaction will be denied. This won't help on-line fraud or fraud perpetrated during transactions when the cardholder isn't present, but it will cut down on innocent people being ripped off.
So why don't banks incorporate this? It's purely down to cost. They're not interested in consumers being defrauded, what matters to them is the money the banks lose. Fraud is a big problem, but until the levels of fraud amount to more than the cost of issuing and installing smart card or biometric technology, banks aren't going to be interested.
In the case of validation, European countries with lower levels of credit card fraud are those with higher levels of validation. Many countries in Europe require a matching signature as well as a PIN number. Sure, the PIN number may be picked up over a wireless network, but it goes to show that more stringent validation checks will reduce levels of credit card fraud.
And as for using encryption - surely that is just common sense?!
~~~~~~~~~ "I must create my own system, or be enslav'd by another man's." William Blake, Jerusalem.
Best Buy sends the credit card info cleartext over 802.11....... hmmmm maybe they really truly are best buy then! They went out and found the cheapest Wireless Point of Sale system.. to them it was the BEST BUY :)
but it's not really stealing if i ipurchase things with someone else's card because i would not have bought anything if i did not have someone else's credit card number.
oh wait... I have been reading slashdot for too long!
with everyone paranoid about credit card theft using high tech means people seem to forget that while most internet transactions are safe, what you really need to worry about are people who actually handle your card.
The cashier has access to your nubmer. the accountant has access to your number. the manager of the store has access to your nubmer. some stores print the entire number on reciepts so anybody willing to dumpster dive has access to your number. waiters and waitresses who carry your card off to the register in a restaurant has access to your number...
and now people in the parking lot have access to your number.
If the transactions are in plain-text, is there any checksumming etc.. that takes place.
It occurs to me that what you could do is be able to intercept (or pre-empt) and replace data in valid transactions.
Then sit in the car-park, and substitute a different card number in to any refund transactions encountered. Create an account specifically for this, and drain it before any fraud is likely to be detected, easy money.
All of this is assuming that the systems do not use basic checksumming double-verification etc.. but given that they already transmit them wirelessly and unencrypted, what chance is there that they take even basic protections against false data beiong injected into the network.
"Oops, I always forget the purpose of competition is to divide people into winners and losers." - Hobbes
"Now you don't even have to be online to have your number stolen."
right, before the internet, credit card numbers couldn't be stolen. I also understand that before the internet, no music was ever pirated.
---
you're all figments of my deranged imagination
Subject: Wlan @ bestbuy is cleartext?
Date: May 1 2002 3:57PM
Author: Blue Boar
I was asked to anonymously proxy this question to the list. Here ya go.
BB
Gives more credence to the idea of one time use credit card numbers
Sounds like a great idea, one-transaction cards, with a unique number on each of them, all tied to one account.
But plastic swipe cards are too expensive to use once and throw away--make them out of paper, better for the environment.
While you're at it, you could eliminate the need for the seperate credit card reciept by putting the amount and signature on the (paper) card, and handing it to the retailer... you could even that funny non-carbon carbon paper if you wanted a reciept for yourself.
Print them up in a handy-little tear off pack, maybe throw in a balance sheet so you can keep track of your expenses (if you're so inclined).
If you let little old ladies get ones with puppies or kittens on them, this radical idea of yours might just be a success!
--
Benjamin Coates
Check your credit card contract.
Most say you are liable for fraud only if your CARD is stolen, and only for the time between it's theft and when you report it to the company.
Any other fraudulent use of your credit card number you are simply NOT liable for. Remember, it's not really your number, and the card is not really yours. It's the property of the issuer, it says so on the back. It's a (weak) security token they issue you in order to identify yourself as someone who has a line of credit. If someone uses that, fraudulently, it is a screwup on the part of the merchant, or the bank. You do not pay.
If your contract says otherwise, or puts any other liability on you (other than normal, responsible behavior of course), shop around and find something better.
I realize it's a pain if someone has your number, and starts using it. It can be really inconvenient. But my point is.. rather than treating this like property that they have stolen from us, just like stealing our cash, we should be looking to the credit card companies to make sure this does not become our problem... because ultimately, it's theirs.