Slashdot Mirror
Wireless Registers May Expose Your Credit Card
flynt writes: "Found this article about people sitting in Best Buy parking lots with wireless sniffers and intercepting credit card numbers that the wireless cash registers inside the store are beaming about. Gives more credence to the idea of one time use credit card numbers. Now you don't even have to be online to have your number stolen."
Yeah, wireless encryption sucks....
However, you can add encryption to the tcp/ip running over the wireless. With something like Cash Registers, you can be sure that they're all running the exact same software.
Enabling IPSec, or something similiar shouldn't be too difficult. it's not like you need to make sure it's compatable with all the different OSes.
Lock down all ports on the server except SSH, and force the cash register client machines to tunnel through SSH for everything. I use it at home, work and university. It's better to be over security-conscious than being to relaxed about it.
However, that's just covering up the symptoms of a greater problem. It would be better if credit cards used a public/private key system, where the acocunt number is sent to the central server which responds with a random encryption challenge, then a chip on the card encrypts the string using it's key and replies. That way no useful security information is being pased around for others to intercept and use.
Follow me
This is WORST Buy we're talking about, remember?
The same guys who want to foist copy protected CDs as a standard on their customers? The ones who tried to arrest a customer for trying to pick up a video card that he bought on sale online? The ones with the ultra-crappy customer service?
If you're still shopping at Best Buy, this fiasco with the wireless registers should be enough to make you go somewhere else.
Social security numbers used as identification, credit card numbers, and a whole host of other "real world" identifiers and systems are simply extremely sloppy security. In the past, that meant that only a few customers got screwed. With modern computer equipment, a lot of people get screwed.
What is particularly annoying about it is that the companies that put this sloppy security in place never really have given a damn about protecting their customers--as long as the casualties are not too many and don't frighten the masses away, it's acceptable. In most cases, companies that use sloppy identifiers or security end up not even being legally liable for the trouble and expenses they are causing their customers.
Someone down the line knows your credit card number. If you hand your card to the person at the register, then you are placing trust in them. If your information is stolen by a 3rd party, then it is because of the incompetence of whoever you placed your trust in.
According to the article, Best Buy has since stopped using wireless cash registers. Still, I think the problem is not with wireless itself, but the particular implementation Best Buy was using. Couldn't they simply encrypt the data?
Of course, credit cards are inherently problematic. Although I use credit cards, I think the system is poorly designed. Basically, you say to a guy, "here's a key to my safe, please only take what you need." IMO, it should be the reverse. We should *give* them the money, possibly by authorizing a transaction via your bank (a cell phone would be the best way, so you don't have to trust an in-store terminal) Thus, everyone would be able to give, but not take. As it stands, credit cards have the worst security of anything. It's ironic too, since a lot of us computer enthusiasts will rant all day about how everyone should be using ssh and GPG, yet we give our login and password to the waitress next time we eat.
Like you ever did need to be online to get your number stolen - easiest way to steal credit card numbers is to get a job in a retail outlet and record numbers of customers cards.
This is *the* classic error in security thinking - only consider the hardware, ignore the human factors.
Credit card transactions such as this validate the credit card number against an algorithm, and ensure that number matches the bank who issued the card and the type of card (VISA, Mastercard et. al.)
Fine, the number may be legitimate, and the card may be legitimate, but is the actual transaction legitimate? In other words, there is no validation that the card being used for the transaction really does belong to the person making the transaction.
The practice of skimming credit cards and capturing numbers over wireless networks will continue, and credit card fraud will continue because it is easy to commit . . . probably until some form of smart cards encompassing biometrics are in mass use in the marketplace. Incorporate a finger print into a smart card and small recognition scanner at the point of sale. If your fingerprint doesn't match that on the card then the treansaction will be denied. This won't help on-line fraud or fraud perpetrated during transactions when the cardholder isn't present, but it will cut down on innocent people being ripped off.
So why don't banks incorporate this? It's purely down to cost. They're not interested in consumers being defrauded, what matters to them is the money the banks lose. Fraud is a big problem, but until the levels of fraud amount to more than the cost of issuing and installing smart card or biometric technology, banks aren't going to be interested.
In the case of validation, European countries with lower levels of credit card fraud are those with higher levels of validation. Many countries in Europe require a matching signature as well as a PIN number. Sure, the PIN number may be picked up over a wireless network, but it goes to show that more stringent validation checks will reduce levels of credit card fraud.
And as for using encryption - surely that is just common sense?!
~~~~~~~~~ "I must create my own system, or be enslav'd by another man's." William Blake, Jerusalem.
with everyone paranoid about credit card theft using high tech means people seem to forget that while most internet transactions are safe, what you really need to worry about are people who actually handle your card.
The cashier has access to your nubmer. the accountant has access to your number. the manager of the store has access to your nubmer. some stores print the entire number on reciepts so anybody willing to dumpster dive has access to your number. waiters and waitresses who carry your card off to the register in a restaurant has access to your number...
and now people in the parking lot have access to your number.
If the transactions are in plain-text, is there any checksumming etc.. that takes place.
It occurs to me that what you could do is be able to intercept (or pre-empt) and replace data in valid transactions.
Then sit in the car-park, and substitute a different card number in to any refund transactions encountered. Create an account specifically for this, and drain it before any fraud is likely to be detected, easy money.
All of this is assuming that the systems do not use basic checksumming double-verification etc.. but given that they already transmit them wirelessly and unencrypted, what chance is there that they take even basic protections against false data beiong injected into the network.
"Oops, I always forget the purpose of competition is to divide people into winners and losers." - Hobbes
"Now you don't even have to be online to have your number stolen."
right, before the internet, credit card numbers couldn't be stolen. I also understand that before the internet, no music was ever pirated.
---
you're all figments of my deranged imagination
Subject: Wlan @ bestbuy is cleartext?
Date: May 1 2002 3:57PM
Author: Blue Boar
I was asked to anonymously proxy this question to the list. Here ya go.
BB