Ever use a credit card at Best Buy? This should scare the bejeezus out of you...


Old 05-01-02, 08:22 PM
  #1  
DVD Talk Hero
Thread Starter
 
jfoobar's Avatar
 
Join Date: Jun 2000
Posts: 37,600

As posted today on VULN-DEV, one of the preeminent InfoSec related mailing lists on the Internet:

This past week I went to BestBuy to purchase a D-Link WLAN card... eager to get my laptop up and running while in the car, I put my card in and installed the driver. I noticed the traffic light was lit up as if I had a connection. Out of curiosity I fired up kismet and sure enough there were packets flying through the air right in front of BestBuy. Well I decided to run in and try to make a credit card purchase real quick to verify that my info was not going all over the parking lot in the clear. Well after sorting out my logs I noticed what looked to be like SQL queries and table headers in my logs ... things such as CUSTOMER_ROUTEID, BANKNAME, REGISTER_ID and things of that nature... luckily nowhere in that data did I find my own credit card. Nonetheless I decided to run to the store next to BestBuy while I left my PC on grabbing packets. Well yesterday I sorted through the data collected and this time I did indeed find a RAW clear text credit card number... not mine... but definitely a credit card number.

Here's my dilemma... I checked out a few of the other Best Buy stores for "beacon packets" and every one I drove by was sending them out... so I assume all BestBuys are WLAN enabled. What I need to find out is... are BestBuy's cash register terminals indeed using WLAN and are they indeed sending out MY data in the clear... I am NOT comfortable using my credit card at ANY BestBuy as of right now... due to legality though I don't feel comfortable walking into the store and confronting someone about it... for all I know it could be standard BestBuy corp. practice to use nonsecure WLAN. I figured by starting a thread other people that have attempted this may have more info or someone from BestBuy may be reading the list and they may pipe up.
802.11b without WEP? Brilliant.

There have been about 30 replies at least to this with no one contradicting the validity of this information. In fact, there have been assertions that at least some stores in the Wal-Mart, Home Depot, PetSmart, etc. chains also do the same thing.

You can read the whole thread here:

http://online.securityfocus.com/archive/82

The good news is that this mailing list is MAJOR and is read by lots of people, including many technology journalists. This issue will be getting major exposure within a week.
jfoobar is offline  
Old 05-01-02, 08:41 PM
  #2  
DVD Talk Hero
 
D.Pham4GLTE (>60GB)'s Avatar
 
Join Date: Jul 2001
Location: Stick out your tongue!
Posts: 39,186
damn...and i've used my credit card many times there. Well, guess that's just another reason for me not to shop there.
D.Pham4GLTE (>60GB) is offline  
Old 05-01-02, 08:56 PM
  #3  
X
Administrator
 
X's Avatar
 
Join Date: Oct 1987
Location: AA-
Posts: 10,701
Probably not an issue at my local BB. However leaving your car unlocked can be a problem...
X is offline  
Old 05-01-02, 08:57 PM
  #4  
X
Administrator
 
X's Avatar
 
Join Date: Oct 1987
Location: AA-
Posts: 10,701
Originally posted by .
damn...and i've used my credit card many times there. Well, guess that's just another reason for me not to shop there.
You actually leave your house?
X is offline  
Old 05-01-02, 09:48 PM
  #5  
DVD Talk Legend
 
Join Date: Jun 2000
Location: Downers Grove, IL
Posts: 10,470
Jeez, you'd think they'd encrypt the data at least, and what the hell do they need WLAN in the store for anyway? They can just run the wires under the floor.
huzefa is offline  
Old 05-01-02, 10:01 PM
  #6  
DVD Talk Hero
 
Join Date: Aug 2000
Location: Bartertown due to it having a better economy than where I really live, Buffalo NY
Posts: 29,696
hopefully the CC companies will hear about this and force the stores to change their ways
mikehunt is offline  
Old 05-01-02, 10:53 PM
  #7  
DVD Talk Hero
Thread Starter
 
jfoobar's Avatar
 
Join Date: Jun 2000
Posts: 37,600
Of course, what is really scary is the SQL statements they are sending in the clear, which strongly implies that the server authentication is sent in the clear also.

Why steal one CC number when you can hack into the Db from the parking lot and steal them all.
jfoobar is offline  
Old 05-01-02, 10:57 PM
  #8  
X
Administrator
 
X's Avatar
 
Join Date: Oct 1987
Location: AA-
Posts: 10,701
Originally posted by JustinS
Why steal one CC number when you can hack into the Db from the parking lot and steal them all.
Yes, but unfortunately the BB that's 5 minutes from my house will only be sending credit cards with $500 limits or secured credit lines! Otherwise I'd go sit in the parking lot with my laptop.
X is offline  
Old 05-01-02, 11:48 PM
  #9  
wiz
DVD Talk Platinum Edition
 
Join Date: Aug 2001
Location: Suwanee, GA
Posts: 3,130
What I want to know is, how does this guy know that the supposed number he saw really was a CC #? Unless he tries to use it, he won't really know for sure if that is a real number or it just happens to be a random number.

I've looked around at my local BB (and Walmart and others) and see no wlan devices anywhere near the registers. That and I see CAT5 coming out of their registers makes me believe that not all BB's use wlan. Then again, who knows.
wiz is offline  
Old 05-01-02, 11:59 PM
  #10  
DVD Talk Ultimate Edition
 
Join Date: Apr 2001
Location: Minnesota
Posts: 4,292
Originally posted by wiz
What I want to know is, how does this guy know that the supposed number he saw really was a CC #? Unless he tries to use it, he won't really know for sure if that is a real number or it just happens to be a random number.

Visa and Mastercard numbers are fairly easy to spot, 16 digits with visa starting with 41XX or 42XX. I used to work at a national telemarketing place and our computers would check to see if the number was a legit cc # by the number/patterns but not specifically if it was good.
J-Dubya is offline  
Old 05-02-02, 12:54 AM
  #11  
DVD Talk Hero
 
D.Pham4GLTE (>60GB)'s Avatar
 
Join Date: Jul 2001
Location: Stick out your tongue!
Posts: 39,186
Originally posted by X
You actually leave your house?
yeah, well i do every once in a blue moon...i mean, once in a while i must go to BB to PM to Frys. It takes like 15 minutes, even though Frys is like half a mile away. Of course, I'll have to think twice about it, now that people are getting arrested.
D.Pham4GLTE (>60GB) is offline  
Old 05-02-02, 12:58 AM
  #12  
DVD Talk Hero
 
D.Pham4GLTE (>60GB)'s Avatar
 
Join Date: Jul 2001
Location: Stick out your tongue!
Posts: 39,186
Originally posted by J-Dubya


Visa and Mastercard numbers are fairly easy to spot, 16 digits with visa starting with 41XX or 42XX. I used to work at a national telemarketing place and our computers would check to see if the number was a legit cc # by the number/patterns but not specifically if it was good.
There are also CC generators. I know that people were able to use AoL back in the day (5+ years ago) using a CC generator. Of course, this isn't legal, so i don't try it. Besides, they fixed their system a couple of years back.
D.Pham4GLTE (>60GB) is offline  
Old 05-02-02, 12:59 AM
  #13  
DVD Talk Special Edition
 
Join Date: Jul 2000
Location: Dingleberry
Posts: 1,662
Originally posted by J-Dubya


Visa and Mastercard numbers are fairly easy to spot, 16 digits with visa starting with 41XX or 42XX. I used to work at a national telemarketing place and our computers would check to see if the number was a legit cc # by the number/patterns but not specifically if it was good.
Both of my Visa cards start with 44xx
jumbojp is offline  
Old 05-02-02, 01:03 AM
  #14  
X
Administrator
 
X's Avatar
 
Join Date: Oct 1987
Location: AA-
Posts: 10,701
Originally posted by jumbojp
Both of my Visa cards start with 44xx
I'm looking at one that starts with 43xx.
X is offline  
Old 05-02-02, 01:04 AM
  #15  
DVD Talk Special Edition
 
Join Date: Jul 2000
Location: Dingleberry
Posts: 1,662
So I guess it could be between 41xx and 44xx so far

Do I see any others out there?
jumbojp is offline  
Old 05-02-02, 01:09 AM
  #16  
DVD Talk Hero
 
D.Pham4GLTE (>60GB)'s Avatar
 
Join Date: Jul 2001
Location: Stick out your tongue!
Posts: 39,186
Originally posted by jumbojp
So I guess it could be between 41xx and 44xx so far

Do I see any others out there?
i believe it could start with anything from 41xx to 49xx. I knew someone with a CC generator, so I'm assuming the sequence isn't too hard to come by. Of course, most places now are checking more than just the sequence.
D.Pham4GLTE (>60GB) is offline  
Old 05-02-02, 07:51 AM
  #17  
DVD Talk Legend
 
Join Date: Jun 2000
Location: Downers Grove, IL
Posts: 10,470
Actually, AFAIK, Visa #'s start with 4###, Mastercard start with 5###, and Amex start with 3##.
huzefa is offline  
Old 05-02-02, 08:07 AM
  #18  
DVD Talk Platinum Edition
 
Join Date: Dec 2000
Location: Edison, NJ
Posts: 3,463
Originally posted by huzefa
Actually, AFAIK, Visa #'s start with 4###, Mastercard start with 5###, and Amex start with 3##.
And I think Discover starts with 6###.
Ben732 is offline  
Old 05-02-02, 03:27 PM
  #19  
DVD Talk Hall of Fame
 
Join Date: Jan 2000
Location: Chicago, IL
Posts: 9,334
What is more scary - this scenario or some crooked employee with a receipt? I think a crooked employee. Sometimes these things just got blown out of hand.
chanster is offline  
Old 05-02-02, 04:33 PM
  #20  
DVD Talk Hero
Thread Starter
 
jfoobar's Avatar
 
Join Date: Jun 2000
Posts: 37,600
Originally posted by chanster
What is more scary - this scenario or some crooked employee with a receipt? I think a crooked employee. Sometimes these things just got blown out of hand.
This scenario is more scary, by a long shot. CC # theft by dishonest employees has always been a risk at any establishment that accepts them as payment. How do you know what that waiter does with your credit card when he goes around the corner to process your bill? This is more scary for two reasons:

1. It's new and, as such, exacerbates an existing problem.
2. It does not involve employees, which are at least tied to the store, whose presence in the store at a given time can usually be accounted for. Anybody can sit in the parking lot of a retail establishment that uses this technology in this fashion and steal CC #s.

BTW, here was Best Buy corporate's reply when they were informed of the issue:

Thank you for contacting Best Buy's corporate headquarters
with your concerns. Regarding this issue, Best Buy has
deactivated our temporary wireless cash registers that
transmit information via LAN connections.
These registers are not Best Buy's main register terminals
and represent a small percentage of the transactions
processed within our stores. Please be assured that
customer privacy is of the utmost importance to Best Buy and
we will further investigate this matter.

We do appreciate your taking the time to share your concerns
with us.

Respectfully,
Alex Reynolds
Contact Center Escalations
Best Buy Enterprise Customer Care
That sounds like an admission that there was a problem, at least on a limited scale, to me.

And here are some published articles on this from the last 24 hours or so (I knew it would get scooped up by the media):

The Inquirer
MSNBC
Silicon.com
jfoobar is offline  
Old 05-02-02, 08:27 PM
  #21  
Senior Member
 
Join Date: Jun 2000
Location: Clifton, NJ USA
Posts: 964
i was wondering why the wireless register wasn't working for me at work. I guess this is why they disabled it.
vwbeetlvr is offline  
