Wireless cash registers leaks Credit Card info.

Thanks go to Slashdot for point me in the direction of this article over on MSNBC regarding Best Buy and their wireless cash registers and the insecurity therein.

Best Buy, the nation's No. 1 consumer electronics retailer with 480 stores, on Wednesday, said vial an email, that they had "deactivated our wireless temporary cash registers that transmit information via LAN connections."

This was in response to a posting in the SecurityFocus Vuln-Dev mailing list, where one anonymous users posted some details of how he snooped on the wireless traffic coming from the Best Buy store where he had just purchased a D-Link wlan card. As the posting says...

    Out of curriosity I fired up kismet (A Linux wireless packet sniffer) and sure enough there were packets flying through the air right infront of BestBuy. Well I decided to run in an try to make a Credit Card purchase real quick to verify that my info was not going all over the parking lot in the clear. Well after sorting out my logs I noticed what looked to be like SQL queries and table headers in my logs ... things such as CUSTOMER_ROUTEID, BANKNAME, REGISTER_ID and things of that nature... luckily no where in that data did I find my own credit card.
He goes on to say that after going into another store next to the Best Buy store, he was surprised to find that this store was indeed broadcasting credit card numbers in "RAW clear text" fashion. He then checked out a few more stores, and low and behold he found that the Best Buy stores he approached all were wlan enabled.

Reports of other users sniffing wlan traffic at Home Depot and other stores have been popping up on this and the wlan underground. This gives rise to the notion that security has not been a big part of these retailers attempts to embrase wireless technology to make their stores work more efficient.

As Symbol Technologies (a major player in the wireless Point of Sale (POS) market) spokesperson Mark J. Ferrone says, that stealing wireless cash register traffic is feasible if proper security measures are not in place. Symbol makes hardware used by IBM in its wireless point-of-sale terminals (some of Symbols customers that have deployed wireless POS technology are Wal-Mart, Best Buy and Home Depot). Ferrone further pointed out that "there are security mechanisms in place, but whether or not (the stores) use them is a different story. If the security is not turned on, then the traffic would be open.".

So be careful when you next go into a wireless enabled retailer. Some person or persons unknown to you could be sitting in the nearby parking lot, sniffing not only your credit card info, but all those other customers who don't know that's is a very easy task to grab their credit card details right out of the air!

News source: MSNBC

View: Discussion on Slashdot: Wireless Registers May Expose Your Credit Card

View: SecurityFocus Vuln-Dev: Wlan @ bestbuy is cleartext? and the Vuln-Dev mailing archive

Previous Story
Philips Shows off Easier LCDs
Next Story
Solaris hole found