    How Secure Are Wireless Terminals?

    By Dennis Fisher - May 3, 2002

      An anonymous message on a security mailing list about credit card numbers flying through the air unencrypted has touched off a wave of hysteria over the security of the wireless point-of-sale terminals used in many large retailers.

      The frenzy has escalated to such a degree that Best Buy Co. Inc. this week decided to take all of its wireless cash registers offline.

      It all started with an anonymous post to the Vuln-Dev security list maintained at SecurityFocus.com. The author recounted a recent trip to a Best Buy store to purchase an 802.11b wireless LAN card for his laptop.

      The author installed the card and its drivers while sitting in the Best Buy parking lot and immediately noticed that the light on the card indicating network traffic was illuminated. Using a wireless packet-sniffing application called Kismet, the author then was able to capture numerous unencrypted packets, which seemed to be coming from Best Buy.

      To test the theory, the author went back into the store and made a purchase with a credit card. Poring over the logs of the captured packets, the author found database queries and some other data, but no credit card number. There was, however, a credit card number in some more cleartext packets captured from another nearby store that the author didn’t identify.

      The 802.11b protocol includes an encryption algorithm known as WEP (Wired Equivalent Privacy). But many people fail to enable it, a fact that causes no end of aggravation for other network operators.

      “If you don’t mind having your internal corporate data published on the front page of the New York Times or Boston Globe, then you don’t need WLAN security and encryption,” said Kevin Baradet, network systems director at the S.C. Johnson Graduate School of Management at Cornell University, in Ithaca, N.Y.

      The Vuln-Dev message drew dozens of replies, many from people who reported that they, too, had been able to capture WLAN traffic from the parking lots of some large retailers. Others, however, pointed out that this was an old issue and was well-known among crackers.

      In response to a number of questions about the issue, Best Buy, of Minneapolis, on Wednesday closed all of its wireless terminals. The company did not return a phone call seeking comment.

      Some members of the mailing list questioned the original poster’s claims, pointing out that it was odd that the poster already had Kismet installed on the laptop even before buying a WLAN card.

      But the moderator of the mailing list says he has no reason to doubt the veracity of the message.

      “In this case, the poster has been active on the list for a while, and has proven pretty clueful in the past. I also exchanged mail with them prior to forwarding it to make sure the email address wasn’t spoofed. I also took into account the content of the message, and decided that the scenario was plausible,” said the list’s moderator, who goes by the handle Blue Boar. “I’d also note that since then, multiple people have confirmed at minimum that lots of the big retailers are indeed using 802.11b. If that’s true, and given human nature, I have no problem at all believing that something sensitive will be passing through the air. All that remains is for someone to independently confirm that they were able to capture credit card numbers with their wireless monitoring rig.

      “Best Buy has done the smart thing by shutting off their wireless until they figure out if they have a problem or not. Someone will probably report in about other retailers.”

      Regardless of the poster’s motives, security experts say even if Best Buy or other retailers are broadcasting credit card numbers in cleartext, it’s the retailer who is exposed, not the consumers who shop there.

      “The impact on the consumer is almost nothing,” said Daniel Baley, general manager of wireless networking at Ntru Cryptosystems Inc., a maker of wireless encryption products based in Burlington, Mass. “The customer’s liability is $50 on [fraudulent] purchases. But, Best Buy clearly has an exposure here.”

      Baley also pointed out that credit card processing is done on a device separate from the cash register because the purchase must be sent via phone lines to the card’s issuing bank for approval.
