An anonymous message on a security mailing list about credit card numbers flying through the air unencrypted has touched off a wave of hysteria over the security of the wireless point-of-sale terminals used in many large retailers.
The frenzy has escalated to such a degree that Best Buy Co. Inc. this week decided to take all of its wireless cash registers offline.
It all started with an anonymous post to the Vuln-Dev security list maintained at SecurityFocus.com. The author recounted a recent trip to a Best Buy store to purchase an 802.11b wireless LAN card for his laptop.
The author installed the card and its drivers while sitting in the Best Buy parking lot and immediately noticed that the light on the card indicating network traffic was illuminated. Using a wireless packet-sniffing application called Kismet, the author then was able to capture numerous unencrypted packets, which seemed to be coming from Best Buy.
To test the theory, the author went back into the store and made a purchase with a credit card. Poring over the logs of the captured packets, the author found database queries and some other data, but no credit card number. There was, however, a credit card number in some more cleartext packets captured from another nearby store that the author didnt identify.
The 802.11b protocol includes an encryption algorithm known as WEP (Wired Equivalent Privacy). But many people fail to enable it, a fact that causes no end of aggravation for other network operators.
“If you dont mind having your internal corporate data published on the front page of the New York Times or Boston Globe, then you dont need WLAN security and encryption,” said Kevin Baradet, network systems director at the S.C. Johnson Graduate School of Management at Cornell University, in Ithaca, N.Y.
The Vuln-Dev message drew dozens of replies, many from people who reported that they, too, had been able to capture WLAN traffic from the parking lots of some large retailers. Others, however, pointed out that this was an old issue and was well-known among crackers.
In response to a number of questions about the issue, Best Buy, of Minneapolis, on Wednesday closed all of its wireless terminals. The company did not return a phone call seeking comment.
Some members of the mailing list questioned the original posters claims, pointing out that it was odd that the poster already had Kismet installed on the laptop even before buying a WLAN card.
But the moderator of the mailing list says he has no reason to doubt the veracity of the message.
“In this case, the poster has been active on the list for a while, and has proven pretty clueful in the past. I also exchanged mail with them prior to forwarding it to make sure the email address wasnt spoofed. I also took into account the content of the message, and decided that the scenario was plausible,” said the lists moderator, who goes by the handle Blue Boar. “Id also note that since then, multiple people have confirmed at minimum that lots of the big retailers are indeed using 802.11b. If thats true, and given human nature, I have no problem at all believing that something sensitive will be passing through the air. All that remains is for someone to independently confirm that they were able to capture credit card numbers with their wireless monitoring rig.
“Best Buy has done the smart thing by shutting off their wireless until they figure out if they have a problem or not. Someone will probably report in about other retailers.”
Regardless of the posters motives, security experts say even if Best Buy or other retailers are broadcasting credit card numbers in cleartext, its the retailer who is exposed, not the consumers who shop there.
“The impact on the consumer is almost nothing,” said Daniel Baley, general manager of wireless networking at Ntru Cryptosystems Inc., a maker of wireless encryption products based in Burlington, Mass. “The customers liability is $50 on [fraudulent] purchases. But, Best Buy clearly has an exposure here.”
Baley also pointed out that credit card processing is done on a device separate from the cash register because the purchase must be sent via phone lines to the cards issuing bank for approval.