Think you are safe from the cryptic world of wireless computer hacking? Think again. Security researchers who study wireless networks have found another embarrassing information leak, this one involving well-known retail giants. Some stores use cash registers with wireless networks that beam data — including credit card numbers — to a central computer elsewhere in the store. But a hacker can sit in a store’s parking lot and “listen in” to the data. Indeed, consumer electronics retailer Best Buy Co. shut off wireless cash registers at its stores Wednesday after being alerted to the potential problem, saying it was investigating the issue.
Networked cash registers are an important part of a large retail operation — they allow stores to change prices instantly and make inventory tracking easier. In addition, wireless networks offer added convenience, making temporary outdoor “sidewalk” cash registers much easier to install.
It’s not clear how many stores use the so-called “wireless point-of-sale terminal,” but they are clearly on the rise. For example, Kmart announced last year it planned to install wireless technology in all 2,100 stores.
But there’s a downside to the nifty wireless technology. The data is broadcast as a radio signal, which carries outside the store.
Hackers, using laptop computers equipped with a special antenna, can listen in on such traffic, and if it’s not encrypted, they can read it almost like office workers read e-mail.
An anonymous security researcher announced on a computer security research mailing list Wednesday that several U.S. retailers have made the mistake of installing wireless cash registers and transmitting the traffic in clear text, without encryption. By sitting in the parking lot, the researcher said, he could “listen in” on credit card numbers being beamed around the store.
Several researchers chimed in to say it was old news, discovered by the computer underground as much as two years ago.
Mark J. Ferrone, spokesperson for Symbol Technologies, Inc., said stealing wireless cash register traffic is feasible if proper security measures are not in place. Symbol makes hardware used by IBM in its wireless point-of-sale terminals. The firm couldn’t say which large retailers actually deploy their wireless point of sale technology, but Wal-Mart, Best Buy and Home Depot are among Symbol’s broad customer base, he said.
“There are security mechanisms in place, but whether or not (the stores) use them is a different story,” Ferrone said. “If the security is not turned on, then the traffic would be open.”
However, Ray Martino, Symbol’s vice president of wireless network products, said that credit card data wouldn’t normally be among the traffic that’s broadcast through the air. Credit card purchases still require authorization from a bank, meaning the traffic must travel over a phone line.
But several computer hackers contacted by MSNBC.com said they had spied credit card data in among the wireless traffic they’d captured.
BEST BUY QUICKLY RESPONDS
Best Buy, the nation’s No. 1 consumer electronics retailer with 480 stores, was the retailer most often cited in the notes. The company responded quickly on Wednesday — spokesperson Donna Beadle, in an e-mail, said the company had “deactivated our wireless temporary cash registers that transmit information via LAN connections.”
Beadle added that wireless terminals actually represented a small percentage of transactions. “Customer privacy is of the utmost importance to Best Buy and we will further investigate,” she said.
Several researchers told MSNBC.com they’d been able to spy traffic at Wal-Mart and Home Depot stores. Wal-Mart didn’t immediately return phone calls.
Don Harrison, spokesperson for Home Depot, said any wireless traffic at Home Depot stores is limited to price scanning information — no credit card data is ever transmitted through the air. Home Depot stores use “line busting” technology, where items being purchased by a customer on an excessively long checkout line are scanned by an employee with a wireless device, speeding up the checkout process.
“We do have wireless technology in the store, but it’s all back-end stuff. At the point of sale, everything is hard-wired, and there’s no way a hacker’s going to get that (data),” Harrison said.
While knowledge of the flaw might have been limited to a small group prior to Wednesday, its publication to a security mailing list serves as an invitation for curious computer hackers and computer criminals to try it out.
“I assume half the mailing list is going to be driving around their towns tonight scanning for this problem. I know I will,” wrote one.