Best Buy: May Day Mayday for Security

You could call it a security Mayday.

Imagine Best Buy’s surprise when it found on May 1 that customers’ credit card data and other transaction information at some of its 1,900 stores had been left vulnerable to electronic snooping, thanks to the use of portable point-of-sale (POS) terminals connected to the stores’ servers by a wireless local area network (LAN).

The POS systems in question relied on the increasingly popular 802.11b wireless networking standard, also known as WiFi. But the $15 billion consumer-electronics retailer apparently did not use even the most fundamental security features of WiFi, leaving information passed over the wireless network unencrypted.

While it’s not certain that any actual customer data fell into the wrong hands, or that credit card data was actually transmitted in the clear for all to see, the revelation quickly forced the company to pull the POS systems in question from store floors. At best, the company has had its reputation with customers tarnished. “It’s dumb not to encrypt [wireless data],” says Jonas Hellgren, managing director at data security consulting firm Guardent. “It’s a matter of five seconds to configure it.”

Best Buy Public Relations Manager Donna Beadle says that one to two of the wireless, computerized sales registers per store used 802.11, and those registers were only used during peak hours to shrink checkout lines. The company would offer little more information about its in-store wireless networks, including who manufactured the wireless POS systems they use. They were from “various companies,” says Beadle. “Our IT department is currently investigating the problem.”

Best Buy’s vulnerability became public in a May 1 posting to a mailing list on Security Focus Online, the Web site for a company that provides security threat management systems. The anonymous writer reported that he had been able to detect the network at a Best Buy store from his car after installing a wireless card he purchased there in his laptop.

Running “kismet,” a Linux network monitoring utility, he was able to record and examine packets of network data—and he claimed to have found what looked like credit card numbers in clear text within that data, along with other data about customer transactions and commands to the store’s database. He also found that other Best Buy stores in his area had wireless networks enabled. “I am NOT comfortable using my credit card at any Best Buy right now,” he wrote.
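The poster’s point is that cleartext card numbers are trivially recognisable in a packet capture. The same observation is what a retailer’s own audit or a data-loss-prevention (DLP) monitor relies on to catch this exposure before an outsider does. The following is an added example, not code from the article or from Best Buy: it scans constructed sample payloads (standing in for the POS traffic described above, using well-known test card numbers rather than real accounts) for digit runs that pass the Luhn checksum, and reports them masked so the audit log itself does not become another leak.

```python
import re

# Constructed sample payloads standing in for the cleartext POS traffic
# described in the article. The card numbers are public test numbers.
SAMPLE_PAYLOADS = [
    b"SALE|REG01|AMT=249.99|PAN=4111111111111111|EXP=0604",
    b"SELECT sku, qty FROM inventory WHERE store_id=1234",
    b"SALE|REG02|AMT=19.95|PAN=1234567812345678|EXP=1205",   # fails Luhn
    b"\x00\x00\x1f\x8b binary junk 4242 4242 4242 4242 trailing",
]

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded
# in a longer digit run (the lookarounds stop partial matches).
CANDIDATE = re.compile(rb"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cleartext_pans(payload: bytes) -> list[str]:
    """Return digit strings in a payload that look like PANs and pass Luhn."""
    found = []
    for m in CANDIDATE.finditer(payload):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode()
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep first six and last four digits, as PCI-style masking does."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def audit(payloads) -> list[tuple[int, str]]:
    """Return (payload index, masked PAN) for every cleartext PAN found."""
    findings = []
    for idx, payload in enumerate(payloads):
        for pan in find_cleartext_pans(payload):
            findings.append((idx, mask(pan)))
    return findings


if __name__ == "__main__":
    for idx, masked in audit(SAMPLE_PAYLOADS):
        print(f"payload {idx}: cleartext PAN {masked}")
```

Run against a real capture, the hits on payloads 0 and 3 are the finding that matters: a card number that Luhn-validates inside unencrypted wireless frames. The Luhn filter keeps ordinary SKUs, store IDs and amounts from generating noise, and the SQL in payload 1 is caught by nothing here, which is a reminder that a PAN scan is a narrow check; the fix the article points to is encrypting the link, not tuning the detector.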

It’s not unusual for companies to operate WiFi networks without encryption. Hellgren estimates that over half of WiFi networks are running unencrypted. On a recent test in Boston, Hellgren says only five of the 50 networks his team intercepted while wandering through the city were using the Wired Equivalent Privacy (WEP) encryption scheme built into WiFi network hardware.

The gap in the Minneapolis retailer’s security apparently wasn’t limited to a specific geographic area. According to one analyst, the problem is widespread and has been publicized and discussed on other Web site mailing lists.

“All Best Buys use 802.11b, without WEP,” Eric Parker, an analyst at Mind Security, said on the Security Focus online site.