• Belcat (unregistered)

    Typical merchant covering their asses but not following up in their own practices..

  • (cs)

    Yay for insecure banking. In a lot of ways, this is the credit card company's fault as much as anybody. Instead of a credit card, give everybody an RSA SecurID token or something so that stealing the number is useless, because it's only good for that one transaction. It's not rocket science.

    Same goes for identity theft. I can't use my social security number to identify myself anymore because.... I've used it in too many places. So to be more "secure" they've stopped asking for my social security number. Now I have to fax them a copy of my driver's license and my mother's maiden name. Yup, nobody else has a copy of that information....

  • (cs)

    According to this article, credit card companies submit your info over WiFi all the time, even for card-present transactions!

    http://news.yahoo.com/s/pcworld/20070626/tc_pcworld/133405

  • (cs)

    Now, I could be wrong, but it should be possible to set up the sign-up process so the critical information is secured via a SSL session. It's be a bit tricky as you'd have to allow connections to certificate authorities for proper verification.

    Still, it's one of those things where you have to remember that any unencrypted communication is very much open to interceptions, while you'd still be okay if, for example, all your traffic is being routed through a VPN.

    I work in an area where they're paranoid about this stuff, we're finally getting wireless. It IS perfectly possible to secure wireless to the point that it's easier to tap a land line to get the info, it just takes some work.

  • Dar (unregistered) in reply to Pap

    There is no catch-22. The disclaimer is given AFTER the information has been transmitted and as such has no legal basis whatsoever. As such is can be safely ignored.

  • Rick (unregistered)

    No, it actually makes sense. The page you pay through is probably secured with SSL, so whether or not it's used over a wireless connection the user is safe. After signing up they might go to an unsecured site that asks for their information; while doing this at home will probably just expose you to people you know and trust, in an airport or hotel there could be a lot more people watching.

  • (cs) in reply to Firethorn
    Now, I could be wrong, but it should be possible to set up the sign-up process so the critical information is secured via a SSL session. It's be a bit tricky as you'd have to allow connections to certificate authorities for proper verification.

    The certificate authorities' keys come with your browser; you can verify them yourself. That's the great thing about asymmetric encryption.

  • l1fel1ne (unregistered) in reply to Belcat
    A). You should never transmit credit card information wirelessly

    Jake you're slipping man! It wasn't very clear to me whether you supported this position (of not sending cc info wirelessly), or were just trying to point out the obvious contradiction in the disclaimer.

  • (cs) in reply to l1fel1ne

    Catch-22 is when a requirement of some goal voids that goal.

    This situation doesn't satisfy that.

    It's one of my pet peeves when people call any old logical deadlock a "catch-22".

  • (cs) in reply to dhromed
    dhromed:
    It's one of my pet peeves when people call any old logical deadlock a "catch-22".

    Isn't that ironic?

    -- Seejay

  • (cs) in reply to dhromed
    dhromed:
    Catch-22 is when a requirement of some goal voids that goal.

    This situation doesn't satisfy that.

    It's one of my pet peeves when people call any old logical deadlock a "catch-22".

    A catch-22 is defined by three logical rules: If A, then not B If B, then not A C requires (is implied by) A and B

    That fits this case. The goal is for you to agree to the terms of service. But you can't view them until you have already violated them.

    Go join the crowd of schmucks who think that nothing was, is, or ever will be ironic since Alanis Morrisette sang that stupid song.

  • Kinglink (unregistered)

    My father worked for this company at one point. Let's just say this is the most public WTF, but there was others.

  • Aaron Z (unregistered)

    These devices typically use SSL to secure the transaction, so it's not really unsecured and therefore doesn't violate it's own disclaimer. We run a similar Aruba device and have the same sort of thing, but everything is secured over SSL. Can't tell from the screenshot if this is the case or not, however.

    More of a raised eyebrow than a WTF...

  • (cs)

    The logic operator ^ eludes me. Where I live it means exclusive or, but it is only A that implies C. If ^ really means XOR, then the whole scheme is consistent, only we cannot tell whether it is A or B that is true. But in reality, B simply has to be true a priori. So it's more like A & B => C.

  • (cs)

    Pretty clear, if you sign up, you're doomed. Don't say we didn't warn you!!

  • Vlad Patryshev (unregistered)

    It is not catch-22. It is an exception-based algorithm. A quote from a popular Russian movie:

    "You cannot trust anybody. You can trust me."

  • James (unregistered) in reply to Random832
    The certificate authorities' keys come with your browser; you can verify them yourself. That's the great thing about asymmetric encryption.
    Don't most browsers go out looking for a revocation list at least periodically? I should know more about this than I do, but I at least understand that the CRL is out there waiting to be queried, and I sincerely hope that *my* browser at least peeks in on it once in a while...

    Of course, if you can't reach the CRL, using a certificate that was at least valid the last time you checked is a pretty good alternative...

    I'd still rather get online through my cell phone than a hotspot, though...

  • Someone (unregistered) in reply to TGV

    ^ means "and" in mathematical notation.

  • Anonymous (unregistered) in reply to vt_mruhlin
    vt_mruhlin:
    Yay for insecure banking. In a lot of ways, this is the credit card company's fault as much as anybody. Instead of a credit card, give everybody an RSA SecurID token or something so that stealing the number is useless, because it's only good for that one transaction. It's not rocket science.

    CitiBank does something similar. If you have a credit card through them, they let you set up one-time use numbers. You go on their site, generate a new number/exp date/security code, and just use that for your purchase. If it gets intercepted, it doesn't do anything (unless, of course, if you're supplying it to someone that will batch process it later and the interceptor uses it first).

  • (cs) in reply to vt_mruhlin
    vt_mruhlin:
    Yay for insecure banking. In a lot of ways, this is the credit card company's fault as much as anybody. Instead of a credit card, give everybody an RSA SecurID token or something so that stealing the number is useless, because it's only good for that one transaction. It's not rocket science.

    Thats a cool idea acutally. I wonder why none of the banks/credit cards offer this?

  • Anonymous Bosh (unregistered) in reply to Someone
    Someone:
    ^ means "and" in mathematical notation.

    Not in any math I've learned. The logic AND (according to what I have been taught) is like a full-height caret, not that stubby little thing available in ASCII. It looks more like /\ than ^, and comes with a matching OR that looks like / (though v and V might also be substituted).

    Without a proper character set, I think it's better to stick with the more traditional ampersands and pipes (&& and ||).

  • fanha (unregistered)

    So...send your information to signup over a wired connection instead of a wireless one? Where's the catch-22? The real catch-22 is trying to signup for wireless with wireless. That's like trying to find a job by going to work.

  • (cs) in reply to James

    As I understand it, your browser comes with a set of keys for the certificate authority; that allows the cert to be trusted. When you go to a strange site a secure connection can be set up even without an issued certificate, but any joe can issue himself a cert saying whatever.

    In order for the site to be fully trusted, the client computer has to trust the issuing certificate authority; more than that, it has to be able to contact the authority to verify that it's a good certificate.

    Trying to download the whole store (good certificates and revoke list) for several root certs would take too much space and bandwidth.

  • Cowbert (unregistered) in reply to vt_mruhlin
    vt_mruhlin:
    Yay for insecure banking. In a lot of ways, this is the credit card company's fault as much as anybody. Instead of a credit card, give everybody an RSA SecurID token or something so that stealing the number is useless, because it's only good for that one transaction. It's not rocket science.

    Same goes for identity theft. I can't use my social security number to identify myself anymore because.... I've used it in too many places. So to be more "secure" they've stopped asking for my social security number. Now I have to fax them a copy of my driver's license and my mother's maiden name. Yup, nobody else has a copy of that information....

    They already have this feature on some cards (notably Visa cards). You can use a one-time-use CC # for online transactions. They even had a bunch of celebrity commercials for this a few years ago.

    Captcha: what a lot of DWTF readers need to do: bathe

  • (cs) in reply to Anonymous
    Anonymous:
    vt_mruhlin:
    Yay for insecure banking. In a lot of ways, this is the credit card company's fault as much as anybody. Instead of a credit card, give everybody an RSA SecurID token or something so that stealing the number is useless, because it's only good for that one transaction. It's not rocket science.

    CitiBank does something similar. If you have a credit card through them, they let you set up one-time use numbers. You go on their site, generate a new number/exp date/security code, and just use that for your purchase. If it gets intercepted, it doesn't do anything (unless, of course, if you're supplying it to someone that will batch process it later and the interceptor uses it first).

    Kind of hard to get to their web site in this situation...

    The one-time use sites are pretty cool, and I make use of them regularly. Problem is there's no equivalent for real world purchases. And as Pap points out above, those are often less secure.

  • (cs) in reply to savar
    savar:
    Thats a cool idea acutally. I wonder why none of the banks/credit cards offer this?

    Cost, I suppose. So many places with magnetic strips, you'd have to either put in new POSes or come up with some convoluted way to interface the card with it.

    Also, if anybody's doing batch transactions, this could put a damper on them. You'd have to talk to the server on each transaction. Bandwidth is pretty freely available these days though. I'm not even sure why anybody would do batch transactions. Couldn't somebody feasibly use a bogus card and get away with it?

    Of course if they shelled out the money to implement this, they wouldn't have to spend as much on "theft protection". I bet some jackass did the math 10 years ago and determined it was cheaper this way. Now that phishing's becoming a bigger problem, they may have to reconsider.

    Even if it is more expensive, it's the "right thing" to do. Right now we basically let thieves get away with free stuff.

  • (cs) in reply to akatherder
    akatherder:
    dhromed:
    Catch-22 is when a requirement of some goal voids that goal.

    This situation doesn't satisfy that.

    It's one of my pet peeves when people call any old logical deadlock a "catch-22".

    A catch-22 is defined by three logical rules: If A, then not B If B, then not A C requires (is implied by) A and B

    That fits this case. The goal is for you to agree to the terms of service. But you can't view them until you have already violated them.

    Go join the crowd of schmucks who think that nothing was, is, or ever will be ironic since Alanis Morrisette sang that stupid song.

    More precisely (and paraphrasing from the original source, the novel "Catch-22" by Joseph Heller):

    1. When assigned hazardous duty, you may request exemption.

    2. The request will be denied unless you are crazy. An exemption is granted only for mental illness.

    3. Requesting exemption from hazardous duty indicates a rational concern for self-preservation, which means you are not crazy and therefore don't qualify for the exemption.

    One of my pet peeves is when people are overly restrictive of analogies. When my company laid off 25 of the 250 people in our office, I commented at lunch that the company had "literally decimated" the office. One person at lunch said "It's one of my pet peeves when people say 'literally' to mean 'figuratively'. 'Decimation' refers to the practice in the ancient Roman army of killing one of every ten soldiers. We are not in ancient Rome, and therefore we cannot be 'literally decimated'."

  • bleh (unregistered)

    actually, C requires A and B is represented by

    C implies A and B

    not

    A and B implies C

    aka C is only true when A and B are both true

    sketch out the truth tables and youll see what i mean

  • wayport slave (unregistered)

    I used to work for Wayport and can assure you that the initial payment for access is secure. The disclaimer relates to other sites which may not be as secure as our own.

  • (cs) in reply to wayport slave
    wayport slave:
    I used to work for Wayport and can assure you that the initial payment for access is secure. The disclaimer relates to other sites which may not be as secure as our own.

    Does this qualify as astro-turfing?

    Anyway, you can relax. Nobody thinks less of you for this disclaimer.

  • Jon (unregistered) in reply to Anonymous Bosh
    Anonymous Bosh:
    Someone:
    ^ means "and" in mathematical notation.

    Not in any math I've learned. The logic AND (according to what I have been taught) is like a full-height caret, not that stubby little thing available in ASCII. It looks more like /\ than ^, and comes with a matching OR that looks like / (though v and V might also be substituted).

    Without a proper character set, I think it's better to stick with the more traditional ampersands and pipes (&& and ||).

    The characters you're looking for are ∧ and ∨. In Windows, you can type them as alt+8743 and alt+8744, preferably with num lock on.

  • encryption man (unregistered)

    Wayport and all responsible wifi hotspot operators use ssl encryption for credit card transactions. Other wise they would be in violation of the banking security standards. The entire page is encrypted by the ssl certificate hashes and most meet minimum criterion or will not be accepted by processing companies. Look for the padlock and https:// in the url to be sure. But the terms and services is strictly cover your ass and standard boilerplate for wifi so if you submit your Credt card number to an unsafe site they arent liable.

  • John (unregistered) in reply to vt_mruhlin
    vt_mruhlin:
    ...So to be more "secure" they've stopped asking for my social security number. Now I have to fax them a copy of my driver's license and my mother's maiden name. Yup, nobody else has a copy of that information....

    How do you send someone an authoritative copy of your mother's maiden name (MMN)? How would they know it's correct?

    Isn't the MMN simply considered password nowadays? I give out different MMNs to each company that requires it, so I don't have to worry about someone finding out the "real" one and abusing it.

  • Anonymous (unregistered) in reply to wayport slave
    wayport slave:
    I used to work for Wayport and can assure you that the initial payment for access is secure. The disclaimer relates to other sites which may not be as secure as our own.

    Correct me if I'm wrong, but doesn't the disclaimer apply to people sniffing packets on your wireless transmission, not the security of the end site. If it mean the other site's security, then it would be a disclaimer to never send your credit card information over the Internet, not just wireless.

  • FinMaster (unregistered) in reply to savar
    savar:
    vt_mruhlin:
    Yay for insecure banking. In a lot of ways, this is the credit card company's fault as much as anybody. Instead of a credit card, give everybody an RSA SecurID token or something so that stealing the number is useless, because it's only good for that one transaction. It's not rocket science.

    Thats a cool idea acutally. I wonder why none of the banks/credit cards offer this?

    Because it is a needlessly complex solution. Here's a real simple, totally secure solution. The bank gives you and every merchant an account number that can only be used to deposit money. When you want to buy something, the merchant gives you his number and you tell the credit card company to give him some money. The merchant never even gets your credit card info. Now stealing the number only lets you give money to the person you stole the number from.

  • Wayport Engineer (unregistered)

    Before we spend hours complaining and ridiculing the astoundingly foolish nature of this terribly insecure method of payment, maybe next time we could bother with the rest of the screen capture that says https?

    Yes, EVERY page that requests any sort of authentication handled by a Wayport server is done via https to a central, secure location and not even stored on the on site server. The message is a reminder that this same information should not be transmitted insecurely. If you are worried that https in nto secure enough, then feel free to never use a credit card, or any password for that matter online.

  • Phyzz (unregistered) in reply to newfweiler
    newfweiler:
    ...

    One of my pet peeves is when people are overly restrictive of analogies. When my company laid off 25 of the 250 people in our office, I commented at lunch that the company had "literally decimated" the office. One person at lunch said "It's one of my pet peeves when people say 'literally' to mean 'figuratively'. 'Decimation' refers to the practice in the ancient Roman army of killing one of every ten soldiers. We are not in ancient Rome, and therefore we cannot be 'literally decimated'."

    Wish I could find that piece my English teacher showed me from the 17 or 18 hundreds on that topic. Basically a semi-famous writer mocking people like your coworker. It's funny to think that even after a few hundred odd years some people can't get used to the fact that the word literally has two polar opposite meanings.

  • dar (unregistered) in reply to FinMaster
    FinMaster:
    Because it is a needlessly complex solution. Here's a real simple, totally secure solution. The bank gives you and every merchant an account number that can only be used to deposit money. When you want to buy something, the merchant gives you his number and you tell the credit card company to give him some money. The merchant never even gets your credit card info. Now stealing the number only lets you give money to the person you stole the number from.
    So, the company gets money in their "wireless pay account". There're 10 laptops trying to connect to the internet. How does it know which one of them should be allowed?
  • (cs) in reply to FinMaster
    FinMaster:
    Because it is a needlessly complex solution. Here's a real simple, totally secure solution. The bank gives you and every merchant an account number that can only be used to deposit money. When you want to buy something, the merchant gives you his number and you tell the credit card company to give him some money. The merchant never even gets your credit card info. Now stealing the number only lets you give money to the person you stole the number from.

    Leaving half the difficulties out is indeed a way of de-complexing it... How are you going to tell your creditcard company to pay, and how will they check your identity, assuming your standing on the market. Using a wireless network maybe? :P And, how does the merchant check you've actually paid?

  • Mike (unregistered)

    What you failed to show is the whole screenshot. If you did, you would have seen the lock on the bottom right of the browser. This indicates that you are on a secure site and all information is encrypted. So this really isnt a catch 22. Anyone with some simple common sense about the internet SHOULD know that by taking the proper precautions (ie. firewall, spyware, etc), internet transactions are not as dangerous as everyone may think. Personally, I think going to stores and handing the employee your credit card is worse. The store now has a hard copy of ALL the information at their hands. So is it a catch 22, I dont think so....

  • Just me (unregistered) in reply to savar
    savar:
    vt_mruhlin:
    Yay for insecure banking. In a lot of ways, this is the credit card company's fault as much as anybody. Instead of a credit card, give everybody an RSA SecurID token or something so that stealing the number is useless, because it's only good for that one transaction. It's not rocket science.

    Thats a cool idea acutally. I wonder why none of the banks/credit cards offer this?

    Maybe not in the USA (or where ever you are from), but in Switzerland every bank does this. Or if not RSA keys they send you a list of random numbers, which you have to use to login (ofcourse they don't send these lists over the internet).

  • Brad (unregistered)

    To the people saying, oh well...it's SSL to the hotspot so it's okay....no...it's really not. It's trivial to become a man in the middle, present a fake self signed cert to a client (to which they'll probably just click yes...face it), and happily steal their credit card data while forwarding the client to the real hotspot. :(

  • Wayport Engineer II (unregistered) in reply to Brad

    It's unlikely that a man-in-the-middle attack would succeed due to wireless port isolation, or port protection, which does not allow wireless clients to communicate with each other. Any man-in-the-middle attack on the Wayport network would require much more effort and is far from trivial.

  • あ (unregistered) in reply to Phyzz

    Erm, no. Literally has (literally) one meaning only. It's just that some people abuse it.

    'Decimate', however, has several meanings. Sometime after the fall of the Roman empire, it gained one that meant reducing by ten percent, but not necessarily killing anyone.

    Oh, and you can literally decimate a landscape mesh, even though you're removing way more than ten percent, and no-one bleeds on anything.

  • あ (unregistered) in reply to Wayport Engineer II

    And how the hell would that work?

    If you're between the AP and the client, you don't need the AP to forward your packets. You're impersonating the AP; it gets no say in your behaviour.

    The best it could hope for is that it might detect someone impersonating it, and alert the operator with a loud beeping noise.

  • あ (unregistered) in reply to dar

    The one corresponding to the unique token appended to the pay account number?

    You look at your bank statements, right?

  • Brad (unregistered) in reply to あ
    あ:
    And how the hell would that work?

    If you're between the AP and the client, you don't need the AP to forward your packets. You're impersonating the AP; it gets no say in your behaviour.

    The best it could hope for is that it might detect someone impersonating it, and alert the operator with a loud beeping noise.

    Exactly. You set up a fake AP, fake login/payment page, and route all their traffic through your connection to the real AP.

    Then you just sit back and sip your coffee. There's nothing the real AP can do about this. A wireless IDS may trigger alerts on seeing the fake AP, but I highly doubt many of those are even out there.

    All this is ridiculously easy for anyone with even a rudimentary knowledge of linux or unix to do. And while it's a little riskier since it's a meat world attack, I imagine there have been a small # of people who had no qualms about doing this. Then people wonder where their credit information was stolen from.

    It'd be hard to nail down for the cops too...looking for a link between people that they'd never find because they never actually purchased the wireless access. If they all bought coffee on their cards they might blame a crooked employee at the coffee shop, but they'd probably never find the real thief.

    Scary? It should be. I tell all the non-computer-savvy people I know to NEVER EVER do anything over wireless that they wouldn't want to be public knowledge. Not your credit card #, not your bank account website, not even your email. Sure I could warn them about disassociation attacks and self signed ssl certs and to use VPN and on and on...but which are they more likely to remember?

  • Wayport Engineer (unregistered) in reply to Brad

    While I can already feel the sarcastic comments coming, this sort of attack would not accomplish anything on a Wayport network. The usual answer, of course, is that I can't tell you how. Common security/NDA policies of course say that the more information you give about a network, the more you tell people what WON'T work, then they can narrow down what will, so of course I can't do that.

    But by all means, please give it a shot. Better than that, let me know ahead of time, I'll have you sign something that says we won't prosecute should it be successful and you won't do anything nasty at the same time.

  • We Rule The School (unregistered)

    Nice logic, but you are looking at "security information" not part of the "terms of service". It does not say that you MAY NOT transmit your CC over wireless, it just advises against it. This security advisory is basically a warning not to do anything foolish, like submitting sensitive information over an insecure connection or sending cash to recently-deposed Nigerian royalty. It also says that the company will not be held liable for any such ill-advised activity while using their network. However, as mentioned, the CC information you are passing during the purchase itself is transmitted securely. These types of companies are audited regularly by the CC companies and are not allowed to conduct CC transactions in an insecure manner (by the standards of the CC companies).

    You are certainly welcome to transmit your credit card information to any unsecured website or individual while using this WiFi service, but you may not sue the network operator or property owner. It's called a disclaimer. At least they gave you fair warning.

    This is not a "Catch-22."

  • Wayport Engineer (unregistered) in reply to Wayport Engineer

    Side note on this bit, if someone sets up an access point, provides a splash page to any user who associates with it and serves their own fake credit card auth, yes they could technically record CC numbers on that system without ever providing an internet connection. At the same time this could be done anywhere and has nothing to do with any enterprise wireless services.

Leave a comment on “The Wireless Catch-22”

Log In or post as a guest

Replying to comment #143132:

« Return to Article