
Wardrivers Target Seattle Businesses

Posted by timothy
from the as-a-movie-plot-it's-too-obvious dept.
angry tapir writes "Seattle police are investigating a group of criminals who they say have been cruising around town in a black Mercedes stealing credit card data by tapping into wireless networks belonging to area businesses. The group has been at it for about five years, according to an affidavit signed by Detective Chris Hansen, a fraud investigator with the Seattle Police Department."
  • by billyea (2029384) on Friday April 22, 2011 @08:30PM (#35911666)
    SECURE YOUR WIRELESS ACCESS POINTS. Otherwise, unwanted traffic is your fault.
    • Why's the parent marked as troll? Securing your wireless access point is indeed your responsibility .. if you left your house unlocked most people would think you were being irresponsible, unsecured wireless points are just as irresponsible.
      • by Israfels (730298)

        It's worse than leaving your door unlocked. It's more like leaving your door unlocked and putting a sign out front in blinking lights telling everyone it's unlocked. (Broadcasting.)

    • by 1u3hr (530656)
      The access points were secured, but with WEP, which is easily cracked. I've got an old access point myself that only does WEP, but as I'm in a rural village the risk is minimal. In a city however, it'd be foolish.
  • by fak3r (917687) on Friday April 22, 2011 @08:36PM (#35911696) Homepage
    Why don't you have a seat over there? ... What were you thinking?
  • It's more important to catch guys with laptops in a Mercedes than gangbangers, murderers, or those guys who drive around in vans offering little girls candy.

    Did someone in the Department find a $20 charge on his credit card, or is this just a simple case of "We serve nobody and protect nobody, but if you're using a laptop and an antenna in receipt of lawful radio signals, WE WILL FIND YOU!"?

    I have done lots of wardriving. I can't afford a Mercedes tho. Does this put me halfway between the van-driving child-mo

    • Re: (Score:2, Redundant)

      by benjfowler (239527)

      If I had a dollar for every time I've read somebody try and justify their criminal activity by believing they're better than some other criminal. That's why paedophiles have such a hard time in prison: all the other criminals need to feel superior, while still remaining a complete and total waste of space. This happens so often, that this cognitive bias needs a name.

      • ICD10-V-F60.2 or maybe F60.8

      • by gavron (1300111) on Friday April 22, 2011 @09:02PM (#35911822)

        I hope you get lots of dollars, but wardriving is NOT a criminal activity. It's not a misdemeanor either. It's not against the law.

        Receiving openly broadcast radio signals is one of our rights in the United States. While driving is a privilege, combining these does not make it a criminal activity.

        I'm not trying to "justify" one event (not a crime) by comparing it to pedophiles (or paedophiles if you prefer an archaic and no longer correct spelling). There's no real comparison between NON-unlawful reception of open radio signals and molesting children. (Note: not all pedophiles molest children. I specifically referred to molesters because THAT IS criminal activity.)

        Best regards to you,

        E

        • by ustolemyname (1301665) on Friday April 22, 2011 @09:17PM (#35911868)
          Using someone else's credit card is criminal. Doesn't matter if they use a megaphone and tell the whole world what it is. The fact the information is obtained through wardriving is simply the method.
          • by dissy (172727) on Friday April 22, 2011 @10:25PM (#35912182)

            Using someone else's credit card is criminal. Doesn't matter if they use a megaphone and tell the whole world what it is

            While yes using someone else's credit card fraudulently is criminal, I wouldn't say the megaphone bit doesn't matter.

            Screaming out their customers' credit cards of course does NOT excuse the wardrivers' crime in any way shape or form. But the separate act of sending all of their customers' credit card information to the world should also be a crime as well.

            At the very least I wish the police would post a list of these companies, so the general public knows they can not be trusted with our business.

            At most, the companies should be brought up on charges of mishandling customer credit accounts and fraud.
            They will just need to schedule that court case for a different day than the wardrivers' court date, so everyone can attend.

            • Sorry, I should have been more clear. I agree, third parties should be held accountable for poor security practices. However, if Bob broadcasts Bob's credit card information and Sally uses that information to make purchases without Bob's authorization, Sally is committing a crime. Don't get me wrong, Bob is an idiot, but just because Sally can lawfully receive the information doesn't mean she can lawfully pass it on (otherwise we'd have huge MITM issues with secretaries.)
        • by hedwards (940851) on Friday April 22, 2011 @10:08PM (#35912080)

          Did you even bother to read the summary? I get that this is /. and nobody RTFAs, but the summary was pretty clear that this wasn't just a case of wardriving, this was a case of wardriving until they found an unencrypted wifi connection and rummaging for credit card details. The details were then abused.

          Trust me, they wouldn't be wasting the money on that around here if it were just stealing a bit of bandwidth.

          • by rhook (943951)

            Read the article, the police are trying to say that because he has a wardriving setup in the car that he is stealing credit card numbers. They offer no evidence to support their claim.

        • While driving is a privilege, combining these does not make it a criminal activity.

          Driving is not a privilege. It is a right, under the broad umbrella of the right to travel freely.
          If you want to compare it to something that is inarguably a right due to being explicitly enshrined in the Bill of Rights, look at guns.
          You need a license to own a gun.
          That license can be revoked as a criminal penalty.
          Driving is pretty much the same.

          • by hedwards (940851) on Friday April 22, 2011 @11:58PM (#35912602)

            Since when? Around here you don't need a license to own a firearm. In fact if you're a woman capable of claiming to be stalked, you can even get a handgun the same day.

            • I'll stay where I'm at, then.

              I'm not a woman (nor do I play one on the Internet), I have never been -- nor have I ever claimed to have been -- stalked, but I was able to buy a handgun in a couple of hours recently.
            • Since when? Around here you don't need a license to own a firearm.

              Plenty of states do require you to have a license to own a firearm but yes, technically it is up to the individual state's laws. Just like requiring a driver's license is also technically up to the individual state's laws.

              • by Jawnn (445279)

                Plenty of states do require you to have a license to own a firearm.

                Name one.

              • by rhook (943951)

                Those should be going away soon since the US Supreme Court has ruled that the second amendment does in fact guarantee that individuals have the right to own a firearm. Lots of the draconian firearms laws will be going away in the next 10 years thanks to that ruling.

            • by dryeo (100693)

              Most places you don't need a license to own a car or to drive it on private property. Requiring that you know how to drive (for using public roads) or use a firearm is quite reasonable. I've almost been killed by bad drivers and I've had too many bullets go by my head to think that any person should just be handed a dangerous tool without them having some knowledge about the tool.
              Guns and automobiles have one thing in common, a bit of stupidity can kill innocent bystanders very easily.

          • by schwit1 (797399)

            I never understood why something became a privilege just because the state says it is. Rights can be limited or revoked if you break society's laws.

          • If driving is a right, and the ADA says you can't restrict rights based on a disability, why are the blind prevented from driving? Wouldn't the blind need to cause a few crashes (each) before their license could be revoked?

        • Paedophile was never a correct spelling. Pædophile might have been, though.

        • by rolfwind (528248)

          While driving is a privilege,

          Driving is not a "privilege". The state cannot revoke your license because the governor or one of his officers just feels like it. It can only be taken under due process of law. That is the difference between a right and a privilege. Privileges can be revoked by the executive (doing what they feel like, not following any legislation.)

          "The Right of the Citizen to travel upon the public highways and to transport his property thereon, either by horse drawn carriage or by automobile

          • by WorBlux (1751716)

            A license is permission to do what would otherwise be illegal. If something really is a right, you don't need a license to do it, if you need a license to do it, it's not a right. Also the fact is that these licenses can be revoked by administrative rather than court procedures in certain situations. (Refusing a Breathalyzer test for instance)

            Also a lot of statutes read, whoever operates a motor vehicle on the highways of this state whose privilege to do so has been revoked, shall be guilty of... (Most s

        • by lee1 (219161)

          Receiving openly broadcast radio signals is one of our rights in the United States. While driving is a privilege, combining these does not make it a criminal activity.

          Then how can states make radar detectors illegal?

        • by Anonymous Coward

          an archaic and no longer correct spelling

          I always find it amusing to see US linguistic pedantry - from a country where people call a liquid 'gas'

        • by Jawnn (445279)

          I hope you get lots of dollars, but wardriving is NOT a criminal activity. It's not a misdemeanor either. It's not against the law.

          Receiving openly broadcast radio signals is one of our rights in the United States. While driving is a privilege, combining these does not make it a criminal activity.

          Did you read TFA, numbnutz? Breaking someone else's encryption, even if it's as lame as WEP, is a crime.

    • by Posting=!Working (197779) on Friday April 22, 2011 @08:56PM (#35911796)

      I can't afford a Mercedes tho

      It was a 1988 Mercedes. The laptop and antenna might have cost more than the car.

    • by coryking (104614)

      Well, according to the Seattle PI, they are accused of stealing more than $750,000 in computer equipment and other items. So no, these guys did just a little bit more than a $20 charge on some dude's card.

    • by artor3 (1344997)

      I, for one, am glad that the Seattle PD is finally going after actual criminals instead of beating the shit out of teenage girls [youtube.com] and punching jaywalkers [youtube.com].

      To answer your question, you should fear going to Seattle only if you're a teenage girl. The Seattle cops aren't racist, they just prefer to beat on people who can't defend themselves.

      • by hedwards (940851)

        Just out of curiosity, how do you think a reasonable police officer should handle being assaulted? That woman in the second video is damn lucky she was only punched, the officer could very easily have hit her with pepper spray or shot her under those circumstances.

        • Cop had his hand around the neck of the first one when the video started, choking her. That's unreasonable force for someone that was not seriously resisting.

          In Canada, if you're arrested illegally, you have the right to resist arrest. So says the Supreme Court.

          If a cop tried some shit like this with me for jaywalking, of all things, I would not go peacefully. And if they ever, for any reason, put their hand on my neck like this cop did to the first girl, they'd find some parts of their body mysteriously

          • by d6 (1944790)
            Fighting with the cops is bad math.

            You can kick the shit out of a cop? way to go.
            Can you kick the shit out of 6 cops? Cuz that is what round two is going to be.

            Better to hold your temper while they are in control of your immediate destiny, remember names, remember faces and unload on them legally, after the fact if you feel compelled.
            • Better to hold your temper while they are in control of your immediate destiny, remember names, remember faces and unload on them legally, after the fact if you feel compelled.

              Actually, that's exactly what I'm going to be doing, soon. There wasn't any violence involved in my contact with police abuse, but there were at least 6 of them in the first round. It's still ongoing, which is why I'm not going into any more detail, but suffice it to say, they'll regret it eventually...

        • by artor3 (1344997)

          I think a reasonable police officer should respond with reasonable force. A seventeen year old girl grabbing the wrist of a trained adult man does not warrant a full-on punch to the face.

          And where's your defense of the first video? That girl, only fifteen years old, kicked her shoe off in the direction of the cop -- with an amount of force that a 90 year old cancer patient could shrug off -- and how does he respond? Throws her head first into a wall, grabs her by the hair and yanks her backwards onto the

          • by hedwards (940851)

            I see, so you're an expert on this? On what basis do you assert that it's not reasonable? The review on that incident has been completed and the conclusion was that he was well within both his rights and his training. The girl he hit apologized for assaulting him and has since been sentenced. Can't recall what the terms of it.

            As for the second one, that's a straw man argument, it's got precisely nothing to do with anything I said. I never said that officers never abuse their power or make mistakes. I also n

            • by artor3 (1344997)

              What the hell do you mean, am I an expert in this? Since when do you need a PhD in knowing that beating up little girls isn't okay?

              The reviews of incidents like this are a joke. The cop gets a two week paid vacation while his buddies from work get to decide that, "nah, that bitch was asking for it". Meanwhile, they plant evidence or make up lies to charge the victim with some crime. The victim, desperate to get their life back and by now fully aware of just how corrupt the cops are, gives up and begs fo

        • by flyneye (84093)

          Sorry, if officer O'Ryan has any testosterone at all he can handle a "female" suspect on his own or face ridicule in the locker room.
          Even sister-boy pork is expected to be able to handle basic stuff like a man. I can see some whiney low impact professions using any tech or method to make things easier, but there is an image to protect.
          But if that were my daughter in the first video, brat or not, both those officers would fall under deer rifle crosshairs in

      • by richlv (778496)

        hmm. fuck. "disturbing" isn't the correct word for it (even disturbing is the thought that this was way, way more common when cameras were not placed almost everywhere...)

        even more disturbing is the small amount of publicity any abuse of power actually gets.

    • Oh how I love answers like "Why do they prosecute $some_crime while there are still people doing $much_worse_crime at large?"

      The reason is simple: Crimes are not solved serially. You might notice that they are also hunting murderers and gangbangers. It's not like the whole police department dropped everything they were doing, released suspects of murder crimes and are single mindedly hunting down wardrivers now.

      What would you suggest? Let's ignore "minor" crimes for now 'til we got all the murderers, rapist

    • by Journe (1493651)

      It's a crime because they're using these credit card numbers to purchase things. It's a crime because, even though WEP is not that secure, it's still basic security. It's a crime because they're accessing data that they should not be accessing.

      They're not more important than the criminals you mention, they're not less important. They're criminals, period. Do you also think stopping murderers is more important than catching people who break into homes and steal things?

      I'd like to see you come home to a ransa

  • by Anonymous Coward

    If my coworkers and I shared your financial information by tossing paper planes to one another, you'd think us nuts. Replace paper with electromagnetic waves and all is well.

    • Re:You know... (Score:4, Informative)

      by geniice (1336589) on Friday April 22, 2011 @09:39PM (#35911950)

      Tossing paper planes would probably be fairly secure.

      1) data would remain within your line of sight so any attempt to directly intercept would be obvious
      2) with correct folding data could be hidden making remote interception impossible
      3) It's not standard enough for no one to have developed a standard attack

  • by karl.auerbach (157250) on Friday April 22, 2011 @08:45PM (#35911742) Homepage

    It would be easy to set up a weakly protected access point that did nothing but generate bogus transactions with bad credit card numbers - that could pollute the crook's database, particularly if they don't do a good job of recording which card number came from which network.

    And if the bogus numbers were timestamped and logged then when the bad card numbers are used (and bounced) one could use the bounced transactions to build a map of where the crooks were on any given day.

    • by men0s (1413347)

      It would be easy to set up a weakly protected access point that did nothing but generate bogus transactions with bad credit card numbers - that could pollute the crook's database, particularly if they don't do a good job of recording which card number came from which network.

      They could do that, yes, but I would hope that these war drivers understand that nearly all credit card numbers are generated according to the Luhn check. They would run those bad credit card numbers through an algorithm that returns a boolean value denoting whether the credit card is valid or not. If not, they would simply send it to the bit bucket in the sky.
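The decoy idea from the two comments above, sketched from the defender's side as an added example (not code from the thread): each decoy number is made Luhn-valid, so the validity filter described in the reply would not discard it, and is recorded with the site and time it was emitted so a number that later bounces can be traced back. The prefix `999999`, the site names, the key and the class and function names are constructed placeholders.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timezone


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Return the single digit that makes partial + digit Luhn-valid."""
    for c in "0123456789":
        if luhn_valid(partial + c):
            return c
    raise ValueError("partial must contain only digits")


class DecoyLedger:
    """Issues traceable decoy numbers and remembers where each was emitted."""

    PREFIX = "999999"  # constructed placeholder prefix (assumption)

    def __init__(self, key: bytes):
        self._key = key
        self._issued = {}  # number -> (site, time issued)

    def issue(self, site: str, when: datetime) -> str:
        counter = 0
        while True:
            # Keyed derivation: unpredictable without the key, repeatable with it.
            msg = f"{site}|{when.isoformat()}|{counter}".encode()
            digest = hmac.new(self._key, msg, hashlib.sha256).digest()
            body = f"{int.from_bytes(digest[:8], 'big') % 10**9:09d}"
            partial = self.PREFIX + body
            number = partial + luhn_check_digit(partial)
            if number not in self._issued:  # never reuse a decoy
                self._issued[number] = (site, when)
                return number
            counter += 1

    def attribute(self, number: str):
        """Return (site, time issued) for a decoy, or None for any other number."""
        return self._issued.get(number)


def sightings_by_day(ledger: DecoyLedger, bounced_numbers) -> dict:
    """Map each day to the decoy sites whose numbers later showed up as bounced."""
    days = defaultdict(set)
    for number in bounced_numbers:
        hit = ledger.attribute(number)
        if hit is None:  # not one of ours, ignore
            continue
        site, when = hit
        days[when.date().isoformat()].add(site)
    return {day: sorted(sites) for day, sites in sorted(days.items())}


if __name__ == "__main__":
    ledger = DecoyLedger(b"constructed-demo-key")
    n1 = ledger.issue("site-A", datetime(2011, 4, 20, 14, 0, tzinfo=timezone.utc))
    n2 = ledger.issue("site-B", datetime(2011, 4, 21, 9, 30, tzinfo=timezone.utc))
    # Constructed "bounced transaction" feed: two decoys plus an unrelated number.
    print(sightings_by_day(ledger, [n1, n2, "4111111111111111"]))
```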

  • No surprise (Score:5, Interesting)

    by im_thatoneguy (819432) on Friday April 22, 2011 @08:54PM (#35911782)

    We discovered that the company below us a few years back (here in Seattle) had not only an open wifi but also had all of their drives shared. We immediately went down stairs and warned them after one of us accidentally connected to their wifi and saw a whole bunch of computers (with official sounding names even) pop up in the file explorer.

    Their reaction? "Whatever." They never put a password on it. I was actually surprised by their disinterest in locking down when alerted. Even after we told them that people could just drive by and steal all their company records... so stupid.

    • by blair1q (305137) on Friday April 22, 2011 @09:04PM (#35911828) Journal

      Let me guess. It was these guys [facebook.com].

    • Re:No surprise (Score:5, Interesting)

      by dissy (172727) on Friday April 22, 2011 @10:19PM (#35912150)

      That is unfortunately a very common reaction. I don't understand how people could not care either.

      Another unfortunately common reaction is, after trying to be nice and warn them about the problem, once someone else actually does exploit the problem, they likely will come back to blame you :/

      I do hope for your sake that doesn't happen, but I've had it happen to me before, and was shocked at the multiple layers of stupid their line of thinking was.

      These days I don't even bother unless I already know the person. Being accused of a serious crime for only trying to help just isn't worth the chance.

    • Re:No surprise (Score:5, Interesting)

      by PRMan (959735) on Friday April 22, 2011 @11:57PM (#35912590)

      A company I used to work for was next door to a lawyer and all her drives showed up on our phones using Bluetooth (it was annoying when trying to reconnect your headset because you had to scroll past her 7 drives).

      I told her about it and she didn't care! I told her that anyone could read her clients' confidential documents. She told me that she would sue them...<facepalm>

    • by Dabido (802599)
      We used to have the same problem informing management about internal security problems. Their usual response was that we were to 'stop making holes' and no matter how many times we explained we weren't 'making holes' we were finding them and wanted resources to fix them, they'd just keep repeating that we were 'making holes'.
  • Wireless Security is no longer an academic problem; as we can see from the article, it's now going beyond miscreants merely stealing access/internet bandwidth, or possibly pirating/illegal activities using the internet connection.

    This goes to more serious crimes that more severely impact the operator of the network connected to the wireless AP.

    SMBs can no longer safely dismiss wireless security with excuses such as "only a real expert hacker could break in anyways; there's no harm anyone's actually goi

  • I thought all businesses that deal with CC transactions must be within a secured network. In fact, there's even PCI guidelines on recommended settings to secure your WiFi access points. Unless businesses are using WPA/WPA2, shouldn't they be busted for not adhering to PCI security protocol? I've included a link to a PDF below for anyone interested.

    https://www.pcisecuritystandards.org/pdfs/PCI_DSS_Wireless_Guidelines.pdf

    • by plover (150551) *

      "Supposed to" and "are" are two different words.

      Besides, it doesn't have to be PCI compliant if it's not customer data. They could be sniffing employees shopping on the web.

      • I'm willing to bet 99% of the Credit Card accounts on file with these businesses are from customers. If they look hard enough, they may find the corporate AMEX card.

      • They could be sniffing employees shopping on the web.

        Unlikely. When was the last time you saw a web store that didn't use SSL for submitting the credit card information (or a merchant bank that will do business with a company that doesn't)? If the site uses SSL, then a passive eavesdropper can't intercept the data, they need to perform some kind of MITM attack.

        And this is why securing the access point is largely irrelevant. You should be treating the network as insecure, whether it's wired, wireless with WPA2, or carrier pigeons. Encryption should be en

  • Now people are going to think that Wardriving is synonymous with stealing credit card numbers, when it's just the act of finding wi-fi from a car.
    • by Maow (620678)

      Now people are going to think that Wardriving is synonymous with stealing credit card numbers, when it's just the act of finding wi-fi from a car.

      I think Google has found that what you say is true.

      They've faced a barrage of legal hassles for their "war-driving" whilst collecting Street View images. And it's never been shown, that I'm aware of, that they did anything remotely unethical with the data collected.

      In fact, they even refused to release the collected info to governments due to "privacy reasons", if I recall correctly.

  • "a group of criminals who they say have been cruising around town in a black Mercedes stealing credit card data by tapping into wireless networks belonging to area businesses."

    If the criminals hadn't been wandering around blabbing about their exploits and saying it for everyone to hear then maybe the police wouldn't have even noticed them.

    • by jd (1658)

      Apparently it took five years of screaming at the top of their lungs for the police to notice them. Seattle apparently has rather more Lestrades than Holmeses.

  • Criminal negligence (Score:4, Interesting)

    by ndogg (158021) <the.rhorn@ g m a i l.com> on Friday April 22, 2011 @10:00PM (#35912050) Homepage Journal

    Firstly, let's be clear, I want the people stealing the information caught, and locked up. They are criminals.

    The business should be fined though if they did nothing to protect their information. This is like leaving a toddler at home alone all day (though not to the same degree.)

    • They should be facing private-sector penalties. They're answerable to their banks for compliance with the Payment Card Industry Data Security Standard, under their merchant account contract. The standard emphatically does not permit sending card numbers over open wireless networks.

    • I want the people stealing the information caught, and locked up. They are criminals.

      If the suspects were actually breaking into the business and removing papers from filing cabinets, you could call that "stealing information". What's actually occurring is that these businesses are broadcasting their information in an insecure manner. In a free country, how can it be a crime to pick up on that information?

      Now, if they then use that information to commit fraud, that's where the true crime is taking place.

  • My money's on the Mix-a-Lot Posse.
    Benzo? check.
    Tinted windows? check.
    One member of the gang, Larry, an allegedly-funny 'white guy' and 'real estate investor' has struggled in recent years to make payments on his many properties.
    I predict the Benzo is an SEL, a 190 or an SEC, and that a search of the Benzo will reveal traces of buttermilk biscuits.
  • by jafo (11982) * on Saturday April 23, 2011 @12:35AM (#35912746) Homepage
    When google gave us a wake-up call that someone in a van could drive around and gather all sorts of information we didn't realize we were broadcasting.
  • "Why don't you have a seat over there"
  • This looks like the Russian Mafia.
  • In the real world most businesses really don't care about security, particularly SMBs. They are such easy targets it's ridiculous. They pay their tech dude to come in and do a little bit of work, fix things if they're broken, etc.

    "I have a virus on my system popping up stuff all the time and blocking my internet" is a case of calling a technician in.
    "I want you to audit my network for security" is a question they wouldn't even know how to ask and whether or not they should ask, and they really wouldn't know
  • Why aren't the connections with card processors encrypted end-to-end with SSL/TLS? Then the wifi security, which is outside the card processors' hands, would be irrelevant, and the card numbers would not be exposed to internet routers either. This is the responsibility of the card processors IMO. Everyone knows you don't send credit card numbers over the internet without TLS.
    • by rfugger (923317)
      Ah, I see it was probably stealing card numbers stored or entered into computers using keyloggers or other malware, so never mind the TLS.
  • should be outlawed!
