Best Buy Insecure Customer Information, Identity Theft Vulnerability Palmdale California
Well I just saw this website on the television, and nobody else has listened to me so far, so here goes...
I was shopping Best Buy, browsing for speaker systems, and I spotted one of the in store internet Kiosks. I started browsing thier site, and soon their programming crashed.
For a brief second I saw the consumer information, that Best Buy Employees enter when signing up customers. This intrigued me, so I decided to investigate.
In a few short keystrokes, thier programming was compeltely exited, something that anyone with basic knowledge of internet explorer and windows could do, due to weak security on the system.
I was astounded to discover an entire list of customer data: Full name, Address, phone number, Two credit cards, with 3 digit security codes, expirations, type, etc. Not to mention social security information. And it was not just one consumer.
There was complete data for thousands of customers. I immediatly asked to see a manager. The woman I spoke with, whom I assumed was a manager, wanted to know more, how i did it, and everything. I showed her everything, but she didn't really know what I was talking about.
I was explaining to another person, whom I also assumed was a manager, when a guy came up and inquired, rather roughly, what I was doing. This turned out to be the store manager, and he proceeded to question me rudely, even when I was trying to explain that they had a major security flaw in thier system.
At that point they escorted me from the store. I tried speaking to corporate, and offered to provide my services as a Security Tester for thier programming, "I'll tell you how to fix this, but I'm gonna charge you for it."
They tried accusing me of blackmail, which I understand it might seem like, which is where I explained about freelance programming testers that find errors have a right to explain the exploit and charge for it. Either way, they said that I wasn't going to deal with anyone in best buy, and basically had an attitude that thier customers privacy was a non issue to them.
I recently spoke to a man who's credit card information had been stolen, and he only used ATM's and in store debit. The link to his stolen credit card info? Best Buy.
Chris
Palmdale, California
U.S.A.