Western Union Cracked, Credit Cards Stolen
TrumpetPower! writes "NPR just reported that Western Union is recommending that customers who used their web page to send money should cancel their credit cards after somebody cracked their online credit card database.
As I type this, the Western Union homepage simply states, "Our Web site is temporarily out of service. We apologize for any inconvenience. To find the nearest agent location please call: 1-800-325-6000."" Not much online yet besides the AP brief. (Normally we don't post this stuff, but it's getting submitted a lot, and it is kind of a big deal.) Lends more credibility to the disposable credit card concept.
How do you store the random 56 character string so you can verify it later though? If you need to put all these pieces back together again at a later date, and the only thing the customer is entering is the credit card number, you have to store the other pieces in cleartext or a cleartext-equivalent. If the hypothetical cracker can get their paws on that table and the customer id table, you're back to a few dozen bits to bruteforce.
Of course, I think Western Union should be held liable anyway: their poor security is causing their customers and credit card companies a lot of effort and expense, whether the cards were stolen or not. Keeping personal information, in particular credit card numbers, on a system that is accessible from the Internet is grossly negligent.
Plus it lends more strength to the idea that money cards, anonymous, variable in value, and secure, desperately need to be implemented, whether Big Brother likes it or not.
Well, that seems to be quite a task to properly create and implement. Why don't you get on it and create such a system in a feasible manner and come back then?
And it's not like this is a big, big deal to consumers. Worst case, they pay $50. Probably won't even have to do that, since Western Union has money and won't flinch about reimbursing for that rather than risk a class action suit.
It'll probably just end up meaning that Western Union has to pay higher processing fees and take a charge off against earnings because of it. That's it.
Geez... either stupidity/carelessness, or intentional. Not to sound conspiracy-ish, but there is some, however unlikely, chance that the 'somebody' did this on purpose.
Impossible means no one's done it yet.
ugh. don't i feel stupid.
coulda sworn I quoted him there. oh well. still, my point was valid... it just took a little bit more reading ability (say, 4th grade) than I remembered.
This feeling seems to be borne out by reality: the few companies who have taken me seriously have provided the customer with the option to retain CC info. (Some of those guys store it regardless.) Surprisingly, most people choose to store it, security be damned.
Might this be because the general public is ignorant of the way these systems are connected to the internet? People are used to keeping their money in banks, with big physical barriers to theft, not on a computer that is subject to a seemingly endless stream of security holes.
Cunning linguists
I think the time has come for a true electronic currency. Something like the credstick idea in Shadowrun. Cheap, disposable, and safe, just like cash.
Fear the power of NTie!
Some network client code has buffer overflow or other security problems. Running network client code as root is therefore riskier than running it as an unprivileged user.
--
Ben "You have your mind on computers, it seems."
We run an ecommerce site and I went as far as to verify that our credit card processor doesn't *ever* store credit card details?
Doesn't anyone care anymore? Am I the only one that doesn't like my financial information being stored?
There is work in Linux and several other Unixen to move to capability-based systems and implement the principle of least privilege.
As pointed out by the main EROS engineer (if it is right to put it that way), Linux and other systems can never evolve to pure capability systems.
Internally, Linux uses capabilities, but that does not matter at all, as the external API of the system is not capability-based, and can never be one. In order for it to be capability based, the change will be so huge, you wouldn't recognize Linux in the other end. Pure capability systems have to be built from the ground up, because a combination of ACL and Capability systems seems to always end up worse than both.
Another issue with capability systems is that the machine state becomes more complex to set up, while implementing the principle of least privilege, and simplicity. The simplest solution is EROS's, to use Orthogonal Persistency. This makes a file system obsolete and redundant, and only a proneness to security holes, not to mention it is the basis of all which is UNIX. This means UNIX will never be able to EFFECTIVELY implement pure capability systems, not while remaining a UNIX.
CDNOW? Are you talking about the incident with CD Universe?
Well, it's probably pretty obvious, but all of these companies don't care about security. Security comes in a distant second when compared to money. They'd rather concentrate on methods of obtaining more revenue online than securing their website. That's just my thoughts on these businessmen.
Although, it said that while performing routine security checks they found this problem, right? Well, at least they realized that they had an intrusion. The worst is when the company, and/or the public, doesn't find out about the theft until it is too late.
I was working on a project that involved building a website for a freight moving company; because of the way things are charged, the credit card numbers do have to be stored temporarily (even though the details will be in the database for at most a day or two). Sometimes the requirements of the business mean that you have no choice but to store information better just sent to the bit (or in this case, decimal) bucket.
;)
But yes, I agree, storing credit card numbers simply for the users' "convenience" is BAD - after all, who wants to use a stolen card number more than once?
Kill'em! Kill'em all!
hahahahahaaaaehheaoehaoahoeaeoheo
F /...
wait
haeiehaihaeehoeoeah
"my workstation". you mean your peecee right?
---
Solaris/FreeBSD/Openstep/NeXTSTEP/Linux/ultrix/OS
--- I do not moderate.
I've NEVER heard from a credit card company that the consumer would be held liable. In fact, if I recall, most have used the non-liability of a customer in the event of credit card theft as a selling point for their card.
rwalld
F /...
gnufingerd
both now fixed
That's true, but the blame that's put on the poor security should be blame for allowing hackers to do what they did. They shouldn't take the blame for what the hackers did.
Love, Stu
HAL9000: This sort of thing has cropped up before, and it has always been due to human error...
Here's how it works, site I would use for e-commerce-anything:
www.paypal.com: Server: Stronghold/2.4.2 Apache/1.3.6/L C2NetEU/2412 (Unix)
Site I would NOT 'trust' with such info:
www.westernunion.com: Server: Microsoft-IIS/4.0
Get a CLUE. Idiots building on retarded crap deserve it...blah...shame on whoever used westernunion.com or any site that claims security with IIS.
bleah.
:wq
There's the obvious problem that millions of /.ers have stated. Blah blah, firewalls, encryption, blah blah, blah.
While this is true, there is another problem. Recently I was camping and I found the previous camper's site receipt. After a millisecond I noticed that this person's credit card number was on it. Easy money I guess, but it immediately found a fire.
This isn't an isolated incident. Has anybody ever heard of people digging in business garbage bins for receipts that contain credit card numbers? I have. Restaurants are famous for this one.
I can never defend careless security, on or off the Internet. But either people must assume that credit card numbers are insecure or banks must find a way of making them secure.
Wouldn't that be cool; imagine if you could scream out your credit card number on /. without worrying about being hosed.
Ozwald
The question is - why on earth did Western Union keep an /online/ database of transactions? I can understand that companies need to keep records, but why does this have to be kept online, and not simply downloaded and burnt onto CD or some other storage mechanism?
Having your security broken is one thing, but having databases like this easily available is another!
-Tom
They try to save a few nickels by hiring CHEAP PROGRAMMERS
Don't jump to conclusions. I've known many completely incompetent programmers who earned $100K - $200K per year. The problem is that, unlike other engineers, programmers are not licensed, and held responsible for their mistakes.
When a bridge collapses, you damn well want to know who designed it. An engineer who is caught making stupid mistakes will quickly lose his license. But in computer programming that engineering ethic is strangely absent. Most programmers seem to care only about whipping out a script that handles most test cases, and let QA catch the errors. But any programming team that follows this practice will sooner or later come to grief.
To me, the only way to prevent crackers from getting into some system and stealing credit card numbers is to not store them in your system... I run an ecommerce site and every transaction made, once cleared with the bank, gets its credit card info deleted.
The advantages of storing users' credit card numbers do not justify the risk. It's like a restaurant that keeps your credit card number so that next time you eat there you don't have to wait for the check...
Sure, there could be trojan horses that store credit card info as soon as it arrives at the server, but that seems to be less common.
There are two kinds of people in the world: Those with good memory.
No... Interest rates spiked at the end of the 70's due to inflation or deflation or what not. Once the card companies realized that they could charge that much interest, they never really bothered lowering them again to even remotely match bank rates...
Interest rates are just profit for the card companies. They hype it up and say otherwise, but they're not really losing a dime over anything.
A Western Union spokesman said the vulnerability was caused when "performance management files" were left open on the site during routine maintenance, allowing the hacker access. He did not know when the maintenance began or how long the site had been left unprotected.
"We are still in the due diligence period," said Peter Ziverts, a spokesman for the Englewood, Colo.-based company. "But this wasn't an architectural problem; this was due to human error."
Repeat: "it wasn't an architectural problem; this was due to human error."
So, get off the IIS/SQL/NT crap - being desperate for ANYTHING anti-MS doesn't paint /. users in a positive light to anyone.
This could have just as easily been a *nix box and it still would have been compromised if proper security methods weren't followed, as was the case here.
I couldn't agree more. But that being said, have you seen the view from the other side?
No. If someone breaks into Western Union's computers, and they even THINK about Napster, DeCSS, or anything involving Open Source, then they have some problems of our own. This doesn't concern "us" as a hacker community. I don't see the connection that you do, obviously.
Doesn't matter to them that you specifically didn't do it, just "one of your gang".
That's about as sensible as saying that since if a black man robs a convenience store, the store owners are going to blame black men. Blaming the faceless boogeyman might make some people feel better, but it doesn't solve any problems. I don't think that such scapegoating should be encouraged.
Who would sue them? Oh, a class action suit? The articles say that as of now, none of the potentially compromised card info has been used. Do you really think the 1337 D00d5 are going to use them with all of the media hoopla about the crack? I doubt it. WU will take a major loss of e-business over this, which will probably teach them not to be so careless next time. Plus everyone will forget this by Friday.
Matt Leese
Hey did you password the DB sa account after we finished the install? "Nah, I will get to it after lunch"
Microsoft aggravates my Tourette's syndrome.
But see, to the proles, "proper safeguards" consist of what even the most larval of script kiddies knows is completely laughable. As for those who actually have a clue, we've seen how often they're truly in charge of decision making. So they go and Do the Right Thing, like a right and proper BOFH, and usually end up being yelled at or sacked for making things "difficult", or for just BEING "difficult".
Fuck Slashdot
I was one of the poor saps unfortunate enough to have been a one-time customer of CD Universe when their credit card database was stolen and held for ransom. I had purchased one CD (Nina Simone, for the curious) about 10 months before the hacker took the numbers, and I still had to go through all the pain of cancelling my credit card. Worse yet, I had several services (my newspaper, my ISP) auto-billed off the credit card, which I forgot about, and those services were cancelled once they were unable to bill to that old number.
I was very fortunate that there were no purchases made against my number, probably because I had it cancelled very quickly.
In any case, it seems ridiculous that sites should keep your credit-card information forever, thus amplifying the damage caused by any hacks.
Maybe they only used MS for the brochureware. The rest might have been built on any vendor's stuff.
I will be interested to hear _why_ they believe any violence was done to the DB. What the clues were, etc.
I do know that once I was attempting to build a site for a company that had content which was going to be integrated into the [insert very large card company here] web site. This small fact was enough for two of their security folks to grill me, they sent a rep to conduct a physical security check, and they wanted a white hat to give our dev server a go. They wanted two firewalls in front of my dev server. I was fairly impressed. So on some sites yr info is considered important.
rooooar
True it's not moral, but when you're in a country where there are no laws against this kind of stuff, why not?
Heck, you can rationalise it as improving the economy, weed out the weak.
Even better, do a $5 charge from each of the thousands of cards to a charity of your choice. Now no decent person would actually go to the bank and demand a refund from a charity, would they (I sincerely hope that still counts as a rhetorical question, or else I might as well start working on that doomsday device that'll obliterate the evil human race from this planet)?
Kill'em! Kill'em all!
a proper request is "GET / HTTP/1.0" or "GET / HTTP/1.1\r\nHost: www.porn_cc_database.com\r\n\r\n"
Ever need an online dictionary?
That's because you can't tell if someone has issued the query "select name,credit_card_num,exp_date from web_user_info;" once it has been flushed from the shared pool. If you noticed that something strange was going on, the DBA could pull the text of the recently issued queries from v$sqlarea and v$sqltext. Unless auditing is enabled (or logging is provided within the application), there is no record of queries issued against the database - it's just too much overhead for most apps.
The varmints're gettin' away on their horses! We'll never catch 'em!
"Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
What's this "us vs. them" crap? I am no more part of a "we" that includes skr1pt k1dd13s than I am part of a "we" that includes Western Union. Give it a rest.
--
Ben "You have your mind on computers, it seems."
(Now if you used one of those silly "ATM + 'credit' card things" that lets people irreversibly take money out of your bank account you'd better think again...)
Ummm... no. My card, at least, when used as a credit card, carries nearly the same consumer protection a normal credit card does.
I have found VNC to be a perfect utility for installing Oracle on a remote unix box. It's as good as X, but you can use it in disconnected mode so that if the network is slow or unstable, it doesn't kill all the stuff running under your session...you just reconnect and everything is still there as you left it. Look it up on FreshMeat or Yahoo!. --b
You can see information about this here:
http://www.boston.com/dailyglobe2/252/business/To_ease_online_fears_AmEx_plans_one_time_credit_cards+.shtml#2243?tag=st.ne.1007.thed.ni
http://www.chainstoreage.com/news_desk/index.htm?
http://news.cnet.com/news/0-1007-200-2718520.html
--
There is more to this than what they say. Think blackmail......
Given that the credit card companies eat the cost of fraud, they have every motive to minimize it.
I do think the ball's in their court to develop more secure systems, but remember that they have a vast amount of infrastructure and investment to deal with.
I haven't looked into the details of American Express's new one-time-use CC numbers, but at first glance it looks to me like they are moving in the right direction.
--
Ben "You have your mind on computers, it seems."
Yup. Full of shit. Client: Can you guys do a one time install and configure of Oracle for us? My Boss: Sure thing. SSM, get to it.
Me: Sure thing, boss. I'm assuming that they've guaranteed that the Internet between there and here will be both fast and stable enough to keep an X session going for the several hours it will take to install and do basic configuration?
Boss: Huh?
Me: *points to docs that say no character mode install*
Boss: AAAARGH!
Clients: AAARGH!
Nobody was happy at the end of the day.
Vintage computer games and RPG books available. Email me if you're interested.
Your typical user info is stored so that you can read it later - now imagine a few GB of data, and think how bad the crunch will be when you change the key used to encrypt them. (Which you should, regularly.)
And if they can get to your db, they can always just grab a copy of the data and proceed to brute-force crack that single key.
If you are about to say "But you can have one key per user!", may I ask where you're going to store those few thousand keys?
Kill'em! Kill'em all!
...the fastest way to send money to LEET HAX0RS.
It is not the credit card company that takes the hit on this. It is the Merchant that accepted the card that loses out. The Bank just doesn't give them the money.
Maybe the hackers are searching for the letter Dr. Brown sent back in 1885?
Avoid The Rush, Hate OU Early!!!
The problem, as reported by NPR, was traced to human error .. Somebody left a database open, which is where the vulnerability existed. Western Union will correct the problem, says they.
I have the right to. I have the skills to. I don't have a credit card database on my workstation.
Well, if you use "normal" mathematically, he's probably correct. If /. posted every story about CC #s getting cracked, we wouldn't have time for Napster stories.
This isn't as much "normalization" as it is "don't take so many drugs when you're designing tables."
...Lends more credibility to the disposable credit card concept.
That's not the only concept that should be considered (and neither is e-gold, I'd just like to see better/deeper thinking on payment options here).
Western Union has objected to e-gold-selling market makers in the past, ostensibly because some interesting sites use the currency for gram-based gambling. Of course, Western Union is owned by First Data, a giant credit-card payment processor, which I'm sure would NEVER process payments related to plastic-using-gambling on the internet, since I'm convinced that they're the very model of moral decorum compared to venal exchange-providers using the filthy yellow metal as a currency. (smirk!)
Try e-gold - (contact me). I'm NOT e-
I want folks to play with our system, especially Slashdot readers, so my usual offer to click a bit to any /. readers who create an e-gold account and send me the number applies, as does my usual "I don't care if you moderate this comment down because you think it's 'spam' because I'm self-interest personified," and "my opinions are mine alone" attitude(s). Thanks.
JMR
It's the royal we. Notice that none of the names on that list reads "CmdrTaco." ;-)
-RickHunter
How many more thefts and break-ins will it require, until people realize that for security, the principle of least privilege MUST be implemented!
This principle CANNOT exist in a UNIX system, which has very rough granularity to its security, and is based on very heuristic security methods that form an extremely complex, impossible to secure system.
Most people gave up, "all systems are hackable", and basically give up the search for more secure technologies. I, on the other hand, am more optimistic.
The positive side of these cases, imo, is that people may finally start looking for more security in their systems, and divert the efforts from various near-useless OS kernels (that hardly add any functionality, albeit adding some elegance and sometimes even performance), to CAPABILITY based systems, which are the best security systems we can implement, and truly implement the principle of least privilege.
EROS technology is the future, it truly is the solution to all of this.
Progress will not be made, until we dump the insecure designs of the past.
www.eros-os.org
Lends more credibility to the disposable credit card concept.
You hit the nail on the head. American Express, a huge corporation, but second fiddle to the likes of Visa and MasterCard, needs something to promote its new idea. With the Internet at hand, it has its weapon. It sends some crackers to crack Western Union, thereby pushing people to the 'safer' disposable credit card.
Or maybe they didn't send anyone at all. Maybe they just got Western Union in bed with them. Who knows. The point is, CT found the conspiracy.
I think it's about time that the consumer became legitimately protected from the ignorance of companies such as WU. 20,000 people now have to cancel their credit card numbers and debit numbers and obtain new ID. This is not an easy process and is time consuming. What if there are fraudulent purchases? Once again it won't be WU on the phone convincing an operator that they didn't purchase a pass to farmsex.com.
There needs to be some sort of control over these e-commerce buffoons who screw us by running insecure boxes and poor transaction servers. Would a class action lawsuit be an idea? I wonder what the credit card companies are going to do to WU. I mean it is their property WU messed with. If I were Mastercard or VISA I would be laying some heavy restrictions down on WU; the cost to replace cards and cover any illegitimate purchases is reason enough.
Harder.. Better.. Faster.. Stronger
I don't see where. This is just a rehash of the AP article linked to in the story.
My wife's CC# was one of the ones posted on the Russian cracker's website after CD Universe was cracked last winter. One day, the credit card company called her to say they were cancelling her account and opening a new one and that she'd be getting a new card in the mail. It showed up a couple days later.
Wansu, th' chinese sailor
MD5's relatively generous 128 bits only helps if the text being hashed has 128 bits (or more) of randomness in it.
A 16-digit credit card number is 54 bits, the last twelve digits of it minus the check digit are 37 bits. I'd guess that real credit card numbers have less than 25 bits of randomness.
It'd be a magnitude easier to brute-force than a DES-hashed passwd file.
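An added example (my code, not from any poster here) putting numbers on the two posts above: the entropy figures for a card number, the Luhn check digit that removes one digit of freedom, and the contrast between the unkeyed "just MD5 it" table, whose strength is only the entropy of its input, and a keyed HMAC token, where the earlier objection about where the secret lives still applies but the table itself no longer leaks. The card digits and key are constructed test values, and the HMAC key is assumed to be held off the database host.

```python
import hashlib
import hmac
import math
from typing import Optional

# Constructed test digits (a well-known Luhn-valid test pattern, not a real account).
TEST_PAN = "4111111111111111"


def luhn_check_digit(payload: str) -> str:
    """Luhn check digit for `payload` (the number without its final digit).
    Every second digit from the right of the payload is doubled, digit sums
    above 9 have 9 subtracted, and the check digit makes the total a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True when the last digit is the correct Luhn check digit for the rest."""
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


def search_space_bits(free_digits: int) -> float:
    """log2 of the number of values `free_digits` unconstrained decimal digits can take.
    16 digits -> ~53.2 bits (the post's 54); 12 digits minus the check digit -> ~36.5 (the post's 37)."""
    return free_digits * math.log2(10)


def unkeyed_lookup_hash(pan: str) -> str:
    """The thread's 'hash the card number' table: deterministic from public input only,
    so anyone holding the table can recompute it for every candidate number."""
    return hashlib.md5(pan.encode()).hexdigest()


def keyed_token(pan: str, key: bytes) -> str:
    """HMAC-SHA256 token: without `key` the stored table says nothing about the card,
    however small the input space is. Assumption: `key` is kept off the database host."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def verify_presented_pan(presented: str, stored_token: str, key: bytes) -> bool:
    """Later verification (the 'how do you check it again' question): recompute the
    token for the number the customer types and compare in constant time."""
    return luhn_valid(presented) and hmac.compare_digest(keyed_token(presented, key), stored_token)


def effective_work_bits(input_bits: float, key_bits: Optional[float], digest_bits: int) -> float:
    """Work faced by someone holding the table: an unkeyed hash falls to the input entropy,
    a keyed token to the key size (or a generic attack on the digest), whichever is smaller."""
    if key_bits is None:
        return min(input_bits, digest_bits)
    return min(key_bits, digest_bits)


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-real-use"
    print("16 free digits:", round(search_space_bits(16), 1), "bits")
    print("11 free digits:", round(search_space_bits(11), 1), "bits")
    print("unkeyed md5 table, 128-bit digest:", effective_work_bits(search_space_bits(11), None, 128), "bits of work")
    print("HMAC-SHA256 token, 256-bit key:", effective_work_bits(search_space_bits(11), 256, 256), "bits of work")
    tok = keyed_token(TEST_PAN, key)
    print("verify correct digits:", verify_presented_pan(TEST_PAN, tok, key))
    print("verify wrong digits:", verify_presented_pan(TEST_PAN[:-1] + "2", tok, key))
```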
OK, sometimes I drag the bait along the bottom to see what bites, but I wasn't doing that here.
If you are prepared to telnet to port 80 on a known compromised box, then you are also likely to be the sort of person who runs Netscape as root. Or [insert IRC client here] as root.
Doing unnecessary stuff as root is, um, bloody daft? If you are lucky, the worst that will happen is that you accidentally hose your entire filesystem. But connecting a client to the internet with root privileges? I can't stop you, but I don't think it's needed.
Ask yourself: Does this make the ankle-biter's job harder or easier?
Don't be afraid. Be paranoid.
Well, the problem is not that the companies are keeping records of credit card numbers. In fact, you're supposed to keep the credit card numbers as part of your transaction records. That way you know who ordered what, for how much, and on what credit card from you in case those records are ever needed.
The problem is that the companies are keeping these records online. Most companies that keep credit card records keep them either on paper (rarely anymore) or on a special computer system not accessible to the outside world. This is what people should be doing, and I can only hope that this Western Union business will set an example for other companies that they need to take their security much more seriously.
kugano
Ouch!
Never underestimate the bandwidth of a truck load of tapes
Sorry... I don't have any reason to pay attention to the IIS security reports. Does IIS/4.0 have some security issues?
Slashdot is jumping the shark. I'm just driving the boat.
Doesn't matter to them that you specifically didn't do it, just "one of your gang".
That's about as sensible as saying that since if a black man robs a convenience store, the store owners are going to blame black men.
I beg to differ. The normal human responses to an unknown group are (unfortunately) fear, mistrust and resistance, especially when it seems a representative of that group has attacked you. There have been people who looked at me, a hardware guy, sideways because in their mind, since I know how to build a computer, I _must_ be able to crack into them. Stupid? Youbetcha, but a reality none the less.
I am not encouraging scape-goating - I'm advocating that we use a measured and well thought out response, instead of resorting to finger pointing and name calling. If anything, I'm hoping that we differentiate ourselves from the h4xor doodz by not adding any more fuel to the fire. I think a conciliatory attitude is best, not the "Well you stupid fucks, you were asking for it" that seems prevalent so far.
"Depression is merely anger without enthusiasm." - Anonymous
If Western Union can warn all 50K customers, they should much more easily be able to warn a couple of credit card companies.
--
Ben "You have your mind on computers, it seems."
www.westernunion.com is running Microsoft-IIS/4.0 on NT4 or Windows 98. Hahahahah.
Since the webserver must verify the CC-numbers, it has to have a connection to a system where these are stored. While it is easier to secure a simple API which implements only verification, this way of separating the database from the webserver is not automatically secure. You could still hack the webserver and move on from there to hack the verification API. That is theoretically possible even if there is no direct return channel (data can only be sent to the database-server). See ->IP-Spoofing for an example of what you can do without getting any replies just by knowing exactly how the other system will behave.
Thanks, I'll have to look into it. The problem is that clients aren't always amenable to having extra network service installed. Should be perfectly good for internal stuff, though. And some clients. ;-)
Vintage computer games and RPG books available. Email me if you're interested.
Why the hell do they keep a cr. card database? I'd be happier if they didn't. And it's not necessary for them to do so.
I bought someone a gift certificate card from Barnes and Noble. Until it is activated at the cash register via a transaction, it is just a plastic card with a magnetic strip. I can't see a clerk at a 7-11 as being able to activate more than 1 of these per minute. If 10 are generated within 10 minutes, it ought to generate a notice that an irregular event is taking place. What robber wants a holdup in a 7-11 to take 10 minutes?
When a redemption transaction is put through with the "stolen" disposable credit card, the local authorities and Fox's COPS and Deadliest Car Crashes would be notified for the ensuing car chase.
Up and at 'em.
Clearly, "they" "do"...
t_t_b
--
I think not; therefore I ain't®
I'm on PJ's "enemies" list! Are you?
With this incident, I was reminded of many other services, like Paypal and Billpoint, that store credit card numbers. What would happen if someone was able to break these systems? What security measures have they taken? When I signed up for Paypal, I don't ever recall anything about their computer security, so I'm left wondering how vulnerable is the service to giving out my CC#?
-http://MSD.dyndns.org
Well, I'd give Oracle part of the blame for this. Nowhere in the installation instructions or printed documentation with ANY Oracle product do they tell you what users and passwords they are loading. I've only ever been asked for a password during installation on a windows system. I had to look through the setup scripts to find their damned default password.
BTW, this is a problem in a lot of places. Software installs things you aren't aware of (esp. on windows.) And admins aren't paying attention or aren't trained to manage what they are handed.
This is NOT good. Western Union is Old Money - they've been around for a long, long time as far as companies go. This will get the establishment REALLY pissed. Do we really want an all out war with The Man? Something like this will not help the cause of Napster, DeCSS and Open Source in general.
The establishment is not used to how the Hacker culture does things - they are used to order and directed control. The Internet is a terribly chaotic place - if you want something done, you go ahead and do it. Also, the first one there usually controls the situation, no matter who else joins them in the endeavour (witness that newer posts on /. usually garner more moderation points, and therefore direct the comment stream). Even in Internet startups, there is usually one person who starts the company and then hands over the reins to an established Business man to run the show (Yahoo!), not like what happens with Internet based projects, where the Alpha Geek or Lone Coder is regarded as the undisputed leader, regardless of how much education or money he has (a Good Thing, BTW).
The establishment will likely view this as further validation that we are out to kill. While the Hacker community has control of the Internet, attacks like this may end up being more common. The only way the Establishment can ensure its continued existence is to wrest control back. Napster being stamped out might be the first salvo in the Great Internet War. This little faux pas (likely by a script kiddie) will only accelerate the zeal and ruthlessness with which The Man deals with us. They just might see such attacks as a threat to their very survival, and react accordingly.
OK, some of you may post "Yeah! Stick it to the man, l337 h4x0r d00dz" and think it's good that the rich are getting theirs. That's fine, and welcomed on one level. However, we need to look at the big picture - The Man can pull the switch on the Internet if he's really threatened (not literally, figuratively), so we end up out in the cold (InternetII, anyone). Or just toss your ass in jail, rights be damned. As much as we don't like it, we have to compromise and let the establishment have its way - for a while.
I hope we can start to see things from the other side of the firewall soon - and use articulate argument, humour, understanding and gentle persuasion to get our way instead of random guerilla attacks on established companies.
"Depression is merely anger without enthusiasm." - Anonymous
I believe "this stuff" was a reference to "stories that just came over the wire ten minutes ago with next to no details," not a reference to "stories about credit cards."
Shaun
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
How can you possibly say that hackers aren't to blame? Just because someone was careless doesn't mean it's instantly moral to exploit the new weakness and use it for less than acceptable purposes. Hackers are to blame, because they're the ones who did it.
Love, Stu
4 MSNBC: Stealing Credit Card Numbers Online is Easy by Roblimo on Sun 16 Jan 05:22PM EST 341
4 Largest Online Credit Card Heist Ever? by Roblimo on Sun 09 Jan 04:59PM EST 359
3 RealNames Customer Data Stolen by emmett on Mon 14 Feb 06:55AM EST 129
4 British Crackers Demand Millions in Inforansom by Roblimo on Sun 16 Jan 11:52AM EST 195
On February 15 CmdrTaco saw the wrongness of his acts and decided to stop posting this stuff normally.
odbcping.exe -S 10.0.0.4 -U sa -P
If the returned text contains "CONNECTED", you are in.
This isn't ground breaking or anything, but now I can write a script that takes a list of hosts that were listening on port 1433 (use a port scanner) and I have an almost sure fire way of finding a server that is misconfigured (a.k.a. insecure).
The rest is trivial. If you can access the system as sa, you can do just about anything (xp_cmdshell 'net user') or whatever your 31337 heart desires.
The admins of a system on the Internet with a blank password need to have their fingers chopped off.
Regardless of how WU was vulnerable or hacked, the Internet is driving people online who don't belong there, and they are being put in positions of power and they don't even know or care.
my .02 on personal security:
most people compromise their own privacy...
Silly Rabbit: tricks are for kids.
Perhaps amazon.com's one-click patented technology will be less appealing after amazon.com's online customer database is ultimately hacked by 1337 h4x0r d00dz. What we really need is one-click class-action lawsuit technology.
The practice of keeping credit-card numbers around on an internet-accessible machine after a transaction has cleared is brain-damaged and companies that do that deserve to be sued.
When web sites tell their customers about how safe their transactions are because they are using secure sockets, etc., they should also be telling their customers that, after the safe, encrypted data has arrived on their server, it will be available in plain text to anyone who can type "system/manager".
Why not insert the CC#s into a "NO-SELECT" privileges table (encrypted of course, both at record level and at filesystem level)? Then grant select to a different user (that is denied login from non-privileged IP#s).
Simple solution for many online stores, yet it is NEVER done (at least that I have seen), except for on my own store that I am coding.
So now, you have 3 levels of security on top of the normal database server, firewall, etc.
Then follow a new standard procedure of deleting credit card #s after billing and possibly replacing the field with only the last 4 digits or an MD5 so that you can verify it later.
Common sense, but nobody seems to want to follow it.
Ever need an online dictionary?
How does that work? Wouldn't having a -$25 balance make the card useless to you as well? I'm a wee bit confused...
From what I remember from personal issues with cc companies, it is fairly easy to dispute charges.
So you'd think. In my case, the company was Chase Manhattan, and it took over nine months to resolve a $200+ disputed charge which appeared on my account after I'd closed it. The charge wasn't posted to me for over a year, following a resubmission by the merchant. I immediately notified Chase by phone and mail that I wasn't responsible for the charges (to a Florida hotel -- I live in California and have never been to Florida). The charges (and interest, and late charges) continued to appear on my statement. Repeated requests for copies of the actual charge slips failed to produce anything.
It was ultimately the threat of legal action, including criminal charges for fraud, misrepresentation, and malfeasance, and libel (credit history), if the dispute wasn't resolved within 30 days, which got the charges cleared from my account -- nine months after they'd initially appeared, seventeen months after they'd been made, a year and a half after I'd closed the account.
Yes, I got the dispute resolved, the dollar value was low, but it was a complete PITA.
What part of "Gestalt" don't you understand?
What part of "gestalt" don't you understand?
So where's the public key? And what has this bought you, at all? If you can't decrypt these numbers without the private key, which exists only on the non-networked machine, then why store them in encrypted form on a networked machine at all? They're not just useless to an intruder in that form, they're useless to you, too.
This is a very elaborate scheme you've cooked up, but its only advantage seems to be having the numbers stored on a non-networked machine, which could be done without the encryption and all the other hoops you have the merchant jumping through.
Why not? When the additional cost outweighs the benefits, the bottom line is what matters. Why else do you think car manufacturers release cars with defects (if they CARE about your safety, would they so actively promote those big dumb SUVs?)
On to another god damn no good SUV killing off nice (and actually affordable) sports cars, utterly OT:
When you're charging down the motorway on a rainy day, would you rather be in a 2 ton truck or some 4WD sports car (call me a wimp, but I like the technology as a crutch when it comes to driving).
And when is the Subaru Legacy (what do they call that twin-turbo tweaked version again?), the Mitsubishi Galant VR-4 or the Nissan Skyline not big enough for a family?
Kill'em! Kill'em all!
--
"Convictions are more dangerous enemies of truth than lies."
"No fraudulent transactions had been reported"--YET. Have any credit card statements been sent out--YET?
I've been walking someone through covering her ass after having her CC# stolen (not through Western Union) and was astounded when the fraud unit of this company (again, not Western Union) admitted that it believed that someone had broken into its database. And she does no online commerce.
So far, it's been nearly a month from the time that she was notified that her card was over her credit limit that she's been able to dispute fraudulent charges (can't dispute charges until the credit card statement arrives; can't file a police report without a credit card statement; can't put an alert on other personal records without a police report).
Translate "No fraudulent charges have been reported [YET!]" to "The shit hasn't hit the fan [YET!]". It's going to take some time before fraud reports can even trickle in. Perhaps about the time of the Thanksgiving Day parades.
well, if you leave a default password open on a database that is publicly accessible, a simple (example) query against all_tab_columns such as
select table_name, column_name
from all_tab_columns
where column_name like '%CREDIT%'
or column_name like '%CC%'
or column_name like '%EXP_DATE%';
might turn up the table that contains all of the user credit cards, not just one at a time when they're entered.
presumably by batches of tape several times a day, I would assume. *Shrug*.
Same reason Debian or RedHat or whoever you want to name releases software with bugs. They'd rather not, but it happens, and will continue to happen as long as people remain imperfect. When we all become perfect beings, then we'll start producing cars without defects. Until then, it's kinda stupid to expect that, and immediately decide there are conspiracies and/or shady motives involved when it doesn't happen.
if they CARE about your safety, would they so actively promote those big dumb SUVs?
If that's what people want to drive, sure they would. Your logic here is extremely spurious. The fact that other cars are safer than SUVs doesn't mean people selling SUVs don't care about safety. That's like saying because taking a ride at the county fair is safer than SCUBA diving, SCUBA instructors care less about safety than the idiots running the county fair, and I can assure you this is not the case, knowing representatives of both groups.
--
"Convictions are more dangerous enemies of truth than lies."
No, it's not a good analogy.
Computers are deterministic. Your 'con' is simply lock picking on a more complex scale. The fact that some logical constructs involving words similar to English are involved is not relevant. When you con someone into opening their house to you they make a voluntary decision. Computers can't do that.
Nonetheless, hacking computers is not equivalent to housebreaking, because no property is interfered with.
Hacking a system and looking around without making any changes or taking any information is, perhaps, closest to the crime of peeping tom or voyeurism in real life.
-----
Yes, that solves it!
All SysAdmins should be required to read Slashdot for accurate info as to how best to secure their boxes and networks.
maybe not.
I'd actually like to see guidelines coming out of the insurance industry. Sears, in your example, would be liable, but would have liability coverage through their business insurer if they'd taken appropriate risk-mitigation steps. OTOH, if the credit slips are in an unsecured area and free for the taking, the insurance company would refuse coverage. There's a whole field of risk management concerned with both financial and physical business risks.
What part of "Gestalt" don't you understand?
What part of "gestalt" don't you understand?
Christ, ever heard of sarcasm?
and various other nasties like that. In their defence, they never stored credit card numbers. But nonetheless, I couldn't believe it. IMHO, this all comes from ambitious young new media execs who know nothing about technology being given far too much money to throw around. They hire people who are good at BSing and dressing up their CVs, and they end up missing out the itsy little technical details, like getting a sysadmin who knows what routing is.
Just for fun, let me say that first bullet point again: "the sysadmin had never heard of apache".
This happens all the time, people; the only truly uncommon thing is that they admitted to the public that they had a break in. Most of these are kept hidden.
As for cancelling your credit cards, why? With a database of zillions of stolen cards the chance that yours gets used is slim. It's less hassle to deal with the potential fraudulent charge appearing on your bill than to get new cards!
(Now if you used one of those silly "ATM + 'credit' card things" that lets people irreversibly take money out of your bank account you'd better think again...)
99.9% of the places out there that encrypt their databases just use some lameass XOR scheme (b/c it has to be fast in and out) so that you wouldn't be able to look at it and immediately know what it is, but if you want to crack it, you sure as hell can - esp if you have a full database of them and know the table name is something like "credit_cards".
--
There are some odd things afoot now, in the Villa Straylight.
What hold was left open? It looks as if they were on an MS system - which would mean MS's SQL server, and I'm not sure what version they were using, but up until very recently (and perhaps still, haven't followed it) - the default login/password for the SQL server was "sa" login and no pass, wasn't it? Tight as a drum, nobody will ever figure that one out.
--
There are some odd things afoot now, in the Villa Straylight.
Perhaps credit card companies should now offer "hacker" insurance.
Possibly. But, unlike earthquakes, fires, flooding, and tornadoes, there are ways of protecting yourself from intruders in your computer systems.
On your house, you put a lock. If you're more protective, you get a noisy security system that alerts the police and you pay a fee. I suppose they could call it a "mandatory security fee" rather than "hacker insurance". Would you buy into a company which would basically be telling you "We know we will get hacked. Pay us if you want protection." ? They would at least have to make it sound nicer. A security fee sounds much nicer than "hacker insurance". And a security fee shouldn't even be NEEDED. This sort of thing should be AUTOMATIC when you got a service involving monetary transactions. There should not be optional security.
Withdrawal before climax is very ineffective and those who try this are usually called "parents."
AFAIK, most of them do. At least, all the banks I've dealt with demand that you follow certain security procedures before you use a merchant account for Internet transactions. The problem is, they get you to sign a bit of paper, but they don't enforce it, and their requirements are fairly lax (e.g. SSL and a firewall).
Is worth a ton of firewalls and proxies. The fact is, if you make it possible to get at the credit card numbers over a public network, someone smarter than you will work harder to get them than you worked to secure them. The solution is simply to physically isolate the long-term storage of credit card numbers -- put them on a database server which is not accessible to the Net. Use a zip disk or a tape or whatever to batch what comes in to your web site. Every day (or hour or whatever), you have a process on the web database server dump the info to removable media, you physically walk it over to the isolated server, and you load it there. Once the batch is transferred successfully, you run a second process that deletes the credit card numbers from the web database server. If anyone manages to crack your web server, they can only get credit cards entered from the time the previous batch was completed. If you don't have repeat customers enter their information again (you have the transactions go through the isolated server), then there's even that much more protection. The compromise of a few dozen credit cards (or even a few hundred) is a very manageable situation.
Putting all customers' credit card info on a publicly-accessible server is saying "we don't think anyone can get in" because the result of someone getting in would be catastrophic. That's a foolish and arrogant position. It's like not having homeowner's insurance. If you design your system, which, to some people's surprise, includes actual physical and human considerations, to minimize the effect of failure on any one piece, then you don't have to say "everyone who was ever our customer is now at risk".
Well, now we are seeing the (possibly lack of) disaster recovery plans by Western Union. We didn't ever think it would happen -- now what do we do?
--
The truth is out th - oh, wait, here it is...
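The batch hand-off described in the comment above, as an added Python example (not Western Union's or any vendor's code): the web-tier store, the isolated store and the removable medium are stand-ins (in-memory dicts and a JSON file on local disk), and the card numbers are constructed test values. It shows the ordering the comment insists on: purge the web tier only after the isolated side has acknowledged the batch, so a failed transfer loses nothing and a successful one leaves only post-batch transactions exposed.

```python
import hashlib
import json
import os
import tempfile

# Added example, not Western Union's or any vendor's code.  The two tiers are
# in-memory dicts standing in for the web database and the isolated server;
# the "removable medium" is a JSON file on local disk.


def _digest(path: str) -> str:
    """SHA-256 of the batch file; the isolated side reports this back as its
    acknowledgement of what it actually loaded."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


class WebTierStore:
    """Internet-facing database: holds full card numbers only for transactions
    captured since the last successful batch."""

    def __init__(self):
        self.pending = {}  # txn_id -> {"card": ..., "amount": ...}

    def capture(self, txn_id: str, card_number: str, amount: int) -> None:
        self.pending[txn_id] = {"card": card_number, "amount": amount}

    def export_batch(self, path: str):
        """Dump everything pending to the removable medium.  Returns the ids
        written and the digest of the file, so the purge is tied to exactly
        this batch and not to sales that arrive meanwhile."""
        ids = sorted(self.pending)
        with open(path, "w") as f:
            json.dump({i: self.pending[i] for i in ids}, f, sort_keys=True)
        return ids, _digest(path)

    def purge(self, ids, sent_digest: str, ack_digest: str) -> int:
        """Delete card data for a batch, but only once the isolated side's
        acknowledgement matches what was sent.  Returns the number purged."""
        if sent_digest != ack_digest:
            return 0  # transfer failed or was tampered with: keep the records
        for i in ids:
            self.pending.pop(i, None)
        return len(ids)


class IsolatedStore:
    """Long-term archive on the machine with no network path to the Internet."""

    def __init__(self):
        self.archive = {}

    def import_batch(self, path: str) -> str:
        with open(path) as f:
            batch = json.load(f)
        self.archive.update(batch)
        return _digest(path)  # acknowledgement carried back with the medium


def run_batch(web: WebTierStore, iso: IsolatedStore, path: str) -> int:
    """One sneakernet cycle: export, walk the medium over, import, purge."""
    ids, sent = web.export_batch(path)
    ack = iso.import_batch(path)
    return web.purge(ids, sent, ack)


def demo() -> dict:
    """Run a successful batch, then a failed one, and report what each tier holds."""
    web, iso = WebTierStore(), IsolatedStore()
    # constructed test card numbers, not real accounts
    web.capture("t1", "4111111111111111", 10)
    web.capture("t2", "5500000000000004", 20)
    fd, path = tempfile.mkstemp(suffix=".json")
    os.close(fd)
    try:
        purged = run_batch(web, iso, path)
        web.capture("t3", "340000000000009", 30)  # arrives after the batch
        ids, sent = web.export_batch(path)
        # simulate a transfer that never got acknowledged by the isolated side
        purged_after_failure = web.purge(ids, sent, "no-acknowledgement")
    finally:
        os.remove(path)
    return {
        "purged": purged,
        "archived": len(iso.archive),
        "exposed_on_web": sorted(web.pending),
        "purged_after_failure": purged_after_failure,
    }


if __name__ == "__main__":
    print(demo())
```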
Here's what you did: You connected over the internet, while logged in as root, to a machine that is known to be compromised.
Trust me, if you knew enough about Unix to have a root password, you wouldn't have done this. There is now a finite possibility that a nasty cracker type is looking through the web logs from the compromised box. When they find your connection attempt, you become a target. And now we know you connect to the internet with apps running as root.
You, madam, are now about to become just another roadkill on the information highway.
Share and Enjoy
Most banks who issue gold or platinum CCs will overnight you a replacement card for no extra charge. I've lost my credit card twice, in the last ten years. Each time the bank fedexed me a replacement by next morning.
---
No one is going to be able to just sit down and effectively or securely run an enterprise DB. You're going to need either training or preferably real-world experience.
end communication
The title looks more like it would deserve a score of -1, in contrast to its current score of 2. Oh well, never judge a book by its cover.
"Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer
A write-only database is no good if the crackers control the web page front-end to the database.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
And the worst is having a project where the web "designers" are calling the shots.
"Can you please put in some helpful error messages to tell the user whether they've entered an incorrect user name or just a wrong password?"
"No problem, should I list the most likely username intended and display the password hint as well? Come think of it, why don't I just delete all the files and drop the database on the live site, and save the "user" some trouble?"
Knowing how to do fancy graphics (actually not all that fancy at all) does not a web designer make.
Kill'em! Kill'em all!
I agree to a limited degree I think both are at fault.
A parallel may be drawn between this and the army. If you leave your locker open and have your kit stolen you will be punished for providing a temptation to others.
You have to be responsible for your kit and the army's kit (or credit card numbers entrusted to you).
I cannot even order pizza now on debit card in London due to the high level of fraud.
Slashdot Beta should die a painful death.
How do you get stuff from the one computer to the other if the other is not connected to the internet? via disk?
Well, one way to do something like this would be to use a protocol other than TCP/IP to connect the "offline" machine to the "online" machine.
-thomas
"Extraordinary claims require extraordinary evidence."
"And like that
wow, I hadn't thought of that.
Yes, it's always NIMBY thinking until one's own account is compromised.
Looks like it's time for me to get a dedicated credit card for internet use with a smallish limit - apply the principle of least privilege to one's own credit cards.
Even my local newspaper, covering around 20,000 people, had as the main headline this week a story about a security breach on a local website. The report was laughable, with the web-hosting site believing that the attacker must have known the userid and password into the web publishing system, as they were unaware of any other means into the machine. Obviously someone else who has never heard of CERT, Nessus or Bugtraq. I'll probably be writing to the newspaper this week to put them straight, once I've let Nessus have a proper probe.
Yes, but in this case it's more like someone conned the president of the bank into giving out access to everyone's accounts. I'd sure as hell sue any bank president that stupid.
"If you look 'round the table and can't tell who the sucker is, it's you." -- Quiz Show
he did what I did and renamed the user with uid 0 to 'bob' and made a non-privileged user named 'root'. I just did this to confuse people at work.
Lends more credibility to the disposable credit card concept.
the whole system is screwed. which idiot decided that a merchant should be given authority by the customer to charge their bank account? bah
BPay rules. You tell your BANK to pay the money to the merchant. A payment consists of Biller Code (the company to pay) and the Customer Reference (your customer/account/bill # with the merchant).
Online ordering is easy - either you open an account with the company and all your purchases are pooled together and get paid for under your Customer #, or the website gives you a unique bill number after you confirm your order, and you pay for each individual purchase. Once you have your customer #/bill # you head over to your bank's website, log in, type in the details and your bill is paid.
AFAIK, it's only debit at the moment, but there's no reason it can't be extended into credit. It's no substitute for an in-person credit card, but for online shopping, it can't be beat, IMO.
They are testing something similar in my hometown. You can have a card with any amount of cash on it. At the store (or vending machine), you insert it in the slot, the amount is displayed, you press OK and you remove the card. You can fill it back if you want more cash on it.
You can temporarily (sp?) protect it with a PIN but the way to use it is without PIN. It has the same problem as regular cash though : you lose the card, you lose your money.
For now, I think you can't buy cards at 7-11 but still the concept is there.
Benoit Potvin
The issue is that upper-management wants their web presence NOW. They don't care what corners get cut as long as you meet your deadline and it looks like it works.
I'm sure that if some group came up with a basic list of best practices for e-commerce security this sort of thing would be less rare... I'm sure companies would love to show their probably-hack-free compliance(tm).
stv
They are just covering their asses. If this happened and they didn't tell people that maybe their credit cards were in the shit that was seen, then I have a feeling they'd get in more trouble with the lawyers that are inevitably swooping in as we type.
--
There are some odd things afoot now, in the Villa Straylight.
Personally, I think that people who have ludicrously poor security should take some of the blame. Obviously the hackers are the problem, but it's a lot harder to feel sympathy for people who take no measures to stop something that should be predictable.
Abandon ship!!!
ARGH!!!
Our data has been stolen!
{{ fade to black }}
Nope, that's not true. Even if you have a 1 way cipher for the credit card data, if you can break into the webserver, you can steal the credit card numbers before they even get encrypted.
ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
I hate people like you who start the rumors.
"Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer
...and child pornographers. Yes sir, these anti-crypto laws sure are doing us good.
If they took the data that was more than a month old in their database and made a back-up and then deleted it (or at least the CC numbers) off their servers, maybe the world would be a safer place. Yes, if they ever needed it, they would have to put the back-up disks back in the computer. But what really frightens me are the companies that remember my credit card number, so "I" can use it again.
When I was a boy the government stole everything from us.
A perfectly viable method would be to send the pending credit-card number over to the database server, and have it (and it alone with access to the actual numbers) confirm it.
-----------
"You can't shake the Devil's hand and say you're only kidding."
The web server doesn't need to retrieve credit card numbers from the database server. It needs to be able to store the information, request an authorization, and submit a charge. I'm assuming that the authorization and charge submission is done on the secure database server. It can report success/failure back to the web server. If you want the user to verify the stored information, you could do what some web sites currently do, X out all but the last 4 digits of the card number.
My hovercraft is full of eels.
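Keeping only the last four digits for display and a fingerprint for later verification, as the two comments above suggest (the one proposing "the last 4 digits or an MD5" and the one about X-ing out all but the last 4). This is an added Python example, not code from the thread or any vendor; it assumes a hypothetical verification key held only on the isolated billing host, and the card numbers are constructed test values. candidate_space() quantifies why a bare MD5 of the number is a weak fingerprint: with the issuer prefix and last four digits known, only about 10^5 Luhn-valid numbers remain, which is why the fingerprint here is keyed.

```python
import hashlib
import hmac

# Added example, not code from the thread.  VERIFY_KEY stands in for a secret
# that would live only on the isolated billing host; it is a constructed value.
VERIFY_KEY = b"example-key-held-off-the-web-tier"


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test used by card numbers: from the right, double every
    second digit (subtracting 9 if that exceeds 9) and require a sum mod 10 of 0."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """What the customer sees on the site: all but the last four X-ed out."""
    return "X" * (len(pan) - 4) + pan[-4:]


def candidate_space(pan_len: int, bin_len: int = 6, last4_known: bool = True) -> int:
    """Number of Luhn-valid card numbers someone holding a stolen table would
    have to hash to match a bare MD5 fingerprint, given the issuer prefix
    (BIN) and, if stored beside it, the last four digits.  The Luhn check
    digit fixes one of the remaining digits, hence the -1."""
    free = pan_len - bin_len - (4 if last4_known else 0)
    return 10 ** (free - 1)


def unkeyed_fingerprint(pan: str) -> str:
    """The MD5 the comment proposes: no secret, so anyone with the table can
    match it by enumerating candidate_space() numbers."""
    return hashlib.md5(pan.encode()).hexdigest()


def keyed_fingerprint(pan: str, key: bytes) -> str:
    """HMAC-SHA256 with a key the web tier never holds: without the key the
    fingerprint cannot be matched against candidates at all."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def store_card(pan: str, key: bytes) -> dict:
    """What the web database keeps after billing: masked number for display,
    keyed fingerprint for later verification, never the full number."""
    if not pan.isdigit() or not luhn_ok(pan):
        raise ValueError("not a well-formed card number")
    return {"display": mask(pan), "fingerprint": keyed_fingerprint(pan, key)}


def verify_card(stored: dict, pan: str, key: bytes) -> bool:
    """Runs where the key lives (the isolated billing host): does the number
    the customer just typed match the one used before?"""
    if not pan.endswith(stored["display"][-4:]):
        return False
    return hmac.compare_digest(stored["fingerprint"], keyed_fingerprint(pan, key))


if __name__ == "__main__":
    rec = store_card("4111111111111111", VERIFY_KEY)  # constructed test number
    print(rec["display"], verify_card(rec, "4111111111111111", VERIFY_KEY))
    print("candidates for a bare MD5 with BIN and last 4 known:",
          candidate_space(16))
```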
Is there any indication how far the hackers went?
Western Union is owned by First Data Corporation, one of the largest credit card issuers in the US. Assuming the networks of the two corporations were somehow linked (or have systems shared between the two), if the hackers were able to get into FDC's systems, this could be disastrous.
It may be wise to invest in some put options on FDC...hmm
Jason.
-----------
"You can't shake the Devil's hand and say you're only kidding."
Hmm. Last I checked, IKEA's core business was selling cool & affordable furniture. How does their bad experiences with a website lead to the conclusion that they shouldn't be in business?
Many mistakes are made because people don't know any better. Really. "Cheap programmers"? More like "programmers that don't break the bank". It's hard to swallow that anyone with half a brain these days is worth well into a 6 figure salary.
-Stu
It seems like a fairly common practice for these web companies to store your credit card numbers in their database forever and ever once you make a transaction with them. The very same people seem to have no concept of how to keep a system secure. What will it take to get these idiots to design their sites with some level of security in mind? Maybe a class action suit (malpractice or something) on behalf of all the customers and credit card companies inconvenienced by this is in order...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
It was probably one of those cheap self-assembly websites you can get.
Though they should have been warned when they saw the name.
HÅXØR
"Information wants to be paid"
"Helping people make their lives better, everyday". Right...
you steal the data before it's inserted into the database, not after.
ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
Storing partially encrypted data in the database and keeping the decryption key on a separate, secure machine definitely sounds like a good idea - but has anyone here actually seen this done in practice?
Can you point me to any references I can quote for management?
----
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
Not any more it doesn't...
I mean, do you still use "Gay" as a simile for "Happy"?
Words change. Get used to it. Stop moaning when people say "Hacker" to mean someone who breaks into computer systems. That is now what it means, as "gay" now is a simile for "homosexual"
"Information wants to be paid"
IKEA was cracked because you could do any query against their database by changing parameters in their URL.
Fortunately, a QA company caught this before it was too late.
IKEA has NO RIGHT TO BE IN BUSINESS. PERIOD. They try to save a few nickels by hiring CHEAP PROGRAMMERS and it's their own FAULT. I hope IKEA and Western Union both go OUT OF BUSINESS.
--- Speaking only for myself,
Any company that does business on the Internet without proper safeguards ( which is what it sounds like ... ) deserves to be sued.
Granted, my view may change - because there is not enough information about how - but this has happened at other sites and it still amazes me.
There's a gorilla from Manilla who's a fella that stinks of vanilla and has salmonella.
IKEA exposes customer information on catalog site
In short, a bit of URL hacking exposed their whole customer database. Dan Huddle (CTO of xanga.com) said: "What a spammer's dream!", commenting on the potential for abuse of that privacy breach.
Continuous coverage of butt-headed, idiotic eCommerce web page designs continues after these dotCOM messages.
---
Was the database encrypted? Or did they store thousands of people credit card information in the clear on a system that was online?
Who was the system designer who let that get through? When are people going to learn that even though nothing is totally secure, there are many steps you can take so that you don't end up looking like an ass (CDNOW! comes to mind)
Encryption! Encryption! Encryption!
Get some and use it... (especially if you run a large financial database.)
I'm surprised that no one mentioned this: it is well understood in the security community that companies usually pay off instead of letting the news out.
:))
my theory is, Western Union and others have probably paid off numerous times before and finally realized that they can't pay crackers to buy silence anymore.
security measure? How about maxing out your credit card
Lends more credibility to the disposable credit card concept.
Please. It lends more credibility to the concept that big corps still don't have a clue. Technology security (unlike physical) is not a place to save a few bucks by hiring a few minimum security wanna-be rent-a-drunks. Plus it lends more strength to the idea that money cards, anonymous, variable in value, and secure, desperately need to be implemented, whether Big Brother likes it or not.
1Alpha7
Live to be Moderated
We run a small ecommerce site and I don't understand why these companies keep doing this. I don't see why you need to store credit card numbers on your own local servers. In the payment system we use we can look up the credit card number for any transaction we have processed, thus negating the need for keeping them on our server. I think ecommerce sites should be REQUIRED to say if they do/don't store CC numbers on their own server. It just looks like a liability just waiting to happen. Why do they feel that they need to do this? Sorry for the mini-rant but sometimes corporations piss me off. JF
c|net's article has a little more information about the hack.
It was unclear whether the hackers obtained any personal account information. No fraudulent transactions had been reported by late yesterday [...] Only Web site users who conducted online transactions would have been affected. Company officials were using email, letters and phone messages to alert between 10,000 and 20,000 consumers to cancel their credit or debit cards and get new ones.
Are you on crack?:
This post isn't "insightful", it's delusional. Western Union getting cracked isn't about "hacker culture" any more than a convenience store holdup. Someone broke in and stole information (potentially money). This happens every day in the real world. Anyone who thinks that the same kind of attempts aren't going to be made against their electronic storefronts isn't paying attention. It's not new, and it's no more likely to stop in cyberspace than in the real world. If you have a resource that you regard as property then you must defend it, or someone else will take it. As far as we know, that has been true as long as humans have had property.
"Hacker culture" doesn't enter into it. I've never seen any evidence that "hacker culture" encouraged theft of the property of others. The only persons I can conceive would attribute such a thing to "hacker culture" are not even close to being a part of it. (That means you!)
ESR didn't break into the server. RMS didn't do it. Linus didn't mastermind the attack. This has nothing at all to do with Open Source, as a movement or software. It's got a lot to do with Microsoft's closed source software and stupid administrators.
No, this attack is "NOT good". However, if the corporate powers want to do something about it, that _would_ be a good thing. Invest in better software. Pay for better admins. Defend our (and their) property. Making their security better makes our security better, too.
Taken from the WU website...
Helping people make their lives better, everyday
n0w 7h3 f45735t w4y 70 53nd m0n3y (70 31337 h4x0r d00dz)
I can't wait until someone steals my toast from my ip-enabled toaster.
NEWS: cloning, genome, privacy, surveillance, and more!
who wanted a date this time?
William D. Freeman http://members.xoom.com/EvilGNU -----BEGIN GEEK CODE BLOCK----- Version: 3.12 GCS d- s+:++ a---
You slashdoted western union! What am I supposed to do for fun now?
Hey c'mon man, according to netcraft Western Union is as good at security as:
:-)
- Burger King
- Gillette
- The NFL
Doesn't that make you feel better now?
If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
If you really, really, want to keep it, set up a dot matrix and print it out. I think the Credit Card companies should charge the fraud back to the company that stored the number. That ought to promote securing a server!
Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
One of the greatest misconceptions propagated by the credit card industry is that the consumer is liable for charges incurred on a stolen credit card.
Read your agreements carefully; most of my cards hold me with little if any liability (the worst is $50 maximum). The rest of the bill is footed by the credit card company/issuer, not the consumer. When the credit card company denies a charge to 'verify security', it is not doing so for 'your protection', as they say, but for their own.
So, if the credit card numbers were indeed stolen and used illicitly (which is not clearly the case), it's the credit card companies who have something to worry about, not the consumers.
Regardless, Western Union should have had more secure systems; I'm sure this is very embarrassing.
if their security checks are so routine, then why did this happen?
[root@solstice /root]# telnet westernunion.com 80
Trying 208.244.136.46...
Connected to westernunion.com.
Escape character is '^]'.
get
HTTP/1.1 501 Not Supported
Server: Microsoft-IIS/4.0
Oh, I see now.
"Hmmm...i don't get it. the only IRC servers that will let me connect are those on undernet"
FluX
After 16 years, MTV has finally completed its deevolution into the shiny things network
"It is seldom that liberty of any kind is lost all at once." -David Hume
Hell, this would never effect me, I just mail cash. Ones are the best for mailing.
-josh
It's not just the fscking installer that's Java-based, but everything except for svrmgrl and sqlplus. The entire DBA Studio and Oracle Enterprise Manager are Java based - that's why you need 512 MB RAM and 1 GHz in your desktop - to watch an asinine rotating globe spin around. Assholes.
Have you ever tried to use DBA Studio over a dialup connection with remote control software?
The only way to do that is to use an ICA/RDP connection to the site's LAN to a Citrix server and run OEM from there.
Bastards.
that doesn't really make sense.. if the webserver can see the CC#'s, which it will to verify information.. then if the webserver is cracked.. they will be able to do the same thing..
'nuff said.
Perhaps. Oracle's 8.1.x installer (fucking Java based installer; can't install over telnet anymore on most systems) tells you system/manager and sys/change-on-install or the like. But anybody who's used Oracle even once knows about system/manager. Anybody who's used SQL Server knows about 'sa/'. Anybody who's used Windows NT knows Administrator, Guest, IUSR_MACHINENAME. Anybody who's used Linux knows about root, guest, etc etc. There honestly does need to be criminal liability for this sort of thing. If an armoured truck full of gold bricks were stolen because the driver left the keys in the ignition, or in the sun visor, there'd be hell to pay. Well, default passwords and blatantly poor installation should be just as liable. Of course, the armoured truck driver doesn't have a CEO who's never gotten a driver's license sitting behind him telling him which pedal to push and which way to turn 'that wheel thing' all the time. It's not always the sys admin's fault. And heaven help the admin whose boss knows JUST ENOUGH to get himself in trouble.
Vintage computer games and RPG books available. Email me if you're interested.
I used to work as developer support for a web application development product. This often involved doing work directly on a customer's site. If I had a nickel for every time I asked for the login/password for an e-commerce related database, and it was the admin login with either a null password, or a default, I'd have a shitload of nickels. And if I also had a nickel for each time the database was installed on a computer completely exposed to the Internet, instead of, say, being installed behind a firewall, with possibly only the database access ports tunneled through (and only accepted from the IP of the web machine), or better yet, having both the web and database machines behind the firewall, and requests to the web machine being forwarded through, well, I'd have an even bigger shitload of nickels. Picking up SQL Server for Dummies or O'Reilly's Oracle In a Nutshell does NOT an e-commerce ready database make.
Vintage computer games and RPG books available. Email me if you're interested.
How could I be redundant? I was post #4!!!!!
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
of course, each card has to be individually activated at the register (like the gift cert cards at many places, prepaid phone cards at checkout line impulse areas, etc...)... that would take a long time...
--
"It's tough to be bilingual when you get hit in the head."
The reason it occurs to me that the card companies might want to partially reverse their long practice of not blaming the customer is that (a) these things are going to become more frequent, and especially (b) when this does happen, it happens en masse instead of a single, easily-tracked theft. If 50,000 cards are stolen and used for 50,000 medium-size automated purchases, it could be hard to seek redress. Indeed the paperwork in tracking down all the unauthorised purchases would probably be more expensive for the card company than the actual purchases themselves.
Nowhere in that article (unless I'm blind) does it say that any numbers were stolen. All they said is that it was unclear whether any 'personal information' was stolen.
And if it was stolen... that's shitty site design. You quickly stash cc#'s off in a secure location; you don't make them retrievable off the website, EVER.
I still don't understand why anyone would store sensitive information in a database on a system that is accessible from the Internet. Put the database on a secure server that provides a restricted set of functions to a predefined list of systems. Even if the web site gets cracked, and it will, the intruders would not get unrestricted access to the database.
Mea navis aericumbens anguillis abundat
If their security checks are so routine, then why did this happen?
[root@solstice /root]# telnet westernunion.com 80 /
Trying 208.244.136.46...
Connected to westernunion.com.
Escape character is '^]'.
get
HTTP/1.1 501 Not Supported
Server: Microsoft-IIS/4.0
Oh, I see now.
HAHA, Aw, did their little NT4 piece of shit get hacked? "You're not going anywhere today."
Your bank, maybe...FDIC is a good thing, and 7-11 isn't.
-- Give him Head? Be a Beacon?
-- Give him Head? Be a Beacon? :P)
(If you can't figure out how to E-Mail me, Don't.
Good reply. However, you are the type that I was warning against.
"ESR didn't break into the server. RMS didn't do it. Linus didn't mastermind the attack. This has nothing at all to do with Open Source, as a movement or software. It's got a lot to do with Microsoft's closed source software and stupid administrators. "
I couldn't agree more. But that being said, have you seen the view from the other side?
You are a hacker, and a hacker broke into the Western Union credit card database. Doesn't matter to them that you specifically didn't do it, just "one of your gang". This type of attack undermines what the establishment wants the Internet for - commerce. As such, they will just bear down more on ANY threat coming via the Internet, not just this specific type of attack. If that doesn't work, they may go after the Internet itself.
I agree that it is shoddy programming practices, mis-configurations and bad administration that are the usual causes of security breaches, but to a CEO who talks to the lawmakers, it's "Some punk hacker who got through the firewall", key word being "hacker".
My post was to show that we as a group had better be accommodating to the interests of everyone, else they will not be accommodating to us - which could conceivably spill over into the other cases stated in my post. The Man won't care that you didn't do it - just that you could.
"Depression is merely anger without enthusiasm." - Anonymous
www.westernunion.com is running Microsoft-IIS/4.0 on NT4 or Windows 98
D'oh! Seriously, you'd think these big banks and money sending whatever it is western union does people would use a B1 Trusted OS or something.
May I suggest BullDog or possibly TrustedBSD? I haven't tried TrustedBSD, but I was quite impressed with BullDog's stats at this past DefCon. They put a server running their OS (a modified Solaris) on the CTF (Capture The Flag) network running all sorts of insane services. A day into the competition they still hadn't been cracked so they posted the shadow password file. They never did get cracked.
jd@linuxgod [8:15pm] ~ > telnet www.westernunion.com 80
Trying 208.244.136.46...
Connected to www.westernunion.com.
Escape character is '^]'.
HEAD / HTTP/1.1
HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/4.0
Date: Mon, 11 Sep 2000 01:29:08 GMT
Connection: close
Content-Length: 407
Content-Type: text/html
Connection closed by foreign host.
jd@linuxgod [8:19pm] ~ >
I'm curious...what does an attacker gain by this knowledge?
The "cue the foo posts in 3, 2, 1..." posts will commence with no subsequent foo posts in 3, 2, 1...
Wasn't there something on Slashdot a short while back about MS using default passwords for SQL Server... Or more accurately, admins not changing the default password. That would be grossly negligent if this were so.
The following is a true story about Discover Card and my dealings with them on a security flaw that exposed over 20,000,000 million credit card numbers and other confidential data.
***
A year ago or so I was browsing the Discover Card web site and noticed they allowed viewing of your account balance and transactions online. I went to their account login page (not that I actually have a Discover card) and what I saw horrified me -- a CGI taking a file name as a parameter. If my assumption was correct, they were directly opening that file and spitting it back out. A simple test confirmed it: I passed /etc/passwd to the CGI and out came their system's password file. Using this same technique, I discovered (no pun intended) that the machine was an IBM server running AIX 4.3. Using IBM's online AIX documentation and some persistence, I was able to navigate throughout the server and read any file on the system that 'nobody' could. What I found next absolutely shocked me: Discover Card's complete database of account numbers, social security numbers, addresses and other contact information. Thus began my conversations with Discover Card.
I called Discover Card's toll-free number as they don't list any other way to contact them by phone. After convincing the rep that I really didn't want a Discover card and I just wanted to talk to someone in management, a lady came on the phone. I told her what I had found and that it was a serious issue. I don't think she knew what I was saying but she said she'd relay the information to the technical department and that they would get back to me quick style.
A week goes by and I have yet to hear from someone at Discover so I call again. I explain the whole story to this new manager and I'm told that I will be contacted about the matter.
A few days later I receive a call from the president of the technical department. After explaining the story for a third time he says that he will talk to his programmers about it and get back to me.
As the president promised, he did call me back -- this time with the president of security on the line. Once again I was asked to repeat my story and how I obtained access to their system. What happened next is a bit sketchy as I don't recall exactly how it took place or in what order: one of the presidents questioned me on whether I believed I was a 'hacker.' I assured him that what I had done was in good faith and even demonstrated that by contacting them as soon as I discovered the hole. I could have easily published a paper on it and sent it to the media and to their shareholders. Not only would their stock price have plummeted, but I'm sure someone would have found grounds for a lawsuit. Not to mention the damage it would have done to their credibility for touting excellent security.
The president of technical affairs mentioned that his programmers indeed looked into the problem but at this time they did not consider it a big issue. He said that if they needed anything more that they would contact me. In amazement of their lack of concern, I hung up the phone.
That was the last of my phone conversations with Discover. Over the next few days I periodically checked back at the site to see if the hole had been secured. I remember it being fixed the next day but then when I visited a week later the hole was back. I'm not sure how long the hole was sitting there in between my call and their permanent fix or even how long it was there before I called. As of today the hole has been plugged.
This just shows you what kind of companies we are trusting with our personal and sensitive information. It's one thing for someone to steal your credit card number -- they can easily be canceled. It's a whole different story if someone gets a hold of your social security number and private contact data. There is absolutely no excuse for these kinds of errors.
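The flaw the story above describes, a CGI that opens whatever file name the client passes, as an added example that is not part of the original post: the vulnerable handler next to a hardened one that allowlists page names and confirms the resolved path stays inside the document root. The page names, directory and "secret" file are constructed for the demo.

```python
# Added example, not code from the thread. Shows why "open(param)" leaks
# arbitrary files and how an allowlist plus a realpath containment check stops it.
import os
import tempfile

# Constructed pages a balance-viewing site might legitimately serve.
TEMPLATES = {"login.html": "<form>login</form>", "balance.html": "<p>balance</p>"}


def make_docroot() -> str:
    """Create a throwaway document root holding the constructed templates."""
    root = tempfile.mkdtemp(prefix="docroot_")
    for name, body in TEMPLATES.items():
        with open(os.path.join(root, name), "w") as f:
            f.write(body)
    return root


def serve_vulnerable(docroot: str, page: str) -> str:
    """The pattern the story describes: open whatever the client names.
    os.path.join discards docroot when page is absolute, and '..' walks out of it,
    so '/etc/passwd' or '../../etc/passwd' both read files outside the web tree."""
    with open(os.path.join(docroot, page)) as f:
        return f.read()


def serve_hardened(docroot: str, page: str) -> str:
    """Only known page names are served, and the resolved path must sit under docroot."""
    if page not in TEMPLATES:
        raise PermissionError(f"unknown page: {page!r}")
    base = os.path.realpath(docroot)
    target = os.path.realpath(os.path.join(base, page))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes document root")
    with open(target) as f:
        return f.read()


def demo() -> dict:
    """Run both handlers against a constructed file outside the docroot."""
    root = make_docroot()
    # Constructed stand-in for /etc/passwd: a file that lives outside docroot.
    fd, secret_path = tempfile.mkstemp(prefix="secret_")
    with os.fdopen(fd, "w") as f:
        f.write("root:x:0:0:root:/:/bin/sh\n")
    result = {"hardened_serves": serve_hardened(root, "login.html")}
    result["vuln_leaks"] = serve_vulnerable(root, secret_path).startswith("root:")
    try:
        serve_hardened(root, secret_path)
        result["hardened_blocks"] = False
    except PermissionError:
        result["hardened_blocks"] = True
    return result


if __name__ == "__main__":
    print(demo())
```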
I came up with a great way to protect my check card. I always keep -$25 in my accounts. That way if anyone tries to steal my number, flags immediately go up wherever the card's being used.
Life is a disease, sexually transmitted and fatal.
"PUT YOUR HANDS UP. GET THEM UP!"
Clerk does as he is told.
"Wha-What do you want?"
"GIMME ALL OF YOUR DISPOSABLE DEBIT CARDS! NOW!"
Clerk starts shovelling the cards into a bag.
"Don't you want the cash in the register?"
The Masked intruder shakes his head, and looks puzzled.
"...What?"
-- Give him Head? Be a Beacon?
-- Give him Head? Be a Beacon? :P)
(If you can't figure out how to E-Mail me, Don't.
Yeah, I can't use it. But that's the beauty of the plan, you see. If I, the legitimate owner of the card, can't use it, then no one else can either.
Life is a disease, sexually transmitted and fatal.
What would be even better than disposable credit card numbers would be disposable credit cards. I want to be able to walk to 7-11 and pay $51 for a $50 debit card (that can be used like a credit card.)
If we're ever going to move into e-cash, we have to have a system that is as anonymous as cash. This seems like the best way to assure that.
-Waldo
-------------------
CmdrTaco, define 'we'?
Well, a simple Netcraft query tells us that the website itself is Microsoft IIS probably on Windows NT. Part of the basic Microsoft ecommerce package is SQL Server, so I'm speculating that was the database that was compromised.
There definitely should be some litigation regarding this case. 10,000 to 20,000 possible credit card numbers?!? That is a lot of people and now they have to go thru the hassle of cancelling their credit cards and getting new ones.
This is Western Union, for crying out loud. A company that makes money by helping people transfer money. You think they would take better safety precautions and use encryption on their database. Or better yet, have the database server offline without a connection to the Internet.
-redking
Rangers Lead the Way!
Right! They put their website together with the Allen wrench included in the box!
--- Speaking only for myself,
'Hacker' has come to mean 'criminal' to the general public, and I think I've been seeing signs of the community accepting that.
I never use it to describe myself, nor do any other 'hackers' I know. Might I point out that even a Slashdot story recently used the word to describe computer criminals (I'm too lazy to look up the link). This is a Good Thing in my opinion, as I don't think we'd ever be able to reverse the meaning of the word in the public perception. As is, its use will only make us appear to be something we're not, and associate us with script kiddies like the ones that attacked Western Union.
I think the word 'geek' is replacing it. I think it is a great word to use because it is used by the general public to insult our kind. Sort of how homosexuals picked up the words 'gay' and 'queer' to describe themselves.
Jordan Bettis
``Wherever you go, there's another stupid sigfile quote.''
Speaking from experience, it's a major pain in the ass to cancel a credit/debit card and get a new one, not to mention trying to figure out how to live without one for a week. (Heck, I buy coffee in the morning with my debit card.) Never mind the nightmare of straightening out the false charges with your bank.
So is Western Union liable for this time/expense/pain in the ass? Should you have an expectation, visiting an e-commerce site of some sort, that your CC# will be kept private against the ravages of crackers?
If someone with a mask and gun steals a bag full of CC receipts from Sears, then uses the numbers, is Sears at all liable for their misuse? Should they be? How does this change for e-commerce stores? You can't really stop someone coming into your store with a gun and robbing you, but you can take much better precautions against someone hacking your site like this.
I see both sides of this - as an admin and a CC user. Should we have a zero-tolerance law? No mistakes, no excuses - the store that got hacked should just pay up, whatever its customers' expenses are? Honestly, I lean towards "yes." There have been enough public cracks in the last year to encourage even the most brain-dead (heh: "westernunion.com is running Microsoft-IIS/4.0 on NT4 or Windows 98" - NetCraft ) to really secure their stores and databases.
If you can't secure it, don't connect it to the web.
This isn't as much "normalization" as it is "don't take so many drugs when you're designing tables."