Slashdot Mirror


Western Union Cracked, Credit Cards Stolen

TrumpetPower! writes "NPR just reported that Western Union is recommending that customers who used their web page to send money should cancel their credit cards after somebody cracked their online credit card database. As I type this, the Western Union homepage simply states, 'Our Web site is temporarily out of service. We apologize for any inconvenience. To find the nearest agent location please call: 1-800-325-6000.'" Not much online yet besides the AP brief. (Normally we don't post this stuff, but it's getting submitted a lot, and it is kinda a big deal.) Lends more credibility to the disposable credit card concept.

23 of 246 comments

  1. It's their fault... by Docrates · Score: 3

    To me, the only way to prevent crackers from getting into some system and stealing credit card numbers is to not store them in your system... I run an ecommerce site and every transaction made, once cleared with the bank, gets its credit card info deleted.

    The advantages of storing users' credit card numbers do not justify the risk. It's like a restaurant that keeps your credit card number so that next time you eat there you don't have to wait for the check...

    Sure, there could be trojan horses that store credit card info as soon as it arrives at the server, but that seems to be less common.

    --

    There are two kinds of people in the world: Those with good memory.
  2. Didn't anyone read the CNET story? by Drestin · Score: 3

    > A Western Union spokesman said the vulnerability was caused when "performance management files" were left open on the site during routine maintenance, allowing the hacker access. He did not know when the maintenance began or how long the site had been left unprotected.

    > "We are still in the due diligence period," said Peter Ziverts, a spokesman for the Englewood, Colo.-based company. "But this wasn't an architectural problem; this was due to human error."

    Repeat: "it wasn't an architectural problem; this was due to human error."

    So, get off the IIS/SQL/NT crap - being desperate for ANYTHING anti-MS doesn't paint /. users in a positive light to anyone.

    This could have just as easily been a *nix box and it still would have been compromised if proper security methods weren't followed, as was the case here.

  3. Re:Oh, the things I've seen by SuiteSisterMary · Score: 3

    Yup. Full of shit.
    Client: Can you guys do a one time install and configure of Oracle for us?
    My Boss: Sure thing. SSM, get to it.
    Me: Sure thing, boss. I'm assuming that they've guaranteed that the Internet between there and here will be both fast and stable enough to keep an X session going for the several hours it will take to install and do basic configuration?
    Boss: Huh?
    Me: *points to docs that say no character mode install*
    Boss: AAAARGH!
    Clients: AAARGH!
    Nobody was happy at the end of the day.

    --
    Vintage computer games and RPG books available. Email me if you're interested.
  4. .... by Anonymous Coward · Score: 4

    ...the fastest way to send money to LEET HAX0RS.

  5. The Problem by Andrew+Dvorak · Score: 3

    The problem, as reported by NPR, was traced to human error... Somebody left a database open, which is where the vulnerability existed. Western Union will correct the problem, says they.


  6. Putting out the fire - with gasoline by Soko · Score: 4

    This is NOT good. Western Union is Old Money - they've been around for a long, long time as far as companies go. This will get the establishment REALLY pissed. Do we really want an all out war with The Man? Something like this will not help the cause of Napster, DeCSS and Open Source in general.

    The establishment is not used to how the Hacker culture does things - they are used to order and directed control. The Internet is a terribly chaotic place - if you want something done, you go ahead and do it. Also, the first one there usually controls the situation, no matter who else joins them in the endeavour (witness that newer posts on /. usually garner more moderation points, and therefore direct the comment stream). Even in Internet startups, there is usually one person who starts the company and then hands over the reins to an established business man to run the show (Yahoo!), not like what happens with Internet based projects, where the Alpha Geek or Lone Coder is regarded as the undisputed leader, regardless of how much education or money he has (a Good Thing, BTW).

    The establishment will likely view this as further validation that we are out to kill. While the Hacker community has control of the Internet, attacks like this may end up being more common. The only way the Establishment can ensure its continued existence is to wrest control back. Napster being stamped out might be the first salvo in the Great Internet War. This little faux pas (likely by a script kiddie) will only accelerate the zeal and ruthlessness with which The Man deals with us. They just might see such attacks as a threat to their very survival, and react accordingly.

    OK, some of you may post "Yeah! Stick it to the man, l337 h4x0r d00dz" and think it's good that the rich are getting theirs. That's fine, and welcomed on one level. However, we need to look at the big picture - The Man can pull the switch on the Internet if he's really threatened (not literally, figuratively), so we end up out in the cold (InternetII, anyone). Or just toss your ass in jail, rights be damned. As much as we don't like it, we have to compromise and let the establishment have its way - for a while.

    I hope we can start to see things from the other side of the firewall soon - and use articulate argument, humour, understanding and gentle persuasion to get our way instead of random guerrilla attacks on established companies.

    --
    "Depression is merely anger without enthusiasm." - Anonymous
    1. Re:Putting out the fire - with gasoline by Anonymous Coward · Score: 3

      Vandalism and theft have nothing to do with freedom. If I mug you or pick your pocket and get your credit card and proceed to buy stuff, and you just happen to be rich, I'm not sticking it to the man. I am a thief. Napster and DeCSS are about very different things, and while the MPAA may try to paint being able to access copyrighted digital data as theft, they are trying to manipulate the language, not talk about what pirates are doing. This is illegal because CC#s, which can be used to purchase things and cause the unauthorized transfer of money, have been taken into possession in a way that was never intended.

  7. Re:Oh, the things I've seen by beacon · Score: 5

    Indeed so. I recently worked on a very large (>$1m) project for a multinational client, with a significant ecom component, where:

    • The sysadmin had never heard of apache
    • I and several other developers had full root access to the production environment
    • The oracle manager account was system/manager

    and various other nasties like that. In their defence, they never stored credit card numbers. But nonetheless, I couldn't believe it. IMHO, this all comes from ambitious young new media execs who know nothing about technology being given far too much money to throw around. They hire people who are good at BSing and dressing up their CVs, and they end up missing out the itsy little technical details, like getting a sysadmin who knows what routing is.

    Just for fun, let me say that first bullet point again: "the sysadmin had never heard of apache".

  8. Re:Ass raped monkeys by beacon · Score: 3

    AFAIK, most of them do. At least, all the banks I've dealt with demand that you follow certain security procedures before you use a merchant account for Internet transactions. The problem is, they get you to sign a bit of paper, but they don't enforce it, and their requirements are fairly lax (e.g. SSL and a firewall).

  9. Re:liability? by Admiral+Burrito · Score: 3

    > An important component is that no sysadmin at the company has any access to this processing machine. Only technically inclined executives (i.e. CTO, CIO, COO) have root access to this machine, and if maintenance must occur at this machine, the sysadmin is logged into it by the executive, who then physically watches what the sysadmin is doing (and the executive knows his/her shit, so there is no question of foul play).

    I would suggest that this is bordering on overkill. There are lots of brick-and-mortar businesses that handle credit cards without needing precautions like those.

    Attacks over the internet are serious because they are relatively anonymous. Credit card numbers stolen by employees are less of a concern because the pool of suspects is small and you know where they all live.

    > In this scenario, if the website is completely compromised and all credit card numbers are stolen, they are completely useless to the cracker, as they cannot be decrypted without that private key.

    Don't get complacent. As long as your system is working and those credit card numbers are getting encrypted, you're okay. But if you're hacked that can change. Someone could capture credit card numbers as they enter the system - after they come out of the SSL-encrypted socket, but before they get encrypted by your application. A good rootkit could keep such a process hidden for a long time. Of course, this is a much more difficult attack than just dumping the contents of a database.

    > This is ideal practice, and should be implemented at all e-commerce sites.

    Not quite ideal, but a major improvement over what most people are doing right now.

    What might be even better would be a Java applet running on the client side doing the encryption there. That way the plaintext never even enters the server. The applet should be signed so that if someone breaks into the server they can't simply replace the applet with a trojan. But this assumes that the users would notice if the applet was not signed- a bad assumption.

  10. Re:End the pesimism, research OS security! by sjames · Score: 3

    > This principle CANNOT exist in a UNIX system, which has very rough granularity to its security, and is based on very heuristic security methods that form an extremely complex, impossible to secure system.

    Sure they can! There is work in Linux and several other Unixen to move to capability-based systems and implement the principle of least privilege.

    EROS does look interesting though.

  11. Ass raped monkeys by Greyfox · Score: 3

    It seems like a fairly common practice for these web companies to store your credit card numbers in their database forever and ever once you make a transaction with them. The very same people seem to have no concept of how to keep a system secure. What will it take to get these idiots to design their sites with some level of security in mind? Maybe a class action suit (malpractice or something) on behalf of all the customers and credit card companies inconvenienced by this is in order...

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    1. Re:Ass raped monkeys by Detritus · Score: 3

      I would expect the credit card companies to set and enforce security standards for merchants that accept their cards. If you want to accept credit cards, you have to sign a contract with, and be approved by, the card's issuer.

      --
      Mea navis aericumbens anguillis abundat
  12. This should _never_ have happened! by CTalkobt · Score: 5

    This should never have happened. With the proper safeguards - i.e. having a one-way cipher to the credit card data and then another machine not connected to the Internet to process it - the accounts would merely be a jumble of characters and digits encoded.

    Any company that does business on the Internet without proper safeguards ( which is what it sounds like ... ) deserves to be sued.

    Granted, my view may change - because there is not enough information about how - but this has happened at other sites and it still amazes me.

    --
    There's a gorilla from Manilla who's a fella that stinks of vanilla and has salmonella.
  13. A Clue About Security by 1alpha7 · Score: 5

    > Lends more credibility to the disposable credit card concept.

    Please. It lends more credibility to the concept that big corps still don't have a clue. Technology security (unlike physical) is not a place to save a few bucks by hiring a few minimum security wanna-be rent-a-drunks. Plus it lends more strength to the idea that money cards, anonymous, variable in value, and secure, desperately need to be implemented, whether Big Brother likes it or not.

    1Alpha7

    --
    Live to be Moderated
  14. c|net's article by Speare · Score: 5

    c|net's article has a little more information about the hack.

    > It was unclear whether the hackers obtained any personal account information. No fraudulent transactions had been reported by late yesterday [...] Only Web site users who conducted online transactions would have been affected. Company officials were using email, letters and phone messages to alert between 10,000 and 20,000 consumers to cancel their credit or debit cards and get new ones.

    --
    [ .sig file not found ]
  15. Oh, the things I've seen by SuiteSisterMary · Score: 5

    I used to work as developer support for a web application development product. This often involved doing work directly on a customer's site. If I had a nickel for every time I asked for the login/password for an e-commerce related database, and it was the admin login with either a null password, or a default, I'd have a shitload of nickels. And if I also had a nickel for each time the database was installed on a computer completely exposed to the Internet, instead of, say, being installed behind a firewall, with possibly only the database access ports tunneled through (and only accepted from the IP of the web machine), or better yet, having both the web and database machines behind the firewall, and requests to the web machine being forwarded through, well, I'd have an even bigger shitload of nickels. Picking up SQL Server for Dummies or O'Reilly's Oracle In a Nutshell does NOT an e-commerce ready database make.

    --
    Vintage computer games and RPG books available. Email me if you're interested.
  16. Numbers not stolen? by mindstrm · Score: 3

    Nowhere in that article (unless I'm blind) does it say that any numbers were stolen. All they said is that it was unclear whether any 'personal information' was stolen.

    And if it was stolen... that's shitty site design. You quickly stash cc#'s off in a secure location; you don't make them retrievable off the website, EVER.

  17. On-line Databases by Detritus · Score: 4

    I still don't understand why anyone would store sensitive information in a database on a system that is accessible from the Internet. Put the database on a secure server that provides a restricted set of functions to a predefined list of systems. Even if the web site gets cracked, and it will, the intruders would not get unrestricted access to the database.

    --
    Mea navis aericumbens anguillis abundat
    1. Re:On-line Databases by levendis · Score: 3

      Yes, but, at some point the user has to enter the card number initially. It could be that the crackers were intercepting this stuff, before it hit the secure database server.

      --
      ---- I made the Kessel Run in under 11 parsecs.
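The design Detritus describes above (a separate secure server exposing only a restricted set of functions to a predefined list of systems), together with the hand-off points made in the CTalkobt and Admiral Burrito posts, as an added Python example; this is not code from the thread, from Slashdot or from Western Union. Everything in it is constructed: the system identifiers, the sample card number (a standard Luhn-valid test number), and the in-process "bank" that approves settlements. It also shows the gap levendis points out: the web tier still handles the number transiently before hand-off, so this protects the stored data, not the intake path.

```python
"""Tokenising card vault: the web tier never keeps a card number.

Added example, not code from the thread or from Western Union. The vault
stands in for the isolated processing host; in production it would be a
separate machine reachable only over a narrow service interface.
All identifiers, the sample card number and the "bank" are constructed.
"""
import secrets
from dataclasses import dataclass, field

# Predefined list of systems allowed to talk to the vault (constructed IDs).
ALLOWED_CALLERS = {"web-01", "web-02"}


def luhn_ok(pan: str) -> bool:
    """Luhn check: rejects malformed numbers at intake, before storage."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def acquiring_bank(pan: str, amount_cents: int) -> bool:
    """Constructed stand-in for the bank: approves sane amounts only."""
    return luhn_ok(pan) and 0 < amount_cents <= 1_000_000


@dataclass
class ProcessingVault:
    """Lives on the isolated host. Exposes store() and settle(), nothing else."""
    _pans: dict = field(default_factory=dict)   # token -> PAN, purged on settle

    def _authorise(self, caller: str) -> None:
        if caller not in ALLOWED_CALLERS:
            raise PermissionError(f"{caller!r} is not an authorised system")

    def store(self, caller: str, pan: str) -> str:
        """Accept a card number and return an opaque token in its place."""
        self._authorise(caller)
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        token = secrets.token_urlsafe(16)   # random; derives nothing from the PAN
        self._pans[token] = pan
        return token

    def settle(self, caller: str, token: str, amount_cents: int) -> bool:
        """Charge the card behind a token, then forget the number (one-shot)."""
        self._authorise(caller)
        pan = self._pans.pop(token, None)
        if pan is None:
            return False
        return acquiring_bank(pan, amount_cents)

    # Deliberately no retrieve(): even a fully compromised web server has no
    # call it can make to read card numbers back out.


@dataclass
class WebTier:
    """Internet-facing server. Its own database holds tokens, never PANs."""
    system_id: str
    vault: ProcessingVault
    orders: dict = field(default_factory=dict)

    def checkout(self, order_id: str, pan: str, amount_cents: int) -> bool:
        # The number is in memory here only for the hand-off itself; this is
        # the window an intercept-before-storage attack would target.
        token = self.vault.store(self.system_id, pan)
        self.orders[order_id] = {"token": token, "last4": pan[-4:],
                                 "amount_cents": amount_cents}
        return self.vault.settle(self.system_id, token, amount_cents)


def dump_reveals_pan(web: WebTier, pan: str) -> bool:
    """What an intruder who copies the whole web database would learn."""
    return any(pan in str(record) for record in web.orders.values())


if __name__ == "__main__":
    vault = ProcessingVault()
    web = WebTier("web-01", vault)
    ok = web.checkout("order-1", "4111111111111111", 4999)  # constructed test PAN
    print("settled:", ok,
          "| PAN in web DB dump:", dump_reveals_pan(web, "4111111111111111"))
```

Two properties carry the weight here: the vault's interface has no read-back call at all, so a dump of the web database yields tokens and last-four digits only, and settlement is one-shot, so the processing host also stops holding the number once the bank has cleared the charge (the retention rule Docrates describes in the first comment). A caller outside the allowed list is refused before any data is touched.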
  18. suuuuuuuuuuuuure by kirwin · Score: 5

    > The problem was discovered during a routine security check Friday, he said.

    If their security checks are so routine, then why did this happen?

    [root@solstice /root]# telnet westernunion.com 80
    Trying 208.244.136.46...
    Connected to westernunion.com.
    Escape character is '^]'.
    get /
    HTTP/1.1 501 Not Supported
    Server: Microsoft-IIS/4.0

    Oh, I see now.

  19. Disposable Credit Cards by waldoj · Score: 3

    What would be even better than disposable credit card numbers would be disposable credit cards. I want to be able to walk to 7-11 and pay $51 for a $50 debit card (that can be used like a credit card.)

    If we're ever going to move into e-cash, we have to have a system that is as anonymous as cash. This seems like the best way to assure that.

    -Waldo

    -------------------

  20. liability? by legLess · Score: 5

    Speaking from experience, it's a major pain in the ass to cancel a credit/debit card and get a new one, not to mention trying to figure out how to live without one for a week. (Heck, I buy coffee in the morning with my debit card.) Never mind the nightmare of straightening out the false charges with your bank.

    So is Western Union liable for this time/expense/pain in the ass? Should you have an expectation, visiting an e-commerce site of some sort, that your CC# will be kept private against the ravages of crackers?

    If someone with a mask and gun steals a bag full of CC receipts from Sears, then uses the numbers, is Sears at all liable for their misuse? Should they be? How does this change for e-commerce stores? You can't really stop someone coming into your store with a gun and robbing you, but you can take much better precautions against someone hacking your site like this.

    I see both sides of this - as an admin and a CC user. Should we have a zero-tolerance law? No mistakes, no excuses - the store that got hacked should just pay up, whatever its customers' expenses are? Honestly, I lean towards "yes." There have been enough public cracks in the last year to encourage even the most brain-dead (heh: "westernunion.com is running Microsoft-IIS/4.0 on NT4 or Windows 98" - NetCraft) to really secure their stores and databases.

    If you can't secure it, don't connect it to the web.

    --
    This isn't as much "normalization" as it is "don't take so many drugs when you're designing tables."