Western Union Cracked, Credit Cards Stolen
TrumpetPower! writes "NPR just reported that Western Union is recommending that customers who used their web page to send money should cancel their credit cards after somebody cracked their online credit card database.
As I type this, the Western Union homepage simply states, "Our Web site is temporarily out of service. We apologize for any inconvenience. To find the nearest agent location please call: 1-800-325-6000."" Not much online yet besides the AP brief. (Normally we don't post this stuff, but it's getting submitted a lot, and it is kinda a big deal). Lends more credibility to the disposable credit card concept.
...the fastest way to send money to LEET HAX0RS.
This is NOT good. Western Union is Old Money - they've been around for a long, long time as far as companies go. This will get the establishment REALLY pissed. Do we really want an all out war with The Man? Something like this will not help the cause of Napster, DeCSS and Open Source in general.
The establishment is not used to how the Hacker culture does things - they are used to order and directed control. The Internet is a terribly chaotic place - if you want something done, you go ahead and do it. Also, the first one there usually controls the situation, no matter who else joins them in the endeavour (witness that newer posts on /. usually garner more moderation points, and therefore direct the comment stream). Even in Internet startups, there is usually one person who starts the company and then hands over the reins to an established businessman to run the show (Yahoo!), not like what happens with Internet-based projects, where the Alpha Geek or Lone Coder is regarded as the undisputed leader, regardless of how much education or money he has (a Good Thing, BTW).
The establishment will likely view this as further validation that we are out to kill. While the Hacker community has control of the Internet, attacks like this may end up being more common. The only way the Establishment can ensure its continued existence is to wrest control back. Napster being stamped out might be the first salvo in the Great Internet War. This little faux pas (likely by a script kiddie) will only accelerate the zeal and ruthlessness with which The Man deals with us. They just might see such attacks as a threat to their very survival, and react accordingly.
OK, some of you may post "Yeah! Stick it to the man, l337 h4x0r d00dz" and think it's good that the rich are getting theirs. That's fine, and welcomed on one level. However, we need to look at the big picture - The Man can pull the switch on the Internet if he's really threatened (not literally, figuratively), so we end up out in the cold (Internet2, anyone?). Or just toss your ass in jail, rights be damned. As much as we don't like it, we have to compromise and let the establishment have its way - for a while.
I hope we can start to see things from the other side of the firewall soon - and use articulate argument, humour, understanding and gentle persuasion to get our way instead of random guerilla attacks on established companies.
"Depression is merely anger without enthusiasm." - Anonymous
and various other nasties like that. In their defence, they never stored credit card numbers. But nonetheless, I couldn't believe it. IMHO, this all comes from ambitious young new media execs who know nothing about technology being given far too much money to throw around. They hire people who are good at BSing and dressing up their CVs, and they end up missing out the itsy little technical details, like getting a sysadmin who knows what routing is.
Just for fun, let me say that first bullet point again: "the sysadmin had never heard of apache".
Any company that does business on the Internet without proper safeguards ( which is what it sounds like ... ) deserves to be sued.
Granted, my view may change - because there is not enough information about how - but this has happened at other sites and it still amazes me.
There's a gorilla from Manila who's a fella that stinks of vanilla and has salmonella.
Lends more credibility to the disposable credit card concept.
Please. It lends more credibility to the concept that big corps still don't have a clue. Technology security (unlike physical) is not a place to save a few bucks by hiring a few minimum-security wanna-be rent-a-drunks. Plus it lends more strength to the idea that money cards, anonymous, variable in value, and secure, desperately need to be implemented, whether Big Brother likes it or not.
1Alpha7
Live to be Moderated
c|net's article has a little more information about the hack.
It was unclear whether the hackers obtained any personal account information. No fraudulent transactions had been reported by late yesterday [...] Only Web site users who conducted online transactions would have been affected. Company officials were using email, letters and phone messages to alert between 10,000 and 20,000 consumers to cancel their credit or debit cards and get new ones.
I used to work as developer support for a web application development product. This often involved doing work directly on a customer's site. If I had a nickel for every time I asked for the login/password for an e-commerce related database, and it was the admin login with either a null password, or a default, I'd have a shitload of nickels. And if I also had a nickel for each time the database was installed on a computer completely exposed to the Internet, instead of, say, being installed behind a firewall, with possibly only the database access ports tunneled through (and only accepted from the IP of the web machine), or better yet, having both the web and database machines behind the firewall, and requests to the web machine being forwarded through, well, I'd have an even bigger shitload of nickels. Picking up SQL Server for Dummies or O'Reilly's Oracle In a Nutshell does NOT an e-commerce ready database make.
Vintage computer games and RPG books available. Email me if you're interested.
I still don't understand why anyone would store sensitive information in a database on a system that is accessible from the Internet. Put the database on a secure server that provides a restricted set of functions to a predefined list of systems. Even if the web site gets cracked, and it will, the intruders would not get unrestricted access to the database.
My hovercraft is full of eels.
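The two posts above describe the same arrangement: keep the card database off the Internet, let only the web machine's address reach it, and expose a restricted set of operations rather than the raw tables. The following is an added example of that pattern, not code from this thread or from Western Union: a small "vault" service owns the card table and answers only two calls, and only from addresses in the web tier's network; the network range, host addresses, operation names and card numbers are all constructed for illustration.

```python
import ipaddress
import secrets
import sqlite3

# Assumption for the example: web servers live in this range and nothing else does.
WEB_TIER_NETWORKS = [ipaddress.ip_network("10.0.1.0/24")]


class AccessDenied(Exception):
    pass


class CardVault:
    """Holds the card table; the web tier only ever gets tokens and last-four digits back."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        # In a real deployment the pan column would also be encrypted with a key
        # that only this host holds; the point here is the narrow interface.
        self.db.execute(
            "CREATE TABLE cards (token TEXT PRIMARY KEY, pan TEXT NOT NULL, expiry TEXT NOT NULL)"
        )
        self.db.execute(
            "CREATE TABLE charges (id INTEGER PRIMARY KEY, token TEXT NOT NULL, amount_cents INTEGER NOT NULL)"
        )
        # The complete list of operations a caller may invoke. There is no "dump",
        # no ad-hoc SQL, and no way to read a stored number back.
        self._operations = {
            "store_card": self._store_card,
            "charge": self._charge,
        }

    def handle(self, peer_ip, operation, **params):
        """Single entry point: check who is calling, then dispatch to an allowed operation."""
        addr = ipaddress.ip_address(peer_ip)
        if not any(addr in net for net in WEB_TIER_NETWORKS):
            raise AccessDenied(f"source {peer_ip} is not an allowed caller")
        handler = self._operations.get(operation)
        if handler is None:
            raise AccessDenied(f"operation {operation!r} is not exposed")
        return handler(**params)

    def _store_card(self, pan, expiry):
        """Store a card and return an opaque token; the number itself never leaves the vault."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("malformed card number")
        token = secrets.token_hex(16)
        self.db.execute("INSERT INTO cards VALUES (?, ?, ?)", (token, pan, expiry))
        return token

    def _charge(self, token, amount_cents):
        """Record a charge against a token; the receipt carries only the last four digits."""
        row = self.db.execute("SELECT pan FROM cards WHERE token = ?", (token,)).fetchone()
        if row is None:
            raise ValueError("unknown token")
        if amount_cents <= 0:
            raise ValueError("amount must be positive")
        self.db.execute(
            "INSERT INTO charges (token, amount_cents) VALUES (?, ?)", (token, amount_cents)
        )
        return {"last4": row[0][-4:], "amount_cents": amount_cents}


def demo():
    """Walk through a normal charge, then the two things a compromised web host would try."""
    vault = CardVault()
    # Constructed test card number, not a real account.
    token = vault.handle("10.0.1.5", "store_card", pan="4111111111111111", expiry="12/02")
    receipt = vault.handle("10.0.1.5", "charge", token=token, amount_cents=2500)

    # A cracked web server cannot dump the table: no such operation exists.
    try:
        vault.handle("10.0.1.5", "dump_cards")
        dumped = True
    except AccessDenied:
        dumped = False

    # A host outside the web tier cannot call anything at all.
    try:
        vault.handle("203.0.113.9", "charge", token=token, amount_cents=1)
        outsider = True
    except AccessDenied:
        outsider = False

    return receipt, dumped, outsider


if __name__ == "__main__":
    print(demo())
```

The address check stands in for the firewall rule the first poster describes (only the web machine's IP may reach the database port); the operation table is the "restricted set of functions" the second poster asks for. Either control alone helps, but together they mean that even a full compromise of the web server yields tokens and receipts, not the card table.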
If their security checks are so routine, then why did this happen?
[root@solstice /root]# telnet westernunion.com 80
Trying 208.244.136.46...
Connected to westernunion.com.
Escape character is '^]'.
get
HTTP/1.1 501 Not Supported
Server: Microsoft-IIS/4.0
Oh, I see now.
Speaking from experience, it's a major pain in the ass to cancel a credit/debit card and get a new one, not to mention trying to figure out how to live without one for a week. (Heck, I buy coffee in the morning with my debit card.) Never mind the nightmare of straightening out the false charges with your bank.
So is Western Union liable for this time/expense/pain in the ass? Should you have an expectation, visiting an e-commerce site of some sort, that your CC# will be kept private against the ravages of crackers?
If someone with a mask and gun steals a bag full of CC receipts from Sears, then uses the numbers, is Sears at all liable for their misuse? Should they be? How does this change for e-commerce stores? You can't really stop someone coming into your store with a gun and robbing you, but you can take much better precautions against someone hacking your site like this.
I see both sides of this - as an admin and a CC user. Should we have a zero-tolerance law? No mistakes, no excuses - the store that got hacked should just pay up, whatever its customers' expenses are? Honestly, I lean towards "yes." There have been enough public cracks in the last year to encourage even the most brain-dead (heh: "westernunion.com is running Microsoft-IIS/4.0 on NT4 or Windows 98" - NetCraft) to really secure their stores and databases.
If you can't secure it, don't connect it to the web.
This isn't as much "normalization" as it is "don't take so many drugs when you're designing tables."