Slashdot Mirror


Western Union Cracked, Credit Cards Stolen

TrumpetPower! writes "NPR just reported that Western Union is recommending that customers who used their web page to send money should cancel their credit cards after somebody cracked their online credit card database. As I type this, the Western Union homepage simply states, "Our Web site is temporarily out of service We apologize for any inconvenience To find the nearest agent location plase call: 1-800-325-6000."" Not much online yet besides the AP brief. (Normally we don't post this stuff, but it's getting submitted a lot, and it is kinda a big deal). Lends more credibility to the disposable credit card concept.

7 of 246 comments

  1. Re:Oh, the things I've seen by beacon · · Score: 5
    Indeed so. I recently worked on a very large (>$1m) project for a multinational client, with a significant ecom component, where:

    • The sysadmin had never heard of apache
    • I and several other developers had full root access to the production environment
    • The oracle manager account was system/manager

    and various other nasties like that. In their defence, they never stored credit card numbers. But nonetheless, I couldn't believe it. IMHO, this all comes from ambitious young new media execs who know nothing about technology being given far too much money to throw around. They hire people who are good at BSing and dressing up their CVs, and they end up missing out the itsy little technical details, like getting a sysadmin who knows what routing is.

    Just for fun, let me say that first bullet point again: "the sysadmin had never heard of apache".

  2. This should _never_ have happened! by CTalkobt · · Score: 5
    This should never have happened. With the proper safeguards - ie: having a 1 way cipher to the credit card data and then another machine not connected to the internet to process it; the accounts would merely be a jumble of characters and digits encoded.

    Any company that does business on the Internet without proper safeguards ( which is what it sounds like ... ) deserves to be sued.

    Granted, my view may change - because there is not enough information about how - but this has happened at other sites and it still amazes me.

    --
    There's a gorilla from Manilla who's a fella that stinks of vanilla and has salmonella.
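    The split CTalkobt describes in comment 2, as an added illustration that is not part of the original thread: the Internet-facing web tier holds only a public key, so what it stores is ciphertext it cannot reverse, and only the isolated processing machine, holding the private key, can recover the card number. Function names, the OAEP label and the test card number are constructed for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// oaepLabel ties each ciphertext to this one purpose (constructed value).
var oaepLabel = []byte("card-for-offline-processor")
// SealCard runs on the Internet-facing web tier, which holds only the public
// key; the ciphertext it stores cannot be reversed with anything on that host.
func SealCard(pub *rsa.PublicKey, cardNumber string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(cardNumber), oaepLabel)
}

// OpenCard runs only on the isolated processing machine holding the private
// key; it fails for anything not sealed to that key or with another label.
func OpenCard(priv *rsa.PrivateKey, sealed []byte) (string, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, sealed, oaepLabel)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// MaskCard is the only card-derived value the web tier keeps in clear text.
func MaskCard(cardNumber string) string {
	if len(cardNumber) < 4 {
		return "****"
	}
	return "**** **** **** " + cardNumber[len(cardNumber)-4:]
}

func main() {
	// Demo only: in practice the key pair is generated on the processing
	// machine and only the public half is copied to the web tier.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	card := "4111111111111111" // constructed test number, not a real account
	sealed, err := SealCard(&priv.PublicKey, card)
	if err != nil {
		panic(err)
	}
	fmt.Printf("web tier stores %s and %d bytes of ciphertext\n", MaskCard(card), len(sealed))
	opened, err := OpenCard(priv, sealed)
	fmt.Println("offline processor recovered:", opened, err)
}
```

    A compromise of the web host and its database therefore yields only masked numbers and ciphertext; the private key never exists on a connected machine.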
  3. A Clue About Security by 1alpha7 · · Score: 5

    Lends more credibility to the disposable credit card concept.

    Please. It lends more credibility to the concept that big corps still don't have a clue. Technology security (unlike physical) is not a place to save a few bucks by hiring a few minimum security wanna-be rent-a-drunks. Plus it lends more strength to the idea that money cards, anonymous, variable in value, and secure, desperately need to be implemented, whether Big Brother likes it or not.

    1Alpha7

    --
    Live to be Moderated
  4. c|net's article by Speare · · Score: 5

    c|net's article has a little more information about the hack.

    It was unclear whether the hackers obtained any personal account information. No fraudulent transactions had been reported by late yesterday [...] Only Web site users who conducted online transactions would have been affected. Company officials were using email, letters and phone messages to alert between 10,000 and 20,000 consumers to cancel their credit or debit cards and get new ones.

    --
    [ .sig file not found ]
  5. Oh, the things I've seen by SuiteSisterMary · · Score: 5

    I used to work as developer support for a web application development product. This often involved doing work directly on a customer's site. If I had a nickel for every time I asked for the login/password for an e-commerce related database, and it was the admin login with either a null password, or a default, I'd have a shitload of nickels. And if I also had a nickel for each time the database was installed on a computer completely exposed to the Internet, instead of, say, being installed behind a firewall, with possibly only the database access ports tunneled through (and only accepted from the IP of the web machine), or better yet, having both the web and database machines behind the firewall, and requests to the web machine being forwarded through, well, I'd have an even bigger shitload of nickels. Picking up SQL Server for Dummies or O'Reilly's Oracle In a Nutshell does NOT an e-commerce ready database make.

    --
    Vintage computer games and RPG books available. Email me if you're interested.
  6. suuuuuuuuuuuuure by kirwin · · Score: 5
    The problem was discovered during a routine security check Friday, he said.

    If their security checks are so routine, then why did this happen?

    [root@solstice /root]# telnet westernunion.com 80
    Trying 208.244.136.46...
    Connected to westernunion.com.
    Escape character is '^]'.
    get /
    HTTP/1.1 501 Not Supported
    Server: Microsoft-IIS/4.0

    Oh, I see now.

  7. liability? by legLess · · Score: 5

    Speaking from experience, it's a major pain in the ass to cancel a credit/debit card and get a new one, not to mention trying to figure out how to live without one for a week. (Heck, I buy coffee in the morning with my debit card.) Never mind the nightmare of straightening out the false charges with your bank.

    So is Western Union liable for this time/expense/pain in the ass? Should you have an expectation, visiting an e-commerce site of some sort, that your CC# will be kept private against the ravages of crackers?

    If someone with a mask and gun steals a bag full of CC receipts from Sears, then uses the numbers, is Sears at all liable for their misuse? Should they be? How does this change for e-commerce stores? You can't really stop someone coming into your store with a gun and robbing you, but you can take much better precautions against someone hacking your site like this.

    I see both sides of this - as an admin and a CC user. Should we have a zero-tolerance law? No mistakes, no excuses - the store that got hacked should just pay up, whatever its customers' expenses are? Honestly, I lean towards "yes." There have been enough public cracks in the last year to encourage even the most brain-dead (heh: "westernunion.com is running Microsoft-IIS/4.0 on NT4 or Windows 98" - NetCraft) to really secure their stores and databases.

    If you can't secure it, don't connect it to the web.

    --
    This isn't as much "normalization" as it is "don't take so many drugs when you're designing tables."