Slashdot Mirror


Credit Card Database Stolen -- 4 Months Ago

jeffw writes: "Once again a Russian cracker got into an online credit card database and attempted to extort money from the company. MSNBC has the details. Previous incidents were covered on Slashdot here and here. This time it was the appropriately named CreditCards.com, a credit card processing service for merchants. You would probably expect to be notified by one of the processors, the card issuer or the merchant, but in this case victims have to notice the fraudulent charges themselves and contact their card issuer. Hmm, CreditCards.com. I'm sure no cracker would ever think of that as a juicy target. Why not name your company FreeMoneyForCrackers.com instead?"

59 of 156 comments

  1. Credit Cards R Us ... by Black+Parrot · · Score: 2

    ...has now become creditcards.rus

    --
    Sheesh, evil *and* a jerk. -- Jade
  2. In Related News... by Cheshire+Cat · · Score: 2

    I found this press release by CreditCards.com from earlier this year. To summarize, "CreditCards.com is pleased to partner with CueCat to provide security to our database. We have been deeply impressed with CueCat's unbreakable Base64 encoding scheme. Rest assured that your financial information is now secure."

    --

    Last night I shot an elephant in my pajamas. How he got in my pajamas I'll never know.
  3. not any more by L-Train8 · · Score: 2

    They seem to have taken down their list of affiliates. Perhaps too many people were complaining to their customers. Another bold security step by Creditcards.com.

    If nobody knows which original merchant is responsible for leaking their credit card, nobody can complain (except to creditcards.com, who doesn't do business with the individual customer anyway). Of course, no one can check to see if they did business with one of Creditcard.com's customers and therefore might have a compromised number.

    Not only were they careless with the data and refused to notify people after their info was compromised, they are actively trying to prevent people from finding out if they were victimised by Creditcard.com's incompetence. How slimy can they get?

    --

    Don't forget that Friday is Hawaiian shirt day.
  4. Obligatory bashing by frankie · · Score: 2

    From Netcraft: The site creditcards.com runs Microsoft-IIS/4.0 on NT4/Windows 98.

    I wonder if their CTO (aka their MCSE) threw all the CC#s into an Access database on their one big server (also running Exchange)? Just kidding... I hope.

  5. Paymentech.. by Thomas+Charron · · Score: 2

    I'm waiting to hear someone's cracked into Paymentech. They are one of the largest payment processors out there, including billing for AOL.

    And it's bound to happen. They're ripe for the pickings, really. Nearly all of the credit card processors are so insecure it's mind boggling.

    --
    -- I'm the root of all that's evil, but you can call me cookie..
  6. Re:My question is this.. by elenchos · · Score: 4

    You wonder why the ones you hear about after they get caught always seem so dumb? It is because if they were not so dumb, then they would not get caught, and then you would never have heard of them. Often they got caught by bragging about how 31337 they are. You can continue this logic to make the mystical connection with the fact that people who brag about themselves all the time are really idiots, and that in prison you can find many idiots bragging about how smart they are. There are numerous corollaries and converses to this, but they are too obvious to mention.



  7. Security through obscurity, anyone? by Antaeus+Feldspar · · Score: 4

    I don't pretend to know how the cracker got the credit card numbers from CreditCards.com. But judging from the way they've chosen to handle the problem, I'm not surprised they could be ripped off in the first place; they have all the earmarks of a company that still believes security through obscurity is their best approach.

    In all honesty, this is a disturbing attitude that we seem to be seeing more and more from companies: the customer is no longer regarded as someone to be served with enlightened self-interest, so as to reap rewards. It's much easier instead to enter into near-conspiratorial relations with other companies; to regard the other company, the one with the large pre-existing legal team, as the entity who has to be kept happy -- and regard the customer with ill-concealed loathing, as the one who makes your 'job' of pleasing your partner company that much harder.

    From this perspective, it seems downright logical to let people's credit cards be compromised and not tell them -- it's only important to please the merchants who want to take credit cards, not the people whose credit cards they are! And what are the chances that poor service to cardholders would ever result in them losing those merchant contracts? Not good enough to make them really care, it seems.

    --
    If people are to respect the law, perhaps the law should begin by respecting the people.
  8. Re:Not freemoneyforhackers.com by cynthetik · · Score: 5

    You can buy chips at Vegas casinos with credit cards and then return them for cash. That seems like money to me. I know that it works because someone racked up a $20 000 debt on a friend's card using that method. She only found out when the FBI called her. But then that was nasty American hackers ripping off poor Australians, so it never got reported ;)

    --
    .sig .sig .sputnik
  9. Re:Not freemoneyforhackers.com by mrzaph0d · · Score: 2

    a guy i know had his credit card number stolen. the thief charged a lot of office furniture and office supplies on it and had it all shipped to his (the thief's) new home office (he wasn't too bright, huh?). my friend called the credit card company when he got the charges and got them reversed. he then did a little research and got the address the furniture was sent to. he went to the location and saw the new stuff, verified that at least some of what was there was charged on his card, and then called the CC company to tell them he found the guy who did this. he was told that it wasn't worth the trouble of going after the guy so they weren't going to do anything. no charges were filed. the stuff wasn't recovered.

    at least my friend didn't end up paying for it, but i wonder, if they did prosecute more often on even little things (when they have proof of course), would this lower the amount of this type of fraud? and would i be living in a dream world to hope that this might lower those pesky interest rates and/or fees we all love to see?

    "Leave the gun, take the cannoli."

    --
    this is just a placeholder till i send back my real sig from the future.
  10. Re:Ohhhh, I've got a good domain by cecil36 · · Score: 2

    I checked WHOIS, and it's available. Better register it and put a Linux box up serving a page stating that a secure windows server is only a dream.

  11. Re:Merchants should use common sense by tbo · · Score: 4

    Configure your payment system to do realtime auth so you don't need to batch cc numbers for later capture. Thus the cc number lives on your site for only a few seconds.

    If your system is cracked, what's to stop Mr. 1337 hAx0r from putting a sniffer or something like that on your network, then returning in a month to harvest the many credit card numbers? Sure, it's slightly more work for them, in that they have to make two visits instead of one, but any script kiddie can install a root kit to cover his tracks in just a few minutes.

    The whole idea of using credit card numbers for online transactions is flawed. Why not have the purchaser write a "digital cheque" and sign it with his private key? The merchant could then present the cheque to a bank to verify that funds were available. Voila! Now, even unscrupulous merchants can't rip you off.

  12. Those 3 extra numbers by joe170 · · Score: 2
    Are supposed to be printed on the back of the card. The vendor is supposed to store them only as long as needed to authorize the purchase, then discard, regardless of what they do with the rest of the number. Use is voluntary on the vendor's part, and I doubt there's any formal process in place to make sure they aren't being saved, negating their usefulness.

    In countless online transactions in the past year or two, I've only been asked for those digits once, by a company that only produces accounting software, a huge fraud target, I am sure!

  13. Re:Almost 100% correct... by schon · · Score: 2

    During that time, it's stored *somewhere*, right?

    Wrong. It's sent directly to the CC company... but even if you (incorrectly) decided to store it anyway:

    1. Sale is approved. You inform the customer and delete the CC#.
    2. Sale is declined. You inform the customer and delete the CC#.

    In either case, you gained nothing by deciding to store the CC# (even temporarily)

    when you go later to settle on the card and collect your $, you will need the CC# along with the authorization # to transmit to the clearinghouse.

    No, all you need is the authorization number to settle. If you haven't settled within a week (because you haven't shipped the goods), the authorization is cancelled by the bank.

    It doesn't matter if you keep the records around for minutes or years, someone with the right skills and opportunity (i.e. your underpaid DBA) can get through.

    Huh?!?!?!? You're saying that you can't trust your employees, so you should just throw all security precautions to the wind? That would fly really well..

    "Well, John, we can't trust our employees, so let's not spend the money on the safe, let's just keep all our money in the filing cabinet."

    Having criminals as employees is completely irrelevant to your arguments. (Or, perhaps you could explain how keeping credit card numbers will somehow negate the fact that employees can't be trusted?)

    I repeat again: You do not NEED to store credit card numbers.

  14. Re:This is why you should NEVER use debit cards. by mbadolato · · Score: 2

    Wrong. Debit cards that sport the Visa or MC logo have the exact same protection as do "regular" credit cards.

    Why do people use them? Because it's a hell of a lot better to give someone your card to pay $9.00 for something, and only spend that $9, than to take a $20 out at the ATM every time, and blow it simply for the fact that there's extra cash in your pocket.

    Plus, it's a great way to track where you've been spending your money, since you get an itemized statement every month. You don't get that with cash.

    My bank immediately put a freeze on the charge I was disputing, and within 2 weeks, reversed the charge, just like any credit card company would do.

  15. Re:The real question here... by Stultsinator · · Score: 2
    A lot of posts have been saying "Why store the number in the first place?" Well, the number can be scrapped in only the best of cases where the item actually ships when it is ordered. Often, however, the item won't ship immediately (real time) or it becomes backordered. In each of these cases (where the initial authorization expires) the online merchant would have to call the customer back to have them read their card number back to them so that they can do a new authorization (and phone calls are MUCH more expensive than email.)

    So in most cases the card needs to be stored in order to meet customer expectations. Yes, the thing HAS to be encrypted, and yes, the whole friggin database needs to be behind another firewall so that only the webservers and call center can touch it. However, contacting the customer at every point in the transaction (pre-auth, auth, ship, return) is out of the question.

    There is also the matter of reporting. Many online merchants are applying a few rules to prefilter out troublesome accounts (such as accounts that have too many chargebacks) because online retailers (unlike brick and mortar) are charged higher premiums for such things by banks. In these cases they run a script against the report that the bank provides and the only real way to match that up with an account is by card number.

    I agree though, that after a couple of months the number can be scrubbed. This would keep the number of vulnerable card numbers down to a minimum. I don't work for a .com anymore so some other keyboard jockey is gonna have to do this :)

  16. Any way to find out who was compromised? by Psychopomp · · Score: 2

    I had a credit card with one of their affiliates (a list of partners is linked from the MSNBC article). Is there any way of finding out whether my card was taken?

    1. Re:Any way to find out who was compromised? by abhinavnath · · Score: 2

      Check your credit card bills. Talk to the bank, and most importantly creditcards.com. If you're lucky, they might actually tell you.

      My 94 paisa

      --
      My other sig is also a .Porsche
  17. That's the big problem by CritterNYC · · Score: 3

    I just read a good article on this online... I knew I should have bookmarked it. Anyway, the problem with credit cards flying around is huge. Expedia lost about US$5 million to fraud this year... knocking out 1/3 of their profits. The credit card companies have had NO real incentive to stop it. Whether the charge goes through or not, Visa/Mastercard (the duopoly) gets their cut. They make a percentage on a successful sale, and they get a $40 chargeback fee from the merchant on a contested one. The merchants are screwed, where else can they go? They need to let people pay online, right?

    American Express has extra numbers on the card... Visa and Mastercard are going to start using them, too... so what? 3 extra numbers for hackers to pluck out of ripe databases. And our current smart cards?? HA. All they do, so far, is enter your billing information for you. Real secure.

    The bottom line is... this problem won't go away until we change the way credit cards work... most likely to a true smart card, like many of us have used with external corporate accounts. Then knowing a credit card number won't get you anything.

  18. list of creditcards.com affiliates by Socializing+Agent · · Score: 3
    Most /. readers need not fear -- the list of creditcards.com affiliates reads like a veritable "Who's not who" of "e-tailing". (The full list is available at their site.)

    The list includes such e-nobodies as "iKnowledge", "eCashier", "SpyGate", and the "Christian Concert Authority." And those are the more plausible-sounding of the bunch...

    1. Re:list of creditcards.com affiliates by Legion303 · · Score: 2
      "Christian Concert Authority."

      I knew I shouldn't have bought those Amy Grant tickets online. Damn you, God, damn yoooooouuuuuuuu!

      -Legion

  19. Re:Russians? by H*rus · · Score: 2

    Yeah, that's right. In fact: Mir was just an abandoned alien warehouse in space, which the Russians cracked too.

    --

    - if you love something, set it free; if it doesn't come back, hunt it down and kill it
  20. Ka-Ching! by davidu · · Score: 2

    ::Their old slogan from the site
    CreditCards.com
    We make your business go -- Ka-Chingg!
    ::Their new slogan for the site
    CreditCards.com
    We make crackers go -- Ka-Chingg!

    -Davidu
    --

    # Hack the planet, it's important.
  21. Re:Merchants should use common sense by Adam+Wiggins · · Score: 2

    I don't think I ever claimed that slashdot actually used the practices mentioned on their site :)

  22. Re:Almost made me turn off my Front Page server! by iso · · Score: 2

    you IT "cerebral" types are a real pain in the ass. let me ask you something, have you ever tried marketing? have you ever tried to get an MBA?

    here's a clue for you: Marketing is not a joke. it's actually real work, it's not trivial, and it's required to sell a product or service. at a technical company, the lines of communication between Engineering and Marketing must be open, and trusting. your IT superiority complex doesn't help things either, and it has been my experience (having worked in both Engineering and Marketing) that it's usually the Engineering or IT side of the equation that doesn't put in the effort to try.

    Marketing people are instantly labeled "clueless" or "afraid of technology" or "phoney" by the IT staff. they make no effort to try to understand why Marketing is important and why it's essential to communicate with Marketing. in most cases, bad Marketing is a direct result of IT or Engineering personnel's inability to communicate effectively. sometimes that's due to the inadequacies of the people in Engineering (ie, they're not good communicators) but more often it's a result of silly and childish attitudes such as the one you've displayed on the part of IT.

    grab a clue: you need Marketing just as much as you need IT and Engineering!

    there are always bad Marketers, just as there are bad Engineers, but in my experience "bad Marketers" are usually a result of "immature Engineers."

    but back on topic: what makes you think that this cracking was a result of Marketing not conveying IT's security interests to upper management? did you think for just one second that it might just be the clueless IT worker who's running an insecure Windows NT webserver?

    - j

  23. Re:System design flaw... by trog · · Score: 2
    Heck, a simple socket that takes in a request and returns a success or failure isn't all THAT hard. neither is a quick java-based twofish implementation (i'm assuming the cc were in cleartext).

    If the cc exist in a database, then anyone who can query the database can get the cards, meaning if the system is compromised, all bets are off.

    blowfish (or any other symmetric algorithm, for that matter) is absolutely useless in this case, as the key (which is used for both encryption and decryption) must be stored on the machine hosting the database. If the machine is compromised, the cracker can easily get the key, making the crypto as useful as storing the cc numbers plaintext. The only way to do this properly is to use ElGamal or RSA, along with padding generated by a PRNG to prevent known-plaintext attacks.

    Using an asymmetric algorithm, if the database is compromised, you have successfully protected all previous cards (that is, if the private key does not exist on the system; all plaintext cc processing should occur offline). You do have to worry about future cards being snarfed, but you address this with other security measures, not crypto.

    When dealing with credit cards, always assume that the machine that the database is on CAN be cracked, then work hard to prevent this from happening.

  24. The real question here... by pen · · Score: 4
    The real question here is what the hell was the company doing storing a database of these cards in the first place? Isn't their job only to check if it is valid and then charge it? I can understand keeping the cards for a short time until payment is received and confirmed, but after then...

    The article even mentions that the company had "test numbers" in the database. Am I the only one who thinks that those were left in there from the days the code was being developed because no one bothered to clean up the database?

    Oh yeah, and these numbers are sold for a couple of dollars a piece in Russia. No joke.

    --

  25. duh by White+Shadow · · Score: 2
    "Why not name your company FreeMoneyForCrackers.com instead?"
    Because everyone knows that crackers crack sites for fun and intellectual enlightenment, not money. (Likewise, people who encrypt their data have nothing to hide, they just want the extra security. And people who use Napster are trying to spread music from new artists, not trade copyrighted music.)

  26. Re:It's nice to know ... by Gendou · · Score: 2
    We could also go back to using that crazy alternative OS...

    Unix, I think it is...

  27. Squeaky Wheel by SEWilco · · Score: 2

    We only hear about problems. We don't hear when things work correctly. We also don't know how many people do actually rattle doorknobs at Amazon, much less how many Amazon stomps on while it continues working.

  28. Re:i care by JeffL · · Score: 5

    OK, here is the message in all its glory. I have changed MY information in the header, but have left all sender information as I received it. I also had to change a bit of the formatting to get around /.'s lameness junk character filter. The words of the text are untouched.

    Return-Path: chad@microsoft.com
    Delivery-Date: Mon Dec 11 15:08:14 2000
    Return-Path:
    Received: from mybigserver.my.domain (mybigserver.my.domain [10.0.0.1])
    by mymail.my.domain (8.9.1a/8.9.1/FOO-3.0s) with ESMTP id PAA365001
    for ; Mon, 11 Dec 2000 15:08:14 -0700 (MST)
    From: chad@microsoft.com
    Received: from eb.com ([146.101.3.203])
    by mybigserver.my.domain (8.10.1/8.10.1/FooBar+Hesiod (MyConfig)) with SMTP id eBBM8GJ15524
    for ; Mon, 11 Dec 2000 15:08:16 -0700 (MST)
    Message-Id:
    Received: from blu01650-4-1 [127.0.0.1] by eb.com [127.0.0.1] with SMTP (MDaemon.v2.7.SP5.R) for ; Mon, 11 Dec 2000 22:02:44 +0000
    Date: Mon, 11 Dec 2000 22:02:44 +0000
    Subject: HOT NEWS 11 DECEMBER 2000, HACKERS GOT INTO CREDITCARDS.COM !!!
    To: me+myvendorid@my.domain
    X-Mailer: WinNT's Blat ver 1.8.2b http://www.interlog.com/~tcharron
    X-MDaemon-Deliver-To: me+myvendorid@my.domain
    X-Return-Path: chad@microsoft.com

    Dear Customers of CREDITCARDS.COM,

    Security score rating: -100

    Go there to read the STORY about creditcards.com !!!

    http://venus.njcc.com/ccs/index.html
    http://www.givit.com/content/ccs/index.html
    http://203.29.170.11/ccs/index.html

    We represent a group of experts trying to save you from companies, which
    do not care about their clients. For your attention we have
    designed the "Never trust companies" list.

    Any simple hacker can get into Creditcards.com where your confident information stored.

    We was contacted with President (Michael Butts) of CreditCards.com, and
    they was say us " We don't care about information and about customers"

    Today is the special time for every Internet user, e-commerce is still growing
    and competitors are fighting each other to win your attention, your loyalty
    and as the result your money.
    But not all the companies are ready to offer their clients best service,
    they trying to get you through low prices, quick delivery, etc., while is
    it so important for you?

    Basically what are you doing when you buy something via Internet?
    You let somebody into your personal finances.
    Till no completely secure way of transferring the confidential information
    invented, the number one priority for each and every online company is
    to secure transaction and to hide information about their clients.

    Who knows, may be your partner or your online discount shop is one of them.

    We are glad to provide you with this information; we want you to use secure
    online resources and most important those who care about you.

    Kind Regards,

    _____

    Today TOP Unsecure Company :

    Name Specification Security Score*
    Name Specification Security Score*

    CreditCards.com Credit card Processing network - 100

    Security Score:
    -100 - no security
    1 - simple security
    100 - Very good security (firewalls + Crypt of confident information in database.)

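An added example, not part of JeffL's post, that reads the header block above the way an analyst would: the From: and Return-Path: lines are whatever the sender typed, while each relay prepends its own Received: line, so the chain read bottom-up shows where the message actually entered the mail system. The sample below is constructed from the headers quoted in the post (the poster's placeholders kept, the emptied fields dropped); the Go code and its parsing rules are mine and assume nothing beyond Go's standard net/mail package.

```go
package main

import (
	"fmt"
	"net/mail"
	"regexp"
	"strings"
)

// Constructed sample: the header block quoted in the post above, with the
// recipient's placeholders kept as the poster wrote them and the fields the
// poster emptied out left away. Continuation lines are folded RFC-822 style.
const sample = `Return-Path: chad@microsoft.com
Received: from mybigserver.my.domain (mybigserver.my.domain [10.0.0.1])
    by mymail.my.domain (8.9.1a/8.9.1/FOO-3.0s) with ESMTP id PAA365001
    for <me@my.domain>; Mon, 11 Dec 2000 15:08:14 -0700 (MST)
From: chad@microsoft.com
Received: from eb.com ([146.101.3.203])
    by mybigserver.my.domain (8.10.1/8.10.1/FooBar+Hesiod (MyConfig)) with SMTP id eBBM8GJ15524
    for <me@my.domain>; Mon, 11 Dec 2000 15:08:16 -0700 (MST)
Received: from blu01650-4-1 [127.0.0.1] by eb.com [127.0.0.1] with SMTP (MDaemon.v2.7.SP5.R) for <me@my.domain>; Mon, 11 Dec 2000 22:02:44 +0000
Date: Mon, 11 Dec 2000 22:02:44 +0000
Subject: HOT NEWS 11 DECEMBER 2000, HACKERS GOT INTO CREDITCARDS.COM !!!
To: me+myvendorid@my.domain
X-Mailer: WinNT's Blat ver 1.8.2b http://www.interlog.com/~tcharron

Dear Customers of CREDITCARDS.COM,
`

var (
	// "from <host> ... by <host>": the two hostnames every relay stamps.
	receivedRe = regexp.MustCompile(`(?i)^from\s+(\S+)(.*?)\bby\s+(\S+)`)
	ipRe       = regexp.MustCompile(`\d{1,3}(?:\.\d{1,3}){3}`)
)

// Hop is one Received: line: who handed the message to whom.
type Hop struct{ From, IP, By string }

// Finding is what the analyst wants to compare side by side.
type Finding struct {
	ClaimedDomain string // domain in the sender-controlled From: header
	Hops          []Hop  // in transit order, origin first
	OriginIP      string // address the first relay says it received from
	InjectingHost string // first relay that stamped a Received: line
	DomainInChain bool   // does the claimed domain appear in the relay chain?
	Mailer        string // X-Mailer, if present
}

func inDomain(host, domain string) bool {
	host = strings.ToLower(host)
	return host == domain || strings.HasSuffix(host, "."+domain)
}

// Analyze parses the headers and reconstructs the relay chain.
func Analyze(raw string) (Finding, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return Finding{}, err
	}
	addrs, err := msg.Header.AddressList("From")
	if err != nil || len(addrs) == 0 {
		return Finding{}, fmt.Errorf("no parsable From: header: %v", err)
	}
	at := strings.LastIndex(addrs[0].Address, "@")
	if at < 0 {
		return Finding{}, fmt.Errorf("From: address has no domain")
	}
	f := Finding{
		ClaimedDomain: strings.ToLower(addrs[0].Address[at+1:]),
		Mailer:        msg.Header.Get("X-Mailer"),
	}
	// Each relay prepends its Received: line, so the last one in the
	// message is the first hop the mail actually took.
	recv := msg.Header["Received"]
	for i := len(recv) - 1; i >= 0; i-- {
		m := receivedRe.FindStringSubmatch(recv[i])
		if m == nil {
			continue
		}
		f.Hops = append(f.Hops, Hop{From: m[1], IP: ipRe.FindString(m[2]), By: m[3]})
	}
	if len(f.Hops) == 0 {
		return f, fmt.Errorf("no parsable Received: lines")
	}
	f.OriginIP = f.Hops[0].IP
	f.InjectingHost = f.Hops[0].By
	for _, h := range f.Hops {
		if inDomain(h.From, f.ClaimedDomain) || inDomain(h.By, f.ClaimedDomain) {
			f.DomainInChain = true
		}
	}
	return f, nil
}

func main() {
	f, err := Analyze(sample)
	if err != nil {
		panic(err)
	}
	fmt.Println("From: claims", f.ClaimedDomain, "| X-Mailer:", f.Mailer)
	for i, h := range f.Hops {
		fmt.Printf("hop %d: %s [%s] -> %s\n", i+1, h.From, h.IP, h.By)
	}
	fmt.Printf("injected at %s from %s; claimed domain seen in relay chain: %v\n",
		f.InjectingHost, f.OriginIP, f.DomainInChain)
}
```

On this sample the earliest hop is blu01650-4-1 [127.0.0.1] handing the message to eb.com's MDaemon over loopback, i.e. the mail was submitted on eb.com itself; microsoft.com appears nowhere in the relay chain, only in the sender-controlled From: and Return-Path: lines; and the X-Mailer names Blat, a command-line mailer. The one Received: line an analyst can rely on is the one stamped by their own server (here mymail.my.domain), since everything below it was written by machines the sender may control.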
  29. name could be worse for attracting crackers... by Barbarian · · Score: 3

    It could be creditcardz.com.

  30. Re:This should happen more often, actually. by Kultamarja · · Score: 5
    > "These secure methods have been developed years ago, and are still not being used on a wide scale."

    Yeah sure - in the glorious US of A. You again seem to forget that there is a place called "the rest of the world" which is technologically more advanced and actually DOES use these highly secure technologies.

    I can do 1024b RSA signatures from all of my various cell phones (or sigs with longer keys for that matter, if needed). And I can pay for things with 'em too. All the major banks here use secure payment methods instead of lousy age old credit cards. I don't have to use one single unsecure method for paying anymore if I don't feel like it.

    All I'm saying is that: it's really up to you. If you want things to change in the US, then bloody change them! it's not any harder than that. YOU are the customer and it's your right to demand things. Start demanding, and keep demanding until they deliver.

    .kultis

  31. Almost made me turn off my Front Page server! by tulare · · Score: 2

    But seriously, there needs to be more analysis of what causes companies to make such obvious mistakes when it comes to security. It's very easy for all of us to sit back and say. "well, what kind of idiot would keep credit card numbers in a networked database?" Indeed. But take a look at the typical business model, which is even more screwed up where it comes to .com startups:
    you've got your IT professionals, some of whom may or may not know what they're doing, but who are mostly competent. But, nine times out of ten, they are not the people who run the show. Instead, marketers make big decisions side-by-side with accountants. Not to say that it's not a good idea to promote your business, or keep on top of the books, but look at the typical scenario - the IT or IS manager comes forward and says something to the effect of, "Look, we have a serious security situation here, and if we don't spend the money it takes to fix it right now, we MIGHT get hacked." Now the marketer, who is generally insecure around the IT person (who, after all, can connect all those scary looking wires and make the computers go), is thinking that the money would be better spent on a big campaign to attract investors. Since these cracking incidents are really flash-in-the-pan news events, the marketer doesn't have a clear sense that the risk is real. The accountant is more impressed by the charismatic marketer than by the somewhat cerebral IT person, and is further swayed by some financial need or another. Thus, the decision is all too often a pat on the head to the IT department, and some paternalistic garbage about "all of us doing the best we can under the circumstances," while the crackers gleefully move on.

    While I can't claim to be familiar with the corporate perspective within creditcard.com, I personally find it very hard to believe that anybody who can write more than two lines of code would have been happy with the security situation that must have existed for the crackhead to get all those credit card numbers. More likely, it was a situation of all the money going to fancy-looking animated gifs(Ka Ching!), while the IT department was starved to a point of needing to scramble just to keep the servers running. A brief look around the creditcard.com website tends to bear this out: a lot of pretty pictures, but not much substance.

    --
    political_news.c: warning: comparison is always true due to limited range of data type
  32. Re:Merchants should use common sense by pen · · Score: 3
    There is an even better solution to this problem, which doesn't require any changes on the part of the merchant. American Express is already implementing it, AFAIK. What is this wonderful system? Disposable credit card numbers.

    Everything is already computerized, so this merely adds a few more DB queries. You phone (or go to their website) AmEx and ask for one. They issue a disposable credit card number with a set credit limit that will become invalid after the first use.

    --

  33. Re:Merchants should use common sense by segmond · · Score: 2

    if Mr 1337 h4x0r!#$ got in, putting a sniffer on your network should mean nothing, because all your transaction should be encrypted. If he is smart enough to perform man in the middle attack to ssl and your other transactions, then you're F'd.

    digital cheque is overrated, how many slashdotters use pgp, gpg? try to tell my mother to use that, credit card numbers for online transactions is not flawed, it is the weak implementations of infrastructures and security around them that is flawed.

    --
    ------ Curiosity killed the cat. {satisfaction brought it back | it didn't die ignorant | lack of it is killing mankind
  34. Re:i care by segmond · · Score: 2

    lie, you no write that message, your english not broken like mine, i am the real slim^H^H^H^H h4x0r4!#$

    --
    ------ Curiosity killed the cat. {satisfaction brought it back | it didn't die ignorant | lack of it is killing mankind
  35. Re:System design flaw... by WNight · · Score: 2

    Well, you could encrypt the CCs on one machine and just pass the encrypted string to the DB server... There's no reason why the DB server needs to know what the real CC # is, it just needs to keep it with the order info long enough to do all the proper processing.

    And, not as a reply directly to you...

    CC.com didn't need to keep the credit cards, they only do verification, the merchant can send a new transaction each time they need (to check during ordering, and to charge at shipping). This way there isn't one big master DB with all the numbers, CC.com would hang onto the #s only long enough to process the order. The CC never needs to get stored on a HD at any point, if CC.com crashes and they lose the numbers they're processing, the merchant just resends the transaction after the timeout.

    This means you have to trust your merchant, but I'd prefer this. It means smaller DBs (less tempting for crackers) and a well defined chain of trust. If I shop at Amazon, I should only need to trust Amazon, not three or four back-end companies that I've never heard of.

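An added example, not code from either post, illustrating the scheme trog (comment 23) and WNight (comment 35) describe: the tier that takes the order encrypts the card number under a public key and hands the database only ciphertext, while the matching private key lives on a separate settlement host. It is written in Go with the standard library's RSA-OAEP; the in-process key generation standing in for a key ceremony, the sample number 4111111111111111 and the 13-to-19 digit length check are assumptions made for the illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// oaepLabel ties ciphertexts to this one use (card numbers); it is not secret.
var oaepLabel = []byte("card-number-v1")

// StoredCard is all the database ever holds: the card number only as
// ciphertext under the settlement host's public key, plus the last four
// digits in clear so support staff can find an order.
type StoredCard struct {
	LastFour   string
	Ciphertext []byte
}

// GenerateSettlementKey stands in for the key ceremony (assumption). In
// deployment the private key is generated on the offline settlement host
// and never leaves it; only the public half is copied to the order tier.
func GenerateSettlementKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptPAN runs on the tier that receives the card and needs only the
// public key. OAEP mixes fresh random bytes into every encryption, so the
// same number encrypted twice gives two unrelated ciphertexts and a stolen
// table cannot be matched against a list of known numbers.
func EncryptPAN(pub *rsa.PublicKey, pan string) (StoredCard, error) {
	if len(pan) < 13 || len(pan) > 19 { // assumed plausible PAN lengths
		return StoredCard{}, errors.New("card number has an implausible length")
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(pan), oaepLabel)
	if err != nil {
		return StoredCard{}, err
	}
	return StoredCard{LastFour: pan[len(pan)-4:], Ciphertext: ct}, nil
}

// DecryptPAN runs only on the settlement host, the one machine holding the
// private key. The database and web servers cannot perform this step, so
// compromising them yields ciphertext and nothing else. A modified
// ciphertext fails the OAEP check and returns an error, not garbage.
func DecryptPAN(priv *rsa.PrivateKey, rec StoredCard) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, rec.Ciphertext, oaepLabel)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	priv, err := GenerateSettlementKey()
	if err != nil {
		panic(err)
	}
	const pan = "4111111111111111" // constructed sample, not a real account
	a, _ := EncryptPAN(&priv.PublicKey, pan)
	b, _ := EncryptPAN(&priv.PublicKey, pan)
	fmt.Printf("database row: ...%s, %d bytes of ciphertext\n", a.LastFour, len(a.Ciphertext))
	fmt.Println("same number, same ciphertext?", string(a.Ciphertext) == string(b.Ciphertext))
	recovered, err := DecryptPAN(priv, a)
	fmt.Println("settlement host recovers:", recovered, err)
}
```

OAEP's random padding is the "padding generated by a PRNG" trog asks for: an attacker who dumps the table cannot test a guessed number by encrypting it and comparing. The caveat from the same post still stands, and the code does nothing about it: a machine that sees the number before EncryptPAN runs sees it in clear, so this protects what is already stored, not what is arriving.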
  36. Obscurity and serving customers. by Eric+Green · · Score: 2
    "The customer is no longer regarded as someone to be served with enlightened self-interest, so as to reap rewards. It's much easier instead to enter into near-conspiratorial relations with other companies"

    This is not only credit card processors. This is almost everybody. For example, UUNET, back before they were bought out, used to have a status page at 'nic.uu.net' where you could see the status of service outages. A few years ago they removed that page unless you're a UUNET customer. Problem: My ISP is a UUNET customer, and they have a service outage. Easiest thing to do is (from another Internet provider) go to the UUNET site and see whether it's a UUNET problem or a local ISP problem, and if it's a UUNET problem, when it'll be fixed. Noooo... UUNET no longer allows mere mortals to view such information. Even from my ISP, UUNET says "you gotta be a direct UUNET customer to view this page". Fuck the consumer. Fuck the poor slob sysadmin trying to figure out why his packets aren't getting from point A to point B (it'd sure be nice to see that the route C between point A and point B is flapping and that UUNET knows about it). The marketdroids rule, and the marketdroids say that ordinary people don't need to see that kind of data because ordinary people don't pay the bills.

    That's just one example. The world is full of them.

    -E

    --
    Send mail here if you want to reach me.
  37. Re:Not freemoneyforhackers.com by Wansu · · Score: 2


    What is being discussed here is part of the Truth in Lending act. Chargebacks were set up as a protection for the consumer. Without them, credit cards might never have caught on. No one could foresee the problems which would eventually surface with online transactions because the internet didn't exist then. Get rid of chargebacks and people will not want to use credit cards.

    --
    Wansu, th' chinese sailor
  38. Re:Merchants should use common sense by tbo · · Score: 2

    With disposable credit cards, you have to go to the bank/AmEx, get the number, then go back to the store... Too much trouble. Also, the store can still rip you off for the difference between the cost of the item, and the credit limit.

    If Digital Cheques were integrated into browsers, it would be as easy or easier for customers than credit cards are now.

  39. Not all engineers are clueless about marketing by Eric+Green · · Score: 2
    My problem is when I know more about the product and its market and how to target that market than the Marketing Department does. *THAT* is when I start grumbling about "clueless marketing".

    Lazy marketing types are quick to grumble about mumbling engineers etc. But some of us engineers *DO* know marketing -- and get rather infuriated when the marketing types decide to go golfing rather than learn about their product, competing products, the marketplace that their product is to be sold into, and how to reach that marketplace given the product that they have. For some reason, ex-used-car-salesmen who've been jumped up to Marketing seem to think they can sell a complex piece of computer software the same way they sell soap -- i.e., with hype, sex, and tv commercials. And they get upset when us engineers start talking to them about marketing stuff, "go teach grandma to suck eggs" being a typical response.

    Not my current company's marketing department -- they're quite eager to hear anything I have to say about the marketplace and how our product line fits into it (though as a perfectionist I sometimes get frustrated with the follow-through, but that's life). Prior to one presentation I was advised by both co-workers and by the project manager to eliminate some of the marketing materials ("they know this stuff", "they'll be insulted by an engineer trying to tell them about marketing stuff", etc). I didn't. Marketing ate it up. But that's very much an exception.

    Regarding IT considerations and marketing: I've received pressure in the past to cut corners due to marketing reasons. My general response is, "Having that software for Comdex will do us no good if it gets us a poor reputation for having buggy software," then talk about goodwill and how valuable it is (especially on our balance sheet!). But undoubtedly there are many IT types who do not have that kind of clout.

    -E

    --
    Send mail here if you want to reach me.
  40. Re:Merchants should use common sense by eXtro · · Score: 2
    DiscoverCard has started this as well. It uses Java (or maybe it was JavaScript) which I would rather it didn't, but I like the idea. I would rather log into a web site and be able to pull a number and credit limit.

    I've got a problem with all of these solutions though. They don't address the underlying problems. Creditcards.com showed a complete lack of competence and even a complete lack of accountability. It took FOUR MONTHS for them to go public and they had the audacity to say that customers' credit cards weren't compromised.

    Let me get this straight: an unknown third party might have my credit card information but it isn't compromised? I'm sorry, but at this point the COO, Michael Butts, should be brought up on charges of criminal negligence and if he maintains this stance in court, perjury and contempt of court as well.

    This company deserves to go under, nothing less. They were in a position where due diligence said they should operate in a certain manner (such as having no physical connection between the database of credit card numbers and the internet at all - or better yet - no database of credit card numbers) and they didn't.

    I'm not excusing the cracker, he should be punished as well, but this company (and the bank that owns it) should go under. They aren't competent to operate in the banking industry.

  41. Yeah honey... by DanThe1Man · · Score: 5

    Yeah honey, it was a Russian Cracker that charged all those porn sites on our credit cards, yea... that's it.

  42. My point exactly. by Eric+Green · · Score: 2
    "you're definitely qualified to tell other people how to do their jobs because hey, you're the magical IT" being the response I receive from most Marketing types.

    A few hints: we may be in IT, but that doesn't mean we're clueless about Marketing. Some of us have 10 or more years experience in this industry, second degrees in Business Administration or even (gasp!) MBA's, etc., and choose to do IT because we like building stuff rather than selling stuff. That doesn't make us automatically unqualified to comment upon market focus and appropriate venues for reaching sub-markets and so forth!

    -E

    --
    Send mail here if you want to reach me.
  43. Russians? by clinko · · Score: 4

    No wonder Russians are good at cracking things. The writing has those crazy cryptic backwards letters. They're already 1 step ahead of us.

    Silly Russians.

  44. Not freemoneyforhackers.com by www.sorehands.com · · Score: 3
    You don't get free money from stolen credit cards.

    If you get stolen credit card information, you get free stuff sent to you. You might be able to get people to pay you for the free stuff, but it's not directly cash.

    For those who wonder how I know: Someone got my card number, from paper. I found out, when I got a call from Home Shopping Club trying to sell me an extended warranty for my new radar detector. My response was, "What new radar detector?"

    The credit card company took the charges off, but beyond that, they didn't care about prosecuting the individual. The merchants had to foot the bill.

    1. Re:Not freemoneyforhackers.com by The+Dodger · · Score: 3

      he went to the location and saw the new stuff, verified that at least some of what was there was charged on his card

      If I were him, I'd have taken the furniture. What's the guy gonna do - call the police? "Sorry officer, but this furniture belongs to me - look, here's the entry on my credit card bill." Hell, he could probably get a copy of the receipt from the company.

      Relatively pointless, but enjoyable. Also less likely to land you in jail than taking a baseball bat to the fucker. :-)


      D.

  45. the HACKER notified.. by perdida · · Score: 2

    From the article:

    "The victim who originally contacted MSNBC, Michael Sayres, called the company this week to complain and was surprised that it had no intention of contacting customers.
    "It was explained to me that I would need to contact my credit card company and cancel my card," Sayres said. "It appears they have no responsibility with this problem."
    Sayres received the e-mail from the hacker on Monday afternoon and spent Tuesday on the phone with CreditCard.com and American Express, complaining about the way the situation has been handled. "What's amazing is I didn't hear about it from CreditCard.com. I heard about it from the hacker," he said.

    The hacker was trying to extort and notify at the same time? Maybe s/he called the customers in order to prove to Creditcard.com that they were serious. Or is there more than 1 person at work?

    On another note, paypal.com insures your deposits to 100K just like FDIC (tho it is a money market account, not FDIC). Is there some plan for an anti-hacker "insurance" scheme for b2b and consumer credit card users online?

  46. Poor social skills by Eric+Green · · Score: 2
    Note that it's impossible for people to change how their brain is wired. I am quite capable of communicating complex ideas in a clear manner. I will never, however, be the kind of butt-licking schmoozer ex-used-car-salesman who ends up with upper management twisted around my little pinkie giving me everything I want or need for my job. That's incompatible with how I'm wired. That's also why I can be a good project or team leader, but would not accept a job as CIO or IT director -- it's incompatible with my wiring, and I'm not going to put myself into that kind of situation again.

    This has very little to do with "leadership abilities", by the way. There are many different styles of leadership, and not all of them require that you be Mr. Used Car Salesman. They do, however, all require goal setting, effective communication of goals, and a meeting of minds with those you work with, as well as (gasp) initiative and drive (you can't lead from the rear!).

    -E

    --
    Send mail here if you want to reach me.
  47. Re:What the f**k? by radja · · Score: 2

    >If you're leaving the window of your car rolled down on a busy street and someone keeps on stealing your stereo, do you think your insurance company will keep paying out forever?

    They won't pay in the first place. Not the first time, let alone the next ones.

    //rdj

    --

    No one can understand the truth until he drinks of coffee's frothy goodness.
    --Sheikh Abd-Al-Kadir, 1587
  48. Re:This should happen more often, actually. by The+Dodger · · Score: 2

    It would be pretty easy to encrypt them using a cookie that's stored on my browser. [...] It's time to move towards a more cryptographically secure way of making payments.

    Well, just as long as you're not the one designing the system...

    Having strong crypto or good technology is only one part of the equation when it comes to a payments system. The organisational aspect has to be addressed as well, along with issues of liability, non-repudiation, infrastructure, etc.

    Take PayPal as an example. I've heard (well, read) PayPal's praises sung by Americans I communicate with on the 'Net, some of whom (who really should know better) even said that it's safer than using a credit card online. From the technical point of view, that might be the case, but as an overall payments system, it's not perfect.

    The main problem is that most techies know fuck all about the realities of doing business, and most business people know fuck all about the realities of implementing technology.

    Anyone can have a good idea. It's making it happen that counts. That's the difference between boo.com and Amazon.com

    Financial stuff isn't easy or straightforward and I can say this with authority, because I work for one of the biggest banks in the world, doing ecommerce stuff. But, if you don't believe me, take a look at what happened to Digicash and First Virtual.


    D.

  49. System design flaw... by sporty · · Score: 2
    The design should be to accept all information about charging a card (card number, name, merchant id, etc.) and only data coming out should be a success or a failure. How the database was made accessible is a mystery to me, but allowing the database records to be pulled en masse is just a flaw in design.

    Repeat after me. DB's and their backend processes should be firewalled and limited. Heck, a simple socket that takes in a request and returns a success or failure isn't all THAT hard.
    -s

    ---

    --

    -
    ping -f 255.255.255.255 # if only
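    The request/response backend sporty describes, written out as an added example (this is not code from the thread or from any processor): the front end gets exactly one verb, "authorize", over a socket, and the only thing that comes back is approved or declined. There is no verb that returns a card number, so a compromised web tier has nothing to pull. The processor decision, the card numbers and the loopback port are all constructed for the demo.

```python
"""Added example: an authorize-only card backend behind a socket.
The front end can ask one question and gets a yes/no answer; no request
shape exists that hands card data back out. Processor behaviour is a
constructed stand-in, not a real acquirer link."""
import json
import socket
import threading

ALLOWED_OPS = {"authorize"}          # the only verb the backend implements


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test on a card number given as digits only."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:               # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def fake_processor(pan: str, amount_cents: int) -> bool:
    """Constructed stand-in for the acquirer: approve a Luhn-valid card
    for any amount up to an arbitrary limit."""
    return luhn_ok(pan) and 0 < amount_cents <= 500_000


def handle_request(raw: bytes) -> bytes:
    """Serve one request. The reply never carries a card number."""
    try:
        req = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return b'{"result": "declined", "reason": "malformed"}'
    if not isinstance(req, dict) or req.get("op") not in ALLOWED_OPS:
        # "dump", "lookup", "export" ... simply do not exist here
        return b'{"result": "declined", "reason": "unknown operation"}'
    pan = str(req.get("pan", ""))
    try:
        amount = int(req.get("amount_cents", 0))
    except (TypeError, ValueError):
        return b'{"result": "declined", "reason": "bad amount"}'
    approved = fake_processor(pan, amount)
    del pan                           # the number is not kept past this call
    return json.dumps({"result": "approved" if approved else "declined"}).encode("utf-8")


def serve_once(listener: socket.socket) -> None:
    """Accept one connection, answer it, hang up."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(handle_request(conn.recv(4096)))


def ask_backend(addr, request: dict) -> dict:
    """What the web tier does: send a request, read the one-word answer."""
    with socket.create_connection(addr) as s:
        s.sendall(json.dumps(request).encode("utf-8"))
        return json.loads(s.recv(4096).decode("utf-8"))


def demo() -> list:
    """Run the backend on a loopback ephemeral port and send three requests:
    a valid card, a card with a bad check digit, and an attempt to dump."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    addr = listener.getsockname()
    requests = [
        {"op": "authorize", "pan": "4111111111111111", "amount_cents": 1999},
        {"op": "authorize", "pan": "4111111111111112", "amount_cents": 1999},
        {"op": "dump_all_cards"},
    ]
    results = []
    for req in requests:
        t = threading.Thread(target=serve_once, args=(listener,))
        t.start()
        results.append(ask_backend(addr, req)["result"])
        t.join()
    listener.close()
    return results


if __name__ == "__main__":
    print(demo())   # ['approved', 'declined', 'declined']
```

    The point is the shape of the interface, not the socket code: because the backend's request vocabulary has no read-out operation, "pulling the records en masse" is not a privilege the front end can lose, it is a feature that was never built.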

    1. Re:System design flaw... by trog · · Score: 2

      According to current (US) laws, the business has to keep a record of the cards, in the event of the charge being challenged, or fraud investigation. (At least, this is what was explained to me at work). If this is, in fact, the case, then the business has to hold onto the cc numbers (for 7 years, I believe, but I could be wrong.)

  50. Question by Fervent · · Score: 2

    OK, I've got a question. Why do these relatively low-level sites get hit while sites like Amazon go virtually untested? Better security through better paid employees (or software)?

    --

    - I don't care if they globalize against free speech. All my best free thoughts are done in my head.

  51. Re:Merchants should use common sense by Adam+Wiggins · · Score: 3

    Excellent advice. The most important thing, though, is just "ordinary" security - get a well-administered hosting service, or if you admin your own box, use all the good security practices you read about on slashdot, Security Focus, and so forth.

    I would also recommend a payment gateway that makes security a top priority. Obviously the merchants weren't at fault in the creditcards.com case; they could have all the security they wanted, and the database would still have been stolen from their payment processor.

    If I may be so bold, I can recommend a payment processor who makes security a top priority...

  52. Almost 100% correct... by schon · · Score: 2

    If you absolutely must store cc numbers, put them on a backend server behind a firewall.

    Nope, this part is wrong - it should read like this:

    "If someone in your company thinks you absolutely must store cc numbers, fire them. You absolutely do not, ever need to store credit card numbers."

    There is no reason (at all, EVER) for a merchant to store CC numbers. You don't need them to do returns, you don't need them for "one-click shopping" (if you think you do, you don't need to do one-click shopping), you don't need them.

    I don't care how much security you have (or think you have) if the data isn't there, you don't need to worry about it.

  53. I got e-mail by folks talking about this by JeffL · · Score: 4
    I got a (well) forged e-mail originating from Psinet UK, which in broken English informed me that it was from people looking out for my well being. They claimed to be targeting companies which "do not care about their clients."

    They mention creditcard.com specifically by name and give it a score of -100 for security (no security).

    Using my address tracking I could tell they sent me this e-mail using the address I gave to a merchant I used nearly a year ago. Of the 100s of online purchases I make a year, it looks like one of the few places where I made a personal purchase processed their information through creditcards.com. If it had been one of my many corporate purchases I wouldn't have cared too much, but I guess now I will have to go and change the number on the card I used.

    If people care, I can post the entire message.
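    The "address tracking" JeffL uses to work out which merchant leaked his address, as an added example (my code, not JeffL's): every merchant gets its own alias, and the alias carries a short HMAC tag so that when mail arrives it can be mapped back to the merchant it was handed to, while a guessed or edited alias verifies as "not one of ours". The domain, secret, merchant label and sample headers are all constructed.

```python
"""Added example: per-merchant e-mail aliases with an HMAC tag, so the
address a message arrives at tells you which merchant gave it away.
Domain, secret and sample data are constructed for the demo."""
import hashlib
import hmac
import re

DOMAIN = "example.com"            # constructed
SECRET = b"rotate-me-offline"     # constructed; lives with the mail filter, not in mail
TAG_LEN = 8                       # hex chars of HMAC kept in the address (32 bits)


def alias_for(merchant: str, secret: bytes = SECRET) -> str:
    """Address to hand to one merchant: shop+<label>.<tag>@DOMAIN."""
    label = merchant.lower()
    if not re.fullmatch(r"[a-z0-9-]{1,32}", label):
        raise ValueError("merchant label must match [a-z0-9-]{1,32}")
    tag = hmac.new(secret, label.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]
    return f"shop+{label}.{tag}@{DOMAIN}"


def merchant_from(address: str, secret: bytes = SECRET):
    """Recover the merchant label from an address we issued, or None when
    the address has the wrong shape or its tag does not verify."""
    pattern = r"shop\+([a-z0-9-]{1,32})\.([0-9a-f]{%d})@%s" % (TAG_LEN, re.escape(DOMAIN))
    m = re.fullmatch(pattern, address.strip().lower())
    if not m:
        return None
    label, tag = m.group(1), m.group(2)
    expect = hmac.new(secret, label.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]
    return label if hmac.compare_digest(tag, expect) else None


def attribute(raw_headers: str) -> str:
    """Given the header block of an incoming message, name the merchant
    whose alias it was sent to, or say that the address was never issued."""
    for line in raw_headers.splitlines():
        if line.lower().startswith("to:"):
            found = re.search(r"[\w.+-]+@[\w.-]+", line)
            if found:
                return merchant_from(found.group(0)) or "unissued-address"
    return "no-to-header"


if __name__ == "__main__":
    # constructed sample: mail turns up at the alias that only one shop was given
    sample = "From: someone@elsewhere.example\nTo: %s\nSubject: hi\n" % alias_for("radar-shop")
    print(attribute(sample))              # radar-shop
```

    The tag is what makes this more than a plus-suffix: a spammer who sees the alias format cannot mint addresses that attribute to a merchant of their choosing, and a typo in the label shows up as an unverified address rather than a false accusation.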

  54. This should happen more often, actually. by Arlet · · Score: 4

    Creditcards are by nature very unsafe, because their security depends on a single "public key" that's printed on the outside, and that's given out and stored by everyone that accepts payment with them. Moreover, they are handled in a very insecure way. Why do some on-line institutions insist on keeping their credit card database on a networked computer? Why do they insist on keeping the number anyway? I'd rather type it in every time it was used, and then have it thrown away after the transaction. And why do they apparently store them in clear text? It would be pretty easy to encrypt them using a cookie that's stored on my browser.

    It's time to move towards a more cryptographically secure way of making payments. These secure methods have been developed years ago, and are still not being used on a wide scale. As long as the costs associated with the occasional credit card theft aren't too high, the banks will not take action. So, it's good that things like this happen once in a while, since the banks will take most of the damage anyway (their biggest loss is probably loss of confidence by big consumer groups).

  55. Merchants should use common sense by Huusker · · Score: 5

    E-commerce merchants need to use common sense when dealing with credit card transactions.

    1. Never, ever, store credit card numbers in the web server. After getting the authorization code from the cc processor, scrub the number from memory. If you absolutely must store cc numbers, put them on a backend server behind a firewall.
    2. Hunt down and kill any debug log files in your payment software that may inadvertently record cc numbers. (This is what burned CDUniverse.com)
    3. Configure your payment system to do realtime auth so you don't need to batch cc numbers for later capture. Thus the cc number lives on your site for only a few seconds.
    4. Always use the Address Verification System (AVS) to verify the postal address against the cc.
    5. Always check ARIN/RIPE for the country of the IP address. Assume that any cc purchase attempts originating from East European countries are suspect. (Especially from St. Petersburg area of Russia, which are almost 100% fraudulent.)
    6. Set your site up to automatically ban users who try to spam your order system with bogus cc numbers or failed AVS checks.

    In addition to the above, do the usual security procedures that you would do for any secured site (e.g., do anti-virus checks, checksum system files, sweep for trojans, etc.)
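    Items 1 through 4 and 6 of the list, plus schon's "don't store the number at all", as one added example of a merchant checkout path (my code, not Huusker's, and not any real payment software): the card number is used for a single real-time authorization and then dropped; the order record keeps only the auth code and last four digits; everything the code logs passes through a redacting filter so a stray debug log cannot hold a full number; an AVS mismatch declines; and a client that keeps submitting bad cards or failing AVS is banned. The processor, the AVS data, the card numbers and the client IPs are constructed stand-ins. Item 5 (country of origin) is left out since it needs external registry data.

```python
"""Added example: merchant-side card handling that never persists a PAN.
Processor and AVS behaviour are constructed stand-ins for the demo."""
import logging
import re
from collections import defaultdict
from dataclasses import dataclass, field

MAX_FAILURES = 3                        # bad cards / AVS failures before a client is banned
PAN_RE = re.compile(r"\b\d{12,19}\b")   # any digit run shaped like a card number


def redact(text: str) -> str:
    """Replace every card-number-shaped digit run with stars plus the last four."""
    return PAN_RE.sub(lambda m: "*" * (len(m.group()) - 4) + m.group()[-4:], text)


class PanRedactor(logging.Filter):
    """Item 2: whatever gets logged, the log never holds a full card number."""
    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


log = logging.getLogger("checkout")
log.addFilter(PanRedactor())


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; rejects obvious junk before any processor call."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def processor_authorize(pan: str, amount_cents: int):
    """Item 3: constructed real-time auth. Returns an auth code or None."""
    if luhn_ok(pan) and amount_cents > 0:
        return "AUTH%06d" % (int(pan[-6:]) % 1_000_000)
    return None


# constructed AVS data: address the issuer has on file, keyed by last four for the demo
AVS_ON_FILE = {"1111": ("10001", "1 Main St")}


def avs_match(pan: str, postal: str, street: str) -> bool:
    """Item 4: the address given at checkout must match the issuer's record."""
    return AVS_ON_FILE.get(pan[-4:]) == (postal, street)


@dataclass
class Checkout:
    failures: dict = field(default_factory=lambda: defaultdict(int))
    banned: set = field(default_factory=set)
    orders: list = field(default_factory=list)   # auth code + last four, never the PAN

    def place_order(self, client_ip, pan, amount_cents, postal, street):
        if client_ip in self.banned:
            return {"ok": False, "reason": "banned"}
        pan = re.sub(r"\D", "", pan)                  # strip spaces and dashes
        auth = None
        if luhn_ok(pan) and avs_match(pan, postal, street):
            auth = processor_authorize(pan, amount_cents)
        if auth is None:
            self.failures[client_ip] += 1
            log.warning("declined card %s from %s", pan, client_ip)   # lands redacted
            if self.failures[client_ip] >= MAX_FAILURES:
                self.banned.add(client_ip)                            # item 6
            return {"ok": False, "reason": "declined"}
        # item 1: keep what a refund or dispute needs (auth code, last four), drop the number
        self.orders.append({"auth": auth, "last4": pan[-4:], "amount_cents": amount_cents})
        del pan
        return {"ok": True, "auth": auth}


if __name__ == "__main__":
    shop = Checkout()
    print(shop.place_order("203.0.113.5", "4111 1111 1111 1111", 1999, "10001", "1 Main St"))
    print(shop.orders)            # [{'auth': 'AUTH111111', 'last4': '1111', 'amount_cents': 1999}]
```

    Returns and disputes work off the authorization code and the processor's own reference, which is why the order record above can get by with last four digits; the number itself exists in this process for the duration of one function call.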