Slashdot Mirror


Caveat Emptor: Egghead.com Credit Records Nabbed

Voorshwa and at least a dozen others wrote with this news: "Found this one over on ZDNet.com news. Turns out the security over at Egghead wasn't very good. Losing 3.1 million credit card numbers has got to put a damper on a lot of Christmas cheer!! Wish these big companies would learn a little ..." No yoke. It's too bad that this kind of theft will probably scare people away from online purchases even when it's a database that's cracked rather than their transactions. Reader insmod points to coverage at MSNBC as well which mentions that Egghead was not the only site hit this holiday season.

164 comments

  1. strict legal data protections are needed by q000921 · · Score: 2

    It is for this and many other reasons that companies should be prohibited from keeping personal information beyond the immediate transaction between the consumer and the company. It's the law in the EU, and it should be the law here.

  2. I worked for egghead until a month ago by Jeff+Knox · · Score: 2

    I am a former employee of egghead. I was let go because I downloaded a remote admin tool, so I could connect to my home windows boxen. I also had putty to ssh into my linux boxes. They found those tools to be "hacker tools" so they let me go. The entire IT security team consists of two people. Everret and Ben, they are two 20-something-year-old punk asses who lack a basic knowledge of computer security. Egghead security consists of daily virus checks of the work stations and a firewall. THAT'S ALL. Because I am young, they automatically assumed I was a hacker and a risk to security, when I got a job there doing Ecommerce Analyst work at my young age. Young does not equal hacker. I still was never given a reason as to why I was fired, except that if the media found out I had remote admin tools on my workstations it could be bad publicity for the company. Now this comes along; I'm surprised I haven't been blamed for this attempt. Unfortunately, if they would have hired me on as IT security like I wanted to be in the first place, this would never have happened. :P

    --
    Jeff Knox
    1. Re:I worked for egghead until a month ago by xscarecrowx · · Score: 1

      Dude, don't be so sure you won't get looked into.
      A lot of things like this can come from former employees who were let go and might have grievances, and might know a thing or two about computer security or how things were running in the office.
      This just adds to the stack of things I'm mad at Egghead about, including my $35 RAM that never got shipped....

    2. Re:I worked for egghead until a month ago by xscarecrowx · · Score: 1

      Oh, and another thing: if the system really was compromised and the FBI gets involved, the first thing they are gonna ask for is a list of employees who have come/gone in the last 6 mo/1 yr.

    3. Re:I worked for egghead until a month ago by Jeff+Knox · · Score: 1

      Fine with me. I have nothing to hide, because I didn't do it. But anyway, the RAM thing, dude, that was a typo. The company is not legally responsible for a typo and does have the right to cancel the order. It is not false advertising. I may not like Egghead, but they were right to cancel it. Why should they suffer millions of dollars in loss (when they don't have the money, look at the stock price) because of a typo, to make a few customers happy? That's just silly.

      --
      Jeff Knox
  3. Re:This cries out for one-time use credit card num by alecto · · Score: 1

    It does answer the question--the refund, if needed, is made to the one-time number, which is linked to your account in AMEX's database. More detailed explanation is farther down in the FAQ, but I thought you'd get it from that.

  4. Who cares by ch-chuck · · Score: 2

    All I wanted to know was: credit cards stolen, yep, they're using Microsoft. This is the exact same type of image mongering, fud slinging, guilt by association that Msft mktng would gleefully use to smear any competitor, so I've no qualms whatsoever whenever something like this shows up in the public prints that puts a big fat egg pie in their face. Tit for tat, bubba.

    --
    try { do() || do_not(); } catch (JediException err) { yoda(err); }
  5. Re:Blame by gimpboy · · Score: 1

    i would tend to agree with you. it will depend on how they got in really. if they broke in due to a poorly maintained server, then i would equate the crime to the manager of nordstroms leaving the keys in the front door... sure the crackers are criminals and should be blamed, but the manager should be fired.

    as much as i dislike ms, they cannot be held responsible for mismanagement of their software. if the software was faulty (ie there was a bug and they didn't notify their customers), then hopefully they will be held responsible (although their eula probably absolves them of that). when the eula bails them out the IT person who made the decision to go with ms should be smacked around with a stick....

    but it's really too early to lay any blame on anyone but the crackers...

    use LaTeX? want an online reference manager that

    --
    -- john
  6. Re:Any idea what part was cr/hacked? by lrollins · · Score: 1

    No I don't work for Egghead in Vancouver. I've had a couple of people that are either employed or contract over there apply for openings we've had. I've worked on 3k's since the mid 80's, great machines. I also looked at ecometry very briefly, it just doesn't fit our business well.

    Part of the reason I believe it's a hole in the firewall is that I control the one in our office. I run it in paranoid mode. Some people in the office don't like it. If there are legitimate business reasons I will open things up, it's just not going to be a free for all.

  7. Merchant Accountability by booch · · Score: 2

    If MC and Visa aren't already doing it, I would expect them to start including a clause in their merchant contracts (which allow merchants to process credit cards) that if the merchant has a large number of credit card numbers stolen, the merchant will have to pay some sort of damages.

    --
    Software sucks. Open Source sucks less.
  8. Re:IIS is known to have had many security flaws. by proberts · · Score: 2

    Since it's my quote, I'll defend against the FUD charge...

    It's a fact that most reported Web Site compromises for Microsoft sites happen via IIS. It's also a fact that most of those are RDS. It's another fact that the last significantly visible break-in was reported as the Unicode ../ bug.

    The quote is definitely based on currently available information. It's also got a greater than 75% likelihood of being the true vector of attack. FWIW, we also called the Microsoft vector of attack correctly about two days before MS figured it out.

    I challenge you to take the top 6 IIS exploits and run scans against your ~60 NT sites and report the results. If they're not all virtual servers, I'd bet you'll find at least 30% of them vulnerable to one form of attack or other.

    Given the initial information circulating in the press and in the community, I blamed the attack on incompetent administration. While IIS has more holes per pound than Apache, it's trivial to make any Web server vulnerable, and I was careful to state that it didn't matter *what* server you were running (and Rob quoted that at the very end of the article, so it was obviously clear to him that my intent was to ensure that he understood that the likelihood of the attack being due to poor administration was fairly high.)

    If you design sites where the DB is on the same server as IIS, you'd better get down off that high horse, you bear some culpability for poor design practices.

    Paul

    --
    http://www.pauldrobertson.com
  9. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  10. AMEX? I'd rather be in the pan than in the fire! by phillymjs · · Score: 2

    AMEX isn't so great, either. I spent the better part of a year trying to get them to remove over US$12,000 in bogus balance transfers to my "Blue" account.

    These transfers were not authorized by me, were from accounts that didn't belong to me, and went through before I had received the card in the mail, or indeed even knew the account number.

    AMEX, when I finally rattled enough cages to get them to look into the matter, removed the charges as 'Fraud'. They refused to explain to me how this fraud occurred, without being subpoenaed. But you figure it out. It was either an inside job, or there was some hacking involved somewhere.

    They pissed me off so badly, I did up an entire website about their piss-poor customer service, and I got threatened by their lawyers over the domain name. The site has been down since the problem was finally fixed, but I just threw it back up into my webspace for anyone who's interested in reading it (there are a few things that need to be changed before I make it a permanent part of my forthcoming personal site).

    ~Philly

  11. Re:IIS is known to have had many security flaws. by banky · · Score: 3

    MS is the largest software company in the world. I just went to Borders tonight for some last-minute Xmas shopping. The store is FILLED with books on MS products, and many of them have large, reasonably comprehensive sections on security. There are probably millions of MCSE's and similar MS** professionals out there. The MS KB is FULL of articles on securing the machines. Bugtraq and NTBugtraq are likewise full of articles - good, technical ones - on security flaws, the NT/IIS security model, and security in general. All of these comments apply to Oracle, as well.

    Why can't they secure the fscking box, then?

    Personally, I believe that this is not a question based on the technical merits, rather, the social or cultural merits. These kinds of problems are, in the oh-so-eloquent words of my father, "dumb-boy shit".

    I don't think IIS is inherently insecure; I think the computing model promoted by Microsoft - that an accountant, secretary, or poorly-trained nobody can set up a fully functional e-biz site - is the inherent insecurity. That MS's "bring computing power to the masses" crusade is what's biting them on the ass.

    --
    ZOMG I WOULD LOVE TO KNOW ABOUT YOUR FEELINGS ON MACINTOSH VERSUS WINDOWS, VI VERSUS EMACS, AND HOW YOU'RE NOT A DORK
  12. Any idea what part was cr/hacked? by lrollins · · Score: 2

    The backend of the system is MACS or what's now called ecometry from Smith-Gardner. The main part of the system runs on an HP3000. Since until recently there wasn't a secure web server on the 3k they used NT/IIS to front end the system on the web.

    So was it actual access to the 3k?
    A problem with NT/IIS?
    A weakness in the S-G software?
    Bad home grown code on eggheads side?
    Poor security practices?

    The latter is my guess... it would be rather hard to get to the 3k if it was firewalled properly.

    By the way the Smith-Gardner software is fairly widely used... if you don't believe me take a look at http://www.ecometry.com/clients/cl_list.htm
    1. Re:Any idea what part was cr/hacked? by Jeff+Knox · · Score: 1

      I assume you work at Egghead? Or worked at Egghead like I did. Is the ecometry upgrade complete? They were supposed to have it finished mid-September, but we were still using ARC (custom-built software by OnSale.com, which Egghead inherited when they merged) in mid-November.

      --
      Jeff Knox
  13. Shouldn't EggHead be responsible? by evanbd · · Score: 3

    Shouldn't EggHead be held responsible for the loss of those CC#'s? As in, there were plenty of industry-accepted techniques for securing CC#'s that they didn't use. Shouldn't they be legally responsible for, at the very least, all costs to the credit card company of dealing with bogus charges and replacements on those cards? I really don't think the credit card company should have to pay. Suppose it costs $10 worth of time and resources to reprint a CC. That's thirty seven MILLION dollars that I really don't want to pay for in the form of interest rate hikes. I think the CC companies should file a lawsuit demanding recompense. Yes, it was bad luck that it happened to Egghead, but they were negligent. In the same sense that if I don't put a fence around my pool and some kid drowns in it, I am responsible because I was negligent. Perhaps that very direct cost to Egghead would help wake up the industry to this very real danger.

    1. Re:Shouldn't EggHead be responsible? by �nubis · · Score: 1

      The credit card companies should no longer allow Egghead to be a merchant for their cards. This would effectively put Egghead out of business. (However I'm sure Egghead would reach a settlement with the CC companies in order to keep their merchant status and stay alive. Also I'm sure there's some massive contract between Egghead and the CC companies that *might* prevent this.)

    2. Re:Shouldn't EggHead be responsible? by hideoclone · · Score: 1

      A hacker didn't stumble into the credit card database by mistake. A better analogy would be if some criminal drowned a kid in your unfenced pool - not your fault, though if you had a barbed wire fence it might not have happened. I think it would be an easy civil suit to defend against; they would just paint the stereotypical evil-genius "hacker" that everyone knows from the media -- the court would buy this. Then again, Egghead might settle out of court to avoid more bad PR. Either way their image will suffer: admit negligence or drag things on in a long court battle. Then there are the CC companies to consider (class action?). They don't want people to stop using credit cards on the net, so they will probably not take any action at all. All things considered it's best for everyone (excluding of course the public) to forget this incident.

  14. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  15. IIS is inherently insecure by bad-badtz-maru · · Score: 1

    =
    As a person who has developed literally hundreds of smaller- to mid-size e-commerce sites, it always astounds me to find the number of people who assume that IIS is inherently insecure.
    =

    As a person who administers scores of NT boxes that currently service over 500 domains in both a dedicated server and shared-hosting environment, I can assure you that IIS is "inherently" insecure. By this I mean that extraordinary steps are required to provide an acceptable level of security; security is not inherent in the software by any means.
    If you foolishly believe that IIS is secure, take a look at

    http://www.securityportal.com/list-archive/bugtraq/2000/Dec/0202.html

    and start from there, it's really just the tip of the iceberg. IIS has no suexec-type mechanism, so there is very little security flexibility and compartmentalization, as you can see from the content at the URL above it is even possible to execute ASP code in the SYSTEM context. Unless of course you have made manual registry changes to obscure keys. How exactly does that meet the "inherently secure" definition? It's not like it's just one issue, either. The software is plagued with poor design.
    While I am on a roll here, should I touch on the issues with the FTP service, since it is part of IIS? How about the fact that users can walk all over the directory tree because the software doesn't support the equivalent of chroot jailing? How about the fact that when frontpage extensions are installed on the web site and anonymous FTP is enabled, the _vti_pvt directories become warez repositories because the "everyone" user has read and write access to that directory? Some of the largest hosting facilities in the US, such as Interland, have been waiting for an answer from MS on that one.
    I had better stop now.

    badtz-maru

    1. Re:IIS is inherently insecure by bad-badtz-maru · · Score: 1

      =
      I agree that IIS is insecure, but I dont agree that it is fundamentally a bad model. IIS could be workable, but MS needs to get moving on it.
      =

      I agree with you.

      badtz-maru

  16. What, Me Worry? by Alien54 · · Score: 2
    ;-)

    1. I never shopped online there
    2. When I shopped at their old brick and mortar stores, the credit card I used then has long since expired, and I cancelled that credit card account.
    3. Any kiddie can find a script to generate fake numbers that pass the crc tests that they use.
    That being said, since I do shop online from time to time, you would expect that they could do better. That is a rather large amount of plastic.

    Maybe that is how Saddam Hussein is paying for all of those Sony PS2s

    --
    "It is a greater offense to steal men's labor, than their clothes"
  17. Re:Blame by GroundZero77 · · Score: 1

    I think the real problem is that most of the hacking that goes on in the US does not originate from the US. It's really hard for the US government to deter or prosecute hacking in other countries. Most of the hacking I have seen lately has originated in the former Soviet Union. By some Soviets, hacking is even encouraged ( http://www.infowar.com/hacker/99/hack_122199a_j.shtml ). I recently read somewhere that the US government has actually come out and tried to recruit hackers in the US, saying that they can't pay as much as hacking can provide, but that they have some really neat equipment. Egghead bears some responsibility, but I don't think they can be held totally responsible. New exploits are found all the time and it's kind of hard to release a patch to prevent an exploit, unless you know it exists. GroundZero

  18. Using IIS, no less. Hello, security? by tchristney · · Score: 2

    Is it any surprise that they are using MSIIS for their server? Or that the crackers almost certainly used a well-known exploit? Or that their server software probably did not have the most up to date patches installed?

    This doesn't even begin to address the issue that I (and apparently others that have commented above) feel that storing CC#'s after the transaction has finished is highly negligent. When you go to a restaurant, do they maintain a database with your CC# to speed up your next purchase? NO! If they did, there would be serious hell to pay. So why do e-tailers (god I hate e-words) feel that it is an acceptable practice? And then they have the nerve to wonder why people have little confidence in purchasing online. It's because we are not morons!!!

    Security is always less strong than its weakest link. It's about time that people start taking that fact seriously.

  19. MS rulz by jlrowe · · Score: 1
    Yet another quality site run on Microsoft software.

    My personal rule of internet purchasing: Go to Netcraft, figure out what software they are running, and if it is MS, it is not worth the risk to buy there.

    Analysis of www.egghead.com
    The site www.egghead.com runs Microsoft-IIS/4.0 on NT4/Windows 98

    1. Re:MS rulz by bobthemonkey13 · · Score: 1

      Which tire would be better: A. One that runs for a long time, with an occasional flat? B. One that pops every 4 miles, requiring you to fix it with a manufacturer-supplied patch? The point is that faulty software that is fixed continuously is still worse than software that is fairly secure in the first place. No, *nix (or any software) is not bulletproof. Yes, it does need to be patched. But the MS strategy of release now, patch later is not the best way.

    2. Re:MS rulz by tristan+f. · · Score: 1

      For the record, the system did not have all current patches installed. The exact same thing could have easily happened to the Unix/Linux/Other system of your choice, had it been run by similarly incompetent "professionals."

      --
      Hi, I'm a pretentious cock who will make some gay comment about ignoring AC posts here.
    3. Re:MS rulz by CodeMunch · · Score: 1
      As soon as they crack the web server, they can search for pwordz for the DB. You aren't cracking a DB if you have the pword.

      --Clay

    4. Re:MS rulz by jlrowe · · Score: 1
      Update: Cnet [http://news.cnet.com/news/0-1007-201-4245328-0.html?tag=pt.abc.tech..ne_4245328] notes that two others have been cracked in recent times, CD Universe and Creditcards.com. And all three lost creditcard info.

      These two and Egghead all run MS software.
      And Microsoft itself has been hacked recently.
      I know all about patches and all. But don't the facts point to a real security problem with Microsoft software???

    5. Re:MS rulz by jlrowe · · Score: 1
      No. I think I'll stand by my original assertion. Security at MS is, well, poor.
      Check this out.
      Microsoft goes ton up for security bugs in 2000 By: John Leyden
      Posted: 22/12/2000 at 17:50 GMT
      Microsoft has issued its 100th security notice for the year 2000, proving that its productivity in generating exploits for crackers to exploit has reached unprecedented heights.

      Fittingly, the problem concerns Internet Information Server, the number of exploits for which is a standing joke amongst many members of the security community.

      [...]

  20. Re:What type of databases were broken into? by Jeff+Knox · · Score: 2

    Its an Oracle database. I worked there, I know.

    --
    Jeff Knox
  21. Re:yeah my cc is one of them by jallen02 · · Score: 3

    BZZZZT

    You can store the transaction number which does not contain the CC number at all or a way to generally access the account AND just MAYBE the last 4 numbers of the card.

    I have written several e-com sites and dealt with cybercash and authorize.net... customers HAVE gotten their money back on purchases but we dont store credit cards plain and simple.

    And if you REALLY must store them, oh please oh please encrypt the damn things and store the private key EXTERNALLY. The simple version is you have to type the thing every time; typically we make the customer enter it in twice just for verification, because I personally have only worked with one site where we stored them (encrypted using a public key with private keys far from the net), which was only for bad cases or customer service; the process to retrieve a CC from the DB was pretty easy but still took human intervention.

    Overall if you're storing them as plain text you DESERVE to be hacked big time.

    That is just how it is

    Excuse the formatting of my post I just wanted to mention this, thanks.

    Jeremy

  22. This cries out for one-time use credit card number by alecto · · Score: 5

    This incident underscores the usefulness of one-time credit card numbers, such as those provided by American Express' Private Payments service. This service allows the cardholder to generate an account number for each transaction. So if that number is stolen from a merchant's database later, it's useless. This also comes in handy for preventing unauthorized billings from the same merchant later on.

  23. Simple solution to the credit card theft. by Restil · · Score: 2

    There are two ways you can spend money using your credit card. In meatspace, you hand a cashier your credit card, they run it through a machine, enter the amount to charge, it's deducted, and if they're smart, they'll ID you to confirm that it really IS your credit card, or at the very least, you have the same name as the cardholder. Then you sign the receipt.

    The other method is calling someone on the phone, or using the internet, reciting the credit card number and expiration date, giving some personal information and the charge goes through, no signature required, no problem until someone (hopefully YOU) gets the bill.

    Well, credit card companies, at the option of the cardholder, should be able to implement some type of confirmation scheme to prevent anyone with your credit card number from actually using it. For instance, if I provide my credit card to a company, I would then have to validate the transaction (by phone or web page) using information not provided to the merchant before the money would actually trade hands. For convenience, this could also be done in advance, or allow a certain merchant to always be authorized, so although that merchant could always charge the card, nobody else would be able to.

    Since the service would be an optional one for cardholders, it would not infringe on anyone's convenience if they're not willing to go through the extra effort to avoid having their card maxed out by someone ten thousand miles away. We have to assume that credit card numbers will get stolen and distributed. You can't rely on the security of some website or server to keep that information safe, as you have no control over that security.
    Perhaps I'm missing something obvious here, but this seems like a good idea to me.

    -Restil

    --
    Play with my webcams and lights here
    1. Re:Simple solution to the credit card theft. by Chagrin · · Score: 1

      The major credit card companies (Mastercard or Visa) charge the retailer 2% on every transaction - Discover and American Express probably charge even more. Although I'm sure that schemes similar to yours would probably work, the cost of implementing them would likely be higher than just accepting the costs of credit card fraud.

      --

      I/O Error G-17: Aborting Installation

  24. what do you do about your CC? by MicroBerto · · Score: 1
    the one thing i haven't seen answered is, what should I do if my card got stolen? Get rid of this one? Mommy's gonna be PISSED. :-(

    This is awful, 3.1 million! Wow. Please let me know what we should do, if its safe to use the same one (and monitor it well), or if that's a bad idea...

    Mike Roberto
    - GAIM: MicroBerto

    --
    Berto
  25. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  26. one-way encryption? by jcs · · Score: 2

    why do all these companies insist on storing credit cards in plain text, let alone storing them at all? is it really that hard for people to pull out their wallet and type in their card number each time they want to buy something?

    if these companies insist on storing credit cards on their servers, why not encrypt them? since just about every site that would store your credit card makes you login with a username and password, why not encrypt them with that account's password? this way if the security is compromised, they'd have to brute force every single account to get each one's credit card number. if you use a strong password on the system, you won't be subject to the site's lame security should their database get illegally accessed.

    1. Re:one-way encryption? by tweek · · Score: 1

      The real problem is why the fuck they are storing credit card info on publicly accessible servers? Even the most basic secure layout should have the database behind a router and a firewall that has restrictions and ACLs tighter than a nun's ass. That's what pisses me off the most.

      --
      "Fighting the underpants gnomes since 1998!" "Bruce Schneier knows the state of schroedinger's cat"
    2. Re:one-way encryption? by jcs · · Score: 1

      i doubt any of them have this information on a publicly accessible server. however, the web server has to be able to access the db server somehow, so an attack on the web server will yield access to the database server.

    3. Re:one-way encryption? by pod · · Score: 1
      Well, I fully agree if the CC is stored it should be for a limited time only and crypted. The problem is where do you get the key from? From the account password, hmm? And _where_ is that stored? Well, ok, that's a stupid question. What would _my_ scheme be? Save account password, hashed (MD5, whatever). Save live password in session space (actually stored in a db for large sites, but for anything not egghead/amazon-class server process memory suffices, it's only there for an hour). Use that password to crypt the cc info. Every time the user logs in compare the hashed passwords to authenticate, save plain text in a session and use to decrypt cc # when needed. Even better, the plain text password can be stored in a session cookie sent over SSL, right with a session id.

      I mean, really straight forward stuff, but it's scary how many people would be totally amazed how you can put a couple simple concepts together to get something working.

      --
      "Hot lesbian witches! It's fucking genius!"
  27. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  28. Re:search bugtraq by hammock · · Score: 1

    I may be an idiot, but the fact is that Microsoft would not allow that box to be cracked, secure or not. Unplugging the network cable is the most effective security as far as they were concerned.

    Sunday August 08, @05:29AM EDT
    % lynx www.windows2000test.com
    Looking up www.windows2000test.com first.
    Looking up www.windows2000test.com.
    Making HTTP connection to www.windows2000test.com.
    Alert!: Unable to connect to remote host.
    lynx: Can't access startfile http://www.windows2000test.com/
    47 %
    The windows2000test site is still not reachable.

    bash$ telnet www.windows2000test.com 80
    Trying 207.46.171.196...
    telnet: Unable to connect to remote host: Connection refused

    C:\WINDOWS>ping www.windows2000test.com
    Pinging www.windows2000test.com [207.46.171.196]
    with 32 bytes of data:

    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 207.46.171.196:
    Packets: Sent = 4, Received = 0, Lost = 4
    (100% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

  29. yeah my cc is one of them by x-empt · · Score: 4

    But why have they not contacted me? Email is an EASY way to contact customers, yet they haven't.

    They keep your CC# on file indefinitely, even if you have your account suspended. I honestly don't know why they keep your CC# in the databases?

    This is always the problem with all these sites that are broken into.

    Plus, for pete's sake.... deny (YES DENY) all select requests on the tables that contain cc#s... if your database can't deny SELECTs then you need a new DB server!

    --
    Ever need an online dictionary?
    1. Re:yeah my cc is one of them by coolgeek · · Score: 1

      OK then, why not ship the CC#'s out a serial port or USB to a computer that is not connected to any of your networks and store them there?

      --

      cat /dev/null >sig
    2. Re:yeah my cc is one of them by coolgeek · · Score: 1
      synchronously while the customer waits (ick!!!!!),

      Personally, the wait is never that long and I prefer the knowledge that my card was processed while placing the order rather than having to wait for an email to come whenever it does (like the next day).

      I like ecommerce sites that require me to re-enter my card (or give me the option to not store CC#) because I am confident that when (not if) their security measures are compromised, my CC# will not be given away. Additionally, it protects me from a different kind of fraud, the kind where someone I work with accesses my computer while I dash out for a cup of coffee or discovers my password to an ecommerce site and buys stuff they want.

      Your idea of a secondary ID code with the CC processor, where the processor keeps the credit card number, is a good balance between convenience and security, but still doesn't protect against someone masquerading as the buyer and simply redirecting shipments.

      I like the idea (haven't tried it) of AMEX's disposable credit card numbers.

      --

      cat /dev/null >sig
    3. Re:yeah my cc is one of them by elitaylor · · Score: 1

      Well, I got burned by this.

      I stopped to buy gas after church on Christmas Eve. My card got rejected at the pump, but I'd had that happen before due to the cold weather. I changed it to "Pay Inside". It was rejected inside as well, so I had to put it on another card.

      I got home, logged into my card's website to check and see if I could see any problems. My card was marked as "revoked", which panicked me.

      I called customer service and they explained the
      Egghead problem and said they had to close my account. Because of this, I have to get a new credit card. Normally, I wouldn't see it as that big of a problem, but since my ISP, my website's hosting company and other things automatically charge to this card, I'll have to contact them individually and transfer them to another card.

      Add all that to the fact that I'm out of town for the holidays, and I've got one mess to clean up.

      This sucks.

      Eli

    4. Re:yeah my cc is one of them by Fly · · Score: 1

      Jeremy corrected me above in that the card number usually is not needed. However, one case for which it is needed is when there is a partial shipment of an order, and the remainder must be reauthorized. Some (at least those with which I am familiar) only allow one charge per authorization, so the card number is needed to charge for the second part of the order.

      --
      end of line
    5. Re:yeah my cc is one of them by Fly · · Score: 2
      They need to keep your card number around for at least a while. If you are dealing with an online merchant, the merchant is not allowed to charge your card until items are shipped. However, the merchant will authorize your card immediately, or at least pretty quickly. In addition, the merchant may need to credit your account in the future for whatever reason. At any rate, the merchant needs to hold onto your card number for some time. Here's what typically happens:
      1. You check out for a new game on Tuesday.
      2. The merchant authorizes your card to make sure that it can charge the $43.64 that the game costs. Note that there is no charge yet, but the merchant has reserved $43.64 for it to take later when it ships the game to you.
      3. On Wednesday, the company ships the game to you.
      4. On Thursday, the warehouse updates the accounting system so that it knows the game has shipped.
      5. Thursday evening, the company charges the $43.64 that it reserved earlier during the card authorization.
      6. Monday comes, and you receive Virtual Barbie instead of Tom Braider. What's the difference? You tell me, but you wanted Tom Braider, so you call the company.
      7. Their customer service representatives apologize and promise to credit your account for the $43.64.
      8. Ten minutes later, the credit to your account is performed, and you don't have to give your card number again. Plus, the customer service rep never has to know your card number because it is already in the merchant's database, and access to the actual number is, hopefully, tightly controlled.
      The point is that the company needs your card to be able to process monies later. There is a point at which the liability of keeping card numbers exceeds the usefulness gained, and apparently many companies have chosen that time poorly. I imagine that those who do purge records from their main systems keep the card numbers for at least as long as they would typically provide a money-back return to the customer. Also note that online merchants are not the only ones who keep these records. All companies follow a similar process, but online companies always have their systems connected to the Internet in some way, which makes them more obvious targets.
      --
      end of line
    6. Re:yeah my cc is one of them by jallen02 · · Score: 1

      Mmmk, thanx.. That makes sense.

      Shouldn't these people still be encrypting with PKI infrastructure all of their credit card numbers?

      I'm not super familiar with credit cards and such, just my (obviously) limited view of things.. :-P Thanks for buzzing me back :-)

      Jeremy

  30. Re:IIS is known to have had many security flaws. by proberts · · Score: 2

    Encrypting data in a database that a server uses means that the server has to have the key. That lowers the value of the encryption. It also doesn't provide a good scale point- that doesn't mean it isn't a good thing, it means that it's not always a likely thing.

    There's been ongoing debate in the INFOSEC community and computing community at-large about the culpability of a vendor who knowingly fields bad software (the 32,000 known Win2k bugs fly immediately to mind)- in the automotive industry a manufacturer who knowingly fielded an unsafe product on such a scale would be sued into the poorhouse. Bridgestone/Firestone probably unknowingly fielded unsafe tires, and if they'd not done the recall, Congress and/or the court system would have stepped in because of the fact that they knew after the fact that the adhesive wasn't good and didn't rush to pull out the products until they had to. It's only the computer field that really hasn't felt the pain of product liability- licenses notwithstanding it's bound to get a legal precedent sooner or later.

    Like many others, I feel that eventually we'll see some manufacturer culpability, and I don't like the idea of it at all. I'm even more worried about its impact on free software. Though with free software the potential is probably less because you can pick what you use and fix it if it doesn't meet expectations, with commercial closed-source, the vendor picks when it hits the market and how it functions.

    The thing I have little tolerance at all for is the lack of responsibility being placed on the attacker. We should be vilifying the hell out of people who have the ultimate responsibility for producing badness and creating victims out of consumers regardless of the culpability of either manufacturers, retailers, administrators or anyone else in the chain. In a lot of states, if a motorist has a chance to avoid an accident and doesn't- regardless of their fault in creating the accident conditions, then they bear responsibility. We need to focus more on that responsibility on the behalf of attackers.

    On the DB thing:

    Typically, running the DB off the same box gives you the problem that the entire database is on the same likely to be compromised machine. So are the keys to the database, and that means that it's significantly easier for an attacker to grab all the cookies and go home to eat them. Also, SQL Server is its own nightmare of twisty waiting-to-be-exploited passages (as is Oracle for anyone out bias-hunting.)

    Happy Holidays,

    Paul

    --
    http://www.pauldrobertson.com
  31. Christmas Cheer (ot) by Proud+Geek · · Score: 1
    Err... exactly how is this Christmas cheer?

    I'm lucky enough not to be hit. I like to buy computer junk locally. I have had trouble with stuff, and it's easier to get service from a reputable local dealer who you can visit during lunch or after work. Better prices than the large chains, too. And the University Bookstore has all the good books and software that are hard to find otherwise.

    --

    Even Slashdot wants to hide some things

    1. Re:Christmas Cheer (ot) by atrowe · · Score: 2

      I'm sure the guys(or girls) with 3.7 million credit cards are pretty cheerful right about now.

      --

      -atrowe: Card-carrying Mensa member. I have no toleranse for stupidity.

    2. Re:Christmas Cheer (ot) by andyh1978 · · Score: 1
      I'm sure the guys(or girls) with 3.7 million credit cards are pretty cheerful right about now.
      3.7 million credit cards each?

      Actually, that's probably possible. The amount of junk (snail) mail that comes through the door, I could probably have applied for 3.7 million credit cards already.
  32. Re:respect? by mightbeadog · · Score: 1
    This does not sound like a troll to me.

    Maybe not a typical troll. Maybe more of a social hack, or a very sad sort of troll. Of course, I can't say 100% it isn't real, and this is somewhat a matter of gut feeling, but here's what seemed wrong to me:

    Yes, I've already posted this, but someone moderated it down and I just want to have people hear my message. Please don't moderate this down so others can hear me.

    If I had a week, I wouldn't waste any of it trying to get modded up. Express and move on. There's a lot to wrap up before I go.

    Hello, I'm a Linux kernel hacker.

    Hello, I'm the thing most respected in this forum.

    I just wanted to talk to the community one last time.

    Slashdot is mostly a user community.

    I'm uploading the latest versions of my code so they'll be out there before I'm gone.

    For a regular contributor, I think this would be too obvious to say, and "uploading the latest versions of my code" has too much of an aura around it, and uses only terms known to a user. Wrong jargon level.

    The reason I'm posting anonymously is I don't want people to find out about my illness over Slashdot. I want to spend my last remaining days with my family, not a bunch of people calling me and wishing me luck.

    Too much of a tease. Also, sounds like more of a sad fantasy.

    I get angry when people in the Linux community do stuff for themselves. A person may suggest a feature and people will say, "You got the source, go ahead and make it." Why not take the time to help that person if they have trouble? Maybe they'll learn and help you later, or maybe they don't have time to do it themselves (too much work, new baby, cancer).

    Some of this might be real. "Take the time to..." would have been believable. "I get angry when..." smells seriously fishy. No one with a high level of skill has time to answer everything on the net that they have the knowledge to answer. Also, teaching is its own reward. "Maybe they'll help you later" is bargaining from the POV of the side asking for help.

    Ugly guess: "I'm pissed someone else won't build what I want, so I'll die of cancer."

    Also, "do stuff for themselves" sounds totally wrong. Good programmers program "for themselves", ie. because it's fun.

    You'll probably see a small release about my death when it happens, maybe it'll be on Slashdot, maybe it won't.

    Didn't quite peg the bogometer, but this one got close. If he knows this is going to happen, there's absolutely no reason to say it here. Also, I don't think people say "when-I'm-gone"s when they're really dying. And who cares if it's on Slashdot?

    But a good message otherwise. Heck, I hope even trolls have a nice Christmas.

  33. It Was Santa by gnarly · · Score: 1

    Reason this comes under Christmas Cheer: FBI secretly suspects that the CCs were lifted by Santa whose normal Elven work force were all laid off, due to their jobs being shipped overseas under NPFTA (North Pole Free Trade Agreement). The only way he could fulfill his duty was to acquire 3 million CCs. 3 million x $5000 limit = $15 billion. Enough for him to buy a $5 toy from Etoys.com for every Christian child on earth.

    --
    :-( is a registered trademark of Despair.com
  34. Re:Christmas Cheer (extremely ot) by atrowe · · Score: 1

    I get a lot of those mailings too. I probably shouldn't be saying anything, but I got a VERY interesting piece of mail the other day. Now, I don't want to jinx it or anything, but according to the letter I received, I may already be a winner of 10 million dollars. I don't want to get my hopes up, because I don't think everything's been finalized, but the letter seemed pretty official. Imagine, out of all the people who must have entered the contest, they chose me as the finalist. I'm so excited.

    --

    -atrowe: Card-carrying Mensa member. I have no toleranse for stupidity.

  35. Can you really blame them? by mikeylebeau · · Score: 1

    Can you really blame them? Egghead just felt they had to give _something_ to crackers for Christmas!

    Actually, this somewhat concerns me too as my credit card was probably on file there.. Hopefully it's just an old expired one. :/

    -mikey

  36. Online transactions... by TWX_the_Linux_Zealot · · Score: 4

    "It's too bad that this kind of theft will probably scare people away from online purchases even when it's a database that's cracked rather than their transactions."

    It's even WORSE when databases are cracked! I can easily call my credit card company when I have a dispute over a charge or suspect my credit card is screwed, but if millions of card numbers are stolen, then millions of people have to deal with it. Credit card companies probably don't like having to notify or handle millions of irate customers with disputed charges, and probably don't like having to re-print new cards for all of these cardholders. This is really sad, that this was even able to happen, and that Egghead left the credit card numbers on their server. If they'd been backed up to another computer that only has a hard connection while the backup is in place, then this would be much more difficult.

    "Titanic was 3hr and 17min long. They could have lost 3hr and 17min from that."

    --

    IBM had PL/1, with syntax worse than JOSS,
    And everywhere the language went, it was a total loss...
  37. Why the bad security? by bellings · · Score: 2

    I don't get this. It would be technologically trivial for the merchant to forward the credit card number and account info off to the CC companies, and get back a big n-bit number, consisting of enough information for the CC company to identify the card and the merchant authorized to use the card. Then, the merchant could totally forget the CC number forever, and just use the ugly number it got back from the CC company for any future correspondence with the CC company.

    It's a long way from being a perfect system, but unlike other processes I could think of in the 30 seconds it took me to read the slashdot blurb, it wouldn't involve putting any additional software on the consumers machine, and it wouldn't involve any change in the habits of the consumer. And it wouldn't be painfully difficult to implement it for new e-commerce sites, and it wouldn't be particularly difficult to retrofit onto old e-commerce sites, either.

    Oh well -- it wouldn't be much harder to implement a much more secure system than I described (i.e., the merchant wouldn't know the CC number either), but it seems credit card numbers are generally considered "disposable" by now, anyhow. There is certainly no effort made by anyone to actually keep the silly things secret.

    --
    Slashdot is jumping the shark. I'm just driving the boat.
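The scheme bellings sketches in comment 37 is what Fly's authorize/capture/refund walkthrough (comment 5) and the partial-shipment case (comment 4) look like when the merchant holds a processor token instead of the card number. The following is an added example, not Egghead's code and not any real processor's API: `Processor`, `Merchant`, the `tok_`/`auth_`/`ord_` identifiers and the one-capture-per-authorization rule are all invented stand-ins. The processor side deliberately has no method that returns a PAN, which is the application-level form of the "deny SELECT on the card table" advice earlier in the thread; `pan_leaked` checks that the merchant's persisted state never contains the raw number.

```python
"""Card-on-file via a processor token instead of a stored PAN.

Added example: not Egghead's code and not any real processor's API; the
class and method names are invented stand-ins.  The merchant persists only
an opaque token, so a dump of its tables yields nothing chargeable
elsewhere, and the processor offers no call that returns a PAN.
"""
import secrets
from dataclasses import dataclass


@dataclass
class Authorization:
    token: str
    reserved: int        # cents held against the card
    captured: int = 0
    open: bool = True    # one capture per authorization, then it is spent


class Processor:
    """Stand-in for the acquirer/network side: holds PANs, never returns them."""

    def __init__(self) -> None:
        self._vault = {}     # token -> (pan, expiry); no reverse-lookup method exists
        self._auths = {}     # auth_id -> Authorization
        self.refunds = []    # (token, cents) credits issued

    def tokenize(self, pan: str, expiry: str) -> str:
        token = "tok_" + secrets.token_hex(16)   # unguessable, carries no card data
        self._vault[token] = (pan, expiry)
        return token

    def authorize(self, token: str, cents: int) -> str:
        if token not in self._vault:
            raise KeyError("unknown token")
        auth_id = "auth_" + secrets.token_hex(8)
        self._auths[auth_id] = Authorization(token, cents)
        return auth_id

    def capture(self, auth_id: str, cents: int) -> None:
        auth = self._auths[auth_id]
        if not auth.open:
            raise ValueError("authorization already captured")
        if cents > auth.reserved:
            raise ValueError("capture exceeds reserved amount")
        auth.captured, auth.open = cents, False

    def refund(self, auth_id: str, cents: int) -> None:
        auth = self._auths[auth_id]
        if cents > auth.captured:
            raise ValueError("refund exceeds captured amount")
        auth.captured -= cents
        self.refunds.append((auth.token, cents))


class Merchant:
    """Merchant side: stores tokens and authorization ids, never a PAN."""

    def __init__(self, processor: Processor) -> None:
        self.processor = processor
        self.cards_on_file = {}   # customer_id -> token
        self.orders = {}          # order_id -> {token, total, charged, auths, captures}

    def checkout(self, customer_id: str, cents: int, pan: str = "", expiry: str = "") -> str:
        """Reuse the token on file; otherwise tokenize and let the PAN go."""
        token = self.cards_on_file.get(customer_id)
        if token is None:
            if not (pan and expiry):
                raise ValueError("no card on file; card details required")
            token = self.processor.tokenize(pan, expiry)
            self.cards_on_file[customer_id] = token
        order_id = "ord_" + secrets.token_hex(4)
        self.orders[order_id] = {"token": token, "total": cents, "charged": 0,
                                 "auths": [self.processor.authorize(token, cents)],
                                 "captures": []}
        return order_id

    def ship(self, order_id: str, cents: int) -> int:
        """Capture what shipped; a partial shipment spends the authorization, so the
        balance is re-authorized with the token.  Returns cents still owed."""
        order = self.orders[order_id]
        auth_id = order["auths"][-1]
        self.processor.capture(auth_id, cents)
        order["captures"].append([auth_id, cents])
        order["charged"] += cents
        remaining = order["total"] - order["charged"]
        if remaining > 0:
            order["auths"].append(self.processor.authorize(order["token"], remaining))
        return remaining

    def refund(self, order_id: str, cents: int) -> None:
        """Credit the customer; nobody re-enters or even sees the card number."""
        order = self.orders[order_id]
        for capture in order["captures"]:
            if capture[1] >= cents:
                self.processor.refund(capture[0], cents)
                capture[1] -= cents
                order["charged"] -= cents
                return
        raise ValueError("no single capture covers that refund")


def pan_leaked(merchant: Merchant, pan: str) -> bool:
    """True if the raw PAN shows up anywhere in the merchant's persisted state."""
    return pan in repr(merchant.cards_on_file) + repr(merchant.orders)
```

The trade-off, as the thread already notes, is that the processor's vault is now the concentrated target and the token still lets anyone with merchant-side access ship goods to a new address; a token scoped to one merchant limits the first problem but not the second.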
  38. Why store Credit Card info at all? by Syn+Ack · · Score: 1

    I know that it's more convenient but in the name of security why keep it in your customer's profile at all? I try, the best I can, to avoid sites that insist on keeping my credit card associated to my profile on their site. Sure keep the first few digits or whatever but I'd really love if some of these sites gave me the OPTION to save my credit card into my profile or not. Really, if I were VISA or Mastercard or whoever I'd virtually require that all online retailers DO NOT store credit card info for anything more than the amount of time it takes to verify and clear the purchase. This amounts to maybe 60 seconds maximum.

    I once went so far last year as emailing a site to tell them that their site was COMPLETELY insecure. Sure they used a cert and my transaction was encrypted but after looking at the action associated with the credit card form I realized all they were doing was sending my credit card and all my info to a mail account using formmail.cgi. So I didn't buy anything from them. That simple. The company was a small DVD company in Canada that is not even in business any more.

    So I ask people, why the heck do these companies insist on saving our credit card info at all? Shouldn't we have to give them permission to save this info? I don't care if they save my address, phone number but when it comes time to purchase ask me what my credit card number is, I'd really prefer it.

    Later.

    Syn Ack
    paulm@nospam.spider.org | PM1819

  39. Re:IIS is known to have had many security flaws. by AintTooProudToBeg · · Score: 3

    Apache is known to have zero security flaws.

  40. Preach On, Brother! Preach On! by Cheshire+Cat · · Score: 1
    However, Robertson said such holes should have been patched.

    "It really doesn't matter what Web server you are running ... if you are not keeping up with patches, you're insecure."

    I couldn't have said it better myself.

    --

    Last night I shot an elephant in my pajamas. How he got in my pajamas I'll never know.
    1. Re:Preach On, Brother! Preach On! by proberts · · Score: 2

      Me either! ;)

      Seriously, getting 10-20 minutes worth of interview into a few lines of quoted text, you always hope that the reporter will understand and report the gist of what you said.

      The sad part is that over two years after it's been fixed, RDS is still the #1 attack vector for IIS. It's _really_ getting difficult to point to Microsoft as partially responsible for releasing crappy code when fixes that are eons old are never applied. If we could get wu-ftpd, sunrpc, RDS and the unicode ../ bugs out, we'd at least raise the bar a couple notches.

      Paul

      --
      http://www.pauldrobertson.com
  41. This is the Egghead letter sent to customers by dmccarty · · Score: 2

    [This was the note I received from Egghead regarding whether or not my credit card # was stolen or not.]

    Subject: IMPORTANT MESSAGE FROM EGGHEAD.COM CEO
    Date: Sat, 23 Dec 2000 09:43:41 -0800
    From: "Egghead.com Special Update"
    To: mcdan@CSI.COM

    Dear Customer,

    Egghead.com has discovered that a hacker has accessed our computer
    systems, potentially including our customer databases. While there
    is no indication that any customer information has been compromised,
    as a precautionary measure, we have taken immediate steps to protect
    you by contacting the credit card companies with whom we work. They
    are in the process of alerting card issuers and banks so that they
    can take the necessary steps to ensure the security of cardholders
    who may be affected.

    We wish to underscore that we have taken these steps as precautions.
    We have no information at this time to suggest that any credit card
    information has been compromised. We are investigating this possibility,
    and we are doing everything we can to proactively protect you. If you
    would like further information, you may wish to contact the issuer of
    your credit card to determine what steps they are taking. We regret any
    inconvenience this may cause you.

    We issued a press release on this matter earlier today. It is appended
    below this message. If you have additional questions, please call our
    customer service team at 1-800-EGGHEAD (344-4323).

    Respectfully,

    Jeff Sheahan
    President & CEO
    Egghead.com, Inc.

    [There was a press release below this but I cut it out. It was standard business stuff.]
    --
    Have fun: Join D.N.A. (National Dyslexics Association)
  42. Egghead should have been more humble.. by rigor6969 · · Score: 1

    Dude. Straight up. I would have been more sympathetic if egghead admitted their full guilt. "We're sorry, due to a piss-poor operating system ridden with bugs, and our general lackluster knowledge of security, we've been 0wn3d.." But I think their attitude is completely wrong. They are trying to ignore guilt. They go as far as owning up to the guilt, just by sending the letter. Egghead, it's your duty to let us know from the beginning straight up the truth, and not try to save your sorry ass stock prices any longer. I strongly believe orders are going out to sell sell sell internally right now, and they're hoping they can last long enough before delisting to get their money back :) Once the guilt is in the open, they're gone.

    --
    ===sam=== free nessus vulnerability scan = www.vulnerabilities.org
  43. Incomprehensible rantings.... by mdtrent3 · · Score: 1

    This sort of thing just ticks me off so much! I absolutely LOVE shopping online. Disneystore.com is a fav of mine as well as a number of other mall-type store sites (how could I NOT love having a shopping mall in my room? I mean, seriously.) And eBay?-hello, it's not only shopping, but it's like a fun game too!
    But when sites are stupid about the way they handle customer accounts (though I generally only trust credit card numbers to fairly reputable companies, like disney) I'm the one who ends up looking irresponsible.
    As if my parents don't already think I'm a slack off, good-for-nothing college student with poor judgement half the time anyway, they then hear about all these sites that have been "hacked" or "cracked" or WHATEVER (as if my parents have ANY idea what that is, anyway- even less than myself) They just can't believe that I would be dumb enough to do any online shopping and how could they have raised such a dumb daughter who'd just throw money away like that over the untrustworthy newfangled internet shit. geez....
    Wow, that was random, thanks for listening....

  44. Egghead's Response... by jaredcat · · Score: 1

    As an Egghead customer, I just received this spam..err target marketing bulk e-mail from the CEO:

    Return-Path: <owner-CUSTOMERSERVICE*jry**INAME*-COM@MORPHEUS .EGGHEADLIST.COM>
    Received: from chmls12.mediaone.net ([24.147.1.148]) by
    chmls14.mediaone.net (Netscape Messaging Server 4.15) with ESMTP
    id G61HU900.US2 for <jaredcat@ne.mediaone.net>; Sat, 23 Dec 2000
    16:18:09 -0500
    Received: from smv664-leg.mail.com (lmtp09.iname.net [165.251.8.91])
    by chmls12.mediaone.net (8.11.1/8.11.1) with SMTP id eBNLI7e22988
    for <jaredcat@mediaone.net>; Sat, 23 Dec 2000 16:18:07 -0500 (EST)
    Received: from promo2.eggheadlist.com (promo2.eggheadlist.com [204.106.181.12])
    by smv664-leg.mail.com (8.9.3/8.9.1SMV2) with ESMTP id QAA05037
    for <jry@INAME.COM> sent by <owner-CUSTOMERSERVICE*jry**INAME*-COM@MORPHEUS .EGGHEADLIST.COM>; Sat, 23 Dec 2000 16:18:07 -0500 (EST)
    Message-Id: <200012232118.QAA05037@smv664-leg.mail.com>
    Received: from morpheus (morpheus.eggheadlist.com) by promo2.eggheadlist.com (LSMTP for Windows NT v1.1b) with SMTP id <4.0002D8CC@promo2.eggheadlist.com>; Sat, 23 Dec 2000 11:14:13 -0800
    Date: Sat, 23 Dec 2000 09:43:41 -0800
    From: "Egghead.com Special Update" <specialdeals@PROMO1.EGGHEADLIST.COM>
    Subject: IMPORTANT MESSAGE FROM EGGHEAD.COM CEO
    MIME-Version: 1.0
    Content-Type: text/plain; charset=ISO-8859-1
    To: jry@INAME.COM
    X-MIME-Autoconverted: from quoted-printable to 8bit by smv664-leg.mail.com id QAA05037
    Content-Transfer-Encoding: quoted-printable
    X-MIME-Autoconverted: from 8bit to quoted-printable by chmls12.mediaone.net id eBNLI7e22988

    Dear Customer,

    Egghead.com has discovered that a hacker has accessed our computer
    systems, potentially including our customer databases. While there
    is no indication that any customer information has been compromised,
    as a precautionary measure, we have taken immediate steps to protect
    you by contacting the credit card companies with whom we work. They
    are in the process of alerting card issuers and banks so that they
    can take the necessary steps to ensure the security of cardholders
    who may be affected.

    We wish to underscore that we have taken these steps as precautions.
    We have no information at this time to suggest that any credit card
    information has been compromised. We are investigating this possibility,
    and we are doing everything we can to proactively protect you. If you
    would like further information, you may wish to contact the issuer of
    your credit card to determine what steps they are taking. We regret any
    inconvenience this may cause you.

    We issued a press release on this matter earlier today. It is appended
    below this message. If you have additional questions, please call our
    customer service team at 1-800-EGGHEAD (344-4323).

    Respectfully,

    Jeff Sheahan
    President & CEO
    Egghead.com, Inc.

    Press Release:

    Contact:
    Joanne Hartzell
    Egghead.com, Inc (650) 470-2713
    John Stodder, Shoreen Maghame
    Edelman Worldwide, (323) 857-9100

    Egghead.com Investigates Breach of Company Computer Systems
    Company Undertakes Immediate Precautionary Measures
    MENLO PARK, Calif., December 22, 2000 - Egghead.com ®, Inc. (Nasdaq:
    EGGS), released the following statement today:
    "Egghead.com has discovered that a hacker has accessed our computer
    systems, potentially including customer databases. As a precautionary
    measure, we have taken immediate steps to protect our customers by
    contacting the credit card companies we work with. They are in the
    process of alerting card issuers and banks so that they can take the
    necessary steps to ensure the security of cardholders who may be affected.

    "Simultaneously, we have retained the world's leading computer security
    experts to conduct a thorough investigation of our security procedures
    and an analysis of this breach. We are also working with law enforcement
    authorities, who are in the process of conducting a criminal investigation.

    "For many months, we have been in the process of strengthening our security
    systems in an effort to combat the increasing, industry-wide problem of
    malicious hacking. We are committed to providing the highest security
    standards in the industry, a process that has been ongoing and has
    involved a considerable investment on the part of our company. Those
    principles will continue to guide us going forward."

    About Egghead.com: Egghead.com is a leading Internet direct marketer of
    technology and related products. With an emphasis on Small- to Medium-sized
    Business (SMB) customers, Egghead.com offers a wide range of products from
    computer hardware and software, consumer electronics and office products,
    to sporting goods and vacation packages. Its Clearance, After Work and
    Auction formats offer bargains on excess and closeout goods and services.
    Egghead.com combines broad selection, low prices, and excellent service
    to provide an outstanding online shopping experience for businesses and
    consumers. Egghead.com is located on the Internet at http://www.egghead.com

    This press release contains forward-looking statements that involve
    risks and uncertainties, including but not limited to statements relating
    to steps taken to protect our customers. These forward-looking statements
    are based on information available to the company at the time of this
    release and we assume no obligation to update any such forward-looking
    statements. The statements in this release are not guarantees of future
    performance. Actual results could differ materially from current expectations
    as a result of numerous factors. For example, our ability to protect our
    customers from potential misuse of private information is limited, and the
    impact of compromised computer security on our business is unpredictable.
    Other risks and uncertainties associated with the business are detailed in
    our most recent Forms 10-K and 10-Q which are on file with the SEC and
    available through www.sec.gov

    Shoreen Maghame
    Edelman Worldwide
    (323) 857-9100 ext. 231
    e-mail: shoreen.maghame@edelman.com

    Due to our desire to ensure every person who may be affected has been notified,
    you may be receiving this message even if previously expressing a desire not to
    receive email from Egghead.com. If this is the case, please be assured you will
    not be receiving promotional emails from Egghead.com in the future.

    To be removed from our mailing list please go to:
    http://promo2.eggheadlist.com/blist.asp?e=JRY@IN AM E.COM

  45. it's a sign of the times by htmlboy · · Score: 1

    The company who issued me my MasterCard has a pretty neat program aimed at preventing problems with situations just like this.

    You basically get a new credit card number valid for x number of months and with a credit line of y dollars (you specify the details). You use the new number for one purchase and you're done with it.

    Now, skip ahead a few months to the day the online retailer's database is cracked. The one-month valid card with the $90 credit line you used is long since expired, so you have no reason to worry.

    MBNA (my issuer) isn't alone in providing services like these. I suspect that as cracking continues, you'll see a lot more people paying attention to the extra services their credit card company is trying to tell them about.

    ck
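What htmlboy describes in comment 45 is an issuer-side construct: a separately generated number that passes every syntactic check a merchant runs, but that the issuer will only honour under a narrow policy. The following is an added example, not MBNA's or American Express's actual scheme; the policy fields (spend cap, validity window, single use, lock to the first merchant) and the `Issuer`/`VirtualCard` names are assumptions about how such a service could work. The generated number carries a valid Luhn check digit, and `demo` replays the number 120 days after its one legitimate use, which is the scenario the comment describes. The caveat raised in comment 54 is visible in the code: the `_cards` table mapping virtual numbers to real accounts now exists at the issuer, and that is what must be protected instead.

```python
"""Issuer-side model of a disposable card number.

Added example, not MBNA's or AMEX's scheme: the policy (spend cap, validity
window, single use, lock to the first merchant) is an assumption about how
such a service could work.  The number gets a valid Luhn check digit so it
passes the syntactic checks a merchant applies, while only the issuer's
table links it to the real account.
"""
import secrets
from dataclasses import dataclass
from datetime import date, timedelta


def luhn_check_digit(partial: str) -> str:
    """Digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:                  # rightmost digit of the partial is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class VirtualCard:
    account: str          # real account id; only the issuer holds this mapping
    limit_cents: int
    valid_until: date
    merchant: str = ""    # bound to the first merchant that authorizes on it
    used: bool = False


class Issuer:
    BIN = "411111"        # assumed issuer prefix (a well-known test range)

    def __init__(self) -> None:
        self._cards = {}  # virtual number -> VirtualCard; this table is now the target

    def issue(self, account: str, limit_cents: int, months: int, today: date) -> str:
        body = self.BIN + "".join(str(secrets.randbelow(10)) for _ in range(9))
        number = body + luhn_check_digit(body)
        # approximate month arithmetic; a real issuer would expire at month end
        self._cards[number] = VirtualCard(account, limit_cents, today + timedelta(days=30 * months))
        return number

    def authorize(self, number: str, cents: int, merchant: str, today: date) -> tuple:
        """Approve or decline; each decline reason is a policy a stolen number runs into."""
        card = self._cards.get(number)
        if card is None:
            return False, "unknown card"
        if today > card.valid_until:
            return False, "expired"
        if card.used:
            return False, "already used"
        if cents > card.limit_cents:
            return False, "over limit"
        card.used, card.merchant = True, merchant
        return True, "approved"


def demo(today: date = date(2000, 12, 1)) -> dict:
    """Use a $90 one-month number once, then replay it after a breach 120 days later."""
    issuer = Issuer()
    number = issuer.issue("acct-0001", limit_cents=9000, months=1, today=today)
    first = issuer.authorize(number, 8999, "egghead.com", today)
    replay = issuer.authorize(number, 5000, "fraudster", today + timedelta(days=120))
    return {"number": number, "first": first, "replay": replay}
```

Note the order of the checks: expiry is tested before the single-use flag, so a number lifted from an old order dump is declined as expired whether or not it was ever used, and a number replayed inside its window is declined as already used.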

  46. Not quite on-topic, but... by coolgeek · · Score: 1
    Another credit card security issue I have observed is where the ecommerce site puts the CC expiration date on the "receipt" page that a lot of people print out as a record because it usually contains the order number.

    Most people may miss this security feature. Since it is common to write your account number on the check when making a payment, the credit card companies came up with the guideline of asking for the expiration date, because (unless you're a dork or using ecommerce software written by dorks) the expiration date is printed only on the credit card itself. Not a foolproof defense against fraud, but a reasonable stop-gap measure that is now being compromised by some of the "larger" ecommerce sites.

    --

    cat /dev/null >sig
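coolgeek's point in comment 46 is that a receipt needs an order number and, at most, the last four digits of the card; the expiration date belongs only on the plastic. The following is an added example, not code from the original post: a receipt renderer that keeps the expiry off the page, and a scanner a merchant can run over rendered pages or logs to catch full card numbers or expiry dates leaking into them. The order record layout and the regular expressions are assumptions; the expiry pattern is deliberately broad (it will also flag some ordinary dates) so that hits get reviewed rather than missed.

```python
"""Receipt rendering and a leak check for card data in rendered text.

Added example, not from the original post; the order record layout is
assumed.  A Luhn filter (omitted here) would cut false positives from the
PAN pattern, which otherwise flags any 13-19 digit run.
"""
import re

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# MM/YY or MM/YYYY; broad on purpose so reviewers see every candidate
EXPIRY_RE = re.compile(r"\b(0[1-9]|1[0-2])\s*/\s*(\d{2}|\d{4})\b")


def mask_pan(pan: str) -> str:
    """Keep only the last four digits; separators in the input are dropped."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def render_receipt(order: dict) -> str:
    """Order number plus last four is enough for a customer query; the expiry
    stays off the page because issuers use it as a second authenticator."""
    return (f"Order {order['order_id']}\n"
            f"Card {mask_pan(order['pan'])}\n"
            f"Total ${order['total_cents'] / 100:.2f}\n")


def card_data_leaks(text: str) -> list:
    """Findings of the form 'pan:<digits>' or 'expiry:<MM/YY>' found in text."""
    findings = []
    for m in PAN_RE.finditer(text):
        findings.append("pan:" + re.sub(r"\D", "", m.group()))
    for m in EXPIRY_RE.finditer(text):
        findings.append("expiry:" + m.group())
    return findings
```

Run `card_data_leaks` over the HTML of every confirmation page and e-mail template in a test suite; the constructed "bad" receipt in the test below is the kind of page the comment complains about.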
  47. Re:search bugtraq by Legion303 · · Score: 1
    Don't blame IIS because of clueless admins. I don't recall windows2000test.com ever being hacked.

    I agree with you on the IIS/clueless admins thing, but if I recall correctly windows2000test.com was too busy being continually rebooted and "down due to weather" to be hacked.

    -Legion

  48. Re:Unfortunate... by mgkimsal2 · · Score: 1

    Almost not worth replying to, but

    "as I really could care less if you make rich businesses pay"

    does irk me some, as "businesses" that get hit with fraud

    1. either pass those costs on to consumers (or other businesses which deal with consumers - our whole society is based on CONSUMING), which ultimately affects you and me.

    or 2. pay employees less because they have to 'eat' the cost associated with the fraud. If you worked at one of those 'rich businesses' you'd probably care very much if you were going to get paid less (or NOT get the pay increase you deserve - same thing in the long run) due to fraud.

  49. Re:search bugtraq by hammock · · Score: 1

    Linux is not Redhat.

    windows2000test.com was not "hacked" because
    1) No services were running
    2) Whenever a breach was imminent, they took it off the network

    I bet you think NT is C2 Secure too!

  50. Re:What type of databases were broken into? by mgkimsal2 · · Score: 1

    Probably doesn't mean much, but Oracle running on what OS? Sun? NT? W2k? Linux? Thanks for any more insider light you can shed on this.

  51. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  52. Re:Suggestion box @ egghead.com by hammock · · Score: 1

    Monkeys is a compliment!

    I prefer to think of them as drunken, dyslexic chimpanzees.

  53. Re:What difference does it make? by swillden · · Score: 1

    First, you're not quite right with regard to who loses with credit card fraud. The bank that issues the credit card occasionally, but rarely, eats the loss. Generally, it's the merchant who accepted the stolen card number who loses. Exactly which rules apply in a particular situation is far from simple. If by saying "CC company" you're referring to Visa or Mastercard then the CC company has nothing to do with it. They are just associations of banks that provide a brand and a set of standards; they're not real companies that you actually do business with.

    Second, while you're right that in the near term there's no impact to the card holder, don't kid yourself that it will never hurt. You'll notice that both of those entities who stand to pay for the fraudulent charges make 100% of their income from you and people like you. What do you think they do with those additional costs? Further, this costs you and me even if the thief never uses the stolen numbers. How much do you think it's going to cost all of the banks involved to reissue the 3.1 million cards? I'll give you a hint: The industry figures that on average it costs approximately $8 to replace a card. You do the multiplication.

    Fraud costs all of society, ultimately. In this case, I hope they find some way to make Egghead liable for at least a part of the damages for any abuse of the stolen card numbers. I wish they could be held liable for the banks' costs in reissuing all of those cards as well. Oh, and I hope the bozo that stole the numbers gets a very large, very hairy and very friendly cellmate.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  54. Re:This cries out for one-time use credit card num by AintTooProudToBeg · · Score: 1

    Sounds good... now instead of securing ecommerce databases, we need to secure the American Express 'one time cc' database.

  55. M$ make crackers go Ka-Chingg by pranalukas · · Score: 1

    Woohoo, yet another Micro$hit IIS hacked!!! Microsoft surely makes crackers go Ka-Chingg!! ;)

    Any of you guys remember that a few weeks ago (or was it last week?) creditcards.com, which uses Microsoft Windows NT, was hacked and about 3 million credit cards were stolen? Again and again and again. Even Microsoft itself has been hacked twice this year, plus another www.microsoft.si hacked.

  56. and apache doesn't? by ArchieBunker · · Score: 1

    Imagine how fast this would be modded down if they used apache and got 0wned. Oh the horror! they fought the good fight and lost.

    You act as though linux or anything OSS has never had a buffer overflow or security issues.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
    1. Re:and apache doesn't? by ibpooks · · Score: 1

      Actually if it was a Linux/Apache box, it wouldn't have gotten 0\/\/|\|3D in the first place.

    2. Re:and apache doesn't? by SuiteSisterMary · · Score: 1

      Nah. Had it been, say, a Linux/Apache box, people would be saying:

      Well, what do you expect? Linux is weak. They should have been using *BSD!
      --
      Vintage computer games and RPG books available. Email me if you're interested.
  57. hrm by PovRayMan · · Score: 1

    Ok, I don't know much about credit cards since I've never used or owned one. I basically know how they work though: you have a limit as to how much you can spend, then you pay the people who gave you the card (or whoever) the amount you spent on stuff, and if you're a good spender you can get the limit increased. I think that's right..

    ok so here's what I wanna know...

    If someone gets my CC number, what can someone do with it. I really don't know so that's why I'm asking. I mean, it's just a number... Don't you need more than that to make evil/good use of the whole credit card?

    Yeah this is kind of a stupid question, but I've just never used one or even asked about it. So I'm just curious now :)

    ----------

    1. Re:hrm by nomadic · · Score: 2

      It's actually a bit harder to use than everyone on slashdot wants to believe. If you order something sent to an address other than the one listed with the credit card company, chances are they'll call you to confirm it. Even if they don't, most people will catch unauthorized use pretty quickly, and under federal law you're only liable for up to $50 of unauthorized purchases. The only real problems start if you don't catch the credit card use fast enough, and let the thieves go wild for an extended period of time. And then, unless you have an unrealistically high credit limit, they won't be able to charge too much before they're maxed out.
      --

    2. Re:hrm by SuiteSisterMary · · Score: 2

      All ye need is the registered name and address of the card holder, the card number, and the expiry date. And if one bit is in a database, likely all bits are.

      --
      Vintage computer games and RPG books available. Email me if you're interested.
  58. search bugtraq by ArchieBunker · · Score: 1

    Search bugtraq for apache and ssh some time. Anything can be hacked if you don't know what's going on. How many versions of redhat were 0wnable out of the box?

    Don't blame IIS because of clueless admins. I don't recall windows2000test.com ever being hacked.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  59. Consumer confidence by perdida · · Score: 1

    You know what, Headline News said earlier this week that most people are still unwilling to shop on line. There were three reasons given, below in order.

    1) The consumer prefers to see the gift before purchase

    2) The consumer prefers not to give out his or her credit card on line

    3) The consumer finds many Web sites difficult to navigate

    All of these are problems of consumer confidence and arise from the need of the customer for accountability. Individual protections against unauthorized purchases are inapplicable in the case of a DB crack due to reasons of scale mentioned in above posts.

    So what is the solution?

    Buy locally.

    If an individual merchant decides to cheat you, YOU can go down there with YOUR baseball bat or YOUR neighborhood constable and confront the jerk.

    If the merchant defrauds many people, a MOB of folks with baseball bats, or preferably their team of lawyers, can do the same thing.

    The average e biz, for reasons of security, will be wanting to move to data havens pretty soon. For the same sovereignty based reasons a data haven is appealing to such firms, they will have no way of tracking and enforcing national laws against crackers.

    We need international standards systems w/r/t privacy, personal information, fraud, security and intellectual property. For once, let's create safe and sensible structures BEFORE the net's growth beats us to the curve.

  60. Re:This cries out for one-time use credit card num by FigWig · · Score: 1

    You so funny! Too bad you so stupid! A one time CC is only one use, so if the DB is compromised there is nothing to lose - you have already used up the CC account.

    --
    Scuttlemonkey is a troll
  61. Re:Dumbass by Jeff+Knox · · Score: 1

    No, I didn't sign any sort of NDA. Two, what exactly did I tell you that Egghead hasn't already told us? I didn't say anything very informative, essentially that they just have 3-4 databases, instead of 15. How is that a map to hacking egghead? To be honest, I don't even know how how many databases they have relates at all to getting access to the databases. If I would have given you IPs (which I don't have) and logins and passwords (which I don't have) and exact versions of all the software on the DBs (which I also have no clue about) that would be another thing. But all I told the slashdot community was that there are 3-4 databases, and the schedule on which they update (how is that important to keep secret? A lot of companies, like banks, tell you their servers update your accounts at midnight, or whatever). Just shedding some light that no matter what DB the intruder gained access to, they still would have got almost the entire customer DB.

    --
    Jeff Knox
  62. Once again... by glowingspleen · · Score: 1

    Oh great, this again. It was on CNBC tonight and my dad called me into the room to watch it with him. He then raised his eyebrows as if to point out how crazy I am for giving out my credit card online.

    Although these disclosures and media attention are useful for letting card holders know about it (thus reminding them to check their statements), I have to compliment CNBC on something: They took the time to explain the difference between a CC# stolen during a transaction and one stolen later on from a database. Kudos to them.

    REGARDLESS, I am forced to point out once again that we do "risky" things every day. Having your card # stolen from a database is no different than handing it to the guy making $5 an hour at Olive Garden and having him jot down the card info when he leaves with your check.

    Granted, one might point out that getting a card stolen online might mean more people will abuse it and make illegal purchases. I counter that argument with the fact that being one of 300,000 known stolen cards means media attention, which would result in you getting advance knowledge to go over your statement with a fine-toothed comb, which you might not do (but always should regardless) if some random waiter stole your card to buy a few DVDs.



  63. Re:SUE EGGHEAD FOR DISCRIMINATION by Jeff+Knox · · Score: 1

    The company has no download policy. There is some sort of unwritten policy I guess, but no terms of usage that we were ever shown when we started working there. Never signed a computer usage agreement, never saw one, and they admitted there is not one, but it should be assumed that I should know not to download things on my work computer. To make things worse, they have a double standard. They don't mind if you download napster and winamp and play mp3s (I know some people there with a 20+gig mp3 collection on their work computer), but they do if you download other things. The director of business sales (who I worked under) told me they look the other way for music and mp3s, but what I did they can't look the other way on. Because the tools I downloaded could possibly be used in a malicious way! (Or so they claim). The thing is, I never installed anything; the security they have in place would not allow me. I downloaded and had a zip file on the HD, but could not install it. I got fired over a zip file on my HD.

    --
    Jeff Knox
  64. one-time credit card nums add significant security by alienmole · · Score: 2

    As someone already pointed out, security at financial institutions tends to be much better than at ordinary online stores. But in addition to that, in theory, someone obtaining the Amex one-time card customer database wouldn't necessarily have any direct way to profit from that - unless the database included a permanent credit card number (which in theory, it wouldn't necessarily have to), or gave the thief a way to generate bogus one-time numbers (which also shouldn't be possible, in theory.)

    In practice, I wouldn't be surprised to find that Amex's database does include the customer's permanent credit card number, but that's an implementation detail. There's no question that any way you look at it, one-time numbers really do add significant security.

  65. Re:SUE EGGHEAD FOR DISCRIMINATION by Jeff+Knox · · Score: 1

    I'm 17.5 years old. I've been told by multiple people that I should sue for discrimination, because it is fairly obvious that they fired me because they felt threatened by my knowledge at this young age. I have neglected to for multiple reasons. One being I don't want to get a reputation for suing my employer, that doesn't help when trying to get a new job. Two, and the biggest reason, I don't have the money for a lawyer and would not know where to start.

    --
    Jeff Knox
  66. Re:Incomprehensible rantings.... (Sc0re:0,Boring) by alienmole · · Score: 1

    You're absolutely right. But you could turn this around: get yourself an Amex or Discover card with the one-time number capability (see the other messages here about one-time card numbers), and explain to your parents how you've taken steps to ensure that your web transactions are secure. Then they'll be impressed by what a smart and savvy daughter they have!

  67. Re:What type of databases were broken into? by Jeff+Knox · · Score: 1

    Not sure to be honest, but according to another insider that posted in this forum, it was an HP 3000 server running NT and IIS.

    --
    Jeff Knox
  68. It doesn't matter why, it's still less safe. by Lord+Kano · · Score: 2

    It's too bad that this kind of theft will probably scare people away from online purchases even when it's a database that's cracked rather than their transactions.

    Be it a hole in SSL or a lazy/stupid box admin that opens up the door for crackers and script kiddies to get access to your info, the fact remains that you have an annoyance on your hands. Canceling the card, getting a new card, notifying ISPs and others of the change in information.

    I'd rather spend the time to drive to the mall, I can look at women in tight pants at the mall. Hell, maybe even score a phone number.

    LK

    --
    "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
  69. Re:AMEX? I'd rather be in the pan than in the fire by alecto · · Score: 1

    You articulated your troubles with them very well. I hope they eventually own up to their mistake and give you the apology you deserve! My thought on AMEX and its "no pre-set spending limit" is that I know there's a limit, just not what it is--however, the first time they ever decline a charge would be the last--then I could use your confetti idea :).

  70. Egghead sent me the following email Sat morning by edwardames · · Score: 1

    Date: Sat, 23 Dec 2000 09:43:41 -0800
    From: "Egghead.com Special Update"
    Subject: IMPORTANT MESSAGE FROM EGGHEAD.COM CEO
    To: ***@***.NET

    Dear Customer,

    Egghead.com has discovered that a hacker has accessed our computer systems, potentially including our customer databases. While there is no indication that any customer information has been compromised, as a precautionary measure, we have taken immediate steps to protect you by contacting the credit card companies with whom we work. They are in the process of alerting card issuers and banks so that they can take the necessary steps to ensure the security of cardholders who may be affected.

    We wish to underscore that we have taken these steps as precautions. We have no information at this time to suggest that any credit card information has been compromised. We are investigating this possibility, and we are doing everything we can to proactively protect you. If you would like further information, you may wish to contact the issuer of your credit card to determine what steps they are taking. We regret any inconvenience this may cause you.

    We issued a press release on this matter earlier today. It is appended below this message. If you have additional questions, please call our customer service team at 1-800-EGGHEAD (344-4323).

    Respectfully,

    Jeff Sheahan President & CEO Egghead.com, Inc.



    Press Release:

    Contact:
    Joanne Hartzell
    Egghead.com, Inc (650) 470-2713
    John Stodder, Shoreen Maghame
    Edelman Worldwide, (323) 857-9100

    Egghead.com Investigates Breach of Company Computer Systems,
    Company Undertakes Immediate Precautionary Measures
    MENLO PARK, Calif., December 22, 2000 - Egghead.com ®, Inc. (Nasdaq: EGGS), released the following statement today: "Egghead.com has discovered that a hacker has accessed our computer systems, potentially including customer databases. As a precautionary measure, we have taken immediate steps to protect our customers by contacting the credit card companies we work with. They are in the process of alerting card issuers and banks so that they can take the necessary steps to ensure the security of cardholders who may be affected.

    "Simultaneously, we have retained the world's leading computer security experts to conduct a thorough investigation of our security procedures and an analysis of this breach. We are also working with law enforcement authorities, who are in the process of conducting a criminal investigation.

    "For many months, we have been in the process of strengthening our security systems in an effort to combat the increasing, industry-wide problem of malicious hacking. We are committed to providing the highest security standards in the industry, a process that has been ongoing and has involved a considerable investment on the part of our company. Those principles will continue to guide us going forward."

    About Egghead.com: Egghead.com is a leading Internet direct marketer of technology and related products. With an emphasis on Small- to Medium-sized Business (SMB) customers, Egghead.com offers a wide range of products from computer hardware and software, consumer electronics and office products, to sporting goods and vacation packages. Its Clearance, After Work and Auction formats offer bargains on excess and closeout goods and services. Egghead.com combines broad selection, low prices, and excellent service to provide an outstanding online shopping experience for businesses and consumers. Egghead.com is located on the Internet at http://www.egghead.com

    This press release contains forward-looking statements that involve risks and uncertainties, including but not limited to statements relating to steps taken to protect our customers. These forward-looking statements are based on information available to the company at the time of this release and we assume no obligation to update any such forward-looking statements. The statements in this release are not guarantees of future performance. Actual results could differ materially from current expectations as a result of numerous factors. For example, our ability to protect our customers from potential misuse of private information is limited, and the impact of compromised computed security on our business is unpredictable. Other risks and uncertainties associated with the business are detailed in our most recent Forms 10-K and 10-Q which are on file with the SEC and available through www.sec.gov

    Shoreen Maghame
    Edelman Worldwide
    (323) 857-9100 ext. 231
    e-mail: shoreen.maghame@edelman.com


    Due to our desire to ensure every person who may be affected has been notified, you may be receiving this message even if previously expressing a desire not to receive email from Egghead.com. If this is the case, please be assured you will not be receiving promotional emails from Egghead.com in the future.

    To be removed from our mailing list please go to: http://promo2.eggheadlist.com/blist.asp?e=***@***. NET

    [Only thing I changed was my email address. Ed.]

  71. Any reaction from Egghead.com by grunby · · Score: 1

    "Your credit card and personal information is safe with Egghead.com - we guarantee it! "

    I subscribe to the defaced mailing list put out by attrition.org. I find it interesting to see the reactions of the web site owners. I look for any notice about the breach that they may put up after they've restored (and hopefully patched). I checked out Egghead's Privacy Policy page and saw that guarantee. Kinda makes me wonder...I'd think that companies would first react and check out the wording on any of their privacy and security page. The following is an excerpt from Egghead's privacy page:

    Guarantee

    Your browser and Egghead.com's secure server encrypt confidential information during transmission, ensuring that transactions stay private and protected. Egghead.com guarantees the safety of your credit card information in the following manner: if any unauthorized use of your credit card occurs as a result of your credit card purchase from Egghead.com, simply notify your credit card provider in accordance with its reporting rules and procedures. If, through no fault of your own, your credit card company finds credit card fraud but does not waive your entire liability for unauthorized charges, Egghead.com will reimburse you for the remaining liability, up to a maximum of fifty dollars U.S. ($50.00) per card. This guarantee applies to purchases made using Egghead.com's secure server (https: protocol).

    Whoa, check out the second to last line...only 50 clams...

    - [grunby]

    1. Re:Any reaction from Egghead.com by blogan · · Score: 1

      Read it again. I think what it's saying is that some credit card companies make you liable for the first x dollars of credit card fraud. Egghead.com will pay for that if it's their fault. So if you're liable for the first $100, you'll only have to pay $50. If you're liable for $50, then you won't have to pay anything.

    2. Re:Any reaction from Egghead.com by El · · Score: 1

      By law, YOUR liability limit is only $50 if you report the loss within 3 days, so the $50 limit makes sense.

      --

      "Freedom means freedom for everybody" -- Dick Cheney

  72. Suggestion box @ egghead.com by Mongoose · · Score: 1

    https://www.egghead.com/custserv/actreq/suggestions.htm

    How about firing your security team and hiring some monkeys to patch the damn servers?

    I had a cc there too. =(

  73. Re:This cries out for one-time use credit card num by alecto · · Score: 1

    Shamelessly lifted from the Private Payments FAQ:

    How do I contact a merchant with an inquiry about a purchase if I have used a Private Payments number?

    Because the Private Payments technology enables you to make on-line purchases without revealing your actual Card account number, you will want to be careful when contacting a merchant about a purchase inquiry (e.g. returns, exchanges, back-ordered merchandise, etc.) not to reveal your actual Card account number. When contacting merchants regarding a Private Payments purchase you should always provide your Private Payments number and expiration date and not your actual Card account number or expiration date.

  74. This is going to happen more and more by starvo · · Score: 1

    As the market for stolen Credit card numbers.. (and Calling card #'s amongst others..) becomes increasingly more lucrative, we're going to see more and more of these attacks.

    Maybe organized crime groups will soon be "sponsoring" crackers to break into websites, and to pilfer CC# databases... Or other groups.

    CC# Fraud is a very profitable endeavour for the criminals.. Even if they pass the #'s off for only $50 each.. Imagine the kind of haul they bring in, with 10,000 #'s, let alone 3.7 million.

    I'd imagine that all of this might get worse before it gets better... I've been a Unix Security Analyst for a short time now, and the problems just seem to be increasing every day.

    Hopefully this is the beginning of a wake up call that will turn most companies on their ear, and get them to start auditing their systems much better.

    --
    http://thepoliticalgeek.com/blog/ Politics for Geeks.
    1. Re:This is going to happen more and more by Jeff+Knox · · Score: 1

      I think 50 dollars a card seems completely unlikely. They would have to all be valid, and have to card a lot more than that to make it lucrative. I remember reading that the 100,000 citibank cards that were stolen were for sale for only like 3 million total. 3.7 million cards, of which maybe 50% or less are still valid (egghead.com's customer database dates back to around 1997, of which a lot of cards have expired), at, say, 5 dollars a card (still seems high): 18.5 million. Still a lot of money. It would be interesting to know how much these cards really go for.

      --
      Jeff Knox
  75. Share the Wealth by Col.+Panic · · Score: 3

    "We're in continuous crisis mode here," said a consultant

    At least the cracker could use one of those numbers to send the sysadmins a recovery care package:

    pizza

    Mountain Dew

    1/2 ton of candy in Christmas colors

    151 proof "eggnog"

  76. Re:Christmas.... by CiXeL · · Score: 1

    >I donated too. and to the idiot who thought this was a troll, if it is, its the best kind of troll because its for a good cause.

    This was me. Does that give you any authenticity you heartless fuck?

  77. Bruce Schneier to the rescue by Dusabre · · Score: 1

    Now there's this certain program called Password Safe by a certain company, counterpane.com, run by a certain fairly trustworthy guy, Bruce Schneier... and guess what, it keeps a database of your passwords on your hard disk (and you can back up the encrypted database), it generates random passwords, you can paste usernames and passwords, and basically it's a godsend, so now you don't have to use the same password everywhere. Unfortunately it's Windows only for now, though the site mentions an open source version soon.

  78. Re:Customer Service Response by KupekKupoppo · · Score: 1

    I'm sorry that this is going to sound like a total flame, but it is.

    You, my friend, are a moron.

    Points of fact:
    a. You're providing information about 'potentially' cracked databases, and rambling into details that you shouldn't give a shite about unless:

    b. You're a disgruntled ex-employee.

    My credit card # was in there (uggh, I'm _NOT_ using an online retailer who stores CC#'s ever again), so I'm slightly peeved that this could happen.

    Anyway, don't make yourself look extra guilty, your moronic insights into the corporate strata simply make you a good target for law enforcement.

    -k.

  79. in the US we're always looking for people to sue.. by gimpboy · · Score: 1

    why not sue amazon? i would think that storage of cc numbers is part of their one click shopping patent thing. if egghead were paying royalties to amazon, and their system failed... then they could be held accountable...

    well only in america, but then again you could only get a patent like that in america.

    use LaTeX? want an online reference manager that

    --
    -- john
  80. Egghead by rsimmons · · Score: 1

    Don't they mean eggface?

  81. I don't like CC's. by IdeaMan · · Score: 1

    I know someone that logs into their work network remotely using a "challenge-response" type system. The company issued each employee a pocket-calculator-like thing you type the code into from the remote side, hit enter, then copy the code from the calculator back to the remote interrogator. (Some kind of hash function with the response & a secret key, I guess).

    Credit card companies should issue these challenge response cards instead of credit cards. Look at it this way: 95% of people that take CC's have some kind of connection to verify them anywayz.

    Since the calculator requires you to enter a pin first, even if it got stolen it would still be useless.

    Hmmm... What if you put a conduction sensitive keypad, a solar panel, & an electromagnetic strip into a credit card?? Take it out of your pocket, punch in your pin, it generates a new code based on the time and the # of transactions the card was used for, & you slide it through one of those gas pump card readers. Better yet, the credit card has an rf transducer that talks to the Mobil gas station, shows you how much money they want to charge you, then you tap in your passcode to authorize the transaction.

    --
    They ARE out to get you simply because They are in it for themselves and they don't care about you.
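An added example, not from this thread or from any card issuer's product, of the PIN-protected challenge-response code the post above sketches: the card mixes its secret key, the entered PIN, the current time window and a transaction counter into a short code, and the issuer recomputes it, tolerating one window of clock drift and refusing any counter that does not advance. HMAC-SHA256, the 30-second window, six digits and the one-window tolerance are my assumptions.

```python
"""PIN-protected one-time authorisation code (added example, constructed).

Assumptions (mine, not the poster's): HMAC-SHA256, a 30-second time window,
6-digit codes, one window of drift tolerance, and an issuer that keeps the
card secret and PIN in plain form (a real issuer would hold them in an HSM).
"""
import hashlib
import hmac
import struct

TIME_STEP = 30   # seconds per time window (assumption)
DIGITS = 6       # code length (assumption)
DRIFT = 1        # accept codes from one adjacent window either side


def card_code(secret: bytes, pin: str, now: int, counter: int) -> str:
    """What the card computes after the holder keys in the PIN: a code bound
    to the card secret, the PIN, the current time window and the number of
    transactions so far (the counter)."""
    window = now // TIME_STEP
    # The PIN is folded into the key: a stolen card without the PIN yields
    # codes the issuer will not accept (the post's "requires you to enter a
    # pin first").
    key = hmac.new(secret, pin.encode(), hashlib.sha256).digest()
    msg = struct.pack(">QQ", window, counter)
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    # Dynamic truncation (the HOTP idea): take 4 bytes at an offset chosen by
    # the low nibble of the last byte, drop the sign bit, keep DIGITS digits.
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


class Issuer:
    """Issuer-side verifier for the codes above."""

    def __init__(self) -> None:
        self.cards: dict[str, list] = {}  # card_id -> [secret, pin, last_counter]

    def enrol(self, card_id: str, secret: bytes, pin: str) -> None:
        self.cards[card_id] = [secret, pin, -1]

    def authorise(self, card_id: str, code: str, counter: int, now: int) -> bool:
        card = self.cards.get(card_id)
        if card is None:
            return False
        secret, pin, last = card
        # The counter must move forward, so a code copied from one purchase
        # (or lifted from a merchant database later) cannot be presented again.
        if counter <= last:
            return False
        window = now // TIME_STEP
        for w in range(window - DRIFT, window + DRIFT + 1):
            expected = card_code(secret, pin, w * TIME_STEP, counter)
            if hmac.compare_digest(expected, code):
                card[2] = counter
                return True
        return False


if __name__ == "__main__":
    secret = b"constructed-card-secret-not-real"  # constructed sample key
    issuer = Issuer()
    issuer.enrol("card-1", secret, "4321")
    code = card_code(secret, "4321", 1_000_000, counter=1)
    print("first use accepted:", issuer.authorise("card-1", code, 1, 1_000_000))
    print("replay accepted:", issuer.authorise("card-1", code, 1, 1_000_000))
```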
  82. Thanks Egghead! They have mine! by gelkote · · Score: 1

    As a now former Egghead customer I thought I would check out my statement. Much to my surprise I discovered a $10.25 charge from 12/21 to "GLOBAL TELECOM MOSCOW RUS". The MSNBC article mentions Global Telecom so it kinda looks like I've been had.

    Anyone else notice any recent oddities on their statements?

  83. Isn't this information encrypted? by samantha · · Score: 1

    Why wouldn't an e-merchant heavily encrypt detailed user info including credit card numbers? I assume by the alarm that it isn't encrypted or that the encryption is inadequate. Why?

  84. Re:IIS is known to have had many security flaws. by proberts · · Score: 2

    If you don't connect a box to the Net, you can't send it data (I consider anything connected to a box connected to the Net to be connected to the Net, so that's possibly semantics in a first vs. second order connection, but I think an important distinction.)

    I'm curious as to why you'd poll the database looking for unencrypted data versus arbitrating all DB access through a data broker that ensured it? In either case, the Web server has to be able to request and obtain the clear data, and while stored procedures are obviously the way to go, I've been hard-pressed to come up with a way to rate-limit the server's access to critical data if the server needs it (obviously CC#'s aren't the type of data a Web server needs access to, and stored procedures and second servers for customer service reps. fill that need quite well.) Especially in the "hundreds of thousands to millions of customers" category where queries per second are sometimes hardware limited instead of DB limited.

    I've also asked folks to implement middleware changes in the past that would disallow any wildcard query and alert like hell on them. That helps reduce worst-case exposure pretty significantly even though it's not a 100% ideal solution.

    My point on the number of bugs was twofold- first of all, I think that it's indicative of the legal climate that such realities could be aggressively tilted toward contributory negligence. Secondly, one of the things that we rely on in the security community is history. Historical exposure provides significant help in determining relative security. For instance, BIND, which I now refer to as the "Sendmail of the 90/00's" has historically been insecure. Choosing DNSCache is more than likely going to produce a more secure system. It obviously shouldn't be the sole criterion, but I think it's important to add historical context to any architecture design decision.

    OS Zealotry has such a limited place in any technical discussion or plan that it's minor, no matter what side the zealot falls on, but number of bugs does indeed indicate quite a bit once you normalize the results somewhat.

    I've found history and current bug severity and number to be accurate in choosing firewall vendors, and in choosing at what point a firewall vendor has changed development/QA processes enough to significantly impact functionality (it's a shame there's not a money-back critical bug metric in software contracts.) 32k bugs says one good and one bad thing. It says a lot for the QA process and a bad thing about the development/release process. But then I originally worked on mainframes where you got a couple hours of scheduled downtime a year if you were lucky and vendors who produced significant recurring bugs got thrown out on their asses quite quickly.

    I'm pretty happy working to secure almost anything, but there are a lot of choices that I wouldn't make to host data *I* personally was responsible for the security of (Irix springs immediately to mind in its non-trusted variant.)

    You should pause and ask yourself what the catchy number of bugs says about the design and implementation of Win2k. The reason for its slow adoption curve is because that spoke volumes to a lot of people. Granted only a portion of those bugs have a significant security context, but security is but one piece of the whole. Win2k is where NT should have started in regards to features and stability, and I've little personal patience for any vendor who wants me to pay for QA (MS certainly isn't the only vendor on my list, just the extreme case.)

    In an ideal world, we'd have easy to use and administer compartmented systems. Compartmented systems fly in the face of Microsoft's productivity in producing OS', and I see that as a potential problem moving forward- we're only starting to see the tip of that iceberg now in process-based protection mechanisms failing with very recent MS products. As usual though, security is always about compromise and securing what you have instead of what you might want. In an ideal world, OS' are commoditized to a point where it doesn't really matter which one you use and you can pick secure ones for secure purposes. That however flies in direct competition with every commercial OS vendor. It'll be really interesting to see what IBM does with AIX. SGI actually gamed it out early, but it doesn't seem to be overly important that IRIX is basically EOL'd as far as their sales go.

    Ah well, if the world was the way I'd like it to be, I'd be looking for interesting work...

    Happy Holidays,

    Paul

    --
    http://www.pauldrobertson.com
  85. Re:How were the CCs stolen? by dszd0g · · Score: 1

    I got the e-mail from egghead. It really surprised me since I had never purchased from them. I had an account with onsale, but hadn't trusted their security and gave their site a bogus credit card number and sent them an e-mail about their issues.

    From talking to egghead it appears my bogus credit card number was stolen :) From the person I talked to on the phone their credit card numbers are "double encrypted." I thought it slightly rude to ask exactly what it meant. It could be double DES for all I know :>

    --
    This message is encrypted with Quad ROT-13 to protect the author's copyright under the DMCA.
  86. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  87. Re:This cries out for one-time use credit card num by vaginux · · Score: 1

    One of the greatest misconceptions propagated by the credit card industry is that the consumer is liable for charges incurred on a stolen credit card.

    Read your agreements carefully; most of my cards hold me with little if any liability (the worst is $50 maximum). The rest of the bill is footed by the credit card company/issuer, not the consumer. When the credit card company denies a charge to 'verify security', it is not doing so for 'your protection', as they say, but for their own.

    So, if the credit card numbers were indeed stolen and used illicitly (which is not clearly the case), it's the credit card companies who have something to worry about, not the consumers.

    Regardless, Egghead.com should have had more secure systems; I'm sure this is very embarrassing.


    :::

    --

    :::
    Vaginux.
    "eat me".
  88. Almost had cc# entered at egghead by ratsrats · · Score: 1

    I am looking for a laser printer to buy. A friend suggested Staples but they were out of stock. "How about Egghead", he said. They are out of state and do free shipping. I was afraid to buy anything on-line, and now I am more so. Probably due to reading stuff on slashdot, securityfocus, 2600 magazine, hackernews, ... Oh well.

  89. Re:Why does egghead blame "crackers/hackers"? by _N0EL · · Score: 1

    Absolutely right, they weren't keeping up with patches on a server with known security problems. That's more along the lines of negligence, not a hacker problem.

    --

    "My mother works for Microsoft now. A whole other cult."

  90. Re:Customer Service Response by Jeff+Knox · · Score: 2

    There are not 15 databases. They have Worfin, and Blue, which are the main databases. Then there is Lectroid, which is ARC (the software the customer service and sales reps use). Worfin is the main database, which is live, and Blue is updated at midnight. Lectroid (and I think one more, I forget its name) are updated in semi real time. So, if they cracked one database, and not another, it really doesn't matter. They have identical content, except that one might be one day behind in content than another database. So best case scenario, the hacker got all the data up to the day before; he didn't get any new customer data the day he hacked it. Which is negligible when you think about how many credit cards he stole in total. And I'm quite sure they would know which one was stolen, unless the IT people are stupider than they were when I left egghead.

    --
    Jeff Knox
  91. It's amazing how common this seems to be by glwillia · · Score: 1

    I've worked for three companies that used e-commerce, and two of those were storing the credit cards and user passwords in the databases as plain text. (And this is by no means specific to NT/IIS users. One of the shops was using NT4/IIS, the other, Linux and Apache. The people at the Linux site were using telnet to access the database server remotely, on a default RedHat 6.1 install). Of course, I converted the scripts/databases to use encryption right away, but how many other sites are there that don't know better, and will go on storing everything plaintext until someone owns them?

  92. Re:Christmas.... by CiXeL · · Score: 1

    Unfortunately I don't think it will do any good; it seems the more money you pour into a problem the further you get from solving it. Do you actually think they will ever have a cure for AIDS or cancer? No. They'll make it a lifelong illness that they can milk forever. Maybe I'm just disillusioned with my job. If anyone's hiring in the southern California area for jr network admin or helpdesk, Linux or NT, email me plz.

  93. Re:Customer Service Response by x-empt · · Score: 1

    This does not make Jeff look like a criminal. The truth is that ANYBODY can find out that information, any employee, any customer. Want to verify that statement? Call their customer service and ask questions about their database and servers (ever hear of social engineering?) .... don't ask directly, make them want to tell you the information you want.

    Believe me, ANYBODY can get that information... fortunately Jeff is willing to speak out about it so that the general public can know the facts, instead of what some PR person tells the press.

    Nice work Jeff, I support you totally.

    --
    Ever need an online dictionary?
  94. Re:Why does egghead blame "crackers/hackers"? by Anonymous Coward · · Score: 1
    Right, and it's YOUR FAULT all your valuables got stolen cause you LEFT YOUR FRONT DOOR UNLOCKED. Keeping burglars out of houses is a SOLVED PROBLEM!

    You are CULPABLE, and you shouldn't be bothering the police with your whiney little crime report!

  95. What difference does it make? by electricmonk · · Score: 2

    If your CC number is stolen, just call the Credit Card company and have them cancel the charges. The only people who lose any money in thefts like these are the CC companies themselves, because it is actually cheaper to let things like this slide than it is to pursue legal action or even track the people down. And, frankly, I don't think I will be crying for them any time soon.

    --
    Friends don't let friends use multiple inheritance.
  96. Re:I was an Egghead customer by Dennis+Hopper · · Score: 1

    You would have been better off if you had torched a joint instead..

  97. Legal by Etriaph · · Score: 1

    What is Egghead.com legally supposed to do about this? Can anyone file a lawsuit? This is important to find out for future reference.

    --
    "It's here, but no one wants it." - The Sugar Speaker
  98. Re:have fun doing some christmas shopping by atrowe · · Score: 2

    Um, actually all Visa card numbers begin with the number four. Get your facts straight

    --

    -atrowe: Card-carrying Mensa member. I have no toleranse for stupidity.

  99. Why does egghead blame "crackers/hackers"? by imagineer_bob · · Score: 1
    When THEY are to blame? Not allowing your credit card #s to be accessed over the Internet is a SOLVED PROBLEM.

    They are CULPABLE and should be made to pay pay pay!

    1. Re:Why does egghead blame "crackers/hackers"? by _N0EL · · Score: 1

      Ever called the cops in a situation like this? Someone broke into my car several years ago by prying open the side window, thus breaking the retaining mechanism inside and allowing the window to be slid down quietly. I couldn't get the car into the shop immediately, so I put a wedge in to hold the window shut. Three days later someone forced the window open in spite of my half-assed wedge solution, and stole the stereo. You know who the cop blamed... ME for not getting the window fixed right away (never mind that the window mechanism could have just been broken again) and installing an alarm (like the world needs one more alarm going off needlessly while people are trying to sleep). I don't know what dream land you live in, but in the U.S., if you leave your front door unlocked and someone enters your house and rips you off, the cops will probably smack you up side the head for being such an idiot and then bothering them.

      --

      "My mother works for Microsoft now. A whole other cult."

  100. Re:IIS is known to have had many security flaws. by proberts · · Score: 2

    [We can take this to e-mail if you'd like]

    NT4 Stability:

    It's a combination of hardware, load and additional software. These days it's *extremely* difficult to depend on a single motherboard being manufactured for more than 2 quarters, so I'm leery of anything that's hardware-finicky or driver related (having just had to try to track down some video and Ethernet chipset stuff, I'm particularly sensitive to this at the moment.)

    I've seen certified hardware with inescapable problems and random issues, though not as often as grab-bag stuff.

    Bugs:

    In the best environment, 2/3rds of bugs are known- while most won't have a direct security context, 1% of them would be pretty significant. I don't like at all the fact that Microsoft will release a product that they've no intention whatsoever of ever fixing/finishing. Instability has been a next release selling point for them, and that bothers me a lot, but mostly morally.

    Some people like the idea of microkernels, I'm not convinced they have any real-world advantages, and side with Linus on that front. Given the APIs, I'm not sure that Win2k qualifies as "micro" anything ;)

    You should try Apache under NT, it's been threaded for what about 2 years now? The server is modular enough that if you spend some time with it, you can pare it down pretty significantly, and it handles named virtuals as well as anything.

    ACLs are only a beginning. If you want to see how a secure OS is built (secure to the level of potentially being able to give out writable CGI directories and open shell accounts and not worry about compromise) check out http://www.rsbac.de. That's the major advantage of an Open Source OS: for a relatively minuscule sized chunk of code (not to belittle the effort, the effort was and is tremendous) RSBAC gives us role based stuff (No more superuser compromise), full ACLs, Mandatory Access Control, compartments, malware control, and the European Privacy Model. Better yet, it's not just an implementation, it's a framework for creating new security paradigms. It's securelevel taken to the next level. That's where small *secure* dedicated machines should spring from. Best of all, it's still able to run normal programs. The only thing it could really use is more socket-oriented stuff, but there's already enough to use and gain from significantly as a base for secure systems.

    Don't even get me started about Exchange- you *can't* pare it down, SQL Server is monstrous- very secure doesn't come in packages that large without a lot of dedicated work that MS will never do because it's not profitable. Lovebug's spread had help from Exchange's architecture issues.

    They've already got massive version control issues with the current Service Pack/Hotfix stuff; adding more products would be a death knell for QA. Regression testing is probably their longest lag time to fix on critical issues and why SPs take so long to get out and can't have last-minute fixes incorporated.

    Given the inroads Linux has made into the high side, it's inevitable that MS will have problems down the road getting the successor to Win2k adopted since Win2k is at least mostly-stable.

    Personally, I don't think Embedded NT stands a chance against Linux/*BSD. But I've been wrong before. Twice ;) I just don't think that 2k brings anything significant to the table to make it worth the embedded device premium- you've still got the same driver difficulty issues and none of the source to fix them. Hardware's getting cheaper- why spend those revenue dollars on driver development? That's why "embrace and extend" and MS-only features are necessary to them, they're not scaled to compete any other way at the low end where volume would devalue their mid-and high end stuff. That's also why they need desktop and server OS merging.

    Back to real-world stuff- It's certainly possible to run real-world sites on NT, and we have no problem certifying our customers that do so once they've gotten through the essentials, but the level of diligence for IIS is higher than that for Apache (mod_rewrite's last bug is the only significant security sensitive Apache bug for a while now if you've configured conservatively.) Obviously because on-going reporting and testing are a part of our business, IIS is good for our model. Just like Word and the Macro Virus problem though, I personally think there are a lot of better choices that make more secure platforms. Beta was better than VHS though- and now the only Beta is the broadcast stuff, not consumer stuff (that wasn't one of the times I was wrong though, I went VHS all the way ;) )

    BTW: I was serious in the first post about trying the top few exploits against your IIS servers- the last time I saw someone do it on what seemed to be well-managed sites, the results were astounding.

    Best wishes,

    Paul

    --
    http://www.pauldrobertson.com
  101. Count 4 for IIS? by jesseraf · · Score: 1

    Let's see:
    CDUniverse ~ 10^6 cc#s
    Creditcards.com ~10^4 cc#s
    Eggheads.com ~ 10^6 cc#s
    Salesgate.com ~ 10^5 cc#s

    And these are just the ones we know about. That's scary. Just to be completely objective, have there been any *ix break-ins involving credit card lifts of any of those orders? I can't think of one off the top of my head, but there's gotta be.

  102. How to remove your number from their database.... by ndege · · Score: 1

    I have called, emailed, and used their "web-interface" to attempt to have Egghead remove my credit card information 4 times over the past 6 months. I was told that there was no way to remove that information and that their servers were secure.

    If I do have any unauthorized charges to my credit card, I will NEVER do business with them again, and I will not do business in the future with ANY company that chooses to cache my credit card info.

    BLARRRRRRRRR....
    ---

    --
    Sig Return: 204 No Content
  103. The Christmas Law by cribcage · · Score: 1

    For every additional use commercial advertisers can devise for "Santa Claus," the criminal element will devise three new ways to manifest "Ebenezer Scrooge."

    crib

    --

    Please don't read my journal
  104. Credit Card Security... by steppin_razor_LA · · Score: 1

    Unfortunately, I just bought some 802.11 cards from Egghead about a week ago. I can't believe that hacking their web servers could compromise credit card numbers. If credit card numbers need to be stored in a database that is potentially exposed to the Internet, then they should be encrypted.

    --
    Evolution: love it or leave it
  105. [OT]Re:Shouldn't EggHead be responsible? by pod · · Score: 1

    Bad analogy, it's not your fault the kid drowned in your pool. The kid was arrogant/disrespectful (entering private property and using someone else's pool) and/or dumb (by falling in/drowning). Oh wait, you live in the US... what's your address again? (You can be sued even if you had the pool properly secured; it's amazing how civil suits have nothing at all to do with criminal law.)

    --
    "Hot lesbian witches! It's fucking genius!"
  106. Re:This cries out for one-time use credit card num by Coward,+Anonymous · · Score: 2

    You can also use one-time credit card numbers with Discover.

  107. Credit Card number retention is not required. by fwc · · Score: 1
    I do online processing for one of my businesses. In this case, I DO NOT keep any credit card information online. The only electronic CC info is the last four digits of the card, and a "Payment Network Reference ID" I obtained when I authorized the card.

    From the Signio (verisign) API manual:

    "C - Credit Returns the specified amount to the account holder. It is not necessary to have the credit card number available if you have the original Payment Network Reference ID (PNREF) that was issued with the transaction."

    I've also done authorize.net transactions and they have similar requirements.

    About the only thing I do is that each CC (and other) transaction is printed on a dot matrix printer complete with all information so that I am covered in the future as far as chargebacks are concerned.

    I can't vouch for what verisign does with the credit card numbers, though...
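
The record layout fwc describes in #107 (the last four digits plus the processor's Payment Network Reference ID, with no card number kept online) side by side with the store-everything layout glwillia found in #91, as an added example that is not code from fwc, from Signio/VeriSign or from Egghead. `FakeGateway` is an in-memory stand-in for the processor and its PNREF format is invented here; the card number is the widely published Visa test number, not a live card; `find_pan_like` is the quick check a practitioner would run over their own database dump or backup to confirm that no full numbers survive.

```python
"""
Added example: keep only last4 + processor reference, refund by reference.
Nothing here is the real Signio/VeriSign or authorize.net API.
"""
import re
import secrets
from dataclasses import dataclass, asdict
from typing import Dict, List

# Constructed input: the well-known Visa test number, not a real card.
TEST_PAN = "4111 1111 1111 1111"


class FakeGateway:
    """Stand-in for the payment processor. It is the only party that ever
    sees the full card number; the merchant keeps the reference it returns."""

    def __init__(self) -> None:
        self._authorized: Dict[str, int] = {}

    def authorize(self, pan_digits: str, amount_cents: int) -> str:
        # Invented PNREF format: 'V' + 12 hex chars (never a 13+ digit run).
        pnref = "V" + secrets.token_hex(6).upper()
        self._authorized[pnref] = amount_cents
        return pnref

    def credit(self, pnref: str, amount_cents: int) -> bool:
        """Refund against the original authorization; no card number needed."""
        return pnref in self._authorized and 0 < amount_cents <= self._authorized[pnref]


@dataclass(frozen=True)
class NaiveOrder:
    """What comment #91 found in two shops: the full number in the table."""
    order_id: str
    pan: str
    amount_cents: int


@dataclass(frozen=True)
class TokenizedOrder:
    """What comment #107 keeps: enough to identify the card to a human and
    to the processor, nothing a thief can charge against."""
    order_id: str
    last4: str
    pnref: str
    amount_cents: int


def place_order_naive(gw: FakeGateway, order_id: str, pan: str, amount_cents: int) -> NaiveOrder:
    digits = re.sub(r"\D", "", pan)
    gw.authorize(digits, amount_cents)
    return NaiveOrder(order_id, digits, amount_cents)


def place_order_tokenized(gw: FakeGateway, order_id: str, pan: str, amount_cents: int) -> TokenizedOrder:
    digits = re.sub(r"\D", "", pan)
    pnref = gw.authorize(digits, amount_cents)
    # 'digits' goes out of scope here; only last4 and the reference persist.
    return TokenizedOrder(order_id, digits[-4:], pnref, amount_cents)


def refund(gw: FakeGateway, order: TokenizedOrder, amount_cents: int) -> bool:
    return gw.credit(order.pnref, amount_cents)


def serialize(records) -> str:
    """Flatten records the way a stolen table dump or backup would look."""
    return "\n".join(",".join(str(v) for v in asdict(r).values()) for r in records)


def find_pan_like(blob: str) -> List[str]:
    """Detective check: any run of 13-19 digits is a candidate card number."""
    return re.findall(r"(?<!\d)\d{13,19}(?!\d)", blob)


def demo() -> dict:
    gw = FakeGateway()
    naive = [place_order_naive(gw, "ORD-1001", TEST_PAN, 4999)]
    tokenized = [place_order_tokenized(gw, "ORD-1002", TEST_PAN, 4999)]
    return {
        "naive_pans": find_pan_like(serialize(naive)),
        "tokenized_pans": find_pan_like(serialize(tokenized)),
        "last4": tokenized[0].last4,
        "refund_ok": refund(gw, tokenized[0], 4999),
        "refund_too_much": refund(gw, tokenized[0], 5000),
        "refund_unknown_ref": gw.credit("VDEADBEEF0000", 1),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run `find_pan_like` over a real export before trusting a "we don't store card numbers" claim; the printed dot-matrix copy fwc mentions is out of scope of this check and still needs a locked cabinet.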

  108. Re:This cries out for one-time use credit card num by AintTooProudToBeg · · Score: 1

    Huh?

    I'm talking about the database at the American Express office, not the database of spent numbers at Joe's Ecommerce Site.

  109. Re:This cries out for one-time use credit card num by Lord_Breetai · · Score: 1

    It would also be a useless gesture when you probably have to activate the numbers before they're any good too.

    --
    "You are only young once, but you can be immature forever." -www.animemusicvideos.org
  110. Re:Christmas.... by Joe+Scsi · · Score: 1

    you lying s-o-b! cancer isn't something to joke or troll about.

  111. I'd been wondering . . . by Ethidium · · Score: 1

    Just today I was browsing the "security focus" headlines, and musing about the number of times egghead had been cracked. I'd been wondering when they were going to tell us that something important had been compromised; now I have my answer.

    Chia

    --
    \
  112. Site registration is bad by Camel+Pilot · · Score: 2

    Fucking Egghead.

    I typically avoid e-commerce sites that require me to "register" before I can buy; however I do happen to be a "registered" egghead customer :(

    First off you have to give them a user name/password which after a while you start using the same username/password unless you have a very good memory. Typically passwords are stored unencrypted on a database somewhere so that you (or some devious social engineer) can retrieve your password if you forget it. Once your username/password is compromised then a simple script can test for other accounts at major e-commerce and/or stock trading sites.

    Also, I prefer to have the store where I buy from wipe out my cc number after processing the order instead of leaving it around for some disgruntled employee to access.
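
The plaintext password tables glwillia describes in #91, and the "retrieve your password" support flow Camel Pilot describes in #112 that only works because of them, next to a salted, iterated hash, as an added example that is not code from either poster or from Egghead. It uses only the Python standard library; the in-memory dicts standing in for user tables, the user names and passwords, and the second "broker" site are constructed for the demo, and the PBKDF2 iteration count is a placeholder to raise for production.

```python
"""
Added example: why a dumped password table should be worthless, and why a
stolen plaintext table is immediately reusable against other sites.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

ITERATIONS = 100_000  # placeholder; raise for production as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class PlaintextUserStore:
    """What comment #91 found: the table holds the password itself."""

    def __init__(self) -> None:
        self.rows: Dict[str, str] = {}

    def register(self, user: str, password: str) -> None:
        self.rows[user] = password

    def login(self, user: str, password: str) -> bool:
        return self.rows.get(user) == password

    def forgot_password(self, user: str) -> Optional[str]:
        # The "retrieve your password" flow from comment #112.
        return self.rows.get(user)


class HashedUserStore:
    """Same interface; the table never holds anything reversible."""

    def __init__(self) -> None:
        self.rows: Dict[str, str] = {}

    def register(self, user: str, password: str) -> None:
        self.rows[user] = hash_password(password)

    def login(self, user: str, password: str) -> bool:
        record = self.rows.get(user)
        return record is not None and verify_password(password, record)

    def forgot_password(self, user: str) -> Optional[str]:
        # Nothing to hand back; the only honest option is a reset.
        return None

    def reset_password(self, user: str, new_password: str) -> None:
        self.rows[user] = hash_password(new_password)


def credential_stuffing(dump: Dict[str, str], target) -> List[str]:
    """Replay every (user, secret) from a stolen table against another site.
    Works only if the dump exposed usable passwords."""
    return [user for user, secret in dump.items() if target.login(user, secret)]


def demo() -> dict:
    shop = PlaintextUserStore()
    hardened = HashedUserStore()
    broker = HashedUserStore()  # the stock-trading site from comment #112
    for store in (shop, hardened, broker):  # constructed users, reused passwords
        store.register("alice", "Tr0ub4dor&3")
        store.register("bob", "hunter2")
    return {
        "plaintext_dump_hits": credential_stuffing(shop.rows, broker),
        "hashed_dump_hits": credential_stuffing(hardened.rows, broker),
        "hashed_login_ok": hardened.login("alice", "Tr0ub4dor&3"),
        "hashed_login_wrong": hardened.login("alice", "Tr0ub4dor&4"),
        "recover_plaintext": shop.forgot_password("bob"),
        "recover_hashed": hardened.forgot_password("bob"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The per-user random salt is what makes two users with the same password look different on disk; the iteration count is what makes an offline guess expensive. A support desk that can read a password back to a caller is the sign that neither is in place.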

  113. Education by jafac · · Score: 2

    Regarding my previous comments on "Security being the red-headed stepchild of computer science because consumers are too stupid to know or care about it".

    Education can be painful. But in the end, it's better to learn a lesson than not.

    --

    These are my friends, See how they glisten. See this one shine, how he smiles in the light.
  114. Re:Will they let individuals know? by Corgha · · Score: 2
    Maybe they figure that not telling users is a form of damage control. Sure, maybe some people will get upset if this sort of thing happens and you don't inform those who may have been affected. Then again, if you send out a message to all your customers telling them that some hacker has their credit card number, you know your phone is going to be ringing off the hook. I certainly wouldn't be happy to sign my name to that sort of letter. Maybe they feel that they would lose more customers by admitting fault than by keeping mum.


    This is not to say that I think keeping silent is right (taking responsibility for your mistakes is the Right Thing To Do), but it is certainly understandable.

  115. IIS is known to have had many security flaws. by blinko · · Score: 4

    Here's a telling excerpt from the article.

    > Hacked servers by Microsoft
    > Robertson said that Egghead.com is using Microsoft's Internet Information Server, a common e-business server, as the platform for its online service.
    >
    > IIS is known to have had many security flaws.

    Show that to your boss.

    --

    blinko - "the nail that sticks up gets hammered down"
  116. N'th time by cvore · · Score: 1

    This is about the fourth time I hear about some big credit card company getting cracked. It is really weird that the banking companies do not prioritize security more. It is even worse that the credit card users do not get enough information. Every bank wants to make money off the users and therefore guarantees the users that the bank's databases are totally safe. It is cases like this that make my trust for e-commerce drop drastically. Network security is a very hard subject, but banks should invest a lot more time in this.

  117. How were the CCs stolen? by geophile · · Score: 2

    Does anyone know how the numbers were stolen? Were they obtained purely from the outside, or with inside help? Were the numbers encrypted in the database? So far, I haven't seen an account of how the theft occurred.

  118. Well, Least Their New Security System Works! by Anonymous Coward · · Score: 1
    Req:

    http://www.egghead.com

    Response:

    Connection refused

  119. Merry fscking Christmas by AFCArchvile · · Score: 2
    When I logged on to Slashdot, the sight was pretty grim.
    Their god is Linus Torvalds and they'd live and die for him.
    They believe in source code, and not in the corporate way.
    So I'll go to "slashdot dot org" and post a comment and saaaaayyy....

    HEY THERE MISTER SLASHDOTTER! Merry fscking Christmas!
    Put down that disk of core dumps, and hear my holiday wishes...
    In case you haven't noticed, it's Jesus's birthday
    So get off your penguin-loving butt and fscking celebrate!

    --
    "Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer
  120. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  121. Suprisingly Reassuring by chissad · · Score: 1

    It's odd to find MSNBC, if you look in the article, to use the proper term "crack".

    --


    -root is lord.
  122. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  123. Re:Customer Service Response by Jeff+Knox · · Score: 1

    Thanks. I believe in full disclosure. I'd much rather tell the truth about the situation instead of having rumours spread around. It's not like I'm telling anything sensitive anyway; I said they have 3 databases instead of 15, no biggy. The CS rep told you there were 15, I told you no more than that, but that number is wrong. And shed some light on the true damage potential. BTW, I'm typing this on a Dreamcast using a hacked up web browser. You people should check this out. Also, my credit card is in the database too, so I feel with the rest of you.

    --
    Jeff Knox
  124. Comment removed by account_deleted · · Score: 5

    Comment removed based on user account deletion

  125. Re:This cries out for one-time use credit card num by acceleriter · · Score: 1

    While there is risk for an attack on AMEX's database, I'd bet on the data security practices at American Express over those at J. Random E-commerce site. There is risk in everything we do, but these risks can be mitigated with innovative solutions and their intelligent application.

    --

    CEE5210S The signal SIGHUP was received.

  126. would someone mod this up? by gimpboy · · Score: 1

    It's always fun to blame it on MS, but it's normally a sysadmin that didn't keep the system updated...

    use LaTeX? want an online reference manager that

    --
    -- john
  127. Bastards by nd · · Score: 1

    I have an egghead account, and there were more than 5 unauthorized transactions on my credit card statement this last month. Maybe it's coincidental, but this has never happened before so it's probably a result of this.

    I'm not blaming egghead for being cracked, I'm blaming them for storing my credit card in their database. I should be given an option as to whether or not I want to use their "one-click" shopping. Granted, it was my choice to signup with them, but I generally do not deal with sites with those policies (made an exception for Egghead because of the free shipping -- shame on me).

    I don't want to trust or depend on THEIR security. Just say no to one-click shopping.

  128. caveat egghead by hugg · · Score: 2

    I used to work for a consulting firm who had a lot of startup online-store-making clients. One of these folks emailed us a plaintext file full of credit card numbers from their database. They just didn't know any better! Your credit card number, like your CC# and favorite member of Wham, is not safe.

  129. What type of databases were broken into? by MongooseCN · · Score: 1

    So what type of databases were broken into? MS, Oracle, etc... The articles always fail to mention this. If it's consistently the same database then people might take a little more caution when using it or not use it at all.

  130. Convenience vs. Security by cylence · · Score: 1

    It's too bad that this kind of theft will probably scare people away from online purchases even when it's a database that's cracked rather than their transactions.

    Nah. Most people who are already shopping online will probably continue to do so. All security issues are generally a case of security vs. convenience, and when the convenience is great enough, seems like it usually overrules insecurities. Of course, the reverse is true if the insecurities are great enough to overrule convenience...

  131. They should have used encryption by AnotherBlackHat · · Score: 1

    Yet another case where cryptography could have prevented a crime.