Caveat Emptor: Egghead.com Credit Records Nabbed
Voorshwa and at least a dozen others wrote with this news: "Found this one over on ZDNet.com news. Turns out the security over at Egghead wasn't very good. Losing 3.1 million credit card numbers has got to put a damper on a lot of Christmas cheer!! Wish these big companies would learn a little ..." No yoke. It's too bad that this kind of theft will probably scare people away from online purchases even when it's a database that's cracked rather than their transactions. Reader insmod points to coverage at MSNBC as well which mentions that Egghead was not the only site hit this holiday season.
MS is the largest software company in the world. I just went to Borders tonight for some last-minute Xmas shopping. The store is FILLED with books on MS products, and many of them have large, reasonably comprehensive sections on security. There are probably millions of MCSEs and similar MS** professionals out there. The MS KB is FULL of articles on securing the machines. Bugtraq and NTBugtraq are likewise full of articles - good, technical ones - on security flaws, the NT/IIS security model, and security in general. All of these comments apply to Oracle, as well.
Why can't they secure the fscking box, then?
Personally, I believe that this is not a question based on the technical merits, rather, the social or cultural merits. These kinds of problems are, in the oh-so-eloquent words of my father, "dumb-boy shit".
I don't think IIS is inherently insecure; I think the computing model promoted by Microsoft - that an accountant, secretary, or poorly-trained nobody can set up a fully functional e-biz site - is the inherent insecurity. That MS's "bring computing power to the masses" crusade is what's biting them on the ass.
ZOMG I WOULD LOVE TO KNOW ABOUT YOUR FEELINGS ON MACINTOSH VERSUS WINDOWS, VI VERSUS EMACS, AND HOW YOU'RE NOT A DORK
Shouldn't Egghead be held responsible for the loss of those CC#'s? As in, there were plenty of industry-accepted techniques for securing CC#'s that they didn't use. Shouldn't they be legally responsible for, at the very least, all costs to the credit card company of dealing with bogus charges and replacements on those cards? I really don't think the credit card company should have to pay. Suppose it costs $10 worth of time and resources to reprint a CC. That's thirty seven MILLION dollars that I really don't want to pay for in the form of interest rate hikes. I think the CC companies should file a lawsuit demanding recompense. Yes, it was bad luck that it happened to Egghead, but they were negligent. In the same sense that if I don't put a fence around my pool and some kid drowns in it, I am responsible because I was negligent. Perhaps that very direct cost to Egghead would help wake up the industry to this very real danger.
BZZZZT
You can store the transaction number which does not contain the CC number at all or a way to generally access the account AND just MAYBE the last 4 numbers of the card.
I have written several e-com sites and dealt with cybercash and authorize.net... customers HAVE gotten their money back on purchases but we dont store credit cards plain and simple.
And if you REALLY must store them, oh please oh please encrypt the damn things and store the private key EXTERNALLY. The simple version is you have to type the thing every time; typically we make the customer enter it in twice just for verification. I personally have only worked with one site where we stored them (encrypted using a public key, with private keys far from the net), which was only for bad cases or customer service; the process to retrieve a CC from the DB was pretty easy but still took human intervention.
Overall, if you're storing them as plain text you DESERVE to be hacked big time.
That is just how it is
Excuse the formatting of my post I just wanted to mention this, thanks.
Jeremy
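The storage pattern Jeremy describes (keep only the transaction reference and last four digits on the web tier; if the full number must be kept, seal it to a public key whose private half stays off the net), as an added example that is not code from the original post. The record layout, the `StoreCard`/`RecoverCard` names, and the test card number are assumptions constructed for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// CardRecord is what the web-facing database keeps: no plaintext card number.
// Constructed layout for this example, not any real merchant's schema.
type CardRecord struct {
	TxnID        string // gateway transaction reference, enough for refunds
	Last4        string // enough for customer service to identify the card
	EncryptedPAN []byte // full number, RSA-OAEP sealed to the offline key
}

// StoreCard needs only the public key, so a dump of this table yields no
// usable card number: the web tier never holds the private key.
func StoreCard(pub *rsa.PublicKey, txnID, pan string) (CardRecord, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return CardRecord{}, fmt.Errorf("bad PAN length %d", len(pan))
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(pan), []byte("pan-v1"))
	if err != nil {
		return CardRecord{}, err
	}
	return CardRecord{TxnID: txnID, Last4: pan[len(pan)-4:], EncryptedPAN: ct}, nil
}

// RecoverCard is the offline customer-service step: it requires the private
// key, which lives on a machine away from the internet-facing hosts.
func RecoverCard(priv *rsa.PrivateKey, rec CardRecord) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, rec.EncryptedPAN, []byte("pan-v1"))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed: the offline keypair
	rec, _ := StoreCard(&priv.PublicKey, "TXN-0001", "4111111111111111") // constructed test PAN
	fmt.Printf("stored: txn=%s last4=%s sealed_bytes=%d\n", rec.TxnID, rec.Last4, len(rec.EncryptedPAN))
	pan, _ := RecoverCard(priv, rec)
	fmt.Println("recovered offline:", pan)
}
```

In production the private key would be generated and kept on the offline host, with only the public key deployed to the web servers.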
This incident underscores the usefulness of one-time credit card numbers, such as those provided by American Express' Private Payments service. This service allows the cardholder to generate an account number for each transaction. So if that number is stolen from a merchant's database later, it's useless. This also comes in handy for preventing unauthorized billings from the same merchant later on.
But why have they not contacted me? Email is an EASY way to contact customers, yet they haven't.
They keep your CC# on file indefinitely, even if you have your account suspended. I honestly don't know why they keep your CC# in the databases?
This is always the problem with all these sites that are broken into.
Plus, for pete's sake.... deny (YES DENY) all select requests on the tables that contain cc#s... if your database can't deny SELECTs then you need a new DB server!
Ever need an online dictionary?
"It's too bad that this kind of theft will probably scare people away from online purchases even when it's a database that's cracked rather than their transactions."
It's even WORSE when databases are cracked! I can easily call my credit card company when I have a dispute to a charge or suspect my credit card is screwed, but if millions of card numbers are stolen, then millions of people have to deal with it. Credit card companies probably don't like having to notify or handle millions of irate customers with disputed charges, and probably don't like having to re-print new cards for all of these cardholders. This is really sad, that this was even able to happen, and that Egghead left the credit card numbers on their server. If they'd been backed up to another computer that only has a hard connection while the backup is in progress, then this would be much more difficult.
"Titanic was 3hr and 17min long. They could have lost 3hr and 17min from that."
IBM had PL/1, with syntax worse than JOSS,
And everywhere the language went, it was a total loss...
Apache is known to have zero security flaws.
At least the cracker could use one of those numbers to send the sysadmins a recovery care package:
pizza
Mountain Dew
1/2 ton of candy in Christmas colors
151 proof "eggnog"
Here's a telling excerpt from the article.
>Hacked servers by Microsoft
>Robertson said that Egghead.com is using Microsoft's Internet Information Server, a common e-business server, as the platform for its online service.
>IIS is known to have had many security flaws.
Show that to your boss.
--
blinko - "the nail that sticks up gets hammered down"