Slashdot Mirror


Caveat Emptor: Egghead.com Credit Records Nabbed

Voorshwa and at least a dozen others wrote with this news: "Found this one over on ZDNet.com news. Turns out the security over at Egghead wasn't very good. Losing 3.1 million credit card numbers has got to put a damper on a lot of Christmas cheer!! Wish these big companies would learn a little ..." No yoke. It's too bad that this kind of theft will probably scare people away from online purchases even when it's a database that's cracked rather than their transactions. Reader insmod points to coverage at MSNBC as well, which mentions that Egghead was not the only site hit this holiday season.

5 of 164 comments

  1. This cries out for one-time use credit card number by alecto · · Score: 5

    This incident underscores the usefulness of one-time credit card numbers, such as those provided by American Express' Private Payments service. This service allows the cardholder to generate an account number for each transaction. So if that number is stolen from a merchant's database later, it's useless. This also comes in handy for preventing unauthorized billings from the same merchant later on.

  2. yeah my cc is one of them by x-empt · · Score: 4

    But why have they not contacted me? Email is an EASY way to contact customers, yet they haven't.

    They keep your CC# on file indefinitely, even if you have your account suspended. I honestly don't know why they keep your CC# in the databases.

    This is always the problem with all these sites that are broken into.

    Plus, for Pete's sake... deny (YES DENY) all SELECT requests on the tables that contain CC#s. If your database can't deny SELECTs, then you need a new DB server!

    --
    Ever need an online dictionary?
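The "deny SELECT on the card table" idea above, worked through as an added example that is not from the thread or from Egghead: a PostgreSQL-style least-privilege layout in which the web-facing role can insert card records and read only the non-sensitive columns, while the full card number is readable only by a separate back-office role. Table, column and role names are hypothetical.

```sql
-- Added example (not from the thread): least-privilege grants on a table
-- that stores card numbers. Role and table names are hypothetical.

CREATE TABLE stored_cards (
    card_id     bigserial PRIMARY KEY,
    customer_id bigint  NOT NULL,
    pan         text    NOT NULL,  -- full card number; encrypt or tokenize in practice
    last4       char(4) NOT NULL,  -- the only part the web tier ever needs to show
    expires     date    NOT NULL
);

-- Weak setting: the web application connects as the table owner (or with
-- GRANT ALL), so a compromised web server can dump every card number.
--   GRANT ALL ON stored_cards TO webapp;   -- do not do this

-- Hardened setting: nobody gets access by default; the web-facing role may
-- insert rows and SELECT only the non-sensitive columns. A SELECT that
-- touches the pan column is refused by the database itself.
REVOKE ALL ON stored_cards FROM PUBLIC;
CREATE ROLE webapp NOLOGIN;
GRANT INSERT ON stored_cards TO webapp;
GRANT SELECT (card_id, customer_id, last4, expires) ON stored_cards TO webapp;

-- Only the batch settlement job, running on a separate host with its own
-- credentials, may read the full number.
CREATE ROLE settlement NOLOGIN;
GRANT SELECT ON stored_cards TO settlement;

-- Verification (run as a superuser or a member of webapp): the first query
-- succeeds, the second fails with a permission-denied error on stored_cards.
SET ROLE webapp;
SELECT customer_id, last4, expires FROM stored_cards;
SELECT pan FROM stored_cards;
RESET ROLE;
```

Column-level grants of this kind are supported in PostgreSQL and in several other servers; the point is that the check happens in the database, so a bug in the web application cannot widen what that application's credentials can read.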
  3. Online transactions... by TWX_the_Linux_Zealot · · Score: 4

    "It's too bad that this kind of theft will probably scare people away from online purchases even when it's a database that's cracked rather than their transactions."

    It's even WORSE when databases are cracked! I can easily call my credit card company when I have a dispute over a charge or suspect my credit card is screwed, but if millions of card numbers are stolen, then millions of people have to deal with it. Credit card companies probably don't like having to notify or handle millions of irate customers with disputed charges, and probably don't like having to re-print new cards for all of these cardholders. This is really sad, that this was even able to happen, and that Egghead left the credit card numbers on their server. If they'd been backed up to another computer that only has a hard connection while the backup is in place, then this would be much more difficult.

    "Titanic was 3hr and 17min long. They could have lost 3hr and 17min from that."

    --

    IBM had PL/1, with syntax worse than JOSS,
    And everywhere the language went, it was a total loss...
  4. IIS is known to have had many security flaws. by blinko · · Score: 4

    Here's a telling excerpt from the article.

    >Hacked servers by Microsoft
    >Robertson said that Egghead.com is using Microsoft's Internet Information Server, a common e-business server, as the platform for its online service.

    >IIS is known to have had many security flaws.

    Show that to your boss.

    --
    blinko - "the nail that sticks up gets hammered down"
  5. Comment removed by account_deleted · · Score: 5

    Comment removed based on user account deletion