Dear Sir: Your Credit Card Number Has Been Owned
An anonymous reader submits: "California has become the first state in the nation to require companies victimized by malicious computer attacks to disclose what might have been compromised to their customers. Dubbed the Security Breach Information Act, companies whose systems are cracked and have credit card, bank account, and/or other significant customer data stolen are required to report the intrusion either by email, snail mail, a notice on their website, or by notification to the news media. Law takes effect Tuesday, July 1 (tomorrow)."
Slashdot was compromised back a few years ago. The maintainers were very quick to notify everyone and recommend changing passwords immediately. If only other businesses were as forthcoming!
And there weren't any credit card numbers involved!
Helping with organizational effectiveness is our job.
When I first started using credit cards 3 years ago, I never used them on the internet for 6 months, fearing the consequences of a theft. But, one fine day, my statement showed charges from some cruise/vacation website and some discounts program I never heard of before for $200!! I got mad and called the credit card company and it took them 2 months to fix it. Then, I decided, what the heck, let's use 'em on the internet since the numbers will be stolen anyway. :(
New year Resolution: Don't change sig this year
"Umm, I would send out notices, but it appears that the crackers overwrote the mailing addresses of our entire userbase with 123 Sesame Street."
"required to report the intrusion either by email, snail mail, a notice on their website, or by notification to the news media."
Nice try, but I don't think the judge would be amused.
Interesting idea, except that a CA senator introduced a similar bill on a national basis last week. (RTFA) The second paragraph also happens to mention that it doesn't matter where a company is physically located; they just have to have customers in CA.
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
Sorry, wrong - HotMail was originally running on FreeBSD. When MS bought it, they transitioned to Win2K, which actually managed to perform BETTER in many circumstances - for example, negating the need for SSL accelerators, etc.
You can read the whole case study here.
Look at the bottom of this page - MS has a Java database driver for UNIX systems, distributed as a .tar file (direct link, installation instructions). It looks like Microsoft uses ksh, not bash. And according to the FAQ, the driver itself is written in pure Java.
There's something unsettling about all of this...
To quote the parent:
The other and far more difficult problem: what about when this information gets stolen and the company doesn't notice?
There's something in the laws already about how you cannot be held responsible if somebody commits crimes using your materials as long as you make a good faith effort to report it.
For example, if you find your car gone, you report it stolen, and the next day it's used in a bank robbery, you are usually held innocent unless they have your face on the videotape or something.
Which won't help any company in CA. As soon as somebody there gets hacked, and the attorney general starts seeing enough reports, they'll be investigated. Even worse, they might be forced to admit that they don't know what is going on with their servers.
Karma: Food Fight (Mostly affected by Date Plate).
I just got home a few hours ago from a seminar where I heard a Real Lawyer discussing this exact question.
If you advertise in a California paper and sell to a California resident, that's governed by California law even if your corporate home is in another state.
If you have a branch in California, same deal. You're considered to be doing business *in* California, as opposed to across state lines.
There are a lot of complicated rules about what constitutes "doing business in" a state, rules which evolved back in the meatspace era.
Remember all those "void where prohibited" disclaimers? Those were short for "If your state doesn't allow this, I'm not offering it there, so I'm not soliciting business from anyone in your state".
All legal errors in the above are my fault. If you get in trouble because you got your legal education from Slashdot, that's your fault.
I would say the majority of stolen CC #s are probably not on the net. At least personal anecdotal evidence seems to point in that direction. I've known at least five cases, one of which being my parents, who are generally anal in protecting their credit cards / bank accounts, in which the number was stolen and used. One interesting thing to note about these cases was that they all were either proven or most likely stolen at restaurants.
The next time you're at a restaurant, receive the bill, and you're about to give the credit card to the waiter or waitress, you may just want to consider how much trust is required for that transaction. The waiter takes your card, walks off and runs the card, and comes back with your receipt and card. In that amount of time out of your possession, the number, name, expiration date, and the bank information on the back of the card could all be easily copied.
Hackers have used this attack many times before. The most recent one that I remember was PayPal. They claimed the password database had been corrupted or something, and asked people to click the link and re-enter their passwords. Got a whole lot of accounts that way.
Someone else did it with a note that said they were putting a timer on service so that you had to log in every so often to keep your account active. People went and logged in by the thousands to the phony site they set up.
I hereby place the above post in the public domain.