Dear Sir: Your Credit Card Number Has Been Owned
An anonymous reader submits: "California has become the first state in the nation to require companies victimized by malicious computer attacks to disclose what might have been compromised to their customers. Dubbed the Security Breach Information Act, companies whose systems are cracked and have credit card, bank account, and/or other significant customer data stolen are required to report the intrusion either by email, snail mail, a notice on their website, or by notification to the news media. Law takes effect Tuesday, July 1 (tomorrow)."
Slashdot was compromised back a few years ago. The maintainers were very quick to notify everyone and recommend changing passwords immediately. If only other businesses were as forthcoming!
And there weren't any credit card numbers involved!
Helping with organizational effectiveness is our job.
"All your base is now belong to them."
Not a bad idea but, with them having a 38 billion dollar deficit one would think they'd be focused on that.
So glad not to be there now.
People should be responsible for poor security they implement.
autopr0n is like, down and stuff.
This looks like a good start for something that should have happened a long time ago. If people know their information (such as credit card numbers) has been compromised, they can solve the problem. Under Australian law, I think that companies have to tell you if you ask, but I'm not sure they actively publish that kind of information... If they don't, they should! Does anyone know if ISO has a certified standard for web services security? If not ... this might be a good time to make one...
"Umm, I would send out notices, but it appears that the crackers overwrote the mailing addresses of our entire userbase with 123 Sesame Street."
I don't think that posting the information on the website would be effective enough. Sites such as amazon.com may have my credit card number stolen. If I don't visit the site within the time frame that they are displaying it then I may never find out about it. They need to do something that requires less action from the users such as snail/e-mail. I don't think site postings should be allowed.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
guess we know what state hax0rs will target tonight, trying to be the first to make a company "go public"
way better than IPOs!
Chicago2600.net: more than a lifestyle, it's a survival trait.
To quote the parent:
Yea, all you need to do is find the white-on-white "click here" hyperlink.
Like I'm supposed to go out every day and check every credit card site, all my bank account sites, every mutual fund site, every stock broker site, etc, etc, etc?
Why? Why does the company that has been hacked have to engage in a deliberate act (e-mail, snail mail, phone calls, whatever) except for this? Why not force companies to own up to their mistakes?
Karma: Food Fight (Mostly affected by Date Plate).
...that this WASN'T required by law before!
CAn'T CompreHend SARcaSm?
Does anyone actually expect American Express or a similar large company to post publicly on their website that they were 0wnz3rd?
If so are they going to post a list of everyone who's information was possibly lifted?
(Translated to English, for readability purposes only.)
1337 h4xxor> The company I broke into published it in the morning newspaper!!!1!1!
5kr1p7 k1dd13> That's nothing!1!! I made the evening news!11!!!1!1
Aha, spelling Nazis, now the shoe is on the other foot!
Instead of fixing their security, companies will just find it cheaper to just move their servers out of California.
Linux O Muerte!
When I first started using credit cards 3 years ago, I never used it on the internet for 6 months, fearing the consequences of a theft. But, one fine day, my statement showed charges from some cruise/vacation website and some discounts program I never heard of before for $200!! I got mad and called the credit card company and it took them 2 months to fix it. Then, I decided, what the heck, let's use 'em on the internet since the numbers will be stolen anyway. :(
New year Resolution: Don't change sig this year
companies whose systems are cracked...are required to report the intrusion either by email, snail mail, a notice on their website, or by notification to the news media.
Now I'm not sure what I should be more afraid to find in my email, this or spam....
Business \Busi"ness\, n.;
A scam in which all people involved perceive as beneficial...
When the hacker breaks into the notification server?
Even if they didn't steal any information (other than some emails on the server) they could scare the living crap out of a lot of people....like a BIG practical joke.
Then the company would have to send out another email via the notification system to their customers....this ought to be interesting...why trust the company that claimed it was hacked yet it wasn't?
"Some fight for law. Some fight for justice. What will you fight for? One day, you will see."
Increased costs take effect Wednesday, July 2 (the day after the day tomorrow).
Sorry for that. While this is good for the Consumer, it is even better for hosting companies and businesses deciding to move elsewhere. The sad fact is that without really good analytical tools - most companies do not know what was cracked at all.
Tripwire is one that comes to mind, and if used properly is an excellent forensic tool. Too bad some schmoes don't know that. I know an IT director who believes that wiping everything down and reinstalling from a backup image is the way to go. Of course - backups aren't 100% reliable and you tend to lose data - but who am I and what do I know?
Trust me - that works until you lose really critical data. Then you are screwed buddy. Oh well, that's NMP. Not my problem.
Funny thing is that if they don't know they were cracked, how do they know when to notify you that your account or data might have been cracked and hijacked?
Think about it. If they were too stupid to catch it, how will they ever know who to notify and who not to notify? When you cannot trust your data, everything else becomes meaningless.
I wonder if these notices will lead to more false insurance claims from losses due to cracking? After all, how can the banks, credit card companies, etc. prove diddly when they don't even know for certain that you have been cracked or if their data is accurate or just total hogwash.
Would you trust a business that notified you that your account might have been cracked and you could have some of your valuable precious data being floated around the Internet?
Of course, they could have avoided all that by using real equipment, but you won't know the truth any more than they know the truth.
All Ad hominem replies happily ignored as the sender shall be deemed to lack the faculties to comprehend the equation.
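The post above points at Tripwire-style file integrity checking as the way to know what an intruder actually touched. The following is an added illustration, not code from the thread or from the Tripwire project: it takes a SHA-256 snapshot of a directory tree, and later diffs the live tree against that snapshot to list added, removed and modified files. The directory layout and file contents in `demo()` are constructed for the example.

```python
"""Added example: a minimal file-integrity baseline in the spirit of Tripwire.
Snapshot digests of a tree, keep the snapshot somewhere the web server cannot
write to, and later compare the live tree against it."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def snapshot(root: str) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    digests: Dict[str, str] = {}
    for path in sorted(Path(root).rglob("*")):
        # Skip symlinks first: is_file() would otherwise follow them.
        if path.is_symlink() or not path.is_file():
            continue
        h = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify files as added, removed or modified relative to the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a tiny tree, then simulate tampering."""
    with tempfile.TemporaryDirectory() as root:
        base = Path(root)
        (base / "etc").mkdir()
        (base / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (base / "bin").mkdir()
        (base / "bin" / "ls").write_bytes(b"\x7fELF original")
        baseline = snapshot(root)

        # Simulated intrusion: replace a binary, delete a file, drop a new one.
        (base / "bin" / "ls").write_bytes(b"\x7fELF trojaned")
        (base / "etc" / "passwd").unlink()
        (base / "tmp").mkdir()
        (base / "tmp" / ".hidden").write_text("dropper")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

The report from `demo()` lists `bin/ls` as modified, `etc/passwd` as removed and `tmp/.hidden` as added. The value of the approach depends entirely on the baseline being taken before the compromise and stored where the compromised host cannot rewrite it; a snapshot kept on the same box is just another file for the intruder to edit.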
Do you think that a little "This site powered by Windows 2000" icon on the bottom of the page be considered appropriate notification?
Whatever happened to encryption?
why not make the company responsible for notifying my credit card company? Or better yet make them pay for fraudulent charges that I could prove were from their negligence?
They screwed up; they should incur the cost of cleaning up the mess. If companies were responsible to that degree then watch how high security budgets would skyrocket. If they shouldn't be responsible to that degree with my sensitive information then why bother passing legislation like this?
This is just an attempt to sell Microsoft a lot of stamps.
Between the time the company notifies you and you receive your new card in the mail, that's damn near 14 days of sales tax he can't collect on purchases you might make
How about that. Someone breaks partway into a system at my bank. The bank may not know exactly what has been compromised, but they then publish a list of what it could be. Intruder now knows how close they are to the money!
-- All your bass are below two Hz
The _only_ sure-fire way to prevent getting your CC# stolen is to not have a CC to start with. But that still doesn't protect you from identity theft as someone can open a card in your name if they have your SSN from somewhere.
Ha! Finally, having bad/no credit is advantageous! They'll never be able to get a card in my name! Bwahaha!
These rules are good. I think both notification and public notices of being hacked should be required. But merchants and customers should be smarter to start with.
Many prominent ecommerce sites insist that if you buy with them, you have to open an account where your credit card info will be stored permanently (read the fine print on PayPal, for example, what happens when you try to erase it).
In order to permit you to reuse the credit card number without reentering it later, it generally has to be stored in a place accessible to the web server applications, aka a very hackable location. They usually claim to protect this via n-bit encryption, but their application can easily decrypt it, generally meaning that a hacker who owns the web server can as well.
If a brick-and-mortar merchant insisted on storing a xerox of the credit cards of all his customers in a filing cabinet on the sales room floor in case any time in the future they forgot their credit cards, I would still feel more secure than this sort of e-merchant makes me feel (because the volume of CC numbers is less and it can't be accessed remotely) than a database with millions of card numbers. There is a huge difference between temporarily using the credit card info in a transaction database and making it permanently available in an account database. Not only can transaction records be more fully isolated from the web servers than account records, but in the transaction case, the most compromised is far less than the millions of credit card numbers compromised in an account database. You make yourself vulnerable forever if you do business with someone who wants to keep your credit card available in your account, and they probably will not even tell you if it is compromised.
IMO, good merchants do not insist on storing your credit card number in the account, but rather permit you to manually reenter it every time. Just like all the Microsoft email conveniences that turn out to be security holes, this sort of ecommerce convenience is asking to have your credit card number abused, with no notification. The number is safer in your wallet or travelling across SSL than in a web-server database with millions of other credit cards.
PayPal refuses to erase the account info even if you erase it. Perhaps this sort of law will eventually force irresponsible merchants to rethink the way they expose millions of cards to cracking. You can't hack what is not on the server.
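The post above makes two claims worth seeing in code: that "n-bit encryption" of a stored card number buys little when the web application itself holds the key, and that a transaction-only design keeps far less for an intruder to take. The following is an added example, not code from the thread or from any merchant: `WebTier` models what the web application can read at runtime (its config, including the key, and its account database), `attacker_with_web_tier` simply does what the application does, and `record_transaction` keeps only a masked form. The cipher is a toy HMAC-based keystream and the card numbers in the test are constructed placeholder values.

```python
"""Added example: reusable-account card storage versus transaction-only
handling, from the point of view of someone who has read the web tier."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode, XORed over the data.
    Illustrative only; a real deployment would use an authenticated cipher."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        ks = hmac.new(key, nonce + block_no.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, ks))
    return bytes(out)


@dataclass
class WebTier:
    """Everything the web application can read: config (with the card key)
    and the account database. An intruder who owns the server reads both."""
    config: Dict[str, bytes]
    account_db: Dict[str, Dict[str, bytes]] = field(default_factory=dict)


def store_for_reuse(tier: WebTier, user: str, pan: str) -> None:
    """'Convenience' design: keep the PAN encrypted under the app's own key."""
    nonce = secrets.token_bytes(16)
    ciphertext = _keystream_xor(tier.config["card_key"], nonce, pan.encode())
    tier.account_db[user] = {"nonce": nonce, "pan_ct": ciphertext}


def app_reuse_card(tier: WebTier, user: str) -> str:
    """What the application does at checkout: decrypt the stored PAN."""
    rec = tier.account_db[user]
    return _keystream_xor(tier.config["card_key"], rec["nonce"], rec["pan_ct"]).decode()


def attacker_with_web_tier(tier: WebTier) -> List[str]:
    """Whoever can read config and database recovers every PAN by running
    exactly the same steps the application runs. The encryption changed nothing."""
    return [app_reuse_card(tier, user) for user in tier.account_db]


def record_transaction(pan: str, amount_cents: int) -> Dict[str, object]:
    """Transaction-only design: the PAN goes to the payment processor during
    the request (not modelled here) and only a masked form is retained."""
    masked = "*" * (len(pan) - 4) + pan[-4:]
    return {"masked": masked, "amount_cents": amount_cents}


if __name__ == "__main__":
    tier = WebTier(config={"card_key": secrets.token_bytes(32)})
    store_for_reuse(tier, "alice", "4111111111111111")  # constructed test PAN
    print("intruder recovers:", attacker_with_web_tier(tier))
    print("transaction keeps:", record_transaction("4111111111111111", 1999))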
I would say the majority of stolen CC #s are probably not on the net. At least personal anecdotal evidence seems to point in that direction. I've known at least five cases, one of which being my parents who are generally anal in protecting their credit cards / bank accounts, in which the number was stolen and used. One interesting thing to note about these cases was that they all were either proven or most likely stolen at restaurants.
The next time you're at a restaurant, receive the bill, and you're about to give the credit card to the waiter or waitress you may just want to consider how much trust is required for that transaction. The waiter takes your card, walks off and runs the card, and comes back with your receipt and card. In that amount of time out of your possession, the number, name, expiration date, and the bank information on the back of the card could all be easily copied.
These credit card numbers weren't 'stolen', they were LIBERATED!
"Ask not what your country can do for you." --John F. Kennedy
People should be responsible if they are negligent, I agree. OTOH, expecting perfect security, as some on this thread seem to be doing, is wishful thinking. The world doesn't work like that. Bank robberies happen, and sometimes they get away with it. Cracks happen, and sometimes they get away with that, too. You should take reasonable steps to secure your facilities and have a sensible contingency plan for when that security fails.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
While on holiday in the Lake District a while back, some friends and I were going up to the top of Scafell Pike, the highest point in England. One of the paths was particularly treacherous, very steep and with lots of stones that slipped under foot. (Not good for those of us uncomfortable with heights!) After a few hundred metres, we got to the top of the path, only to find a sign there, facing toward anyone who was about to go down it.
It said, "Danger of death! Path under reconstruction! Keep off!"
We were suitably impressed. :-)
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Hackers have used this attack many times before. The most recent one that I remember was PayPal. They claimed the password database had been corrupted or something, and asked people to click the link and reenter their passwords. Got a whole lot of accounts that way.
Someone else did it with a note that said they were putting a timer on service so that you had to log in every so often to keep your account active. People went and logged in by the thousands to the phony site they set up.
I hereby place the above post in the public domain.
Where a certified accountant needs to check and make sure everything is up to a certain standard.
That's good news, more IT jobs coming up?
-- Leeeter than leet