Slashdot Mirror


Dear Sir: Your Credit Card Number Has Been Owned

An anonymous reader submits: "California has become the first state in the nation to require companies victimized by malicious computer attacks to disclose to their customers what might have been compromised. Dubbed the Security Breach Information Act, the law requires companies whose systems are cracked and have credit card, bank account, and/or other significant customer data stolen to report the intrusion either by email, snail mail, a notice on their website, or by notification to the news media. The law takes effect Tuesday, July 1 (tomorrow)."

28 of 179 comments

  1. I Remember when... by under_score · · Score: 5, Informative

    Slashdot was compromised back a few years ago. The maintainers were very quick to notify everyone and recommend changing passwords immediately. If only other businesses were as forthcoming!

    And there weren't any credit card numbers involved!

    1. Re:I Remember when... by gr0ngb0t · · Score: 3, Informative

      from the linked post...

      Yup, Somebody Cracked Slashdot

      Posted by CmdrTaco on 30/09/00 0:30
      from the wiping-egg-off-our-faces dept.


      to me, that certainly looks like the 30th of September, 2000.

      Fix how you display your dates.

    2. Re:I Remember when... by frodo+from+middle+ea · · Score: 3, Funny

      Exactly, I mean think of all those slashdot users, who had stored their credit card numbers on slashdot.

      --
      for the last time people, I am "frodo from middle eaRTH", not "middle eaST".
  2. "Update:" by shawnywany · · Score: 5, Funny

    "All your base is now belong to them."

  3. At least they're doing something sorta productive by I'm+just+joshin · · Score: 3, Insightful

    Not a bad idea, but with them having a 38 billion dollar deficit one would think they'd be focused on that.

    So glad not to be there now.

  4. MS Bank v1.1 by Anonymous Coward · · Score: 5, Funny
    for i in `select * from users`; do
    /usr/sbin/sendmail $i.email < sorry.txt
    done
    1. Re:MS Bank v1.1 by Anonymous Coward · · Score: 5, Funny

      apparently MS Bank runs on unix. in a bash shell...

      right... sher...

  5. Damn straight. by autopr0n · · Score: 3, Redundant

    People should be responsible for poor security they implement.

    --
    autopr0n is like, down and stuff.
    1. Re:Damn straight. by BiggerIsBetter · · Score: 5, Insightful

      Yup.

      How about if your local bank didn't lock its safe at night, and used shitty supermarket padlocks on the doors? Then didn't tell you that people broke in occasionally when no-one was looking, but quietly increased your fees to cover the losses? Sound reasonable? No, of course it doesn't, but it's not far off the level of security some clowns put online. Personally, I'd like to see the sysadmin's name posted in the notices too. :-D

      Imagine if these were physical break-ins rather than electronic ones. The money's all the same, the only difference is that until now, it didn't make the evening news. It's about time it stopped being swept under the carpet.

      --
      Forget thrust, drag, lift and weight. Airplanes fly because of money.
  6. Security Breach by Anonymous Coward · · Score: 5, Funny

    "Umm, I would send out notices, but it appears that the crackers overwrote the mailing addresses of our entire userbase with 123 Sesame Street."

    1. Re:Security Breach by YOU+LIKEWISE+FAIL+IT · · Score: 3, Insightful
      Interestingly enough, what's the exact wording of the law? Can you just bury it somewhere on the website which is the equivalent of a disused lavatory in an unlit basement with no stairs and a sign on the door saying "Beware of the Leopard"?

      I think this law would be a lot stronger if it mandated contact by all of those forms to the extent made possible by available customer data.

      This is kind of a sore spot for me at the moment because of a different, but similar misadventure of my own. Recently, my net banking access got frozen because too many incorrect password attempts had been made on it. However, the bank did not see fit to notify me of this, and I only found out when I urgently needed to do a wire transfer at 11pm on the weekend. And of course their service facility was long closed by that point and wouldn't be open until Monday. Sucks.

      YLFI

      --
      One god, one market, one truth, one consumer.
  7. Posting on website wouldn't be enough by CastrTroy · · Score: 5, Interesting

    I don't think that posting the information on the website would be effective enough. Sites such as amazon.com may have my credit card number stolen. If I don't visit the site within the time frame that they are displaying it then I may never find out about it. They need to do something that requires less action from the users such as snail/e-mail. I don't think site postings should be allowed.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    1. Re:Posting on website wouldn't be enough by jeffkjo1 · · Score: 5, Insightful

      I honestly don't even like the idea of them sending an email with this information. I can see some unscrupulous thief sending an email with forged headers stating: "Hi from amazon, our credit card database system was stolen by some meddlin' hackers, please click this link and reenter your information to reactivate your Amazon account. We apologize for the inconvenience."
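
As an added example, not part of the original thread and not any poster's code: the check a practitioner would run on a "breach notice" like the one described above, in Python. It parses the mail, pulls every link out of the HTML body and flags links whose registrable domain does not match the domain of the From: address. The message below is constructed for this example; the sender, recipient and the phishing host are made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: a forged breach notice of the kind the comment describes.
# Addresses and hostnames are invented for this example.
FORGED_NOTICE = """\
From: Amazon Security <security@amazon.com>
To: customer@example.net
Subject: Your account needs reactivation
Content-Type: text/html

<html><body>
<p>Hi from Amazon, our credit card database was stolen by some meddlin' hackers.
Please <a href="http://amazon-reactivate.example-phish.biz/login">click here</a>
and reenter your card to reactivate your account.</p>
<p>Questions? See <a href="https://www.amazon.com/help">our help page</a>.</p>
</body></html>
"""

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Simplification: ignores multi-label
    public suffixes such as co.uk; a real check would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def suspicious_links(raw_message: str) -> list[str]:
    """Return every http(s) link in the body whose registrable domain differs
    from the domain of the From: address. A genuine breach notice from a
    merchant has no business linking anywhere else."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(sender.rpartition("@")[2])

    body = msg.get_payload(decode=True)
    text = body.decode(msg.get_content_charset() or "utf-8", "replace") if body else ""

    flagged = []
    for url in HREF_RE.findall(text):
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            continue
        if registrable_domain(parsed.hostname) != sender_domain:
            flagged.append(url)
    return flagged


if __name__ == "__main__":
    for url in suspicious_links(FORGED_NOTICE):
        print("link does not match sender domain:", url)
```

The From: header is itself forged in this scenario, so the check only catches the inconsistent case (claimed sender on one domain, link on another); a thief who makes the link match a forged sender domain passes it. The durable rule the comment points at is that a breach notice should never be acted on through its own links: type the merchant's address yourself.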

  8. ...posted in the basement with no lights. by janda · · Score: 5, Interesting

    To quote the parent:

    ...a notice on their website...

    Yea, all you need to do is find the white-on-white "click here" hyperlink.

    Like I'm supposed to go out every day and check every credit card site, all my bank account sites, every mutual fund site, every stock broker site, etc, etc, etc?

    Why? Why does the company that has been hacked have to engage in a deliberate act (e-mail, snail mail, phone calls, whatever) except for this? Why not force companies to own up to their mistakes?

    --
    Karma: Food Fight (Mostly affected by Date Plate).
  9. I can just see the conversation on 1337 IRC chans by Pento · · Score: 5, Funny

    (Translated to English, for readability purposes only.)

    1337 h4xxor> The company I broke into published it in the morning newspaper!!!1!1!
    5kr1p7 k1dd13> That's nothing!1!! I made the evening news!11!!!1!1

  10. Correction: 0wnx0r3d by dupper · · Score: 5, Funny

    Aha, spelling Nazis, now the shoe is on the other foot!

  11. Move... by Mullen · · Score: 3, Interesting

    Instead of fixing their security, companies will just find it cheaper to just move their servers out of California.

    --
    Linux O Muerte!
    1. Re:Move... by jeffy124 · · Score: 4, Informative

      Interesting idea, except that a CA senator introduced a similar bill on a national basis last week. (RTFA) The second paragraph also happens to mention that it doesn't matter where a company is physically located; they just have to have customers in CA.

      --
      The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
    2. Re:Move... by Beryllium+Sphere(tm) · · Score: 3, Informative

      I just got home a few hours ago from a seminar where I heard a Real Lawyer discussing this exact question.

      If you advertise in a California paper and sell to a California resident, that's governed by California law even if your corporate home is in another state.

      If you have a branch in California, same deal. You're considered to be doing business *in* California, as opposed to across state lines.

      There are a lot of complicated rules about what constitutes "doing business in" a state, rules which evolved back in the meatspace era.

      Remember all those "void where prohibited" disclaimers? Those were short for "If your state doesn't allow this, I'm not offering it there, so I'm not soliciting business from anyone in your state".

      All legal errors in the above are my fault. If you get in trouble because you got your legal education from Slashdot, that's your fault.

  12. internet is not only place where CC #s are stolen by civilengineer · · Score: 5, Informative

    When I first started using credit cards 3 years ago, I never used them on the internet for 6 months, fearing the consequences of a theft. But, one fine day, my statement showed charges from some cruise/vacation website and some discounts program I'd never heard of before for $200!! I got mad and called the credit card company and it took them 2 months to fix it. Then, I decided, what the heck, let's use 'em on the internet since the numbers will be stolen anyway. :(

    --

    New year Resolution: Don't change sig this year
  13. What's worse? by MoeMoe · · Score: 4, Funny

    companies whose systems are cracked...are required to report the intrusion either by email, snail mail, a notice on their website, or by notification to the news media.

    Now I'm not sure what I should be more afraid to find in my email, this or spam....

    --
    Business \Busi"ness\, n.;
    A scam in which all people involved perceive as beneficial...
  14. So what happens... by dethl · · Score: 4, Insightful

    When the hacker breaks into the notification server?

    Even if they didn't steal any information (other than some emails on the server) they could scare the living crap out of a lot of people....like a BIG practical joke.

    Then the company would have to send out another email via the notification system to their customers....this ought to be interesting...why trust the company that claimed it was hacked yet it wasn't?

    --
    "Some fight for law. Some fight for justice. What will you fight for? One day, you will see."
  15. Law takes effect Tuesday, July 1 (tomorrow)." by djupedal · · Score: 3, Funny

    Increased costs take effect Wednesday, July 2 (the day after the day tomorrow).

  16. I'm curious... by mabu · · Score: 4, Funny

    Do you think that a little "This site powered by Windows 2000" icon on the bottom of the page would be considered appropriate notification?

  17. make them pay by slugo3 · · Score: 4, Interesting

    Why not make the company responsible for notifying my credit card company? Or better yet, make them pay for fraudulent charges that I could prove were from their negligence?
    They screwed up; they should incur the cost of cleaning up the mess. If companies were responsible to that degree, then watch how high security budgets would skyrocket. If they shouldn't be responsible to that degree with my sensitive information, then why bother passing legislation like this?

  18. BUSINESS PLAN by goon+america · · Score: 4, Funny

    This is just an attempt to sell Microsoft a lot of stamps.

  19. Prevention is far better than cure. by expro · · Score: 5, Insightful

    These rules are good. I think both notification and public notices of being hacked should be required. But merchants and customers should be smarter to start with.

    Many prominent ecommerce sites insist that if you buy with them, you have to open an account where your credit card info will be stored permanently (read the fine print on PayPal, for example, what happens when you try to erase it).

    In order to permit you to reuse the credit card number without reentering it later, it generally has to be stored in a place accessible to the web server applications, aka a very hackable location. They usually claim to protect this via n-bit encryption, but their application can easily decrypt it, generally meaning that a hacker who owns the web server can as well.

    If a brick-and-mortar merchant insisted on storing a xerox of the credit cards of all his customers in a filing cabinet on the sales room floor in case any time in the future they forgot their credit cards, I would still feel more secure than this sort of e-merchant makes me feel (because the volume of CC numbers is less and it can't be accessed remotely), compared with a database holding millions of card numbers. There is a huge difference between temporarily using the credit card info in a transaction database and making it permanently available in an account database. Not only can transaction records be more fully isolated from the web servers than account records, but in the transaction case, the most that can be compromised is far less than the millions of credit card numbers compromised in an account database. You make yourself vulnerable forever if you do business with someone who wants to keep your credit card available in your account, and they probably will not even tell you if it is compromised.

    IMO, good merchants do not insist on storing your credit card number in the account, but rather permit you to manually reenter it every time. Just like all the Microsoft email conveniences that turn out to be security holes, this sort of ecommerce convenience is asking to have your credit card number abused, with no notification. The number is safer in your wallet or travelling across SSL than in a web-server database with millions of other credit cards.

    PayPal refuses to erase the account info even if you erase it. Perhaps this sort of law will eventually force irresponsible merchants to rethink the way they expose millions of cards to cracking. You can't hack what is not on the server.
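
As an added example, not code from the thread or from any merchant named in it: a small Python model of the two storage designs the post above contrasts, an account database that keeps the card number "encrypted" with a key the web application must hold, and a transaction record that keeps nothing a card number can be rebuilt from. The cipher is a toy HMAC keystream standing in for the merchant's "n-bit encryption" (an assumption made for the example; a real system would use a vetted AEAD), and the card numbers are the usual test numbers, not real cards. What it demonstrates is exactly the point made above: an intruder who owns the web server reads the same key the application reads, so the encryption only helps against someone who got the database but not the server.

```python
import hashlib
import hmac
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: keystream = HMAC-SHA256(key, nonce || counter),
    XORed with the data. Illustrative stand-in for 'n-bit encryption', not a
    recommendation; the argument does not depend on the cipher's strength."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


class AccountStore:
    """Account database as the post describes it: the PAN is stored encrypted,
    but the web application keeps the key because it has to decrypt the number
    every time the customer reuses it."""

    def __init__(self, app_key: bytes):
        self.app_key = app_key   # read from config/env on the web server
        self.rows = {}           # user -> (nonce, ciphertext)

    def save_card(self, user: str, pan: str) -> None:
        nonce = os.urandom(16)
        self.rows[user] = (nonce, keystream_xor(self.app_key, nonce, pan.encode()))

    def charge_again(self, user: str) -> str:
        """What the 'buy again with one click' code path has to be able to do."""
        nonce, ciphertext = self.rows[user]
        return keystream_xor(self.app_key, nonce, ciphertext).decode()


class TransactionStore:
    """Transaction record: the PAN is used once at checkout and not retained;
    only the processor's authorization reference and the last four digits stay."""

    def __init__(self):
        self.rows = {}           # txn_id -> {"last4": ..., "auth_ref": ...}

    def record_charge(self, txn_id: str, pan: str, auth_ref: str) -> None:
        self.rows[txn_id] = {"last4": pan[-4:], "auth_ref": auth_ref}


def recoverable_pans(store, attacker_has_app_key: bool) -> list:
    """Full card numbers an intruder can recover from a copy of the store.
    attacker_has_app_key=True models 'owns the web server' (same files and
    environment the application reads); False models a database-only leak."""
    if isinstance(store, AccountStore):
        if not attacker_has_app_key:
            return []    # ciphertext without the key is no use (for a sound cipher)
        return [keystream_xor(store.app_key, nonce, ct).decode()
                for nonce, ct in store.rows.values()]
    return []            # last4 + auth reference cannot be turned back into a PAN


if __name__ == "__main__":
    # Constructed demo data: standard test card numbers, a made-up key.
    key = os.urandom(32)
    acct = AccountStore(key)
    acct.save_card("alice", "4111111111111111")
    acct.save_card("bob", "5555555555554444")
    txn = TransactionStore()
    txn.record_charge("t1", "4111111111111111", "AUTH-0001")
    print("db-only leak, account store:", recoverable_pans(acct, False))
    print("owned web server, account store:", recoverable_pans(acct, True))
    print("owned web server, transaction store:", recoverable_pans(txn, True))
```

The distinction the post draws between an account database and a transaction database is the `attacker_has_app_key` flag: against a leaked database dump the account store looks fine, against a compromised web server it yields every card, and the transaction store yields nothing in either case because the number was never kept.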

  20. It might get just like accounting... by leeet · · Score: 3, Interesting

    Where a certified accountant needs to check and make sure everything is up to a certain standard.

    That's good news, more IT jobs coming up?

    --
    -- Leeeter than leet