Three Indicted In Huge Identity/Data Breach

ScentCone and other readers let us know about an indictment just unsealed in federal court for stealing 130 million credit cards and other data useful in identity theft, or just plain money theft. The breaches were at payment processor Heartland (accounting for the bulk of the 130M), Hannaford, 7-11, and two unnamed "national retailers." Interestingly, the focus of the indictment, Albert "Segvec" Gonzalez, is currently awaiting trial for masterminding the TJX break-in, which until Heartland counted as the largest credit-card theft ever. The indictment cites SQL injection attacks as the entry vector. Two unnamed Russia-based conspirators were also indicted. Securosis has analysis of the security implications of the breach ("These appear to be preventable attacks using common security controls. It's possible some advanced techniques were used, but I doubt it") and the attackers' methodology.

Pirst Fost

Cuntflap.

Re:Pirst Fost

[Frosty+Piss]

Cuntflap

The nickname of this guy Gonzalez after a few months in federal prison?

I'm sorry, I'll go away.

Re:Pirst Fost

It's unbelieveable that Mexicans have gone from fagging around with their "vatos" in street gangs and stealing cheap Nikes to stealing credit card information online.

Re:Pirst Fost

Spics didn't do this as they can barely even turn on a computer. They are just a fall for a white guy.

Re:Pirst Fost

Ahh, so they are serving the only good purpose that they can. That is reassuring.

Hispanics are humans?

Why is it legal to be hispanic?

Re:Hispanics are humans?

[Frosty+Piss]

Why is it legal to be hispanic?

In Maricopa County, Arizona, it is.

It was me

I did it for the lulz

Re:It was me

[gandhi_2]

Like an internet hate machine.

Losing faith in the system

[AB3A]

These credit card processing companies had better get their acts together fast, or they'll be sunk by so many lawsuits that they won't be able to stay in business.

Insurance companies will see this sort of business as a radioactive risk. They'll let existing contracts expire and quietly back out --UNLESS these companies get serious about their data security.

There is a huge opportunity for someone to make some real coin doing this sort of thing, but it will take a mindset that these people have been loath to accept: People really are out to get them.

Re:Losing faith in the system

[nametaken]

Seriously.

I mean, SQL injection? That's just disgustingly stupid and lazy.

Re:Losing faith in the system

[AB3A]

I agree.

And the downside for their company is-- WHAT? Why should they make the extra effort to avoid such flaws? Whose responsibility is it?

The problem is that the liability isn't all theirs. This is the same reason that so many software firms can sell steaming piles of insecure garbage, and there is very little practical consequence.

This is the same feature that led to the downfall of the housing market. If you spread the risk around too thinly, nobody will know who to assign blame to. That's how we got in to the mess we're in. When people start demanding accountability and liability, this nonsense will end.

Re:Losing faith in the system

[statusbar]

But the data IS secure! there is a little padlock on my web browser window that says so! ;-)

--jeffk++

Re:Losing faith in the system

[bill_kress]

Yeah, I was hoping when it said "Three indicted" that the three were actually working for one of these companies and they finally started indicting for incompetence.

We've handled this whole security thing poorly.

Re:Losing faith in the system

[nametaken]

I hate problems where the solution is "educate people" and "change minds". :(

Re:Losing faith in the system

[jonnyj]

No report that I've read suggests that 7-Eleven will be punished for this, even though they were self-evidently negligent with their customers' data - SQL injection vulnerabilities would by uncovered by any perfunctory peer review, security review or penetration test. In the UK, they'd be looking at a huge fine from the Office of the Information Commissionerfor this.

It also throws the whole PCI/DSS scheme into question. If PCI means anything, a company that demonstrates an attitude to security that's this relaxed should immediately have their right to process cards payments withdrawn by their sponsoring bank.

Re:Losing faith in the system

[hesaigo999ca]

The problem is that the credit card companies look at this investment as a luxury and not a necessity and like most investments, unless there is a need it will get filtered down to a basic formula.

Compare the cost of just reimbursing the people who have been stolen from, compared to the investment it would take to change the WHOLE cc infrastructure , and then ask yourself this....If it is not a crime to offer less secure credit cards, do you have to invest in more security, or will just saying you could not invest anymore cost less in the end?

If the government were to step in and say for each security breach a company has (with cc info) they get a 100,000,000$ fine which would for starters stop them from KEEPING the cc on file, which they do not need to do.
Secondly...if the credit card companies were to get a massive overhaul in the standards they NEED to implement for cc security...and adjust a fine system for the longer they wait, the more expensive it becomes, they would have no choice but to invest in their own infrastructure as well.

This is also the problem with the gas companies, they do not want to invest in creating more processing plants , which when a hurricane hits texas, guess what ,they have their excuse for raising the gas prices. If the government forced them to invest to create more infrastructure, so these things would not happen, then it would have no more price fixing happening.

Can the government step in, in either of these cases...probably not, because of the road blocks they put in themselves...however you go to a country like Syria, where everything is controlled by the government
you would not be able to complain, as a company, they would just laugh you out of the country.

Opinions don't kill people, people kill opinions!

Re:Losing faith in the system

[hesaigo999ca]

Problem is that accountability died along time ago side by side common sense.

Rob Malda wishes to make an announcement

In celebration of Wikipedia's 3 millionth article, Rob "CmdrTaco" Malda would like to announce that he will be participating in the "Gangbang 3 Million" event in order to get in the Guiness Book of World Records for "Most Dicks Put In Your Asshole in One Week". The event will be held in Las Vegas on September 11th, 2009 at the MGM Grand Casino. If you would like to sign up to be a part of this momentous event please go to http://slashdot.org/gangbang_3_million_signup.php. Signing up here will automatically enter you in the drawing to be the first in line to fuck Rob's asshole and the for the consolation prize of sloppy seconds. After the event is over, DVDs and Blu-Rays will go on sale on December 15th exclusively through Sourceforge, Inc's ThinkGeek.com retail site at a special 30% of discounted price. Later in January these items will be available for a wide release at 100s of other retailers but at the full retail price. Rob Malda and the rest of the staff at Sourceforge, Inc. hope to see you there!

Re:Rob Malda wishes to make an announcement

[Phusion0]

Holy flerking schnit man, you are some kind of Internet mutant. I love it! You know, I met Rob at a LinuxWorld one year, they were passing the mic around and giving out Slashdot shirts to anyone who asked a question. When I saw him, he looked kind of like the kind of guy who would enjoy participating in a furious, multi-cock, world record busting gang bang. I don't know, that's just me. Make sure to step out of the basement for just a moment and smell the air, it's nice, I promise.

Hate to say it...

[loteck]

but by the looks of one of the linked articles, any standardized internal controls audit should have seriously mitigated the risks of these types of attacks being possible. These guys are dealing with credit cards, right? Where was PCI compliance?

Re:Hate to say it...

That's only relevant to the end stores that need payment processing. The rules, of course, do not apply to the big name at the top.

Re:Hate to say it...

PCI? These guys were using AGP!

Re:Hate to say it...

PCI compliance is the definition of security theater. I used to work for a credit card processing company, and every month we'd get some new "PCI" rule we had to follow, which did virtually nothing to make us more secure.

Month 1: Can't store credit card numbers in problem tickets. Must use e-mail. (Internal e-mail, obviously.)
Month 2: Can't e-mail credit card numbers internally. Must put them into problem tickets.
Month 3: Can't do either one. Now you must provide the credit card numbers verbally (over the phone), or write them down and carry them to the person resolving the ticket.

Which made resolving card-specific software issues absolutely delightful to deal with - I couldn't even begin to guess how many miles I trudged through the IT floor, distributing sticky notes with credit card numbers written on them, which if you ask me was more of a security risk than having them stored digitally.

Meanwhile, the things that really mattered were left virtually untouched. I don't even know how many times something was completely and utterly screwed up by someone, somewhere in the company... and we couldn't even figure out who did it because there were no logs of what had happened, or because the logs pointed to a shared account that anybody could have used. My account on the actual card processing front-end system was watched like a hawk, however, nobody would ever have noticed if I'd downloaded a database dump from the FTP server and made off with it.

PCI has absolutely nothing to do with actually tightening security, and everything to do with making businesses able to say "It's OK! We're PCI COMPLIANT!"

(Post anonymously? Hmm, I wonder.)

Re:Hate to say it...

[hawleyal]

PCI

only relevant to the end stores ... rules do not apply to the big name at the top

Um. Ur wrong. It's relevant for everyone not Visa, MasterCard, American Express, Discover. TJX et al have way heavy PCI fines.

Re:Hate to say it...

[bearsinthesea]

Meanwhile, the things that really mattered were left virtually untouched. I don't even know how many times something was completely and utterly screwed up by someone, somewhere in the company... and we couldn't even figure out who did it because there were no logs of what had happened, or because the logs pointed to a shared account that anybody could have used. My account on the actual card processing front-end system was watched like a hawk, however, nobody would ever have noticed if I'd downloaded a database dump from the FTP server and made off with it.

I'm not sure if you are joking, but by this statement alone I can tell you were not PCI compliant, whether you were certified or not. Full logging is a requirement, it has an entire section of the PCI standard. Shared accounts are prohibited. And FTP? In a compliant cardholder data environment? Not likely.

Perhaps you were actually doing 'Auditing Theater', where you pretend to be audited, and buy a cert from a small company that isn't actually validating your systems.

Re:Hate to say it...

but by the looks of one of the linked articles, any standardized internal controls audit should have seriously mitigated the risks of these types of attacks being possible. These guys are dealing with credit cards, right? Where was PCI compliance?

Hew, they got Great Big Savings! They outsourced the security to the lowest bidder. It's the American Way.

Re:Hate to say it...

[neurovish]

PCI compliance is the definition of security theater. I used to work for a credit card processing company, and every month we'd get some new "PCI" rule we had to follow, which did virtually nothing to make us more secure.

Month 1: Can't store credit card numbers in problem tickets. Must use e-mail. (Internal e-mail, obviously.) Month 2: Can't e-mail credit card numbers internally. Must put them into problem tickets. Month 3: Can't do either one. Now you must provide the credit card numbers verbally (over the phone), or write them down and carry them to the person resolving the ticket.

Which made resolving card-specific software issues absolutely delightful to deal with - I couldn't even begin to guess how many miles I trudged through the IT floor, distributing sticky notes with credit card numbers written on them, which if you ask me was more of a security risk than having them stored digitally.

Meanwhile, the things that really mattered were left virtually untouched. I don't even know how many times something was completely and utterly screwed up by someone, somewhere in the company... and we couldn't even figure out who did it because there were no logs of what had happened, or because the logs pointed to a shared account that anybody could have used. My account on the actual card processing front-end system was watched like a hawk, however, nobody would ever have noticed if I'd downloaded a database dump from the FTP server and made off with it.

PCI has absolutely nothing to do with actually tightening security, and everything to do with making businesses able to say "It's OK! We're PCI COMPLIANT!"

(Post anonymously? Hmm, I wonder.)

I'm on the PCI compliance team where I work (well, was...eventually management decided they would rather outsource all credit card transactions and not have to worry about it), and you never were PCI compliant. For one, the numbers can't be stored in cleartext, which sounds exactly like what emailing them and putting them in trouble tickets, or even writing them on a sticky note would do. The actual PCI DSS is pretty normal security procedure and something you would want in place anyways. Aside from a shared account that the three linux admins used, our linux environment was already up to PCI standard before we had even heard of it.

Encrypt the application layer (https and ssh, no http, telnet, ftp, rsh, etc).
Don't use dumb passwords.
Change your password every once in awhile.
Don't give everybody access to everything.
Don't share accounts, never use root.
Don't leave services you don't use running.
Don't leave sensitive data in cleartext.
Test and make sure you're actually doing these things.

I'm sure there's some stuff missing, but that is essentially PCI DSS.

Re:Losing faith in the system--Don't Lose Faith!

[MarkvW]

Don't lose faith. The banks never lose. Both the Democrats and the Republicans see to that!

The losses always get pushed away from the stockholder and onto the consumer! That's what capitalism is! Capital dominates government!

Show Me The Money

[mindbrane]

Having been active on the Internet since the 90's and a /. reader since the late 90's I'm pretty much up to speed on the degree of identity theft that has taken place. But where's the money? Where's the proceeds of all the identity and credit card theft? If you added up all the stolen identities and credit card thefts you'd think a big chunk would have been bitten out of the economy. There doesn't seem to be any significant bleeding. Does it all add up to not much more than a drop in the bucket. On a personal note I think I'd be better serve being able to establish my personal information has been stolen multiple times. Maybe a new type of fraud will be 'stealing' your own credit cards and going on an online spending spree.

Re:Show Me The Money

[ScentCone]

But where's the money? ... would have been bitten out of the economy. There doesn't seem to be any significant bleeding.

It does take a huge bite out. It costs a fortune for merchants, card processors, banks (and of course to the retailers they pass those costs along to) to deal with fraud. Billions and billions a year. It's a drag on the economy that makes it more expensive to be a merchant, more expensive to (however briefly) borrow money, more expensive to run law enforcement, etc.

PCI stands for...

[brianc]

... Pay Cash Instead!

Re:PCI stands for...

[Phusion0]

I keep all my money inside a Magnum condom, inside a donkey.

Faith is gone. We need a better way!

[mcrbids]

These credit card processing companies had better get their acts together fast, or they'll be sunk by so many lawsuits that they won't be able to stay in business.

Yes, but there is still an underlying problem: The credit card payment system is inherently insecure. I'm not talking about the computers, I'm talking about the system at large. Credit card numbers are basically a password that you share with anybody who you buy stuff from. Any of these vendors by definition have all the information necessary to use your credit card.

What you can't do with the current system:

1) You can't "lend" your card to a subcontractor so that they can buy supplies, without opening yourself up to a world of hurt.

2) You can't trust that your identity isn't stolen at every possible transaction.

3) In the case of a leak, you can't be automatically alerted to attempts to use your credit card.

It could be some otherwise bored l337 h@x0r in Montana at his mom's house who cracks an online shopping cart, or the Russian Mafia, or the pimply guy who pumped your gas. All of them get the ability to "be you" simply by transacting as you, and so long as this fundamental insecurity remains unchanged, credit cards are and will continue to be problematic.

Me? I'm imagining something with my cell phone, a PIN like an ATM card, but one that's different for each transaction. In this manner:

1) I swipe my card.
2) The credit card gives me a challenge code, asks me for my PIN.
3) I get a text message on my cell, which has the challenge code on one line, and a one-time-PIN on the next line, and a third line with the amount charged.
4) I enter the one-time PIN, proving that I have the registered phone in my hand.
5) Then, I enter in my permanent PIN, just like I do now.

This protects me:

1) Anybody at the cell phone company can see the challenge and the response PIN, but it doesn't do them any good since these change with every card swipe.

2) Anybody at the store can see the whole transaction, but it doesn't matter since they don't have my phone.

3) Even the credit card processing center can't fudge the transaction because the amount of the charge was submitted prior to generating the one-time PIN, and I've already been made aware of the charge.

4) If somebody did get your card #, and tried to use it, you would know immediately that it was happening, and the amounts involved because you'd be getting notices of the transactions sent to your phone!

This would DRAMATICALLY reduce the security footprint of the credit card transactional system, and would easily allow for causual "lend him the credit card" scenarios, since you could give the card to someone, and even let them know your permenant PIN, but keep the phone in your hand. The only person who can effectively compromise this credit card system effectively would be the credit card company itself.

The only downside that I can see is that you couldn't use this system in areas without cell service. But even in that case, you could "pre-register" a transaction or two with no amount set, keep the one-time PINs handy, and use them when you don't have service.

The current system is terribly insecure - I've had 3-4 different compromises of my credit card numbers in the last couple years despite my being VERY careful with my data. Then I talk to the fraud department, sign the affidavit, get my credit back, blah blah blah...

The current system sucks. We need a better system.

Re:Faith is gone. We need a better way!

[stabiesoft]

While I agree completely that a cell phone system would be much much more secure, nothing is unbreakable. See http://mobile.slashdot.org/article.pl?sid=09/08/17/0014235 for a description of hacking cell phone providers as an example. Basically, I think every card owner he stole should get the opportunity to take a paddle to his ass for one crack. His bright red butt should then be photo'ed and posted on the web. Now that would be justass.

Re:Faith is gone. We need a better way!

[Tweenk]

The current system sucks. We need a better system.

Here in Poland it is customary to pay for online purchases with bank transfers, and only use debit cards as a substitute for cash and at ATMs - nobody ever gives their card number to anybody. I am wondering why people bother with insecure credit cards when online banking fills most use cases of card-not-present transactions.

Re:Faith is gone. We need a better way!

[Tweenk]

While I agree completely that a cell phone system would be much much more secure, nothing is unbreakable.

It does not have to be unbreakable, only better.

Re:Faith is gone. We need a better way!

[caramelcarrot]

In the UK, my bank has given me a card signing device - whenever I set up a standing order, I put my card in, enter the amount, and then give my PIN. It spits back a response code, which I then type in. I believe it's possible to use a method like this on some websites that require credit cards, but not all processing systems support it; and that's a fundamental problem with any security improvements in credit card processing, that it'd require a replacement of effectively all current code.

Re:Faith is gone. We need a better way!

[duddles]

The system is perfectly secure. That a few rogue programmers left their system wide open to attack was in no way the fault of management. They couldn't possibly expect someone to actually find their data interesting enough for someone to hack in. Clearly they don't need to question their security protocols, instead what is needed now is a good blamestorm and get rid of a few more IT people, that'll teach them for leaving holes in the system. Oh, and management also want eight new features in by Friday.

Re:Faith is gone. We need a better way!

[Jason+Levine]

As someone who's had both his credit card account compromised in one of these breaches and had his identity full-on stolen (SSN, DOB, name, address, etc), a simple "thief uses your card to buy some stuff" is no big deal (relatively speaking). A close eye on your credit card statements, something you should do anyway, a quick call to the card company and you'll get a new card number and the charge will be taken off. Once the card is canceled, you're safe again. With full-on identity theft, even closing the accounts opened in your name isn't enough.

I agree that the system is broken, though. In my case, the credit card company (Capital One) approved the online credit card application with an incorrect mother's maiden name and didn't raise a red flag when the address was changed right away or when "I" tried to get a large cash advance before activating the card. I was just lucky that the card was sent out before the address change was processed. Otherwise, it wouldn't have landed on my doorstep and I would've never known that anything was wrong until the collection agencies came knocking.

Re:Faith is gone. We need a better way!

[mcrbids]

But it doesn't matter if the cell phone company is compromised - or did you miss that bit?

The only thing that the cell phone company gets is the ability to approve the transaction that I already started. I don't give a shiat who reads the cell message. And if the cell network was hacked so that I get a bogus text message, then the transaction still doesn't work.

In other words, yes, perhaps it's possible to hack a GSM cell phone tower, but even so, the attack window is very, very small.

Compare that to today, where the attack window is so huge you could fly a dozen Airbus 380's through it in a parallel formation. Today, literally *EVERYBODY* you do business with has the ability to steal your credit card credentials!

That's just retarded.

Re:Faith is gone. We need a better way!

[mcrbids]

The social security office could use a very similar protocol for setting up banking and credit accounts.

This is a *good* system and is roughly modelled after a system I designed for signing digital certificates.

And, do you want to talk about paranoia? Try designing a truly secure digital certificate system! It's harder than you think if you start with the assumption that any computer in the system could be hacked, but that still can't mean a system compromise.

Re:Faith is gone. We need a better way!

[hugg]

Including any kind of active circuitry in the credit card would severely impact the cost of shipping dozens of "free credit cards" to those who shouldn't be trusted with a lemonade stand.

Re:Faith is gone. We need a better way!

[maxume]

People bother with credit cards because the system is built on the assumption of trust. The vast majority of transactions do happen to be legitimate, and at the moment, the credit card companies are able to push most of the consequences of illegitimate transactions off onto merchants, so change isn't going to come quickly.

Re:Faith is gone. We need a better way!

[stabiesoft]

wow, what part of much much more secure wasn't clear.

Re:Faith is gone. We need a better way!

[ion.simon.c]

How can your buddy answer the random PIN challenge when you have the phone that receives the message that contains the random PIN to enter at the POS terminal? Do you call your buddy and tell him the random PIN, or do you loan him your phone?

Re:Faith is gone. We need a better way!

In the US, the information to add or remove money from a bank account (routing number and account number) is sufficient to drain the account. Yes, everyone you pay with a check and everyone that pays you via direct deposit can empty your bank account. Needless to say, people tend to be careful with their bank account numbers.

Re:Faith is gone. We need a better way!

[itsthebin]

the main problem with SMS confirmation is when you are in another country

my bank ( HSBC Sing )used to use SMS confirmation for transfers but now uses the dongle , but the SMS was a pain as I would have to call and change my number when I changed countries and sim cards.

maybe a secure login from your phone via a wireless data link to receive a confirmation code - maybe have it interrogate the IMEI of your phone to authenticate the device - though the mobile computers with phone capabilities will be next in the firing line to be compromised.

Re:Faith is gone. We need a better way!

You have to understand a culture developing with pervasive use of credit cards and personal checking accounts before online transaction clearing was the norm. The US consumer culture had widespread use of credit cards and personal checks for everything from petty purchases at groceries, to expensive meals, to hotels, to gasoline, or large department-store purchases since the 1960s-1970s. These transactions were made on paper and they could take WEEKS to clear. It was an entire generation before real-time transaction clearing started to appear at even high-volume merchant locations.

The entire US consumer culture is thus based on small-scale credit, with the costs and risks absorbed by merchants in order to get the benefit of increased business by making sales more convenient for the customer. (US consumers are not familiar with paying significant fees for credit card or personal check transactions.) So there has never been an incentive to have efficient online banking in the Internet Age, and many US banks still do not provide conveniences like electronic transfer to another customer in the same bank in the same state, much less online transfer to other banks or other states.

Re:Faith is gone. We need a better way!

Most credit cards offer one-time numbers for use online. See "Complete Fraud Protection. Period." at http://www.discovercard.com/credit-cards/member-benefits.html

Re:Faith is gone. We need a better way!

[jbatista]

Instead of using a cellphone, whose network can falter in remote areas, one could use a token card. At most it would double the number of cards in one's wallet. Some banks in Europe (I don't know how many) use a token card. During an online transaction initiated from the bank's netbanking site, the user is asked three digits from a 3-algarism number matrix in the card. This could replace the problem with not having mobile connection in some areas, although it does not eliminate the problem with the token being stolen (since people tend to keep both in the same wallet); although, admittedly, one's cellular can also be stolen in the same manner. However, the person's (secret) PIN would deter use long enough to alert proper authorities.

Re:Faith is gone. We need a better way!

[tlhIngan]

the main problem with SMS confirmation is when you are in another country

my bank ( HSBC Sing )used to use SMS confirmation for transfers but now uses the dongle , but the SMS was a pain as I would have to call and change my number when I changed countries and sim cards.

maybe a secure login from your phone via a wireless data link to receive a confirmation code - maybe have it interrogate the IMEI of your phone to authenticate the device - though the mobile computers with phone capabilities will be next in the firing line to be compromised.

Not only that, but SMS is also an unreliable no-time-guarantee service. People seem to think that their SMS always arrives in a minute after they send it, it will always do that. However, I can tell you, when you make that purchase you need to make, the SMS will fail. Maybe it'll take an hour to come through. Maybe you won't see it for days. Maybe it won't come through at all. And it'll happen on the day you forgot to pay a bill and have to pay right then and there before they close for business.

Heck, if that's the case, you might as well use e-mail. It usually arrives a minute after someone sends it, right? But people also know email can sometimes take its own sweet time and arrive hours/days after it was sent. Even if there was no transient error condition anywhere.

Then there's people like me who don't carry their phone with them all the time because they want some privacy, and let voicemail get it (cellphones have only become "essential" within the past decade or so. We survived without them despite them being available for over half a century.) Sure it'll save me a lot of money, and hey, maybe going Dutch would be more fun. "Sorry guys, but I don't have my phone... maybe next time!"

Re:Faith is gone. We need a better way!

[lsatenstein]

I refuse to own a cell phone. But you raised some interesting points. With the smartcard technology being delivered for Visa and Mastercard, I can see where the dynamic nature of the chip to send an encrypted pin would be great. However, what do we do for internet purchases, where there is no smartcard chip? Any ideas?

GODDAMN RUSSIANS

Ruin it for the rest of us.

This is a good thing

If this puts some of these companies out of business it's a good thing. To the survivors, protect your data or else.

If it's cheaper to deal with breaches than to secure them it will continue. That's just simple cost benefit analysis.

SQL Injection? Really?

[tukang]

Protecting against SQL injection is basic stuff, so I find it worrisome that that's how their system got compromised. I would like to think that most of the data they save to the db is sanitized and that the hackers just got lucky but I have a feeling that's not true.

Re:SQL Injection? Really?

[mcrbids]

Oh, I'm sure that the database was properly protected! I've seen quite a number of high-security environments that protect their databases with very cleverly written javascript that makes it all but impossible to hack!

Yet, somehow, those wascally l337 hax0rz still get in... (shrug)

new business model

[hguorbray]

I never thought I would do one of these, but:

1. Credit Card Industry fails to secure servers
2. Massive Identity Theft Occurs
3. Offer Credit Report and Identity Theft Services to mitigate steps 1 & 2
4. Profit!!!

-I'm just sayin'

Re:new business model

[dave562]

Step 3 is what irks me the most and as far as I'm concerned, step 3 is all the proof that we need that the financial industry does not care about protecting our personal data. If they truly cared about credit fraud they will give us free credit reports and free identity theft prevention services. They would do so because doing so would be more cost efficient than dealing with the fraud.

The reality seems to be that they will charge us to protect us and just continue to ignore the fraud. I will never pay for any sort of identity theft protection and I think it's criminal that the financial institutions can offer it as a service. Having to pay your bank extra to "really" safe guard the money that you trust to them is kind of like having to pay the conductor on the train an extra fee to actually stop at the stations. At my bank I already pay service fees. I pay fees for my checking account. I pay over draft fees every once in a while. The bank is already making enough that they don't need to charge an extra fee to provide the service that they are supposedly in the business of providing (safe guarding my money).

The 1990's called ...

[DrJimbo]

They want their SQL injection attack back. I would imagine that the companies involved had to put forth a huge recruitment effort in order to find people competent enough to create a working site and yet clueless enough to allow SQL injection.

Re:The 1990's called ...

[aj50]

It's not hard, just hire a bunch of recent CS graduates.

Re:The 1990's called ...

[oljanx]

Don't forget, they were apparently targeting fortune 500 companies with retail stores. The fact that SQL injection is working on sites run by fortune 500 companies is horrifying at best.

Re:The 1990's called ...

That's actually very true. I just recently received a Comp. Sci. B.S. from a very well-known and respected university, and we learned pretty much nothing about Information Security. The only reason I know about SQL Injections is from my own curiosity. I still couldn't tell you off the top of my head how to prevent an attack like this, but I sure as hell would take the time to research (at least) basic website security if I were tasked to build a site for someone.

Re:Losing faith in the system--Don't Lose Faith!

[HomelessInLaJolla]

Why should this be modded down? It's the logical conclusion to the system. We know the credit card system is insecure, we can fill the message boards with comments going back and forth about it... but that isn't the larger problem. Discussion centering around only the credit card system is bound to revolve around band-aid approaches to fixing the system. In order to truly avoid this sort of problem again we need to understand underlying flaws.

So, logically, you wonder why people need credit cards, and then you wonder why people need credit, and then you wonder why debt accumulates, and then you wonder who debt is important to, and then you wonder who the major players are in the system of debt and, eventually you come to understand that, yes indeed, it is a system of governments and big businesses exploiting capital. Once you reach that conclusion then, really and truly, all discussion around the credit card system becomes "offtopic" and the only topical discussion related to identity theft arising from financial systems concerns the security vulnerabilities in a capitalist system dominated by government and financial behemoths.

Of course, that wouldn't generate very much discussion, because acknowledging that everyone is trapped within an inherently flawed system is just depressing, and everyone leaves their computers to go find an ice cream sundae for comfort. Americans should be happy they live in a capitalist system. Under communism only the rich and powerful could afford a decent ice cream sundae. OTOH, under communism, your identity wasn't important in the first place.

So you can have one or the other: ice cream sundaes to comfort your stolen sense of identity, or no ice cream sundaes and no identity at all to steal.

All preventable

[gmuslera]

In short, SQL injection vulnerability in app + MSSQL . With that given, probably the rest was just consequences (wasnt a big help that default mssql installation includes a tool that can be used to download the rest of the attack) and there arent a lot of choices to secure that (reverse proxy, encrypted communications).

Re:All preventable

[moosesocks]

Don't hate on MSSQL -- it's actually a fairly well-respected database, even among folks who also use/maintain some of the open-source options. You could do far, far worse than MSSQL, even for this application.

Of course, if your administrators and developers are idiots, an injection vulnerability can be written into any database, no matter how secure.

All three were running MS

they get what they deserved. Sadly, few will care.

National security issue?

[schwit1]

How is 130 million cards getting compromised not going to have an impact on the economy?

Re:National security issue?

[Rival]

How is 130 million cards getting compromised not going to have an impact on the economy?

The question is, how is this going to impact the economy?

If these identities are being used for fraudulent transations, then the initial impact might be an overall increase in sales. Obviously those sales will be challenged, and repercussions will be felt at various points throughout the system, but the impact on the economy is not going to be a simple cause-and-effect, regardless of scale.

This scenario makes me wonder whether mass-compromise of the credit card system has been modeled yet. And more importantly, whether there are plan(s) in place to minimize both systemic and individual disruptions.

Re:National security issue?

[jjohnson]

As I understand it, not a lot of the CC numbers actually get used for identity theft. Most of the money in stealing the cards is selling the list to others. Besides, if you had 130 million CC numbers dropped in your lap, what would you do with them? At most you could personally exploit only a tiny fraction of them usefully.

The big financial hit here is the credit card companies having to do a mass cancel/resend of cards, as happened to me after the TJ Maxx heist.

Next Credit Application

[bitmanip]

Next time I receive one of those annoying credit applications I think I'll put in my name as "Drop Table" and my address as "Update Transactions Set Balance=-32765" and drop it into the mail.

Re:Next Credit Application

[thegameiam]

http://xkcd.com/327/

This is all academic.

[Artifakt]

Before people chime in to either wish Albert a roommate who thinks he has a pretty mouth, or 'explain' why the charges are bogus, just chill. This cracker was in trouble in 2004, turned state's evidence, and walked. There are people still on the inside who really miss him. It doesn't matter what the sentence is in his case, he literally is a dead man walking. It doesn't help either, that his Russian buds, still un-arrested and likely to remain so, may be worried about what new tales he will tell. They probably aren't worried enough to bother, but when somebody else does for lil' old 'soupnazi' they'll help enlarge the suspect list to where nobody will ever prove anything.
      So discuss the security needs of the big credit card companies, or this crime in particular, all you want. Just remember, you already know how this one turns out.

Re:Losing faith in the system--Don't Lose Faith!

[popeye44]

I recommend a method wherein we inscribe some sort of Mark on the right hand or the Forehead to identify people.....Meh yea. lets go that route.

Why store credit card info??

[Tony+Reina]

Why does the credit card number need to be stored at all? I'm assuming that the merchant sends the credit card number to the credit card company (or whomever authorizes the transaction). That authority sends back an "Ok" plus a unique transaction ID for that purchase. Each purchase has a unique transaction ID. The merchant stores the transaction ID and NOT the credit card number (or any other identifying info). Any disputes or corrections are handled by referring to the transaction ID. In this scenario, the actual credit card number is only stored by the credit card company. It exists in no other database. If the vendor site gets hacked, it doesn't have any usable info.

Re:Why store credit card info??

[plover]

Two things. First, RTFA, especially the link to Securosis, where it says the guy installed sniffers to record the data while it was being sent to the credit card company. The bad guys didn't steal stored accounts from Heartland, they were just snorting it off their network.

The other thing is that your assumption about how settlement works (while long discussed as a better solution than the current system) is incorrect. The retailer does not get a perfectly unique transaction ID back on a credit authorization request. They get only a short approval code that has to be tied to a specific transaction, and identifying the transaction to the bank requires the following data: merchant ID, terminal number, transaction date/time, account number, and approval code. Without all that data the bank will not pay the processor, who will then not pay the merchant. This is the protocol set up by Visa many, many years ago, and we're still using it.

The ironic thing is that while your proposed solution would make life safer for the merchants (who would no longer have to store account numbers), it would make life more complex for the payment processors as they would then have to store the account numbers (on behalf of the merchants.) And who was breached here this time? The payment processor.

What would really need to change would be the issuing banks and the whole protocol, so the banks wouldn't require the account numbers for settlement. The worst part about that is changing the protocols at 11,000 banks. It's very hard to get game-changing agreements like this passed by the card associations (Visa, etc.) because it imposes a lot of upgrade costs on the member banks. On the flip side, they seem to have no problem imposing their faulty security rules (PCI DSS) on all 6 million merchants.

Re:Why store credit card info??

[Tony+Reina]

Actually I could care less about TFA. It is one of hundreds of breaches that we know about and that will continue to occur. We've got to talk creating an actual solution rather than finding band-aids to the individual problems that crop up. My basic point is that we store far too much information that we actually need. I know it is nearly impossible to get 11K banks to change a well-established protocol, but I'm talking about what "should" be done as opposed to what "will" be done. I am not naive enough to believe that the system will change, but am suggesting that this is how it should be.

Re:Why store credit card info??

[Tony+Reina]

identifying the transaction to the bank requires the following data: merchant ID, terminal number, transaction date/time, account number, and approval code.

The combination of merchant ID, terminal number, transaction date/time, and approval code seems like a pretty unique transaction ID to me. If the payment processor stores this info as the primary key, then the account number is redundant to specifying the transaction.

Re:Why store credit card info??

[plover]

identifying the transaction to the bank requires the following data: merchant ID, terminal number, transaction date/time, account number, and approval code.

The combination of merchant ID, terminal number, transaction date/time, and approval code seems like a pretty unique transaction ID to me. If the payment processor stores this info as the primary key, then the account number is redundant to specifying the transaction.

Again, I agree with you, but I was describing the current protocol. Remember these systems were built long ago when these sorts of systems could be trusted. I believe the account number was originally used as the primary key in many of them (certainly at the banks, but probably at the processors and merchants as well.)

Re:Why store credit card info??

[plover]

There is a very secure solution available that involves replacing the current "valuable account number" system with smart cards and cryptographic protocols, but the roadblocks are many. The big initial hurdle is the resistance by the banks to implement it due to their costs. Certificate management, HSMs, card generation and deployment, all this would add up to over $20 per card. I figure that the amount wasted by merchants securing their systems would more than make up for the expense of such a system, but how does that money make its way to the bank to pay for implementing it?

The next problem is a genuine tinfoil-hat-and-all conspiracy theory: the card associations may not want perfect security. Visa makes their money by carrying transactions over their network and skimming their vigorish. With perfect encryption, merchants could send their transactions directly to the cardholder banks, avoiding Visa's network. Visa has a strong disincentive to implement it.

Another huge fear propagated by the card associations is consumer friendliness. There is concern that adding complexity to the user experience is going to result in dramatically reduced usage, especially after having built up the convenience factor as a primary selling point (see the Visa commercials featuring orchestrated lunch counters for an example.) I personally don't have a problem with people giving a second thought to "do I really want to do that whole PIN thing just to buy lunch?" But if people cut back on those impulse buys it means there will be a big reduction in the processing fees. Again, the merchants don't much care if the customer pays in cash, but the banks and Visa would be opposed to the pay cut.

Very few of the hurdles are technical problems. They're all about fear and money. As long as Visa can play the shell game, getting banks and processors and merchants to all run around securing their systems and taking the blame for failures, we all forget to look at why we're doing this in the first place. But I'm with you -- let's do it anyway.

How it works in Sweden

[MartinSchou]

I just recently moved to Sweden from Denmark. The changes in online payment processing wasn't that big - just introduced an extra bit of security. It's not a matter of being from Sweden or Denmark, it's a matter of how the shops are set up.

In Denmark, it's the same way as in the US:
1) Punch in your card number
2) Punch in the card's security code
3) There is no step 3

The Swedish stores I've bought from adds extra steps when I'm using the card from my bank though; it uses authentication that you need to have with you:
A smart card reader using the chip and pin for my card.

When I want to pay using that system, the steps are as follows:
1) Payment processor is my bank, not some random company, and is in a separate SSL session to my bank
2) Enter SSN on payment page
3) Enter the one-time control code in my reader
4) Enter the pin number for my card in the reader
5) Punch in the return code from the card reader on the payment page

It's the same system I use for my online banking as well; it has steps for login, signing and buying, each presumably using a separate private key.

A system like this put in to place everywhere would make gleaning my credit card number useless. I don't have any physical identification that has my SSN on it, nor am I required to have such by Swedish Law (unless I'm driving). And even with my SSN, they still need to know my pin code. Can't say for sure if the card and reader are tied to each other though - I haven't tried using someone else's reader.

Additionally when this system is used on the websites, all processing is done through the bank's own systems, meaning the bank itself is the one that needs to be compromised, and they're probably a bit more worried about a breach than the other guys. I mean - if their systems are broken into, it's not like they can just pass the blame onto some random third party and tell the customers "don't worry, we won't be doing business with them again" - they screw up and it's us telling the banks we won't do business with them again.

Re:How it works in Sweden

[jez9999]

I'd like to see banks go one step further with this, and issue a 'credit fob' instead of a credit card, though. The idea of this fob would be to have security for remote transactions built in, and it would have a number on it that changed every 10 seconds or whatever that you had to enter to make a transaction. That way you wouldn't need to carry around a bulky card reader with you to make online transactions everywhere. People would have to get used to the idea of a fob instead of a card, though, and the fobs would have to use RFID or something so you could touch it against a reader for physical purchases.

What are the chances of the banks bothering to do this... ever, though? :-(

Re:How it works in Sweden

The reader is just the interface to the SmartCard. It's interchangeable and basically a power source, keyboard and screen. The computer is the chip on the card and I really mean computer, it's as powerful as the several thousand dollar machines of twenty years ago. But it's heavily specialized on computing cryptographic algorithms.

Re:How it works in Sweden

[dr_d_19]

What your are talking about doesn't really sound like card processing, it seems you are using Direct Payment where you can pay using your bank account and some form of authentication (differs from bank to bank, but usually the same two or three factor auth you use for you online banking.

Now, at least my bank uses 3D Secure as well. The implementation differs between banks in Sweden. Some use only a text challenge/response while others use a two factor system where you need your cardreader as well. Works extremely well!

Sorry - people are too stupid for this

When I set up the cart for my employer, I naturally required buyers to put in their billing address info.

Fully 40% couldn't manage to supply their billing zip code.

Not even after they called us and we went through the guessing game over the phone.

I know we are a mobile society - but c'mon - I can remember every zip I've lived in for the last 15 years.

I finally gave up and now require only card number and expiration - that's it.

Fortunately, the vast majority of our purchases are under 50 bucks, and we've only had 3 or 4 charge backs in the last three years.

Most card theft is like gambling - a tax on the stupid.

This is horrible

[JeanBaptiste]

People really must start paying more attention to user inputs';drop table users;--

ion.SIMIAN.c - Step inside, #1 of 5... apk

Others tend to disagree w/ you ion.SIMIAN.c... quoting you from here in this URL next, below:

http://tech.slashdot.org/comments.pl?sid=1327945&threshold=-1&commentsort=0&mode=thread&pid=28980845

"2) You're talking to APK. He exists to write wall-of-text comments. His depth of knowledge is *really* shallow, so don't expect a good conversation out of him." - by ion.simon.c (1183967) on Thursday August 06, @08:09PM (#28980845)

Well, per the lists I put out below, vs. that above quoted from you?

Others tend to disagree w/ you, ion.SIMIAN.c (here, & in respected written publication, inclusive of respected corporate bodies in this art & science who used ideas of mine to place as a finalist 2x in a row @ Microsoft Tech-Ed in its hardest category - SQLServer Performance Enhancement) :

"My Name is Ozymandias: King of Kings - Look upon my works, ye mighty, & DESPAIR..."

----

Windows NT Magazine (now Windows IT Pro) April 1997 "BACK OFFICE PERFORMANCE" issue, page 61

(&, for work done for EEC Systems/SuperSpeed.com on PAID CONTRACT (writing portions of their SuperCache program increasing its performance by up to 40% via my work) albeit, for their SuperDisk & HOW TO APPLY IT, took them to a finalist position @ MS Tech Ed, two years in a row).

WINDOWS MAGAZINE, 1997, "Top Freeware & Shareware of the Year" issue page 210, #1/first entry in fact (my work is there)

PC-WELT FEB 1998 - page 84, again, my work is featured there

WINDOWS MAGAZINE, WINTER 1998 - page 92, insert section, MUST HAVE WARES, my work is again, there

PC-WELT FEB 1999 - page 83, again, my work is featured there

CHIP Magazine 7/99 - page 100, my work is there

GERMAN PC BOOK, Data Becker publisher "PC Aufrusten und Repairen" 2000, where my work is contained in it

HOT SHAREWARE Numero 46 issue, pg. 54 (PC ware mag from Spain), 2001 my work is there, first one featured, yet again!

Also, a British PC Mag in 2002 for many utilities I wrote, saw it @ BORDERS BOOKS but didn't buy it... by that point, I had moved onto other areas in this field besides coding only...

Lastly, being paid for an article that made me money over @ PCPitstop in 2008 for writing up a guide that has people showing NO VIRUSES/SPYWARES & other screwups, via following its point, such as THRONKA sees here -> http://www.xtremepccentral.com/forums/showthread.php?s=ee926d913b81bf6d63c3c7372fd2a24c&t=28430&page=3

----

Also, it seems I have approximately around 110++ "modded up" posts here (which is harder on AC's, considering many folks "filter us out" in their user preferences here on their registered accounts):

----

+5 'modded up' posts by "yours truly": (4 of them)

http://it.slashdot.org/comments.pl?sid=1139485&cid=26974507
http://it.slashdot.org/comments.pl?sid=1139485&cid=26975021
http://it.slashdot.org/comments.pl?sid=170545&cid=14210206
http://hardware.slashdot.org/comments.pl?sid=175774&cid=14610147

----

+4 'modded up' posts by "yours truly": (4 of them)

http://tech.slashdot.org/comments.pl?sid=1290967&cid=28571315

Hey, ion.SIMIAN.c - IRAM is Trash? #2 of 5... apk

Ion.SIMIAN.c - I QUESTION YOUR ABILITIES TO RUN & UNDERSTAND LINUX, period... why? This:

-----

"Heh. The i-RAM is a finicky chunk of trash." -by ion.simon.c (1183967) on Saturday December 13, @09:55AM (#26102285)

-----

So, since you said that? Well, back it up, vs. these 3 simple questions you now refuse to answer:

-----

1.) Does the IRAM run on Windows reliably? ANSWER = YES...

2.) Does the IRAM run on Linux reliably?? ANSWER (per your sources, YOU, no less) = NO...

3.) Since the IRAM runs on Windows well, but not Linux, well... what is the "piece of trash" here (what is it YOU called the IRAM? A "finicky piece of trash"??)??? ANSWER (obviously) = LINUX...

-----

Funny - That 'piece of trash' (what you called the GIGABYTE IRAM SSD) works FINE on Windows... & yet, it does not on Linux!

(Explain that, & it appears the "finicky piece of junk", IS LINUX, not Windows OR the IRAM... well, it's that or what I am STARTING to lean towards, & that is that YOU DO NOT KNOW WHAT YOU'RE DOING WITH ONE (or, Linux apparently either)).

Who are you trying to fool here? Time to show YOU, what is what & everyone else here, where it's at, on that account... with your own list of massive screwups.

APK

P.S.=> For your NEAR constant trolling of myself via this registered account of yours, AND, via alternate logon sock puppets (like "random destruction")? Especially for comments like these in them:

"2) You're talking to APK. He exists to write wall-of-text comments. His depth of knowledge is *really* shallow, so don't expect a good conversation out of him." - by ion.simon.c (1183967) on Thursday August 06, @08:09PM (#28980845)

Well - I am going to DESTROY YOU here, ion.simon.c, by letting YOU, destroy yourself, with screwups like this one I just noted on YOUR part ... this is just the start! Remember - YOU started it, I am merely going to finish it, and YOU along with it... but, that's assuming trolls like you have any feelings of shame, & I doubt that you do... apk

Re:Losing faith in the system--Don't Lose Faith!

[SpaceLifeForm]

the only topical discussion related to identity theft arising from financial systems concerns the security vulnerabilities in a capitalist system dominated by government and financial behemoths.

Note that these 'systems' were attacked through MSSQL holes.

Yes, don't lose faith! Lose Microsoft!

You faIl it

community at over a quality Are just way over the most vibrant at least.' Nobody very sick and its I havE a life to a GAY NIIGER off the play area

A crime deserving 20 years?

These guys who have (attempted) fraud on a massive scale causing losses to (incompetent) corporations and hassles for many people who's details (and identities) were stolen are only likely to get 20 years according to the Guardian http://www.guardian.co.uk/world/2009/aug/18/american-credit-card-hacker

Whereas Gary MacKinnon, who poked around in some unprotected computers, purely out of curiosity and not for financial gain, and only causing hassle to the incompetents who had not secured their network, is threatened with 60 years imprisonment!

Crazy.

Huh?

[xenobyte]

... lock down the server to prevent unneeded network services and software installation (don't allow outbound curl, for example).

Excuse me? - The ability to fetch patches is essential to keeping a server secure. Allowing it to fetch patches from an intermediary server only doesn't make anything more secure as that server is easily compromised if the attacker already have root on the production server. It will only serve as a delay and an annoyance to the attacker, nothing more.

No, the only way to go is to prevent the server from being owned in the first place. Sane code- and SQL-design plus a stripped down server should do the trick. Don't use java and other unnecessary complex languages with too many features. Use PHP or similar which doesn't launch tons of junk processes for each thread, each with thousands of possible buffer overflows (java leaks memory in case of even the smallest error). Feel free to use whatever for the customer service interface but hand off handling the credit card info to a minimal ultra-secure server that basically does nothing except to get the info and return the result. No bells and whistles, no unnecessary features.

Re:Huh?

You have absolutely no idea what you are talking about regarding the server security. An attacker gaining executable privileges to the server does not mean ROOT. There is no reason apache needs wget/curl/ftp access, etc.

Re:Losing faith in the system--Don't Lose Faith!

[Opportunist]

The best system is a swiss cheese if the patches are not applied...

Seriously. I've seen far more serious security holes due to negligence on the side of the administrators and beancounters than on the side of the supplyer of hard- and software. For many companies, security is still seen as a product. It's something you buy, some box you put in front of your machines, and you consider yourself safe and secure, never to touch it again.

That's not how it works. Security is a process. Security is something you have to establish and audit. Preferably constantly, but that's not economically feasible for most companies. But you have to audit your security system against current, modern threats, you have to audit it against everything that has happened and is a known exploit or a known procedure employed by criminals. Today, tomorrow, for the rest of your company's existance. It's nothing you do today and then you're done with it.

Security is an evolving process. A race between attacker and defender. You can't "win" and then be over with it.

And as soon as companies realize that, we'll see some progress in this field. Not a second earlier.

Why does Ion.SIMIAN.c hate HOSTS files? #3 of 5

Because he obviously is a botmaster (or wannabe "hacker/cracker" who loses profits by blocking known bad websites in HOSTS files since adbanners have been compromised before), or some webmaster (as they lose monies on adbanner blockage, despite it taking away a users' speed online, OR, via malicious code in them that bushwhacks the unwary user):

http://it.slashdot.org/comments.pl?sid=1139923&cid=26983715

----

"But don't you see? Your favorite sites are going to have to shut down if you use AdBlock, 'cause then you're stealing their content! You're really going to just have to take one for the team." - by ion.simon.c (1183967) on Wednesday February 25, @01:32PM (#26983715)

----

I would ordinarily stop on that note alone, seeing as Ion.SIMIAN.c is obviously one profiting by these things (even though they're known to be infested with malicious code the past few years now & the fact that adbanners eat up an online user's bandwidth THE USER PAYS FOR no less)... but, that's not all, with wannabe, Ion.SIMIAN.c... far from it!

He hangs out @ the "hacker/cracker" websites online, like this one -> http://74.125.47.132/search?q=cache:T1ikOtt242AJ:hackaday.com/2009/02/22/x11-on-android/+%22Simon+C.+Ion%22&cd=10&hl=en&ct=clnk&gl=us

Thus, it's quite possible he is trying to somehow "discredit me" to others, since I have done guides that stop that type of loser (hackers/crackers), the worst kind of online SCUM that there is, via this guide I did in late 2008 -> http://www.tcmagazine.com/forums/index.php?s=5bf29ea6ca49162314f25f9ebf2aba68&showtopic=2662

He also likes things like "PhreakNic", a 'hacker/cracker' type event apparently -> http://wiki.yak.net/0.photos.simoncion?size=L and those are his photos from it...

APK

P.S.=> Keep using TOR (another indicator ion.SIMIAN.c is nothing but someone up to "no good" again most likely), & going slow as hell due to their total lack of speed (like any "anonymous proxy" usually is) being the "wannabe hacker" you *THINK* you are, apparently... NOW - You said this to me:

"2) You're talking to APK... His depth of knowledge is *really* shallow, so don't expect a good conversation out of him." - by ion.simon.c (1183967) on Thursday August 06, @08:09PM (#28980845)

Time to show YOU, what is what & everyone else here, where it's at, on that account... with your own list of massive screwups. I will keep to my word, because I laid off on you, thinking you'd leave me be from the last time we "had it out" for your trolling me, & you lost badly (which my other replies here clearly illustrate)... So, from now on, under this "ion.simon.c" registered user account you have here? I'll do as you requested -> http://slashdot.org/comments.pl?sid=1230601&threshold=-1&commentsort=0&mode=thread&pid=28076381 , & post this in reply to your posts, see how you like eating your own words... apk

ion.SIMAN.c, programmer? Chimps can't... #4 of 5

ion.SIMIAN.c claims he is a programmer? B.S.!

First he said this:

----

"I'm a programmer." - by ion.simon.c (1183967) on Saturday May 02, @11:17PM (#27803057)

----

So, since he said what he said in the quote above... all I can say is:

OH, Really? Prove to us you are a professional programmer, ion.simIAn.c, won't you? After all, you CLAIMED that you are above, & demanded others, in myself specifically, do so as well, here:

"You claim that you're a professional. Prove it" - by ion.simon.c (1183967) on Sunday May 03, @08:52PM (#27811101)

Ok then, time to put the "shoe on the other foot" - NOW, I demand the same proof of your words:

After all - That's the same question you asked ME to prove & I did, via the "My Name is Ozymandias" lists I posted in replies here earlier in this thread -> http://tech.slashdot.org/comments.pl?sid=1327945&cid=28981391

All of that, was in response to accusations like that one quote above, from yourself, directed MY way!

My list of some of the stuff I have been fortunate to have been noticed in, in this very field in respected publications or by companies &/or famous contests like Ms Tech Ed - which served to "shut you up", VERY quickly... not everyone is like yourself, SIMIAN, so, get over it...

(The rest of us, true pros in this art & science, don't waste our times on trying to be "hacker/cracker" wannabes that hang out @ "hack a day" (as you have been shown to do in my others posts here (Nor does everyone hide behind TOR like you do, nor do others use alternate sock puppet accounts as you do in "Random Destruction", your sock puppet registered account)).

What I found hilarious, was that you were shown to go even to the point of where you emailed Dr. Mark Russinovich -> http://slashdot.org/comments.pl?sid=1234703&cid=27981921 (in regards to he & I both doing work for Sunbelt software in the mid 1990s, and, where I corrected his errors in PageDefrag for him, telling him WHY & HOW he went wrong, to which he even THANKED ME FOR, in email, per this here -> http://www.pcmech.com/article/defragging-the-windows-page-file/ to which you obviously did get a response from he, & no longer question my status as you did above)

That stuff above, & my other replies here, along w/ other proofs I gave you disprove your b.s. here... & other places you trolled me in...

HOWEVER? Ah, but, when YOU are asked for the same proofs of YOUR WORDS & CLAIMS? YOU RAN... and you keep running!

APK

P.S.=> This is going to be the end of you, troll... I've had it, w/ your trolling b.s. directed MY way, & for the 4th time now from you or more... & this, on my part? It is merely "righteous indignation" and you deserve it, after this crap here you said about myself:

"2) You're talking to APK... His depth of knowledge is *really* shallow, so don't expect a good conversation out of him." - by ion.simon.c (1183967) on Thursday August 06, @08:09PM (#28980845)

Time to show YOU, what is what & everyone else here, where it's at, on that account... with your own list of massive screwups. I will keep to my word, because I laid off on you, thinking you'd leave me be from the last time we "had it out" for your trolling me, & you lost badly (which my other replies here clearly illustrate)... So, from now on, under this "ion.simon.c" registered user account you have here? I'll do as you requested -> http://slashdot.org/comments.pl?sid=1230601&threshold=-1&commentsort=0&mode=thre

ion.SIMIAN.c classic screwup list #5 of 5

There are too many to even paste in, but, the url's below will do (The compendium of ion.SIMIAN.c classic screwups):

1.) HOSTS files -> http://slashdot.org/comments.pl?sid=1219095&cid=27803005
2.) DNS Servers -> http://tech.slashdot.org/comments.pl?sid=1219095&cid=27798027
3.) Logon scripts & Group Policies usage -> http://slashdot.org/comments.pl?sid=1219095&cid=27800951
4.) SeLinux being implemented via kernel hooking/kernel patching -> http://tech.slashdot.org/comments.pl?sid=1219095&cid=27806379
5.) Services patching &/or cutoffs for security -> http://slashdot.org/comments.pl?sid=1219095&cid=27802917
6.) What the definition of "System Hardening" is -> http://slashdot.org/comments.pl?sid=1219095&cid=27800687

That's ALL for exposing you as nothing more than a "know-nothing troll" who has bothered myself for the LAST TIME here, ion.SIMIAN.c ...

Then again: Perhaps I am expecting you to even have the capability to feel shame, & that's possibly expecting too much from "the likes of you", who has nothing he can evidence to his credit, of accomplishments in this field in WRITTEN respected publications, or contests like Ms-TechEd as I have to MY credit - but yet, you see fit to say to others what you did about me in my P.S. below... lol!

APK

P.S.=> I've had it, w/ your trolling b.s. directed MY way, & for the 4th time now from you or more... & this, on my part? It is merely "righteous indignation" and you deserve it, after this crap here you said about myself:

"2) You're talking to APK... His depth of knowledge is *really* shallow, so don't expect a good conversation out of him." - by ion.simon.c (1183967) on Thursday August 06, @08:09PM (#28980845)

Time to show YOU, what is what & everyone else here, where it's at, on that account... with your own list of massive screwups. I will keep to my word, because I laid off on you, thinking you'd leave me be from the last time we "had it out" for your trolling me, & you lost badly (which my other replies here clearly illustrate)...

So, from now on, under this "ion.simon.c" registered user account you have here? I'll do as you requested -> http://slashdot.org/comments.pl?sid=1230601&threshold=-1&commentsort=0&mode=thread&pid=28076381 , & post this in reply to your posts, see how you like eating your own words... You sow the wind? Time to reap the whirlwind, in every post you make under this account, simian... THIS TIME? I won't "drop it", even though I did before (out of the interests of "enough is enough" mainly, as most folks learn a lesson the 1st time, you evidently? DO NOT, & have trolled me 4x now - usually? I give it 3x & go after the freaks that do so to myself & others (ones that *THINK* they're clever, & run behind TOR or "anonymous proxies" etc. et al, as you do) here + elsewhere online - but, I will let your OWN WORDS and outright TECHNICAL SCREWUPS, destroy you... (with ease!)

With the amount of technical screwups, & false claims + accusations you make (which are EASILY disproved)? Well - You do the job, for me... thanks! apk

Blame

[fulldecent]

Unless your name is Johnny Tables, how do you execute a SQL injection on a credit card processing system?

Maybe the blame should be placed on the system that gave the attacker visibility into the transaction processing database, rather than a sandboxed (rather, firewalled) access to the data needed to complete his specific transaction.

Heartland Wasn't SQL Injection

Heartland wasn't compromised by SQL injection, but it was their then head DBA's laptop that got compromised by some malware that gave the remote attacker control of his laptop. From there, they were able to use it to download Heartland's DBs of CCs. It wasn't till months after the laptop was compromised and the DBs downloaded that the breach was discovered. Heartland conveniently waited until Obama's Inauguration to do a Press Release so the major news outlets wouldn't pick it up: http://www.2008breach.com/Information20090120.asp http://it.slashdot.org/article.pl?sid=09/01/20/1930252&tid=76

This is more insider knowledge and I admit I can't back it up without making enough information available that would get me fired. Take it or leave it, those are the facts. I'm already taking a risk because my boss frequents slashdot.

big companies = big morons

[ILuvRamen]

SQL injection? I went to a local 2 year college and I know how to prevent those. Any idiot knows how to prevent those! Filter some damn command words and characters! Parameterize all queries! This is what happens when stupid people hire programmers with 4 year and masters degrees who look good on paper but actually have no idea what they're doing. I hate it when people like that who companies think are sooooo great get a job over me just because of their 4 year degree and going to some fancy private college but I love it when things like this happen and they crash a burn. They damn well better have gotten fired and replaced by someone who's not a moron.

Lots of "mod downs", but no replies (strange? NOT)

See subject above, & ion.SIMIAN.c : Looks like your "VISION QUEST" failed, badly, in your trying to take on your betters. Mod down all you like, but, that doesn't make the points in the other replies that show your general weakness in the art & science of computing just "go away", now, does it? Nope.