Slashdot Mirror


UK Cosmetic Retailer Lush Targeted By Hackers

Tasha26 writes "Cosmetic retailer Lush stopped its online activities on Jan 21 due to hacking activities. Their website is still down due to 'continuing attempts to re-enter,' and Lush is thinking of spinning up a small PayPal outlet as a temporary solution. The company is urging customers who placed an order between Oct 2010 and Jan 2011 to contact their banks for advice on compromised credit card details. The company even posted a message addressed to the hacker, saying, 'If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job — were it not for the fact that your morals are clearly not compatible with ours or our customers.'"

79 of 109 comments

  1. Color me nonplussed by akkornel · · Score: 1

    Well, you could, that is, if you were able to get your hands on any fine Lush products, but now you can't, so I guess I'm not nonplussed after all.

    How long 'til we are required to use things like one-time credit cards, or maybe a single-use code from my Yubikey, or something else, for online purchases? Either that or cancel & change your credit card number every six months.

    1. Re:Color me nonplussed by daid303 · · Score: 1

      How long 'til we are required to use things like one-time credit cards, or maybe a single-use code from my Yubikey, or something else, for online purchases? Either that or cancel & change your credit card number every six months.

      There are alternatives. For The Netherlands we have iDEAL: http://en.wikipedia.org/wiki/IDEAL

      It works very simply: you only authorize a single payment. They could scam you out of a single payment but that's it. I exclusively buy online at shops that support iDEAL. And that list is growing fast; Steam has also supported iDEAL for half a year now, and Blizzard accepts it as a payment method. The whole credit card setup is so stone-aged compared to this.

      Also note that I don't need to set up a different account or anything else, because I have an account at one of the banks supporting iDEAL. It requires the same two-factor authentication as I use for online banking. So it all feels familiar.

    2. Re:Color me nonplussed by dtml-try+MyNick · · Score: 1

      Agreed, iDeal may not be the end-all, be-all solution for online transactions, but it's pretty solid, safe and simple.

      Currently I only do payments via iDeal or PayPal. My PayPal account is empty most of the time. If I want to buy something via PayPal I transfer the amount of money needed first and then make the transaction.

      --
      Life starts at the end of your comfort zone.
    3. Re:Color me nonplussed by cdrguru · · Score: 2

      Your credit card will be compromised. It is a fact of life.

      Your average waiter in a restaurant can make an extra $50-100 a week by turning nice fresh credit card numbers over to the right people. Credit card companies do not prosecute - ever. So, even if someone is caught they aren't going to do any time.

      Magnify the opportunity and reward 1000 times for a credit card database.

      I do not know of anyone ever that had to pay for their credit card being used fraudulently. Generally I get a phone call asking if some purchase was mine and when the answer is no it is removed from the bill and a new card is mailed out. Period. Nothing else.

      I don't understand what all the fuss is about. Yes, you will get a new credit card number periodically. So?

    4. Re:Color me nonplussed by GameboyRMH · · Score: 1

      Your average waiter in a restaurant can make an extra $50-100 a week by turning nice fresh credit card numbers over to the right people.

      That's it? Hahaha, suckers!

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    5. Re:Color me nonplussed by KingAlanI · · Score: 1

      PayPal has instant transfers out of attached bank accounts available at least in the US.
      Then you don't have the delay of waiting for the transfer to clear and add to your account balance, then paying with your balance.

      --
      I listen to both RIAA and non-RIAA stuff if I like the music, tangential business/politics nonwithstanding.
  2. Oh come on... by samcan · · Score: 3, Interesting

    It's not a matter of whether the hacker's skills are formidable, it's a matter of whether Lush's IT team's aren't.

    1. Re:Oh come on... by Anonymous Coward · · Score: 1

      Such is not always the case. Even if you run a top notch secure system, there will always be bugs and ways to compromise it.

    2. Re:Oh come on... by Haedrian · · Score: 1

      or whether the guy who designed the kit was formidable.

    3. Re:Oh come on... by rtfa-troll · · Score: 5, Insightful

      A "top notch" IT team will have

      • offline backups
      • the ability to restore quickly
      • the ability to expand capacity quickly
      • the ability to do almost immediate updates*
      • basic forensic ability to work out what's going on

      Sure, your system may be compromised. Sure, the first replacement system may be compromised again. During the compromise of the second you should get enough logs that the third (or at worst fifth) time you come back, all the zero day attacks the attacker is using have gone.

      Anyone can lose a few hours of outage. To be down for a day and have to start begging for mercy is not a sign that their IT "skills are formidable".

      * at the cost of a short term outage;

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    4. Re:Oh come on... by 1s44c · · Score: 1

      It's not a matter of whether the hacker's skills are formidable, it's a matter of whether Lush's IT team's aren't.

      Exactly. I'll bet the Lush IT team consists of a few guys who might be reasonably smart but they just can't cover the amount of work they are meant to be doing. Management interference and other distractions most likely mean they could not keep track of all the work they should be doing.

      Unless they took the Microsoft route, that is. Then they most likely employed a bunch of MCSEs who don't really understand technology, spent a fortune on Windows servers and another fortune on Active Directory servers, and still got cracked endlessly.

    5. Re:Oh come on... by Anonymous Coward · · Score: 1

      "It's not a matter of whether the hacker's skills are formidable, it's a matter of whether Lush's IT team's aren't."

      No, it's whether they actually HAD an IT team, or whether they just paid for a website and expect it to run forever with their great management skills.

    6. Re:Oh come on... by Elentari · · Score: 2

      This is the forum post from their singular IT team member about the incident: http://img35.imageshack.us/img35/3715/lushpostuk.jpg

    7. Re:Oh come on... by Nick+Ives · · Score: 2

      Not if the "zero day attacks" are in the bespoke code for your website. Then you'd be in the situation of getting whoever wrote your code to sort their mess out, which for a relatively small firm like Lush would probably mean dragging back in whatever lowest bidder contractor they used.

      --
      Nick
    8. Re:Oh come on... by jimicus · · Score: 2

      Lush isn't an IT firm, they're a cosmetics firm.

      I would be astonished if their IT staff are in-house - there's a very strong chance they outsource it all.

    9. Re:Oh come on... by rtfa-troll · · Score: 1

      dragging back in whatever lowest bidder contractor they used.

      We are discussing here a "top notch" IT team.

      a) they wouldn't have used a lowest bidder in the first place

      b) once they know the URL they would be able to use one of the Apache filtering modules or a feature of their load balancer to block that URL

      c) once they captured the URL that caused the break in they could just fix the code themselves; being top notch they won't be using anything they don't have the code to.

      Even a slightly less than top notch company will have a support contract and in the case of a less than immediate response will have a notice like "waiting for Oracle support to respond"; "up as soon as Microsoft can fix IIS" which is the kind of thing which tends to get these companies to do a very quick fix.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    10. Re:Oh come on... by rtfa-troll · · Score: 1

      I was going to say that; if they are making most of their business online then they are an IT company; they just haven't realised it yet. However, it seems like in fact they probably do most business over the phone and in shops so I will actually say that it's good that they stood up and admitted what happened. Hopefully they learned and next time they'll get someone competent to run their online store.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    11. Re:Oh come on... by rtfa-troll · · Score: 1

      I read that as SQL injection points or equivalent. I don't think he means deliberately placed back doors. He's clearly a bit of a novice on some aspects of security.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    12. Re:Oh come on... by Ritchie70 · · Score: 1

      I doubt much is online sales. The noxious fumes from their heavily scented products make a trip to Macy's highly unpleasant if you wander into the wrong part of the store.

      --
      The preferred solution is to not have a problem.
    13. Re:Oh come on... by internewt · · Score: 3, Insightful

      Maybe their admin password was 'password'

      It was worse than that... it looks like up until very recently they could well have had their site on a Windows 2000 machine. 2000 was the best version of Windows that MS ever made, but it still had some chronic shortcomings that make it totally unsuitable for most internet-facing tasks.

      http://toolbar.netcraft.com/site_report?url=http://www.lush.co.uk

      Of course it is all too easy to just flame Windows, but even (especially) the MS fans will agree that using IIS5 in at least 2007 is not a clever thing to have been doing.

      But let's be honest, the way that site is slinging about the word "hacker" it is clear they do not have any kind of top-notch IT... or even any clue about computers - they probably accepted what the industry told them as 100% truths, and then think that somehow some person is doing fucking magic or something to get into their server. Considering how keen they seem to be to shirk responsibility for the break-ins (their list of suspect beliefs, for example), they truly do not recognise their own ignorance. The BBC miss the point too, and just go along with the hacker rhetoric as well.

      --
      Car analogies break down.
    14. Re:Oh come on... by drinkypoo · · Score: 4, Interesting

      Noxious fumes from heavily scented products? Have you actually smelled their products? It's probably the only thing in Macy's that won't make my airway tighten up instantly. I have asthma and that toxic bullshit that is in most body products makes me react immediately, whether I can actually smell it or not; and so much the worse if I can smell it, since my body has been trained to associate the toxic reaction with the artificial smell.

      My lady has Lush products and they are both less scented and less noxious than virtually anything else on the market. Stop with your FUD.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    15. Re:Oh come on... by catmistake · · Score: 2

      2000 was the best version of Windows that MS ever made

      Still... it's a dubious honor.

      IMHO, Windows Servers have a purpose... to help administrate lots of Windows Desktops with Active Directory, and, of course, Exchange. When running Exchange, you need a couple or three competent administrators, that do nothing else, who are constantly on top of things... because it doesn't run by itself.

      Any IT professional that insists running Internet-facing web servers on Windows is just as good as anything else is ____________________________ [I can't say it... please, responders, fill in the blank].

      BAD METAPHOR TIME: Hardcore Microsoft-loyalist Windows Admins saw the movie first, and insist it was better than the book. The rest of us actually appreciate literature.

    16. Re:Oh come on... by jimicus · · Score: 1

      The hackers have already demonstrated that they're probably a cut above the average script kiddie, insofar as they hacked the site to forward credit card numbers and this went unnoticed for a couple of months.

      There's a good chance that the IT team at the time this all blew up weren't sure exactly how the hackers got in in the first place. And if they were, they had evidence to suggest that attacks continued after the website was brought down and fixed. In which case, one line added to mod_security configuration may block the issue that caused the original hack but it won't do anything for any of the other issues that may exist.

      Were I to hazard a guess (and from my own experience of corporate IT), I'd wager that Lush's IT department have been trying to get a project for some major website redevelopment approved for some time. It wouldn't surprise me if they knew full well the site was a disaster waiting to happen, but until that disaster does happen it can be very difficult to get such projects approved.

      I daresay that the project will be made top priority now.

    17. Re:Oh come on... by jimicus · · Score: 3, Insightful

      Any IT professional that insists running Internet-facing web servers on Windows is just as good as anything else is ____________________________ [I can't say it... please, responders, fill in the blank].

      ... perfectly correct, provided the server is administered competently.

      This means you run an up to date version of Windows and IIS, you lock everything down so tightly you can barely do anything with the damn thing, you make sure any extra things you need to install for your application are kept up to date (and ideally don't run any with a history of serious security issues), you keep it in a DMZ, you run a separate server configured identically in a test environment so you can test patches as soon as they become available with a view to rolling them out ASAP, your firewall offers application-layer security which you have learned how to configure properly and have done so and you're regularly ensuring the integrity of your site.

      And if you don't have the time to maintain solid security for the important parts (such as card transactions), don't even try. There are plenty of card processors on the market that can do all that for you, and your systems never need to even see a card number.

      I would argue that if you can't do all this (or at least understand what I'm talking about), you have no business running a public website which processes transactions in the first place.

      The thing is, I would argue that a huge number of Windows admins (possibly 80% or more) are not even equipped to recognise their own shortcomings, much less do all of this.

    18. Re:Oh come on... by AndGodSed · · Score: 1

      A "top notch" IT team will have a proper budget.

      Most of the things you mentioned cost money, and sadly most IT teams are the bastard children of management decisions as far as budget goes.

      It usually takes something like this before management decides to finally empower the IT team with some form of financial support for their IT needs.

    19. Re:Oh come on... by new500 · · Score: 1

      Upvote please the guy immediately above who knows a bit about Windows. It's hard, but do-able.

    20. Re:Oh come on... by Rogerborg · · Score: 1

      No, really, the guy that beat me up was like seven feet tall. Also, there were three of him. All of them ninjas.

      --
      If you were blocking sigs, you wouldn't have to read this.
    21. Re:Oh come on... by jimicus · · Score: 1

      No chance, unfortunately, the /. view is very unlikely to agree.

      Thing is, most hacks these days have rather more to do with the application than the platform it's running on. When I said "you have no business running a public website which processes transactions...", I include a public website running Linux.

      I don't actually have any experience running Windows on a public server, and hence I wouldn't feel entirely confident I could do a decent job. But to claim it's impossible to do it properly is just ignorant. Frankly, I'd have been just as scathing of someone who was running RHEL 2.1, for much the same reasons.

    22. Re:Oh come on... by Kazymyr · · Score: 1

      Second that. Fortunately my wife gets all of her Lush stuff in brick-and-mortar stores, not online.

      --
      I hadn't known there were so many idiots in the world until I started using the Internet -Stanislaw Lem
    23. Re:Oh come on... by LingNoi · · Score: 1

      or if they hired someone to build them a site and then didn't pay them to maintain it.

      FTFY

    24. Re:Oh come on... by drinkypoo · · Score: 1

      I note that you post Anonymously, probably because you are a fucking toolbag shill.

      If you can actually provide some kind of evidence, ANY kind of evidence, that it's Lush products in isolation causing this to happen, AND that these products are smellier than the USUAL stuff which you find in those stores (even my local Grocery Outlet, a second-run grocery store that sells pullbacks, has a whole stinky section of brand-name perfume next to Checkstand #1) then I might consider that you are a real human with a right to speak to others.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    25. Re:Oh come on... by catmistake · · Score: 1

      HA! Forget it Don Quixote... unless you don't have a lot of money to blow and can bend those stability, performance and security requirements, Windows is just about as close as you're ever gonna get.

    26. Re:Oh come on... by Ritchie70 · · Score: 1

      noxious /ˈnäkSHəs/, adjective: Harmful, poisonous, or very unpleasant.

      I find Lush products to be noxious. My wife also finds their products to be noxious.

      Lush sells a heavily-scented product line. If you don't believe that I don't know what to say.

      It has some of the strongest, most intense scents I have ever encountered. I would rather stand down-wind from a hog farm than in an aisle full of Lush products.

      If your lady has you convinced it's more lightly scented than other products, your lady is fucking with you.

      It may be all natural, and you appear to believe that the all-natural nature of it makes it acceptable to your medical condition.

      My mother has asthma and is highly bothered by any strong scents, to the point that she has sent students in her classes to the restroom to wash lotion off. I doubt Lush would be any better for her than kerosene fumes.

      When I walk near their part of the cosmetics department I find the overwhelming scents emanating from the Lush products make it difficult to breathe, and I hurry through what I find to be a highly unpleasant experience to the rest of the store.

      --
      The preferred solution is to not have a problem.
    27. Re:Oh come on... by Ritchie70 · · Score: 1

      God, do you work for Lush?

      Call Macy's. Ask for the Lush counter.

      Don't ask if it's natural, don't ask anything else. Just tell them that your mother likes things with a very mild scent, one of your workmates said Lush was good, and ask if it has a mild scent or if it's pretty strong.

      If you can't tell on your own then maybe you have some level of anosmia.

      Further..... we're arguing about cosmetics on Slashdot. What the fuck. Can we just stop now???

      Moderators, please. DON'T MOD EITHER OF US UP.

      --
      The preferred solution is to not have a problem.
    28. Re:Oh come on... by drinkypoo · · Score: 1

      God, do you work for Lush?

      No, but I wouldn't mind. I would not, however, work for one of the cosmetics products companies that is knowingly using toxics in their products.

      Sometimes I wonder if the dollar stores were created to kill off Mexicans. They're full of toxic shit (there have been recalls for notebooks with lead paint on the covers and such) and notably they have tons of Latin-colored (you know, bright clashy colors) plates and such which have lead warnings printed on them only in English when the people who buy that stuff overwhelmingly speak Spanish.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  3. My opposite experience by cappp · · Score: 5, Funny

    Weird. My ex always sent me off to increase my "online activities" whenever I made "continued attempts to enter".

    1. Re:My opposite experience by kronosopher · · Score: 1, Funny

      "If you are reading this, our women would like to say that your talents are formidable. We would like to offer you a blowjob — were it not for the fact that your genitalia are clearly not compatible with ours or our customers."

    2. Re:My opposite experience by MichaelSmith · · Score: 3, Insightful

      'If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job — were it not for the fact that your morals are clearly not compatible with ours or our customers.'

      Oh for fuck's sake. Security isn't a battle against good or evil. The genius attackers are most likely using a simple exploit. An open MySQL port or a conveniently informative log file. Fix your shopping cart you morons.

    3. Re:My opposite experience by Anonymous Coward · · Score: 2, Interesting

      'If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job — were it not for the fact that your morals are clearly not compatible with ours or our customers.'

      Oh for fuck's sake. Security isn't a battle against good or evil. The genius attackers are most likely using a simple exploit. An open MySQL port or a conveniently informative log file. Fix your shopping cart you morons.

      MySQL? Looks like the port is open. Running 5.0.91 by the looks of it too.

      And they wonder why they were hacked.

  4. "We'd like to offer you a job..." by mangu · · Score: 2

    "...if your salary weren't way above what us cheapskates are willing to pay!"

    Unfortunately, people who are skilled in IT are lacking in salary negotiating skills. The end result is that some of them go to the dark side.

    1. Re:"We'd like to offer you a job..." by 1s44c · · Score: 2

      "...if your salary weren't way above what us cheapskates are willing to pay!"

      Unfortunately, people who are skilled in IT are lacking in salary negotiating skills. The end result is that some of them go to the dark side.

      No doubt there is some truth in that. However the smart guys work for the challenge not the money. I know plenty of rich crap people and plenty of smart not-so-rich people.

  5. Every generation... by mwvdlee · · Score: 1

    Why were these teenagers hacking the Lush website anyway? Are they some sort of evil company that needs to be destroyed? If you're doing it for the fun of hacking, how much fun could it be to repeatedly hack a site that's obviously not very difficult to hack? Or is this just some juvenile delinquents trying to steal credit card details?

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    1. Re:Every generation... by jonbryce · · Score: 3, Informative

      They were doing it to steal credit card details. There are reports in the comments sections of various newspapers that they were using the cards to buy Telefonica O2 pay as you go credits. Presumably they then use these to phone premium rate numbers and cash out that way.

    2. Re:Every generation... by coolmadsi · · Score: 2, Insightful

      Why were these teenagers hacking the Lush website anyway? Are they some sort of evil company that needs to be destroyed?

      I wouldn't really call them evil. They notified all their online customers that their details may have been compromised and to take precautions (my girlfriend was one of them), as opposed to keeping it quiet, not telling anyone, and hope everything blows over.

      My girlfriend often tells me how ethical they are as a company, they stopped using plastic packaging for their products wherever possible, and allow customers to return empty pots back to them for a discount on their next purchase (and they then re-use the pots). As it's a cosmetic retailer, the only evil thing they do in my eyes is having all their strongly smelling soaps, bath bombs and other products out on display, so when I get dragged in with my girlfriend there's a wall of flowery smells to mess with my breathing. Most girls don't seem to mind it though.

    3. Re:Every generation... by jimicus · · Score: 1

      As it's a cosmetic retailer, the only evil thing they do in my eyes is having all their strongly smelling soaps, bath bombs and other products out on display, so when I get dragged in with my girlfriend there's a wall of flowery smells to mess with my breathing. Most girls don't seem to mind it though.

      That's the biggest advert they've got! You can smell one of their shops halfway down the street.

    4. Re:Every generation... by BLKMGK · · Score: 1

      Smells good to me. You can buy their soaps and your bathroom smells wonderful as well. I buy their stuff here in the States and like it actually. Is Lush Canada, Lush UK, and the Lush company here in the US all the same? I wonder what the other web sites are running... :-O

      --
      Build it, Drive it, Improve it! Hybridz.org
    5. Re:Every generation... by jimicus · · Score: 1

      Very much so, they've openly admitted that they have been approached by people wanting to license/franchise the brand outside the UK where they're based and refused.

    6. Re:Every generation... by BLKMGK · · Score: 1

      Okay, well that makes sense. Here in the US I don't see them selling so much make-up like others have described as they do mostly natural bath products. I also don't see them in the likes of Macy's as has been described here. At least not that I've noticed. They DO have their own shops however and I've visited them at several malls and at an airport of all things. I always have some of their soap here and while I don't use it all the time the stuff smells great. I've actually found that when women smell it on you they like it too so bonus!

      From the "diary" entry posted elsewhere they do really sound like they have a small IT operation. Like three guys and a hosting company, which surprises me if they are big enough to have sites for multiple countries and at least 4 shops that I know of here. I guess I would expect them to be using more than just a couple of guys and apparently a Win2K web server at least. I guess if nothing else this is working out to be free publicity for them :-)

      --
      Build it, Drive it, Improve it! Hybridz.org
    7. Re:Every generation... by jimicus · · Score: 1

      The Win2K web server was with an outside hosting company.

      I can't believe any self-respecting hosting company is still operating anything running 2K, so my money's on it being their own server in a colo (which is now an Apache server with United Hosting - who I don't think do colo so I'd imagine it's a case of "we need to move our site to something which we can be 100% certain hasn't been hacked 15 ways from Sunday - only way to do that is to run it on a different server altogether").

      They do virtually no make-up, but they've always billed themselves as a cosmetic company - their UK products are mostly moisturisers, massage bars, bath and shower products. They have a sister company that does do make-up, though I'm not sure that's made it terribly far outside of Covent Garden. Possibly in other countries they put the make-up in the Lush stores.

      (My wife is a Lush fanatic and I have a hell of a memory).

  6. And so by Dunbal · · Score: 1

    Someone thought that slashdotting the site would help more...

    --
    Seven puppies were harmed during the making of this post.
    1. Re:And so by coolmadsi · · Score: 1

      Someone thought that slashdotting the site would help more...

      The site is mainly text with a couple of images. No adverts (I don't think). More likely to stand up to a large influx of visitors compared to a site that is half flashy adverts, due to transferring less data.

  7. Re:Netcraft says.... by HRH_H_Crab · · Score: 1

    IIS on Windows has an overwhelming share of the market when it comes to online commerce sites. It's only natural that hackers would...wait, what?

  8. Our morals and those of our customers? by Kaz+Kylheku · · Score: 1, Interesting

    How do they ascertain customers' morals? Just because someone buys something from you doesn't mean they have good morals!

    What if the culprits turn out to be customers assisted by an employee? :)

    1. Re:Our morals and those of our customers? by Dracula · · Score: 1

      What if the culprit(s) turns out to be an employee?

    2. Re:Our morals and those of our customers? by Anonymous Coward · · Score: 1

      Consider that the customers are customers. That means that they pay money in return for products, as opposed to, say, stealing them. This might imply that the customers agree on "stealing is undesirable." Some might even extrapolate to "cracking servers is undesirable."

  9. Glass half empty, or half full? by rts008 · · Score: 1

    Well, after their servers experience a Chernobyl style meltdown from slashdotting, the hackers can't even get close enough to sift through the ashes! :-)

    --
    Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
  10. Re:Netcraft says.... by 1s44c · · Score: 1

    It's PHP Apache if you look.

    PHP. The free alternative to visual basic.

  11. Lush is not a typical 'cosmetics' store by Squiff · · Score: 1

    They specialise in handmade soaps and seem to be in pretty much every high street in the UK. Example: http://maps.google.com/maps/place?cid=10383864969614968362&q=lush&hl=en&sll=51.494368,-0.154123&sspn=0.049163,0.154324&ie=UTF8&ll=51.518891,-0.2314&spn=0,0&z=13 You are more likely to get bath soap from them than eyeliner, and you can smell the patchouli from one of their branches from quite a distance... Maybe their 'IT' team is in the same vein?

    1. Re:Lush is not a typical 'cosmetics' store by Billlagr · · Score: 1

      Australia too... I am greeted by the gently wafting smells every morning as I step out of the train station, on my way to work.

  12. Smelly by ebcdic · · Score: 1

    The smell from their shops is so strong that it's actually unpleasant to stand at a nearby bus stop.

    1. Re:Smelly by Threni · · Score: 1

      Exactly. If there were only some way of preventing the stores from opening and instead allowing customers to shop online...

      Having a page on eBay and Amazon is something a few companies are doing now. The sort of script-kiddies and spotty virgin bedroom boys who try and take sites down are too lame to be able to affect them, so you'd be safe.

    2. Re:Smelly by ettlz · · Score: 4, Funny

      Ha! I cannot stand them and never understand why so many 16-19 year olds go crazy over a bar of soap..

      Oh, it's only a phase. It normally ends once they go to university.

  13. Re:Netcraft says.... by BeanThere · · Score: 3, Informative

    Wrong, if you check their 'what's that site running' history you'll see that they only switched to Apache yesterday. Before that, they were on IIS 5 on, FFS, Windows 2000, which is a sign that they were probably running on outdated poorly managed systems. The fact that the attack attempts "continue" is probably meaningless as whatever they were, they are almost certainly failing now, but the attempts will still show up in the logs which will make any naive IT administrator nervous.

  14. Re:Netcraft says.... by Nick+Ives · · Score: 2

    Yea, every computer on the internet is under constant attack. Like a lot of people, I've moved my SSH daemon to a non standard port out of annoyance with my secure log filling up with common username / password login attempts from botnets.

    If you're presenting a service to the world on a standard port, botnets will always be trying to robohack you.

    I'm not too sure of that Netcraft report though as Lush appear from their statements to have been with their current hosts since at least October last year, so they could've moved from Win2k more recently than three and a half years ago.

    --
    Nick
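The "secure log filling up" pattern Nick describes is exactly what a brute-force detector keys on. As an added example (not code from the thread, and not anything the poster ran), here is a small Python script that parses sshd syslog lines, counts failed logins per source address and flags sources that are spraying usernames or that eventually got in. The log lines, hostnames and IP addresses below are constructed; the message formats are the ones OpenSSH writes to syslog.

```python
"""Count failed SSH logins per source IP from sshd syslog lines.

Added example, not from the thread. SAMPLE_LOG is constructed for
illustration; the message formats follow what OpenSSH writes to syslog.
"""
import re
from collections import Counter, defaultdict

# "Failed password for [invalid user] NAME from IP port N ssh2"
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)
# "Accepted password|publickey for NAME from IP port N ssh2"
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?:password|publickey) for (?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)

# Constructed sample: one bot spraying common usernames, one legitimate user
# who mistyped a password before a key-based login, one lone probe.
SAMPLE_LOG = """\
Jan 22 03:14:01 web sshd[2101]: Failed password for invalid user oracle from 203.0.113.45 port 51234 ssh2
Jan 22 03:14:03 web sshd[2103]: Failed password for invalid user test from 203.0.113.45 port 51240 ssh2
Jan 22 03:14:05 web sshd[2105]: Failed password for root from 203.0.113.45 port 51246 ssh2
Jan 22 03:14:06 web sshd[2107]: Failed password for root from 203.0.113.45 port 51250 ssh2
Jan 22 03:14:08 web sshd[2109]: Failed password for invalid user admin from 203.0.113.45 port 51255 ssh2
Jan 22 03:15:00 web sshd[2111]: Failed password for nick from 198.51.100.7 port 40022 ssh2
Jan 22 03:15:04 web sshd[2111]: Accepted publickey for nick from 198.51.100.7 port 40022 ssh2
Jan 22 03:16:30 web sshd[2120]: Failed password for invalid user pi from 192.0.2.99 port 60001 ssh2
"""


def parse_failures(log_text):
    """Return (failures per IP, usernames tried per IP, users accepted per IP)."""
    failures = Counter()
    users = defaultdict(set)
    accepted = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted[m["ip"]].add(m["user"])
    return failures, users, accepted


def brute_force_sources(log_text, threshold=5):
    """Flag any IP with at least `threshold` failures, plus any IP that failed
    and then succeeded: a brute force that worked looks exactly like that, so
    it is always worth a look even below the threshold."""
    failures, users, accepted = parse_failures(log_text)
    flagged = {}
    for ip, n in failures.items():
        succeeded = ip in accepted
        if n >= threshold or succeeded:
            flagged[ip] = {
                "failures": n,
                "users": sorted(users[ip]),
                "succeeded": succeeded,
            }
    return flagged


if __name__ == "__main__":
    for ip, info in brute_force_sources(SAMPLE_LOG).items():
        print(ip, info)
```

Run against a real /var/log/auth.log or /var/log/secure instead of SAMPLE_LOG and the same counter is what fail2ban-style tools feed into a firewall rule. Moving the daemon to another port, as the comment says, only quiets the log; key-only authentication and a per-source lockout are what actually stop the guessing from mattering.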
  15. I always thought... by baloki · · Score: 1

    Doesn't PCI DSS forbid the storage of full credit card numbers?

    1. Re:I always thought... by jimicus · · Score: 2

      It does not, however, forbid taking the details in the first place. Which means that it'd be easy enough to slip a few lines into the shopping cart script that forward card details for every transaction to some hacker.

      Which would explain why they're only worried about customers who bought stuff in the last couple of months.
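The "few lines slipped into the shopping cart script" scenario jimicus describes is the reason PCI DSS (requirement 11.5 in the versions current at the time) calls for file-integrity monitoring on payment pages. As an added example, not code from the thread or from Lush, the Python below hashes every file under a store's code directory, saves the hashes as a baseline, and later reports anything added, removed or modified. The cart files it creates in demo(), and the tampering it applies to them, are constructed for illustration.

```python
"""File-integrity baseline and check for a web store's code directory.

Added example, not from the thread. The sample cart files and the
"intruder" edits in demo() are constructed; nothing here is real site code.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large assets do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hashes[rel] = sha256_file(full)
    return hashes


def save_baseline(hashes, path):
    with open(path, "w") as f:
        json.dump(hashes, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Sorted lists of paths that were added, removed or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in baseline if p in current and baseline[p] != current[p]
        ),
    }


def demo():
    """Baseline a constructed cart directory, tamper with it, and re-check.

    The baseline is written to a separate directory: if it lived inside the
    monitored tree it would show up as an added file, and an intruder with
    write access to the web root could simply rewrite it.
    """
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(root, "inc"))
        files = {  # constructed stand-ins for a cart's files
            "checkout.php": "<?php\n$order->charge($card);\n",
            "inc/db.php": "<?php\n// database connection\n",
            "index.php": "<?php\ninclude 'inc/db.php';\n",
        }
        for rel, body in files.items():
            with open(os.path.join(root, rel), "w") as f:
                f.write(body)

        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(snapshot(root), baseline_path)

        # Constructed tampering: a line appended to the checkout script, and a
        # new file dropped into the include directory.
        with open(os.path.join(root, "checkout.php"), "a") as f:
            f.write("// (constructed) line an intruder appended to forward card data\n")
        with open(os.path.join(root, "inc", "cache.php"), "w") as f:
            f.write("<?php // (constructed) unexpected new file\n")

        return compare(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline is regenerated only on deployments and kept read-only off the web host; the check runs from cron and any "modified" entry on a payment page is an incident, not a ticket. It catches the appended-forwarder case above, but not card data captured before it reaches the script (a tampered load balancer, for instance), so it complements rather than replaces not keeping the details at all.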

  16. Mobile Operators and Police don't help by Ian.Waring · · Score: 4, Informative

    My wife is a Lush customer, ordered online in the time period described and did have 2 £15 charges (total just north of $40) for prepay mobile phone credit debited from her account. She spotted that virtually immediately; however, her bank just wanted to snail mail post a claim form to her to get her money back, and O2 (the mobile phone company providing the goods from the fraudulent two transactions) said it was an industry agreed procedure to wait until the bank got in touch with them before they'd do anything. So, bottom line, the thieves have 5 days to use the credit they stole, when O2 could have invalidated the transaction immediately and/or aimed some trace to the person using that mobile handset. About as much use as a cow on stilts. We need a Bill Bratton methinks. Follow the money, get to the source.

    1. Re:Mobile Operators and Police don't help by cdrguru · · Score: 1, Insightful

      Why do you want credit card companies to persecute their customers? Shouldn't they be reaching out to their customers with a more friendly business model?

      You see, the way it works is the cardholder gets the stuff taken off their bill - usually no questions asked, it just happens. OK, so they want you to jump through some hoops for it, but it will happen no matter what.

      Then the credit card company charges back the purchase to the merchant. The merchant should have insurance to cover this sort of thing, so it is no loss to them.

      So who loses here? Nobody. Victimless crime.

      The only problem is if the merchant doesn't have insurance. Too bad then. Should have gotten the insurance because it is going to happen to you eventually.

      Obviously here the credit card company isn't going to prosecute anyone.

      Oh, from a closer reading of your post it sounds like a DEBIT card was used, not a credit card. Well, the rules for those are different and banks are extremely reluctant to remove charges. Of course, they will charge back to the merchant anyway, just the same as a credit card. Except you might not ever get your money back from it and it just stays on your bill.

      Simple rule here: never, ever use a DEBIT card online. Ever. There are no systemwide rules for how those transactions are cancelled as there are for credit cards. Use a debit card and lose your money. Period.

    2. Re:Mobile Operators and Police don't help by Have+Brain+Will+Rent · · Score: 1

      Wow just yesterday my spouse got called by Amex because a (one single) charge appeared that fell outside her normal spending pattern and they suspended her card right away, told her she would not be charged the amount and told her a replacement card would be received within 5 business days.

      I used my business debit card for a sub $100 withdrawal, at an ATM in a branch of my bank, in a small town about 30 miles from where I normally do business. This set off some kind of alert and the fraud division called my number but I wasn't around to take the call so they cancelled the card - all within 2 hours of my using the card.

      Sounds like you may need a new bank?

      --
      The tyrant will always find a pretext for his tyranny - Aesop
  17. Yum by WarwickRyan · · Score: 1

    Their coconut soap's fantastic.

    Goes great with a bit of ice cream and grated dark chocolate.

    1. Re:Yum by uglyduckling · · Score: 1

      I have this problem too - on initial inspection, and smell from a distance, I would far rather eat most of their products. Once you get close and smell the soap, the feeling goes away. I'm thinking there's a market for a shop that sells actual foodstuffs modelled on some of the Lush products.

    2. Re:Yum by WarwickRyan · · Score: 1

      > I'm thinking there's a market for a shop that sells actual foodstuffs modelled on some of the Lush products.

      Yeah, like speciality fudge or something.

      Don't think that the ingredients are that different, either. Replace the oil with butter, and add a bit of sugar :)

  18. Morals ... by Martin+S. · · Score: 1

    "We would like to offer you a job -- were it not for the fact that your morals are clearly not compatible with ours or our customers."

    Are these the same morals that allow Lush to charge premium prices for what is essentially home-made soap?

    1. Re:Morals ... by poity · · Score: 2

      I don't get it, how is charging premium prices a breach of morals? Do they have a soap monopoly?

      --
      your thin skin doesn't make me a troll
    2. Re:Morals ... by Skidborg · · Score: 1

      Restaurants charge a premium for what is essentially homemade food after all... if people are willing to pay for the convenience, why not let them?

      --
      Supporter of the +1 Over Dramatic mod option. In memory of apk.
    3. Re:Morals ... by coolmadsi · · Score: 1

      "We would like to offer you a job -- were it not for the fact that your morals are clearly not compatible with ours or our customers."

      Are these the same morals that allow Lush to charge premium prices for what is essentially home-made soap?

      I think it's mostly hand-made. Surprisingly, human workers cost more than machines.

      Besides, most things of a 'premium' brand will have a large mark-up. I've heard that for trainers (sneakers? Is that the American term?) they don't get much better in quality past the £50 point, but companies still have ones that cost over twice that because if they didn't someone else would sell them for that much, and people would buy them (perceived high quality from spending more).

  19. Lush Should Sell on Amazon Instead by CodeBuster · · Score: 1

    This example demonstrates precisely what can happen when a company which does not specialize in IT and the rigors of running a high traffic online storefront attempts to build same with an in-house crew or a band of hired consultants. Lush would have been much better off creating a storefront on Amazon and selling their products there. The readers of Slashdot will recall that Amazon threw off attempted DDOS attacks by Anonymous during the WikiLeaks affair without even breaking a sweat. My advice to Lush: go with Amazon and use their web services to connect your inventory control system to their storefront. If you had gone with Amazon, instead of trying to roll your own bubble gum and baling wire solution, then you would be faced with the happy problem of how to restock your inventory instead of explaining to ex-customers how they can get in touch with their bankers in order to limit the damage.

  20. Re:Netcraft says.... by jimicus · · Score: 1

    I note that they also switched hosting provider. Obviously they're not too keen on their previous provider.

  21. Own up already by Suffering+Bastard · · Score: 1

    It actually bothers me that they blame "oh noes teh hax0rz!!1!". As if there are all these evil hacker minions out there using their villainous technology to break in to sensitive systems. It's classic deflection of responsibility by generating fear of faceless bad guys.

    Windows 2000/IIS? Storing cc numbers as plain text in your online database? If you're gonna lay down next to fire ants, don't cover yourself in honey.

    --
    "Molest me not with this pocket calculator stuff."
    - Deep Thought