UPS: We've Been Hacked
paysonwelch writes: "The United Parcel Service announced that customers' credit and debit card information at 51 franchises in 24 states may have been compromised. There are 4,470 franchised center locations throughout the U.S., according to UPS. The malware began to infiltrate the system as early as January 20, but the majority of the attacks began after March 26. UPS says the threat was eliminated as of August 11 and that customers can shop safely at all locations."
I made sure my password is at least 8 digits, alpha-numeric with at least one unique character!
A 'singular oddity' is an event that cannot be explained and only happens when you are alone.
Well, I am glad they waited until the issue was resolved before letting their customers know they were at risk. I would have hated for UPS's bottom line to be hurt by letting us know as soon as they realized there was a breach. After all, the company bottom line is more important than my security.
See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
Don't tell me there's separate servers for UPS Canada and that data is never shared across both servers...
The malware began to infiltrate the system as early as January 20, but the majority of the attacks began after March 26. UPS says the threat was eliminated as of August 11 and that customers can shop safely at all locations.
What? So the malware had half a year to rumble around?
Only institutions that do not care get hacked. While absolute security is not to be had, it can be made expensive enough that hackers give up. These days, however, hacking a major company is often within the reach of amateurs with enough patience. Until these companies become liable for any and all stolen credit card and address information (say, $100 for each address and $500 for each credit card set to the owner without the need to prove anything, and unlimited for damage the owner can prove), nothing will change.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
I disagree it's usually organizations who don't care who find never find out they've been hacked. In they do what you are proposing most companies will attempt to just sweep it under the rug. That's when it really becomes bad for the customer.
Ugh, I should not try posting on mobile; the above was supposed to say: I disagree, it's usually organizations who don't care who never find out they've been hacked. If they do what you are proposing, most companies will attempt to just sweep it under the rug. That's when it really becomes bad for the customer.
The thing is, all companies need some people that give the appearance of caring, or they would be criminally negligent. But you typically find that these folks can only do after-the-fact analysis, have no input on security decisions that could prevent this and are understaffed and do not have the rights they need. I have personally seen one instance where the "IT Risk Officer" reporting directly to the director was a very junior person without the self-assurance to escalate anything or even ask questions and without any support or team that would have been needed to do the job right. (Still, that position was filled, so from a legal PoV everything was fine.)
So no, companies noticing they have been hacked does not indicate they did anything right. More often than not they will get notified by external sources they cannot ignore.
This is true. I just visited the Netherlands and as an American I had this impression exactly. We want to think we're all so hot, "invented the Internet" and all. But the Dutch do technology way better than us. I was very envious of their chip and pin technology.
HA! I will point out your problem. You went mainstream. Years ago, I realized that all the hacking tools go that route too. So, all my passwords are only 2 characters......and only binary numbers. Hack That!
Never play chicken with a passive aggressive.
If they told everybody "your info was hacked" while they hadn't cleaned it up yet, a bunch of folks would have logged on and changed their passwords, immediately exposing the NEW ones. You clean up first, then you engage the PR folks.
The fundamental issue is that credit cards are based on the premise that you can authenticate somebody using a shared secret that you share with everybody you do business with.
I can post my ssh public key in this post if I wish, and about the only thing anybody could do with it is give me access to their systems. There is no reason that credit cards can't be made secure in this day and age. Nobody wants to bother, so we deal with messes like this.
If all UPS had were credentials that authorized only UPS to make charges to specific accounts (not even knowing what the account number is) below a certain spending limit, then stealing them would have little benefit to anybody (only UPS could use them), and they could easily be revoked by the banks or UPS itself without much trouble (so that even somebody who had the ability to charge somebody, deposit the money into a UPS-controlled account, and then move the money into their own account wouldn't be able to do so).
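The merchant-scoped credential described in the comment above, as an added sketch that is not part of the original thread or any real payment API. The `Issuer` class, merchant IDs and account labels are hypothetical, and the merchant's identity is assumed to be authenticated out of band rather than taken from the request.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Mandate:
    account: str        # real account number, known only to the issuer
    merchant_id: str    # the single merchant allowed to use this token
    limit_cents: int    # per-charge ceiling
    revoked: bool = False

class Issuer:
    """Hypothetical bank-side service; every name here is illustrative."""

    def __init__(self, settlement_accounts):
        # merchant_id -> that merchant's registered payout account
        self._settlement = dict(settlement_accounts)
        self._mandates = {}

    def issue_token(self, account, merchant_id, limit_cents):
        if merchant_id not in self._settlement:
            raise ValueError("unregistered merchant")
        token = secrets.token_urlsafe(16)  # opaque: carries no account data
        self._mandates[token] = Mandate(account, merchant_id, limit_cents)
        return token

    def revoke(self, token):
        if token in self._mandates:
            self._mandates[token].revoked = True

    def charge(self, authenticated_merchant, token, amount_cents):
        # authenticated_merchant is assumed to come from the connection
        # (e.g. mutual authentication), never from the request body.
        m = self._mandates.get(token)
        if m is None or m.revoked:
            return (False, "unknown or revoked token")
        if m.merchant_id != authenticated_merchant:
            return (False, "token not issued to this merchant")
        if not 0 < amount_cents <= m.limit_cents:
            return (False, "amount outside mandate limit")
        # Funds can only settle to the merchant's registered account.
        return (True, self._settlement[m.merchant_id])

def demo():
    # Constructed sample data.
    bank = Issuer({"ups-store-0001": "ACCT-UPS-PAYOUT", "other-shop": "ACCT-OTHER"})
    token = bank.issue_token("ACCT-CUSTOMER-42", "ups-store-0001", 5_000)
    results = {
        "legit": bank.charge("ups-store-0001", token, 1_250),
        "stolen_elsewhere": bank.charge("other-shop", token, 1_250),
        "over_limit": bank.charge("ups-store-0001", token, 50_000),
    }
    bank.revoke(token)
    results["after_revoke"] = bank.charge("ups-store-0001", token, 1_250)
    return results
```

The merchant only ever stores the opaque token, so a copy taken from its systems contains no account number and is rejected when presented by any other merchant.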
Make stiff penalties for breaches and make breach insurance required. Then the insurance companies will heavily encourage protective measures from those they insure because their profits are on the line.
Insurance companies would care more than regular companies because they deal in bulk. If there are lot of breaches, then they have a lot of payouts and lose money. A regular company views breaches as all or nothing incidents, which tempts them to gamble.
Table-ized A.I.