Slashdot Mirror


User: p-k4

p-k4's activity in the archive.


Comments · 29

  1. Re:Lack of experience in the media on Schneier Discusses Ethics of Crypto PR Tactics · · Score: 2
    There's a critical problem with a general lack of security expertise in the media. It has led to an unfortunate slant 'on the side of safety', where anyone highlighting an apparent security problem is instantly believed.

    You mean like Y2K and credit card information theft?

    Regarding credit card theft, I'm tired of hearing about the theft of the information. I don't care who steals my credit card number but who uses my credit card number. The information of the fraudulent charges racked up on stolen CC numbers is painfully missing in most stories telling how 250k CC numbers were stolen from random-site.com.

  2. I used to worry about my CC info ... on MSNBC: Stealing Credit Card Numbers Online is Easy · · Score: 2
    Why is it important for you to keep your CC info private?

    At worst case, you are only liable for $50.00, regardless of the actual fraud.

    The media made all of us think that Y2K would be a big deal, and I have the same opinion when it comes to credit card information.

    Since the beginning of e-commerce on the web, the media has been talking about how people could steal your credit card information. Be careful, someone could steal your credit card info. In addition, even if you deal with a reputable site, someone could use a packet sniffer and steal your credit card that way.

    Please. My credit card number is not the kind of information that I worry about people getting. I'm more worried about disturbed individuals getting my home address and mistaking me for an abortion doctor. Or someone stealing my social security number, getting a job under my SS number, and not paying taxes.

    Have you ever known anyone who had their life ruined because someone stole their credit card? IMHO, people have more to fear from the debt that can be caused by credit cards than the $50.00 limit on fraud purchases. People's lives have been ruined when they had their SS number stolen, not their CC info.

    So who is pushing the media to push the masses to care so much about their CC info? The CC companies, as they are the ones who have to pay the fraudulent charges after $50.00. And we, as a whole, are falling for it in the same way that we fell for Y2K and Pauly Shore.

    I have used a credit card on numerous web sites and have sent it in plain-text e-mails to pay for merchandise. If sending your plain text CC information was so sensitive, it wouldn't be printed on every receipt.

    Wouldn't it be more effective in eliminating CC fraud to only print the last 5 digits on the receipt and omit the expiration date, making sure that someone can't just dumpster dive for my info?

    As for the story, at least SQL Server can be configured to be secure. One of the companies I did work for was using FileMaker Pro 4.* as their web server. However, all you have to do is guess the username and leave the password field blank, and FileMaker (when doing the query) will assume the blank password field is a wildcard. Hence security is only as far away as the username. This "feature" is even present in the e-commerce example web site that ships with FileMaker Pro 4.*.

    We laughed. And then went to Apache.

  3. Re:2 questions about CC's on MSNBC: Stealing Credit Card Numbers Online is Easy · · Score: 1
    First of all, why would any server store them.. They don't need them after they used to get your money.

    Refund processing. The alternative is having the user re-enter their CC number, but then you have to make sure that it matches the previously used number. This can be solved by storing only the last 5 digits of the card for comparison.

    Besides refund processing, I've seen all types of lunacy with CC information. For one company I've done work for, one of their workers wrote a script to process all outstanding CC transactions in one fell swoop. The script was run, but the user didn't notice that the authorization results were not being stored in the database.

    Months later someone had to go back with the CC report from the bank and match everything up and try and figure out who didn't get charged. It was a disaster. Imagine being hit up for $3000 (their average customer bill) 6 months after the fact because your credit card was declined and they never bothered to tell you.

  4. Re:Reel.com on Online Gifts Not There Yet? You're Not Alone. · · Score: 2
    I've had serious problems with Reel.com in the past.

    I ordered a couple of DVDs, some were preordered and some were released. A few days later I received an e-mail that said that the released DVDs had shipped. About a week and a half later they show up in my box with a postmark 4 days after they said they were shipped.

    I was irate. I contacted reel.com's customer support via e-mail and explained the situation and asked what it means when I get an e-mail saying a product had shipped since I obviously didn't mean that it was turned over to the shipping company.

    I got back an e-mail explaining that sometimes there are problems fulfilling orders. I tried to explain that this had nothing to do with fulfilling the order and everything to do with being honest about when the product ships. I got virtually the same response about reel.com fulfilling orders. I gave up at that point.

    When I got the DVDs that I had preordered, there was no postmark on the box. Heh.

    I'm assuming that e-retailers think by telling someone the package has shipped that will get the customer off of their back. But as Toysrus.com just found out, it only makes things worse in the end.

    My mother ordered some gifts from toysrus.com on the day after Thanksgiving. They showed up on Wednesday. We were less than impressed.