MSNBC: Stealing Credit Card Numbers Online is Easy
Posted by
Roblimo
on Sun Jan 16, 2000 05:22 PM
from the getting-out-of-hand dept.
tiny69 writes "This is the reason why I don't use my credit card on the internet. The people I give it to may not be as responsible as I would like them to be. It's easy to point the finger at Microsoft and the MCSE's running the systems on this one." [Irony alert!] Yes, MSNBC says all the servers they cracked were running MS SQL. [/irony alert]
Look! Up in the sky! (Score:3)
WHOOSH!
Bill Gates, Chief Software Architect! (Dah-da-da-DAH!)
Gaping holes, clueless management : help ! (Score:4)
Posted via Anonymizer [anonymizer.com] as an AC for reasons which will become obvious ...
This is off-topic as far as this story is concerned, but I'm posting because there are (I think) lots of people in a similar position & I really would like to hear some fresh thinking about how to wake my employers up.
I'm employed as an intranet developer by AMegaCorp.,Inc., a business services firm. With the thrill of anonymity I can name a client to give you an idea of how big they are : Ford Motor Co.
Our people have daily access to insanely sensitive stuff. Stock price moves would be the tip of the iceberg. There's a fair amount of, um, politically sensitive stuff in there, too; let's just say defense, nuclear ... that kind of thing.
I've tried raising these issues in various ways, with no effect. Should I just run away ASAP ? Or am I morally obliged to do something about this ?
Seriously, any suggestions ?? This is doing my head in !
--
healing bex
Obvious solution: (Score:3)
Let's sue MS-NBC for stealing 2,500 credit card numbers!
These sorts of lawsuits are brought against [cr|h]ackers all the time. The defense? "Um... I wasn't going to use them, I was just... just wanted to see if I could get them! Yeah, that's it!" Yeah, right. And that's what MS-NBC wants you to believe too. So either we'll have a precedent for being able to collect information on the grounds that it's cool, or we'll get to sue MS-NBC back into the dark ages. Sounds good to me.
(all you have to find is one of these companies who actually knew they got hacked... um... never mind.
---
pb Reply or e-mail; don't vaguely moderate [152.7.41.11].
MS servers get cracked more because there are more (Score:5)
I find it odd ... (Score:3)
MSNBC may be a touch more honest than Microsoft proper, but that doesn't mean they entirely have their clue on straight. Yes, tell the world that MS SQL has security holes in its defaults
Clues?
Is this really a new problem...? (Score:5)
----
Shooting the Messenger? (Score:5)
I've read through a lot of these posts, and there seem to be two common threads to most of them:
I think both of these need to be addressed to see the underlying reasons for the problem, of which neither of the above are.
First off, I'm a professional SysAdmin, and have spent most of the last 4 years doing System Architect and Security stuff. The last two at E-commerce places.
People, the problem is threefold, none of which is easy to fix:
Virtually nothing is designed with security in mind. That includes all our favorite UNIX OSes, Windows, and virtually all applications. The few apps that seem to have some reasonable security setup often sacrifice this by using stupid defaults to aid "ease-of-use". The sad fact here is that nothing we are using these days is decently secure (no, not even OpenBSD). UNIX is stuck with the all-or-nothing model of security, while Windows actually has a good model that is horribly implemented. Apps tend to be the same. Given that the systems are poor to begin with, hardening them is more than difficult. And compromises tend to do massive damage.
Business is not taking security seriously. Right now, time-to-market is king, and everything else is sacrificed to that great Idol. This is primarily the public's fault, as people seem to reward cheap and first rather than more expensive and well-designed. The miserable state of software quality is a prime example of this mentality. And bugs are a leading cause of security problems.
Also, companies have limited resources. Right now, spending the extra money to shore up security (or maybe even - gasp - do it Right) is about as likely as giving the entire staff a free vacation to Tahiti. They simply have no reason to do it - there isn't much real PR problem, the public doesn't seem to reward companies that spend the extra on security, and there aren't really any legal liabilities yet for failing to do so. So why spend money on something that doesn't have any real returns?
Security is an ongoing battle. This is related to both the previous problems (lack of proper resources, and poor security to begin with). In order to keep a site even basically secure, it's far more complex than simply keeping an eye on BugTraq and watching for vendor security updates. A typical mid-size e-commerce site probably has at least 100 different products (remember, each script is a different product) to keep an eye on, covering at least a dozen (nowadays, with ASPs, likely several score) machines. Just keeping up to date is a daunting task, and like fighting a real war, the opponent isn't stupid, and adapts rapidly. You will suffer defeats. Security is a massively complex and difficult job. Don't let anyone kid you otherwise.
The knee-jerk reaction to fire the admin is merely a Management-covering-their-ass mentality. Blaming the product overlooks the reasons why the product is that way, and also doesn't say anything about the state of the market as a whole.
Until there is a concentrated demand from the public for security, things will continue to be as they are. If the public can stand it, well, then that's the shape of the world we live in. If they don't like it, give business the incentives to buckle down - make them legally responsible for breakins, buy only properly-designed software, etc. Until that happens, blaming the admins and the software is stupid.
Re:Is this really a new problem...? (Score:3)
The fact of the matter is, there are lots of people who could steal your card number...and not just in the places you use it. People at the bank who issued it could get ahold of it, too...people could (and have in times past) take rubbings through the envelope in which it is delivered to you. The only way to keep your number a complete secret is not to use it at all...and what would be the point of that?
Thankfully, many of the places where one could potentially use a stolen credit card number are becoming more watchful about getting verification of details, such as billing address. It won't stop fraud completely, but will help cut it down.
Re:Typical misinformation... (Score:3)
I think the basic problem here is what you mentioned yourself, that system administrators forget to remove (unnecessary) default accounts, or forget to patch for security bugs.
What has always been part of the equation used for why the MS solution would be best (beating Unix) was the ease of use, and the resulting lower cost of ownership, because you could hire cheaper people for administering your systems, and those cheaper people would require less time per server to administer, because the OS was so user-friendly.
That part of the equation has now, repeatedly, been proven to be faulty.
Re:Is this really a new problem...? (Score:3)
On the online front, at one point, Visa said 'We will not give you a merchant account for online work unless you meet certain requirements.'
These requirements included providing information about your firewall, your security policies, who has the passwords, etc... which made perfect sense. They were protecting the consumer.
The problem is.. this gets abstracted. One company gets a merchant account, and then sells transaction 'services' to others, and at that point, security is questionable.
Re:What we really need... (Score:3)
It's not the consumer's problem. The whole reason for using a credit card is BECAUSE of fraud protection.
The merchant is held responsible. The consumer does not have to pay unless the merchant can PROVE that it was them who initiated the transaction. If the consumer says 'I didn't do this' and the merchant can't prove it, VISA doesn't pay the merchant...
So.. VISA is protected.. and the consumer is protected.
And it's up to the merchants to protect themselves.
So if someone steals the AOL customer database.. who gives a hoot? It won't put any customers out any..
Re:Card Companies need to get wise. (Score:3)
ie: if you already have a storefront, and a merchant account, and then decide to do things online.. you don't need to tell visa.
That, or some third party farms out transactions.. making it so you don't have to deal directly with visa.
And all that aside.. VISA is not responsible... they clearly state that they do not have to honor any statement unless the MERCHANT can prove that the customer used the card legitimately (signature, basically). If a cardholder says 'I didn't do this' and Visa says to the merchant 'can you prove they DID?' and the merchant says 'no', then the merchant doesn't get paid. Period.
Let's get a few things straight. (Score:4)
1) You are not responsible for fraudulent use of your credit card. Technically, and I forget the exact terms, you can be held liable for up to $50 of debt.. but this is never enforced. It may only apply if you know about the theft but do not inform the card issuer immediately (kind of makes it your fault then anyway..)
2) The Credit card companies are the ones who bear the brunt of the financial burden for fraudulent use of cards. If their merchants are irresponsible, and cause them to lose money, it is up to them to deal with it. They are fairly lax about it, though, as if it was difficult to get a merchant account, then nobody would accept credit cards, and they would be out of business.
3) It is between the Credit issuer and the authorized Merchants to deal with this issue, it is not up to the consumer/cardholder. Yes, the cardholder should behave responsibly, but at the same time, who tells us this? The CARD COMPANIES tell us this.. why? Because it lessens the burden on them.
Remember.. one of the things card issuers use to get you to use their card instead of good old cash is FRAUD PROTECTION.. and that is the very beauty of credit (if there is such a thing..). You can buy online, and not get ripped off. If you buy with cash... ha.. you have no recourse.
Windows 2000 (Score:3)
Typical misinformation... (Score:5)
People, the credit card numbers that MSNBC stole were not stolen through a "cracked" database. MSNBC did no cracking of any kind, and therefore the security of MS SQL Server is not the issue. The issue is, once more, the people who stupidly set the sites up and left the default "sa" account active. The "sa" account is included in SQL Server merely to allow the software to be set up. It is not meant to be left active on a server connected to the web.
Try cracking a Microsoft SQL Server that's been configured correctly, by someone who actually has half an idea what they're doing. It's just as impossible as cracking any other database solution...in fact, I'd venture to say MS SQL Server is even more secure than most other database servers.
Furthermore, the "::$DATA" vulnerability was only in IIS4. Microsoft patched that bug over two years ago, and anyone stupid enough to still be running an unpatched IIS4 server is just asking for trouble.
--
Re:Typical misinformation... (Score:3)
MS deserves bad press for such a stupid blunder as would any other company or development effort.
Online checks are still worse (Score:4)
As others have pointed out in different responses, it's *worse* since credit cards have fraud limits - and that limit applies to all fraudulent charges. Checks, in theory, will be fully refunded if you file the paperwork to claim fraud. In practice, most banks have quietly changed their fine print to say that if someone has your account number the presumption is that you have authorized *any* access, and it is damn hard to get them to stop honoring debits. In practice you must close the account, something that's far more disruptive with checks than with a credit card.
I can understand why the banks did this - they probably got tired of being caught in the middle between customers and health club finance companies - but the practical effect is that checks are now far less secure than credit cards.
I mention this only because I've already seen some sites advertising that they offer "online checks" as a "secure" alternative to credit cards, and stories like this will only make things worse.
Re:Typical misinformation... (Score:3)
The issue is, once more, the people who stupidly set the sites up and left the default "sa" account active.
I usually work with Oracle databases. I am still astonished every time I find I can log in to an Oracle database as either SYS or SYSTEM. Given that the default SYS password is ChangeOnInstall, you have to wonder about the people running the systems. I guess that more than 10% of Oracle databases are misconfigured like this.
Don't even get me started about the DB2 database I found on a net-facing S/390 that still had the default admin password.
Is this Oracle's (or Microsoft's, or IBM's) fault? NO - it is the fault of the halfwit DBAs who bullshit their way into jobs that are way beyond their ability. The 'differently intelligent' managers who hire these people should also be held to account, except their mental age relieves them of criminal culpability.
PS - I actually quite like SQL Server. Every time a client specifies a really slow, memory intensive RDBMS, I specify SQL Server. It hasn't happened yet.
This problem is easy to fix.. (Score:3)
They hit the nail on the head and this problem should be easy to fix, but there are more programmer-oriented problems that are not so easy to fix:
With these scripting languages which deposit form variables in the global namespace (like PHP and VBScript) there is a good chance of programmer-created problems which are not so easy to track or fix. Example: programmer keeps a copy of the web site's PHP code at home.. Programmer gets fired.. Programmer paws through the code and finds a weakness since the code was in PHP and allowed form submits to mess with the global namespace.
Also, VBScript has the problem that most people using it do not know how to protect the strings that are going into an SQL query.
I know these problems seem milder because the exploits may need to be different for different web sites, but I would expect to see tools (maybe even AIs) which manage to automate some of the process of exploiting these holes. Government-funded hackers (like in China) may have access to professors and people who could do the research to find statistically probable weaknesses in custom software.
I'm not really trying to slam PHP and VBScript, but I do see a lot more potential for PHP and VBScript programmers making the same mistake over and over than with other languages.
Jeff
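As an added example (not code from Jeff's post or from any product it mentions), the "unprotected string going into an SQL query" habit beside its parameter-bound form, using Python and an in-memory SQLite table of constructed sample rows in place of VBScript and SQL Server:

```python
import sqlite3

# Constructed sample rows; the card values are standard test numbers, not real accounts.
SAMPLE_ROWS = [
    ("alice", "4111111111111111"),
    ("bob", "5500000000000004"),
    ("carol", "340000000000009"),
]


def make_db():
    """In-memory SQLite table standing in for the shop's customer database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, username):
    """The habit the post describes: the form value is pasted into the SQL text,
    so a quote character in the input rewrites the WHERE clause instead of
    being compared as data."""
    sql = "SELECT username, card FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameter binding: the value travels separately from the SQL text and is
    compared literally, quotes and all, so it can never change the query's shape."""
    sql = "SELECT username, card FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()
```

A form value containing a single quote, such as `x' OR '1'='1`, makes `lookup_unsafe` return every row (every card in the table) while `lookup_safe` returns nothing, which is the whole difference between the two.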
Here's Some Real Irony (Score:3)
Oracle security measures are routinely ignored (Score:3)
Over the past year or so I have done DBA consultancy for some of our customers, going into sites and helping with their database administration. Very often, I find that the default passwords of privileged database users have never been changed. Try it sometime: the user system, who can read and change any data in the database, has the default password manager, and the user sys, who can start up and shut down the database, has the default password change_on_install. (Some people apparently don't notice that the latter password is a hint.)
Oracle installs a default "listener" that is open on port 1521. Many e-commerce sites have their web and DB servers on the same machine, and don't need any external TCP/IP connections to the database. Even those that do can be set up so that connections are only permitted from a limited number of IP addresses. But this, too, is almost never done. So there's your opening: get an Oracle client to connect to port 1521 on your target machine, log in as system/manager, and in many cases you'll own the whole database.
Another thing: many people routinely do their Oracle admin work by logging as the "oracle" user, the owner of the Oracle software. Few seem to understand that this user is like root: you don't log in under that name unless you absolutely have to, because any mistake you make can be disastrous. What you do is make users with DBA responsibilities members of the group "dba", so they can run the admin software but can't delete anything critical. In fact, you need to be "oracle" far less often than you need to be root -- after installation, you should never log in as "oracle" again. And yet there are admins who work as "oracle" all day long. Even worse: it seems that the most common password chosen for the "oracle" user is, you guessed it, "oracle"!
We could accuse the administrators of laziness and cluelessness. But the real blame lies with management, who want to set up a cheap e-commerce site without paying the price for DBA's who know what they're doing, or for the training that their current admins need. Many of the admins I've worked with have told me that the boss stuck the Oracle CD's in their hand one day and told them to go run a database. That's a surefire formula for an insecure site.
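An added sqlnet.ora fragment (not from the post, and not Oracle's shipped defaults) showing the listener restriction the post says is almost never done; the two addresses are assumed placeholders for the web tier's hosts:

```ini
# Default state: these parameters are absent from sqlnet.ora, so any host that
# can reach port 1521 may present a username and password to the listener.
#
# Hardened sqlnet.ora on the database host: the listener refuses TCP connections
# from every address except the invited ones, before any credentials are examined.
# The addresses below are placeholders (assumed values for the web tier).
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (10.0.1.20, 10.0.1.21)
```

The setting takes effect when the listener is restarted, and it complements rather than replaces changing the system/manager and sys/change_on_install passwords the post lists.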
Re:Good tactic (Score:3)
Your middle name method is pretty clever...
One of the things that one can do to limit the value of the credit card he uses, and therefore defend against most fraud, is to use a card without any more money than you wish to spend.
Three possibilities I can think of.
First, an Incentive Card if you can find any. Those come with fixed values, they're not credit cards, but you can spend up to their fixed value anywhere that takes credit cards. www.aies.com sells them, I believe. That way, you keep changing CC# very often.
www.webcertificate.com offers a similar product, and you can add money with your real credit card (processing fee of 1.50$ by 50$ you add). You don't get a physical card, but only a mastercard number you can use to make purchases. It works great for me.
The third method is to use a Visa Debit Card and deposit the amount you wish to use before every transaction... That's a bit of trouble, but combined with online banking it can be made easy. I use www.x.com to do that. You open an account with them, and they send you a Visa debit card you can use like a credit card. But the balance available is only what you deposit in it. You can deposit up to 500$/6 months with another credit card, and as much as you want by check.
Any of those ways, you have a "credit card" without credit. It only has as much money as you want. I'm sure you can understand the implication of that.. Even if somebody steals it from you, you don't lose anything more than the value that you put on it, which is probably only the value of the item that was there in the first place. And as they're issued by banks, they will let you contest charges as well as with a real credit card.
Hope this has been helpful.
---
P.S. If you sign up for x.com, you have the option of referring somebody. If you feel generous, refer francois@bradet.com . You don't lose anything if you don't refer me. If you feel this whole thing sounds like a commercial endorsement and you don't like such things, please let me know by moderating me down. If you really think what I just wrote is bad, let me know at francois@bradet.com and I'll apologize. I'm just trying to share my knowledge.
Good tactic (Score:5)
Whenever I make an online purchase, I use the name (or first initial) of the company as my own middle name. That way, if someone steals my personal info, emails me spam, or any number of invasions, I will know instantly from the name on the billing which I company I should never use again.
Of course, this does nothing to prevent your information from actually being stolen in the first place...
-konstant
Yes! We are all individuals! I'm not!
slashdot? (Score:3)
But more seriously, what this shows us is that people don't pay attention to what they are doing before they do things. If you don't do something as simple as set a password on your database, it should come down to the same thing as leaving the key in the ignition, the car running, and no one in the car, in the third lane of a four-lane highway in rush hour. Insurance won't cover it. People have to be careful when they start up a business that they are doing everything right.
If you are thinking of starting an ecommerce site, then hire a security professional to come in and take a look at it. They are out there, they are there for a reason. Credit card numbers are a very personal thing, and having them publicly available is just plain bad, even if it's not on purpose.
In legal terms, if you kill someone and didn't mean to, it's called 'involuntary manslaughter' and you still go to jail.
#include <signal.h> \ #include <stdlib.h> \ int main(void){signal(SIGABRT,SIG_IGN);while(1){abort();}}
Instructions for Using Your Credit Card (Score:3)
Here we go with some simple instructions for how to use your credit card and not get burnt:
1. Make sure you can check your credit card statement on-line as required.
2. Record all purchases in a database (Quicken, MYOB, MS-Money, text file, spreadsheet, whatever!)
3. Check your credit card statement on-line as often as you can (once per day is good)
4. If you find anything you didn't write down, start screaming to your card issuer!
Even if you never travel overseas, purchase from catalogs or purchase from the 'net, you should be doing this. If you don't, you're just asking for trouble. At the least, you should check your monthly statements - doing it daily makes it quicker to get the dispute resolution process started.
I frequently travel to "worrying" places, use my card at cafes/restaurants, purchase over the 'net and so on. I check things and (touch-wood
Stop whining, stop expecting the government/corporations/mommy & daddy/whatever to protect you. Get off your ass and take responsibility for your actions.
Same goes for those setting up e-commerce sites. One of my companies does it and we get third-party security reviews (we charge more, but we don't want penny-pinchers as clients - they always come back to haunt you
Roblimo Paranoia (Score:3)
It's good to be careful like Roblimo and careful whom you give it to. However, it's more important to know your rights and that you're not responsible for such charges.
Why Not Use Credit Cards over the Net? (Score:5)
First of all, if someone makes a purchase with your credit card, but you haven't actually lost the card, then you are liable for nothing. You have nothing to use!
Credit card theft and fraud occur without the internet. Your wallet/purse can get stolen. In that case, you are liable for up to 50 dollars. A waiter or clerk can copy down your numbers.
The risk isn't any greater at all, but fear tactics from the media like this MSNBC story don't give a sense of proportion.
Re:Why does the media overlook the bigger point he (Score:3)
Of course, since Microsoft is the scapegoat of the computer industry, people will blame the company if any of their software is involved in any way. eBay is a prime example; when the people who blame eBay find out that it was Sun's and not Microsoft's fault for the problems, they do not shift the blame to Sun, but rather shrug off the problems, and pretend to play down the incident. eBay's outage in the summer, which cost well over one and a half BILLION dollars in market capitalization, is one of the biggest industrial blunders in history, and was 100% to blame on a bug in the Solaris operating system. Yet Microsoft continues to receive the blame for it.
It is really getting out of control. There are people who really think Microsoft is to blame for the Year 2000 problem, the Year 2038 problem, the Internet worm, et cetera, ad nauseam. It is so incredibly trendy to blame Microsoft that any industrial problem whatsoever is blamed on them if they had any involvement whatsoever - without even GLANCING at what the real problem was or who really was to blame.
Not really about the DB server.... (Score:3)
Any time you can get a credit card number via a normal database query it is a security hole.
I will say it again -- anytime you can query your database and get a credit card number it is a security hole. If you are not saving the information to a non-internet connected system, or encrypting with strong encryption before writing it to disk, you are playing fast and loose with customer information.
The simple rule should be this -- an unencrypted credit card number should never be written to disk, not even for a moment.
Geez what a lot of trash (Score:3)
-Wanrat
hehe it's 10pm, do you know where your credit card is?
This Is Probably A Good Thing... (Score:5)
But anyway, all the attention to this issue is probably a Good Thing. Popular Internet e-commerce servers are bound to have quite a few credit card numbers, along with other goodies such as the name of the owner and the expiration date, floating around, and it's time that people became more clueful about how to handle this situation.
Face it: any setup where both your webserver and database server are available from the Internet is a major security risk. The way most e-commerce shops, especially those running at hosting companies, are set up today (webserver and database server on the same machine, or at least the same network without any access controls) is simply asking for trouble.
Here are a few reasons why:
Software bugs - and no, not running any Microsoft products won't get you off the hook. In fact, I guess the cozy little MySQL password security exploit that was discovered recently is way worse than the ::$DATA issue, although most clueful providers will fix it quickly.
Untrusted staff - how easy is it for a rogue operator at your provider, or a lowly-paid temp working for the shop itself, to run a complete copy of the credit card file?
General data security - in other words: hey, do you know who else has access to your shared database server, or where the backups go at night?
All of the above leads to a few conclusions:
1. Partitioning - Web and database server functionality should be separated as much as possible: having your database on a separate machine and fitted with proper access controls (i.e. only accepting connections from trusted hosts and using proper authentication in addition to that) is pretty much a requirement.
2. Encryption and access controls - Even with proper partitioning in place, most of your customer details need to be encrypted using a non-trivial scheme, and proper access controls need to be put in place. Make sure only the right people have access to your data, and log every access. Disable bulk commands, except during the backup window, if possible.
Now, what percentage of sites is operating as described above today? My guess would be less than 10%, leaving enough room for on- and off-line crackers to steal whatever information they want. It's not a consumer problem per se (since credit card companies have pretty extensive consumer protection from fraud...), but still a lot needs to be done before the general public will truly get a warm fuzzy feeling about on-line shopping...
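An added example, not from either post: the storage rule from "Not really about the DB server...." (no card number reachable by a normal query, or a full dump, against the internet-facing database) combined with the "log every access" point from conclusion 2 above. Python with SQLite stands in for the web database, and a CardVault class stands in for the separate, non-internet-connected system; the class, table, token format and sample card value are all constructed for this illustration.

```python
import secrets
import sqlite3

# Constructed test-card number (a standard test value, not a real account).
SAMPLE_PAN = "4111111111111111"


class CardVault:
    """Stands in for the separate, non-internet-connected system the post
    recommends: the only place a full card number exists. The web database
    only ever receives the opaque token returned by store()."""

    def __init__(self):
        self._pans = {}        # token -> full card number
        self.access_log = []   # (actor, reason, token): every use is recorded

    def store(self, pan):
        token = "tok_" + secrets.token_hex(8)   # 16 random hex digits, unguessable
        self._pans[token] = pan
        return token

    def charge(self, token, amount_cents, actor):
        # The card number is used here and is never handed back to the caller.
        self.access_log.append((actor, "charge %d cents" % amount_cents, token))
        pan = self._pans[token]
        # A real vault would call the card processor here; this one just approves.
        return {"approved": True, "last4": pan[-4:], "amount_cents": amount_cents}


def make_web_db():
    """The internet-facing order database: it holds a token and the last four
    digits, which is all the storefront needs to display and to reconcile."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders ("
        " order_id INTEGER PRIMARY KEY, customer TEXT,"
        " card_token TEXT, last4 TEXT, amount_cents INTEGER)"
    )
    return conn


def place_order(conn, vault, customer, pan, amount_cents):
    """Hand the number to the vault first; only the token touches the web DB."""
    token = vault.store(pan)
    cur = conn.execute(
        "INSERT INTO orders (customer, card_token, last4, amount_cents)"
        " VALUES (?, ?, ?, ?)",
        (customer, token, pan[-4:], amount_cents),
    )
    conn.commit()
    return cur.lastrowid


def charge_order(conn, vault, order_id, actor):
    """Settle an order by token; the web tier never sees the card number."""
    row = conn.execute(
        "SELECT card_token, amount_cents FROM orders WHERE order_id = ?",
        (order_id,),
    ).fetchone()
    return vault.charge(row[0], row[1], actor)


def web_db_exposes(conn, pan):
    """The post's test applied to the web database: does any normal query,
    or a complete dump of the database, yield the card number?"""
    for row in conn.execute("SELECT * FROM orders"):
        if any(pan in str(value) for value in row):
            return True
    return any(pan in line for line in conn.iterdump())
```

A compromise of the web database (or its backups) therefore yields tokens and last-four digits only, and every charge leaves an entry in the vault's access log naming who used which token.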