Forgot your password?
typodupeerror
The Internet

MSNBC: Stealing Credit Card Numbers Online is Easy 330

Posted by Roblimo
from the getting-out-of-hand dept.
tiny69 writes "This is the reason why I don't use my credit card on the internet. The people I give it to may not be as responsible as I would like them to be. It's easy to point the finger at Microsoft and the MCSE's running the systems on this one." [Irony alert!] Yes, MSNBC says all the servers they cracked were running MS SQL. [/irony alert]
This discussion has been archived. No new comments can be posted.

MSNBC: Stealing Credit Card Numbers Online is Easy

Comments Filter:
  • Anyone with a scanner can intercept credit card numbers using these methods. Any transaction made without using cash is susceptible to fraud or theft.

    Do you shred all your personal documents? Do you review the security procedures of your bank? I'll bet not.

    The only reason this is noteworthy is because this abuse happened over the 'net. It's hardly a novel threat.

    I'm patiently awaiting the calls for regulation of online businesses to "protect consumers" from this kind of thing. The better to tax them with.
  • by Anonymous Coward

    I would hope that a database server like that would have been set up behind a firewall which blocked all access to the database admin ports, Microsoft RPCs, etc. and only allowed HTTP and HTTPS access.

    OK, a hosting service might allow an IP they know is the client's to administer the server, but not the whole internet!

    If a firewall isn't blocking database admin, it might not be blocking NT file sharing either, and that opens a whole new can of worms.

    And no, this isn't an NT problem. If I had a MySQL system and allowed the whole internet to access port 3306 on the server, then I'd be in trouble, too.

  • by Anonymous Coward
    By default the Win2K telnet client logs you on to the server with the login credentials you supplied to your workstation. This is the username/password you typed in at the Ctrl-Alt-Del logon prompt.

    In other words, if you're logged into your workstation as JoeUser, you will be automatically authenticated as that user to the telnet server on the machine you're trying to connect to.

    This is done via NTLM or Kerberos, depending on how your domain is set up, so it is pretty secure. It works just like how you don't have to type in a password to connect to a file share if you've already authenticated to the machine.

    I would note that this the default Win2K telnet server config is actually much more secure than a regular telnet server, since passwords are not sent over the wire in plaintext.

    Turn on IPsec, and the session traffic will be encrypted as well.

  • by Anonymous Coward
    What kind of idiot would expose an unsecured server running a database manager (Ms-SQL Server or otherwise) directly to the 'net?

    This only proves a point that I've long been trying to make to those who have been of the opinion that "once Microsoft enters the server market, the Bad Old Days of needing arrogant computer gurus will be over." Frequently heard in pre-WinNT days and apparently still believed by many.

    The point is this: sophisticated and powerful computing problems need sophisticated solutions, implemented by knowledgeable and talented computer engineering professionals.

    Make no mistake: this kind of thing is not Microsoft's fault. It was just an amusing irony that MS server products were the ones that were discovered/investigated. And lest anybody think that non-MS platforms/software are unlikely to suffer the same kind of fate: witness the Serious Bug in MySQL password handling [securityfocus.com] recently reported on bugtraq. How many E-Commerce site admins running MySQL do you suppose don't even know about that one, much-less have it plugged?

    Where Microsoft is to blame, IMO, is in promulgating the myth that their products take the complexity out of complex problems. Sorry, but it just ain't so. What they do accomplish is burying details so effectively that the solutions appear simple. (And, ironically, even if you know they're not: making it hard to "get to the root of things." [No pun intended.])

    Real computing problems require real solutions implemented by real computer-savvy, intelligent and, perhaps most of all, focused and responsible engineers. Not some liberal arts or business marketing graduate that took one-or-another vendor course and got his or her "certificate." Regardless of the chosen solution. (Tho I, personally, do not recommend MS-based solutions.)

  • by Anonymous Coward
    It would be nice if somebody decided to maintain a "black list" of sorts that contained the names of all companies & web sites that are found to be using inadequate security measures for e-commerce. There are several self-proclaimed hacker groups who keep telling us how their cracking antics are really doing the rest of us a favor. I wonder if any would be willing to prove it by creating and/or maintaining such a list. It's benefits for the average consumer should be obvious.
  • by Anonymous Coward on Sunday January 16, 2000 @02:12PM (#1366775)
    This looks like a job for...

    WHOOSH!

    Bill Gates, Chief Software Architect! (Dah-da-da-DAH!)
  • by Anonymous Coward on Sunday January 16, 2000 @02:04PM (#1366776)
    OK, the second security related story in two hours, it has to be a SIGN .. ;)

    Posted via Anonymizer [anonymizer.com] as an AC for reasons which will become obvious ...

    This is off-topic as far as this story is concerned, but I'm posting because there are (I think) lots of people in a similar position & I really would like to hear some fresh thinking about how to wake my employers up.

    I'm employed as an intranet developer by AMegaCorp.,Inc., a business services firm. With the thrill of anonymity I can name a client to give you an idea of how big they are : Ford Motor Co.

    Our people have daily access to insanely sensitive stuff. Stock prices moves would be the tip of the iceberg. There's a fair amount of, um, politically sensitive stuff in there, too; let's just say defense, nuclear ... that kind of thing.

    • We have no corporate IT policy.
    • We issue staff with Win 95 laptops; it's also on all the desktops. (Yes folks, even NT would be safer than 95 :) )
    • We have no IDS.
    • We have 'a firewall'.
    • We have a reasonable virus protection package.
    • We have fast desktop net access; I'm no expert, but I can see a LOT of ports on external boxes.
    • I actually had a support call from a user who's "internet is broken, yeah, since I disconnected this modem I was using to access hotmail, could that be it ?"
    • We are about to embark on a major rollout of RAS ...

    I've tried raising these issues in various ways, with no effect. Should I just run away ASAP ? Or am I morally obliged to do something about this ?

    Seriously, any suggestions ?? This is doing my head in !

    --

    healing bex

  • Many companies in the UK are only using 40-bit SSL, which is blatantly insufficient. Offenders include Dabs Direct [dabs.com], who actually told me that they're happy with 40-bit SSL and don't intend to upgrade.

    I've spoken to NatWest Streamline, who perform CC clearing for many online retailers, and they don't intend to increase their minimum security guidelines to 128-bit SSL. I know know which of the two is being more negligent.

    Even the Which? Web Trader Scheme [which.com] doesn't mandate 128-bit SSL, which is insane.

  • Good idea. Have you gotten any unexpected results from this?
  • Not necessarily. Recently there was a guy that got caught in New York who had been scanning people's cards twice - once on the cash register for the purchase, once through a reader attached to his Palm Pilot which saved the numbers. Apparently he did this for several months (and got several thousand credit card numbers) before somebody noticed he was scanning their card twice and not providing a good enough explanation.

    Sure, this is an isolated incident, but so is the CDUniverse crack.
  • > Yet again, Slashdot spews out anti-Microsoft FUD with as much fervor and skill as Microsoft spews out anti-Linux FUD.

    I don't know who or what you are responding to, but I've read almost all of this discussion and I haven't seen anyone 'spewing' anti-MS FUD or claiming that these servers were 'cracked'.

    The article also said that the ::$DATA problem had been patched ages ago.

    --
    Simon
  • by pb (1020) on Sunday January 16, 2000 @02:22PM (#1366781)
    This isn't a problem, it's a solution:

    Let's sue MS-NBC for stealing 2,500 credit card numbers!

    These sorts of lawsuits are brought against [cr|h]ackers all the time. The defense? "Um... I wasn't going to use them, I was just... just wanted to see if I could get them! Yeah, that's it!" Yeah, right. And that's what MS-NBC wants you to believe too. So either we'll have a precedent for being able to collect information on the grounds that it's cool, or we'll get to sue MS-NBC back into the dark ages. Sounds good to me.

    (all you have to find is one of these companies who actually knew they got hacked... um... never mind. :)
    ---
    pb Reply or e-mail; don't vaguely moderate [152.7.41.11].
  • 1. Partitioning - Web and database server functionality should be separated as much as possible: having your database on a separate machine and fitted with proper access controls (i.e. only accepting connections from trusted hosts and using proper authentication in addition to that) is pretty much a requirement.

    EXACTLY!! My first thought was why are they even allowing access from outside their own domain. It's easy to set up and can protect you from a multitude of mistakes in other areas. I wonder what those companies would do if someone issued 'delete from orders;' or some such?

    All of the things you mentioned are important, but that one thing would go miles in the right direction.

    I would add one more thing: NEVER allow a cgi script to pass in unchecked SQL. That's begging for trouble!

  • by heroine (1220) on Sunday January 16, 2000 @06:00PM (#1366784) Homepage
    If you haven't already noticed, most of the servers which are used by businesses are Win NT. Maybe if businesses used UNIX instead you'd see UNIX SQL installations getting cracked. UNIX owns the college and hobbyist world for 50% of the internet, but Win NT clearly owns the part of the internet that deals with business. Just read Alan Cox's diary. Every business server he deals with is running Win NT whether it's catalog orders or metro stations. Not a single business server he mentions is running UNIX. Not a one. Just because colleges and hobbyists account for over 50% of the internet doesn't mean that businesses are flocking to UNIX, which they obviously aren't.
  • Maybe that's why they are getting cracked? They read PC Magazine, buy NT, hire some freshly-out-of-colledge MCSE wannabe-admin, that knows exactly one this - to click "OK" buttons, and then they wonder why their systems are wide open and bent... The only cause we haven't 10 times more such cracks is because 99% of crackers are plain stupid - even too stupid to correctly run ready-made exploit, not to say make one by oneself.
  • I used beta 2.

    And I wholeheartedly disagree with you.

    the term "bloated" refers to a lot of things, but mainly, to the fact that the bar is raised with each release with regard to minimum hardware requirements. W2K's minimum hardware requirements are fairly astronomical. When you run it on low-end hardware, it is slow as hell. And in the Microsoft-run training class I took, we couldn't get half the machines to install DNS, and therefore couldn't get ActiveDirectory to run on those machines, and therefore couldn't install most of the nifty new cool spiffy features Win2K supposedly has.

    It's a big bloated piece of POO, unless you can buy shiny new very expensive Intel hardware to run it on.

    I wish I had a nickel for every time someone said "Information wants to be free".
  • "IE technology & IIS etc are important to windows 2000 cause they provide objects and libraries that are used as
    other parts of the OS."

    A **RESPONSIBLE** OS vendor would ship the libraries and objects SEPARATELY from the application, allowing people to install the libraries and objects, and use whatever web browser and web server applications they want.

    Applications != Objects and Libraries.

    I wish I had a nickel for every time someone said "Information wants to be free".
  • Your $700 machine is obsolete, because you're not going to be running W2K on it. Not effectively anyways.

    PS. I brought in over $100k last year, and I just bought a $4500 Sun Ultra 10, so don't go talking about things you have no idea about. I'd just prefer an OS that lets you spend money on hardware for performance improvement, not spend more money for the same or worse performance, and I'd like hardware to be useful past a 2-year horizon. In an NT network, if you go W2K, if you want to take advantage of most of the new features, you need to run CaptiveDirectory, so you have to be homogeneous with respect to OS, which means the Pentium 200 you used to run NT 4 on gets shitcanned. With Linux, when you buy your shiny new dual Xeon 500, you can keep your Pentium 200 around as a DNS server or something.
    There's a difference between demanding cheap, rock-bottom priced systems, and demanding value for your hardware dollar.

    I wish I had a nickel for every time someone said "Information wants to be free".
  • by Frater 219 (1455) on Sunday January 16, 2000 @05:05PM (#1366789) Journal
    ... that Bob Sullivan and Anatoliy Prokhorov would admit, in a news article published worldwide, to having committed several counts (possibly 2500 counts, to judge by the example of Kevin Mitnick) of a few major felonies. Plus, of course, listing the names of the sites from which they stole the credit card numbers ... is this reportage, or script-kiddie-age? "Gimm3 y3r k0d3z, d00d!!!!"

    MSNBC may be a touch more honest than Microsoft proper, but that doesn't mean they entirely have their clue on straight. Yes, tell the world that MS SQL has security holes in its defaults ... Yes, tell the world that hiring a Microsoft Certified-Clueless Database Administrator is a bad idea ... but no, don't publicly admit committing felonies like that. At least, not under your real name, Bob and Anatoliy.

    Clues?
  • I wish that web sites would give us a choice about storing our credit card numbers. The last time I used Amazon.com (long ago, before the recent boycott due to B&N) was right before my credit card expired. I'm happy to use my credit card online, but not somewhere where they store the number (I don't mind typing it in everytime). It's two years before my current cards expire. Who's to say if/when an online DB gets comprimised: two years is a long time in computing circles.
  • Nah, I'd say the problems lie in those companies that can't afford wetware and expect an "easy to use" gui-based OS to compensate for their decision to hire "air"ware.
    --
  • Gosh... Why don't you just calm down a bit? This isn't an anti-Microsoft article, this is an article about the current state of security in e-commerce, which contained an amusing note that Roblimo highlighted (with a prominent irony alert) for our entertainment. Shashdot doesn't spew out anti-Microsoft FUD, this article doesn't contain anti-Microsoft propaganda, and you should just chill down and stop wasting your nerves on such nonsense.
  • It was fixed over a year ago, and the patch was distributed.

    These examples show that the problems don't lie in the software - it's in the wetware. Any system, OS, or combination of the two can be insecure with a stupid enough person at the wheel.
  • The article used the term "sneakernet". In case there are others as unenlightened as I myself was a moment ago, let me share the definition with them:

    sneakernet /snee'ker-net/ n.

    Term used (generally with ironic intent) for transfer of electronic information by physically carrying tape, disks, or some other media from one machine to another. "Never underestimate the bandwidth of a station wagon filled with magtape, or a 747 filled with CD-ROMs." Also called `Tennis-Net', `Armpit-Net', `Floppy-Net' or `Shoenet'; in the 1990s, `Nike network' after a well-known sneaker brand.

    (from the jargon file [tuxedo.org])
    --

  • I guess you have not heard of ebay, amazon.com, (gasp!) IBM, etc.

    ___
  • ...And then get someone to "surreptitiously" point it out to Ford's PHBs.

    My suggestion: Fake up an email and run it through a bunch of anonymous remailers. Claim to be a cracker who has access to information that would be available to someone who penetrated only the outermost security layer. Mail it to yourself at Ford. Forward to supervisors with the heading, "We got a problem!" When the emergency meeting is convened, drop on the table your prepared action plan for creating reasonable security and say, "We're going to do this."

    Make sure the first thing you do is install RCS/CVS/whatever version control on all security measures, and log everything. This way, they can't later claim your fake email was a ruse to install trojans, since all checkins were logged and can be reviewed.

    Hey, might work...

    Schwab

  • by Booker (6173) on Sunday January 16, 2000 @01:26PM (#1366807) Homepage
    I mean - people are willing to call a complete stranger on the phone, and give them their credit card number. Same goes with a waiter in a restaurant, for example. I guess there's more potential for abuse online, since a list of 1000's of numbers might be available... but using a credit card in almost *any* fashion has the potential for abuse or theft.
    ----
  • Not to smear Loki's name or anything, but they have been less than careful with credit card numbers in the past. My girlfriend purchased Quake III for me (what was she thinking ?) from Loki using their secure form. There was a small problem with the information, so the person handling the order saw fit to tranmit the output from their ordering script in it's entirety via. email IN CLEAR TEXT.

    It's true that submitting private information such as a CC number online is really no different than signing a receipt in a store, but a certain trust relationship is assumed when carrying out a secure online transaction. I think people using "the Internet" for transactions tend to rush about with their business without thinking. Maybe it's the "time dilation" that occurs on "the Internet", or maybe not.



  • Yeah! Just look at Enlightenment!

  • Right-click on task bar.
    Select "Properties".
    Select "none" for menu effect.

    No more fade-in menus to bitch about.

  • This is a repost of a comment from the story,
    http://slashdot.org/articles/99/09/29/119245.sht ml

    ------------------------------------------------
    Was he installing from the CD? Was he installing directly from his HD under windows? Was he installing from the CD in DOS? If he was installing from DOS, he probably didn't have the foresight to load smartdrv and sat there for 4 hours while it copied all 2,000 files from the i386 dir to the HD. Anyone who has any experience installing Win2k doesn't install this way as it is like chineese water torture. DOS copies files very very slow. The better method is to either boot from the Win2k CD directly, install from Windows (if you already have it installed), or if you MUST install from DOS - make SURE you run smartdrv to speed up the file copy process.

    I can't speak for beta2 since it is almost 9 months old, but Release-Canidate 2 that was released a couple of weeks ago doesn't take more than an hour to install. I am speaking on behalf of 40 or so people in #Win2000 on efnet who all install Win2k at various times. As long as they arent installing from DOS without running smartdrv, and they don't have shitty hardware, they install within an hour consistantly.
    ------------------------------------------------ -

    To add to that, Win2k RTM (final) has been quicker to install than RC2 that is mentioned in the quoted text.

  • I'd really like to know why they need to store Credit Card numbers in the first place let alone all of the details. If I buy a TV from Best Buy they don't need my Name/Address/E-mail Address/Date of Birth/Magazine Interests etc. Sure the online merchant needs your address to send you the goods, but after that, they don't.

    Unless I explicitly agree (hence the default being that I don't agree [that one's for all you sites which made me search for that darn check box which was inconvieniently ticked for me]) to have my e-mail Inbox or snail mail box filled with wads of trash they don't need squat.

    How 'bout this. VISA (or AMEX/Diners/etc) goes into the instantaneous online transaction business.

    I've filled my shopping cart with goodies and I'm heading for the checkout. At this point, I give them my name and the billing address of my VISA card (the public key). The merchant then contacts VISA and indicates that I want to make a purchase for the given amount. VISA then issues a challenge to get the credit card number correct (the private key). This can be easly done without ever transmitting the credit card number itself or anything which can be easily converted into my credit card number.

    For example, VISA sends the merchant some random garbage who then passes it on to me. I enter my credit card number which is combined with the random garbage and spits out, for sake of argument, a 128 bit MD5. I send the MD5 back to the merchant who then sends it to VISA who can easily verify that the card number is correct, and then make sure I'm not over my limit etc.

    VISA then indicates to the merchant if you succeeded or not and the transaction is completed. As an added bonus the transaction could require that you combine the amount of the transaction with you credit card number to prevent the merchant from being able to fiddle the books (not that a merchant would want to do this anyhow, I can't imagine that pissing VISA off is good for business).

    So the net result is the merchant (whom has been identified as a weak link in the chain) never sees you credit card number.
  • by trims (10010) on Sunday January 16, 2000 @03:46PM (#1366821) Homepage

    I've read through alot of these posts, and there seems to be two common threads to most of them:

    1. It's the product's fault for shipping with stupid defaults.
    2. It's the admins fault for not fixing things tightly.

    I think both of these need to be addressed to see the underlying reasons for the problem, of which neither of the above are.

    First off, I'm a professional SysAdmin, and have spent most of the last 4 years doing System Architect and Security stuff. The last two at E-commerce places.

    People, the problem is threefold, none of which is easy to fix:

    Virtually nothing is designed with security in mind. That includes all our favorite UNIX OSes, Windows, and virtually all applications. The few apps that seem to have some reasonable security setup often sacrifice this by using stupid defaults to aid "ease-of-use". The sad fact here is that nothing we are using these days is decently secure (no, not even OpenBSD). UNIX is stuck with the all-or-nothing model of security, while Windows actually has a good model that is horribly implimented. Apps tend to be the same. Given that the systems are poor to begin with, hardening them is more than difficult. And compromises tend to do massive damage.

    Business is not taking security seriously. Right now, time-to-market is king, and everything else is sacrificed to that great Idol. This is primarily the public's fault, as people seem to reward cheap and first rather than more expensive and well-designed. The miserable state of software quality is a prime example of this mentality. And bugs are a leading cause of security problems.

    Also, companies have limited resources. Right now, spending the extra money to shore up security (or maybe even - gasp - do it Right) is about as likely as giving the entire staff a free vacation to Tahiti. They simply have no reason to do it - there isn't much real PR problem, the public doesn't seem to reward companies that spend the extra on security, and there aren't really any legal liabilities yet for failing to do so. So why spend money on something that doesn't have any real returns?

    Security is an ongoing battle. This is related to both the previous problems (lack of proper resources, and poor security to begin with). In order to keep a site even basically secure, it's far more complex than simply keeping an eye on BugTraq and watching for vendor security updates. A typical mid-size e-commerce site probably has at least 100 different products (remember, each script is a different product) to keep an eye on, covering at least a dozen (nowdays, with ASPs, likely several score) machines. Just keeping up to date is a daunting task, and like fighting a really war, the opponent isn't stupid, and adapts rapidly. You will suffer defeats. Security is a massively complex and difficult job. Don't let anyone kid you otherwise.

    The knee-jerk reaction to fire the admin is merely a Management-covering-their-ass mentality. Blaming the product overlooks the reasons why the product is that way, and also doesn't say anything about the state of the market as a whole.

    Until there is a concentrated demand from the public for security, things will continue to be as they are. If the public can stand it, well, then that's the shape of the world we live in. If they don't like it, give business the incentives to buckle down - make them legally responsible for breakins, buy only properly-designed software, etc. Until that happens, blaming the admins and the software is stupid.

  • PS - I actually quite like SQL Server. Every time a client specifies a really slow, memory intensive RDBMS, I specify SQL Server. It hasn't happened yet.
    So you really find MS SQL server to be that much worse than Oracle, or any of the other products out there? What were you using it for? Or have you even used it?

    This looks to me like a prime example of someone from the Linux community happily spreading FUD or just generally spouting ignorance. I've had a fair amount of experience with MS SQL Server recently, and, being a long-time MS-hater, I certainly didn't come to it with an open mind. But I have to say that MS SQL Server is a damn good database; I'm very, very impressed with it. It's certainly as solid and as featureful as anything else out there.

    Unfortunately, it is somewhat crippled by running only under NT. This limits its reliability and security, in that the OS underneath it is not terribly reliable or secure. It also limits its scalability in that NT simply doesn't run on big machines. And, of course, I find NT system administration a complete PITA.

    But there are a lot of database systems out there than can get by just fine on a 4 x 500 MHz PIII system with a gig of RAM, and under many circumstances the MS SQL Server system will be rather cheaper than the Unix options. If you've got an NT admin handy to keep the server running, it can be a worthwhile choice.

    cjs

  • by Robotech_Master (14247) on Sunday January 16, 2000 @07:01PM (#1366827) Homepage Journal
    At my K-Mart, the cash register prints out two receipts: one for the customer to keep (with full number printed thereupon) and one for the customer to sign (also with full number & other data printed thereupon) which then goes into our till. I am led to believe that we need that copy in order to be able to charge the customer for the merchandise. I don't think we could have the number blacked out and still process the charge.

    The fact of the matter is, there are lots of people who could steal your card number...and not just in the places you use it. People at the bank who issued it could get ahold of it, too...people could (and have in times past) take rubbings through the envelope in which it is delivered to you. The only way to keep your number a complete secret is not to use it at all...and what would be the point of that? :)

    Thankfully, many of the places where one could potentially use a stolen credit card number are becoming more watchful about getting verification of details, such as billing address. It won't stop fraud completely, but will help cut it down.
  • by jelle (14827)
    Isnt the ::$DATA bug one that was found over a year ago and was supposed to be fixed by MS ages ago as well?

  • by jelle (14827) on Sunday January 16, 2000 @01:52PM (#1366835) Homepage
    I don't think it's about quality of the software.

    I think the basic problem here is what you mentioned yourself, that system administrators forget to remove (unnecessary) default accounts, or forget to patch for security bugs.

    What always has been part in the equation used as for why the MS solution would be best (beating Unix), was the ease of use, and the resulting lower cost of ownership because you could hire cheaper people for administering your systems, and that those cheaper people would require less time per server to administer, because the OS was to userfriendly.

    That part of the equation has now, repeatedly, been proven to be faulty.

  • I mean - people are willing to call a complete stranger on the phone, and give them their credit card number. Same goes with a waiter in a restaurant, for example. I guess there's more potential for abuse online, since a list of 1000's of numbers might be available... but using a credit card in almost *any* fashion has the potential for abuse or theft.

    I used to work for RadioShack, and believe me there was a LARGE potential for abuse there. I would assume this potential exists anywhere in retail, but....

    It was a small matter to rip off HUNDREDS of credit card numbers per week. (Not that I did this...but I'm sure some people who worked for RS did...). This may have changed since they converted to a new register system a couple of years back, but...

    RadioShack would keep the yellow carbon copies of all receipts printed out. The ones for credit cards would go into a separate bin. The bin was not secured in anyway: it was sitting on a shelf, in plain sight to someone behind the counter. All one would have to do is wait till the manager went on break, and start copying credit card numbers down (yes the reciepts listed the FULL credit card number right on them, not simply the first four or last four digits as is now common place). At that time, most stores were not even videotaped, so the potential for abuse was QUITE great.

    RadioShack no longer prints the full credit card number on the receipt, so this is no longer an issue with them. Most stores are now videotaped (since in the 90s many managers started setting up videocameras taken from stock to tape the store, it became common practice).

    So think twice next time you use your credit card -- ANYWHERE, not just online. Make sure your CC# is not printed on the receipt in full....if it is, demand to see the "carbon copy" and black it out with a magic marker.


  • Yes.
    My primary complaint is that there is no other easy way for me to buy stuff online...

    And.. as for merchants earning my trust.. I firmly feel it is the responsiblity of the CARD ISSUER to trust the merchant, and is not my problem. If someone tells me I can pay with my card, and we agree on a transaction, then that is the only transaction I am responsible for. If the merchant steals my number and uses it fraudulently, it's not my problem whatsoever, it's Visa's.
  • The thing is... who cares? Is the merchant responsible for the frauds? I mean, are they held financially liable (by visa) if the numbers get stolen and used? If so. .that is their incentive.
    If they aren't.. that's VISA's problem.
    In any rate, it is not the consumer's problem..
  • Yes.. you are correct. They were, of course, covering their own asses.
    And I bet you are right about the merchant agreements forbidding things too.

    After some thought, the consumer doesn't have a lot to worry about, really... it's the credit card companies that will bear the burden.. and they will just hand it off to the merchant.
  • 1) You get your money back instantly.. or rahter, if you actually READ your bill before paying, you never even pay anything.

    Yes.. a clerk could do it, and a kiddie could do thousands... but so what? This doesn't hurt the consumer, it hurts the card issuer, and by contract, the merchant.

    Also.. they don't 'withdraw' money from your account.. they 'charge' $5 in credit.. which you can just refuse to pay.
  • Okay...
    But did you call the card issuer instead? If bogus charges appear on your card (which, I believe, includes any incorrect charges) the issuer will immediately revoke them and put the onus on the merchant to sort it out. It is the merchant that should be put out by this.. not you.
  • by mindstrm (20013) on Sunday January 16, 2000 @05:09PM (#1366849)
    Yes.. and the CC companies have standards of conduct for merchants. What to do with receipts, etc.... There is a code of conduct with regards to dealing with plastic.

    On the online front, at one point, Visa said 'We will not give you a merchant account for online work unless you meet certain requirements.'
    These requirements included providing information about your firewall, your security policies, who has the passwords, etc... which made perfect sense. They were protecting the consumer.

    The problem is.. this gets abstracted. ONe company gets a merchant accounts, and then sells transaction 'services' to others, and at that point, security is questionable.
  • by mindstrm (20013) on Sunday January 16, 2000 @05:46PM (#1366850)
    Why?
    It's not the consumer's problem. The whole reason for using a credit card is BECAUSE Of fraud protection.

    The merchant is held responsible. The consumer does not have to pay unless the merchant can PROVE that it was them who initiated the transaction. If the consumer says 'I didn't do this' and the merchatn can't prove it, VISA doesnt' pay the merchant...
    So.. VISA is protected.. and the consumer is protected.
    And it's up to the merchants to protect themeselves.


    So if someone steals the AOL customer databse.. who gives a hoot? It won't put any customers out any..
  • by mindstrm (20013) on Sunday January 16, 2000 @05:49PM (#1366851)
    Actually, many already do.. the problem is, they are too easy to circumvent.
    ie: if you already have a storefront, and a merchant account, and then decide to do things online.. you don't need to tell visa.
    That, or some third party farms out transactions.. making it so you don't have to deal directly with visa.

    And all that aside.. VISA is not responsible... they clearly state that they do not have to honor any statement unless the MERCHANT can prove that the customer used the card legitimately (signature, basically). If a cardholder says 'I didn't do this' and visa says to the merchant' can you prove they DID?' and the merchant says 'no' then the merchant doesnt' get paid.period.
  • by mindstrm (20013) on Sunday January 16, 2000 @05:33PM (#1366852)
    Not to cloud the issue.. but I think there is a simple cause and effect here that we need to remember.

    1) You are not responsible for fraudulent use of your credit card. Technically, and I forget the exact terms, you can be held liable for up to $50 of debt.. but this is never enforced. It may only apply if you know about the theft but do not inform the card issuer immediately (kind of makes it your fault then anyway..)

    2) The Credit card companies are the ones who bear the brunt of the financial burden for fraudulent use of cards. If their merchants are irresponsible, and cause them to lose money, it is up to them to deal with it. They are fairly lax about it, though, as if it was difficult to get a merchant account, then nobody would accept credit cards, and they would be out of business.

    3) It is between the Credit issuer and the authorized Merchants to deal with this issue, it is not up to the consumer/cardholder. Yes, the cardholder should behave responsibly, but at the same time, who tells us this? The CARD COMPANIES tell us this.. why? Because it lessens the burden on them.

    Remember.. one of the things card issuers use to get you to use their card instead of good old cash is FRAUD PROTECTION.. and that is the very beauty of credit (if there is such a thing..). You can buy online, and not get ripped off. If you buy with cash... ha.. you have no recourse.
  • I think it's [Win2K] the best thing ever to come out of Microsoft.

    Could well be. That really isn't saying much. There is plenty of room for improvement in Windows. (Most would say that is an understatement.)

    For that matter, it's the best OS currently on the market.

    Really? You don't use many OSes, do you? According to your own website, you've had Windows 2000 go bonkers [wonko.com]. SVCHOST.EXE starting eating up all your RAM and CPU. Very interesting, that.

    You see, there are no mystery processes under Linux. There are no huge, monolithic programs that are part of the system. No single, huge "System Services Manager". So if you see something sucking up CPU time, you kill it. And if you need to find out what is wrong, you open up the source in the debugger and trace it. With Microsoft, when SVCHOST.EXE goes wonky, you do not and cannot determine what is wrong by examining the problem directly. You have to jump through hoops, like reinstalling the OS, for example.

    Another thing about Linux: Linux backup software can handle file names longer then eight characters. I guess in Micros~1 land, that is too advanced to do.

    I find it very interesting that you assert Win2K is the best OS on the market, when you yourself have encountered problems Linux has never had, and never will.
  • Me: You don't use many OSes, do you? According to your own website, you've had Windows 2000 go bonkers. SVCHOST.EXE starting eating up all your RAM and CPU.

    You: Uh, you've never used netscape have you?

    You work for Microsoft, don't you? Well, in my book, the browser isn't part of the OS!

    You: Uh, you could always get 3rd party backup software (or did Linux write all of GNU himself).

    You miss the point. This guy goes around claiming Win2K is the best OS available, but its own backup program cannot understand its own filesystem? Yeah, I really want to trust my data to software of that quality.
  • Me: You see, there are no mystery processes under Linux. There are no huge, monolithic programs that are part of the system. No single, huge "System Services Manager".

    You: In fact, my friend, that is exactly what the Linux kernel is. Yes, the Linux kernel is a huge, monolithic program (thus the term "monolithic kernel") that contains a good deal of Linux's device support as well as a zillion other things.

    Not quite the same thing.

    Yes, the kernel is a monolithic kernel. That refers to the design of the memory management and scheduling of the kernel. All parts of the kernel share the same memory space and are scheduled together. This is one of the reasons Linux performs so well -- the kernel isn't preemptable, so there is no overhead of task switching in the kernel.

    However, the kernel is still nicely modularized into separate components for software maintence, and compiles to a small binary that performs one task -- low-level device abstraction -- well. True, all of your low-level device abstraction is happening in the same program, but there really isn't a way around that. Device drivers have to have kernel privileges.

    Comparing that to what I was referring to -- the many "monolithic" userland programs in Windows -- is an error. I was referring to the fact that there are a great many "do it all" processes in Windows which are essentially opaque, such as SVCHOST.EXE. You have no idea what they really do. You cannot get inside them to diagnose problems. They are a magic black box, which you are forced to trust. Hence the term "monolithic". Sorry if my usage confused you.

    Now, there are various projects to include userland functionality -- knfsd, for NFS service, and khttpd, for web service -- in the Linux kernel, but I consider them the wrong solution to a problem. Fortunately, I don't have to include them in my kernel -- I can easily exclude them at compile-time, or not load them if I'm using pre-compiled modules.

    That is another thing you cannot do with Windows -- you have to accept Microsoft's choices for what is and is not in the kernel. Such as the graphics layer. Originally, NT 3.x did not include the graphics subsystem in the NT kernel. This is one of the reasons NT 3.x was so slow, but it did mean better stability. However, MS decided to move parts of the GUI into the kernel itself with NT 4. This made things faster, but means there is a lot more that can go wrong in the critical kernel code.

    Hmm. I guess you didn't read my article too well. I didn't use backup software to back up my files.

    Hmmm. I guess you didn't write your article too well. I quote, "...installed Win2K, did an emergency restore of my wonko.com backup (which, luckily, was totally up to date)." Sure sounds like a Win2K backup program to me! How was I supposed to know that a totally up-to-date "backup" really meant you did a file copy after the problem happened? To me, a backup is something you do before problems occur.

    (And before you start jumping up and down about your usage of "DOS" in the next sentence, realize that: MS still uses DOS today in some of its products. MS supports DOS programs under NT. MS has system recovery procedures that work with NT using DOS. Using a DOS-based program to run a system restore program is something they've done in the past. I didn't know you meant the actual MS-DOS(TM) product running instead of NT. I didn't think anybody still used stand-alone DOS.)

    When I made that statement, I was referring to the final release of Windows 2000, which I am now using. My previous problems, as I've stated before, were with a beta version of the OS.

    That is very true, but I believe the problems I describe are flaws in the design of MS-Windows, of which your problems are only examples. Windows still follows the same design approach, and I believe it will still cause problems.
  • I was very amused by this article. I warned (and warned, and warned...) my former employers of such possibilities, yet they went the MS SQL route anyway.

    I think at the heart of this is the age-old debate: Open-Source/UNIX vs. Closed Source/NT/WinX. Before everyone starts flaming, or or yelling "MS basher!", let me explain...
    I've noticed that most *nix software ships with a very tight setup by default. You have to specifically enable things. You have to open those ports that you want opened. And your admin needs to have a clue.
    Now, with an MS solution, things are a bit different. Turn it on, click here, type in some info - and HEY! you've got an E-Commerce site up! And if you are not well-versed in security, and/or pretty clueless about the internet - you could be in big trouble, as the MSNBC article points out.

    My point is, you don't have to know much about IT stuff to set up an E-Commerce site using this software. You don't have to know anything about security. And this leads to the sort of things we are seeing now. "Ease of use" on the desktop is just fine... but I think they have carried it a little too far on the server end.


    I agree with many of the other posters though, this is not entirely Microsoft's fault. I think the blame should mostly fall on the PHB's hiring clueless admins.
  • And you totally missed my point...

    Any moron can set up an E-Commerce site with IIS, whereas to set up PHP/MySQL/Apache takes a little bit more understanding and working knowledge of the Internet.
    You tend to pay more attention to security when you have to learn HOW it all works, rather then point-and-click your way online.
  • I wouldn't say "obscurity of setup" perhaps. Would be much better if even ONE, yes just 1, PHB learned from this incident, and hired an admin who knew what he/she/it was doing.
    I have seen a lot of "admins" passing themselves off as professionals in the IT field, when they knew next to nothing about how any of it worked. And most of them were NT admins. I am not bashing NT admins as a whole, but it is much easier to pass yourself off as a Professional with NT than with Linux, IMHO.


    Compare and contrast Rob Malda to such. If he had not taken the time to learn how it all works, would we not see "Y0u are 0wn3D!" on the /. homepage quite frequently? :)
  • RedHat 6.1 has rsh, rlogin, and rcp turned on. As well as an lpr package with holes, and numerous other security problems. MacOS 9 shipped with a bug in the TCP/IP stack that brought the machine down with one UDP packet to a high-numbered port. And when you compile MySQL, it doesn't make you put a password on the root account by default.

    CowboyNeal calls it an irony alert that the servers were running SQL server. That's not ironic, it's stupid. Not putting the database servers on the other side of a firewall or inside a private IP network is dumb. SQL server, while perhaps difficult to configure, is not dumb. It might not be the best database server; that doesn't make it stupid. It is easier to develop for because there are a great number of high quality development tools.

    This is just poor security. Stupid mistakes. RedHat, Apple, and people like you and me make them all the time, doing things that most of us would consider stupid out of context. It's not evidence of MS stupidity or inadequacy. It's just plain dumb.

    If you don't trust other people to be perfect, then don't give them your credit card. Develop secure payment algorithims that don't require card number transmission. But don't bitch about MS. It sounds so fscking stupid when you do, and it makes people like us (you know, "Open Source" "Free Software" "Linuxheads" "BSDers "Technophiles" "Abused High-Schoolers" or whatever is our Label of the Day) sound like crybabies.

    Just put your shoulder to the wheel, your nose to the grindstone, and build something. When you're done, start over. That's how we will make the world a better place.
  • I'm wasting my energy, but:

    valid - how so?

    proven - by whom?

    ontopic - where is Win2000 mentioned in the article?

  • Okay, okay already. I'll install the service pack as soon as I get this batch of burgers flipped over.
  • by SEWilco (27983) on Sunday January 16, 2000 @01:26PM (#1366876) Journal
    Well, Windows 2000 will surely fix all these network security problems.

    :-)

  • Funny that,
    I always wonder that same thing myself.
  • On the other hand, even sites with 128-bit SSL don`t always have a clue. Lloyds Bank, for example, has online transaction facilities, and requires that passwords be between six and eight characters long, and alphabetic characters only. The idea that a password should not be easily guessable doesn`t seem to have occurred to them.
  • Have you ever used Windows 2000? Eh? What's that? No? Then what's all this "too bloated" crap you're spouting? Go use the thing first, silly. Then you can spout your misinformed opinions. I've used Windows 2000 as a server for almost a year now (yes, starting with the early betas) and I think it's the best thing ever to come out of Microsoft. For that matter, it's the best OS currently on the market.

    --

  • If that's the case, then Linus Torvalds and all his minions are just as evil and stupid as Microsoft. Do you really think Linux is secure by default? If so, then the only one here who's an idiot is you. Linux is most certainly not secure by default. In fact, no operating system is. Just because SQL Server has a built-in account (which, by the way, the setup program gives you the option to disable from the very beginning, genius) doesn't mean Microsoft did anything wrong.

    --

  • Really? You don't use many OSes, do you? According to your own website, you've had Windows 2000 go bonkers. SVCHOST.EXE starting eating up all your RAM and CPU. Very interesting, that.

    That particular issue occurred while I was running Win2K RC2...a beta release. The issue was reported to Microsoft, and is fixed in the final release. As for running different OSes...despite my age, I've managed to use DOS, OS/2, OS/2 Warp, UNIX, Linux, FreeBSD, MacOS, GEOS, QNX, Win 3.0, Win 3.1, Win95, WinNT 3.51, Win98, WinNT 4.0, Win CE, and Win2K. So to answer your question, yes, I have used many different OSes.

    You see, there are no mystery processes under Linux. There are no huge, monolithic programs that are part of the system. No single, huge "System Services Manager".

    Funny you should mention that. In fact, my friend, that is exactly what the Linux kernel is. Yes, the Linux kernel is a huge, monolithic program (thus the term "monolithic kernel") that contains a good deal of Linux's device support as well as a zillion other things.

    Another thing about Linux: Linux backup software can handle file names longer then eight characters. I guess in Micros~1 land, that is too advanced to do.

    Hmm. I guess you didn't read my article too well. I didn't use backup software to back up my files. I stuck the hard drives in a DOS machine and copied them that way...thus the reason for the lost long file names, since DOS doesn't support them.

    I find it very interesting that you assert Win2K is the best OS on the market, when you yourself have encountered problems Linux has never had, and never will.

    When I made that statement, I was referring to the final release of Windows 2000, which I am now using. My previous problems, as I've stated before, were with a beta version of the OS. Bugs are to be expected in betas, just as bugs are to be expected in Linux's unstable development releases.

    --

  • Hmmm. I guess you didn't write your article too well. I quote, "...installed Win2K, did an emergency restore of my wonko.com backup (which, luckily, was totally up to date)." Sure sounds like a Win2K backup program to me! How was I supposed to know that a totally up-to-date "backup" really meant you did a file copy after the problem happened? To me, a backup is something you do before problems occur.

    Yet again, the problem here is you not reading things correctly. I said I did an emergency restore of my wonko.com backup. NOT my hard drive backup. The wonko.com backup was a backup file made by IIS that contains all the settings for the web site. It contains NO files. Just settings. THAT is what I restored. Try to actually read the sentence before you start jumping down my throat.

    --

  • Complete and utter bull. I run wonko.com [wonko.com] on a Windows 2000 Server, and the machine it's on is a Pentium 166 with only 64 megs of RAM. It runs fine. That machine serves up web pages as well as running Microsoft SQL Server 7.0, and it's speedy as all get-out. If you had problems, they were most likely caused by not configuring things correctly.

    --

  • By your logic, everyone should buy one computer at an early age and then never upgrade it again, and all software companies should write software that will run on that old piece of crap computer even though technology has advanced considerably. Yeah, right. Doing things that way will only bog down technological advancement.

    By developing software that runs best on newer equipment, software-makers cause more demand for the new equipment, which then prompts hardware-makers to put more money into developing even newer equipment, which is the only way technology ever gets anywhere. I, for one, like this course of events. If you're too poor to be able to save up for a little while and buy a new processor, well, what are you doing playing with computers?

    I bought my current machine for less than $700: a Celeron 300A OC'ed to 450mhz, running on an ABIT BH6 motherboard, with 128 megs of RAM and 37 gigs worth of 7200rpm IDE hard drive, SoundBlaster Live!, and a Riva TNT AGP video card. Yes, less than $700, and it runs all the latest software without flinching. And I'm a high school student with a low-paying part-time job. If you can't afford that, then perhaps you need to think about getting a better job.

    --

  • by Wonko42 (29194) <ryan+slashdot.wonko@com> on Sunday January 16, 2000 @01:40PM (#1366885) Homepage
    Yet again, Slashdot spews out anti-Microsoft FUD with as much fervor and skill as Microsoft spews out anti-Linux FUD.

    People, the credit card numbers that MSNBC stole were not stolen through a "cracked" database. MSNBC did no cracking of any kind, and therefore the security of MS SQL Server is not the issue. The issue is, once more, the people who stupidly set the sites up and left the default "sa" account active. The "sa" account is included in SQL Server merely to allow the software to be set up. It is not meant to be left active on a server connected to the web.

    Try cracking a Microsoft SQL Server that's been configured correctly, by someone who actually has half an idea what they're doing. It's just as impossible as cracking any other database solution...in fact, I'd venture to say MS SQL Server is even more secure than most other database servers.

    Furthermore, the "::$DATA" vulnerability was only in IIS4. Microsoft patched that bug over two years ago, and anyone stupid enough to still be running an unpatched IIS4 server is just asking for trouble.

    --

  • As others have pointed out in different responses, it's *worse* since credit cards have fraud limits - and that limit applies to all fradulent charges.

    I don't know about that. We have a credit card of which the number must have been taken by someone in Florida when we where at a trade-show.

    They started ordering stuff from one of these TV shows (jewelry or something) but only for small amounts. Since the card has a lot of charges on it and we travel a lot it took three months before we noticed it.

    Well, the fine print reads that you have to notify them within a month or you are screwed. Fraud protection my ass. Yes, they will give you the company who charged it's information. Then you have to try to find out from that company where the goods where delivered (and why would they want to cooperate?). If you are lucky enough that you'll get that information out of them, then what? Call in the cops? We did, they laughed...

    In other words, you spend hours and hours on the phone and the bottom line is: you lost your money.

    I know now that you have to keep a very close eye on every statement for a credit card. This may sound obvious or stupid but when you have company cards with a hundred or more transactions per statement...

    Breace.
  • Yes, they can be held to blame.

    VMS learned the hard way, back in the 80s that you just don't leave default passwords lying around, even if you think your users might be smart enough to change them.

    You will notice that when you install most software these days that needs such facilities that it asks for a password during the install.

    This is the way it should be. If a user choses a dumb password, that's different, but having a default is a good way to get bad PR, and companies that succede in getting bad PR for that will earn no sympathy from me.
  • by ajs (35943) <ajsNO@SPAMajs.com> on Sunday January 16, 2000 @02:01PM (#1366899) Homepage Journal
    Every product on the market gets this kind of PR hit when it ships with a blaringly stupid default (like an sa account that you don't have to go out of your way to leave open). People break in, and the product is blamed. This can be said for many FTP servers under UNIX/Linux, MS SQL and a gob of others.

    MS deserves bad press for such a stupid blunder as would any other company or development effort.
  • by coyote-san (38515) on Sunday January 16, 2000 @01:46PM (#1366900)
    Some sites are now offering "online checks" for people who aren't willing to trust their credit card to the net.

    As others have pointed out in different responses, it's *worse* since credit cards have fraud limits - and that limit applies to all fradulent charges. Checks, in theory, will be fully refunded if you file the paperwork to claim fraud. In practice, most banks have quietly changed their fine print to say that if someone has your account number the presumption is that you have authorized *any* access, and it is damn hard to get them to stop honoring debits. In practice you must close the account, something that's far more disruptive with checks than with a credit card.

    I can understand why the banks did this - they probably got tired of being caught in the middle between customers and health club finance companies - but the practical effect is that checks are now far less secure than credit cards.

    I mention this only because I've already seen some sites advertising that they offer "online checks" as a "secure" alternative to credit cards, and stories like this will only make things worse.
  • by chazR (41002) on Sunday January 16, 2000 @02:55PM (#1366902) Homepage
    I agree entirely. Particularly...

    The issue is, once more, the people who stupidly set the sites up and left the default "sa" account active.

    I usually work with Oracle databases. I am still astonished every time I find a can log in to an Oracle database as either SYS or SYSTEM. Given that the default SYS password is ChangeOnInstall, you have to wonder about the people running the systems. I guess that more than 10% of Oracle databases are misconfigured like this.

    Don't even get me started about the DB2 database I found on a net-facing S/390 that still had the default admin password.

    Is this Oracle's (or Microsoft's, or IBM's) fault? NO - it is the fault of the halfwit DBAs who bullshit their way into jobs that are way beyond their ability. The 'differently intelligent' managers who hire these people should also be held to account, except their mental age relieves them of criminal culpability.

    PS - I actually quite like SQL Server. Every time a client specifies a really slow, memory intensive RDBMS, I specify SQL Server. It hasn't happened yet.

  • by Weezul (52464) on Sunday January 16, 2000 @01:43PM (#1366910)
    From our point of view this is just unprofessionalism in a very high degree that's not explainable

    They hit the hail on the head andthis problem should be easy to fix, but there are more programmer orented problems that are not so 3easy to fix:

    These script langauges which deposite form variables in the global namespace (like PHP and VBScript) there is a god chance of programmer created problems which are not so easy to track of fix. Example: programmer keeps copy of web site PHP code at home.. Programmer gets fired.. Programmer paws through code and finds a weakness since the code was in PHP and allowed form submits to mess wit the global name space.

    Also, VBScript has the problem that most people using it do not know how to protect the strings that are going into an SQL query.

    I know these problems seem milder because the exploits may need to be diffrent for diffrent web sites, but I would expect to see tools (maybe even AIs) which manage to automate some of the process of exploiting these holes. Government funded hackers (like in China) may have access to profesors and people who could do the research to find statisticaly probable weaknesses in custom software.

    I'm not really tring to slam PHP and VBScript, but I do see a lot more potential for PHP and VBScript programmers making the same mistake over and over then with other langauges.

    Jeff
  • by mochaone (59034) on Sunday January 16, 2000 @01:43PM (#1366913)
    Stories exactly like this will spur PHB's to run out and purchase Win2000 and all the 2000 certified software in the hopes that it will absolve them from security problems. Microsoft should be excoriated for releasing insecure systems and keeping them closed, yet Microsoft is in a win win situation. The people running these sites are probably married to the idea of a Microsoft platform and will no doubt move up to its latest incarnation.

  • To support the argument that this is not just a Microsoft problem, let me point out that the security measures built into Oracle databases are ignored at very many sites I have encountered. The problem is that many administrators do nothing -- and I mean nothing whatsoever -- to change the default state of the database installation. Oracle is a popular choice for e-commerce, and I'm sure that someone, someday, will manage to steal data because of this.

    Over the past year or so I have done DBA consultancy for some of our customers, going into sites and helping with their database administration. Very often, I find that the default passwords of privileged database users have never been changed. Try it sometime: the user system, who can read and change any data in the database, has the default password manager, and the user sys, who can start up and shut down the database, has the default password change_on_install. (Some people apparently don't notice that the latter password is a hint.)

    Oracle installs a default "listener" that is open on port 1521. Many e-commerce sites have their web and DB servers on the same machine, and don't need any external TCP/IP connections to the database. Even those that do can be set up so that connections are only permitted from a limited number of IP addresses. But this, too, is almost never done. So there's your opening: get an Oracle client to connect to port 1521 on your target machine, log in as system/manager, and in many cases you'll own the whole database.

    Another thing: many people routinely do their Oracle admin work by logging as the "oracle" user, the owner of the Oracle software. Few seem to understand that this user is like root: you don't log in under that name unless you absolutely have to, because any mistake you make can be disastrous. What you do is make users with DBA responsibilities members of the group "dba", so they can run the admin software but can't delete anything critical. In fact, you need to be "oracle" far less often than you need to be root -- after installation, you should never log in as "oracle" again. And yet there are admins who work as "oracle" all day long. Even worse: it seems that the most common password chosen for the "oracle" user is, you guessed it, "oracle"!

    We could accuse the administrators of laziness and cluelessness. But the real blame lies with management, who want to set up a cheap e-commerce site without paying the price for DBA's who know what they're doing, or for the training that their current admins need. Many of the admins I've worked with have told me that the boss stuck the Oracle CD's in their hand one day and told them to go run a database. That's a surefire formula for an insecure site.
  • Actually, it does and it doesn't. By default, unless you change the options during install, Telnet doesn't even run. If you run it, then by default localhost and Windows 2000 machines in the same domain don't need to authenticate, but any other machine won't be able to connect. Or, you can set a lower security option to use password authentication. It's not too bad, actually; I've been running the various versions from RC1 through 2195 (RTM final) for months now, and it actually kicks ass. Beats NT hands down, 98 no question, and even Linux on some tasks.

    Of course, that just got this comment labeled a troll because it doesn't proclaim it to suck, but hey - the truth hurts. Deal.

  • When slashdot constantly accuses Microsoft of generating FUD, what is this ? Can anybody debate the fact that the topic is strongly anti-MS biased ? I hope that the posters will know better than to say "that's what happens when you don't go with linux". Sure, MS has a lot of security flaws.

    In this very situation, you are combining two things.

    First, the database administrators (who might not be MCSEs... Without praising the MCSE program, one thing it does put emphasis on is long, hard to guess passwords with short expiration times) made the stupid mistake of using the default username for their database and putting no password, or a stupid password. That's like leaving the root password blank, and allowing root to log in via telnet ! It's a stupid mistake made by people who probably didn't get any kind of training. Probably not the kind of people you'd normally hire to run your server... Such a person running your linux server would give you a very vulnerable server, as vulnerable as those.

    Second thing is, they were using a version of IIS that had not been patched for the last two years. Okay, it shouldn't have been defective in the first place. But look at 2 year old linux distributions ! Anybody with a good root package is able to crack a linux box that's been left alone for the past 2 years ! Use one of the buffer overflows in one of the various flawed daemons, if it's 2 years old, it's probably vulnerable... If you don't patch your system, no matter what OS it runs, it will be vulnerable.

    Who should be blamed here, the OS or the administrators ? I think the answer is obvious. A bad administrator will cause similar problems in any old OS.
  • by hernick (63550) on Sunday January 16, 2000 @02:08PM (#1366921)
    My method to detect e-mail spam is to use give companies companyname@mydomain.com as my email address. Of course, that only works if you have your own domain and a catchall account. But it allows you to know who put you on a spam list, and to ignore them easily by forwarding their spam to /dev/null.

    Your middle name method is pretty clever...

    One of the things that one can do to limit the value of the credit card he uses, and therefore defend against most fraud, is to use a card without anymore money than you wish to spend.

    Three possibilities I can think of.

    First, an Incentive Card if you can find any. Those come with fixed values, they're not credit cards, but you can spend up to their fixed value anywhere that takes credit cards. www.aies.com sells them, I believe. That way, you keep changing CC# very often.

    www.webcertificate.com offers a similar product, and you can add money with your real credit card (processing fee of 1.50$ by 50$ you add). You don't get a physical card, but only a mastercard number you can use to make purchases. It works great for me.

    The third method is to use a Visa Debit Card and deposit the amount you wish to use before every transaction... That's a bit of trouble, but combined with online banking it can be made easy. I use www.x.com to do that. You open an account with them, and they send you a visa debit card you can use like a credit card. But the balance availaible is only what you deposit in it. You can deposit up to 500$/6 months with another credit card, and as much as you want by check.

    Any of those ways, you have a "credit card" without credit. It only has as much money as you want. I'm sure you can understand the implication of that.. Even if somebody steals it from you, you don't lose anything more than the value that you put on it, which is probably only the value of the item that was there in the first place. And as they're issued by banks, they will let you contest charges as well as with a real credit card.

    Hope this has been helpful.

    ---
    P.S. If you sign up for x.com, you have the option of referring somebody. If you feel generous, refer francois@bradet.com . You don't lose anything if you don't refer me. If you feel this whole thing sounds like a commercial endorsement and you don't like such things, please let me know by moderating me down. If you really what I just wrote is bad, let me know at francois@bradet.com and I'll apologize. I'm just trying to share my knowledge.
  • by konstant (63560) on Sunday January 16, 2000 @01:43PM (#1366922)
    I won't go quite as far as the poster about abstaining from online credit card purchases, but I do have a method by which I can at least identify the culprit company if anything goes wrong.

    Whenever I make an online purchase, I use the name (or first initial) of the company as my own middle name. That way, if someone steals my personal info, emails me spam, or any number of invasions, I will know instantly from the name on the billing which I company I should never use again.

    Of course, this does nothing to prevent your information from actually being stolen in the first place...

    -konstant
    Yes! We are all individuals! I'm not!
  • As I've always felt and always said.. I trust the internet completely.. While it may be possible that encryption can be broken, the amount of effort needed would be too high for the gain of a mere credit card number. So, the internet itself is safe.... But that's not enough.

    The CC number has to be cleartext when its sitting on MY computer when I type it in. It also has to be cleartext on THEIR computer when they submit it to the CC company. I trust my system is fairly well set up and secure. I don't trust the peon's on the other end to have done the same. THAT is why I dislike ordering online.

    There are also the issues of extent. A waiter can only copy so many CC numbers a day; a thief can only steal so many purses a day. But, an online site can store thousands of CC numbers in an insecure database.

    But you are right.. The biggest danger isn't monetary loss (because of the $50 limitation of liability), but rather hassle and annoyance.

  • by cdlu (65838) on Sunday January 16, 2000 @01:35PM (#1366925) Homepage
    Can I use CODs to buy slashdot hats and tshirts now? :)

    But more seriously, what this shows us is that people don't pay attention to what they are doing before they do things. If you don't do something as simple as set a password on your database, it should come down to the same thing as leaving the key in the ingition, the car running, and noone in the car, in the third lane of a four lane highway in rush hour. Insurance won't cover it. People have to be careful when they start up a business that they are doing everythign right.

    If you are thinking of starting an ecommerce site, then higher a security professional to come in and take a look at it. They are out there, they are there for a reason. Credit card numbers are a very personal thing, and having them publically available is just plain bad, even if its not on purpose.

    In legal terms, if you kill someone and didn't mean to, its called 'involuntary manslaughter' and you still go to jail.
    #include <signal.h> \ #include <stdlib.h> \ int main(void){signal(ABRT,SIGIGN);while(1){abort(-1); }return(0);}
  • .. or obsessive compulsive.

    True - could be said of that. Mind you, the card is used in my company, so yeah, I do check it daily (mostly 'cos it's almost always close to limit lately :)

    Do you check you checking account everyday?

    The business ones, yes. My personal one? Shit no (mostly 'cos it's close to empty all the time :)

    You see, it takes about 5 - 10 minutes per day to check transactions against my accounts (two checking accounts, a transfer account, a cash management account and the credit card). Maybe it's paranoid or obsessive/compulsive, but then again, maybe it's 'cos I'm running a company? (My other company has an accounts person - he does the checking for me on those accounts and I just take a peek at the current balances, etc :)

    Do you check the stash of money under your bed everyday too?

    Shit no - I ditched that ages ago. Too insecure - the cockroaches were robbing me blind. As to the uncut diamonds in the fish tank - now that's a different matter :)
  • by grantdh (72401) on Sunday January 16, 2000 @02:03PM (#1366932) Homepage Journal
    OK - so maybe the credit card companies need to send out a bunch of instructions for people who are too dumb to figure it out for themselves (sort of like those "Objects in mirror are closer than they appear" messages - like, DUH!!!!! :)

    Here we go with some simple instructions for how to use your credit card and not get burnt:

    1. Make sure you can check your credit card statement on-line as required.

    2. Record all purchases in a database (Quicken, MYOB, MS-Money, text file, spreadsheet, whatever!)

    3. Check your credit card statement on-line as often as you can (once per day is good :)

    4. If you find anything you didn't write down, start screaming to your card issuer!

    Even if you never travel over seas, purchase from catalogs or purchase from the 'net, you should be doing this. If you don't, you're just asking for trouble. At the least, you should check your monthly statements - doing it daily makes it quicker to get the dispute resolution process started :)

    I frequently travel to "worrying" places, use my card at cafes/restaurants, purchase over the 'net and so on. I check things and (touch-wood :) haven't had any problems. I did find a couple of entries that were charged incorrectly and was able to resolve them by contacting the vendor directly. No problems, everyone happy.

    Stop whining, stop expecting the government/corporations/mommy & daddy/whatever to protect you. Get off your ass and take responsibility for your actions.

    Same goes for those setting up e-commerce sites. One of my companies does it and we get third-party security reviews (we charge more, but we don't want penny-pinchers as clients - they always come back to haunt you :)
  • by Duxup (72775) on Sunday January 16, 2000 @01:59PM (#1366934) Homepage
    I use my CC online all the time. I've never been burnt but a friend of mine was. He just called the CC company and they refunded his $. It is that simple.
    It's good to be careful like Roblimo and careful whom you give it too. However it's more important to know your rights and that your not responsible for such charges.
  • by Super_Frosty (82232) on Sunday January 16, 2000 @01:30PM (#1366943)
    I can't understand why people refuse to buy things over the internet.

    First of all, if someone makes a purchase with your credit card, but you haven't actually lost the card, then you are liable for nothing. You have nothing to use!

    Credit card theft and fraud occur without the internet. Your wallet/purse can get stolen. In that case, you are liable for up to 50 dollars. A waiter or clerk can copy down your numbers.

    The risk isn't any greater at all, but fear tactics from the media like this MSNBC story don't give a sense of proportion.

  • You work for Microsoft, don't you? Well, in my book, the browser isn't part of the OS!


    A browser may not be part of an operating system in some sense, but it's part of the Windows OS. It's as much a part of Windows 2000, as Windows Explorer was part of Windows 95. In Microsoft's mind, it's as essential as bash/tsh etc would be to redhat.
    So while it's not part of the kernel (what you would probably consider part of the OS) it's a major part of Windows, and is hugely important - windows would be useless without a shell for most people.
    Who cares if the shell just happens to be able to render HTML (just like most shells of yesteryear can render ASCII).

    IE technology & IIS etc are important to windows 2000 cause they provide objects and libraries that are used as other parts of the OS. IE for HTML Help, It's XML DOM etc. IIS comes with MTS, which is becoming essential for load balancing and stabalizing COM+.



    This guy goes around claiming Win2K is the best OS available, but its own backup program cannot understand its own filesystem?


    Who said Win2K's backup couldn't understand it's own filesystem. Am I missing something here? Since when was windows 2000's backup program restricted to 8.3?
  • I won't assault Robin this time :), because this time I'm alert to the fact that these aren't his own words -- he just happens to bite on sensationalist articles...

    If all other security issues having to do with administration vs. the OS itself could be considered muddy, this one isn't. I don't see how others' bad coding and administration is Microsoft's fault, does anyone else?

    Even though the language ultimately corrupts itself, should Larry Wall be the person to blame for shoddy Perl scripts? Should we blame Linus Torvalds if the root password to Slashdot's SQL box is successfully guessed? I don't think so.

    --

  • You are making things too complicated. The article's main complaint is that too many admins have not set up password protection on their SQL servers. This is negligence of the first order. Your long series of second-order security precautions comes into play only after the competence of these admins rises to the point where they see the need and can do password assignment. And that won't happen universally, across the board, until corporations become liable for this sort of negligence [IANAL, so they may already be liable for this and we are only waiting for a test case to prove it].
  • About 5 years ago, I was working at a gas station in a small town. When we took credit cards, we swiped them through the POS machine (same as debit). However if, for some reason, the card didn't go through, we did the old manual imprint method, and put the retailer's copy in the top drawer behind the cash. When I worked there, there were literally hundreds or thousands of these numbers, sitting unprotected in a drawer. Most nights, I was the only one in the station, and would often be in the back sweeping. Anyone could have taken these numbers! And that is assuming I hadn't already auctioned them off to the highest bidder.

    The point is, whenever you use your credit card, there is a risk involved. That does not mean, however, that we should not address this particular problem.
  • Before you make a purchase at a site, take a look at what kind of server they're running. Here [rexswain.com] is a nice little CGI that easily lets anyone fetch header info. Among the many bits and pieces in the header is the type of server being used. Although this is by no means fool-proof-- pretty much any system can be set up lazily/ineptly/insecurly, god news-- we all know that some servers (I recognize that this SQL thang isn't exactly a server problem) are more easily accidentally left insecure than others. Additionally, the header info can give you an idea of the OS the folks are running (if you want to be rabid about only supporting Linux based e-tailors, or some such hogwash **grin**.)

    In a way, checking on a site's html-headers is the same as glancing at the fry-cook's hands to see if they're dirty-- a guy with clean hands can still sneeze on your burger, but it's still a little peace-of-mind.

  • by VAXman (96870) on Sunday January 16, 2000 @02:38PM (#1366965)
    eBay's servers are NOT Microsoft. Their front end web servers are Microsoft, but the back end databases are Solaris. All of the problems which eBay has had are bugs in Solaris. When eBay had problems there were SUN engineers on site to fix the problems.

    Of course, since Microsoft is the scapegoat of the computer industry, people will blame the company if any of their software is involved in any way. eBay is a prime example; when the people who blame eBay find out that it was Sun's and not Microsoft's fault for the problems, they do not shift the blame to Sun, but rather shrug off the problems, and pretend to play down the incident. eBay's outage in the summer, which cost well over one and a half BILLION dollars in market capitalization, is one of the biggest industrial blunders in history, and was 100% to blame on a bug in the Solaris operating system. Yet Microsoft continues to receive the blame for it.

    It is really getting out of control. There are people who really think Microsoft is to blame for the Year 2000 problem the Year 2038 problem, the Internet worm, et cetera, ad nauseum. It is so incredibly trendy to blame Microsoft that any industrial problem whatsoever is blamed on them if they had any involvement whatsoever - without even GLANCING at what the real problem was or who really was to blame.
  • Do I walk around with a note with username and password for my network in my wallet? NO!
    Do I tag my home adress to my keys? NO!
    Do I walk around with a card in my wallet, containing in plain text form all information required to purchase stuff online. YES!

    If our computers were cracked because i had a postit with UID/PW I would be in serious trouble with my boss.
    If a pick pocket would break in because I told him where my keys went, I would probably get nothing from my insurance.
    But the plain text information on a plastic card is enough to spend my money! Hello!

    Of course I might be able to prove that a transaction was not valid and eventually get my money back, but that would take lots of work.

    Where I live, a CC purchase must be validated with either a PIN-code or a signature. Get my number if you want to. You still dont have access to my money without forging my signature or getting my code.

    Enter the net. Thousands of opportunities to buy stuff online in my name. Once my number is out, I just have to trash my card.

    Thats the problem with CC numbers on the net.

  • Not changing your passwords and account names from the defaults (or not even having a password) on a live customer database connected to the internet! Lunacy. Seems like some e-commerce companies have never heard of security, aren't able to implement it at the most basic level, or simply think it's too hard. To all those who have posted saying that "even when you use your credit card at a restraunt you run a risk because the waiter could memorise your number and use it" think about this. a)the "waiter" couldn't rip 2500 people's card #'s in a matter of minutes. b) each time the "waiter" rips a card there is a tangible like between himself and the card - he is an employee at a place that the card was used, making the chances of cathing him reasonably high. When you get 2500 people's card details all that links you to them is a few TCP/IP packetts that flew across the internet. c) AFAIK your argument originally appeared in a dilbert cartoon (you know, the one where the waitress comes back wearing the fur coat).
  • Why is it important for you to keep your CC info private?

    At worst case, you are only liable for $50.00, regardless of the actual fraud.

    The media made all of us think that Y2K would be a big deal, and I have the same opinion when it comes to credit card information.

    Since the begining of e-commerce on the web, the media has been talking about how people could steal your credit card information. Be careful, someone could steal your credit card info. In addition, even if you deal with a reputable site, someone could use a packet sniffer and steal your credit card that way.

    Please. My credit card number is not the kind of information that I worry about people getting. I'm more worried about disturbed individuals getting my home address and mistaking me for an abortion doctor. Or someone stealing my social security number, getting a job under my SS number, and not paying taxes.

    Have you ever known anyone who had their life ruined because someone stole their credit card? IMHO, people have more to fear from the debt that can be caused by credit cards that the $50.00 limit on fraud purchases. People's lives have been ruined when they had their SS number stolen, not their CC info.

    So who is pushing the media to push the masses to care so much about their CC info. The CC companies, as they are the ones who have to pay the fraudulent charges after $50.00. And we, as a whole, are falling for it in the same way that we fell for Y2K and Pauly Shore.

    I have used a credit card on numerous web sites and have sent it in plain-text e-mails to pay for merchandice. If sending your plain text CC information was so sensitive, it wouldn't be printed on every receipt.

    Wouldn't it be more effective in eliminating CC fraud to only print the last 5 digits on the receipt and omit the expiration date, making sure that someone can't just dumpster dive for my info?

    As for the story, at least SQL Server can be configured to be secure. One of the companies I did work for was using FileMaker Pro 4.* as their web server. However, all you have to do is guess the username and leave the password field blank, and FileMaker (when doing the query) will assume the blank password field is a wildcard. Hence security is only as far away as the username. This "feature" is even present in the e-commerce example web site that ships with FileMaker Pro 4.*.

    We laughed. And then went to Apache.

  • by mckyj57 (116386) on Sunday January 16, 2000 @03:59PM (#1366982)
    The problem here is not so much the database server as the database design.

    Any time you can get a credit card number via a normal database query it is a security hole.

    I will say it again -- anytime you can query your database and get a credit card number it is a security hole. If you are not saving the information to a non-internet connected system, or encrypting with strong encryption before writing it to disk, you are playing fast and loose with customer information.

    The simple rule should be this -- an unencrypted credit card number should never be written to disk, not even for a moment.

  • I have a credit card. I Use it a lot in place of cash and just pay the bill off at the end of the month. Anywhere you use that bad oscar it can be stolen. I got my CC bill one month. this was before I made it a 500 dollar limit. Bam 15,000 Dollars my damn card was maxed out. I shit a wooden nickel. I did only pay 50 bucks but good lord. I had shopped online for like 2 and a half years at that point. You know where it was stolen from? Macy's of all fargen places. One of the Cashiers there took like 15 or so CC nums and just went hog wild buying cars and whatever else. The point is ITS all insecure. So there just has to be a little trust between you and where ever or whoever you are buying with..
  • by wanrat (127429) on Sunday January 16, 2000 @04:12PM (#1366994)
    Someone above posted the correct answer which is: these guys just stripped the info out of 1)MS SQL's enterprise manager using either the default login, 2) by exploiting an extended stored proc., or 3) by stripping login info out of the .asp page or from the global.asa file at the root of the asp distribution directory. ALL of these holes are patchable, and were required fixes by MS. ANY site who has a DBA on staff should be aware of these things and should already have them patched. MSNBC likely used the extended url hack on IIS to read the global.asa file which has the u/p embedded in it. This is not really MS's fault, as hacks will be created on every platform... this is the fault of the folks who hired second rate, underqualified DBA's and network engineers. Even given a local login and straight access to the site, the SQL Server can be made inaccessable simply by implementing application specific security (under 7). This is, once again, a foresight and planning problem and is not necessarily the fault of the technology. My Redhat/Oracle box winds up with many many security patches as well, so we in the Linux community are not immune to this kind of stuff. Actually, I'm surprised that the people who skimped on their network weren't hacked up until now. (the frightening thing is... maybe they have been muhahahahaha)

    -Wanrat

    hehe it's 10pm, do you know where your credit card is?

  • by mdb31 (132237) on Sunday January 16, 2000 @01:51PM (#1367002)
    I'm not sure why everyone is suddenly so excited about the fact that you can easily steal credit card numbers "over the Internet" -- heck, you can easily steal credit card numbers anywhere . Guess someone feels they have to make up for their Y2K media fiasco...

    But anyway, all the attention to this issue is probably a Good Thing. Popular Internet e-commerce servers are bound to have quite a bit of credit card numbers, along with other goodies such as the name of the owner and the expiration date, floating around, and it's time that a people became more clueful about how to handle this situation.

    Face it: any setup where both your webserver and database server are available from the Internet is a major security risk. The way most e-commerce shops, especially those running at hosting companies, are set up today (webserver and database server on the same machine, or at least the same network without any access controls) is simply asking for trouble.

    Here are a few reasons why:
    Software bugs - and no, not running any Microsoft products won't get you off the hook. In fact, I guess the cozy little MySQL password security exploit that was discovered recently is way worse than the ::$DATA issue, although most clueful providers will fix it quickly.
    Untrusted staff - how easy is it for a rogue operator at your provider, or a lowly-paid temp working for the shop itself, to run a complete copy of the credit card file?
    General data security - in other words: hey, do you know who else has access to your shared database server, or where the backups go at night?

    All of the above leads to a few conclusions:
    1. Partitioning - Web and database server functionality should be separated as much as possible: having your database on a separate machine and fitted with proper access controls (i.e. only accepting connections from trusted hosts and using proper authentication in addition to that) is pretty much a requirement.
    2. Encryption and access controls - Even with proper partitioning in place, most of your customer details need to be encrypted using a non-trivial scheme, and proper access controls need to be put in place. Make sure only the right people have access to your data, and log every access. Disable bulk commands, except during the backup window, if possible.

    Now, which percentages of sites is operating as described above today? My guess would be less than 10%, leaving enough room for on- and off-line crackers to steal whatever information they want. It's not consumer problem per se (since credit card companies have pretty extensive consumer protection from fraud...), but still a lot needs to be done before the general public will truly get a warm fuzzy feeling about on-line shopping...

  • Using Credit Cards to make on-line payments is essentially a trust based method. Although we won't trust J Random Merchant with our cash, we will trust him with our credit card.

    Trust, unfortunately, is one of the easiest things to abuse. After all, most of the merchants have not earned our trust. We just take their word for it, i.e., the only reason we trust them is because they us to trust them.

    Old though I am a sentimental old fool who believes in trust, I think it is about time that we moved out of this trust based method of transaction and entered a much more secure form of on-line funds transfers.

    E-cash, and e-cheques sound promising. For example, a if someone mugs you and gets 10 quid ( sterling pounds ) off you, your damage is only that 10 quid. However if someone steals a credit card from you, the damage can be quite considerable. Of course, you, the user, may not bear the brunt of the damage - the merchant and the bank most probably will - but the muggers earning potential is only limited by your credit ceiling.

    Same way, if someone steals a 100 dollars of e-cash or e-cheques, the potential loss is only that amount.

    I hope some of the e-commerce companies and banks give this a serious thought.

  • It's quite simple.. and it requires no encryption, no digital signatures, and no expensive hardware to implement: just use a rotating pin number for each credit card transaction. Each month with your credit card bill, you get a list of say.. 10 randomly generated (http://lavarand.sgi.com anyone? :-) 4-digit pins printed on a cheap laminated card. Each time you make a transaction, you go to the next number, then cycle back to the top at the end of the list. This way, even if someone steals your credit card number and pin (such as from an online database), it is completely useless to them since the next transaction will require a different, random pin and only you and the credit card company know the list. The only case in which this would not work is if you made enough consecutive transactions with the same party to go all the way through the list. But thieves are looking for a quick steal. They would not likely go through this much hastle. In summary, this method would eliminate, first of all, the most common type of credit card theft: the casual, unscrupulous store/hotel clerk. And secondly, it would drastically reduce the potential of online theft by making credit card number databases, in themselves, nearly worthless to crackers. ..a sidethought: the system could be made more secure by appending a single rotating digit to the number from a list of say.. 6 random digits. (or any other number such that the modulus of it and the number of 4-digit #'s is non-zero) This digit would also be printed on the card rotated with each transaction, but it might add enough extra complexity to confuse idiots..
  • As someone whos done work in the financial services area I'd like to point out a few things:

    1. Customer is only liable for $50 *if* its after 30 days from time a fake charge was made. If the consumer notices the charge before, then the credit card company eats the bill (and consequently puts more requirements on existing laws (see # 2) and merchants for greater secuirty)

    2. Alot of these problems could be corrected with strong encryption - but since its not feasible to run a global web site with strong encryption for US users and weaker encryption for non-US...this is a mute point...But once credit card companies start losing $$$ because of this, congress will suddenly have a new outlook on the whole issue.

    3. Fixed credit card numbers will be a thing of the past within the next 5 years or so.. A much better approach is to have valid session id's. That is, dynamic credit card "numbers" that are good for one transaction and one transaction only..that way if the merchant you did business with has crappy security and that information gets released to the world at large...doesn't matter because the number is no longer valid...

    4. and finally, #1 was *really* put into effect by the govt (it is called Reg D) to make consumers comfortable using credit cards period. The reason for this is it makes the IRS's job much easier come audit time. Umm...you had $30k of credit card bills that all got paid last year, so now we know you made at least $30k...

    -deep_magic

God help those who do not help themselves. -- Wilson Mizner

Working...