The Internet

Western Union Cracked, Credit Cards Stolen

Posted by CmdrTaco
from the time-to-start-canceling dept.
TrumpetPower! writes "NPR just reported that Western Union is recommending that customers who used their web page to send money should cancel their credit cards after somebody cracked their online credit card database. As I type this, the Western Union homepage simply states, "Our Web site is temporarily out of service We apologize for any inconvenience To find the nearest agent location plase call: 1-800-325-6000."" Not much online yet besides the AP brief. (Normally we don't post this stuff, but it's getting submitted a lot, and it is kinda a big deal). Lends more credibility to the disposable credit card concept.
This discussion has been archived. No new comments can be posted.

  • Wonderful. I'm not familiar enough with the intricacies of the MD5 algorithm to know exactly how many bits of input randomness are needed to guarantee the full 128 bits of output randomness, but the several hundred bits you're using above should be plenty.

    How do you store the random 56 character string so you can verify it later though? If you need to put all these pieces back together again at a later date, and the only thing the customer is entering is the credit card number, you have to store the other pieces in cleartext or a cleartext-equivalent. If the hypothetical cracker can get their paws on that table and the customer id table, you're back to a few dozen bits to bruteforce.

  • It isn't clear that any numbers were actually stolen, only that people broke into the computer and that it actually had the credit card numbers on-line.

    Of course, I think Western Union should be held liable anyway: their poor security is causing their customers and credit card companies a lot of effort and expense, whether the cards were stolen or not. Keeping personal information, in particular credit card numbers, on a system that is accessible from the Internet is grossly negligent.

  • Plus it lends more strength to the idea that money cards, anonymous, variable in value, and secure, desperately need to be implemented, whether Big Brother likes it or not.

    well, that seems to be quite a task to properly create and implement. Why don't you get on it and create such a system in a feasible manner and come back then?

    And it's not like this is a big, big deal to consumers. Worst case, they pay $50. Probably won't even have to do that, since western union has money and won't flinch about reimbursing for that rather than risk a class action suit.

    it'll probably just end up meaning that western union has to pay higher processing fees and take a charge off against earnings because of it. that's it.
  • traced to human error .. Somebody left a database open

    Geez... either stupidity/carelessness, or intentional. Not to sound conspiracy-ish, but there is some, however unlikely, chance that the 'somebody' did this on purpose.



  • ugh. don't i feel stupid.

    coulda sworn I quoted him there. oh well. still, my point was valid... it just took a little bit more reading ability (say, 4th grade) than I remembered.
  • With my CC, I have to dispute charges in writing and reissue takes more than just a day; what bank are you using?

    People have gotten into problems over misuse of their credit cards, mostly when it happens on a significant scale and they don't notice for a while (as part of an identity theft). That can cause problems with your credit rating: you can dispute and explain all you want, for the lender, you still are less attractive than someone who hasn't had those kinds of issues.

    Another problem with canceling credit cards is that they often have ongoing charges (ISP, on-line bookstore, etc.) on them, and all that needs to be changed as well.

  • Many of the posts on this story suggest that no credit card information should ever be stored on a web connected server for a very long period of time. I tend to agree, and have tried to make that point to many of my company's e-commerce clients (I build DBs). The point at which the discussion ends is when I inform them that their customers would be required to enter their CC info every time they visited the site. It seems that most companies feel like their customers would rather take the chance that security is 'good enough' if it means that they will be saved a few seconds of typing.
    This feeling seems to be borne out by reality, the few companies who have taken me seriously have provided the customer with the option to retain CC info. (some of those guys store it regardless) Surprisingly, most people choose to store it, security be damned.

    Might this be because the general public is ignorant of the way these systems are connected to the internet? People are used to keeping their money in banks, with big physical barriers to theft, not on a computer that is subject to a seemingly endless stream of security holes.




  • I think the time has come for a true electronic currency. Something like the credstick idea in Shadowrun. Cheap, disposable, and safe, just like cash.
  • Some network client code has buffer overflow or other security problems. Running network client code as root is therefore riskier than running it as an unprivileged user.

  • Why should anyone store my CC info?

    We run an ecommerce site and I went as far as to verify that our credit card processor doesn't *ever* store credit card details?

    Doesn't anyone care anymore? Am I the only one that doesn't like my financial information being stored?

  • There is work in Linux and several other Unixen to move to a capability based systems and implement the principle of least privilege

    As pointed out by the main EROS engineer (if it is right to put it that way), Linux and other systems can never evolve to pure capability systems.
    Internally, Linux uses capabilities, but that does not matter at all, as the external API of the system is not capability-based, and can never be one. In order for it to be capability based, the change will be so huge, you wouldn't recognize Linux in the other end. Pure capability systems have to be built from the ground up, because a combination of ACL and Capability systems seems to always end up worse than both.
    Another issue with capability systems is that the machine state becomes more complex to set up, while implementing the principle of least privilege, and simplicity. The simplest solution is EROS's, to use Orthogonal Persistence. This makes a file system obsolete and redundant, and only a prone-ness to security holes, not to mention it is the basis of all which is UNIX. This means UNIX will never be able to EFFECTIVELY implement pure capability systems, not while remaining a UNIX.
  • CDNOW? Are you talking about the incident [slashdot.org] with CD Universe?

    Well, it's probably pretty obvious, but all of these companies don't care about security. Security comes in a distant second when compared to money. They'd rather concentrate on methods of obtaining more revenue online, than securing their website. That's just my thoughts on these businessmen.

    Although, it said that while performing routine security checks they found this problem, right? Well, at least they realized that they had an intrusion. The worst is when the company, and/or the public doesn't find out about the theft, until it is too late.
  • I was working on a project that involved building a website for a freight moving company, because of the way things are charged the credit card numbers do have to be stored temporarily (Even though the details will be in the database for at most a day or two). Sometimes the requirements of the business mean that you have no choice but to store information better just sent to the bit (or in this case, decimal) bucket.

    But yes I agree, storing credit card numbers simply for the user's "convenience" is BAD - after all, who wants to use a stolen card number more than once ;)
  • paypal runs unix :)

    #----------------------------
    $mrp=~s/mrp/elite god/g;
  • hahahahahaaaaehheaoehaoahoeaeoheo

    wait

    haeiehaihaeehoeoeah

    "my workstation". you mean your peecee right?

    ---
    Solaris/FreeBSD/Openstep/NeXTSTEP/Linux/ultrix/OSF /...
  • HAL9000: This sort of thing has cropped up before, and it has always been due to human error...
  • by MrP- (45616)
    I'll be sure to visit http://www.e-gold.com/e-gold.asp (minus the ?cid=101574) and I'll also visit http://www.thegoldcasino.com/win.cgi (minus the ?2465679)

    thanks for the links =)

    #----------------------------
    $mrp=~s/mrp/elite god/g;
  • by Docrates (148350) on Sunday September 10, 2000 @09:41AM (#790249) Homepage
    To me, the only way to prevent crackers from getting into some system and stealing credit card numbers is to not store them in your system... I run an ecommerce site and every transaction made, once cleared with the bank, gets its credit card info deleted.

    the advantages of storing users' credit card numbers do not justify the risk. It's like a restaurant that keeps your credit card number so that next time you eat there you don't have to wait for the check...

    sure there could be trojan horses that store credit card info as soon as it arrives to the server, but that seems to be less common.
  • by Drestin (82768) on Sunday September 10, 2000 @05:57PM (#790251)
    A Western Union spokesman said the vulnerability was caused when "performance management files" were left open on the site during routine maintenance, allowing the hacker access. He did not know when the maintenance began or how long the site had been left unprotected.

    "We are still in the due diligence period," said Peter Ziverts, a spokesman for the Englewood, Colo.-based company. "But this wasn't an architectural problem; this was due to human error."

    Repeat: "it wasn't an architectural problem; this was due to human error."

    So, get off the IIS/SQL/NT crap - being desperate for ANYTHING anti-MS doesn't paint /. users in a positive light to anyone.

    This could have just as easily been a *nix box and it still would have been compromised if proper security methods weren't followed, as was the case here.
  • Maybe they only used MS for the brochureware. The rest might have been built on any vendor's stuff.

    I will be interested to hear _why_ they believe any violence was done to the DB. What the clues were, etc.

    I do know that once I was attempting to build a site for a company that had content which was going to be integrated into the [insert very large card company here] web site. This small fact was enough for two of their security folks to grill me, they sent a rep to conduct a physical security check, and they wanted a white hat to give our dev server a go. They wanted two firewalls in front of my dev server. I was fairly impressed. So on some sites yr info is considered important.
  • I thought of the disposable credit card thing about a month before reading about amex's idea on slashdot. The problem I found with it is that you would want to sell them at a place like 7-11, but with that much cash-equivalent laying around, the store is just begging to get robbed. 100 $50 or $100 cards is a lot of moolah in a pretty small space. I think less than $50 would be sort of useless, as would these cards for expensive electronics, unless shops implement the ability to accept multiple cc#s for a single purchase, which I doubt they'd want to do (10 cc#s as opposed to 1 are 10 times more chance for the transaction to be canceled, etc).

  • The varmints're gettin' away on their horses! We'll never catch 'em!
  • Yup. Full of shit.
    Client: Can you guys do a one time install and configure of Oracle for us?
    My Boss: Sure thing. SSM, get to it.
    Me: Sure thing, boss. I'm assuming that they've guaranteed that the Internet between there and here will be both fast and stable enough to keep an X session going for the several hours it will take to install and do basic configuration?
    Boss: Huh?
    Me: *points to docs that say no character mode install*
    Boss: AAAARGH!
    Clients: AAARGH@
    Nobody was happy at the end of the day.
  • by Anonymous Coward on Sunday September 10, 2000 @09:17AM (#790274)
    ...the fastest way to send money to LEET HAX0RS.
  • Maybe the hackers are searching for the letter Dr. Brown sent back in 1885?
  • by Andrew Dvorak (95538) on Sunday September 10, 2000 @09:19AM (#790277)

    The problem, as reported by NPR, was traced to human error .. Somebody left a database open, which is where the vulnerability existed. Western Union will correct the problem, says they.


  • I have the right to. I have the skills to. I don't have a credit card database on my workstation.
  • Lends more credibility to the disposable credit card concept.

    You hit the nail on the head. American Express, a huge corporation, but second fiddle to the likes of Visa and MasterCard, needs something to promote its new idea. With the Internet at hand, it has its weapon. It sends some crackers to crack Western Union, thereby pushing people to the 'safer' disposable credit card.

    Or maybe they didn't send anyone at all. Maybe they just got Western Union in bed with them. Who knows. The point is, CT found the conspiracy.

  • I don't see where. This is just a rehash of the AP article linked to in the story.

  • The correct way to deal with credit cards is to use an asymmetric algorithm (public-key) encryption, where the private key exists only on a system that has no connection to any network. The encrypted data is then pushed to a floppy/zip/etc, where it is processed by human hands at the secured processing machine. The processing machine is then protected by physical means (cages, keys, cameras), and is done by a person who has been deemed trustable (background checks, etc).

    That is a good setup. A serial link should also be acceptable as long as an unprivileged processing daemon (w/o access to the secret key and with no capability to send data) on the processing system is the only thing listening to the serial connection.

  • I had a Fleet card and *they* automatically cancelled my card and fedexed me a new one. I had forgotten that I had even had an account with CD universe.

    But I agree with you about the other hassles, the autobilling, etc. My EZ pass was on the card among other things.

  • Damn humans! They're nothing but trouble. Someone should get them away from computers.

    --meredith
  • I know it can happen.. but..

    When false charges show up on my credit card, that I know I didn't pay, I simply pick up the phone and tell the CC company that I want to dispute the charges. They take them off, and do their own investigating, and inform me of the results (ie: I have to pay, or not).

    This in no way at all damages my credit rating. If a lot of charges are showing up, I have the company cancel the card and issue a new one immediately. It shows up the next day in the mail.

    For the most part, if you stay on top of your credit card bills (ie: read them when they come in), you are fairly safe from this kind of thing.

  • Thanks, I'll have to look into it. The problem is that clients aren't always amenable to having extra network service installed. Should be perfectly good for internal stuff, though. And some clients. ;-)
  • I bought someone a gift certificate card from Barnes and Noble. Until it is activated at the cash register via a transaction, it is just a plastic card with a magnetic strip. I can't see a clerk at a 7-11 as being able to activate more than 1 of these per minute. If 10 are generated within 10 minutes, it ought to generate a notice that an irregular event is taking place. What robber wants a holdup in a 7-11 to take 10 minutes?
    When a redemption transaction is put through with the "stolen" disposable credit card, the local authorities and Fox's COPS and Deadliest Car Crashes would be notified for the ensuing car chase.
    Up and at 'em.
  • Well, I'd give Oracle part of the blame for this. Nowhere in the installation instructions or printed documentation with ANY Oracle product do they tell you what users and passwords they are loading. I've only ever been asked for a password during installation on a windows system. I had to look through the setup scripts to find their damned default password.

    BTW, this is a problem in a lot of places. Software installs things you aren't aware of (esp. on windows.) And admins aren't paying attention or aren't trained to manage what they are handed.
  • by Soko (17987) on Sunday September 10, 2000 @10:01AM (#790307) Homepage
    This is NOT good. Western Union is Old Money - they've been around for a long, long time as far as companies go. This will get the establishment REALLY pissed. Do we really want an all out war with The Man? Something like this will not help the cause of Napster, DeCSS and Open Source in general.

    The establishment is not used to how the Hacker culture does things - they are used to order and directed control. The Internet is a terribly chaotic place - if you want something done, you go ahead and do it. Also, the first one there usually controls the situation, no matter whom else joins them in the endeavour (witness that newer posts on /. usually garner more moderation points, and therefore direct the comment stream). Even in Internet startups, there is usually one person who starts the company and then hands over the reins to an established Business man to run the show (Yahoo!), not like what happens with Internet based projects, where the Alpha Geek or Lone Coder is regarded as the undisputed leader, regardless of how much education or money he has (a Good Thing, BTW).

    The establishment will likely view this as further validation that we are out to kill. While the Hacker community has control of the Internet attacks like this may end up being more common. The only way the Establishment can ensure its continued existence is to wrest control back. Napster being stamped out might be the first salvo in the Great Internet War. This little faux pas (likely by a script kiddie) will only accelerate the zeal and ruthlessness with which The Man deals with us. They just might see such attacks as a threat to their very survival, and react accordingly.

    OK, some of you may post "Yeah! Stick it to the man, l337 h4x0r d00dz" and think it's good that the rich are getting theirs. That's fine, and welcomed on one level. However, we need to look at the big picture - The Man can pull the switch on the Internet if he's really threatened (not literally, figuratively), so we end up out in the cold (InternetII, anyone). Or just toss your ass in jail, rights be damned. As much as we don't like it, we have to compromise and let the establishment have its way - for a while.

    I hope we can start to see things from the other side of the firewall soon - and use articulate argument, humour, understanding and gentle persuasion to get our way instead of random guerilla attacks on established companies.

  • How can you possibly say that hackers aren't to blame? Just because someone was careless doesn't mean it's instantly moral to exploit the new weakness and use it for less than acceptable purposes. Hackers are to blame, because they're the ones who did it.
  • If someone with a mask and gun steals a bag full of CC receipts from Sears, then uses the numbers, is Sears at all liable for their misuse? Should they be? How does this change for e-commerce stores?

    The important standard here is reasonable care. Sears would NOT be liable if someone takes the credit slips at gunpoint. It is not reasonable to expect someone to risk their life for that. OTOH, if a kid takes a big bag of credit slips from the loading dock and abuses them, Sears may BE liable, since they could have easily prevented the theft, and should have anticipated the possibility.

    It is the same for an e-commerce site. If the database server had default account and password and was accessible from the net, that's like leaving the slips outside. If someone got the passwords or stole the drives by holding an admin at gunpoint, they would not be liable.

    It is also possible that their vendor could be liable if they had assurances that the security measures were adequate. This would be the real world equivalent of putting the slips in a locked office but discovering (too late) that the guaranteed security lock could be opened by jiggling the door knob.

  • by csbruce (39509)
    Perhaps amazon.com's one-click patented technology will be less appealing after amazon.com's online customer database is ultimately hacked by 1337 h4x0r d00dz. What we really need is one-click class-action lawsuit technology.

    The practice of keeping credit-card numbers around on an internet-accessible machine after a transaction has cleared is brain-damaged and companies that do that deserve to be sued.

    When web sites tell their customers about how safe their transactions are because they are using secure sockets, etc., they should also be telling their customers that, after the safe, encrypted data has arrived on their server, it will be available in plain text to anyone who can type "system/manager".
  • From what I remember from personal issues with cc companies, it is fairly easy to dispute charges.

    So you'd think. In my case, the company was Chase Manhattan, and it took over nine months to resolve a $200+ disputed charge which appeared on my account after I'd closed it. The charge wasn't posted to me for over a year, following a resubmission by the merchant. I immediately notified Chase by phone and mail that I wasn't responsible for the charges (to a Florida hotel -- I live in California and have never been to Florida). The charges (and interest, and late charges) continued to appear on my statement. Repeated requests for copies of the actual charge slips failed to produce anything.

    It was ultimately the threat of legal action, including criminal charges for fraud, misrepresentation, and malfeasance, and libel (credit history), if the dispute wasn't resolved within 30 days, which got the charges cleared from my account -- nine months after they'd initially appeared, seventeen months after they'd been made, a year and a half after I'd closed the account.

    Yes, I got the dispute resolved, the dollar value was low, but it was a complete PITA.

    What part of "Gestalt" don't you understand?

  • by Anonymous Coward
    "No fraudulent transactions had been reported"--YET. Have any credit card statements been sent out--YET?

    I've been walking someone through covering her ass after having her CC# stolen (not through Western Union) and was astounded when the fraud unit of this company (again, not Western Union) admitted that it believed that someone had broken into its database. And she does no online commerce.

    So far, it's been nearly a month from the time that she was notified that her card was over her credit limit that she's been able to dispute fraudulent charges (can't dispute charges until the credit card statement arrives; can't file a police report without a credit card statement; can't put an alert on other personal records without a police report).

    Translate "No fraudulent charges have been reported [YET!]" to "The shit hasn't hit the fan [YET!]". It's going to take some time before fraud reports can even trickle in. Perhaps about the time of the Thanksgiving Day parades.
  • No, it's not a good analogy.

    Computers are deterministic. Your 'con' is simply lock picking on a more complex scale. The fact that some logical constructs involving words similar to English are involved is not relevant. When you con someone into opening their house to you they make a voluntary decision. Computers can't do that.

    Nonetheless, hacking computers is not equivalent to housebreaking, because no property is interfered with.

    Hacking a system and looking around without making any changes or taking any information is, perhaps, closest to the crime of peeping tom or voyeurism in real life.
  • Not true. Read his first sentence, in which he accuses credit card companies of covering up this policy and propagating the idea that the consumer is liable, despite the contrary being true.

    That is the statement I was addressing, which should have been obvious as I quoted it.

    I'm sure I don't even have to point out the irony of your calling me a "thickheaded nitwit".
  • Yes, that solves it!
    All SysAdmins should be required to read Slashdot for accurate info as to how best to secure their boxes and networks.

    maybe not.
  • Internally, Linux uses capabilities, but that does not matter at all, as the external API of the system is not capability-based, and can never be one.

    All of the capability information is there, it just never leaves kernel space.

    A file system is a file system, even if it is based on persistent objects in virtual memory space. It doesn't really matter if the appropriate pointer to the object containing my new mail is 0x37f739d7 or '0x2f7661722f73706f6f6c2f6d61696c2f736a616d6573'

    Granularity IS a problem of course, but I have also heard the alternate view that too fine a granularity will be 'too much trouble' or an 'undocumented mess'. Either condition will lead the very human admins to be too permissive, and thus defeating the security.

  • I'd actually like to see guidelines coming out of the insurance industry. Sears, in your example, would be liable, but would have liability coverage through their business insurer if they'd taken appropriate risk-mitigation steps. OTOH, if the credit slips are in an unsecured area and free for the taking, the insurance company would refuse coverage. There's a whole field of risk management concerned with both financial and physical business risks.

    What part of "Gestalt" don't you understand?

  • If you're really paranoid about your finances, you really shouldn't use a debit card. It's similar to carrying around your checkbook with every check signed.

    Here's [msn.com] one article.
  • P.S:
    This UNIX comment applies to Windows as well, which is of the same class of security mechanisms (ACL's). (Not to mention various other systems that are not capability-based)
  • by beacon (23656) on Sunday September 10, 2000 @10:08AM (#790335)
    Indeed so. I recently worked on a very large (>$1m) project for a multinational client, with a significant ecom component, where:

    • The sysadmin had never heard of apache
    • I and several other developers had full root access to the production environment
    • The oracle manager account was system/manager

    and various other nasties like that. In their defence, they never stored credit card numbers. But nonetheless, I couldn't believe it. IMHO, this all comes from ambitious young new media execs who know nothing about technology being given far too much money to throw around. They hire people who are good at BSing and dressing up their CVs, and they end up missing out the itsy little technical details, like getting a sysadmin who knows what routing is.

    Just for fun, let me say that first bullet point again: "the sysadmin had never heard of apache".

  • by Anonymous Coward on Sunday September 10, 2000 @10:13AM (#790338)
    Vandalism and theft have nothing to do with freedom. If I mug or if I pick your pocket and get your credit card and proceed to buy stuff and you just happen to be rich, I'm not sticking it to the man. I am a thief. Napster and DeCSS are about very different things, and while the MPAA may try to paint being able to access copyrighted digital data as theft, they are trying to manipulate the language not talk about what pirates are doing. This is illegal because CC#s which can be used to purchase things and cause the unauthorized transfer of money have been taken into possession of which was never intended.
  • by beacon (23656) on Sunday September 10, 2000 @10:14AM (#790341)
    AFAIK, most of them do. At least, all the banks I've dealt with demand that you follow certain security procedures before you use a merchant account for Internet transactions. The problem is, they get you to sign a bit of paper, but they don't enforce it, and their requirements are fairly lax (e.g. SSL and a firewall).
  • It ought to be the merchant's problem, but it isn't. It is the consumer who has to deal with the false charges, the damage to his credit rating, and going without a credit card for a while. In fact, the liability of merchants and credit card companies for causing the consumer harm through their credit-related actions seems pretty limited.
  • by trog (6564)
    So where's the public key?

    On the production servers. It doesn't matter where the public key is, because you can only encrypt with it. You cannot derive the plaintext from only the public key when you use a well tested (both mathematically and in practice) asymmetric algorithm. You can tattoo the public key on your forehead if you like; it is no less secure.

    (Of course, with credit card numbers, you have very real problems with known-plaintext attacks. These are dealt with quite easily; I'll leave that answer as an exercise for the reader.)

    And what has this bought you, at all?

    It's pretty obvious you don't work with financial data.

    It has bought you (close to) airtight security. The database containing the encrypted card numbers could be completely compromised, and it doesn't matter. Without access to the private key, they cannot be decrypted in our lifetime (Of course, this assumes our current understanding of mathematics.)

    What many people fail to realize is that for most credit card transactions, the vendor has to keep a record of the cards. You cannot simply discard them. Most businesses have to keep them indefinitely.

    Doing it this way is much more secure than storing them in a locked file cabinet somewhere.

    but its only advantage seems to be having the numbers stored on a non-networked machine

    Again, it is very apparent you don't work with financial data. The card numbers have to be downloaded in batches. Because the decryption machine is physically separate from all other networks, you cannot do this in real time. The encrypted cards have to be stored SOMEWHERE before you download them; without the proper use of an asymmetric algorithm, they would be stored in plain text in a database (a bad idea, remember?), or encrypted with a SYMMETRIC algorithm, which is just as good as storing them plaintext (In a symmetric algorithm, the same key used to encrypt also decrypts. Because you would have to store the key on the server that encrypts them, the key is subject to compromise)
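
The design described in the two comments above (public key on the production server, private key only on an isolated machine, cards moved in batches), as an added example that is not part of the original thread. It assumes the Python `cryptography` package and RSA-OAEP as the asymmetric scheme; all function and class names are hypothetical, and the card number is the standard public test number.

```python
"""Card capture with the private key kept off the network (added example)."""
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Assumption: RSA-OAEP is the asymmetric scheme. OAEP mixes fresh randomness
# into every encryption, so equal card numbers give different ciphertexts.
OAEP = padding.OAEP(
    mgf=padding.MGF1(algorithm=hashes.SHA256()),
    algorithm=hashes.SHA256(),
    label=None,
)


def luhn_ok(pan: str) -> bool:
    """Reject mistyped numbers before they are encrypted and queued."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def generate_offline_keypair():
    """Run once on the isolated machine; only the PEM public key leaves it."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    public_pem = private_key.public_key().public_bytes(
        serialization.Encoding.PEM,
        serialization.PublicFormat.SubjectPublicKeyInfo,
    )
    return private_key, public_pem


class WebTier:
    """Internet-facing side: holds the public key and ciphertexts only."""

    def __init__(self, public_pem: bytes):
        self._pub = serialization.load_pem_public_key(public_pem)
        self.queue = []  # stands in for the table of pending charges

    def store_card(self, order_id: str, pan: str) -> bytes:
        if not luhn_ok(pan):
            raise ValueError("card number fails Luhn check")
        ciphertext = self._pub.encrypt(pan.encode("ascii"), OAEP)
        self.queue.append((order_id, ciphertext))
        return ciphertext

    def export_batch(self):
        """Hand the pending ciphertexts to removable media and clear them."""
        batch, self.queue = self.queue, []
        return batch


def process_batch_offline(private_key, batch):
    """Runs on the isolated machine, the only place the numbers reappear."""
    return {
        order_id: private_key.decrypt(ciphertext, OAEP).decode("ascii")
        for order_id, ciphertext in batch
    }


def ciphertext_confirms_guess(public_pem: bytes, ciphertext: bytes, guess: str) -> bool:
    """Re-encrypt a guessed number with the public key and compare.

    Card numbers are low-entropy, so under a deterministic scheme anyone
    holding the table and the public key could confirm guesses this way.
    With OAEP the comparison fails even when the guess is correct.
    """
    pub = serialization.load_pem_public_key(public_pem)
    return pub.encrypt(guess.encode("ascii"), OAEP) == ciphertext


if __name__ == "__main__":
    TEST_PAN = "4111111111111111"  # public test number, not a real card
    priv, pub_pem = generate_offline_keypair()
    web = WebTier(pub_pem)
    first = web.store_card("order-1", TEST_PAN)
    second = web.store_card("order-2", TEST_PAN)
    print("same card, same ciphertext?", first == second)
    print("guess confirmed by re-encryption?",
          ciphertext_confirms_guess(pub_pem, first, TEST_PAN))
    print("offline result:", process_batch_offline(priv, web.export_batch()))
```
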
  • I would suggest that this is bordering on overkill. There are lots of brick-and-mortar businesses that handle credit cards without needing precautions like those.

    There is no such thing as overkill security; only difficulties in implementation because of the extra work it places in production.

    In online business, credit card theft is much rarer, but it is more devastating, because it is usually many thousands of credit cards at once, rather than just one or two carbon receipts stolen out of the waste basket.

    Don't get complacent...

    Absolutely. This is just one component in an overall security policy. Trust me; there is MUCH, MUCH more to the systems I have built than this.

    What might be even better would be a Java applet running on the client side doing the encryption there. That way the plaintext never even enters the server.

    Unfortunately, the legality of this is still in question with current US crypto laws. This would also be very difficult to implement, due to differences in Java runtime environments, etc, etc. But it is an interesting idea.
  • And the worst is having a project where the web "designers" are calling the shots.

    "Can you please put in some helpful error messages to tell the user whether they've entered an incorrect user name or just a wrong password?"

    "No problem, should I list the most likely username intended and display the password hint as well? Come to think of it, why don't I just delete all the files and drop the database on the live site, and save the "user" some trouble?"

    Knowing how to do fancy graphics (actually not all that fancy at all) does not a web designer make.
  • Sue. Sue their pants off. I use my card for work and my company can call me in the middle of the night and say, "you're on a plane at 10 for New York", and I'd have to go. My bank takes 2 weeks to replace a card, I had to do it a couple of months ago. During that time, it was impossible for me to travel.

    A large financial site should take every possible precaution to prevent such things. It's essentially the same as leaving a stack of credit receipts on the store counter and walking away for 30 minutes.

    I can guarantee you that when my online store is up (if I ever get time to finish it), there will be absolutely no storing of card info at all. Even if the card numbers are "sneaker net'd" over to a box with no NIC or modem in it. None. If I stored card numbers and someone broke in and got them, I would fully expect my customers to hold me liable.
  • Western Union will correct the problem, says they.

    hmmm... they'll close the proverbial barn door?

  • Reports of e-Commerce sites being breached seem to be occurring daily. Every one appears to stem from some clueless amateur screwing up. Default passwords, open ports, sensitive data on the wrong side of firewalls. I've even heard of CC details appearing in a flat-file made visible by deleting a couple of levels from a URL.

    Even my local newspaper, covering around 20,000 people, had as the main headline this week a story about a security breach on a local website. The report was laughable, with the web-hosting site believing that the attacker must have known the userid and password into the web publishing system, as they were unaware of any other means into the machine. Obviously someone else who has never heard of CERT, Nessus or Bugtraq. I'll probably be writing to the newspaper this week to put them straight, once I've let Nessus have a proper probe.

  • Lends more credibility to the disposable credit card concept.

    the whole system is screwed. which idiot decided that a merchant should be given authority by the customer to charge their bank account? bah

    BPay [bpay.com.au] rules. You tell your BANK to pay the money to the merchant. A payment consists of Biller Code (the company to pay) and the Customer Reference (your customer/account/bill # with the merchant).

    Online ordering is easy - either you open an account with the company and all your purchases are pooled together and get paid for under your Customer #, or the website gives you a unique bill number after you confirm your order, and you pay for each individual purchase. Once you have your customer #/bill # you head over to your bank's website, log in, type in the details and your bill is paid.

    AFAIK, it's only debit at the moment, but there's no reason it can't be extended into credit. It's no substitute for an in-person credit card, but for online shopping, it can't be beat, IMO.
  • by Anonymous Coward
    The issue is that upper-management wants their web presence NOW. They don't care what corners get cut as long as you meet your deadline and it looks like it works.

    I'm sure that if some group came up with a basic list of best practices for e-commerce security this sort of thing would be less rare... I'm sure companies would love to show their probably-hack-free compliance(tm).


    stv
  • by Admiral Burrito (11807) on Sunday September 10, 2000 @12:23PM (#790368)

    An important component is that no sysadmin at the company has any access to this processing machine. Only technically inclined executives (i.e. CTO, CIO, COO) have root access to this machine, and if maintenance must occur at this machine, the sysadmin is logged into it by the executive, who then physically watches what the sysadmin is doing (and the executive knows his/her shit, so there is no question of foul play).

    I would suggest that this is bordering on overkill. There are lots of brick-and-mortar businesses that handle credit cards without needing precautions like those.

    Attacks over the internet are serious because they are relatively anonymous. Credit card numbers stolen by employees are less of a concern because the pool of suspects is small and you know where they all live.

    In this scenario, if the website is completely compromised and all credit card numbers are stolen, they are completely useless to the cracker, as they cannot be decrypted without that private key.

    Don't get complacent. As long as your system is working and those credit card numbers are getting encrypted, you're okay. But if you're hacked that can change. Someone could capture credit card numbers as they enter the system- after they come out of the SSL-encrypted socket, but before they get encrypted by your application. A good rootkit could keep such a process hidden for a long time. Of course, this is a much more difficult attack than just dumping the contents of a database.

    This is ideal practice, and should be implemented at all e-commerce sites.

    Not quite ideal, but a major improvement over what most people are doing right now.

    What might be even better would be a Java applet running on the client side doing the encryption there. That way the plaintext never even enters the server. The applet should be signed so that if someone breaks into the server they can't simply replace the applet with a trojan. But this assumes that the users would notice if the applet was not signed- a bad assumption.

  • by sjames (1099) on Sunday September 10, 2000 @10:17AM (#790369) Homepage

    This principle CANNOT exist in a UNIX system, which has very rough granularity to its security, and is based on very heuristic security methods that form an extremely complex, impossible to secure system.

    Sure they can! There is work in Linux and several other Unixen to move to capability-based systems and implement the principle of least privilege.

    EROS does look interesting though.

  • I don't know the legalities.. but from a purely idealistic view, it's like this:

    The CC Company values customers over merchants. Merchants pay to accept cards. (not that merchants aren't important).

    The Card is simply a token of the credit the company has extended to you. It is a means to an end; it is not the credit itself. Same with the number on that card. The number simply identifies your account.

    From what I remember from personal issues with cc companies, it is fairly easy to dispute charges.
    It used to be that a card imprint was required. Later, anything would do, but a signature was required. Remember, you have to authorize each and every use of your card.
    If a merchant cannot show that YOU actually authorized the transaction, he has no right to collect funds on your card.

    Simply using the card yourself is authorization enough; but the merchant should be able to prove it. ie: registered delivery of goods to your home.

    The onus should be on each and every merchant who accepts credit cards to ensure that they are taking part in a legal transaction. This is why there is a signature on your card; this is why you must sign your receipt. It *IS* permissible to ask for ID when someone presents a credit card!

    Like cheques these days, the system does not verify everything. It's far cheaper to deal with issues should they arise than to simply check every transaction.

    Just because society is rushing like a madman into using credit cards for digital transactions for everything on earth, and merchants are forgoing safety checks... this is the MERCHANT'S problem, not the consumers.

  • I don't know about that. The webserver never really needs to see the CC#s. The customer is probably not going to need (or want) the website to re-display their own number... This is something they already have. All it might need to do -- as you mentioned -- is confirm the number; an action that does not require the webserver to actually have the number.

    A perfectly viable method would be to send the pending credit-card number over to the database server, and have it (and it alone with access to the actual numbers) confirm it.

    -----------

    "You can't shake the Devil's hand and say you're only kidding."

  • The web server doesn't need to retrieve credit card numbers from the database server. It needs to be able to store the information, request an authorization, and submit a charge. I'm assuming that the authorization and charge submission is done on the secure database server. It can report success/failure back to the web server. If you want the user to verify the stored information, you could do what some web sites currently do, X out all but the last 4 digits of the card number.
  • Is there any indication how far the hackers went?

    Western Union is owned by First Data Corporation, one of the largest credit card issuers in the US. Assuming the networks of the two corporations were somehow linked (or have systems shared between the two), if the hackers were able to get into FDC's systems, this could be disastrous.

    It may be wise to invest in some put options on FDC...hmm

    Jason.

  • by Greyfox (87712) on Sunday September 10, 2000 @09:20AM (#790385) Homepage Journal
    It seems like a fairly common practice for these web companies to store your credit card numbers in their database forever and ever once you make a transaction with them. The very same people seem to have no concept of how to keep a system secure. What will it take to get these idiots to design their sites with some level of security in mind? Maybe a class action suit (malpractice or something) on the behalf of all the customers and credit card companies inconvenienced by this is in order...
  • Storing partially encrypted data in the database and keeping the decryption key on a separate, secure machine definitely sounds like a good idea - but has anyone here actually seen this done in practice?

    Can you point me to any references I can quote for management?

    ----
  • by CTalkobt (81900) on Sunday September 10, 2000 @09:22AM (#790394) Homepage
    This should never have happened. With the proper safeguards - ie: having a 1 way cipher to the credit card data and then another machine not connected to the internet to process it; the accounts would merely be a jumble of characters and digits encoded.

    Any company that does business on the Internet without proper safeguards ( which is what it sounds like ... ) deserves to be sued.

    Granted, my view may change - because there is not enough information about how - but this has happened at other sites and it still amazes me.

  • IKEA caught with its ePants down
    IKEA exposes customer information on catalog site [cnet.com]

    In short, a bit of URL hacking exposed their whole customer database. Dan Huddle (CTO of xanga.com) said: "What a spammer's dream!", commenting on the potential for abuse of that privacy breach.
    Continuous coverage of butt-headed, idiotic eCommerce web page designs continues after these dotCOM messages.
    ---

  • by 1alpha7 (192745) on Sunday September 10, 2000 @09:22AM (#790400) Homepage

    Lends more credibility to the disposable credit card concept.

    Please. It lends more credibility to the concept that big corps still don't have a clue. Technology security (unlike physical) is not a place to save a few bucks by hiring a few minimum security wanna-be rent-a-drunks. Plus it lends more strength to the idea that money cards, anonymous, variable in value, and secure, desperately need to be implemented, whether Big Brother likes it or not.

    1Alpha7

  • by Speare (84249) on Sunday September 10, 2000 @09:23AM (#790402) Homepage Journal

    c|net's article [cnet.com] has a little more information about the hack.

    It was unclear whether the hackers obtained any personal account information. No fraudulent transactions had been reported by late yesterday [...] Only Web site users who conducted online transactions would have been affected. Company officials were using email, letters and phone messages to alert between 10,000 and 20,000 consumers to cancel their credit or debit cards and get new ones.

  • by tweder (22759)
    Taken from the WU website...

    Helping people make their lives better, everyday

    n0w 7h3 f45735t w4y 70 53nd m0n3y (70 31337 h4x0r d00dz)
  • With the number of CC DB's being cracked, hijacked, cloned to hostile servers, I mean why the hell do they have to keep your number after you use it? Amazon does this, B&N, Buy.com, and most e-stores. Once the transaction is approved, wipe the number. You don't have to have it anymore.

    If you really, really, want to keep it, set up a dot matrix and print it out. I think the Credit Card companies should charge the fraud back to the company that stored the number. That ought to promote securing a server!

  • One of the greatest misconceptions propagated by the credit card industry is that the consumer is liable for charges incurred on a stolen credit card.

    Read your agreements carefully; most of my cards hold me with little if any liability (the worst is $50 maximum). The rest of the bill is footed by the credit card company/issuer, not the consumer. When the credit card company denies a charge to 'verify security', it is not doing so for 'your protection', as they say, but for their own.

    So, if the credit card numbers were indeed stolen and used illicitly (which is not clearly the case), it's the credit card companies who have something to worry about, not the consumers.

    Regardless, Western Union should have had more secure systems; I'm sure this is very embarrassing.
  • The correct way to deal with credit cards is to use asymmetric (public-key) encryption, where the private key exists only on a system that has no connection to any network. The encrypted data is then pushed to a floppy/zip/etc, where it is processed by human hands at the secured processing machine. The processing machine is then protected by physical means (cages, keys, cameras), and is done by a person who has been deemed trustable (background checks, etc).

    An important component is that no sysadmin at the company has any access to this processing machine. Only technically inclined executives (i.e. CTO, CIO, COO) have root access to this machine, and if maintenance must occur at this machine, the sysadmin is logged into it by the executive, who then physically watches what the sysadmin is doing (and the executive knows his/her shit, so there is no question of foul play).

    In this scenario, if the website is completely compromised and all credit card numbers are stolen, they are completely useless to the cracker, as they cannot be decrypted without that private key.

    This is ideal practice, and should be implemented at all e-commerce sites.
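
The split described in the comment above (public key on the web server, private key only on the offline machine, encrypted rows moved across in batches), together with the last-four-digits display suggested elsewhere in the thread, as an added example that is not part of any poster's code. It assumes Node.js's built-in `crypto` module with RSA-2048 and OAEP/SHA-256, which the thread does not specify; the function and field names are hypothetical.

```javascript
// Added example, not code from the thread. The card number used in demo() is
// the widely published test number, used here as constructed sample input.
const crypto = require("node:crypto");

// OAEP padding is randomized: sealing the same number twice yields different
// ciphertext, so someone holding the public key and a table dump cannot
// confirm guesses by re-encrypting candidate card numbers and comparing.
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Offline processing machine: generates the key pair and keeps the private
// half in memory here (on real hardware it would never leave that box).
function createOfflineProcessor() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  return {
    // The only key material that is ever copied to the web server.
    publicKeyPem: publicKey.export({ type: "spki", format: "pem" }),
    // A batch arrives on removable media and is opened with the private key.
    processBatch(batch) {
      return batch.map((row) => ({
        orderId: row.orderId,
        cardNumber: crypto
          .privateDecrypt({ key: privateKey, ...OAEP }, Buffer.from(row.sealedCard, "base64"))
          .toString("utf8"),
      }));
    },
  };
}

// Web tier: holds the public key only, so it can seal card numbers but has
// nothing that can open them again.
function createWebTier(publicKeyPem) {
  const table = []; // stands in for the internet-facing database table
  return {
    storeCard(orderId, input) {
      const digits = String(input).replace(/[\s-]/g, "");
      if (!/^\d{13,19}$/.test(digits)) throw new Error("not a card number");
      const sealed = crypto.publicEncrypt({ key: publicKeyPem, ...OAEP }, Buffer.from(digits, "utf8"));
      const row = {
        orderId,
        sealedCard: sealed.toString("base64"),
        // All the site can show the customer later: X's plus the last four digits.
        masked: "X".repeat(digits.length - 4) + digits.slice(-4),
      };
      table.push(row);
      return row.masked;
    },
    // What the batch export contains, and equally what a table dump would contain.
    exportBatch() {
      return table.map((row) => ({ ...row }));
    },
  };
}

// Walk through one order end to end.
function demo() {
  const processor = createOfflineProcessor();
  const web = createWebTier(processor.publicKeyPem);
  const masked = web.storeCard("order-1001", "4111 1111 1111 1111");
  const batch = web.exportBatch();
  return {
    masked,
    plaintextInDump: JSON.stringify(batch).includes("4111111111111111"),
    recovered: processor.processBatch(batch)[0].cardNumber,
  };
}

console.log(demo());
```

As a later reply in the thread points out, this protects the stored table only: the plaintext still passes through the web server's memory between the SSL socket and `storeCard`.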
  • Hell, this would never affect me, I just mail cash. Ones are the best for mailing.

    -josh
  • Perhaps. Oracle's 8.1.x installer (fucking Java based installer; can't install over telnet anymore on most systems) tells you system/manager and sys/change-on-install or the like. But anybody who's used Oracle even once knows about system/manager. Anybody who's used SQL Server knows about 'sa/'. Anybody who's used Windows NT knows Administrator, Guest, IUSR_MACHINENAME. Anybody who's used Linux knows about root, guest, etc etc. There honestly does need to be criminal liability for this sort of thing. If an armoured truck full of gold bricks were stolen because the driver left the keys in the ignition, or in the sun visor, there'd be hell to pay. Well, default passwords and blatantly poor installation should be just as liable. Of course, the armoured truck driver doesn't have a CEO who's never gotten a driver's license sitting behind him telling him which pedal to push and which way to turn 'that wheel thing' all the time. It's not always the sys admin's fault. And heaven help the admin whose boss knows JUST ENOUGH to get himself in trouble.
  • I don't think IKEA needs to save money on programmers. I think that web development is a big business and very well paid.. everybody wants to jump in and it's a relatively new kind of development where there isn't a solid experience of the field.
    Every software developer knows that there is no room for perfection when deadlines and money are involved. It's very common to have bugs here and there.. the problem now is that in web development bugs can easily mean security holes.
    Eventually web developers will be required to be educated about security issues.. for now.. it's just a risky business for the customers.
  • Wrong.
    Don't give the account that is on the webserver the "SELECT ANY TABLE" privilege.
    Create packages (stored procedures) on the Oracle Server that perform operations such as insert_cust_info and insert_cust_credit_card.
    Don't use public synonyms on the Oracle Database.
    In this manner, if (when) the webserver is cracked, the account that is now owned can only insert data. By storing customer credit card info in a separate table that only DBAs (and specific procedures) have access to - the compromise of the webserver does not allow the type of access that the hAx0r is looking for.

    I believe that this is called "Principle of least privilege". Apply it.
  • by SuiteSisterMary (123932) <slebrun AT gmail DOT com> on Sunday September 10, 2000 @09:25AM (#790425) Journal
    I used to work as developer support for a web application development product. This often involved doing work directly on a customer's site. If I had a nickel for every time I asked for the login/password for an e-commerce related database, and it was the admin login with either a null password, or a default, I'd have a shitload of nickels. And if I also had a nickel for each time the database was installed on a computer completely exposed to the Internet, instead of, say, being installed behind a firewall, with possibly only the database access ports tunneled through (and only accepted from the IP of the web machine), or better yet, having both the web and database machines behind the firewall, and requests to the web machine being forwarded through, well, I'd have an even bigger shitload of nickels. Picking up SQL Server for Dummies or O'Reilly's Oracle In a Nutshell does NOT an e-commerce ready database make.
  • by mindstrm (20013) on Sunday September 10, 2000 @09:26AM (#790430)
    Nowhere in that article (unless I'm blind) does it say that any numbers were stolen. All they said is that it was unclear whether any 'personal information' was stolen.

    And if it was stolen... that's shitty site design. You quickly stash cc#'s off in a secure location; you don't make them retrievable off the website, EVER.
  • by Detritus (11846) on Sunday September 10, 2000 @09:28AM (#790432) Homepage
    I still don't understand why anyone would store sensitive information in a database on a system that is accessible from the Internet. Put the database on a secure server that provides a restricted set of functions to a predefined list of systems. Even if the web site gets cracked, and it will, the intruders would not get unrestricted access to the database.
  • by kirwin (71594) on Sunday September 10, 2000 @09:29AM (#790434)
    The problem was discovered during a routine security check Friday, he said.

    If their security checks are so routine, then why did this happen?

    [root@solstice /root]# telnet westernunion.com 80
    Trying 208.244.136.46...
    Connected to westernunion.com.
    Escape character is '^]'.
    get /
    HTTP/1.1 501 Not Supported
    Server: Microsoft-IIS/4.0

    Oh, I see now.

  • Well, I don't think a 7-11 is the place to sell these things.

    Your bank, maybe...FDIC is a good thing, and 7-11 isn't.

    -- Give him Head? Be a Beacon?

  • Good reply. However, you are the type that I was warning against.

    "ESR didn't break into the server. RMS didn't do it. Linus didn't mastermind the attack. This has nothing at all to do with Open Source, as a movement or software. It's got a lot to do with Microsoft's closed source software and stupid administrators. "

    I couldn't agree more. But that being said, have you seen the view from the other side?

    You are a hacker, and a hacker broke into the Western Union credit card database. Doesn't matter to them that you specifically didn't do it, just "one of your gang". This type of attack undermines what the establishment wants the Internet for - commerce. As such, they will just bear down more on ANY threat coming via the Internet, not just this specific type of attack. If that doesn't work, they may go after the Internet itself.

    I agree that it is shoddy programming practices, mis-configurations and bad administration that are the usual causes of security breaches, but to a CEO who talks to the lawmakers, it's "Some punk hacker who got through the firewall", key word being "hacker".

    My post was to show that we as a group had better be accommodating to the interests of everyone, else they will not be accommodating to us - which could conceivably spill over into the other cases stated in my post. The Man won't care that you didn't do it - just that you could.

  • www.westernunion.com is running Microsoft-IIS/4.0 on NT4 or Windows 98

    D'oh! Seriously, you'd think these big banks and money sending whatever it is western union does people would use a B1 Trusted OS or something.

    May I suggest BullDog [argusrevolution.com] or possibly TrustedBSD [trustedbsd.com]? I haven't tried TrustedBSD, but I was quite impressed with BullDog's stats at this past DefCon [defcon.org]. They put a server running their OS (a modified Solaris) on the CTF (Capture The Flag) network running all sorts of insane services. A day into the competition they still hadn't been cracked so they posted the shadow password file. They never did get cracked.


  • Interesting. So you are saying that because the computer's actions are totally predictable (deterministic), it should not qualify as a con?

    I have to disagree. There is nothing about humans which says they are not deterministic too. If I could give you a truth serum, then get you to reveal your password, is that not placing you into a deterministic state of mind, before "conning" you?

    Or what about exploits that make use of race conditions in file locking and such to penetrate the system? There is an element of chance in such exploits - so that makes it a con game?

    Actually, I was just pissed at the bad analogies that plague the whole issue. IMHO, saying cracking computers is like lock picking is only accurate up to a certain point. A computer is not a house. Neither is it totally a con game. But anyone who wants to equate cracking computers with housebreaking is probably not examining their metaphors enough to refute my con game analogy. I claim in fact, it is _slightly_ better.

    And no, I don't approve of either house-breaking, cons or cracking.

  • Technology security (unlike physical) is not a place to save a few buck by hiring a few minimum security wanna-be rent-a-drunks.

    How is a company to know which they are hiring? Anybody can call themselves a security expert even if they don't have any real qualifications. There are a lot of people who know less than they think. Heck, how is a "security expert" supposed to know if they really are one? Sure there are certifications but how do you know that the material covered is selected by security experts and not just people out to make a quick buck selling certifications?

    From what I have seen, in the tech industry most successful people start most of their jobs without knowing what they are doing, but have the ability to figure things out as they go. That doesn't work in security- just because you've made something work doesn't mean you've made it secure.

  • by levendis (67993) on Sunday September 10, 2000 @11:14AM (#790447) Homepage
    Yes, but, at some point the user has to enter the card number initially. It could be that the crackers were intercepting this stuff, before it hit the secure database server.
  • by MrP- (45616)
    because those are put there by my crappy free host, so i remove them also =)

    #----------------------------
    $mrp=~s/mrp/elite god/g;
  • Do you consider hacking a computer to be equivalent to housebreaking? IMHO, they are not the same thing at all.

    I consider hacking a computer to be more a con-game really. You see, your computer is chatty - when hooked up to the internet, it talks to other computers. Just that it could be untrusting or trusting about who to talk to, what to say, etc. Any computer that is naive can be tricked to reveal its secrets, just like you can trick an idiot into telling you his mother's name, so you can use it to take money from his bank account.

    I say this analogy is more accurate than housebreaking. What do you say?

  • Masked person walks into a 7-11, walks up to the counter, and pulls out a gun.

    "PUT YOUR HANDS UP. GET THEM UP!"

    Clerk does as he is told.
    "Wha-What do you want?"

    "GIMME ALL OF YOUR DISPOSABLE DEBIT CARDS! NOW!"

    Clerk starts shovelling the cards into a bag.
    "Don't you want the cash in the register?"

    The Masked intruder shakes his head, and looks puzzled.
    "...What?"

    -- Give him Head? Be a Beacon?

  • by waldoj (8229) <(waldo) (at) (jaquith.org)> on Sunday September 10, 2000 @09:32AM (#790457) Homepage Journal
    What would be even better than disposable credit card numbers would be disposable credit cards. I want to be able to walk to 7-11 and pay $51 for a $50 debit card (that can be used like a credit card.)

    If we're ever going to move into e-cash, we have to have a system that is as anonymous as cash. This seems like the best way to assure that.

    -Waldo

    -------------------
  • Royal Bank of Canada. It is possible they do require written notice beyond a certain point; I am unsure.

    As for identity theft, yeah. I can't dispute that. It sucks.
    Perhaps Credit companies should have a way for you to be issued a new card and 'flag' valid transactions.

    Hmm. Come to think of it, why not have a card that is *just* for regular payments? Keep it locked up somewhere.

  • CmdrTaco, define 'we'?


    4 MSNBC: Stealing Credit Card Numbers Online is Easy by Roblimo on Sun 16 Jan 05:22PM EST 341
    4 Largest Online Credit Card Heist Ever? by Roblimo on Sun 09 Jan 04:59PM EST 359
    3 RealNames Customer Data Stolen by emmett on Mon 14 Feb 06:55AM EST 129
    4 British Crackers Demand Millions in Inforansom by Roblimo on Sun 16 Jan 11:52AM EST 195

  • Um... You *can't* run IIS on Windows 98!
    As for B1 Trusted OS: THERE IS NO SUCH THING!

    I'm a consultant for a Fortune 10 company. I've seen IIS/NT boxes that have been PUMMELED and were still secure. I've seen high school kids idiot hack an Apache box. And I've seen the reverse.

    What annoys me is folks who have this backwards notion that the OS actually makes a difference for web serving. It's the ADMIN more than anything.

    A site is only as secure as the Administrator can make it. :-)
  • by Detritus (11846) on Sunday September 10, 2000 @09:36AM (#790467) Homepage
    I would expect the credit card companies to set and enforce security standards for merchants that accept their cards. If you want to accept credit cards, you have to sign a contract with, and be approved by, the card's issuer.
  • by legLess (127550) on Sunday September 10, 2000 @09:36AM (#790470) Journal
    Speaking from experience, it's a major pain in the ass to cancel a credit/debit card and get a new one, not to mention trying to figure out how to live without one for a week. (Heck, I buy coffee in the morning with my debit card.) Never mind the nightmare of straightening out the false charges with your bank.

    So is Western Union liable for this time/expense/pain in the ass? Should you have an expectation, visiting an e-commerce site of some sort, that your CC# will be kept private against the ravages of crackers?

    If someone with a mask and gun steals a bag full of CC receipts from Sears, then uses the numbers, is Sears at all liable for their misuse? Should they be? How does this change for e-commerce stores? You can't really stop someone coming into your store with a gun and robbing you, but you can take much better precautions against someone hacking your site like this.

    I see both sides of this - as an admin and a CC user. Should we have a zero-tolerance law? No mistakes, no excuses - the store that got hacked should just pay up, whatever its customers' expenses are? Honestly, I lean towards "yes." There have been enough public cracks in the last year to encourage even the most brain-dead (heh: "westernunion.com is running Microsoft-IIS/4.0 on NT4 or Windows 98" - NetCraft [netcraft.com] ) to really secure their stores and databases.

    If you can't secure it, don't connect it to the web.
