Western Union Cracked, Credit Cards Stolen
TrumpetPower! writes "NPR just reported that Western Union is recommending that customers who used their web page to send money should cancel their credit cards after somebody cracked their online credit card database.
As I type this, the Western Union homepage simply states, "Our Web site is temporarily out of service We apologize for any inconvenience To find the nearest agent location please call: 1-800-325-6000."" Not much online yet
besides the AP brief. (Normally we don't post this stuff, but it's getting submitted a lot, and it is kinda a big deal). Lends more credibility to the disposable credit card concept.
Re:Why do people feel the need to store Credit Car (Score:1)
How do you store the random 56 character string so you can verify it later though? If you need to put all these pieces back together again at a later date, and the only thing the customer is entering is the credit card number, you have to store the other pieces in cleartext or a cleartext-equivalent. If the hypothetical cracker can get their paws on that table and the customer id table, you're back to a few dozen bits to bruteforce.
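The point above about "a few dozen bits to bruteforce" is easy to check. The following is an added example, not code from this thread or from Western Union: it hashes a card number with a per-record salt the way a "store a hash, not the number" design would, then recovers the number from the dump. It assumes the attacker has the salt (it must sit next to the hash) and knows the six-digit BIN and the last four digits, which appear on receipts and statements; the card number and salt are constructed test values.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math"
)

// luhnValid reports whether a digit string passes the Luhn check digit
// that every real card number carries; it lets the attacker skip nine
// out of ten candidates without hashing them.
func luhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		d := int(pan[i] - '0')
		if d < 0 || d > 9 {
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// hashPAN is the "store a hash, not the number" scheme: SHA-256 over a
// per-record salt and the card number. The salt has to be stored next
// to the hash, so an attacker who dumps the table gets it too.
func hashPAN(salt, pan string) string {
	h := sha256.Sum256([]byte(salt + pan))
	return hex.EncodeToString(h[:])
}

// searchSpaceBits is the "few dozen bits" from the comment: with n unknown
// digits and the Luhn digit fixed, about 10^n/10 candidates remain.
func searchSpaceBits(unknownDigits int) float64 {
	return math.Log2(math.Pow(10, float64(unknownDigits)) / 10)
}

// recoverPAN brute-forces one record given its salt, the 6-digit BIN and
// the last four digits. It returns the recovered number and how many
// Luhn-valid candidates it had to hash.
func recoverPAN(salt, bin, last4, target string) (string, int) {
	tried := 0
	for mid := 0; mid < 1000000; mid++ {
		cand := fmt.Sprintf("%s%06d%s", bin, mid, last4)
		if !luhnValid(cand) {
			continue
		}
		tried++
		if hashPAN(salt, cand) == target {
			return cand, tried
		}
	}
	return "", tried
}

func main() {
	// constructed sample record: the well-known Visa test number and a made-up salt
	const salt, pan = "3f9a1c", "4111111111111111"
	stored := hashPAN(salt, pan)
	fmt.Printf("unknown middle digits: %.1f bits of search\n", searchSpaceBits(6))
	got, tried := recoverPAN(salt, "411111", "1111", stored)
	fmt.Printf("recovered %s after hashing %d candidates\n", got, tried)
}
```

With BIN and last four known there are about 10^5 Luhn-valid candidates (under 17 bits), which a single CPU exhausts in well under a second; even with all ten middle digits unknown it is about 2^30 hashes. A slow hash or a hash over a secret pepper held off the web tier raises the cost, but nothing turns a 16-digit number into a high-entropy secret.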
liability? (Score:2)
Of course, I think Western Union should be held liable anyway: their poor security is causing their customers and credit card companies a lot of effort and expense, whether the cards were stolen or not. Keeping personal information, in particular credit card numbers, on a system that is accessible from the Internet is grossly negligent.
Re:A Clue About Security (Score:1)
well, that seems to be quite a task to properly create and implement. Why don't you get on it and create such a system in a feasible manner and come back then?
And it's not like this is a big, big deal to consumers. Worst case, they pay $50. Probably won't even have to do that, since western union has money and won't flinch about reimbursing for that rather than risk a class action suit.
it'll probably just end up meaning that western union has to pay higher processing fees and take a charge off against earnings because of it. that's it.
Re:The Problem (Score:2)
Geez... either stupidity/carelessness, or intentional. Not to sound conspiracy-ish, but there is some, however unlikely, chance that the 'somebody' did this on purpose.
Re:Wait a minute. (Score:1)
coulda sworn I quoted him there. oh well. still, my point was valid... it just took a little bit more reading ability (say, 4th grade) than I remembered.
Re:liability? (Score:2)
People have gotten into problems over misuse of their credit cards, mostly when it happens on a significant scale and they don't notice for a while (as part of an identity theft). That can cause problems with your credit rating: you can dispute and explain all you want, for the lender, you still are less attractive than someone who hasn't had those kinds of issues.
Another problem with canceling credit cards is that they often have ongoing charges (ISP, on-line bookstore, etc.) on them, and all that needs to be changed as well.
No way (Score:1)
This feeling seems to be borne out by reality, the few companies who have taken me seriously have provided the customer with the option to retain CC info. (some of those guys store it regardless) Surprisingly, most people choose to store it, security be damned.
Might this be because the general public is ignorant of the way these systems are connected to the internet? People are used to keeping their money in banks, with big physical barriers to theft, not on a computer that is subject to a seemingly endless stream of security holes.
Why Store CC Info? (Score:2)
We run an ecommerce site and I went as far as to verify that our credit card processor doesn't *ever* store credit card details.
Doesn't anyone care anymore? Am I the only one that doesn't like my financial information being stored?
Re:End the pessimism, research OS security! (Score:1)
As pointed out by the main EROS engineer (if it is right to put it that way), Linux and other systems can never evolve to pure capability systems.
Internally, Linux uses capabilities, but that does not matter at all, as the external API of the system is not capability-based, and can never be one. In order for it to be capability based, the change will be so huge, you wouldn't recognize Linux in the other end. Pure capability systems have to be built from the ground up, because a combination of ACL and Capability systems seems to always end up worse than both.
Another issue with capability systems is that the machine state becomes more complex to set up, while implementing the principle of least privilege, and simplicity. The simplest solution is EROS's, to use Orthogonal Persistence. This makes a file system obsolete and redundant, and only a proneness to security holes, not to mention it is the basis of all which is UNIX. This means UNIX will never be able to EFFECTIVELY implement pure capability systems, not while remaining a UNIX.
Re:Cracked... Where was the encryption (Score:1)
Well, it's probably pretty obvious, but all of these companies don't care about security. Security comes in a distant second when compared to money. They'd rather concentrate on methods of obtaining more revenue online, than securing their website. That's just my thoughts on these businessmen.
Although, it said that while performing routine security checks they found this problem, right? Well, at least they realized that they had an intrusion. The worst is when the company, and/or the public doesn't find out about the theft, until it is too late.
Re:Ass raped monkeys (Score:2)
But yes I agree, storing credit card numbers simply for the user's "convenience" is BAD - after all, who wants to use a stolen card number more than once
Re:suuuuuuuuuuuuure (Score:1)
wait
haeiehaihaeehoeoeah
"my workstation". you mean your peecee right?
---
Solaris/FreeBSD/Openstep/NeXTSTEP/Linux/ultrix/OS
It's their fault... (Score:3)
the advantages of storing users' credit card numbers does not justify the risk. It's like a restaurant that keeps your credit card number so that next time you eat there you don't have to wait for the check...
sure there could be trojan horses that store credit card info as soon as it arrives at the server, but that seems to be less common.
Didn't anyone read the CNET story? (Score:3)
"We are still in the due diligence period," said Peter Ziverts, a spokesman for the Englewood, Colo.-based company. "But this wasn't an architectural problem; this was due to human error."
Repeat: "it wasn't an architectural problem; this was due to human error."
So, get off the IIS/SQL/NT crap - being desperate for ANYTHING anti-MS doesn't paint
This could have just as easily been a *nix box and it still would have been compromised if proper security methods weren't followed, as was the case here.
facts are in short supply, other sites are serious (Score:2)
I will be interested to hear _why_ they believe any violence was done to the DB. What the clues were, etc.
I do know that once I was attempting to build a site for a company that had content which was going to be integrated into the [insert very large card company here] web site. This small fact was enough for two of their security folks to grill me, they sent a rep to conduct a physical security check, and they wanted a white hat to give our dev server a go. They wanted two firewalls in front of my dev server. I was fairly impressed. So on some sites your info is considered important.
Re:Oh, the things I've seen (Score:3)
Me: Sure thing, boss. I'm assuming that they've guaranteed that the Internet between there and here will be both fast and stable enough to keep an X session going for the several hours it will take to install and do basic configuration?
Boss: Huh?
Me: *points to docs that say no character mode install*
Boss: AAAARGH!
Clients: AAARGH@
Nobody was happy at the end of the day.
The Problem (Score:3)
The problem, as reported by NPR, was traced to human error. Somebody left a database open, which is where the vulnerability existed. Western Union will correct the problem, says they.
Whoa, CT Finds The Conspiracy (Score:2)
You hit the nail on the head. American Express, a huge corporation, but second fiddle to the likes of Visa and MasterCard, needs something to promote its new idea. With the Internet at hand, it has its weapon. It sends some crackers to crack Western Union, thereby pushing people to the 'safer' disposable credit card.
Or maybe they didn't send anyone at all. Maybe they just got Western Union in bed with them. Who knows. The point is, CT found the conspiracy.
Re:c|net's article (Score:2)
I don't see where. This is just a rehash of the AP article linked to in the story.
Re:liability? (Score:2)
The correct way to deal with credit cards is to use an asymmetric algorithm (public-key) encryption, where the private key exists only on a system that has no connection to any network. The encrypted data is then pushed to a floppy/zip/etc, where it is processed by human hands at the secured processing machine. The processing machine is then protected by physical means (cages, keys, cameras), and is done by a person who has been deemed trustable (background checks, etc).
That is a good setup. A serial link should also be acceptable as long as an unprivileged processing daemon (w/o access to the secret key and with no capability to send data) on the processing system is the only thing listening to the serial connection.
Re:Not the first time...remember CD Universe? (Score:2)
But I agree with you about the other hassles, the autobilling, etc. My EZ pass was on the card among other things.
Re:liability? (Score:2)
When false charges show up on my credit card, that I know I didn't pay, I simply pick up the phone and tell the CC company that I want to dispute the charges. They take them off, and do their own investigating, and inform me of the results (ie: I have to pay, or not).
This in no way at all damages my credit rating. If a lot of charges are showing up, I have the company cancel the card and issue a new one immediately. It shows up the next day in the mail.
For the most part, if you stay on top of your credit card bills (ie: read them when they come in), you are fairly safe from this kind of thing.
Re:Disposable Credit Cards (Score:2)
When a redemption transaction is put through with the "stolen" disposable credit card, the local authorities and Fox's COPS and Deadliest Car Crashes would be notified for the ensuing car chase.
Up and at 'em.
Re:Oh, the things I've seen (Score:2)
BTW, this is a problem in a lot of places. Software installs things you aren't aware of (esp. on windows.) And admins aren't paying attention or aren't trained to manage what they are handed.
Putting out the fire - with gasoline (Score:4)
The establishment is not used to how the Hacker culture does things - they are used to order and directed control. The Internet is a terribly chaotic place - if you want something done, you go ahead and do it. Also, the first one there usually controls the situation, no matter who else joins them in the endeavour (witness that newer posts on
The establishment will likely view this as further validation that we are out to kill. While the Hacker community has control of the Internet attacks like this may end up being more common. The only way the Establishment can ensure its continued existence is to wrest control back. Napster being stamped out might be the first salvo in the Great Internet War. This little faux pas (likely by a script kiddie) will only accelerate the zeal and ruthlessness with which The Man deals with us. They just might see such attacks as a threat to their very survival, and react accordingly.
OK, some of you may post "Yeah! Stick it to the man, l337 h4x0r d00dz" and think it's good that the rich are getting theirs. That's fine, and welcomed on one level. However, we need to look at the big picture - The Man can pull the switch on the Internet if he's really threatened (not literally, figuratively), so we end up out in the cold (InternetII, anyone). Or just toss your ass in jail, rights be damned. As much as we don't like it, we have to compromise and let the establishment have its way - for a while.
I hope we can start to see things from the other side of the firewall soon - and use articulate argument, humour, understanding and gentle persuasion to get our way instead of random guerilla attacks on established companies.
Re:liability? (Score:2)
If someone with a mask and gun steals a bag full of CC receipts from Sears, then uses the numbers, is Sears at all liable for their misuse? Should they be? How does this change for e-commerce stores?
The important standard here is reasonable care. Sears would NOT be liable if someone takes the credit slips at gunpoint. It is not reasonable to expect someone to risk their life for that. OTOH, if a kid takes a big bag of credit slips from the loading dock and abuses them, Sears may BE liable, since they could have easily prevented the theft, and should have anticipated the possibility.
It is the same for an e-commerce site. If the database server had default account and password and was accessible from the net, that's like leaving the slips outside. If someone got the passwords or stole the drives by holding an admin at gunpoint, they would not be liable.
It is also possible that their vendor could be liable if they had assurances that the security measures were adequate. This would be the real world equivalent of putting the slips in a locked office but discovering (too late) that the guaranteed security lock could be opened by jiggling the door knob.
amazon (Score:2)
The practice of keeping credit-card numbers around on an internet-accessible machine after a transaction has cleared is brain-damaged and companies that do that deserve to be sued.
When web sites tell their customers about how safe their transactions are because they are using secure sockets, etc., they should also be telling their customers that, after the safe, encrypted data has arrived on their server, it will be available in plain text to anyone who can type "system/manager".
Disputing charges (Score:2)
From what I remember from personal issues with cc companies, it is fairly easy to dispute charges.
So you'd think. In my case, the company was Chase Manhattan, and it took over nine months to resolve a $200+ disputed charge which appeared on my account after I'd closed it. The charge wasn't posted to me for over a year, following a resubmission by the merchant. I immediately notified Chase by phone and mail that I wasn't responsible for the charges (to a Florida hotel -- I live in California and have never been to Florida). The charges (and interest, and late charges) continued to appear on my statement. Repeated requests for copies of the actual charge slips failed to produce anything.
It was ultimately the threat of legal action, including criminal charges for fraud, misrepresentation, and malfeasance, and libel (credit history), if the dispute wasn't resolved within 30 days, which got the charges cleared from my account -- nine months after they'd initially appeared, seventeen months after they'd been made, a year and a half after I'd closed the account.
Yes, I got the dispute resolved, the dollar value was low, but it was a complete PITA.
What part of "Gestalt" don't you understand?
Re:c|net's article (Score:2)
I've been walking someone through covering her ass after having her CC# stolen (not through Western Union) and was astounded when the fraud unit of this company (again, not Western Union) admitted that it believed that someone had broken into its database. And she does no online commerce.
So far, it's been nearly a month from the time that she was notified that her card was over her credit limit that she's been able to dispute fraudulent charges (can't dispute charges until the credit card statement arrives; can't file a police report without a credit card statement; can't put an alert on other personal records without a police report).
Translate "No fraudulent charges have been reported [YET!]" to "The shit hasn't hit the fan [YET!]". It's going to take some time before fraud reports can even trickle in. Perhaps about the time of the Thanksgiving Day parades.
Re:This should _never_ have happened! (Score:2)
Computers are deterministic. Your 'con' is simply lock picking on a more complex scale. The fact that some logical constructs involving words similar to English are involved is not relevant. When you con someone into opening their house to you they make a voluntary decision. Computers can't do that.
Nonetheless, hacking computers is not equivalent to housebreaking, because no property is interfered with.
Hacking a system and looking around without making any changes or taking any information is, perhaps, closest to the crime of peeping tom or voyeurism in real life.
Re:Wait a minute. (Score:2)
That is the statement I was addressing, which should have been obvious as I quoted it.
I'm sure I don't even have to point out the irony of your calling me a "thickheaded nitwit".
Re:Ah Yes, Western Union Uses Microsoft Software(z (Score:2)
All SysAdmins should be required to read Slashdot for accurate info as to how best to secure their boxes and networks.
maybe not.
Re:End the pessimism, research OS security! (Score:2)
Internally, Linux uses capabilities, but that does not matter at all, as the external API of the system is not capability-based, and can never be one.
All of the capability information is there, it just never leaves kernel space.
A file system is a file system, even if it is based on persistent objects in virtual memory space. It doesn't really matter if the appropriate pointer to the object containing my new mail is 0x37f739d7 or '0x2f7661722f73706f6f6c2f6d61696c2f736a616d6573'
Granularity IS a problem of course, but I have also heard the alternate view that too fine a granularity will be 'too much trouble' or an 'undocumented mess'. Either condition will lead the very human admins to be too permissive, and thus defeating the security.
Liability -- Insurance (Score:2)
I'd actually like to see guidelines coming out of the insurance industry. Sears, in your example, would be liable, but would have liability coverage through their business insurer if they'd taken appropriate risk-mitigation steps. OTOH, if the credit slips are in an unsecured area and free for the taking, the insurance company would refuse coverage. There's a whole field of risk management concerned with both financial and physical business risks.
What part of "Gestalt" don't you understand?
Re:liability? (Score:2)
Here's [msn.com] one article.
Re:End the pessimism, research OS security! (Score:2)
This UNIX comment applies to Windows as well, which is of the same class of security mechanisms (ACL's). (Not to mention various other systems that are not capability-based)
Re:Oh, the things I've seen (Score:5)
and various other nasties like that. In their defence, they never stored credit card numbers. But nonetheless, I couldn't believe it. IMHO, this all comes from ambitious young new media execs who know nothing about technology being given far too much money to throw around. They hire people who are good at BSing and dressing up their CVs, and they end up missing out the itsy little technical details, like getting a sysadmin who knows what routing is.
Just for fun, let me say that first bullet point again: "the sysadmin had never heard of apache".
Re:huh? (Score:2)
On the production servers. It doesn't matter where the public key is, because you can only encrypt with it. You cannot derive the plaintext from only the public key when you use a well tested (both mathematically and in practice) asymmetric algorithm. You can tattoo the public key on your forehead if you like; it is no less secure.
(Of course, with credit card numbers, you have very real problems with known-plaintext attacks. These are dealt with quite easily; I'll leave that answer as an exercise for the reader.)
And what has this bought you, at all?
It's pretty obvious you don't work with financial data.
It has bought you (close to) airtight security. The database containing the encrypted card numbers could be completely compromised, and it doesn't matter. Without access to the private key, they cannot be decrypted in our lifetime (Of course, this assumes our current understanding of mathematics.)
What many people fail to realize is that for most credit card transactions, the vendor has to keep a record of the cards. You cannot simply discard them. Most businesses have to keep them indefinitely.
Doing it this way is much more secure than storing them in a locked file cabinet somewhere.
but its only advantage seems to be having the numbers stored on a non-networked machine
Again, it is very apparent you don't work with financial data. The card numbers have to be downloaded in batches. Because the decryption machine is physically separate from all other networks, you cannot do this in real time. The encrypted cards have to be stored SOMEWHERE before you download them; without the proper use of an asymmetric algorithm, they would be stored in plain text in a database (a bad idea, remember?), or encrypted with a SYMMETRIC algorithm, which is just as good as storing them plaintext (In a symmetric algorithm, the same key used to encrypt also decrypts. Because you would have to store the key on the server that encrypts them, the key is subject to compromise)
Re:liability? (Score:2)
There is no such thing as overkill security; only difficulties in implementation because of the extra work it places in production.
In online business, credit card theft is much rarer, but it is more devastating, because it is usually many thousands of credit cards at once, rather than just one or two carbon receipts stolen out of the waste basket.
Don't get complacent...
Absolutely. This is just one component in an overall security policy. Trust me; there is MUCH, MUCH more to the systems I have built than this.
What might be even better would be a Java applet running on the client side doing the encryption there. That way the plaintext never even enters the server.
Unfortunately, the legality of this is still in question with current US crypto laws. This would also be very difficult to implement, due to differences in java runtime environments, etc, etc. But it is an interesting idea.
"Can you please put in some helpful error messages to tell the user whether they've entered an incorrect user name or just a wrong password?"
"No problem, should I list the most likely username intended and display the password hint as well? Come think of it, why don't I just delete all the files and drop the database on the live site, and save the "user" some trouble?"
Knowing how to do fancy graphics (actually not all that fancy at all) does not a web designer make.
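The "helpful error messages" exchange above is the classic user-enumeration oracle. As an added example (not code from this thread), here is the leaky login beside a hardened one: the hardened version returns a single message for every failure and does the same hashing work whether or not the account exists, so neither the text nor the timing tells an attacker which half was wrong. The in-memory user table, the salted SHA-256 standing in for a real slow password hash (bcrypt, scrypt, argon2), and the account names are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

type account struct {
	salt []byte
	hash []byte
}

// users is a constructed in-memory table standing in for the site's user store.
var users = map[string]account{}

// dummySalt is what the hardened login hashes against when the user does not
// exist, so the non-existent case costs the same as a wrong password.
var dummySalt = make([]byte, 16)

// hashPassword is a stand-in for a real password hash: SHA-256(salt || password).
func hashPassword(salt []byte, password string) []byte {
	buf := append(append([]byte{}, salt...), password...)
	h := sha256.Sum256(buf)
	return h[:]
}

func addUser(name, password string) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	users[name] = account{salt: salt, hash: hashPassword(salt, password)}
}

// loginLeaky is the "helpful" version the comment mocks: the response says
// whether the user name exists, so valid accounts can be enumerated before
// a single password is guessed (and the missing-user path is also faster).
func loginLeaky(name, password string) string {
	acct, ok := users[name]
	if !ok {
		return "unknown user name"
	}
	if !bytes.Equal(acct.hash, hashPassword(acct.salt, password)) {
		return "wrong password"
	}
	return "ok"
}

// loginHardened gives one answer for every failure, always performs a hash,
// and compares in constant time.
func loginHardened(name, password string) string {
	acct, ok := users[name]
	salt, stored := dummySalt, make([]byte, sha256.Size)
	if ok {
		salt, stored = acct.salt, acct.hash
	}
	match := subtle.ConstantTimeCompare(stored, hashPassword(salt, password)) == 1
	if !ok || !match {
		return "invalid user name or password"
	}
	return "ok"
}

func main() {
	addUser("alice", "correct horse") // constructed account
	for _, try := range [][2]string{{"bob", "x"}, {"alice", "x"}, {"alice", "correct horse"}} {
		fmt.Printf("%-6s leaky=%-18q hardened=%q\n", try[0], loginLeaky(try[0], try[1]), loginHardened(try[0], try[1]))
	}
}
```

The same rule applies to password-reset and registration pages ("that e-mail address is already registered" is the same oracle), and rate limiting still has to sit in front of both versions.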
Re:The Problem (Score:2)
hmmm... they'll close the proverbial barn door?
Too many amateurs around. (Score:2)
Even my local newspaper, covering around 20,000 people, had as the main headline this week a story about a security breach on a local website. The report was laughable, with the web-hosting site believing that the attacker must have known the userid and password into the web publishing system, as they were unaware of any other means into the machine. Obviously someone else who has never heard of CERT, Nessus or Bugtraq. I'll probably be writing to the newspaper this week to put them straight, once I've let Nessus have a proper probe.
flawed concept (Score:2)
the whole system is screwed. which idiot decided that a merchant should be given authority by the customer to charge their bank account? bah
BPay [bpay.com.au] rules. You tell your BANK to pay the money to the merchant. A payment consists of Biller Code (the company to pay) and the Customer Reference (your customer/account/bill # with the merchant).
Online ordering is easy - either you open an account with the company and all your purchases are pooled together and get paid for under your Customer #, or the website gives you a unique bill number after you confirm your order, and you pay for each individual purchase. Once you have your customer #/bill # you head over to your bank's website, log in, type in the details and your bill is paid.
AFAIK, it's only debit at the moment, but there's no reason it can't be extended into credit. It's no substitute for an in-person credit card, but for online shopping, it can't be beat, IMO.
Best practices anyone? (Score:2)
I'm sure that if some group came up with a basic list of best practices for e-commerce security this sort of thing would be less rare... I'm sure companies would love to show their probably-hack-free compliance(tm).
stv
Re:liability? (Score:3)
I would suggest that this is bordering on overkill. There are lots of brick-and-mortar businesses that handle credit cards without needing precautions like those.
Attacks over the internet are serious because they are relatively anonymous. Credit card numbers stolen by employees are less of a concern because the pool of suspects is small and you know where they all live.
Don't get complacent. As long as your system is working and those credit cards numbers are getting encrypted, you're okay. But if you're hacked that can change. Someone could capture credit card numbers as they enter the system- after they come out of the SSL-encrypted socket, but before they get encrypted by your application. A good rootkit could keep such a process hidden for a long time. Of course, this is a much more difficult attack than just dumping the contents of a database.
Not quite ideal, but a major improvement over what most people are doing right now.
What might be even better would be a Java applet running on the client side doing the encryption there. That way the plaintext never even enters the server. The applet should be signed so that if someone breaks into the server they can't simply replace the applet with a trojan. But this assumes that the users would notice if the applet was not signed- a bad assumption.
Re:End the pessimism, research OS security! (Score:3)
This principle CANNOT exist in a UNIX system, which has very rough granularity to its security, and is based on very heuristic security methods that form an extremely complex, impossible to secure system.
Sure they can! There is work in Linux and several other Unixen to move to a capability based systems and implement the principle of least privilege.
EROS does look interesting though.
Re:liability? (Score:2)
The CC Company values customers over merchants. Merchants pay to accept cards. (not that merchants aren't important).
The Card is simply a token of the credit the company has extended to you. It is a means to an end; it is not the credit itself. Same with the number on that card. The number simply identifies your account.
From what I remember from personal issues with cc companies, it is fairly easy to dispute charges.
It used to be that a card imprint was required. Later, anything would do, but a signature was required. Remember, you have to authorize each and every use of your card.
If a merchant cannot show that YOU actually authorized the transaction, he has no right to collect funds on your card.
Simply using the card yourself is authorization enough; but the merchant should be able to prove it. ie: registered delivery of goods to your home.
The onus should be on each and every merchant who accepts credit cards to ensure that they are taking part in a legal transaction. This is why there is a signature on your card; this is why you must sign your receipt. It *IS* permissible to ask for ID when someone presents a credit card!
Like cheques these days, the system does not verify everything. It's far cheaper to deal with issues should they arise than to simply check every transaction.
Just because society is rushing like a madman into using credit cards for digital transactions for everything on earth, and merchants are forgoing safety checks... this is the MERCHANT'S problem, not the consumers.
Re:On-line Databases (Score:2)
A perfectly viable method would be to send the pending credit-card number over to the database server, and have it (and it alone with access to the actual numbers) confirm it.
-----------
"You can't shake the Devil's hand and say you're only kidding."
First Data Corporation (Score:2)
Western Union is owned by First Data Corporation, one of the largest credit card issuers in the US. Assuming the networks of the two corporations were somehow linked (or have systems shared between the two), if the hackers were able to get into FDC's systems, this could be disastrous.
It may be wise to invest in some put options on FDC...hmm
Jason.
Can anyone point me to an example of this? (Score:2)
Can you point me to any references I can quote for management?
This should _never_ have happened! (Score:5)
Any company that does business on the Internet without proper safeguards ( which is what it sounds like ... ) deserves to be sued.
Granted, my view may change - because there is not enough information about how - but this has happened at other sites and it still amazes me.
and in related news ... (Score:2)
IKEA exposes customer information on catalog site [cnet.com]
In short, a bit of URL hacking exposed their whole customer database. Dan Huddle (CTO of xanga.com) said: "What a spammer's dream!", commenting on the potential for abuse of that privacy breach.
Continuous coverage of butt-headed, idiotic eCommerce web page designs continues after these dotCOM messages.
A Clue About Security (Score:5)
Lends more credibility to the disposable credit card concept.
Please. It lends more credibility to the concept that big corps still don't have a clue. Technology security (unlike physical) is not a place to save a few bucks by hiring a few minimum security wanna-be rent-a-drunks. Plus it lends more strength to the idea that money cards, anonymous, variable in value, and secure, desperately need to be implemented, whether Big Brother likes it or not.
1Alpha7
c|net's article (Score:5)
c|net's article [cnet.com] has a little more information about the hack.
It was unclear whether the hackers obtained any personal account information. No fraudulent transactions had been reported by late yesterday [...] Only Web site users who conducted online transactions would have been affected. Company officials were using email, letters and phone messages to alert between 10,000 and 20,000 consumers to cancel their credit or debit cards and get new ones.
Funny. (Score:2)
Helping people make their lives better, everyday
n0w 7h3 f45735t w4y 70 53nd m0n3y (70 31337 h4x0r d00dz)
Why CC Databases anyway? (Score:2)
If you really, really, want to keep it, set up a dot matrix and print it out. I think the Credit Card companies should charge the fraud back to the company that stored the number. That ought to promote securing a server!
Consumer is NOT liable (Score:2)
Read your agreements carefully; most of my cards hold me with little if any liability (the worst is $50 maximum). The rest of the bill is footed by the credit card company/issuer, not the consumer. When the credit card company denies a charge to 'verify security', it is not doing so for 'your protection', as they say, but for their own.
So, if the credit card numbers were indeed stolen and used illicitly (which is not clearly the case), it's the credit card companies who have something to worry about, not the consumers.
Regardless, Western Union should have had more secure systems; I'm sure this is very embarrassing.
Re:liability? (Score:2)
An important component is that no sysadmin at the company has any access to this processing machine. Only technically inclined executives (i.e. CTO, CIO, COO) have root access to this machine, and if maintenance must occur at this machine, the sysadmin is logged into it by the executive, who then physically watches what the sysadmin is doing (and the executive knows his/her shit, so there is no question of foul play).
In this scenario, if the website is completely compromised and all credit card numbers are stolen, they are completely useless to the cracker, as they cannot be decrypted without that private key.
This is ideal practice, and should be implemented at all e-commerce sites.
I just mail cash (Score:2)
-josh
Re:Oh, the things I've seen (Score:2)
Re:They should take the blame, not "hackers" (Score:2)
Every software developer knows that there is no room for perfection when deadlines and money are involved. It's very common to have bugs here and there.. the problem now is that in web development bugs can easily mean security holes.
Eventually web developers will be required to be educated about security issues.. for now.. it's just a risky business for the customers.
Re:This should _never_ have happened! (Score:2)
Don't give the account that is on the webserver the "SELECT ANY TABLE" privilege.
create packages (stored procedures) on the Oracle Server that perform operations such as insert_cust_info and insert_cust_credit_card.
Don't use public synonyms on the Oracle Database.
In this manner, if (when) the webserver is cracked, the account that is now owned can only insert data. By storing customer credit card info in a separate table that only DBAs (and specific procedures) have access to - the compromise of the webserver does not allow the type of access that the hAx0r is looking for.
I believe that this is called "Principle of least privilege". Apply it.
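One way to lay out those Oracle privileges, as an added example that is not the poster's own code: the schema, user, table and package names and the sample card number are constructed, and the web tier connects as web_app, which can execute the package but never read the card table.

```sql
-- Added example: Oracle least-privilege layout for a web-facing account.
-- Run as a DBA. card_owner holds the data; web_app is the web server's account.
CREATE USER card_owner IDENTIFIED BY "placeholder_password";
CREATE USER web_app    IDENTIFIED BY "placeholder_password";
GRANT CREATE SESSION TO web_app;   -- connect only: no SELECT ANY TABLE, no DBA role

CREATE TABLE card_owner.cust_credit_card (
  cust_id     NUMBER       NOT NULL,
  card_number VARCHAR2(19) NOT NULL,   -- no SELECT on this is ever granted to web_app
  expires     VARCHAR2(5)  NOT NULL
);

-- The only path in from the web tier: a definer's-rights package (the default
-- AUTHID) that exposes an insert and nothing that reads the table back.
CREATE OR REPLACE PACKAGE card_owner.cust_api AS
  PROCEDURE insert_cust_credit_card(p_cust_id     IN NUMBER,
                                    p_card_number IN VARCHAR2,
                                    p_expires     IN VARCHAR2);
END cust_api;
/
CREATE OR REPLACE PACKAGE BODY card_owner.cust_api AS
  PROCEDURE insert_cust_credit_card(p_cust_id     IN NUMBER,
                                    p_card_number IN VARCHAR2,
                                    p_expires     IN VARCHAR2) IS
  BEGIN
    INSERT INTO card_owner.cust_credit_card (cust_id, card_number, expires)
    VALUES (p_cust_id, p_card_number, p_expires);
  END insert_cust_credit_card;
END cust_api;
/
GRANT EXECUTE ON card_owner.cust_api TO web_app;   -- insert through the package only

-- No PUBLIC synonym for the package or the table; a private synonym owned by
-- web_app is enough for the application code and exposes nothing to other users.
CREATE SYNONYM web_app.cust_api FOR card_owner.cust_api;

-- Checks from a web_app session (constructed sample values):
--   SELECT * FROM session_privs;              -- should list CREATE SESSION only
--   BEGIN cust_api.insert_cust_credit_card(42, '4111111111111111', '12/01'); END;
--   SELECT card_number FROM card_owner.cust_credit_card;   -- ORA-00942, as intended
```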
Oh, the things I've seen (Score:5)
Numbers not stolen? (Score:3)
And if it was stolen... that's shitty site design. You quickly stash cc#'s off in a secure location; you don't make them retrievable off the website, EVER.
On-line Databases (Score:4)
suuuuuuuuuuuuure (Score:5)
If their security checks are so routine, then why did this happen?
[root@solstice /root]# telnet westernunion.com 80 /
Trying 208.244.136.46...
Connected to westernunion.com.
Escape character is '^]'.
get
HTTP/1.1 501 Not Supported
Server: Microsoft-IIS/4.0
Oh, I see now.
Re:Ah, the joys of a Cashless society (Score:2)
Your bank, maybe...FDIC is a good thing, and 7-11 isn't.
-- Give him Head? Be a Beacon?
Re:Putting out the fire - with CRACK (Score:2)
"ESR didn't break into the server. RMS didn't do it. Linus didn't mastermind the attack. This has nothing at all to do with Open Source, as a movement or software. It's got a lot to do with Microsoft's closed source software and stupid administrators. "
I couldn't agree more. But that being said, have you seen the view from the other side?
You are a hacker, and a hacker broke into the Western Union credit card database. Doesn't matter to them that you specifically didn't do it, just "one of your gang". This type of attack undermines what the establishment wants the Internet for - commerce. As such, they will just bear down more on ANY threat coming via the Internet, not just this specific type of attack. If that doesn't work, they may go after the Internet itself.
I agree that it is shoddy programming practices, mis-configurations and bad administration that are the usual causes of security breaches, but to a CEO who talks to the lawmakers, it's "Some punk hacker who got through the firewall", key word being "hacker".
My post was to show that we as a group had better be accommodating to the interests of everyone, else they will not be accommodating to us - which could conceivably spill over into the other cases stated in my post. The Man won't care that you didn't do it - just that you could.
Netcraft tells it all... (Score:2)
D'oh! Seriously, you'd think these big banks and money sending whatever it is western union does people would use a B1 Trusted OS or something.
May I suggest BullDog [argusrevolution.com] or possibly TrustedBSD [trustedbsd.com]? I haven't tried TrustedBSD, but I was quite impressed with BullDog's stats at this past DefCon [defcon.org]. They put a server running their OS (a modified Solaris) on the CTF (Capture The Flag) network running all sorts of insane services. A day into the competition they still hadn't been cracked so they posted the shadow password file. They never did get cracked.
Re:This should _never_ have happened! (Score:2)
I have to disagree. There is nothing about humans which says they are not deterministic too. If I could give you a truth serum, then get you to reveal your password, is that not placing you into a deterministic state of mind, before "conning" you?
Or what about exploits that make use of race conditions in file locking and such to penetrate the system? There is an element of chance in such exploits - so that makes it a con game?
Actually, I was just pissed at the bad analogies that plague the whole issue. IMHO, saying cracking computers is like lock picking is only accurate up to a certain point. A computer is not a house. Neither is it totally a con game. But anyone who wants to equate cracking computers with housebreaking is probably not examining their metaphors enough to refute my con game analogy. I claim in fact, it is _slightly_ better.
And no, I don't approve of either house-breaking, cons or cracking.
Re:A Clue About Security (Score:2)
How is a company to know which they are hiring? Anybody can call themselves a security expert even if they don't have any real qualifications. There are a lot of people who know less than they think. Heck, how is a "security expert" supposed to know if they really are one? Sure there are certifications but how do you know that the material covered is selected by security experts and not just people out to make a quick buck selling certifications?
From what I have seen, in the tech industry most successful people start most of their jobs without knowing what they are doing, but have the ability to figure things out as they go. That doesn't work in security- just because you've made something work doesn't mean you've made it secure.
Re:On-line Databases (Score:3)
Re: (Score:2)
Re:This should _never_ have happened! (Score:2)
I consider hacking a computer to be more a con-game really. You see, your computer is chatty - when hooked up to the internet, it talks to other computers. Just that it could be untrusting or trusting about who to talk to, what to say, etc. Any computer that is naive can be tricked to reveal its secrets, just like you can trick an idiot into telling you his mother's name, so you can use it to take money from his bank account.
I say this analogy is more accurate than housebreaking. Who do you say?
Ah, the joys of a Cashless society (Score:2)
"PUT YOUR HANDS UP. GET THEM UP!"
Clerk does as he is told.
"Wha-What do you want?"
"GIMME ALL OF YOUR DISPOSABLE DEBIT CARDS! NOW!"
Clerk starts shovelling the cards into a bag.
"Don't you want the cash in the register?"
The Masked intruder shakes his head, and looks puzzled.
"...What?"
-- Give him Head? Be a Beacon?
Disposable Credit Cards (Score:3)
If we're ever going to move into e-cash, we have to have a system that is as anonymous as cash. This seems like the best way to assure that.
-Waldo
-------------------
Re:liability? (Score:2)
As for identity theft, yeah. I can't dispute that. It sucks.
Perhaps Credit companies should have a way for you to be issued a new card and 'flag' valid transactions.
Hmm. Come to think of it, why not have a card that is *just* for regular payments? Keep it locked up somewhere.
(Normally we don't post this stuff...) (Score:2)
CmdrTaco, define 'we'?
Re:Netcraft tells it all... (Score:2)
As for B1 Trusted OS: THERE IS NO SUCH THING!
I'm a consultant for a Fortune 10 company. I've seen IIS/NT boxes that have been PUMMELED and were still secure. I've seen high school kids idiot hack an Apache box. And I've seen the reverse.
What annoys me is folks who have this backwards notion that the OS actually makes a difference for web serving. It's the ADMIN more than anything.
A site is only as secure as the Administrator can make it.
Re:Ass raped monkeys (Score:3)
liability? (Score:5)
So is Western Union liable for this time/expense/pain in the ass? Should you have an expectation, visiting an e-commerce site of some sort, that your CC# will be kept private against the ravages of crackers?
If someone with a mask and gun steals a bag full of CC receipts from Sears, then uses the numbers, is Sears at all liable for their misuse? Should they be? How does this change for e-commerce stores? You can't really stop someone coming into your store with a gun and robbing you, but you can take much better precautions against someone hacking your site like this.
I see both sides of this - as an admin and a CC user. Should we have a zero-tolerance law? No mistakes, no excuses - the store that got hacked should just pay up, whatever its customer's expenses are? Honestly, I lean towards "yes." There have been enough public cracks in the last year to encourage even the most brain-dead (heh: "westernunion.com is running Microsoft-IIS/4.0 on NT4 or Windows 98" - NetCraft [netcraft.com] ) to really secure their stores and databases.
If you can't secure it, don't connect it to the web.