
Credit Card Database Stolen -- 4 Months Ago
jeffw writes: "Once again a Russian cracker got into an online credit card database and attempted to extort money from the company. MSNBC has the details. Previous incidents were covered on Slashdot here and here.
This time it was the appropriately named CreditCards.com, a credit card processing service for merchants. You would probably expect to be notified by one of the processors, the card issuer or the merchant, but in this case victims have to notice the fraudulent charges themselves and contact their card issuer.
Hmm, CreditCards.com. I'm sure no cracker would ever think of that as a juicy target. Why not name your company FreeMoneyForCrackers.com instead?"
Credit Cards R Us ... (Score:2)
Blackmail (Score:1)
Would they get arrested?
Or would they just get a whole bunch of free stuff. Of course, I'm sure that someone could have fun with this. Let's see, what could you send; live animals? pornographic material? software that forces all sorts of horrible binding conditions on the user as soon as he breaks the shrinkwrap license. The possibilities are endless.
In Related News... (Score:2)
Re:Merchants should use common sense (Score:1)
How many times has slashdot been cracked now?
any way of finding out whether my card was taken? (Score:1)
Credit cards are such a fucking joke (Score:1)
Furthermore, well known algorithms exist to guess valid CC numbers, which can then be used for online or phone purchases. All the resulting fraud has to be absorbed by the merchants, meaning higher prices for everybody.
The only fair solution is this: credit card customers should have to pay higher prices; those of us who use safer payment schemes shouldn't be penalized.
Short of that, boycott merchants who accept credit cards, so that you are not forced to pay for the results of an ill-designed system.
Re:Most hacking happens through other channels.. (Score:1)
Even if there really are that many extortion attempts, the problem is always to find evidence of the break-in. While I understand this can be tough, a credit card company might be expected to have serious security measures, with enough software and hardware installed to keep an eye on things. The fact that they couldn't even recognise that they had been visited without authority (not even after 4 months even) makes you wonder if this kind of e-business is possible at all (I'm supposing here that creditcards.com did everything in their power to have the most secure systems possible). The risk of your card info getting hacked is not as low as we might hope. Considering the Pentagon gets hundreds of thousands of hacks a year, with the occasional 300 slipping in and about 10% of that getting into the real deal, chances are sooner or later your card number is going to get hacked.. heck.. maybe my card number is already on that list, I don't even have a clue!
Ok, this is all pure speculation on my account, and I don't want to sound bitter, but you catch my drift. Unless news like this keeps popping up, how can I convince my family that this is what they should try to get accustomed to because it's simply a new, smarter, easier, and still safe way to spend their money..
In the meantime, not knowing what goes on with our money kinda seems totally unfair to me, although in many cases this can be experienced more as a convenience.
Re:Merchants should use common sense (Score:1)
Although, now that I look at the "Allowed HTML" codes, I don't exactly recognize any codes as being the HTML code I'm looking for, so...
from the pot-kettle-black dept. (Score:1)
credit card database stolen -- 4 months ago
am i to believe that slashdot is making some reference to the untimeliness of someone else? that's just funny. reeeeally funny.
not any more (Score:2)
If nobody knows who the original merchant is responsible for leaking their credit card, nobody can complain (except to creditcards.com, who doesn't do business with the individual customer anyway). Of course, no one can check to see if they did business with one of Creditcard.com's customers and therefore might have a compromised number.
Not only were they careless with the data and refused to notify people after their info was compromised, they are actively trying to prevent people from finding out if they were victimised by Creditcard.com's incompetence. How slimy can they get?
So how much longer are they taking Visa? (Score:1)
Re:What the f**k? (Score:1)
I do agree that a more secure way of credit payment is sorely needed, though. If one time tokens can be used for logging into computers I don't see why the same technology couldn't be extended to making credit card payments.
Obligatory bashing (Score:2)
From Netcraft: The site creditcards.com runs Microsoft-IIS/4.0 on NT4/Windows 98 [netcraft.com].
I wonder if their CTO (aka their MCSE) threw all the CC#s into an Access database on their one big server (also running Exchange)? Just kidding... I hope.
who moderated this comment to troll? (Score:1)
Paymentech.. (Score:2)
And it's bound to happen. They're ripe for the pickings, really. Nearly all of the credit card processors are so insecure it's mind boggling.
Re:Merchants should use common sense (Score:1)
I've been doing e-commerce consulting for seven years now, and with many companies you just can't get them to use decent security -- one of the first ISPs I set up with CC processing is a good example, we got everything set up to deliver orders to the merchants via encrypted e-mail, but guess what: every single one of them refused, they wanted cleartext e-mail.
Pretty darn depressing.
Re:Let's Do the Math... (Score:1)
Re:Yeah honey... (Score:1)
Re:My question is this.. (Score:4)
Security through obscurity, anyone? (Score:4)
I don't pretend to know how the cracker got the credit card numbers from CreditCards.com. But judging from the way they've chosen to handle the problem, I'm not surprised they could be ripped off in the first place; they have all the earmarks of a company that still believes security through obscurity is their best approach.
In all honesty, this is a disturbing attitude that we seem to be seeing more and more from companies: the customer is no longer regarded as someone to be served with enlightened self-interest, so as to reap rewards. It's much easier instead to enter into near-conspiratorial relations with other companies; to regard the other company, the one with the large pre-existing legal team, as the entity who has to be kept happy -- and regard the customer with ill-concealed loathing, as the one who makes your 'job' of pleasing your partner company that much harder.
From this perspective, it seems downright logical to let people's credit cards be compromised and not tell them -- it's only important to please the merchants who want to take credit cards, not the people whose credit cards they are! And what are the chances that poor service to cardholders would ever result in them losing those merchant contracts? Not good enough to make them really care, it seems.
Re:Not freemoneyforhackers.com (Score:5)
Ohhhh, I've got a good domain (Score:1)
Re:Not freemoneyforhackers.com (Score:2)
At least my friend didn't end up paying for it, but I wonder, if they did prosecute more often on even little things (when they have proof of course), would this lower the amount of this type of fraud? And would I be living in a dream world to hope that this might lower those pesky interest rates and/or fees we all love to see?
"Leave the gun, take the cannoli."
Re:Ohhhh, I've got a good domain (Score:2)
Re:Merchants should use common sense (Score:4)
If your system is cracked, what's to stop Mr. 1337 hAx0r from putting a sniffer or something like that on your network, then returning in a month to harvest the many credit card numbers? Sure, it's slightly more work for them, in that they have to make two visits instead of one, but any script kiddie can install a root kit to cover his tracks in just a few minutes.
The whole idea of using credit card numbers for online transactions is flawed. Why not have the purchaser write a "digital cheque" and sign it with his private key? The merchant could then present the cheque to a bank to verify that funds were available. Voila! Now, even unscrupulous merchants can't rip you off.
Re:get real (Score:1)
Or the UK, possibly. 3 people I know have been offered jobs by Demon Internet after hacking their servers. One took it up, another is now working for another company he hacked into in New Zealand.
Apparently, this is Demon's standard policy. They believe that an ex-burglar makes the best security guard, to coin a phrase.
JJ
Re:balance... (Score:1)
However, with Visa's currency exchange fees on top, I'm guessing it'll be around $50 in total.
Re:Merchants should use common sense (Score:1)
Re:Almost 100% correct... (Score:1)
Not all online sites are just a catalog.
Those 3 extra numbers (Score:2)
In countless online transactions in the past year or two, I've only been asked for those digits once, by a company that only produces accounting software, a huge fraud target, I am sure!
Creditcards.com is some puny bank in CA? (Score:1)
Re:Almost 100% correct... (Score:2)
Wrong. It's sent directly to the CC company... but even if you (incorrectly) decided to store it anyway:
1. Sale is approved. You inform the customer and delete the CC#.
2. Sale is declined. You inform the customer and delete the CC#.
In either case, you gained nothing by deciding to store the CC# (even temporarily).
when you go later to settle on the card and collect your $, you will need the CC# along with the authorization # to transmit to the clearinghouse.
No, all you need is the authorization number to settle. If you haven't settled within a week (because you haven't shipped the goods), the authorization is cancelled by the bank.
It doesn't matter if you keep the records around for minutes or years, someone with the right skills and opportunity (i.e. your underpaid DBA) can get through.
Huh?!?!?!? You're saying that you can't trust your employees, so you should just throw all security precautions to the wind? That would fly really well..
"Well, John, we can't trust our employees, so let's not spend the money on the safe, let's just keep all our money in the filing cabinet."
Having criminals as employees is completely irrelevant to your arguments. (Or, perhaps you could explain how keeping credit card numbers will somehow negate the fact that employees can't be trusted?)
I repeat again: You do not NEED to store credit card numbers.
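The flow this comment argues for, as an added illustration that is not code from the thread: the merchant hands the card number to the processor once, keeps only the authorization reference (plus the last four digits for the customer's receipt), and settles by that reference when the goods ship. The processor, the one-week authorization lapse and the order store are hypothetical stand-ins constructed for the example; the Luhn check is the standard check-digit validation and the card number is the well-known Visa test number, not a real account.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption taken from the comment: an unsettled authorization lapses after a week.
AUTH_TTL = timedelta(days=7)


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation: the usual sanity check before a PAN is sent anywhere."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Authorization:
    amount_cents: int
    created: datetime
    settled: bool = False


class ProcessorStub:
    """Hypothetical stand-in for the card processor: the only party that sees the
    PAN, and only for the duration of the authorize() call."""

    def __init__(self):
        self._auths = {}

    def authorize(self, pan: str, amount_cents: int, now: datetime) -> str:
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        auth_id = secrets.token_hex(8)          # opaque reference the merchant keeps instead of the PAN
        self._auths[auth_id] = Authorization(amount_cents, now)
        return auth_id

    def settle(self, auth_id: str, now: datetime) -> str:
        auth = self._auths.get(auth_id)
        if auth is None:
            return "unknown-authorization"
        if auth.settled:
            return "already-settled"
        if now - auth.created > AUTH_TTL:
            return "expired"                    # merchant must re-authorize, which needs the customer again
        auth.settled = True
        return "settled"


class MerchantOrders:
    """Merchant order store: holds the authorization reference and last four digits, never the PAN."""

    def __init__(self, processor: ProcessorStub):
        self.processor = processor
        self.orders = {}

    def place_order(self, order_id: str, pan: str, amount_cents: int, now: datetime) -> None:
        auth_id = self.processor.authorize(pan, amount_cents, now)
        self.orders[order_id] = {"auth_id": auth_id, "amount_cents": amount_cents, "last4": pan[-4:]}
        # pan goes out of scope here; nothing stored can reconstruct it

    def ship(self, order_id: str, now: datetime) -> str:
        return self.processor.settle(self.orders[order_id]["auth_id"], now)

    def stored_fields(self, order_id: str) -> list:
        return sorted(self.orders[order_id])


def demo() -> dict:
    """Run the flow on two constructed orders and report what happened at each step."""
    t0 = datetime(2000, 12, 11, 15, 0)
    shop = MerchantOrders(ProcessorStub())
    shop.place_order("o1", "4111111111111111", 1999, t0)   # constructed test PAN
    shop.place_order("o2", "4111111111111111", 500, t0)
    return {
        "stored": shop.stored_fields("o1"),
        "ship_o1": shop.ship("o1", t0 + timedelta(days=2)),
        "ship_o1_again": shop.ship("o1", t0 + timedelta(days=3)),
        "ship_o2_late": shop.ship("o2", t0 + timedelta(days=8)),
    }


if __name__ == "__main__":
    print(demo())
```

The point the example makes concrete: an intruder who dumps the merchant's order table gets authorization references and last-four digits, which settle only with this processor and only once, rather than reusable card numbers.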
Re:In Related News... (Score:1)
Even the four months figure is perfect. "Russian" crackers only had access to MS's servers for three months (later whittled down to "five seconds and they only downloaded a virus we designed to stop intruders" by MS's crack PR/damage control team). We have to assume that MS is slightly more expert in the non-application of patches than the rest of the world is when it comes to their own products.
Last year about this time, the world was awaiting doom as Y2K approached. Now it's evil crackers and internet piracy of precious IP that are to blame for the world's ills. Why can't these idiot companies see where the real problem lies, fix their internal security, and come up with business models that work? Actually caring about their customers (and in this case, their customers' customers) wouldn't hurt either.
Re:This is why you should NEVER use debit cards. (Score:2)
Why do people use them? Because it's a hell of a lot better to give someone your card to pay $9.00 for something, and only spend that $9, than to take a $20 out at the ATM every time, and blow it simply for the fact that there's extra cash in your pocket.
Plus, it's a great way to track where you've been spending your money, since you get an itemized statement every month. You don't get that with cash.
My bank immediately put a freeze on the charge I was disputing, and within 2 weeks, reversed the charge, just like any credit card company would do.
Re:Poor social skills (Score:1)
All I'm saying is that IT people need to develop some skills to make sure that they are heard in their environments. They don't need to kiss people's butts. They just need to be able to talk to them and to have the courage to stand up for their ideals. Oftentimes, IT people would rather not do that, and we end up with people who don't know what they're talking about making the decisions.
Re:The real question here... (Score:2)
So in most cases the card needs to be stored in order to meet customer expectations. Yes, the thing HAS to be encrypted, and yes, the whole friggin database needs to be behind another firewall so that only the webservers and call center can touch it. However, contacting the customer at every point in the transaction (pre-auth, auth, ship, return) is out of the question.
There is also the matter of reporting. Many online merchants are applying a few rules to prefilter out troublesome accounts (such as accounts that have too many chargebacks) because online retailers (unlike brick and mortar) are charged higher premiums for such things by banks. In these cases they run a script against the report that the bank provides and the only real way to match that up with an account is by card number.
I agree though, that after a couple of months the number can be scrubbed. This would keep the number of vulnerable card numbers down to a minimum. I don't work for a .com anymore so some other keyboard jockey is gonna have to do this :)
Re:Most hacking happens through other channels.. (Score:1)
So a lot of companies won't notify you because they're not sure, and people make these threats all the time. When someone calls their bluff, you get fried. But at the same time, if they sent e-mail to their customer base every time someone made the threat, they wouldn't have any customer base left pretty soon. It's like bomb-threats. I don't know what the answer is, myself, but the motivations are pretty understandable.
Re:My question is this.. (Score:1)
Visa and MC are not held liable -- why not? (Score:1)
Most people think that when Joe Sixpack goes to the credit card company to report fraudulent transaction(s) on his statement that Visa/MC is liable for the total amount charged less $50. The fact is that the merchant is required to reimburse for the total amount charged plus fees related to the chargeback, for transactions taken by phone or Internet. Visa threatened me with $25,000/month fines if fraudulent transactions exceeded 1% of my sales volume. So let's see here ... why would Visa/MC give a flying squirrel about fraud when not only are they not liable for it, but actually profit by it at the expense of the merchants?
The fact that anyone can spend your money by simply knowing your account number is mind blowing. That's about as ludicrous as being able to access the Pentagon's servers by simply knowing someone's login name. The credit card processing system is inherently flawed and Visa/MC certainly doesn't seem to care.
The problem is that merchants are generally at the mercy of the banks (of which Visa and MC are consortiums). Merchants can't survive without credit card processing, and with banks, it's always "you need us more than we need you."
If there's a class-action possible against Visa/MC, then sign me up. You can bet if Visa/MC were liable for the fraudulent transactions then things would get fixed real quick.
An observation on the nomenclature.. (Score:1)
My two cents concerning these things:
get real (Score:1)
Yeah, I didn't have any ill intent, I just grabbed your CC#s to see if I could. Here's how to protect yourself in the future and I'll just destroy this info I grabbed.
Oh, thank you, Mr. Benevolent Hacker! What would we do without you?! Would you like a job? We can pay you ridiculous amounts of cash to keep hackers who aren't as good tempered and considerate as you away from our sensitive information!
This is the real world. Why employ a security risk when you can have him thrown in prison and gang-raped by all the Cro-Magnon jock types that drove them into computers in the first place? You're living in a fantasy world.
Any way to find out who was compromised? (Score:2)
That's the big problem (Score:3)
American Express has extra numbers on the card... Visa and Mastercard are going to start using them [cnn.com], too... so what? 3 extra numbers for hackers to pluck out of ripe databases. And our current smart cards?? HA. All they do, so far, is enter your billing information for you. Real secure.
The bottom line is... this problem won't go away until we change the way credit cards work... most likely to a true smart card, like many of us have used with external corporate accounts. Then knowing a credit card number won't get you anything.
list of creditcards.com affiliates (Score:3)
The list includes such e-nobodies as "iKnowledge", "eCashier", "SpyGate", and the "Christian Concert Authority." And those are the more plausible-sounding of the bunch...
Re:Not freemoneyforhackers.com (Score:1)
Correct me if I'm wrong here, but the merchants didn't foot the bill, the credit card company did. Credit card companies routinely write off fraud losses of up to 10% of the total purchases (of course, you and I pay for this through higher prices...).
In fact, the situation is even worse than this. My stepdad told me a few weeks ago that if he went into his bank, and told them that he didn't place a charge on his credit card, they would take off the charge no questions asked. That's right, the first time, they just eat the loss without looking into it any further. Obviously, if you try to get away with this many times, they'll look into it, but I found it pretty amazing that they wouldn't even look into it...
Re:Russians? (Score:2)
What It'll Take (Score:1)
These companies simply aren't sufficiently motivated to clean up their acts. The bad press lasts less than fifteen minutes, and usually never makes it off the internet. The average e-tail customer doesn't get his/her news from internet sources. Security breaches are considered to be the norm; there's no shock felt when a new one is discovered.
Eventually, perhaps, victimized customers will band together and file a class-action lawsuit against these credit companies. It's going to take something that drastic for these folks to sit up and apply the optimal remedies. Unfortunately, it's up to the customers to make it "cost-effective" for the company to do so.
crib
Re:list of creditcards.com affiliates (Score:2)
I knew I shouldn't have bought those Amy Grant tickets online. Damn you, God, damn yoooooouuuuuuuu!
-Legion
Ka-Ching! (Score:2)
-Davidu
Another bad rap for hackers... (Score:1)
Re:Merchants should use common sense (Score:2)
Re:Almost 100% correct... (Score:1)
I just checked the documentation for two major CC transports, Vital Technologies (former VISANet) and Novus. For the methods that I looked up, both required CC# and authorization # on settlement. Therefore you are responsible for storing these somewhere safe in between.
You're saying that you can't trust your employees, so you should just throw all security precautions to the wind? That would fly really well..
I'm not saying that at all -- only pointing out that there is a very strong flaw in the whole system. I agree with what other people have mentioned, that putting all of our faith into a 15-17 digit number maybe isn't the best method available.
"Criminals as employees" is completely relevant, if you're considering as an option storing the CC# somewhere for a very short time and then destroying it -- as in "it's only in the order database for 5 minutes, so it's unlikely that somebody will steal it." A secure system shouldn't be built around the premise that the users are beyond reproach, it's bad for the systems and bad for the user. I mention this only because it's usually the first idea I hear from a client when considering this problem.
Slashdot is not the real world.
Re:Not freemoneyforhackers.com (Score:1)
The charge was from INET in Moscow, RU for 217.17 rubles and I had to send in the little form on the back of the statement to get the charge removed.
If this guy claims that I bought something at his web site, then my credit card company definitely will give him cash.
Re:Almost made me turn off my Front Page server! (Score:2)
You IT "cerebral" types are a real pain in the ass. Let me ask you something, have you ever tried marketing? Have you ever tried to get an MBA?
Here's a clue for you: Marketing is not a joke. It's actually real work, it's not trivial, and it's required to sell a product or service. At a technical company, the lines of communication between Engineering and Marketing must be open, and trusting. Your IT superiority complex doesn't help things either, and it has been my experience (having worked in both Engineering and Marketing) that it's usually the Engineering or IT side of the equation that doesn't put in the effort to try.
Marketing people are instantly labeled "clueless" or "afraid of technology" or "phoney" by the IT staff. They make no effort to try to understand why Marketing is important and why it's essential to communicate with Marketing. In most cases, bad Marketing is a direct result of IT or Engineering personnel's inability to communicate effectively. Sometimes that's due to the inadequacies of the people in Engineering (i.e., they're not good communicators) but more often it's a result of silly and childish attitudes such as the one you've displayed on the part of IT.
Grab a clue: you need Marketing just as much as you need IT and Engineering!
There are always bad Marketers, just as there are bad Engineers, but in my experience "bad Marketers" are usually a result of "immature Engineers."
But back on topic: what makes you think that this cracking was a result of Marketing not conveying IT's security interests to upper management? Did you think for just one second that it might just be the clueless IT worker who's running an insecure Windows NT webserver?
- j
Re:Almost 100% correct... (Score:1)
Also, when you go later to settle on the card and collect your $, you will need the CC# along with the authorization # to transmit to the clearinghouse. You are not allowed to settle until the goods have clearly shipped, for some types of businesses this could be several days.
So you still have to store the CC# for some period of time. I, as a master RDBMS hacker, am so godlike in my power that I set up a trigger on your highly volatile, temporary CC table to copy each new row into a hidden secret table. Then I go pick that up later.
It doesn't matter if you keep the records around for minutes or years, someone with the right skills and opportunity (i.e. your underpaid DBA) can get through.
Slashdot is not the real world.
Re:Almost 100% correct... (Score:1)
Re:Let's Do the Math... (Score:1)
Re:System design flaw... (Score:2)
If the cc exist in a database, then anyone who can query the database can get the cards, meaning if the system is compromised, all bets are off.
blowfish (or any other symmetric algorithm, for that matter) is absolutely useless in this case, as the key (which is used for both encryption and decryption) must be stored on the machine hosting the database. If the machine is compromised, the cracker can easily get the key, making the crypto as useful as storing the cc numbers plaintext. The only way to do this properly is to use ElGamal or RSA, along with padding generated by a PRNG to prevent known-plaintext attacks.
Using an asymmetric algorithm, if the database is compromised, you have successfully protected all previous cards (that is, if the private key does not exist on the system; all plaintext cc processing should occur offline). You do have to worry about future cards being snarfed, but you address this with other security measures, not crypto.
When dealing with credit cards, always assume that the machine that the database is on CAN be cracked, then work hard to prevent this from happening.
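The split this comment describes, as an added illustration that is not code from the thread: the database host holds only a public key and ciphertexts, decryption happens on an offline machine that holds the private key, and every plaintext carries fresh random padding so that identical card numbers encrypt to different ciphertexts and an intruder holding the public key cannot confirm a guessed number by re-encrypting it. The example uses textbook RSA with a constructed key built from two Mersenne primes so that it runs with nothing but the standard library; that key size and that padding scheme are for illustration only, and a real deployment would use RSA-OAEP or hybrid encryption from a vetted library. The private key appears in the script only to demonstrate the offline settlement step; in the design described it never exists on the database host.

```python
import secrets

# Constructed key for the illustration: the Mersenne primes 2^107-1 and 2^127-1
# (both prime) give a ~234-bit modulus, far too small for real use but enough to
# hold 128 bits of random padding plus a card number of up to 19 digits.
P = (1 << 107) - 1
Q = (1 << 127) - 1
N = P * Q
E = 65537
PUBLIC_KEY = (N, E)                                 # the only key material on the database host
PRIVATE_KEY = (N, pow(E, -1, (P - 1) * (Q - 1)))    # lives offline; shown here only for the demo

PAD_BITS = 128   # random bits prepended to every plaintext
PAN_BITS = 64    # any PAN of up to 19 digits fits below 2^64


def encrypt_pan(pan: str, pub=PUBLIC_KEY) -> int:
    """Encrypt a card number under the public key with fresh random padding,
    so the same PAN produces a different ciphertext every time."""
    n, e = pub
    if not pan.isdigit() or not 1 <= len(pan) <= 19 or pan[0] == "0":
        raise ValueError("PAN must be 1-19 digits with no leading zero")
    padding = secrets.randbits(PAD_BITS)
    m = (padding << PAN_BITS) | int(pan)
    if m >= n:   # cannot happen at these sizes, but textbook RSA requires m < n
        raise ValueError("plaintext too large for modulus")
    return pow(m, e, n)


def decrypt_pan(ciphertext: int, priv=PRIVATE_KEY) -> str:
    """Recover the PAN with the private key; runs wherever that key lives, never on the DB host."""
    n, d = priv
    m = pow(ciphertext, d, n)
    return str(m & ((1 << PAN_BITS) - 1))   # strip the padding


class CardStore:
    """What the database host holds: the public key and ciphertext rows, nothing else."""

    def __init__(self, pub=PUBLIC_KEY):
        self.pub = pub
        self.rows = {}

    def add(self, order_id: str, pan: str) -> None:
        self.rows[order_id] = encrypt_pan(pan, self.pub)

    def attacker_view(self) -> dict:
        """Everything an intruder who owns the host can read."""
        return {"public_key": self.pub, "rows": dict(self.rows)}


def settle_offline(rows: dict, priv=PRIVATE_KEY) -> dict:
    """Batch decryption on the offline settlement machine that holds the private key."""
    return {order_id: decrypt_pan(ct, priv) for order_id, ct in rows.items()}


def demo() -> dict:
    """Store the same constructed test PAN twice and show what each side can see."""
    store = CardStore()
    store.add("order-1", "4111111111111111")   # constructed test PAN, not a real account
    store.add("order-2", "4111111111111111")
    leaked = store.attacker_view()
    return {
        "ciphertexts_differ": leaked["rows"]["order-1"] != leaked["rows"]["order-2"],
        "recovered_offline": settle_offline(leaked["rows"]),
    }


if __name__ == "__main__":
    print(demo())
```

With the padding in place, two rows holding the same card number are indistinguishable from two rows holding different ones, so a dump of the table plus the public key gives an intruder nothing to test guesses against. What the design does not protect, as the comment says, is a card number passing through the host after the compromise, which has to be handled by detecting the break-in rather than by the encryption.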
Re:Merchants should use common sense (Score:1)
Perhaps this is a question for Ask Slashdot, but are there any easy to use email programs that will encrypt and decrypt automatically, à la Novus Ordo? That would solve this particular problem.
The real question here... (Score:4)
The article even mentions that the company had "test numbers" in the database. Am I the only one who thinks that those were left in there from the days the code was being developed because no one bothered to clean up the database?
Oh yeah, and these numbers are sold for a couple of dollars a piece in Russia. No joke.
Re:gorilla.bas (Score:1)
duh (Score:2)
Re:It's nice to know ... (Score:2)
Unix, I think it is...
not compromised? (Score:1)
"They weren't compromised," Butts said
Um, I'm going to have to go ahead and, uh, disagree with you there, Michael.
Re:Yeah honey... (Score:1)
-DanThe1Man
(Posting as AC to protect Karma -1 offtopic)
balance... (Score:1)
WITH A DRAFT OF 275 RUSSIAN RUBLES I JUST CAN'T ASSIGN TO ANYTHING!!!
Re:Not freemoneyforhackers.com (Score:1)
unfortunately that's still theft, and it would be even if the furniture was stolen from your house to begin with.
Falls under vigilantism, and is generally frowned upon by the forces that be.
How did he get the cards (Score:1)
Squeaky Wheel (Score:2)
Re:i care (Score:5)
Return-Path: chad@microsoft.com
Delivery-Date: Mon Dec 11 15:08:14 2000
Return-Path:
Received: from mybigserver.my.domain (mybigserver.my.domain [10.0.0.1])
by mymail.my.domain (8.9.1a/8.9.1/FOO-3.0s) with ESMTP id PAA365001
for ; Mon, 11 Dec 2000 15:08:14 -0700 (MST)
From: chad@microsoft.com
Received: from eb.com ([146.101.3.203])
by mybigserver.my.domain (8.10.1/8.10.1/FooBar+Hesiod (MyConfig)) with SMTP id eBBM8GJ15524
for ; Mon, 11 Dec 2000 15:08:16 -0700 (MST)
Message-Id:
Received: from blu01650-4-1 [127.0.0.1] by eb.com [127.0.0.1] with SMTP (MDaemon.v2.7.SP5.R) for ; Mon, 11 Dec 2000 22:02:44 +0000
Date: Mon, 11 Dec 2000 22:02:44 +0000
Subject: HOT NEWS 11 DECEMBER 2000, HACKERS GOT INTO CREDITCARDS.COM !!!
To: me+myvendorid@my.domain
X-Mailer: WinNT's Blat ver 1.8.2b http://www.interlog.com/~tcharron
X-MDaemon-Deliver-To: me+myvendorid@my.domain
X-Return-Path: chad@microsoft.com
Dear Customers of CREDITCARDS.COM,
Security score rating: -100
Go there to read the STORY about creditcards.com !!!
http://venus.njcc.com/ccs/index.html
http://www.givit.com/content/ccs/index.html
http://203.29.170.11/ccs/index.html
We represent a group of experts trying to save you from companies, which
do not care about their clients. For your attention we have
designed the "Never trust companies" list.
Any simple hacker can get into Creditcards.com where your confident information stored.
We was contacted with President (Michael Butts) of CreditCards.com, and
they was say us " We don't care about information and about customers"
Today is the special time for every Internet user, e-commerce is still growing
and competitors are fighting each other to win your attention, your loyalty
and as the result your money.
But not all the companies are ready to offer their clients best service,
they trying to get you through low prices, quick delivery, etc., while is
it so important for you?
Basically what are you doing when you buy something via Internet?
You let somebody into your personal finances.
Till no completely secure way of transferring the confidential information
invented, the number one priority for each and every online company is
to secure transaction and to hide information about their clients.
Who knows, may be your partner or your online discount shop is one of them.
We are glad to provide you with this information; we want you to use secure
online resources and most important those who care about you.
Kind Regards,
_____
Today TOP Unsecure Company :
Name Specification Security Score*
CreditCards.com Credit card Processing network - 100
Security Score:
-100 - no security
1 - simple security
100 - Very good security (firewalls + Crypt of confident information in database.)
name could be worse for attracting crackers... (Score:3)
Re:This should happen more often, actually. (Score:5)
Yeah sure - in the glorious US of A. You again seem to forget that there is a place called "the rest of the world" which is technologically more advanced and actually DOES use these highly secure technologies.
I can do 1024b RSA signatures from all of my various cell phones (or sigs with longer keys for that matter, if needed). And I can pay for things with 'em too. All the major banks here use secure payment methods instead of lousy age old credit cards. I don't have to use one single insecure method for paying anymore if I don't feel like it.
All I'm saying is that: it's really up to you. If you want things to change in the US, then bloody change them! It's not any harder than that. YOU are the customer and it's your right to demand things. Start demanding, and keep demanding until they deliver.
Almost made me turn off my Front Page server! (Score:2)
You've got your IT professionals, some of whom may or may not know what they're doing, but who are mostly competent. But, nine times out of ten, they are not the people who run the show. Instead, marketers make big decisions side-by-side with accountants. Not to say that it's not a good idea to promote your business, or keep on top of the books, but look at the typical scenario - the IT or IS manager comes forward and says something to the effect of, "Look, we have a serious security situation here, and if we don't spend the money it takes to fix it right now, we MIGHT get hacked." Now the marketer, who is generally insecure around the IT person (who, after all, can connect all those scary looking wires and make the computers go), is thinking that the money would be better spent on a big campaign to attract investors. Since these cracking incidents are really flash-in-the-pan news events, the marketer doesn't have a clear sense that the risk is real. The accountant is more impressed by the charismatic marketer than by the somewhat cerebral IT person, and is further swayed by some financial need or another. Thus, the decision is all too often a pat on the head to the IT department, and some paternalistic garbage about "all of us doing the best we can under the circumstances," while the crackers gleefully move on.
While I can't claim to be familiar with the corporate perspective within creditcard.com, I personally find it very hard to believe that anybody who can write more than two lines of code would have been happy with the security situation that must have existed for the crackhead to get all those credit card numbers. More likely, it was a situation of all the money going to fancy-looking animated gifs (Ka Ching!), while the IT department was starved to a point of needing to scramble just to keep the servers running. A brief look around the creditcard.com website tends to bear this out: a lot of pretty pictures, but not much substance.
Re:Merchants should use common sense (Score:3)
Everything is already computerized, so this merely adds a few more DB queries. You phone AmEx (or go to their website) and ask for one. They issue a disposable credit card number with a set credit limit that will become invalid after the first use.
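The issuer-side logic behind a disposable number of the kind this comment describes, as an added illustration that is not code from the thread or from any card issuer: a number is minted against an account with a spending limit, the first authorization consumes it, and anything that reuses it, exceeds the limit or arrives after it has lapsed is declined. The issuer, the 30-day lifetime and the opaque "vn-" identifiers standing in for card numbers are all constructed for the example.

```python
import secrets
from datetime import datetime, timedelta

# Assumption for the example: an unused disposable number lapses after 30 days.
NUMBER_TTL = timedelta(days=30)


class DisposableNumberIssuer:
    """Hypothetical issuer: mints single-use numbers tied to a real account and a limit."""

    def __init__(self):
        self._numbers = {}

    def issue(self, account_id: str, limit_cents: int, now: datetime) -> str:
        # Constructed opaque identifier; a real issuer would hand out a card-format number.
        number = "vn-" + secrets.token_hex(8)
        self._numbers[number] = {
            "account": account_id,
            "limit_cents": limit_cents,
            "issued": now,
            "used": False,
        }
        return number

    def authorize(self, number: str, amount_cents: int, now: datetime) -> str:
        """Decide one merchant authorization request against the number's state."""
        entry = self._numbers.get(number)
        if entry is None:
            return "declined:unknown"
        if entry["used"]:
            return "declined:already-used"     # a leaked, spent number buys nothing
        if now - entry["issued"] > NUMBER_TTL:
            return "declined:expired"
        if amount_cents > entry["limit_cents"]:
            return "declined:over-limit"
        entry["used"] = True                   # first successful use consumes the number
        return "approved"


def demo() -> dict:
    """Exercise each outcome on constructed numbers and return the decisions."""
    issuer = DisposableNumberIssuer()
    t0 = datetime(2000, 12, 11, 15, 0)
    first = issuer.issue("acct-1", 5000, t0)
    second = issuer.issue("acct-1", 5000, t0)
    third = issuer.issue("acct-1", 5000, t0)
    return {
        "first_use": issuer.authorize(first, 4999, t0 + timedelta(hours=1)),
        "replay": issuer.authorize(first, 100, t0 + timedelta(hours=2)),
        "over_limit": issuer.authorize(second, 5001, t0 + timedelta(hours=1)),
        "expired": issuer.authorize(third, 100, t0 + timedelta(days=31)),
        "unknown": issuer.authorize("vn-0000000000000000", 100, t0),
    }


if __name__ == "__main__":
    print(demo())
```

The second call on the same number is what changes the risk picture: a database of spent disposable numbers has no resale value, which is the property the comment is after.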
Re:Merchants should use common sense (Score:2)
Digital cheque is overrated, how many Slashdotters use pgp, gpg? Try to tell my mother to use that. Credit card numbers for online transactions is not flawed, it is the weak implementations of infrastructures and security around them that is flawed.
Re:i care (Score:2)
Re:System design flaw... (Score:2)
And, not as a reply directly to you...
CC.com didn't need to keep the credit cards, they only do verification, the merchant can send a new transaction each time they need (to check during ordering, and to charge at shipping). This way there isn't one big master DB with all the numbers, CC.com would hang onto the #s only long enough to process the order. The CC never needs to get stored on a HD at any point, if CC.com crashes and they lose the numbers they're processing, the merchant just resends the transaction after the timeout.
That means you have to trust your merchant, but I'd prefer this. It means smaller DBs (less tempting for crackers) and a well defined chain of trust. If I shop at Amazon, I should only need to trust Amazon, not three or four back-end companies that I've never heard of.
Obscurity and serving customers. (Score:2)
This is not only credit card processors. This is almost everybody. For example, UUNET, back before they were bought out, used to have a status page at 'nic.uu.net' where you could see the status of service outages. A few years ago they removed that page unless you're a UUNET customer. Problem: My ISP is a UUNET customer, and they have a service outage. Easiest thing to do is (from another Internet provider) go to the UUNET site and see whether it's a UUNET problem or a local ISP problem, and if it's a UUNET problem, when it'll be fixed. Noooo... UUNET no longer allows mere mortals to view such information. Even from my ISP, UUNET says "you gotta be a direct UUNET customer to view this page". Fuck the consumer. Fuck the poor slob sysadmin trying to figure out why his packets aren't getting from point A to point B (it'd sure be nice to see that the route C between point A and point B is flapping and that UUNET knows about it). The marketdroids rule, and the marketdroids say that ordinary people don't need to see that kind of data because ordinary people don't pay the bills.
That's just one example. The world is full of them.
-E
Re:Not freemoneyforhackers.com (Score:2)
What is being discussed here is part of the Truth in Lending Act. Chargebacks were set up as a protection for the consumer. Without them, credit cards might never have caught on. No one could foresee the problems which would eventually surface with online transactions because the internet didn't exist then. Get rid of chargebacks and people will not want to use credit cards.
Re:Merchants should use common sense (Score:2)
If Digital Cheques were integrated into browsers, it would be as easy or easier for customers than credit cards are now.
Not all engineers are clueless about marketing (Score:2)
Lazy marketing types are quick to grumble about mumbling engineers etc. But some of us engineers *DO* know marketing -- and get rather infuriated when the marketing types decide to go golfing rather than learn about their product, competing products, the marketplace that their product is to be sold into, and how to reach that marketplace given the product that they have. For some reason, ex-used-car-salesmen who've been jumped up to Marketing seem to think they can sell a complex piece of computer software the same way they sell soap -- i.e., with hype, sex, and TV commercials. And they get upset when we engineers start talking to them about marketing stuff, "go teach grandma to suck eggs" being a typical response.
Not my current company's marketing department -- they're quite eager to hear anything I have to say about the marketplace and how our product line fits into it (though as a perfectionist I sometimes get frustrated with the follow-through, but that's life). Prior to one presentation I was advised by both co-workers and by the project manager to eliminate some of the marketing materials ("they know this stuff", "they'll be insulted by an engineer trying to tell them about marketing stuff", etc). I didn't. Marketing ate it up. But that's very much an exception.
Regarding IT considerations and marketing: I've received pressure in the past to cut corners due to marketing reasons. My general response is, "Having that software for Comdex will do us no good if it gets us a poor reputation for having buggy software," then talk about goodwill and how valuable it is (especially on our balance sheet!). But undoubtedly there are many IT types who do not have that kind of clout.
-E
Re:Merchants should use common sense (Score:2)
I've got a problem with all of these solutions though. They don't address the underlying problems. Creditcards.com showed a complete lack of competence and even a complete lack of accountability. It took FOUR MONTHS for them to go public and they had the audacity to say that customers' credit cards weren't compromised.
Let me get this straight: an unknown third party might have my credit card information but it isn't compromised? I'm sorry, but at this point the COO, Michael Butts, should be brought up on charges of criminal negligence and if he maintains this stance in court, perjury and contempt of court as well.
This company deserves to go under, nothing less. They were in a position where due diligence said they should operate in a certain manner (such as having no physical connection between the database of credit card numbers and the internet at all - or better yet - no database of credit card numbers) and they didn't.
I'm not excusing the cracker, he should be punished as well, but this company (and the bank that owns it) should go under. They aren't competent to operate in the banking industry.
Yeah honey... (Score:5)
My point exactly. (Score:2)
A few hints: we may be in IT, but that doesn't mean we're clueless about Marketing. Some of us have 10 or more years experience in this industry, second degrees in Business Administration or even (gasp!) MBA's, etc., and choose to do IT because we like building stuff rather than selling stuff. That doesn't make us automatically unqualified to comment upon market focus and appropriate venues for reaching sub-markets and so forth!
-E
Russians? (Score:4)
Silly Russians.
Not freemoneyforhackers.com (Score:3)
If you get stolen credit card information, you get free stuff sent to you. You might be able to get people to pay you for the free stuff, but it's not directly cash.
For those who wonder how I know: Someone got my card number, from paper. I found out, when I got a call from Home Shopping Club trying to sell me an extended warranty for my new radar detector. My response was, "What new radar detector?"
The credit card company took the charges off, but beyond that, they didn't care about prosecuting the individual. The merchants had to foot the bill.
the HACKER notified.. (Score:2)
"The victim who originally contacted MSNBC, Michael Sayres, called the company this week to complain and was surprised that it had no intention of contacting customers.
"It was explained to me that I would need to contact my credit card company and cancel my card," Sayres said. "It appears they have no responsibility with this problem."
Sayres received the e-mail from the hacker on Monday afternoon and spent Tuesday on the phone with CreditCard.com and American Express, complaining about the way the situation has been handled. "What's amazing is I didn't hear about it from CreditCard.com. I heard about it from the hacker," he said.
The hacker was trying to extort and notify at the same time? Maybe s/he called the customers in order to prove to Creditcard.com that they were serious. Or is there more than 1 person at work?
On another note, paypal.com insures your deposits to 100K just like FDIC (tho it is a money market account, not FDIC). Is there some plan for an anti-hacker "insurance" scheme for b2b and consumer credit card users online?
Poor social skills (Score:2)
This has very little to do with "leadership abilities", by the way. There are many different styles of leadership, and not all of them require that you be Mr. Used Car Salesman. They do, however, all require goal setting, effective communication of goals, and a meeting of minds with those you work with, as well as (gasp) initiative and drive (you can't lead from the rear!).
-E
Re:What the f**k? (Score:2)
they won't pay in the first place. Not the first time, let alone the next ones.
//rdj
Re:This should happen more often, actually. (Score:2)
Re:Not freemoneyforhackers.com (Score:3)
System design flaw... (Score:2)
Repeat after me. DB's and their backend processes should be firewalled and limited. Heck, a simple socket that takes in a request and returns a success or failure isn't all THAT hard.
-s
---
Question (Score:2)
Re:Any way to find out who was compromised? (Score:2)
My 94 paisa
Re:Merchants should use common sense (Score:3)
I would also recommend a payment gateway that makes security a top priority. Obviously the merchants weren't at fault in the creditcards.com case; they could have all the security they wanted, and the database would still have been stolen from their payment processor.
If I may be so bold, I can recommend a payment processor [trustcommerce.com] who makes security a top priority...
Re:System design flaw... (Score:2)
According to current (US) laws, the business has to keep a record of the cards, in the event of the charge being challenged, or fraud investigation. (At least, this is what was explained to me at work). If this is, in fact, the case, then the business has to hold onto the cc numbers (for 7 years, I believe, but I could be wrong.)
Almost 100% correct... (Score:2)
Nope, this part is wrong - it should read like this:
"If someone in your company thinks you absolutely must store cc numbers, fire them. You absolutely do not, ever need to store credit card numbers."
There is no reason (at all, EVER) for a merchant to store CC numbers. You don't need them to do returns, you don't need them for "one-click shopping" (if you think you do, you don't need to do one-click shopping) you don't need them.
I don't care how much security you have (or think you have) if the data isn't there, you don't need to worry about it.
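The design sketched in the "System design flaw" replies above (verification only, a simple request-in/answer-out service, merchant resends after a timeout) together with this post's point that the number itself need not be kept, as an added example that is not code from any poster here. Everything in it is constructed: the Processor class, the issuer callback, and the sample values; a real processor would also have to satisfy whatever record-keeping its acquirer requires.

```python
# Added example, not code from any post here: a toy card-verification service.
# It answers approve/decline, keeps only a masked PAN plus an opaque reference
# for later dispute lookup (never the full number), and is idempotent on
# (merchant, order) so a merchant can resend after a timeout with no double charge.
from dataclasses import dataclass
import secrets

def luhn_ok(pan: str) -> bool:
    """Luhn checksum: rejects mistyped or malformed card numbers up front."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

@dataclass(frozen=True)
class AuthResult:
    approved: bool
    reference: str   # what the merchant stores instead of the card number
    masked_pan: str  # last four digits only, enough for a dispute lookup

class Processor:
    def __init__(self, issuer_accepts):
        self._issuer_accepts = issuer_accepts  # callable(pan, amount) -> bool
        self._seen = {}     # (merchant_id, order_id) -> AuthResult
        self._records = {}  # reference -> (masked_pan, amount)

    def authorize(self, merchant_id, order_id, pan, amount):
        key = (merchant_id, order_id)
        if key in self._seen:          # resend after a timeout: same answer
            return self._seen[key]
        pan = pan.replace(" ", "")
        ok = (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)
              and self._issuer_accepts(pan, amount))
        result = AuthResult(ok, secrets.token_hex(8), "*" * (len(pan) - 4) + pan[-4:])
        self._seen[key] = result
        self._records[result.reference] = (result.masked_pan, amount)
        return result                  # the full PAN goes out of scope here

    def dispute_record(self, reference):
        return self._records.get(reference)

    def retains_pan(self, pan) -> bool:
        """Self-check: the full number must appear in no retained state."""
        return pan.replace(" ", "") in repr(self._seen) + repr(self._records)

if __name__ == "__main__":  # constructed demo; 4111... is a well-known test number
    p = Processor(lambda pan, amount: amount <= 500)
    print(p.authorize("m1", "o1", "4111 1111 1111 1111", 100))
```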
I got e-mail by folks talking about this (Score:4)
They mention creditcard.com specifically by name and give it a score of -100 for security (no security).
Using my address tracking I could tell they sent me this e-mail using the address I gave to a merchant I used nearly a year ago. Of the 100s of online purchases I make a year, it looks like one of the few places where I made a personal purchase processed their information through creditcards.com. If it had been one of my many corporate purchases I wouldn't have cared too much, but I guess now I will have to go and change the number on the card I used.
If people care, I can post the entire message.
This should happen more often, actually. (Score:4)
It's time to move towards a more cryptographically secure way of making payments. These secure methods were developed years ago, and are still not being used on a wide scale. As long as the costs associated with the occasional credit card theft aren't too high, the banks will not take action. So, it's good that things like this happen once in a while, since the banks will take most of the damage anyway (their biggest loss is probably loss of confidence by big consumer groups).
Merchants should use common sense (Score:5)
E-commerce merchants need to use common sense when dealing with credit card transactions.
In addition to the above, do the usual security procedures that you would do for any secured site (e.g., do anti-virus checks, checksum system files, sweep for trojans, etc.)