Dear Sir: Your Credit Card Number Has Been Owned
An anonymous reader submits: "California has become the first state in the nation to require companies victimized by malicious computer attacks to disclose what might have been compromised to their customers. Under the law, dubbed the Security Breach Information Act, companies whose systems are cracked and have credit card, bank account, and/or other significant customer data stolen are required to report the intrusion either by email, snail mail, a notice on their website, or by notification to the news media. The law takes effect Tuesday, July 1 (tomorrow)."
I Remember when... (Score:5, Informative)
Slashdot was compromised back a few years ago. The maintainers were very quick [slashdot.org] to notify everyone and recommend changing passwords immediately. If only other businesses were as forthcoming!
And there weren't any credit card numbers involved!
Re:I Remember when... (Score:1, Interesting)
fix that damn bug
Re:I Remember when... (Score:3, Informative)
Yup, Somebody Cracked Slashdot
Posted by CmdrTaco on 30/09/00 0:30
from the wiping-egg-off-our-faces dept.
to me, that certainly looks like the 30th of September, 2000.
Fix how you display your dates.
Re:I Remember when... (Score:2)
Re:I Remember when... (Score:3, Funny)
Re:I Remember when... (Score:2)
First of all, it's definitely commendable for Slashdot to notify its userbase. However, the fact that there's no financial data involved makes it less of a bad thing. If you have an account where basically all someone can do is troll with the account, BFD. It's
"Update:" (Score:5, Funny)
At least they're doing something sorta productive (Score:3, Insightful)
So glad not to be there now.
Hack Attacks (Score:2)
A good security worker will be treating a lot of false readings as possible security concerns. Despite all the audit trails, a thief looking for a backdoor just might find one that leaves an uncertain trail or possibly no trail (for
MS Bank v1.1 (Score:5, Funny)
Re:MS Bank v1.1 (Score:5, Funny)
right... sher...
Re:MS Bank v1.1 (Score:2)
Re:MS Bank v1.1 (Score:2)
Actually, the source code to bash is three times as large as the source code to SQLite.
Just means they installed... (Score:2)
BUSINESS PLAN (Score:5, Funny)
Re:MS Bank v1.1 (Score:2)
Re:MS Bank v1.1 (Score:2)
not just any bash shell, but a bash shell well-integrated with some sort of database server...
IANADBA, however, here are some Observations:
First off, it is possible to get bash to do queries like this, though not directly afaik. Bash does run on win32. Secondly, decent RDBMS clients will allow one to enter code not unlike what is pictured above. I don't know that you can do such things to MSSQL, at least with included software (one could write it I suppose) but then I did say decent RDBMS, and you m
Re:MS Bank v1.1 (Score:1)
Re:MS Bank v1.1 (Score:1, Offtopic)
So there.
Re:MS Bank v1.1 (Score:2, Informative)
Sorry, wrong - HotMail was originally running on FreeBSD. When MS bought it, they transitioned to Win2K, which actually managed to perform BETTER in many circumstances - for example, negating the need for SSL accelerators, etc.
You can read the whole case study here [microsoft.com].
Re:MS Bank v1.1 (Score:2)
Here's the Official MSDN sample code (complete with gotos)
Dim Suckers as Recordset
Set Suckers = MyComputer.MyDatabases.ThisDatabase.MyRecordset.[ M y Users]
Rem What_Kind_of_Jerk_Puts_Spaces_in_Table_names?
Top:
if ROT13(Suckers.Secret_Account) = "HAX0R3D" then Suckers.[Needs Mail] = True.
If Suckers.EOF() then goto TheEnd:
Suckers.NextRecord
Goto Top
TheEnd:
###
Then Go to word and do a mail merge. Ask the paperclip for help.
Damn straight. (Score:3, Redundant)
Re:Damn straight. (Score:5, Insightful)
Yup.
How about if your local bank didn't lock its safe at night, and used shitty supermarket padlocks on the doors? Then didn't tell you that people broke in occasionally when no-one was looking, but quietly increased your fees to cover the losses? Sound reasonable? No, of course it doesn't, but it's not far off the level of security some clowns put online. Personally, I'd like to see the sysadmin's name posted in the notices too. :-D
Imagine if these were physical break-ins rather than electronic ones. The money's all the same, the only difference is that until now, it didn't make the evening news. It's about time it stopped being swept under the carpet.
Re:Damn straight. (Score:2)
As a customer, there is no difference between the two, but in the eyes of the law there is?
Re:Damn straight. (Score:2)
Because physical break-ins are harder to hide, keep out of the public knowledge, off the news, etc.
Generally with a physical break in, you call the police. Soon, all the local news stations with a police scanner know something is up at Bank of Microsoft.
What people should do... (Score:3, Insightful)
People should be responsible if they are negligent, I agree. OTOH, expecting perfect security, as some on this thread seem to be doing, is wishful thinking. The world doesn't work like that. Bank robberies happen, and sometimes they get away with it. Cracks happen, and sometimes they get away with that, too. You should take reasonable steps to secure your facilities and have a sensible contingency plan for when that security fails.
About time ... (Score:2, Insightful)
Security Breach (Score:5, Funny)
Re:Security Breach (Score:1, Informative)
"required to report the intrusion either by email, snail mail, a notice on their website, or by notification to the news media."
Nice try, but I don't think the Judge would be amused.
Re:Security Breach (Score:3, Insightful)
I think this law would be a lot stronger if it mandated contact by all of those forms to the extent made possible by available customer data.
This is kind of a sore spot for me at the moment because of a different, but similar misadventure of my own. Recently, my
OT, but worth a laugh (Score:3, Funny)
While on holiday in the Lake District a while back, some friends and I were going up to the top of Scafell Pike, the highest point in England. One of the paths was particularly treacherous, very steep and with lots of stones that slipped under foot. (Not good for those of us uncomfortable with heights!) After a few hundred m
Re:Security Breach (Score:2)
Ah... nice paranoia theory with just one flaw...
Unless the hacker used an EMP that would invariably have to affect a whole lot more than just the CC companies, they'll have backups. There would be no reason for any customers to not be contacted. And since CC companies use multiple backups in multiple places as insuran
Posting on website wouldn't be enough (Score:5, Interesting)
Re:Posting on website wouldn't be enough (Score:5, Insightful)
So? They do that anyway... (Score:3, Informative)
Someone else did it with a note that said they were putting a timer on service so that you had to log in every so often to keep your account active. People went and logged in by the thousands to the phony site they set up.
Re:Posting on website wouldn't be enough (Score:3, Insightful)
Re:Posting on website wouldn't be enough (Score:2)
Re:Posting on website wouldn't be enough (Score:2)
Re:Posting on website wouldn't be enough (Score:2)
Or they should post to Slashdot
Re:Posting on website wouldn't be enough (Score:2)
If I was going to quote the parent, I would say:
If it's not on the Game Show Network, Food Network, or The Learning Channel, I'll never see it.
If you've got my credit information, and some L33T script kiddies have just 0w^3d you, you should be required to send me something.
Re:Posting on website wouldn't be enough (Score:2)
Agreed entirely. Passive notifications for important information are just pathetic.
It's like web sites or ISPs where you sign up, and they have a set of Ts&Cs and a privacy policy, and then a caveat that they may change these at any time by putting the changes on their web site, and the changes take effect immediately. If you don't visit the web site during the minutes after the policy changes, while every spammer
tonight.... (Score:3, Funny)
way better than IPOs!
...posted in the basement with no lights. (Score:5, Interesting)
To quote the parent:
Yea, all you need to do is find the white-on-white "click here" hyperlink.
Like I'm supposed to go out every day and check every credit card site, all my bank account sites, every mutual fund site, every stock broker site, etc, etc, etc?
Why? Why does the company that has been hacked have to engage in a deliberate act (e-mail, snail mail, phone calls, whatever) except for this? Why not force companies to own up to their mistakes?
Re:...posted in the basement with no lights. (Score:3, Interesting)
Worse yet, even if you were to somehow check every website on a regular basis, and somehow find the notice (which the law does not give guidelines for, AFAIK), this only covers part of the issue. The other and far more difficult problem: what about when this information gets stolen and the company doesn't notice?
This seems like a step in the ri
Re:...posted in the basement with no lights. (Score:3, Informative)
To quote the parent:
The other and far more difficult problem: what about when this information gets stolen and the company doesn't notice?
There's something in the laws already about how you cannot be held responsible if somebody commits crimes using your materials as long as you make a good faith effort to report it.
For example, if you find your car gone, you report it stolen, and the next day it's used in a bank robbery, you are usually held innocent unless they have your face on the videotape or
I'm surprised... (Score:3, Interesting)
...that this WASN'T required by law before!
a notice on their website? (Score:2, Funny)
If so, are they going to post a list of everyone whose information was possibly lifted?
Re:a notice on their website? (Score:2)
I don't think that will be a problem. I'm sure the crackers will take care of that part for them.
I can just see the conversation on 1337 IRC chans (Score:5, Funny)
1337 h4xxor> The company I broke into published it in the morning newspaper!!!1!1!
5kr1p7 k1dd13> That's nothing!1!! I made the evening news!11!!!1!1
Re:I can just see the conversation on 1337 IRC cha (Score:1)
Correction: 0wnx0r3d (Score:5, Funny)
Darn slashdot editors! (Score:2)
Re:Darn slashdot editors! (Score:2)
RJKing: i pwned in that map, ll4m4s
Player: bfg wh0r3
Move... (Score:3, Interesting)
Re:Move... (Score:5, Informative)
Re:Move... (Score:4, Informative)
If you advertise in a California paper and sell to a California resident, that's governed by California law even if your corporate home is in another state.
If you have a branch in California, same deal. You're considered to be doing business *in* California, as opposed to across state lines.
There are a lot of complicated rules about what constitutes "doing business in" a state, rules which evolved back in the meatspace era.
Remember all those "void where prohibited" disclaimers? Those were short for "If your state doesn't allow this, I'm not offering it there, so I'm not soliciting business from anyone in your state".
All legal errors in the above are my fault. If you get in trouble because you got your legal education from Slashdot, that's your fault.
Re:Move... (Score:1)
In the true tradition of Slashdot, I haven't read the article. But isn't a business, albeit a web business, legally bound by the laws of the state where it is registered?
The physical location of the servers should be immaterial, or is it too rational to expect?
Re:Move... (Score:2)
Bleh.
internet is not only place where CC #s are stolen (Score:5, Informative)
Re:internet is not only place where CC #s are stol (Score:2)
The _only_ sure-fire way to prevent getting your CC# stolen is to not have a CC to start with. But that still doesn't protect you from identity theft, as someone can open a card in your name if they have your SSN from somewhere.
Bad/no credit to the rescue! (Score:2, Funny)
Ha! Finally, having bad/no credit is advantageous! They'll never be able to get a card in my name! Bwahaha!
Re:internet is not only place where CC #s are stol (Score:2)
You started using credit cards only three years ago? Why, in my day we had to use credit cards made out of stone, uphill, both ways, in the snow...
Seriously, you also have to consider "where" and "why" credit card numbers and such get stolen. For example, I've used credit cards over the net for (eeek! I'm old!) about 10 years, and the only problem I've had was some magazines that got charged to the card I use to pay my sister's account. That got fixed easily enough.
In the 30ish years I've used things
Re:internet is not only place where CC #s are stol (Score:2, Informative)
The next time you're at a restaurant, receive the bill, and you're about
What's worse? (Score:5, Funny)
Now I'm not sure what I should be more afraid to find in my email, this or spam....
Re:What's worse? (Score:2)
How about your email reader thinking this is spam?
Re:What's worse? (Score:2)
So what happens... (Score:5, Insightful)
Even if they didn't steal any information (other than some emails on the server) they could scare the living crap out of a lot of people....like a BIG practical joke.
Then the company would have to send out another email via the notification system to their customers....this ought to be interesting...why trust the company that claimed it was hacked yet it wasn't?
Re:So what happens... (Score:2)
Law takes effect Tuesday, July 1 (tomorrow)." (Score:4, Funny)
Re:Law takes effect Tuesday, July 1 (tomorrow)." (Score:2)
These cost $15 and up now...who do we think that cost is going to be passed on to? Do we believe the credit reporting agencies will absorb it?
No, they will pass it on to the businesses they sell to now, and those businesses will pass it on to the consumer, just as they always do. Thus the cost of credit will go up.
It is the consumer fleecing that I'm referring to.
Re:Law takes effect Tuesday, July 1 (tomorrow)." (Score:2)
To quote the parent:
Federal law requires that credit card companies send you a notice at least once a year if somebody has looked into your history, and they must provide a list of those people for free or a small fee already.
If the California law says they have to give it to you for free, I'll probably be moving.
Re:Law takes effect Tuesday, July 1 (tomorrow)." (Score:2)
I'm talking now only about the credit agencies, and the fees they charge.
While your points are valid, I believe they are another part of the entire credit/financial web, ebb and flow, and thus outside my comment.
Ok so we changed the topic to banks.... I mean, if the butterfly principle is true, and as small an action as an incorrect digit on a beauty shop balance sheet in Peru can affect the price of raw
Re:Law takes effect Tuesday, July 1 (tomorrow)." (Score:2)
So you mean that banks may have another point to compete on, security? And that I as the consumer will have the ability to determine if a bank has been having problems getting its act together from a sec
Need another law (Score:1, Funny)
I definitely want to know who I'm doing business with.
July 1 is New Law Day (Score:2)
Now if we can only get Daylight Savings Time here we might step into the 20th Century (nevermind the 21st!).
California's rules are... well, Californian (Score:2, Interesting)
Tripwire is one that comes to mind, and if used properly is an excellent forensic tool. Too bad some schmoes don't know that. I know an IT director who believes that wiping everything down and reinstalling from a backup image is the way to go. Of course - backups
Re:California's rules are... well, Californian (Score:2)
Re:California's rules are... well, Californian (Score:2)
Yeah, Tripwire is great, but it wouldn't help you know what's been stolen. It only detects modifications to files; it doesn't tell you if someone ran a 'sploit, sniffed a password or two, and lifted your cc# database. The access times would be useless too, as it's probably accessed way too much for that. You'd have to keep very detailed logs to figure out what had happened, and e
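The distinction made above, that a Tripwire-style integrity checker sees modified files but not files that were only read, is easy to demonstrate. The following is an added example written for this page, not Tripwire's code or anything from the thread: it baselines a directory by SHA-256 digest and size, then compares a later snapshot. The directory layout, file contents and intruder actions are all constructed for the demo.

```python
"""Tripwire-style file integrity baseline (illustrative, stdlib only).

Records a SHA-256 digest and size per regular file, then diffs a later
snapshot against that baseline. A file that is merely *read* keeps the
same digest and size, so a theft that only copies data out is invisible
to this kind of check; only writes show up.
"""
import hashlib
import os
import shutil
import tempfile


def file_digest(path):
    """SHA-256 of a file, streamed so large databases do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path (always '/' separated) -> (size, sha256)."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = (os.path.getsize(full), file_digest(full))
    return result


def compare(baseline, current):
    """Return {'added', 'removed', 'modified'} lists of relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline
                      if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: one binary trojaned, one database only read,
    one tool dropped. Returns the compare() report."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "data"))
        with open(os.path.join(root, "bin", "sshd"), "wb") as f:
            f.write(b"original sshd binary (constructed)")
        with open(os.path.join(root, "data", "cards.db"), "wb") as f:
            f.write(b"4111111111111111,2005-01\n")   # constructed test PAN

        baseline = snapshot(root)

        # Intruder action 1: replace sshd with a backdoored copy -> detected.
        with open(os.path.join(root, "bin", "sshd"), "wb") as f:
            f.write(b"backdoored sshd binary (constructed)")
        # Intruder action 2: copy the card database out. Read only -> invisible.
        with open(os.path.join(root, "data", "cards.db"), "rb") as f:
            _stolen = f.read()
        # Intruder action 3: drop an exploit source file -> detected as added.
        with open(os.path.join(root, "data", ".x.c"), "wb") as f:
            f.write(b"exploit source (constructed)")

        return compare(baseline, snapshot(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports `bin/sshd` as modified and `data/.x.c` as added, while `data/cards.db` appears nowhere in the report even though its entire contents were copied. That is the gap the comment describes: answering "what was stolen" needs access logging (database query logs, network flow records) on top of file integrity checks.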
Re:California's rules are... well, Californian (Score:2)
True, if you don't know there was a break-in, you don't know what has been stolen. All the more argument for encrypted traffic, encrypted passwords, and encrypted data. What you ideally should achieve is something where the effort is not worth it. Plain-text traffic is a method that should not work with sensitive account information.
If your credit card database is "lifted" it should be meaningless. Sniffing passwords on encrypted traffic should be pointless
Re:California's rules are... well, Californian (Score:3, Interesting)
Short answer... yes.
Why? Because it means they are paying attention and trying to make an effort at security.
It is doubtful all attacks will be prevented, and it's also doubtful all attacks will be monitored. However, all banks will experience attacks by crackers. If one slips by and it's detected, I would want to know about it.
I'm curious... (Score:5, Funny)
Heh. (Score:2)
No cards! (Score:1)
Encryption? (Score:2, Insightful)
Re:Encryption? (Score:2)
This project is on a deadline, and we will meet that deadline.
Add in the hordes of "month-degree" programmers, and you have a recipe for disaster.
Which is not to say that I'm all that good at security, because I know I'm not.
Encryption--important but not a cure-all... (Score:2)
make them pay (Score:5, Interesting)
They screwed up; they should incur the cost of cleaning up the mess. If companies were responsible to that degree, then watch how high security budgets would skyrocket. If they shouldn't be responsible to that degree with my sensitive information, then why bother passing legislation like this?
Actually, if you can prove it... (Score:2)
Does anyone know if there are Visa/MC policies on notifying them?
I wonder (Score:2)
Gray Davis Angriest at these Thefts (Score:2, Funny)
... and then they help the intruders. (Score:2, Interesting)
Prevention is far better than cure. (Score:5, Insightful)
These rules are good. I think both notification and public notices of being hacked should be required. But merchants and customers should be smarter to start with.
Many prominent ecommerce sites insist that if you buy with them, you have to open an account where your credit card info will be stored permanently (read the fine print on PayPal, for example, what happens when you try to erase it).
In order to permit you to reuse the credit card number without reentering it later, it generally has to be stored in a place accessible to the web server applications, aka a very hackable location. They usually claim to protect this via n-bit encryption, but their application can easily decrypt it, generally meaning that a hacker who owns the web server can as well.
If a brick-and-mortar merchant insisted on storing a xerox of the credit cards of all his customers in a filing cabinet on the sales room floor in case any time in the future they forgot their credit cards, I would still feel more secure than this sort of e-merchant makes me feel, because the volume of CC numbers is smaller and it can't be accessed remotely, compared with a database with millions of card numbers. There is a huge difference between temporarily using the credit card info in a transaction database and making it permanently available in an account database. Not only can transaction records be more fully isolated from the web servers than account records, but in the transaction case, the most that can be compromised is far less than the millions of credit card numbers compromised in an account database. You make yourself vulnerable forever if you do business with someone who wants to keep your credit card available in your account, and they probably will not even tell you if it is compromised.
IMO, good merchants do not insist on storing your credit card number in the account, but rather permit you to manually reenter it every time. Just like all the Microsoft email conveniences that turn out to be security holes, this sort of ecommerce convenience is asking to have your credit card number abused, with no notification. The number is safer in your wallet or travelling across SSL than in a web-server database with millions of other credit cards.
PayPal refuses to erase the account info even if you erase it. Perhaps this sort of law will eventually force irresponsible merchants to rethink the way they expose millions of cards to cracking. You can't hack what is not on the server.
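The comment above (and the earlier one arguing that a lifted card database "should be meaningless") both come down to one design question: can the web tier, which is the part an intruder most likely owns, recover card numbers? If the application decrypts stored cards with a key that lives next to it, the answer is yes. The added example below, written for this page rather than taken from any merchant or from the thread, shows the alternative the poster is asking for: the internet-facing tier stores only an opaque token and the last four digits, and a separate vault that exposes no detokenize operation holds the card numbers. Class and function names, the HMAC-based token scheme, and the two test card numbers are all assumptions constructed for the example.

```python
"""Keeping card numbers off the web tier: an illustrative tokenization design.

The WebTier (and its database) never stores a PAN. It holds an opaque
token plus the last four digits for display. The CardVault, assumed to run
on an isolated host, holds the PANs and offers only tokenize() and
charge(); there is deliberately no call that returns a PAN. All names
here are assumptions for the example.
"""
import hashlib
import hmac
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn check on a digit string; rejects typos before anything is stored."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class CardVault:
    """Isolated service. Maps token -> PAN internally and never exports it."""

    def __init__(self):
        self._by_token = {}
        self._secret = secrets.token_bytes(32)   # per-vault key, not on the web tier

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        # Keyed HMAC rather than a plain hash: a 16-digit PAN space is small
        # enough to brute-force from an unkeyed digest, a keyed one is not.
        token = hmac.new(self._secret, pan.encode(), hashlib.sha256).hexdigest()
        self._by_token[token] = pan
        return token

    def charge(self, token: str, cents: int) -> bool:
        """Stand-in for forwarding the PAN to the processor; the PAN stays here."""
        pan = self._by_token.get(token)
        return pan is not None and cents > 0


class WebTier:
    """Internet-facing application. Its account database holds no PANs."""

    def __init__(self, vault: CardVault):
        self._vault = vault
        self.accounts = {}   # user -> {"token": ..., "last4": ...}

    def save_card(self, user: str, pan: str) -> None:
        token = self._vault.tokenize(pan)
        self.accounts[user] = {"token": token, "last4": pan[-4:]}

    def pay(self, user: str, cents: int) -> bool:
        return self._vault.charge(self.accounts[user]["token"], cents)


def exposure_if_web_db_dumped(web: WebTier) -> list:
    """Everything an attacker gets by dumping the web tier's account table."""
    return [(u, rec["last4"], rec["token"]) for u, rec in web.accounts.items()]


def demo():
    """Constructed scenario with two standard test PANs. Returns
    (payment succeeded, dumped rows, rows that contain a usable PAN)."""
    vault = CardVault()
    web = WebTier(vault)
    web.save_card("alice", "4111111111111111")   # constructed test PAN
    web.save_card("bob", "5500000000000004")     # constructed test PAN
    paid = web.pay("alice", 1999)
    dump = exposure_if_web_db_dumped(web)
    usable = [row for row in dump if luhn_ok(row[2])]   # tokens are not PANs
    return paid, dump, usable


if __name__ == "__main__":
    print(demo())
```

The point of the split is that a full compromise of `WebTier` yields tokens and last-four digits that are useless outside this one merchant, while the vault can still be a small, heavily audited system with a narrow interface. It is the same isolation the comment describes for transaction records versus account records, applied to stored cards.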
Re:Prevention is far better than cure. (Score:2, Interesting)
News media? (Score:2)
What if the malicious attack is [paloaltoonline.com] the news media?
California is ahead on thinking about law. (Score:2)
But I thought information wants to be FREE! (Score:2, Funny)
These credit card numbers weren't 'stolen', they were LIBERATED!
It might get just like accounting... (Score:4, Interesting)
That's good news, more IT jobs coming up?
Will we see cracked OS stats? (Score:2)
Back when the attrition.org site was still counting defacements, you had an interesting stat: The number of defacements per OS version.
It would be very interesting to keep tabs on the OS versions of cracked systems, if only to avoid recommending them to new ecommerce sites.
Of course, this supposes that the cracked company will want to add shame to embarrassment. Hmmm, that will probably require a little nudge. Maybe friendly BOFHs will "leak" the OS version info in memos titled "I told you so, you freaki
MOD PARENT DOWN : -1, IDIOT DUMBASS (Score:1, Funny)
Re:Moving Out Of California (Score:1, Funny)
Thats a good one!