Security 101: When e-commerce sites make epic flubs
November 6, 2008
See this Computerworld article about how credit card thieves have been helped by “well designed” software? Jeez Louise.
The Department of Justice is charging 11 people with fraud in what is considered one of the largest and most organized credit card theft operations ever, targeted at BJ’s Wholesale Club, TJX, DSW Shoe Warehouse, OfficeMax, Barnes & Noble, Boston Market, Sports Authority, and Forever 21.
The thieves used a “packet sniffer” on wireless networks: once they had broken into a company’s wireless network, they could watch customer logins or intercept transactions. With the right access in hand, they could probably see everything, including any stored credit card numbers, Social Security numbers, etc.
Since many login processes don’t use Secure Sockets Layer (SSL), they’re easy targets and the obvious weak link. Even if passwords are stored encrypted, if the login isn’t across SSL the password is sent as clear text in the login request! Trying to encrypt on the client side is worthless, since the code is exposed and easy to crack. It’s even easier to capture real-time transaction requests carrying sensitive data when they are made outside of SSL.
Once the thieves had the information, they decrypted PINs, made new cards, and then got cash from ATMs. The Department of Justice says the thieves sold credit card data on Web sites that specialize in trading that information. Millions of dollars were lost. And they operated globally, using offshore banks and other methods to turn stolen data into cash.
The solutions here are obvious. Most advanced e-commerce sites complete all of their checkouts across SSL to block that avenue of attack, but few run all logins across SSL. Even if the system doesn’t store credit card numbers or other sensitive data, getting login information could expose other valuable data a thief could use.
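As an added example (not from the Computerworld article or this post), here is a small Python check that walks a page’s forms and flags any password form whose submission would not travel over https; the page URL and sample HTML are constructed for the demonstration:

```python
# Added example, not from the original post: audit HTML login forms and report
# any whose credentials would travel over plain http. Sample HTML is constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormScanner(HTMLParser):
    """Collect (action, has_password_field) for every <form> in the page."""
    def __init__(self):
        super().__init__()
        self.forms = []       # finished forms
        self._cur = None      # [action, has_password] while inside a <form>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = [a.get("action") or "", False]
        elif tag == "input" and self._cur is not None:
            if (a.get("type") or "").lower() == "password":
                self._cur[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            self.forms.append(tuple(self._cur))
            self._cur = None


def insecure_login_forms(page_url, html):
    """Return resolved action URLs of password forms that do not post over https."""
    # A relative (or empty) action inherits the scheme of page_url, so a login
    # form on an http page is flagged even though its action looks harmless.
    scanner = _FormScanner()
    scanner.feed(html)
    flagged = []
    for action, has_password in scanner.forms:
        target = urljoin(page_url, action)      # "" resolves to the page itself
        if has_password and urlparse(target).scheme != "https":
            flagged.append(target)
    return flagged


# Constructed sample: a login form with a relative action, a search form
# (no password field, ignored) and a login form that already posts to https.
SAMPLE_HTML = """
<form action="/login" method="post"><input name="user"><input type="password" name="pw"></form>
<form action="/search"><input name="q"></form>
<form action="https://shop.example.com/login" method="post"><input type="PASSWORD" name="pw"></form>
"""
```

Run it against the same HTML served from an https page and the first form is no longer flagged, which is exactly the point: a relative action is only as safe as the page that carries it.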
From my standpoint, it’s hard to believe that this stupid stuff is still going on. We’re talking absolute Security 101 here. But, then again, after the Wall Street shenanigans, anything is possible in the Wide World of Dumb.
There’s no question that it’s time for some of these negligent IT people — and their CEOs — to do the perp walk. The only way to get their attention is by gently squeezing their cajones … for three to five years.
U.S. Rep. Stephanie Tubbs Jones Died
November 6, 2008
Stephanie Tubbs Jones was the first black woman to represent Ohio in Congress. She was only 58 years old when she died.
Testing My SEO Skills “Captivating Capiz”
November 6, 2008
Looking for
Two more Maori electorate polls due tonight - Maori Television
November 6, 2008
Maori Television has decided to release the last two political polls for the Maori electorates of Hauraki Waikato and Ikaroa Rawhiti tonight, rather than on Wednesday. I’ll have those after 8pm tonight.
No charges for former NY governor - BBC Americas
November 6, 2008
Former New York Governor Eliot Spitzer will not face criminal charges over his role in a prostitution scandal, federal prosecutors say. US Attorney Michael Garcia said investigators found no evidence that Mr Spitzer or his office had misused public or campaign funds. Mr Spitzer was forced from
Miami jury convicts ex-FBI agent in 1982 killing - Philadelphia Inquirer
MIAMI - Former FBI agent John Connolly has been convicted of second-degree murder in the 1982 slaying in Miami of a gambling executive with ties to Boston mobsters. Jurors deliberated less than three days before delivering the verdict following a two-month trial. The jury acquitted Connolly of