I notice that they don't even say which direction it's inaccurate in...

That'll be a bloody novelty then!

I watched the piece on the BBC last night about this.

I was quite concerned when they first said that this hack could only be carried out by an organised group of hackers, which is a blatant fallacy.

Also their advice to users was to check for HTTP_S_. Making sure that there's an S at the end. Hmm... ok, that has it's own set of questions, but if the site stores CC details on their database servers (if they have PCI compliance) then no amount of HTTPSing would stop that.

Dafydd/Coalesence

In Terms of PCI the reason for having HTTPS is to ensure that the details are encrypted in transit from the client to the server and to ensure that the server is who it says it is. This would stop packet capturing, man in the middle attacks, redirecting frames, etc ** which could be used to capture individual payment card details. As Coalesence says it doesn't make the site secure, but at least it's better than having the data transferred in clear text.

The statement "customer credit card data is encrypted on our website" doesn't make much sense. If Cotton traders followed PCI DSS (req 1.3) the info should be stored in a Database not in the same DMZ as the webservers themselves. However even if the database is encrypted it doesn't necessarily make it more secure as most people just encrypt the database rather than the data inside it. This means that an app can still read the data in clear as long as it can access the database correctly.

My guess is that either a) the database server was accessible from the internet or b) it was subject to SQL injection which meant it was a simple a case of creating a Select statement that dumped all the customer info.

b) is the most likely and I've demo'd that before to people who claimed to have secure sites.

** Of course if people ignore the warning about incorrect/invalid certificates these attacks would still work.

my dad's bought stuff from them before and his mastero card was cloned and a copy of it used the bank only knew it was cloned as he'd just took money out in paisley and someone then tried to take money out in London 20mins later. the bank said it was caused by spyware on the computer but I guess I now know how the details were copied. he's never got anything from cotton traders.

I too am an unfortunate user of Cotton Traders Website who has had his credit card details stolen, I assume as a result of this attack. Lucky for me my credit card provider managed to spot its fraudulent use instantly, telephoning me to inform me, and canceling the card immediately. Interestingly though, I haven't informed by Cotton Traders of any possible security breach, so do they know exactly who's details are affected?

I was unfortunately having to deal with a CC company yesterday, having found that some third-party had tried to pay their bank account £1800 from my account. Whilst on the phone to their investigations department, I mentioned the Cotton Traders report, and he laughed, saying that it was around 85,000 cards at his company alone.

Somebody is hiding something here - why are Cotton Traders not being forthright about the numbers involved...?

quote from main man "was now encrypted on its website". ha ha arrrrr

well at least not more than 2.3 million details......

Funny; in china some would get shot over this.

As a long term customer with Cotton Traders, I am disapointed that no communication was made reference this breach of data. Consequently the details of my Card were used in April and May without my authorisation. If Cotton Tradres had informed customers of this breach, then steps could have been taken to minimise this fraud.