Cotton Traders has become the latest firm to spill sensitive customer account details. The retailer confirmed on Tuesday that payment details were exposed following an attack on its website earlier this year. Around 38,000 customers were affected by the breach, the BBC reports. Cotton Traders claims this figure is "widely …
38000 "widely inaccurate"
I notice that they don't even say which direction it's inaccurate in...
"Police are investigating the case"
That'll be a bloody novelty then!
Fur Traders have become the latest group to give up personal information. They say the chance of the information being used is low because most of their members are Amazonian Roller Derby Queens who aren't known for having large credit limits.
On this and the BBC story it is stated that Cotton Traders say "customer credit card data is encrypted on our website". Neither actually gets a quote stating it WAS encrypted at the time of the security breach.
The journalist in this article states that the data was encrypted but is that an assumption from the above quote or was it actually stated by the company?
Bad BBC, Bad boy.
I watched the piece on the BBC last night about this.
I was quite concerned when they first said that this hack could only be carried out by an organised group of hackers, which is a blatant fallacy.
Also their advice to users was to check for HTTP_S_. Making sure that there's an S at the end. Hmm... ok, that has its own set of questions, but if the site stores CC details on their database servers (if they have PCI compliance) then no amount of HTTPSing would stop that.
In terms of PCI the reason for having HTTPS is to ensure that the details are encrypted in transit from the client to the server and to ensure that the server is who it says it is. This would stop packet capturing, man-in-the-middle attacks, redirecting frames, etc ** which could be used to capture individual payment card details. As Coalesence says it doesn't make the site secure, but at least it's better than having the data transferred in clear text.
The statement "customer credit card data is encrypted on our website" doesn't make much sense. If Cotton Traders followed PCI DSS (req 1.3) the info should be stored in a database not in the same DMZ as the webservers themselves. However even if the database is encrypted it doesn't necessarily make it more secure as most people just encrypt the database rather than the data inside it. This means that an app can still read the data in clear as long as it can access the database correctly.
My guess is that either a) the database server was accessible from the internet or b) it was subject to SQL injection which meant it was a simple case of creating a Select statement that dumped all the customer info.
b) is the most likely and I've demo'd that before to people who claimed to have secure sites.
** Of course if people ignore the warning about incorrect/invalid certificates these attacks would still work.
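The two points made in the comment above (a concatenated SELECT can dump the whole customer table, and "encrypting the database" still hands an app, or an injected query, the card numbers in clear) as an added, self-contained Python example that is not part of the original thread. The customer rows are constructed sample data, and the tokenised variant stands in for any field-level protection, assuming a separate vault maps token to card.

```python
import sqlite3
import secrets

# Constructed sample data (not from the page): three customer records.
CUSTOMERS = [
    ("alice", "4111111111111111"),
    ("bob", "5500000000000004"),
    ("carol", "340000000000009"),
]


def build_db(store_plaintext_pan):
    """In-memory orders table. With store_plaintext_pan=True the full card
    number sits in the row (the 'database is encrypted but the data inside
    is not' case: anything that can query the table reads it in clear).
    Otherwise only the last four digits plus an opaque token are stored;
    the token-to-card mapping is assumed to live in a separate vault."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (customer TEXT, pan TEXT, last4 TEXT, token TEXT)")
    for name, pan in CUSTOMERS:
        if store_plaintext_pan:
            row = (name, pan, pan[-4:], "")
        else:
            row = (name, "", pan[-4:], secrets.token_hex(8))
        db.execute("INSERT INTO orders VALUES (?, ?, ?, ?)", row)
    return db


def orders_for_vulnerable(db, customer):
    # String concatenation: the user-supplied value becomes part of the SQL text,
    # so a value containing a quote and an OR clause matches every row.
    sql = "SELECT customer, pan, last4, token FROM orders WHERE customer = '" + customer + "'"
    return db.execute(sql).fetchall()


def orders_for_safe(db, customer):
    # Parameterised: the value is bound to a placeholder and never parsed as SQL.
    sql = "SELECT customer, pan, last4, token FROM orders WHERE customer = ?"
    return db.execute(sql, (customer,)).fetchall()


# The textbook tautology input; a legitimate customer name never matches it.
INJECTED = "x' OR '1'='1"


def demo():
    plain, tokenised = build_db(True), build_db(False)
    return {
        "vulnerable_plain_rows": len(orders_for_vulnerable(plain, INJECTED)),
        "safe_plain_rows": len(orders_for_safe(plain, INJECTED)),
        "vulnerable_plain_pans": sorted(r[1] for r in orders_for_vulnerable(plain, INJECTED)),
        "vulnerable_tokenised_pans": sorted(r[1] for r in orders_for_vulnerable(tokenised, INJECTED)),
    }
```

Parameterisation stops the dump; field-level protection limits what a dump is worth if some other path to the database is found.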
Why didn't they tell the rest of their users about this? How come they know exactly which users were affected, so there was no need to at least mention it to the rest of their customers so that we could keep an eye on our accounts, just in case?
My dad's bought stuff from them before and his Maestro card was cloned and a copy of it used. The bank only knew it was cloned as he'd just taken money out in Paisley and someone then tried to take money out in London 20 mins later. The bank said it was caused by spyware on the computer, but I guess I now know how the details were copied. He's never got anything from Cotton Traders.
I too am an unfortunate user of the Cotton Traders website who has had his credit card details stolen, I assume as a result of this attack. Lucky for me my credit card provider managed to spot its fraudulent use instantly, telephoning me to inform me, and cancelling the card immediately. Interestingly though, I haven't been informed by Cotton Traders of any possible security breach, so do they know exactly whose details are affected?
No. of cards affected
I was unfortunately having to deal with a CC company yesterday, having found that some third-party had tried to pay their bank account £1800 from my account. Whilst on the phone to their investigations department, I mentioned the Cotton Traders report, and he laughed, saying that it was around 85,000 cards at his company alone.
Somebody is hiding something here - why are Cotton Traders not being forthright about the numbers involved...?
Quote from the main man: "was now encrypted on its website". Ha ha arrrrr
Well, at least not more than 2.3 million details......
Funny; in China some would get shot over this.
Lack of Communication
As a long-term customer with Cotton Traders, I am disappointed that no communication was made in reference to this breach of data. Consequently the details of my card were used in April and May without my authorisation. If Cotton Traders had informed customers of this breach, then steps could have been taken to minimise this fraud.