"we feel very badly"
I suggest they take off their mitts.
A breach at Network Solutions has exposed details for more than 500,000 credit and debit cards after hackers penetrated a system it used to deliver e-commerce services and planted software that diverted transactions to a rogue server, the hosting company said late Friday. The unauthorized software was in place from March 12 to …
Is this El Reg repeating the hack, gathering people's details itself and siphoning off funds?
"We have been working around the clock to get this announcement ready,"
Maybe working around the clock on security would make less work for the announcement department.
Makes you wonder just what IS actually safe and secure in this cyber-world we live in these days. Hardly a day goes by without a report of a data breach, malicious or otherwise, from somewhere in the world.
But my browser says the site is secure, it has a padlock on it and everything!
Maybe now people will start to think about the security of their payment providers rather than just worrying if they have a stupidly expensive 256-bit SSL certificate.
Also, after the smallest bit of searching I see that Network Solutions claim to be fully PCI compliant.
I always said PCI was just a licence to print money, what a complete joke.
The banks should put them out of business.
"We have been working around the clock to get this announcement ready"
How about working round the clock to actually do something useful, like, I dunno, maybe some network admin, IDS, you know, that boring stuff!
It's not so much the fact that their servers were owned that I find shocking, it's that they were owned for 3 months!
to use a one-time charge number for each and every online purchase.
If your credit card provider does not offer this service, it might be time to switch.
This story has got me thinking... As we are a small e-shop - what happens to the etailer when card details are exposed in a manner beyond the etailer's control?
Is there a liability insurance scheme which can cover this situation?
What if for instance a crooked person inside your server's ISP is diverting card info from your site and since he/she has full root can mask himself/herself .. leaving just the e-tailer to point the finger to???
I think an article on these lines would be warranted - examine all the kinds of ways theft of cc data can be exposed and what liabilities there are etc....
PCI really is a joke. Current client has an official PCI compliance certificate, obtained from one of the poor sods who paid at least $20k+$10k/yr for the "right" to issue said certificates, yet his security is utterly laughable (it's what I was hired to fix).
PCI compliance is a scam, a ruse, a fucking bad joke.
The reasoning is that if they make clients jump through one more hoop, they might lose either/both client/sale%. Thus, things remain as is...
What I think would be a better way, would be to FORCE them all to provide a REALLY SAFE process as an alternative. That way anyone that cared more for safety could take the safe route, others the "fast and easy" way.
Anyway, just another nice example of how some bizz sector seems to be exempt from any checks at all...
If any of these details were to be misused the bad rep would land squarely on the shoulders of the retailer using NS' services. Sure, it isn't their fault - but if you use a company and then your card details are used to buy laptops in Nigeria you're unlikely to ever use that company again - so this situation could have been much much worse.
Seriously, in cases like this, I'm happy for the person(s) that planted it.
All credit cards should be re-issued with a "secure id" built in. That way, even if numbers are taken, you won't be able to use it. The secure id changes every 60 seconds or so, it's just one more layer but it is very effective. I used to use these at work and it's pretty foolproof. An added pain, but one worth the effort.
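The token the commenter describes is a time-based one-time code of the kind standardised in RFC 6238 (TOTP): the code is an HMAC over the current time step, so a number captured in a breach is only valid for its own step. The block below is an added illustration, not code from the commenter or from any card issuer; it assumes a 60-second step (the "every 60 seconds or so" above), a constructed demo secret, and a verifier that tolerates one step of clock drift. The `replay_fails` helper models the defender's point: a code skimmed at one time and replayed ten minutes later is rejected.

```python
import hmac
import hashlib
import struct
import time

# Constructed demo secret for illustration only; a real token is provisioned with its own key.
DEMO_SECRET = b"constructed-demo-secret-key-01"
STEP_SECONDS = 60   # assumption: the commenter's "changes every 60 seconds"
DIGITS = 6


def totp_code(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 code: HMAC-SHA1 over the big-endian time counter, then RFC 4226 dynamic truncation."""
    counter = unix_time // step
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble of the last byte picks the window
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_code(secret: bytes, submitted: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Accept the current step plus/minus skew_steps for clock drift; compare in constant time."""
    for delta in range(-skew_steps, skew_steps + 1):
        candidate = totp_code(secret, unix_time + delta * STEP_SECONDS)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def replay_fails(secret: bytes, stolen_at: int, replayed_at: int) -> bool:
    """Model a code captured at stolen_at and replayed at replayed_at; True means the replay is rejected."""
    stolen = totp_code(secret, stolen_at)
    return not verify_code(secret, stolen, replayed_at)


if __name__ == "__main__":
    now = int(time.time())
    code = totp_code(DEMO_SECRET, now)
    print("current code:", code, "accepted now:", verify_code(DEMO_SECRET, code, now))
    print("same code ten minutes later rejected:", replay_fails(DEMO_SECRET, now, now + 600))
```

The skew window is the usual trade-off: one step either side keeps a slightly slow card clock usable without extending how long a captured code stays live. A real issuer would also record each accepted code per step so that even a fresh code cannot be used twice within its own window.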
PCI isn't a joke. Jokes are funny - PCI is an ongoing disaster. Just check out all the registered providers of PCI services and you'll see why this scam has propagated itself so successfully. Got a copy of AppScan and Nessus? Great! You can be a PCI provider.