Popular UK-based biking site ChainReactionCycles.com has confirmed that a security breach on its systems led to fraud against its customers. Some of the cyclists who shopped with the site earlier this month noticed fraud against their credit cards days later, normally fraudulent purchases of mobile phone top-ups costing around £ …
Why store the credit card details?
Why are they storing the full credit card details in the first place? When I was working on a site which processed credit cards through HSBC, their guidelines specifically prohibited storing the credit card details, aside from the last 4 numbers.
"Details were being stolen 'real time'" suggests a man-in-the-middle attack or something similar, where data is intercepted in transit. Card details don't have to be stored for that, and probably aren't.
theft in realtime
The card detail theft was stated as being 'in realtime', which would imply that the numbers were sniffed from the wire, rather than from storage as you suggest.
and there was me thinking that the way the response stressed that they were being stolen in 'real time' indicated that it wouldn't have mattered whether they were storing details or not as they were being stolen as the details were transmitted. From my limited knowledge of financial transactions, I believe this is a point when the whole card number is rather important to enable the processing to happen and the correct account to be debited.
in "read time" for you
"Details were being stolen 'real time' ..."
No storage implied here, if the crack is inserted in-process. Read them the riot act, yes, but read the article first.
Hats off to them...
Good response - which is much more important than being invulnerable to start with.
Some reports suggest that this has been going on for more than just a month, so perhaps they could be criticized for not acting sooner. But it's good to see that they're going beyond the usual 'oops, sorry' response and are offering to compensate victims. That, and having outside experts confirm that the vulnerability has been fixed, should win back a lot of customers.
Good PR response from them.
Nice to see a company not only admit a flaw, but also go to such lengths to reassure affected customers. Far more honest and effective than a 'it wasn't anything to do with us' type response.
Although I was one of those affected, I have already purchased from them again.
Yup same here
I'm sure that my cards details went missing due to this but it won't stop me buying from them there service is excellent well done CRC
And I quote: "CRC deserves credit for responding quickly to reports of problems, bringing in experts to initiate an investigation, and keeping customers updated about what was happening throughout" unquote
This has been going on for well over a month and most people scammed never hear squat from CRC's customer service when enquiring about the possibility of fraud.
The only time CRC said anything was when this issue gained momentum through the various cycling Forums.
I think El Reg has been used by CRC as a virtual spin doctor! Perhaps you should have read some of the [cycling] Forum content that was linked in the Comments of the original article before complimeting CRC in any way at all...
You don't get service unless you let them know.
I was phoned and reassured by CRC after letting them know, but how many of those forum posters didn't even think to inform CRC of their predicament?
Much easier to whinge I guess.
If the hack is stealing card details in real time, most likely it means the checkout page scripts have had code inserted to pass the credit card number off to a site somewhere else that the shyster controls. It could be done without affecting the normal functionality of the site, so the store owner would probably not notice it was happening.
Achieving write access to modify checkout or other pages seems unlikely, but I've seen it done surprisingly often. A vulnerability like SQL injection can be used to gain back end admin access to the web site, from there one has the ability to upload images and downloadable files for product data. This upload capability can be exploited to upload a script with functions to enable you to write files. From here you can modify any file you like.
- use parametrized SQL queries to avoid SQL injection
- lock down back end systems by IP as well as just username/pw
- ensure file uploads even in the back end are hardcoded to only accept a limited range of file types
- don't have write permissions set in folders that can run scripts, or script permissions set in folders that accept uploads
I should add that the PCI certification system is a total joke. What it should do is make it 100% clear that most businesses should not be handling card data online at all, and should put a clear recommendation that the preferred route for most businesses should be to use a payment system where the card transaction happens off-site. I'm fed up of reading web advice to users that if they see the SSL padlock, they are safe, even when they have no idea what happens to their card details at the other end.
When the Register first mentioned the problem I looked at their website, there was no mention on their front page of a problem. There is also no mention in el reg's story that when CRC realised they had a problem they shut down their ecommerce site until the problem had been sorted. 5/10 at best!
El Reg going soft! Whatever next.
Not a whitewash
I didn't see any outage at CRC's ecommerce site. My card was scammed, but their customer service rep was as nice as could be when I called, and promptly sent me the £30 compo voucher mentioned above. Which I have now spent.
The Reg's coverage was pretty fair, but what I didn't see reported was how scammed cards were first tested by purchasing mobile phone top-ups before being used for bigger spends. But I understand this is an old story.