Crowd-funding site Kickstarter is the latest high-profile Internet property to call on users to reset their passwords, after announcing that an attacker had made off with their account records. However, the site is at pains to emphasise that attackers won't have access to credit card data. In this announcement, the company's …
Mysterious 'frozen card' calls last Thursday...
I got a couple of 'phishing' phone calls last Thursday & Friday saying my card was frozen and please call X number. My card wasn't frozen, someone was trying to get more info about me and all three of my card providers said that they had a sudden large volume of customer inquiries about frozen cards.
I wonder if this is related as I have a Kickstarter account and have funded 10+ projects.
Kickstarter is probably correct in stating that the hackers didn't have access to credit card data. Afaik, they use Amazon for the actual transactions, and Kickstarter isn't really involved in processing the credit card payments.
"... Kickstarter retains the last four digits of non-US credit cards ..."
So they are involved? Or do Amazon pass this data back to Kickstarter?
Only if you are in the US; it's definitely changed, as a Kickstarter I pledged for a week before didn't go via Amazon. I'm not sure when this changed or who they use (or whether it's themselves), as previous Kickstarters required Amazon.
That would explain why I got one from Amazon Payments: last 4 digits right, but all the rest was wrong.
Initially, Kickstarter only hosted projects originating from the US. These were/are USD based, and use Amazon for actual credit card operations as far as I know. However, KS recently introduced support for projects from other areas (UK / GBP, Canada / CAD, etc.) and payment for these clearly goes through another route (i.e. you don't need to log into any external site, like you need with Amazon, to pay). I have no idea if those payments are actually processed by KS itself, a different 3rd party, or how exactly it all works, but it does look like FULL credit card numbers might be held by others than Amazon too.
I hope the passwords were hashed, and not encrypted...
Passwords were hashed
I was a bit stressed about what they did with passwords as well - the comment (link below) from a Kickstarter person is that:
"... we're being very public with how we hashed them: older Kickstarter passwords used SHA-1 digested multiple times. More recent passwords are encrypted with bcrypt."
Discussion here - https://news.ycombinator.com/item?id=7245349
encrypt (transitive verb, in-ˈkript, en-): to change (information) from one form to another especially to hide its meaning
What part of that definition does salted hashing not satisfy?
Anyway it's obvious they were just trying to put it in layman's terms, for the techies they go on to state what hashing algorithms they used.
Just makes me miss the 70s and 80s trial bike TV show.
Especially the episode with the St John Ambulance guy repeatedly falling into a hole.
Never pledged... never seen anything of interest the couple of times I've looked.
They probably don't process the cards themselves; most payment processors will pass back the last 4 digits of the card, expiry date and address details to the website so that it can be stored for records. As for the encrypted vs hashed argument, that depends on whether the web servers were compromised as well as the data store. You would have to get hold of the encryption key too, otherwise it's better than a hash, but with the inherent problem that if the key is found in your infrastructure then it's far worse than a hash.
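To make the two schemes in the Kickstarter quote above ("SHA-1 digested multiple times" versus bcrypt) and the encrypted-vs-hashed point concrete, here is an added example that is not from the article or any commenter: it contrasts a repeated, unsalted SHA-1 digest with a salted, iterated hash. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt (which needs a third-party package), and the round counts are assumptions.

```python
import hashlib
import hmac
import os

# Legacy scheme as the comment describes it: SHA-1 applied repeatedly.
# No per-user salt is assumed here, to show why that matters.
def legacy_sha1_hash(password: str, rounds: int = 1000) -> str:
    digest = password.encode()
    for _ in range(rounds):
        digest = hashlib.sha1(digest).digest()
    return digest.hex()

# Modern scheme: random per-user salt plus a tunable work factor, with the
# salt and round count stored next to the digest (bcrypt does the same).
def salted_hash(password: str, salt: bytes = b"", rounds: int = 100_000) -> str:
    if not salt:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"

# Verification re-derives the digest from the stored salt and rounds and
# compares in constant time, so nothing reversible ever needs to be stored.
def verify_salted(password: str, stored: str) -> bool:
    _, rounds, salt_hex, dk_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(candidate.hex(), dk_hex)

# True when two independent stores of the same password collide: with the
# unsalted legacy scheme every user sharing a password shares a digest, so
# one lookup table serves the whole dump; with a salted scheme it is False.
def shared_digest(scheme, password: str) -> bool:
    return scheme(password) == scheme(password)

if __name__ == "__main__":
    pw = "correct horse"  # constructed sample password
    print("legacy collides across users:", shared_digest(legacy_sha1_hash, pw))
    print("salted collides across users:", shared_digest(salted_hash, pw))
    print("verify ok:", verify_salted(pw, salted_hash(pw)))
```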