Cotton Traders mauled by hackers

Cotton Traders has become the latest firm to spill sensitive customer account details. The retailer confirmed on Tuesday that payment details were exposed following an attack on its website earlier this year. Around 38,000 customers were affected by the breach, the BBC reports. Cotton Traders claims this figure is "widely …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Black Helicopters

    38000 "widely inaccurate"

    I notice that they don't even say which direction it's inaccurate in...

  2. dervheid
    Alert

    "Police are investigating the case"

    That'll be a bloody novelty then!

  3. Solomon Grundy

    Fur Traders

    Fur Traders have become the latest group to give up personal information. They say the chance of the information being used is low because most of their members are Amazonian Roller Derby Queens who aren't known for having large credit limits.

  4. Dafydd Lawrence

    Encrypted data

    On this and the BBC story it is stated that Cotton Traders say "customer credit card data is encrypted on our website". Neither actually get a quote stating it WAS encrypted at the time of the security breach.

    The journalist in this article states that the data was encrypted but is that an assumption from the above quote or was it actually stated by the company?

  5. Coalescence
    IT Angle

    Bad BBC, Bad boy.

    I watched the piece on the BBC last night about this.

    I was quite concerned when they first said that this hack could only be carried out by an organised group of hackers, which is a blatant fallacy.

    Also their advice to users was to check for HTTP_S_. Making sure that there's an S at the end. Hmm... ok, that has its own set of questions, but if the site stores CC details on their database servers (if they have PCI compliance) then no amount of HTTPSing would stop that.

  6. RainForestGuppy
    Thumb Down

    Encrypted data

    Dafydd/Coalescence

    In terms of PCI the reason for having HTTPS is to ensure that the details are encrypted in transit from the client to the server and to ensure that the server is who it says it is. This would stop packet capturing, man-in-the-middle attacks, redirecting frames, etc ** which could be used to capture individual payment card details. As Coalescence says it doesn't make the site secure, but at least it's better than having the data transferred in clear text.

    The statement "customer credit card data is encrypted on our website" doesn't make much sense. If Cotton Traders followed PCI DSS (req 1.3) the info should be stored in a database not in the same DMZ as the webservers themselves. However even if the database is encrypted it doesn't necessarily make it more secure as most people just encrypt the database rather than the data inside it. This means that an app can still read the data in clear as long as it can access the database correctly.

    My guess is that either a) the database server was accessible from the internet or b) it was subject to SQL injection which meant it was a simple case of creating a Select statement that dumped all the customer info.

    b) is the most likely and I've demo'd that before to people who claimed to have secure sites.

    ** Of course if people ignore the warning about incorrect/invalid certificates these attacks would still work.
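An added example, not code from the thread or from Cotton Traders, of the distinction RainForestGuppy draws between encrypting the database and encrypting the data inside it: the application holds the key and encrypts the card number field itself, so a raw dump of the cards table (however it is obtained) yields ciphertext and the last four digits, never the PAN. The `Vault`, `CardRow`, `Store` and `Open` names are assumptions; whether the database server is itself encrypted plays no part in the result.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// CardRow is one cards-table record. With whole-database encryption PAN is
// cleartext to any query; with field-level encryption it holds hex(nonce||ct).
type CardRow struct{ Customer, Last4, PAN string }

// Vault holds the application's key; the database server never sees it.
type Vault struct{ aead cipher.AEAD }
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Vault{aead}, err
}

// Store builds the row as an app doing field-level encryption would: a fresh nonce
// per value, customer name bound as associated data, only the last four in clear.
func (v *Vault) Store(customer, pan string) (CardRow, error) {
	if len(pan) < 4 {
		return CardRow{}, errors.New("PAN too short")
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return CardRow{}, err
	}
	ct := v.aead.Seal(nonce, nonce, []byte(pan), []byte(customer))
	return CardRow{customer, pan[len(pan)-4:], hex.EncodeToString(ct)}, nil
}

// Open recovers the PAN; it fails on a wrong key, a tampered value, or a
// value copied in from a different customer's row.
func (v *Vault) Open(r CardRow) (string, error) {
	raw, err := hex.DecodeString(r.PAN)
	ns := v.aead.NonceSize()
	if err != nil || len(raw) < ns {
		return "", errors.New("malformed stored value")
	}
	pt, err := v.aead.Open(nil, raw[:ns], raw[ns:], []byte(r.Customer))
	return string(pt), err
}
```

Key management (where the application keeps the AES key, and rotating it) is the part PCI DSS then asks about; this block only shows why a dump of the table stops being a dump of card numbers.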

  7. jai

    cover up

    Why didn't they tell the rest of their users about this? How come they know exactly which users were affected, and so there was no need to at least mention it to the rest of their customers so that we could keep an eye on our accounts just in case?

  8. Anonymous Coward
    Unhappy

    cover up

    My dad's bought stuff from them before and his Maestro card was cloned and a copy of it used. The bank only knew it was cloned as he'd just taken money out in Paisley and someone then tried to take money out in London 20 mins later. The bank said it was caused by spyware on the computer but I guess I now know how the details were copied. He's never got anything from Cotton Traders.

  9. Pete
    Dead Vulture

    Cover UP

    I too am an unfortunate user of the Cotton Traders website who has had his credit card details stolen, I assume as a result of this attack. Lucky for me my credit card provider managed to spot its fraudulent use instantly, telephoning me to inform me, and cancelling the card immediately. Interestingly though, I haven't been informed by Cotton Traders of any possible security breach, so do they know exactly whose details are affected?

  10. Xpositor
    Unhappy

    No of cards affected

    I was unfortunately having to deal with a CC company yesterday, having found that some third-party had tried to pay their bank account £1800 from my account. Whilst on the phone to their investigations department, I mentioned the Cotton Traders report, and he laughed, saying that it was around 85,000 cards at his company alone.

    Somebody is hiding something here - why are Cotton Traders not being forthright about the numbers involved...?

  11. tony trolle
    Pirate

    was

    quote from main man "was now encrypted on its website". ha ha arrrrr

    well at least not more than 2.3 million details......

    Funny; in china some would get shot over this.

  12. Anonymous Coward
    Unhappy

    Lack of Communication

    As a long-term customer with Cotton Traders, I am disappointed that no communication was made in reference to this breach of data. Consequently the details of my card were used in April and May without my authorisation. If Cotton Traders had informed customers of this breach, then steps could have been taken to minimise this fraud.
