Bot-ched security: Chat system hacked to slurp hundreds of thousands of Delta Air Lines, Sears customers' bank cards Hackers are feared to have swiped sensitive personal information held by two of the best known companies in the US – after malware infected a customer support software maker. Both Sears and Delta Air Lines said Wednesday that hundreds of thousands of customers' payment card numbers, expiration dates, and CVV security codes, …
For something like this, there should independent certification. Not paid for by the client, but out of an online merchants pool etc, that verifies ongoing competence & compliance. The certification should be tied to individuals, not phoenix corporations.
So if you're a company director of this kind of bot or chat service, and you drop the ball, you can never work with CC info ever again. One strike and you're out, that's it. Because lets be honest, every day we are closer to losing the cyber-war - drip by drip...
> independent certification
Like the independent PCI Qualified Security Assessors? The QSAs I've met are smart, paranoid bullies - it's up to you to convince them that you're handling PCI data appropriately, or no certification for YOU. Don't try to BS them, and don't lie to them - they're bulletproof and any consequences will be on you. Including possible criminal fraud charges.
Not that I've ever heard of a merchant having their ability to take cards withdrawn, but I guess their handling fees go up significantly.
I wish I could upvote your comment twice.
PCI is a very strong framework to prevent these types of issues. If major corporations are not following these practices them someone senior there is incompetent or negligent.
There is no need to reinvent the wheel.
"So if you're a company director of this kind of bot or chat service, and you drop the ball, you can never work with CC info ever again. One strike and you're out, that's it."
Right.
So you want to MAKE SURE THAT THEY WILL NEVER EVER EVER LET ANYONE KNOW THEY WERE HACKED?
As ideas go, this is right up there with mandatory death penalties for sexual assault.
The result will NOT be what you want.
"hundreds of thousands of customers' payment card numbers, expiration dates, and CVV security codes, were extracted by the malware and siphoned to its masterminds."
At the risk of sounding tedious, why aren't these records stored in an encrypted form and only allow login access requiring the presence of a hardware dongle that issues a one-time ticket to succeed, something Kerberos
"We are confident that the platform is secure .. we cannot say definitively whether any of our customers’ information was actually accessed"
I'm sorry Dave, I don't understand that bit ..
I get the impression the chats were snooped to siphon off the CC details, so even if they were never stored by the merchant or their partner, they'd been intercepted. The next problem for the criminals would have been to store and exfiltrate the data without being caught by Data Loss Prevention tools scanning for card-like data - not impossible, but yet another hurdle. Given the short time between the attack and detection, DLP scanning may well have been what saved this from being much worse..
This shitty code is in your medical devices, cars, industrial systems, phones and most devices in your homes. It's present on every website you visit.
Insecure by negligence and stupidity, it's everywhere in your life.
But hey - psychopaths are running the companies that make this stuff & they don't give a shit. They are cutting cost to get paid. You are not the 1% so fuck you.
code is written by offshore idiots to the lowest price
Sad but true AC, sad but true.
Code automates process. Process is work. You're paying once to have something you can run for years. Its supposed to be expensive - being a code coder rather than thinking you're a good coder takes decades and a lot of study.
I know a lot of millenials will disagree with the idea that the benefits of experience take time to accrue, but I also know that in time they'll agree with me. And why. Offshore body shops are the very antithesis of good code. In over 20 years professional experience I have never once seen good offshore code.
Does no-one in modern IT do any QA or use Version Control? What ever happened to code reviews? Checking that what is being deployed is what was designed, and that other parts of the code haven't been changed? This is software development 101 people. Maybe it's all Git's fault - in which case throw it away and use tools that are fit for purpose. I know the toolchain I use does all this because it's the single most import reason why we use change management - to track what changes, because our QA and release process regularly asks: what changed? and needs good answers.
From the Delta.com/response web site:
We understand malware present in [24]7.ai’s software between Sept. 26 and Oct. 12, 2017, made unauthorized access possible for the following fields of information when manually completing a payment card purchase on any page of the delta.com desktop platform during the same timeframe: name, address, payment card number, CVV number, and expiration date.
So the answer is how an outsourced chat bot could access credit card info is answered - because it can access the DOM of the page beneath it.
Most hacked entities don't even know that they have been hacked for months or years. Others who have been hacked fail to report the hacking even though it's required under U.S. law. Having firsthand experience with this type of situation, I can assure that the crims have the upper hand and that apathy is more common by law enforcement than you would believe. This just encourages the crims.
"While we believe we have identified with some precision the transactions that could have been impacted, we cannot say definitively whether any of our customers’ information was actually accessed or subsequently compromised," Delta said.
Yeah, see, Delta would like me to interpret that as saying "probably none of our customers were affected", where as I interpret it as being "We've lost the lot - if you've ever flown with us then we've spaffed your data over the internet for all to see".
Having a third party might sound like fun. But, having a third party ask you to open arbitrary ports and white-list hoards of domains, including blanket CDN's, happens way too often. It's as if they want to tell you what your security policy should be. With all the third parties that you could have, and you could have hundreds, what kind of security policy would you have if you just went ahead and did whatever they told you? Third parties need to conform to your security policy--not the other way around.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
