back to article Bot-ched security: Chat system hacked to slurp hundreds of thousands of Delta Air Lines, Sears customers' bank cards

Hackers are feared to have swiped sensitive personal information held by two of the best known companies in the US – after malware infected a customer support software maker. Both Sears and Delta Air Lines said Wednesday that hundreds of thousands of customers' payment card numbers, expiration dates, and CVV security codes, …

  1. Anonymous Coward
    Anonymous Coward

    What was Delta's outsourced chat doing with cc / cvv?

    New day, new breach / leak / hack. Reminds me of water leaks. Wherever the weak points are in your plumbing you'll be found out! Hope GDPR asks tough questions like: did you need to share all that info with a chat service?

    1. Anonymous Coward
      Anonymous Coward

      GDPR Fines may help - But its not enough...

      For something like this, there should independent certification. Not paid for by the client, but out of an online merchants pool etc, that verifies ongoing competence & compliance. The certification should be tied to individuals, not phoenix corporations.

      So if you're a company director of this kind of bot or chat service, and you drop the ball, you can never work with CC info ever again. One strike and you're out, that's it. Because lets be honest, every day we are closer to losing the cyber-war - drip by drip...

      1. a_yank_lurker Silver badge

        Re: GDPR Fines may help - But its not enough...

        Fines and banishment are too kind. The Chinese have the right idea, major screw up you become the primary target for some soldiers needing target practice.

      2. tfewster Silver badge
        Facepalm

        Re: GDPR Fines may help - But its not enough...

        > independent certification

        Like the independent PCI Qualified Security Assessors? The QSAs I've met are smart, paranoid bullies - it's up to you to convince them that you're handling PCI data appropriately, or no certification for YOU. Don't try to BS them, and don't lie to them - they're bulletproof and any consequences will be on you. Including possible criminal fraud charges.

        Not that I've ever heard of a merchant having their ability to take cards withdrawn, but I guess their handling fees go up significantly.

        1. Richocet

          Re: GDPR Fines may help - But its not enough...

          I wish I could upvote your comment twice.

          PCI is a very strong framework to prevent these types of issues. If major corporations are not following these practices them someone senior there is incompetent or negligent.

          There is no need to reinvent the wheel.

      3. Anonymous Coward
        Anonymous Coward

        Re: GDPR Fines may help - But its not enough...

        "So if you're a company director of this kind of bot or chat service, and you drop the ball, you can never work with CC info ever again. One strike and you're out, that's it."

        Right.

        So you want to MAKE SURE THAT THEY WILL NEVER EVER EVER LET ANYONE KNOW THEY WERE HACKED?

        As ideas go, this is right up there with mandatory death penalties for sexual assault.

        The result will NOT be what you want.

        1. Anonymous Coward
          Anonymous Coward

          'The result will NOT be what you want.'

          Sure, directors won't squeal on themselves. It will take Whistleblowers, who must be offered proper incentives:

          https://www.bloomberg.com/news/articles/2017-06-02/why-whistleblowers-get-paid-in-the-u-s-but-not-in-britain

          1. Anonymous Coward
            Anonymous Coward

            Re: 'The result will NOT be what you want.'

            >It will take Whistleblowers, who must be offered proper incentives

            To make it up?

    2. Valeyard

      Re: What was Delta's outsourced chat doing with cc / cvv?

      don't they teach KISS anymore?

      needless complexity for complexity's sake isn't a good thing, especially when it touches high-risk data

  2. elDog Silver badge

    De rigeur: "You privacy is very important to us."

    Except if it gets in the way of our profits.

    And besides, who wouldn't want a free year's worth of credit monitoring service to find out how badly you've been screwed?

    How do we put up with this? REALLY!

    1. Mark 85 Silver badge

      Re: De rigeur: "You privacy is very important to us."

      The concept of "protection" via credit monitoring service escapes me at that moment. Err.. Experian anyone?

  3. Walter Bishop Silver badge
    Facepalm

    Sensitive personal information swiped

    "hundreds of thousands of customers' payment card numbers, expiration dates, and CVV security codes, were extracted by the malware and siphoned to its masterminds."

    At the risk of sounding tedious, why aren't these records stored in an encrypted form and only allow login access requiring the presence of a hardware dongle that issues a one-time ticket to succeed, something Kerberos

    "We are confident that the platform is secure .. we cannot say definitively whether any of our customers’ information was actually accessed"

    I'm sorry Dave, I don't understand that bit ..

  4. zaax

    I was under the impression the CVC codes should not be stored

    1. tfewster Silver badge
      Facepalm

      I get the impression the chats were snooped to siphon off the CC details, so even if they were never stored by the merchant or their partner, they'd been intercepted. The next problem for the criminals would have been to store and exfiltrate the data without being caught by Data Loss Prevention tools scanning for card-like data - not impossible, but yet another hurdle. Given the short time between the attack and detection, DLP scanning may well have been what saved this from being much worse..

  5. Anonymous Coward
    Anonymous Coward

    All code is written by offshore idiots to the lowest price

    This shitty code is in your medical devices, cars, industrial systems, phones and most devices in your homes. It's present on every website you visit.

    Insecure by negligence and stupidity, it's everywhere in your life.

    But hey - psychopaths are running the companies that make this stuff & they don't give a shit. They are cutting cost to get paid. You are not the 1% so fuck you.

    1. LucreLout Silver badge

      Re: All code is written by offshore idiots to the lowest price

      code is written by offshore idiots to the lowest price

      Sad but true AC, sad but true.

      Code automates process. Process is work. You're paying once to have something you can run for years. Its supposed to be expensive - being a code coder rather than thinking you're a good coder takes decades and a lot of study.

      I know a lot of millenials will disagree with the idea that the benefits of experience take time to accrue, but I also know that in time they'll agree with me. And why. Offshore body shops are the very antithesis of good code. In over 20 years professional experience I have never once seen good offshore code.

  6. aaaa
    FAIL

    Version Control / Code Review? Hello!

    Does no-one in modern IT do any QA or use Version Control? What ever happened to code reviews? Checking that what is being deployed is what was designed, and that other parts of the code haven't been changed? This is software development 101 people. Maybe it's all Git's fault - in which case throw it away and use tools that are fit for purpose. I know the toolchain I use does all this because it's the single most import reason why we use change management - to track what changes, because our QA and release process regularly asks: what changed? and needs good answers.

    From the Delta.com/response web site:

    We understand malware present in [24]7.ai’s software between Sept. 26 and Oct. 12, 2017, made unauthorized access possible for the following fields of information when manually completing a payment card purchase on any page of the delta.com desktop platform during the same timeframe: name, address, payment card number, CVV number, and expiration date.

    So the answer is how an outsourced chat bot could access credit card info is answered - because it can access the DOM of the page beneath it.

    1. ds6 Bronze badge

      Re: Version Control / Code Review? Hello!

      Hey guys, our phone reps are a bit overworked. Let's inject a live, dynamic script from a third party into our secure payment page.

      That will fix it.

  7. Anonymous Coward
    Anonymous Coward

    It's only going to get worse

    Most hacked entities don't even know that they have been hacked for months or years. Others who have been hacked fail to report the hacking even though it's required under U.S. law. Having firsthand experience with this type of situation, I can assure that the crims have the upper hand and that apathy is more common by law enforcement than you would believe. This just encourages the crims.

  8. LucreLout Silver badge
    FAIL

    "While we believe we have identified with some precision the transactions that could have been impacted, we cannot say definitively whether any of our customers’ information was actually accessed or subsequently compromised," Delta said.

    Yeah, see, Delta would like me to interpret that as saying "probably none of our customers were affected", where as I interpret it as being "We've lost the lot - if you've ever flown with us then we've spaffed your data over the internet for all to see".

  9. GnuTzu Bronze badge
    Flame

    3rd Parties Don't Come With Cake

    Having a third party might sound like fun. But, having a third party ask you to open arbitrary ports and white-list hoards of domains, including blanket CDN's, happens way too often. It's as if they want to tell you what your security policy should be. With all the third parties that you could have, and you could have hundreds, what kind of security policy would you have if you just went ahead and did whatever they told you? Third parties need to conform to your security policy--not the other way around.

  10. Robert D Bank

    Open Banking...

    oh the pain, the PAIN ....!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019