38,000 Card details stolen in web hack

[new2bus]

The credit card details of up to 38,000 customers of clothing firm Cotton Traders were stolen following a hack of its website.

The breach follows last year's attack on the website of TK Maxx, in which 45 million card details were lost.

The exact method used to hack the Cotton Traders website is not known.

I have been selective in my c&p so read the article here

http://news.bbc.co.uk/2/hi/technology/7446871.stm

But it does mean we have to be ever more vigilant and keep looking at our security.

 

[cjd]

And why were they storing their customer's credit card details?

 

[itaufait]

And why were they storing their customer's credit card details?

Lots of companies store CC details for re-ordering purposes, like Amazon, Dabs, etc... Some store it relatively safely, some don't have a clue...

I don't know if you bill your customers through CCs but if you had to bill using continuous authority on the card, you'd have to store the details of the said card

 

[ralph thornton]

And why were they storing their customer's credit card details?

Alot of my clients store credit card details for repeat customers, however these are hack proof - i just don't understand why people like CT don't have the right systems in place its ridiculous!

 

[sysops]

I don't know if you bill your customers through CCs but if you had to bill using continuous authority on the card, you'd have to store the details of the said card

For the zillionth time, no you wouldn't. You get your PSP to store the CC details for you, and you just do a repeat transaction. You supply the last transaction ID.

 

[debbidoo]

If Cotton Traders' system was able to be hacked, they couldn't have been PCIDSS accredited... because at their inspection any vulnerabilities would've been picked up.

I can't believe it - in this day and age, companies are *still* taking risks with card details... ridiculous...

 

[sysops]

I can't believe it - in this day and age, companies are *still* taking risks with card details... ridiculous...

Less than a year ago I came across a company who were having CC details emailed to them (in plain text). These were then being keyed in manually. They were doing a reasonable volume too.

When I questioned it, all I got was "yes, but we've been doing it this way for 8 years"...

 

[pawel]

Alot of my clients store credit card details for repeat customers, however these are hack proof - i just don't understand why people like CT don't have the right systems in place its ridiculous!

I have seen billing systems on the public networks with uncrypted databases storing thousands if not millions of CC details. Sometimes not even SQL databases, but Access or flat files for backup.

Please also be aware of the companies using fax-to-email when you send back the order form with your CC details on it. The content of such fax is likely to end up being send through the public network in completely unecrypted form as well.

 

[itaufait]

For the zillionth time, no you wouldn't. You get your PSP to store the CC details for you, and you just do a repeat transaction. You supply the last transaction ID.

Pretty hard if you're your own PSP Ok, that was a bad example for a general seller, but there are times merchants do store CC details.

 

[business123]

The things that gets me about this, is that it all happened in January!

 

[itaufait]

If Cotton Traders' system was able to be hacked, they couldn't have been PCIDSS accredited... because at their inspection any vulnerabilities would've been picked up.

There are way too many variables for that, and 'scanning' only scans for known attacks...

 

[pawel]

but there are times merchants do store CC details.

IMHO, there is nothing wrong with it, provided the data is protected and useless if stolen. I hate retyping all the details all over again.

 

[PayVector]

IMHO, there is nothing wrong with it, provided the data is protected and useless if stolen. I hate retyping all the details all over again.

You would be suprised at some of the shockers we have come across over the years. The one that springs to mind was a call center with some 250 people. The worker would take the number and write it on a special bit of paper about the size of a post-it note. Another worker would walk up and down the isles picking them up. These were then keyed into an excel spread sheet which was on a public share drive. The billing people would then key them into physical machines. They were doing 10k Tx a day like this. When I asked what they did with the little bits of paper he said the just chucked them with the other waste as it was to much hassle to shred them all.

They were doing 10k Tx a day so thats a lot of bags of money for some bad guy to get a hold of.

It tends to be the bigger older companies that get thigns wrong as they may be on legacy systems or have legacy business procedures. The new SMEs tend to be the switched on cookies.