
Western Union Cracked, Credit Cards Stolen

CmdrTaco posted more than 14 years ago | from the time-to-start-canceling dept.

The Internet 246

TrumpetPower! writes "NPR just reported that Western Union is recommending that customers who used their web page to send money should cancel their credit cards after somebody cracked their online credit card database. As I type this, the Western Union homepage simply states, 'Our Web site is temporarily out of service. We apologize for any inconvenience. To find the nearest agent location please call: 1-800-325-6000.'" Not much online yet besides the AP brief. (Normally we don't post this stuff, but it's getting submitted a lot, and it is kinda a big deal.) Lends more credibility to the disposable credit card concept.


liability? (2)

jetson123 (13128) | more than 14 years ago | (#790226)

It isn't clear that any numbers were actually stolen, only that people broke into the computer and that it actually had the credit card numbers on-line.

Of course, I think Western Union should be held liable anyway: their poor security is causing their customers and credit card companies a lot of effort and expense, whether the cards were stolen or not. Keeping personal information, in particular credit card numbers, on a system that is accessible from the Internet is grossly negligent.

Re:The Problem (2)

techfreak (144299) | more than 14 years ago | (#790228)

traced to human error .. Somebody left a database open

Geez... either stupidity/carelessness, or intentional. Not to sound conspiracy-ish, but there is some, however unlikely, chance that the 'somebody' did this on purpose.


Why store CCs? (1)

Malevolent (231436) | more than 14 years ago | (#790247)

The question is - why on earth did Western Union keep an /online/ database of transactions. I can understand that companies need to keep records, but why this has to be kept online, and not simply downloaded and burnt onto CD or some other storage mechanism. Having your security broken is one thing, but having databases like this easily available is another!

It's their fault... (3)

Docrates (148350) | more than 14 years ago | (#790249)

To me, the only way to prevent crackers from getting into some system and stealing credit card numbers is to not store them in your system... I run an ecommerce site and every transaction made, once cleared with the bank, gets its credit card info deleted.

The advantages of storing users' credit card numbers do not justify the risk. It's like a restaurant that keeps your credit card number so that next time you eat there you don't have to wait for the check...

sure there could be trojan horses that store credit card info as soon as it arrives to the server, but that seems to be less common.

Re:This should _never_ have happened! (1)

kirwin (71594) | more than 14 years ago | (#790253)

Who would sue them? Oh, a class action suit? The articles say that as of now, none of the potentially compromised card info has been used. Do you really think the 1337 D00d5 are going to use them with all of the media hoopla about the crack? I doubt it. WU will take a major loss of e-business over this, which will probably teach them not to be so careless next time. Plus everyone will forget this by Friday.

Re:Liability after warnings like this? (1)

Merk00 (123226) | more than 14 years ago | (#790254)

Well, I believe US Federal law requires the credit companies cover any fraudulent charges over $50. I also believe that there is a limited amount of time where you can report those fraudulent purchases (I'm not sure how quickly it is). So, basically, the credit card companies have to eat the cost. Most credit card companies will cover the $50 also but YMMV. Now, debit cards are another matter and I don't believe that fraudulent use of a debit card is covered.

Matt Leese

Re:This should _never_ have happened! (1)

Demona (7994) | more than 14 years ago | (#790256)

But see, to the proles, "proper safeguards" consist of what even the most larval of script kiddies knows is completely laughable. As for those who actually have a clue, we've seen how often they're truly in charge of decision making. So they go and Do the Right Thing, like a right and proper BOFH, and usually end up being yelled at or sacked for making things "difficult", or for just BEING "difficult".

Not the first time...remember CD Universe? (1)

IvyMike (178408) | more than 14 years ago | (#790257)

I was one of the poor saps unfortunate enough to have been a one-time customer of CD Universe when their credit card database was stolen and held for ransom. I had purchased one CD (Nina Simone, for the curious) about 10 months before the hacker took the numbers, and I still had to go through all the pain of cancelling my credit card. Worse yet, I had several services (my newspaper, my ISP) auto-billed off the credit card, which I forgot about, and those services were cancelled once they were unable to bill to that old number.

I was very fortunate that there were no purchases made against my number, probably because I had it cancelled very quickly.

In any case, it seems ridiculous that sites should keep your credit-card information forever, thus amplifying the damage caused by any hacks.

After 'em! (2)

Dirtside (91468) | more than 14 years ago | (#790265)

The varmints're gettin' away on their horses! We'll never catch 'em!

I got the letter (1)

Anonymous Coward | more than 14 years ago | (#790270)

There is more to this than what they say. Think blackmail......

.... (4)

Anonymous Coward | more than 14 years ago | (#790274)

...the fastest way to send money to LEET HAX0RS.

Back to the Future (2)

Britano (183479) | more than 14 years ago | (#790276)

Maybe the hackers are searching for the letter Dr. Brown sent back in 1885?

The Problem (3)

Andrew Dvorak (95538) | more than 14 years ago | (#790277)

The problem, as reported by NPR, was traced to human error .. Somebody left a database open, which is where the vulnerability existed. Western Union will correct the problem, says they.

Re:suuuuuuuuuuuuure (2)

kirwin (71594) | more than 14 years ago | (#790278)

I have the right to. I have the skills to. I don't have a credit card database on my workstation.

Re:(Normally we don't post this stuff...) (1)

legLess (127550) | more than 14 years ago | (#790279)

Well, if you use "normal" mathematically, he's probably correct. If /. posted every story about CC #s getting cracked, we wouldn't have time for Napster stories.

Think different (1)

e-gold (36755) | more than 14 years ago | (#790280)

...Lends more credibility to the disposable credit card concept.

That's not the only concept that should be considered (and neither is e-gold, I'd just like to see better/deeper thinking on payment options here).

Western Union has objected to e-gold-selling market makers in the past, ostensibly because some interesting sites use the currency for gram-based gambling. Of course, Western Union is owned by First Data, a giant credit-card payment processor, which I'm sure would NEVER process payments related to plastic-using-gambling on the internet, since I'm convinced that they're the very model of moral decorum compared to venal exchange-providers using the filthy yellow metal as a currency. (smirk!)

I want folks to play with our system, especially Slashdot readers, so my usual offer to click a bit to any /. readers who create an e-gold account and send me the number applies, as does my usual "I don't care if you moderate this comment down because you think it's 'spam' because I'm self-interest personified," and "my opinions are mine alone" attitude(s). Thanks.

Re:(Normally we don't post this stuff...) (1)

RickHunter (103108) | more than 14 years ago | (#790281)

It's the royal we. Notice that none of the names on that list reads "CmdrTaco." ;-)


End the pessimism, research OS security! (1)

Peaker (72084) | more than 14 years ago | (#790282)

How many more thefts and breakins will it require, until people realize that for security, the principle of least privilege MUST be implemented!
This principle CANNOT exist in a UNIX system, which has very rough granularity to its security, and is based on very heuristic security methods that form an extremely complex, impossible to secure system.

Most people gave up, "all systems are hackable", and basically give up the search for more secure technologies. I, on the other hand, am more optimistic.

The positive side of these cases, imo, is that people may finally start looking for more security in their systems, and divert the efforts from various near-useless OS kernels (that hardly add any functionality, albeit adding some elegance and sometimes even performance), to CAPABILITY based systems, which are the best security systems we can implement, and truly implement the principle of least privilege.

EROS technology is the future, it truly is the solution to all of this.
Progress will not be made, until we dump the insecure designs of the past.

Whoa, CT Finds The Conspiracy (2)

Hrunting (2191) | more than 14 years ago | (#790283)

Lends more credibility to the disposable credit card concept.

You hit the nail on the head. American Express, a huge corporation, but second fiddle to the likes of Visa and MasterCard, needs something to promote its new idea. With the Internet at hand, it has its weapon. It sends some crackers to crack Western Union, thereby pushing people to the 'safer' disposable credit card.

Or maybe they didn't send anyone at all. Maybe they just got Western Union in bed with them. Who knows. The point is, CT found the conspiracy.

Liability - Hassle your Customers (1)

DiS[EnDeR] (195812) | more than 14 years ago | (#790284)

I think it's about time that the consumer became legitimately protected from the ignorance of companies such as WU. 20,000 people now have to cancel their credit card numbers and debit numbers and obtain new ID. This is not an easy process and is time consuming. What if there are fraudulent purchases? Once again it won't be WU on the phone convincing an operator that they didn't purchase a pass to

There needs to be some sort of control over these e-commerce buffoons who screw us by running insecure boxes and poor transaction servers. Would a class action lawsuit be an idea? I wonder what the credit card companies are going to do to WU. I mean it is their property WU messed with. If I were Mastercard or VISA I would be laying some heavy restrictions down on WU; the cost to replace cards and cover any illegitimate purchases is reason enough.

Re:c|net's article (2)

brunes69 (86786) | more than 14 years ago | (#790285)

I don't see where. This is just a rehash of the AP article linked to in the story.

Re:(Normally we don't post this stuff...) (1)

talks_to_birds (2488) | more than 14 years ago | (#790304)

I think the real definition needed here is for the word "don't"

Clearly, "they" "do"...

I think not; therefore I ain't®

what about other services (like paypal) (1)

darthpenguin (206566) | more than 14 years ago | (#790305)

With this incident, I was reminded of many other services, like Paypal and Billpoint, that store credit card numbers. What would happen if someone was able to break these systems? What security measures have they taken? When I signed up for Paypal, I don't ever recall anything about their computer security, so I'm left wondering how vulnerable is the service to giving out my CC#?


Re:Oh, the things I've seen (2)

Cramer (69040) | more than 14 years ago | (#790306)

Well, I'd give Oracle part of the blame for this. Nowhere in the installation instructions or printed documentation with ANY Oracle product do they tell you what users and passwords they are loading. I've only ever been asked for a password during installation on a windows system. I had to look through the setup scripts to find their damned default password.

BTW, this is a problem in a lot of places. Software installs things you aren't aware of (esp. on windows.) And admins aren't paying attention or aren't trained to manage what they are handed.

Putting out the fire - with gasoline (4)

Soko (17987) | more than 14 years ago | (#790307)

This is NOT good. Western Union is Old Money - they've been around for a long, long time as far as companies go. This will get the establishment REALLY pissed. Do we really want an all out war with The Man? Something like this will not help the cause of Napster, DeCSS and Open Source in general.

The establishment is not used to how the Hacker culture does things - they are used to order and directed control. The Internet is a terribly chaotic place - if you want something done, you go ahead and do it. Also, the first one there usually controls the situation, no matter who else joins them in the endeavour (witness that newer posts on /. usually garner more moderation points, and therefore direct the comment stream). Even in Internet startups, there is usually one person who starts the company and then hands over the reins to an established Business man to run the show (Yahoo!), not like what happens with Internet based projects, where the Alpha Geek or Lone Coder is regarded as the undisputed leader, regardless of how much education or money he has (a Good Thing, BTW).

The establishment will likely view this as further validation that we are out to kill. While the Hacker community has control of the Internet attacks like this may end up being more common. The only way the Establishment can ensure its continued existence is to wrest control back. Napster being stamped out might be the first salvo in the Great Internet War. This little faux pas (likely by a script kiddie) will only accelerate the zeal and ruthlessness with which The Man deals with us. They just might see such attacks as a threat to their very survival, and react accordingly.

OK, some of you may post "Yeah! Stick it to the man, l337 h4x0r d00dz" and think it's good that the rich are getting theirs. That's fine, and welcomed on one level. However, we need to look at the big picture - The Man can pull the switch on the Internet if he's really threatened (not literally, figuratively), so we end up out in the cold (InternetII, anyone). Or just toss your ass in jail, rights be damned. As much as we don't like it, we have to compromise and let the establishment have its way - for a while.

I hope we can start to see things from the other side of the firewall soon - and use articulate argument, humour, understanding and gentle persuasion to get our way instead of random guerrilla attacks on established companies.

Re:(Normally we don't post this stuff...) (1)

ShaunC (203807) | more than 14 years ago | (#790308)

I believe "this stuff" was a reference to "stories that just came over the wire ten minutes ago with next to no details," not a reference to "stories about credit cards."


Re:They should take the blame, not "hackers" (2)

sbergstrom (107349) | more than 14 years ago | (#790309)

How can you possibly say that hackers aren't to blame? Just because someone was careless doesn't mean it's instantly moral to exploit the new weakness and use it for less than acceptable purposes. Hackers are to blame, because they're the ones who did it.

Re:(Normally we don't post this stuff...) (1)

mangu (126918) | more than 14 years ago | (#790310)

CmdrTaco, define 'we'?

  • MSNBC: Stealing Credit Card Numbers Online is Easy, by Roblimo on Sun 16 Jan 05:22PM EST (341 comments)
  • Largest Online Credit Card Heist Ever?, by Roblimo on Sun 09 Jan 04:59PM EST (359 comments)
  • RealNames Customer Data Stolen, by emmett on Mon 14 Feb 06:55AM EST (129 comments)
  • British Crackers Demand Millions in Inforansom, by Roblimo on Sun 16 Jan 11:52AM EST (195 comments)

On February 15 CmdrTaco saw the wrongness of his acts and decided to stop posting this stuff normally.

Re:liability? (2)

sjames (1099) | more than 14 years ago | (#790311)

If someone with a mask and gun steals a bag full of CC receipts from Sears, then uses the numbers, is Sears at all liable for their misuse? Should they be? How does this change for e-commerce stores?

The important standard here is reasonable care. Sears would NOT be liable if someone takes the credit slips at gunpoint. It is not reasonable to expect someone to risk their life for that. OTOH, if a kid takes a big bag of credit slips from the loading dock and abuses them, Sears may BE liable, since they could have easily prevented the theft, and should have anticipated the possibility.

It is the same for an e-commerce site. If the database server had default account and password and was accessible from the net, that's like leaving the slips outside. If someone got the passwords or stole the drives by holding an admin at gunpoint, they would not be liable.

It is also possible that their vendor could be liable if they had assurances that the security measures were adequate. This would be the real world equivalent of putting the slips in a locked office but discovering (too late) that the guaranteed security lock could be opened by jiggling the door knob.

Re:End the pessimism, research OS security! (2)

Peaker (72084) | more than 14 years ago | (#790334)

This UNIX comment applies to Windows as well, which is of the same class of security mechanisms (ACLs). (Not to mention various other systems that are not capability-based)

Re:Oh, the things I've seen (5)

beacon (23656) | more than 14 years ago | (#790335)

Indeed so. I recently worked on a very large (>$1m) project for a multinational client, with a significant ecom component, where:

  • The sysadmin had never heard of apache
  • I and several other developers had full root access to the production environment
  • The oracle manager account was system/manager

and various other nasties like that. In their defence, they never stored credit card numbers. But nonetheless, I couldn't believe it. IMHO, this all comes from ambitious young new media execs who know nothing about technology being given far too much money to throw around. They hire people who are good at BSing and dressing up their CVs, and they end up missing out the itsy little technical details, like getting a sysadmin who knows what routing is.

Just for fun, let me say that first bullet point again: "the sysadmin had never heard of apache".

the only uncommon thing is that they admitted it (1)

Splork (13498) | more than 14 years ago | (#790336)

This happens all the time people, the only truly uncommon thing is that they admitted to the public that they had a break in. Most of these are kept hidden.

As for cancelling your credit cards, why? With a database of zillions of stolen cards the chance that yours gets used is slim. It's less hassle to deal with the potential fraudulent charge appearing on your bill than to get new cards!

(Now if you used one of those silly "ATM + 'credit' card things" that lets people irreversibly take money out of your bank account you'd better think again...)

whatever... (1)

AssFace (118098) | more than 14 years ago | (#790337)

99.9% of the places out there that encrypt their databases just use some lameass XOR scheme (b/c it has to be fast in and out) so that you wouldn't be able to look at it and immediately know what it is, but if you want to crack it, you sure as hell can - esp if you have a full database of them and know the table name is something like "credit_cards".

Re:Putting out the fire - with gasoline (3)

Anonymous Coward | more than 14 years ago | (#790338)

Vandalism and theft have nothing to do with freedom. If I mug you or if I pick your pocket and get your credit card and proceed to buy stuff and you just happen to be rich, I'm not sticking it to the man. I am a thief. Napster and DeCSS are about very different things, and while the MPAA may try to paint being able to access copyrighted digital data as theft, they are trying to manipulate the language, not talk about what pirates are doing. This is illegal because CC#s which can be used to purchase things and cause the unauthorized transfer of money have been taken into possession by someone for whom they were never intended.

More info on hole? (1)

AssFace (118098) | more than 14 years ago | (#790339)

What hole was left open? It looks as if they were on an MS system - which would mean MS's SQL server, and I'm not sure what version they were using, but up until very recently (and perhaps still, haven't followed it) - the default login/password for the SQL server was "sa" login and no password, wasn't it? Tight as a drum, nobody will ever figure that one out.

Re:Liability after warnings like this? (1)

ahaning (108463) | more than 14 years ago | (#790340)

Perhaps credit card companies should now offer "hacker" insurance.

Possibly. But, unlike earthquakes, fires, flooding, and tornadoes, there are ways of protecting yourself from intruders in your computer systems.

On your house, you put a lock. If you're more protective, you get a noisy security system that alerts the police and you pay a fee. I suppose they could call it a "mandatory security fee" rather than "hacker insurance". Would you buy into a company which would basically be telling you "We know we will get hacked. Pay us if you want protection." ? They would at least have to make it sound nicer. A security fee sounds much nicer than "hacker insurance". And a security fee shouldn't even be NEEDED. This sort of thing should be AUTOMATIC when you got a service involving monetary transactions. There should not be optional security.

Re:Ass raped monkeys (3)

beacon (23656) | more than 14 years ago | (#790341)

AFAIK, most of them do. At least, all the banks I've dealt with demand that you follow certain security procedures before you use a merchant account for Internet transactions. The problem is, they get you to sign a bit of paper, but they don't enforce it, and their requirements are fairly lax (e.g. SSL and a firewall).

An Ounce of Physical Separation... (1) (217783) | more than 14 years ago | (#790342)

Is worth a ton of firewalls and proxies. The fact is, if you make it possible to get at the credit card numbers over a public network, someone smarter than you will work harder to get them than you worked to secure them. The solution is simply to physically isolate the long-term storage of credit card numbers -- put them on a database server which is not accessible to the Net. Use a zip disk or a tape or whatever to batch what comes in to your web site. Every day (or hour or whatever), you have a process on the web database server dump the info to removable media, you physically walk it over to the isolated server, and you load it there. Once the batch is transferred successfully, you run a second process that deletes the credit card numbers from the web database server. If anyone manages to crack your web server, they can only get credit cards entered from the time the previous batch was completed. If you don't have repeat customers enter their information again (you have the transactions go through the isolated server), then there's even that much more protection. The compromise of a few dozen credit cards (or even a few hundred) is a very manageable situation.

Putting all customers' credit card info on a publicly-accessible server is saying "we don't think anyone can get in" because the result of someone getting in would be catastrophic. That's a foolish and arrogant position. It's like not having homeowner's insurance. If you design your system, which, to some people's surprise, includes actual physical and human considerations, to minimize the effect of failure on any one piece, then you don't have to say "everyone who was ever our customer is now at risk".

Well, now we are seeing the (possibly lack of) disaster recovery plans by Western Union. We didn't ever think it would happen -- now what do we do?

The truth is out th - oh, wait, here it is...
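The batch-and-purge routine described in the post above, written out as an added example (not code from the original post or from Western Union). It uses two in-memory SQLite databases to stand in for the web-facing and the isolated server, a JSON file for the removable medium, and a SHA-256 digest that the operator carries separately so a batch file that was corrupted or altered in transit is refused before anything is purged from the web tier. The schema, the sample rows and the function names are assumptions made for the example; the card numbers are standard test numbers, not real accounts.

```python
import hashlib
import json
import sqlite3
import tempfile
from pathlib import Path

# Constructed sample rows as the web-facing database might hold them
# (hypothetical schema; the numbers are standard test card numbers, not real accounts).
SAMPLE_PENDING = [
    (1, "4111111111111111", "2000-09-09T10:00:00"),
    (2, "5500000000000004", "2000-09-09T10:05:00"),
    (3, "340000000000009", "2000-09-09T10:10:00"),
]


def open_web_db():
    """The Internet-facing database: only holds cards received since the last batch."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pending (order_id INTEGER PRIMARY KEY, pan TEXT, received TEXT)")
    db.executemany("INSERT INTO pending VALUES (?, ?, ?)", SAMPLE_PENDING)
    db.commit()
    return db


def open_isolated_db():
    """The long-term store on a machine with no network path from the web tier."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE archive (order_id INTEGER PRIMARY KEY, pan TEXT, received TEXT)")
    db.commit()
    return db


def export_batch(web_db, media_path):
    """Dump pending rows to the removable medium; return their ids and a digest of the file."""
    rows = web_db.execute(
        "SELECT order_id, pan, received FROM pending ORDER BY order_id").fetchall()
    payload = json.dumps(rows).encode()
    Path(media_path).write_bytes(payload)
    # The digest travels with the operator, separately from the medium, so a
    # corrupted or swapped batch file is detected before it is loaded.
    return [r[0] for r in rows], hashlib.sha256(payload).hexdigest()


def import_batch(isolated_db, media_path, expected_digest):
    """Load the batch on the isolated server only if it matches the recorded digest."""
    payload = Path(media_path).read_bytes()
    if hashlib.sha256(payload).hexdigest() != expected_digest:
        raise ValueError("batch file does not match the digest recorded at export")
    rows = json.loads(payload)
    isolated_db.executemany("INSERT OR IGNORE INTO archive VALUES (?, ?, ?)", rows)
    isolated_db.commit()
    return [r[0] for r in rows]


def purge_transferred(web_db, transferred_ids):
    """Delete from the web tier only the rows the isolated side confirmed; return what is left."""
    web_db.executemany("DELETE FROM pending WHERE order_id = ?",
                       [(i,) for i in transferred_ids])
    web_db.commit()
    return web_db.execute("SELECT COUNT(*) FROM pending").fetchone()[0]


def run_batch_cycle(web_db, isolated_db, media_path):
    """One export / walk-over / load / purge round; returns counts for an audit log."""
    exported_ids, digest = export_batch(web_db, media_path)
    loaded_ids = import_batch(isolated_db, media_path, digest)
    remaining = purge_transferred(web_db, loaded_ids)
    Path(media_path).unlink()  # the medium must not keep a copy after loading
    archived = isolated_db.execute("SELECT COUNT(*) FROM archive").fetchone()[0]
    return {"exported": len(exported_ids), "loaded": len(loaded_ids),
            "remaining_on_web": remaining, "archived": archived}


def demo_cycle():
    """Run one cycle against the constructed sample in a temporary directory."""
    web_db, isolated_db = open_web_db(), open_isolated_db()
    with tempfile.TemporaryDirectory() as tmp:
        result = run_batch_cycle(web_db, isolated_db, Path(tmp) / "batch.json")
    return result


def demo_tampered_batch():
    """A batch file altered in transit is refused, so nothing is purged from the web tier."""
    web_db, isolated_db = open_web_db(), open_isolated_db()
    with tempfile.TemporaryDirectory() as tmp:
        media = Path(tmp) / "batch.json"
        _, digest = export_batch(web_db, media)
        media.write_bytes(media.read_bytes().replace(b"4111", b"4112"))
        try:
            import_batch(isolated_db, media, digest)
            refused = False
        except ValueError:
            refused = True
    still_pending = web_db.execute("SELECT COUNT(*) FROM pending").fetchone()[0]
    return refused, still_pending


if __name__ == "__main__":
    print(demo_cycle())
    print(demo_tampered_batch())
```

The purge only removes rows whose ids came back from the isolated side, so a partially loaded batch leaves the unloaded rows pending for the next round rather than losing them; the exposure window on the web tier is then at most one batch interval, which is the point the post makes.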


No, you haven't (1)

chazR (41002) | more than 14 years ago | (#790343)

Here's what you did: You connected over the internet, while logged in as root, to a machine that is known to be compromised.

Trust me, if you knew enough about Unix to have a root password, you wouldn't have done this. There is now a finite possibility that a nasty cracker type is looking through the web logs from the compromised box. When they find your connection attempt, you become a target. And now we know you connect to the internet with apps running as root.

You, madam, are now about to become just another roadkill on the information highway.

Share and Enjoy

Re:liability? (2)

jetson123 (13128) | more than 14 years ago | (#790344)

It ought to be the merchant's problem, but it isn't. It is the consumer who has to deal with the false charges, the damage to his credit rating, and going without a credit card for a while. In fact, the liability of merchants and credit card companies for causing the consumer harm through their credit-related actions seems pretty limited.

Get a gold card. (1)

mrsam (12205) | more than 14 years ago | (#790345)

Speaking from experience, it's a major pain in the ass to cancel a credit/debit card and get a new one, not to mention trying to figure out how to live without one for a week.

Most banks who issue gold or platinum CCs will overnight you a replacement card for no extra charge. I've lost my credit card twice, in the last ten years. Each time the bank fedexed me a replacement by next morning.


Re:Oh, the things I've seen (1)

Johnny Starrock (227040) | more than 14 years ago | (#790346)

No one is going to be able to just sit down and effectively or securely run an enterprise DB. You're going to need either training or preferably real-world experience.

Re:What a title for this post. (1)

AFCArchvile (221494) | more than 14 years ago | (#790347)

The title looks more like it would deserve a score of -1, in contrast to its current score of 2. Oh well, never judge a book by its cover.

Re:End the pessimism, research OS security! (3)

sjames (1099) | more than 14 years ago | (#790369)

This principle CANNOT exist in a UNIX system, which has very rough granularity to its security, and is based on very heuristic security methods that form an extremely complex, impossible to secure system.

Sure they can! There is work in Linux and several other Unixen to move to capability based systems and implement the principle of least privilege.

EROS does look interesting though.

seriously, this is getting blown out of proportion (1)

AssFace (118098) | more than 14 years ago | (#790370)

They are just covering their asses. If this happened and they didn't tell people that maybe their credit cards were in the shit that was seen, then I have a feeling they'd get in more trouble with the lawyers that are inevitably swooping in as we type.

Re:They should take the blame, not "hackers" (1)

luckykaa (134517) | more than 14 years ago | (#790371)

Personally, I think that people who have ludicrously poor security should take some of the blame. Obviously the hackers are the problem, but it's a lot harder to feel sympathy for people who take no measures to stop something that should be predictable.

argh! (1)

dolo666 (195584) | more than 14 years ago | (#790372)

Quick!! Purge the pagefiles!!!

Abandon ship!!!


Our data has been stolen!

{{ fade to black }}

/d o0-{W.U. HU BU HU}

Re:Putting out the fire - with gasoline (1)

Soko (17987) | more than 14 years ago | (#790373)

I totally agree with you. The problem is some of these l337 h4x0rs wrap themselves in the cloak of "Free Speech on the Internet" when they get caught. That ties them to OSS in general in the eyes of society at large - don't forget that the "unwashed masses" tend to not differentiate between the sub-sections of a group. If you can use a computer for more than e-mail, you're a hacker, and you'll be lumped in with the idiots who did this. As I said, that's NOT good for worthier things like DeCSS and Napster. Stealing CC#s is illegal and theft - and by current legal standards, sending your friends an MP3 of Metallica's latest song is illegal and theft, too.

From the establishment's point of view, these two are one and the same. As such, they deserve the same method of remedy - litigation.

Re:This should _never_ have happened! (1)

aozilla (133143) | more than 14 years ago | (#790374)

Nope, that's not true. Even if you have a 1 way cipher for the credit card data, if you can break into the webserver, you can steal the credit card numbers before they even get encrypted.

Re:You are the candle in the powder magazine. (1)

AFCArchvile (221494) | more than 14 years ago | (#790375)

And I suppose that you would also say that the Hindenburg was sabotaged? That aliens steered the iceberg into the Titanic? That the US Navy Seals had a sting operation to sink the Kursk?

I hate people like you who start the rumors.

Crypto is outlawed to keep it from terrorists... (1)

Anonymous Coward | more than 14 years ago | (#790376)

...and child pornographers. Yes sir, these anti-crypto laws sure are doing us good.

Re:liability? (2)

mindstrm (20013) | more than 14 years ago | (#790377)

I don't know the legalities.. but from a purely idealistic view, it's like this:

The CC Company values customers over merchants. Merchants pay to accept cards. (not that merchants aren't important).

The Card is simply a token of the credit the company has extended to you. It is a means to an end; it is not the credit itself. Same with the number on that card. The number simply identifies your account.

From what I remember from personal issues with cc companies, it is fairly easy to dispute charges.
It used to be that a card imprint was required. Later, anything would do, but a signature was required. Remember, you have to authorize each and every use of your card.
If a merchant cannot show that YOU actually authorized the transaction, he has no right to collect funds on your card.

Simply using the card yourself is authorization enough; but the merchant should be able to prove it. ie: registered delivery of goods to your home.

The onus should be on each and every merchant who accepts credit cards to ensure that they are taking part in a legal transaction. This is why there is a signature on your card; this is why you must sign your receipt. It *IS* permissible to ask for ID when someone presents a credit card!

Like cheques these days, the system does not verify everything. It's far cheaper to deal with issues should they arise than to simply check every transaction.

Just because society is rushing like a madman into using credit cards for digital transactions for everything on earth, and merchants are forgoing safety checks... this is the MERCHANT'S problem, not the consumers.

Re:Ass raped monkeys (1)

ZeroData00 (223410) | more than 14 years ago | (#790378)

If they took the data that was more than a month old in their database and made a back-up and then deleted it (or at least the CC numbers) off their servers, maybe the world would be a safer place. Yes, if they ever needed it, they would have to put the back-up disks back in the computer. But what really frightens me are the companies that remember my credit card number, so "I" can use it again.

Re:Back to the Future (1)

myke_hines (128097) | more than 14 years ago | (#790379)

lol!! that's fucking funny

Re:On-line Databases (2)

Foogle (35117) | more than 14 years ago | (#790380)

I don't know about that. The webserver never really needs to see the CC#s. The customer is probably not going to need (or want) the website to re-display their own number... This is something they already have. All it might need to do -- as you mentioned -- is confirm the number; an action that does not require the webserver to actually have the number.

A perfectly viable method would be to send the pending credit-card number over to the database server, and have it (and it alone with access to the actual numbers) confirm it.


"You can't shake the Devil's hand and say you're only kidding."

Re:On-line Databases (2)

Detritus (11846) | more than 14 years ago | (#790381)

The web server doesn't need to retrieve credit card numbers from the database server. It needs to be able to store the information, request an authorization, and submit a charge. I'm assuming that the authorization and charge submission is done on the secure database server. It can report success/failure back to the web server. If you want the user to verify the stored information, you could do what some web sites currently do, X out all but the last 4 digits of the card number.

First Data Corporation (2)

gUmbi (95629) | more than 14 years ago | (#790382)

Is there any indication how far the hackers went?

Western Union is owned by First Data Corporation, one of the largest credit card issuers in the US. Assuming the networks of the two corporations were somehow linked (or have systems shared between the two), if the hackers were able to get into FDC's systems, this could be disastrous.

It may be wise to invest in some put options on FDC...hmm


Re:suuuuuuuuuuuuure (1)

Foogle (35117) | more than 14 years ago | (#790383)

You think that "rm" is all a root-user has to worry about?


"You can't shake the Devil's hand and say you're only kidding."

Ass raped monkeys (3)

Greyfox (87712) | more than 14 years ago | (#790385)

It seems like a fairly common practise for these web companies to store your credit card numbers in their database forever and ever once you make a transaction with them. The very same people seem to have no concept of how to keep a system secure. What will it take to get these idiots to design their sites with some level of security in mind? Maybe a class action suit (malpractise or something) on behalf of all the customers and credit card companies inconvenienced by this is in order...

Quote from site (1)

kcarnold (99900) | more than 14 years ago | (#790389)

"Helping people make their lives better, everyday". Right...

They should take the blame, not "hackers" (1)

imagineer_bob (163708) | more than 14 years ago | (#790393)

When it's usually their own damn fault for hiring BAD PROGRAMMERS and ENGINEERS! Since I don't know the details of WU, I won't comment on that, but let's talk about IKEA!

IKEA was cracked because you could do any query against their database by changing parameters in their URL.

Fortunately, a QA company caught this before it was too late.

IKEA has NO RIGHT TO BE IN BUSINESS. PERIOD. They try to save a few nickels by hiring CHEAP PROGRAMMERS and it's their own FAULT.

I hope IKEA and Western Union both go OUT OF BUSINESS.

--- Speaking only for myself,

This should _never_ have happened! (5)

CTalkobt (81900) | more than 14 years ago | (#790394)

This should never have happened. With the proper safeguards - i.e. having a one-way cipher on the credit card data and then another machine not connected to the internet to process it - the accounts would merely be a jumble of encoded characters and digits.

Any company that does business on the Internet without proper safeguards ( which is what it sounds like ... ) deserves to be sued.

Granted, my view may change - because there is not enough information about how - but this has happened at other sites and it still amazes me.

Cracked... Where was the encryption (1)

mmca (180858) | more than 14 years ago | (#790397)

Was the database encrypted? Or did they store thousands of people's credit card information in the clear on a system that was online?
Who was the system designer who let that get through? When are people going to learn that even though nothing is totally secure, there are many steps you can take so that you don't end up looking like an ass (CDNOW! comes to mind)

Encryption! Encryption! Encryption!

Get some and use it... (especially if you run a large financial database.)

A Clue About Security (5)

1alpha7 (192745) | more than 14 years ago | (#790400)

Lends more credibility to the disposable credit card concept.

Please. It lends more credibility to the concept that big corps still don't have a clue. Technology security (unlike physical) is not a place to save a few bucks by hiring a few minimum security wanna-be rent-a-drunks. Plus it lends more strength to the idea that money cards, anonymous, variable in value, and secure, desperately need to be implemented, whether Big Brother likes it or not.


c|net's article (5)

Speare (84249) | more than 14 years ago | (#790402)

c|net's article has a little more information about the hack.

It was unclear whether the hackers obtained any personal account information. No fraudulent transactions had been reported by late yesterday [...] Only Web site users who conducted online transactions would have been affected. Company officials were using email, letters and phone messages to alert between 10,000 and 20,000 consumers to cancel their credit or debit cards and get new ones.

Funny. (2)

tweder (22759) | more than 14 years ago | (#790405)

Taken from the WU website...

Helping people make their lives better, everyday

n0w 7h3 f45735t w4y 70 53nd m0n3y (70 31337 h4x0r d00dz)

i wonder.... (1)

wdf (176879) | more than 14 years ago | (#790407)

who wanted a date this time?

Re:Ass raped monkeys (1)

0xdeadbeef (28836) | more than 14 years ago | (#790411)

Because that's the only way they can do effective customer profiling, so they can screw people the way Amazon does.

And don't think the credit card companies are on your side. They're part of the problem, pushing a security model where the identifier is also used as a "secret" key. It is their fault credit cards are such a risk to begin with.

Re:Ah Yes, Western Union Uses Microsoft Software(z (1)

shepd (155729) | more than 14 years ago | (#790412)

Hey, come on man, according to netcraft Western Union is as good at security as:

- Burger King
- Gillette
- The NFL

Doesn't that make you feel better now? :-)

Why CC Databases anyway? (2)

buss_error (142273) | more than 14 years ago | (#790413)

With the number of CC DB's being cracked, hijacked, cloned to hostile servers, I mean why the hell do they have to keep your number after you use it? Amazon does this, B&N, and most e-stores. Once the transaction is approved, wipe the number. You don't have to have it anymore.

If you really, really, want to keep it, set up a dot matrix and print it out. I think the Credit Card companies should charge the fraud back to the company that stored the number. That ought to promote securing a server!

Consumer is NOT liable (2)

HEbGb (6544) | more than 14 years ago | (#790414)

One of the greatest misconceptions propagated by the credit card industry is that the consumer is liable for charges incurred on a stolen credit card.

Read your agreements carefully; most of my cards hold me with little if any liability (the worst is $50 maximum). The rest of the bill is footed by the credit card company/issuer, not the consumer. When the credit card company denies a charge to 'verify security', it is not doing so for 'your protection', as they say, but for their own.

So, if the credit card numbers were indeed stolen and used illicitly (which is not clearly the case), it's the credit card companies who have something to worry about, not the consumers.

Regardless, Western Union should have had more secure systems; I'm sure this is very embarrassing.

Re:suuuuuuuuuuuuure (1)

fluxrad (125130) | more than 14 years ago | (#790415)

If their security checks are so routine, then why did this happen?

[root@solstice /root]# telnet 80
Connected to
Escape character is '^]'.
get /
HTTP/1.1 501 Not Supported
Server: Microsoft-IIS/4.0

Oh, I see now.

"Hmmm...i don't get it. the only IRC servers that will let me connect are those on undernet"

After 16 years, MTV has finally completed its deevolution into the shiny things network

Re:liability? (2)

trog (6564) | more than 14 years ago | (#790416)

The correct way to deal with credit cards is to use an asymmetric algorithm (public-key) encryption, where the private key exists only on a system that has no connection to any network. The encrypted data is then pushed to a floppy/zip/etc, where it is processed by human hands at the secured processing machine. The processing machine is then protected by physical means (cages, keys, cameras), and is done by a person who has been deemed trustable (background checks, etc).

An important component is that no sysadmin at the company has any access to this processing machine. Only technically inclined executives (i.e. CTO, CIO, COO) have root access to this machine, and if maintenance must occur at this machine, the sysadmin is logged into it by the executive, who then physically watches what the sysadmin is doing (and the executive knows his/her shit, so there is no question of foul play).

In this scenario, if the website is completely compromised and all credit card numbers are stolen, they are completely useless to the cracker, as they cannot be decrypted without that private key.

This is ideal practice, and should be implemented at all e-commerce sites.
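As an added illustration (not code from any poster here), the design trog describes above, with the web tier holding only a public key and the private key confined to the offline processing machine, combined with Detritus's earlier suggestion of showing the customer only the last four digits. It uses Go's standard-library RSA-OAEP; the card number is the constructed test value 4111 1111 1111 1111, and all type and function names are my own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// StoredCard is all the Internet-facing web tier is allowed to keep:
// the card number encrypted to the processing host's public key, plus a
// masked form for telling the customer which card is on file.
type StoredCard struct {
	Ciphertext []byte
	Masked     string
}

// oaepLabel binds the ciphertext to this purpose; both sides must agree on it.
var oaepLabel = []byte("card-pan")

// normalizePAN strips spaces and rejects anything that is not a plausible
// card number (13 to 19 digits), so garbage never reaches the processor.
func normalizePAN(pan string) (string, error) {
	digits := strings.ReplaceAll(pan, " ", "")
	if len(digits) < 13 || len(digits) > 19 {
		return "", errors.New("card number length out of range")
	}
	for _, c := range digits {
		if c < '0' || c > '9' {
			return "", errors.New("card number contains non-digits")
		}
	}
	return digits, nil
}

// MaskCard X's out all but the last four digits, which is the only form the
// web site ever needs to display back to a customer.
func MaskCard(pan string) (string, error) {
	digits, err := normalizePAN(pan)
	if err != nil {
		return "", err
	}
	return strings.Repeat("X", len(digits)-4) + digits[len(digits)-4:], nil
}

// WebTierStore runs on the web server, which holds only the public key.
// A compromise of this host yields ciphertext and masked numbers, nothing
// that can be charged.
func WebTierStore(pub *rsa.PublicKey, pan string) (StoredCard, error) {
	digits, err := normalizePAN(pan)
	if err != nil {
		return StoredCard{}, err
	}
	masked, _ := MaskCard(digits)
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(digits), oaepLabel)
	if err != nil {
		return StoredCard{}, err
	}
	return StoredCard{Ciphertext: ct, Masked: masked}, nil
}

// OfflineDecrypt runs on the air-gapped processing machine that holds the
// private key; the records reach it on removable media, as in the post above.
func OfflineDecrypt(priv *rsa.PrivateKey, rec StoredCard) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, priv, rec.Ciphertext, oaepLabel)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	// Key generation happens once, on the offline machine; only the public
	// half is ever copied to the web tier.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	// Constructed sample input: a well-known test number, not a real card.
	rec, err := WebTierStore(&priv.PublicKey, "4111 1111 1111 1111")
	if err != nil {
		panic(err)
	}
	fmt.Println("web tier stores:", rec.Masked, "and", len(rec.Ciphertext), "bytes of ciphertext")
	pan, err := OfflineDecrypt(priv, rec)
	if err != nil {
		panic(err)
	}
	fmt.Println("offline processor recovers:", pan)
}
```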

Re:This should _never_ have happened! (1)

CTalkobt (81900) | more than 14 years ago | (#790417)

Whether a robber breaks into your house and takes something is not the issue. He broke into your house. Here, the stupid script kiddie ( probably ) broke in, and managed to lift some confidential information. It's that disregard for security that I find offensive. It should be punishable.

By just taking a major loss on e-business - woop-de-doo. Like that's really going to affect the company 3 years from now. Larger companies aren't so concerned about 1-time hits of 3 or 4 months duration - they're more concerned about their long-time PR etc... You think Ford really cares about the tire recall right now? For PR's sake they have to - but they know they'll weather this storm. ( in fact, I think it's more Firestone was at fault.. but anyway... ).

Memory is so fleeting. Time passes. People forget. Companies go on without a bump.

They shouldn't. They should hurt, feel pain and remember the lessons learned.

I just mail cash (2)

joshv (13017) | more than 14 years ago | (#790418)

Hell, this would never affect me, I just mail cash. Ones are the best for mailing.


Re:Oh, the things I've seen (1)

paled (22916) | more than 14 years ago | (#790419)

It's not just the fscking installer that's Java-based, but everything except for svrmgrl and sqlplus. The entire DBA studio, Oracle Enterprise Manager are java based - that's why you need 512 MB ram and 1 GHz in your desktop - to watch an asinine rotating globe spin around. Assholes.
Have you ever tried to use DBA Studio over a dialup connection with remote control software?
The only way to do that is to use an ICA/RDP connection to the site's LAN to a Citrix server and run OEM from there.

Re:On-line Databases (1)

myke_hines (128097) | more than 14 years ago | (#790420)

that doesn't really make sense.. if the webserver can see the CC#'s, which it will to verify information.. then if the webserver is cracked.. they will be able to do the same thing..

is running Microsoft-IIS/4.0 (1)

Anonymous Coward | more than 14 years ago | (#790421)

'nuff said.

Re:Oh, the things I've seen (2)

SuiteSisterMary (123932) | more than 14 years ago | (#790422)

Perhaps. Oracle's 8.1.x installer (fucking Java based installer; can't install over telnet anymore on most systems) tells you system/manager and sys/change-on-install or the like. But anybody who's used Oracle even once knows about system/manager. Anybody who's used SQL Server knows about 'sa/'. Anybody who's used Windows NT knows Administrator, Guest, IUSR_MACHINENAME. Anybody who's used Linux knows about root, guest, etc etc. There honestly does need to be criminal liability for this sort of thing. If an armoured truck full of gold bricks were stolen because the driver left the keys in the ignition, or in the sun visor, there'd be hell to pay. Well, default passwords and blatantly poor installation should be just as liable. Of course, the armoured truck driver doesn't have a CEO who's never gotten a driver's license sitting behind him telling him which pedal to push and which way to turn 'that wheel thing' all the time. It's not always the sys admin's fault. And heaven help the admin whose boss knows JUST ENOUGH to get himself in trouble.

Re:They should take the blame, not "hackers" (2)

kazzuya (135293) | more than 14 years ago | (#790423)

I don't think IKEA needs to save money on programmers. I think that web development is a big business and very well paid.. everybody wants to jump in and it's a relatively new kind of development where there isn't a solid experience of the field.
Every software developer knows that there is no room for perfection when deadlines and money are involved. It's very common to have bugs here and there.. the problem now is that in web development bugs can easily mean security holes.
Eventually web developers will be required to be educated about security issues.. for now.. it's just a risky business for the customers.

Re:This should _never_ have happened! (2)

paled (22916) | more than 14 years ago | (#790424)

Don't give the account that is on the webserver the "SELECT ANY TABLE" privilege.
Create packages (stored procedures) on the Oracle Server that perform operations such as insert_cust_info and insert_cust_credit_card.
Don't use public synonyms on the Oracle Database.
In this manner, if (when) the webserver is cracked, the account that is now owned can only insert data. By storing customer credit card info in a separate table that only DBAs (and specific procedures) have access to - the compromise of the webserver does not allow the type of access that the hAx0r is looking for.

I believe that this is called "Principle of least privilege". Apply it.

Oh, the things I've seen (5)

SuiteSisterMary (123932) | more than 14 years ago | (#790425)

I used to work as developer support for a web application development product. This often involved doing work directly on a customer's site. If I had a nickel for every time I asked for the login/password for an e-commerce related database, and it was the admin login with either a null password, or a default, I'd have a shitload of nickels. And if I also had a nickel for each time the database was installed on a computer completely exposed to the Internet, instead of, say, being installed behind a firewall, with possibly only the database access ports tunneled through (and only accepted from the IP of the web machine), or better yet, having both the web and database machines behind the firewall, and requests to the web machine being forwarded through, well, I'd have an even bigger shitload of nickels. Picking up SQL Server for Dummies or O'Reilly's Oracle In a Nutshell does NOT an e-commerce ready database make.

Liability after warnings like this? (1)

Forgotten (225254) | more than 14 years ago | (#790428)

I have a question for all the IANALs out there. I know that normally one isn't liable for purchases made on one's credit card by other people - the card company takes the responsibility of chasing down the offender. However, in a case like this where a subsection of card numbers have been stolen and the cardholders have been warned by the entity that lost them does the onus begin to shift to those cardholders? Maybe I'm paranoid, but I'm visualising a scenario where the card company says "well you were warned and you failed to cancel your card, so you have some responsibility too". Could this happen? Could it happen if instead of Western Union warning the customers affected, it was the card company(s)?

The reason it occurs to me that the card companies might want to partially reverse their long practice of not blaming the customer is that (a) these things are going to become more frequent, and especially (b) when this does happen, it happens en masse instead of a single, easily-tracked theft. If 50,000 cards are stolen and used for 50,000 medium-size automated purchases, it could be hard to seek redress. Indeed the paperwork in tracking down all the unauthorised purchases would probably be more expensive for the card company than the actual purchases themselves.

Numbers not stolen? (3)

mindstrm (20013) | more than 14 years ago | (#790430)

Nowhere in that article (unless I'm blind) does it say that any numbers were stolen. All they said is that it was unclear whether any 'personal information' was stolen.

And if it was stolen... that's shitty site design. You quickly stash cc#'s off in a secure location; you don't make them retrievable off the website, EVER.

On-line Databases (4)

Detritus (11846) | more than 14 years ago | (#790432)

I still don't understand why anyone would store sensitive information in a database on a system that is accessible from the Internet. Put the database on a secure server that provides a restricted set of functions to a predefined list of systems. Even if the web site gets cracked, and it will, the intruders would not get unrestricted access to the database.

suuuuuuuuuuuuure (5)

kirwin (71594) | more than 14 years ago | (#790434)

The problem was discovered during a routine security check Friday, he said.

If their security checks are so routine, then why did this happen?

[root@solstice /root]# telnet 80
Connected to
Escape character is '^]'.
get /
HTTP/1.1 501 Not Supported
Server: Microsoft-IIS/4.0

Oh, I see now.

Re:Cracked... Where was the encryption (1)

kirwin (71594) | more than 14 years ago | (#790437)

The article states that they don't know whether or not the credit card data was compromised.

Netcraft tells it all... (2)

Dice (109560) | more than 14 years ago | (#790439)

is running Microsoft-IIS/4.0 on NT4 or Windows 98

D'oh! Seriously, you'd think these big banks and money sending whatever it is western union does people would use a B1 Trusted OS or something.

May I suggest BullDog or possibly TrustedBSD? I haven't tried TrustedBSD, but I was quite impressed with BullDog's stats at this past DefCon. They put a server running their OS (a modified Solaris) on the CTF (Capture The Flag) network running all sorts of insane services. A day into the competition they still hadn't been cracked so they posted the shadow password file. They never did get cracked.

root (1)

pohl (872) | more than 14 years ago | (#790444)

And now we know you connect to the internet with apps running as root.

I'm curious...what does an attacker gain by this knowledge?

Re:Ah Yes, Western Union Uses Microsoft Software(z (1)

jps3 (2870) | more than 14 years ago | (#790445)

Wasn't there something on Slashdot a short while back about MS using default passwords for SQL Server... Or more accurately, admins not changing the default password. That would be grossly negligent if this were so.

Re:On-line Databases (3)

levendis (67993) | more than 14 years ago | (#790447)

Yes, but, at some point the user has to enter the card number initially. It could be that the crackers were intercepting this stuff, before it hit the secure database server.

Re:This should _never_ have happened! (2)

(void*) (113680) | more than 14 years ago | (#790449)

Do you consider hacking a computer to be equivalent to housebreaking? IMHO, they are not the same thing at all.

I consider hacking a computer to be more a con-game really. You see, your computer is chatty - when hooked up to the internet, it talks to other computers. Just that it could be untrusting or trusting about who to talk to, what to say, etc. Any computer that is naive can be tricked into revealing its secrets, just like you can trick an idiot into telling you his mother's name, so you can use it to take money from his bank account.

I say this analogy is more accurate than housebreaking. Who do you say?

Anecdote about Discover (1)

Anonymous Coward | more than 14 years ago | (#790451)

The following is a true story about Discover Card and my dealings with them on a security flaw that exposed over 20,000,000 million credit card numbers and other confidential data.


A year ago or so I was browsing the Discover Card web site and noticed they allowed viewing of your account balance and transactions online. I went to their account login page (not that I actually have a Discover card) and what I saw horrified me -- a CGI taking a file name as a parameter. If my assumption was correct, they were directly opening that file and spitting it back out. A simple test confirmed it: I passed /etc/passwd to the CGI and out came their system's password file. Using this same technique, I discovered (no pun intended) that the machine was an IBM server running AIX 4.3. Using IBM's online AIX documentation and some persistence, I was able to navigate throughout the server and read any file on the system that 'nobody' could. What I found next absolutely shocked me: Discover Card's complete database of account numbers, social security numbers, addresses and other contact information. Thus began my conversations with Discover Card.

I called Discover Card's toll-free number as they don't list any other way to contact them by phone. After convincing the rep that I really didn't want a Discover card and I just wanted to talk to someone in management, a lady came on the phone. I told her what I had found and that it was a serious issue. I don't think she knew what I was saying but she said she'd relay the information to the technical department and that they would get back to me quick style.

A week goes by and I have yet to hear from someone at Discover so I call again. I explain the whole story to this new manager and I'm told that I will be contacted about the matter.

A few days later I receive a call from the president of the technical department. After explaining the story for a third time he says that he will talk to his programmers about it and get back to me.

As the president promised, he did call me back -- this time with the president of security on the line. Once again I was asked to repeat my story and how I obtained access to their system. What happened next is a bit sketchy as I don't recall exactly how it took place or in what order: one of the presidents questioned me on whether I believed I was a 'hacker.' I assured him that what I had done was in good faith and even demonstrated that by contacting them as soon as I discovered the hole. I could have easily published a paper on it and sent it to the media and to their shareholders. Not only would their stock price have plummeted, but I'm sure someone would have found grounds for a lawsuit. Not to mention the damage it would have done to their credibility for touting excellent security.

The president of technical affairs mentioned that his programmers indeed looked into the problem but at this time they did not consider it a big issue. He said that if they needed anything more that they would contact me. In amazement of their lack of concern, I hung up the phone.

That was the last of my phone conversations with Discover. Over the next few days I periodically checked back at the site to see if the hole had been secured. I remember it being fixed the next day but then when I visited a week later the hole was back. I'm not sure how long the hole was sitting there in between my call and their permanent fix or even how long it was there before I called. As of today the hole has been plugged.

This just shows you what kind of companies we are trusting with our personal and sensitive information. It's one thing for someone to steal your credit card number -- they can easily be canceled. It's a whole different story if someone gets a hold of your social security number and private contact data. There is absolutely no excuse for these kinds of errors.

Disposable Credit Cards (3)

waldoj (8229) | more than 14 years ago | (#790457)

What would be even better than disposable credit card numbers would be disposable credit cards. I want to be able to walk to 7-11 and pay $51 for a $50 debit card (that can be used like a credit card.)

If we're ever going to move into e-cash, we have to have a system that is as anonymous as cash. This seems like the best way to assure that.



(Normally we don't post this stuff...) (2)

Speare (84249) | more than 14 years ago | (#790459)

CmdrTaco, define 'we'?

4 MSNBC: Stealing Credit Card Numbers Online is Easy by Roblimo on Sun 16 Jan 05:22PM EST 341
4 Largest Online Credit Card Heist Ever? by Roblimo on Sun 09 Jan 04:59PM EST 359
3 RealNames Customer Data Stolen by emmett on Mon 14 Feb 06:55AM EST 129
4 British Crackers Demand Millions in Inforansom by Roblimo on Sun 16 Jan 11:52AM EST 195

Ah Yes, Western Union Uses Microsoft Software(z) (1)

Redking (89329) | more than 14 years ago | (#790460)

Well, a simple Netcraft query tells us that the website itself is Microsoft IIS probably on Windows NT. Part of the basic Microsoft ecommerce package is SQL Server, so I'm speculating that was the database that was compromised.

There definitely should be some litigation regarding this case. 10,000 to 20,000 possible credit card numbers?!? That is a lot of people and now they have to go thru the hassle of cancelling their credit cards and getting new ones.

This is Western Union, for crying out loud. A company that makes money by helping people transfer money. You think they would take better safety precautions and use encryption on their database. Or better yet, have the database server offline without a connection to the Internet.


Re:Liability after warnings like this? (1)

kirwin (71594) | more than 14 years ago | (#790462)

Perhaps credit card companies should now offer "hacker" insurance. Perhaps credit card companies should set up security criteria with commerce-related web sites for use of online credit transactions. After all, they are responsible for losses when your card is compromised.

Re:The Problem (1)

ActionListener (104252) | more than 14 years ago | (#790463)

>> The problem, as reported by NPR, was traced to human error .. Somebody left a database open, which is where the vulnerability existed. Western Union will correct the problem, says they.

Hmm. Here is another problem they should also correct :)

bash$ lynx -head -dump
HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Sun, 10 Sep 2000 18:29:13 GMT
Content-Type: text/html
Cache-control: private

Re:Ass raped monkeys (3)

Detritus (11846) | more than 14 years ago | (#790467)

I would expect the credit card companies to set and enforce security standards for merchants that accept their cards. If you want to accept credit cards, you have to sign a contract with, and be approved by, the card's issuer.

liability? (5)

legLess (127550) | more than 14 years ago | (#790470)

Speaking from experience, it's a major pain in the ass to cancel a credit/debit card and get a new one, not to mention trying to figure out how to live without one for a week. (Heck, I buy coffee in the morning with my debit card.) Never mind the nightmare of straightening out the false charges with your bank.

So is Western Union liable for this time/expense/pain in the ass? Should you have an expectation, visiting an e-commerce site of some sort, that your CC# will be kept private against the ravages of crackers?

If someone with a mask and gun steals a bag full of CC receipts from Sears, then uses the numbers, is Sears at all liable for their misuse? Should they be? How does this change for e-commerce stores? You can't really stop someone coming into your store with a gun and robbing you, but you can take much better precautions against someone hacking your site like this.

I see both sides of this - as an admin and a CC user. Should we have a zero-tolerance law? No mistakes, no excuses - the store that got hacked should just pay up, whatever its customer's expenses are? Honestly, I lean towards "yes." There have been enough public cracks in the last year to encourage even the most brain-dead (heh: " is running Microsoft-IIS/4.0 on NT4 or Windows 98" - NetCraft) to really secure their stores and databases.

If you can't secure it, don't connect it to the web.