Slashdot: News for Nerds

UK Cosmetic Retailer Lush Targeted By Hackers

timothy posted more than 3 years ago | from the people-are-bad dept.

Security 109

Tasha26 writes "Cosmetic retailer Lush stopped its online activities on Jan 21 due to hacking activities. Their website is still down due to 'continuing attempts to re-enter,' and Lush is thinking of spinning a small PayPal outlet as a temporary solution. The company is urging customers who placed an order between Oct 2010 and Jan 2011 to contact their banks for advice on compromised credit card details. The company even posted a message addressed to the hacker, saying, 'If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job — were it not for the fact that your morals are clearly not compatible with ours or our customers.'"

109 comments

Note to self: (0)

Anonymous Coward | more than 3 years ago | (#34963326)

Don't feed the trolls.

Color me nonplussed (1)

akkornel (1800252) | more than 3 years ago | (#34963358)

Well, you could, that is, if you were able to get your hands on any fine Lush products, but now you can't, so I guess I'm not nonplussed after all.

How long 'til we are required to use things like one-time credit cards, or maybe a single-use code from my Yubikey, or something else, for online purchases? Either that or cancel & change your credit card number every six months.

Re:Color me nonplussed (1)

daid303 (843777) | more than 2 years ago | (#34964746)

How long 'til we are required to use things like one-time credit cards, or maybe a single-use code from my Yubikey, or something else, for online purchases? Either that or cancel & change your credit card number every six months.

There are alternatives. For The Netherlands we have iDEAL: http://en.wikipedia.org/wiki/IDEAL [wikipedia.org]

It works very simply: you only authorize a single payment. They could scam you out of a single payment, but that's it. I exclusively buy online at shops that support iDEAL. And that list is growing fast; Steam has also supported iDEAL for half a year now, and Blizzard accepts it as a payment method. The whole credit card setup is so stone-aged compared to this.

Also note that I don't need to set up a different account or anything else, because I have an account at one of the banks supporting iDEAL. It requires the same 2-factor authentication as I use for online banking, so it all feels familiar.

Re:Color me nonplussed (1)

dtml-try MyNick (453562) | more than 2 years ago | (#34964950)

Agree, iDEAL may not be the end-all, be-all solution for online transactions, but it's pretty solid, safe and simple.

Currently I only do payments via iDEAL or PayPal. My PayPal account is empty most of the time. If I want to buy something via PayPal I transfer the amount of money needed first and then make the transaction.

Re:Color me nonplussed (1)

KingAlanI (1270538) | more than 3 years ago | (#34968948)

PayPal has instant transfers out of attached bank accounts available at least in the US.
Then you don't have the delay of waiting for the transfer to clear and add to your account balance, then paying with your balance.

Re:Color me nonplussed (2)

cdrguru (88047) | more than 2 years ago | (#34966414)

Your credit card will be compromised. It is a fact of life.

Your average waiter in a restaurant can make an extra $50-100 a week by turning nice fresh credit card numbers over to the right people. Credit card companies do not prosecute - ever. So, even if someone is caught they aren't going to do any time.

Magnify the opportunity and reward 1000 times for a credit card database.

I do not know of anyone ever that had to pay for their credit card being used fraudulently. Generally I get a phone call asking if some purchase was mine and when the answer is no it is removed from the bill and a new card is mailed out. Period. Nothing else.

I don't understand what all the fuss is about. Yes, you will get a new credit card number periodically. So?

Re:Color me nonplussed (1)

GameboyRMH (1153867) | more than 2 years ago | (#34967058)

Your average waiter in a restaurant can make an extra $50-100 a week by turning nice fresh credit card numbers over to the right people.

That's it? Hahaha, suckers!

Oh come on... (3, Interesting)

samcan (1349105) | more than 3 years ago | (#34963360)

It's not a matter of whether the hacker's skills are formidable, it's a matter of whether Lush's IT team's aren't.

Re:Oh come on... (1)

Anonymous Coward | more than 3 years ago | (#34963396)

Such is not always the case. Even if you run a top notch secure system, there will always be bugs and ways to compromise it.

Re:Oh come on... (5, Insightful)

rtfa-troll (1340807) | more than 3 years ago | (#34963648)

A "top notch" IT team will have

  • offline backups
  • the ability to restore quickly
  • the ability to expand capacity quickly
  • the ability to do almost immediate updates*
  • basic forensic ability to work out what's going on

Sure, your system may be compromised. Sure; the first replacement system may be compromised again. During the compromise of the second you should get enough logs that the third (or at worst fifth time) you come back, all the zero day attacks the attacker is using have gone.

Anyone can lose a few hours of outage. To be down for a day and have to start begging for mercy is not a sign that their IT "skills are formidable".

* at the cost of a short term outage;

Re:Oh come on... (2)

Nick Ives (317) | more than 2 years ago | (#34964172)

Not if the "zero day attacks" are in the bespoke code for your website. Then you'd be in the situation of getting whoever wrote your code to sort their mess out, which for a relatively small firm like Lush would probably mean dragging back in whatever lowest-bidder contractor they used.

Re:Oh come on... (1)

rtfa-troll (1340807) | more than 2 years ago | (#34964838)

dragging back in whatever lowest bidder contractor they used.

We are discussing here a "top notch" IT team.

a) they wouldn't have used a lowest bidder in the first place

b) once they know the URL they would be able to use one of the Apache filtering modules or a feature of their load balancer to block that URL

c) once they captured the URL that caused the break in they could just fix the code themselves; being top notch they won't be using anything they don't have the code to.

Even a slightly less than top notch company will have a support contract and in the case of a less than immediate response will have a notice like "waiting for Oracle support to respond"; "up as soon as Microsoft can fix IIS" which is the kind of thing which tends to get these companies to do a very quick fix.

Re:Oh come on... (0)

Anonymous Coward | more than 2 years ago | (#34964898)

Your "URL" is not going to help you every time. There are a ton of other ways to compromise systems.

Let me repeat: Even if you run a top notch secure system, there will always be bugs and ways to compromise it.

A top notch IT team can be prepared for rescuing from a mishap, but not to avoid it. If you believe you are completely secure, you are either misguided about security or plain stupid.

Re:Oh come on... (1)

jimicus (737525) | more than 2 years ago | (#34966354)

The hackers have already demonstrated that they're probably a cut above the average script kiddie, insofar as they hacked the site to forward credit card numbers and this went unnoticed for a couple of months.

There's a good chance that the IT team at the time this all blew up weren't sure exactly how the hackers got in in the first place. And if they were, they had evidence to suggest that attacks continued after the website was brought down and fixed. In which case, one line added to mod_security configuration may block the issue that caused the original hack but it won't do anything for any of the other issues that may exist.

Were I to hazard a guess (and from my own experience of corporate IT), I'd wager that Lush's IT department have been trying to get a project for some major website re-redevelopment approved for some time. It wouldn't surprise me if they knew full well the site was a disaster waiting to happen, but until that disaster does happen it can be very difficult to get such projects approved.

I daresay that the project will be made top priority now.

Re:Oh come on... (0)

Anonymous Coward | more than 2 years ago | (#34964414)

Maybe their admin password was 'password'

Re:Oh come on... (3, Insightful)

internewt (640704) | more than 2 years ago | (#34965162)

Maybe their admin password was 'password'

It was worse than that.... it looks like up until very recently they could well have had their site on a Windows 2000 machine. 2000 was the best version of Windows that MS ever made, but it still had some chronic shortcomings that make it totally unsuitable for most internet-facing tasks.

http://toolbar.netcraft.com/site_report?url=http://www.lush.co.uk [netcraft.com]

Of course it is all too easy to just flame Windows, but even (especially) the MS fans will agree that using IIS5 in at least 2007 is not a clever thing to have been doing.

But lets be honest, the way that site is slinging about the word "hacker" it is clear they do not have any kind of top-notch IT... or even any clue about computers - they probably accepted what the industry told them as 100% truths, and then think that somehow some person is doing fucking magic or something to get into their server. Considering how keen they seem to be to shirk responsibility for the break ins (their list of suspect beliefs, for example), they truly do not recognise their own ignorance. The BBC miss the point too, and just go along with the hacker rhetoric as well.

Re:Oh come on... (2)

catmistake (814204) | more than 2 years ago | (#34966066)

2000 was the best version of Windows that MS ever made

Still... it's a dubious honor.

IMHO, Windows Servers have a purpose... to help administrate lots of Windows Desktops with Active-Directory, and, of course, Exchange. When running Exchange, you need a couple or three competent administrators, that do nothing else, who are constantly on top of things... because it doesn't run by itself.

Any IT professional that insists running Internet-facing web servers on Windows is just as good as anything else is ____________________________ [I can't say it... please, responders, fill in the blank].

BAD METAPHOR TIME: Hardcore Microsoft-loyalist Windows Admins saw the movie first, and insist it was better than the book. The rest of us actually appreciate literature.

Re:Oh come on... (3, Insightful)

jimicus (737525) | more than 2 years ago | (#34966490)

Any IT professional that insists running Internet-facing web servers on Windows is just as good as anything else is ____________________________ [I can't say it... please, responders, fill in the blank].

... perfectly correct, provided the server is administered competently.

This means you run an up to date version of Windows and IIS, you lock everything down so tightly you can barely do anything with the damn thing, you make sure any extra things you need to install for your application are kept up to date (and ideally don't run any with a history of serious security issues), you keep it in a DMZ, you run a separate server configured identically in a test environment so you can test patches as soon as they become available with a view to rolling them out ASAP, your firewall offers application-layer security which you have learned how to configure properly and have done so and you're regularly ensuring the integrity of your site.

And if you don't have the time to maintain solid security for the important parts (such as card transactions), don't even try. There's plenty of card processors on the market that can do all that for you, and your systems never need to even see a card number.

I would argue that if you can't do all this (or at least understand what I'm talking about), you have no business running a public website which processes transactions in the first place.

The thing is, I would argue that a huge number of Windows admins (possibly 80% or more) are not even equipped to recognise their own shortcomings, much less do all of this.

Re:Oh come on... (1)

new500 (128819) | more than 2 years ago | (#34968378)

Upvote please the guy immediately above who knows a bit about Windows. It's hard, but do-able.

Re:Oh come on... (0)

Anonymous Coward | more than 3 years ago | (#34971348)

It's fine that competently administrating a Windows web server is difficult not in the way that math or 100mph fastballs are difficult, but more like how driving is difficult... I hope it works for those that choose it... but I'm looking for a web solution that is really a total pain in the ass just to be reasonably sure you know you'll never know for sure whether or not you've been pwned... I mean one with an exceptional and surprising amount of security issues... like the rest of the iceberg amount of security unknowns, but at the same time rots twice as fast as Windows. I don't have 6 months to sit around and wait for rebooting the thing to cease being entirely effective at making things appear as though things are working fine, just a little slower. I need this thing to go down almost daily after the slightest abuse in less than 6 weeks of deployment. Windows is far too good for my web needs. What I need is something that hardly works at all... something... delicate.

Re:Oh come on... (1)

jimicus (737525) | more than 3 years ago | (#34971842)

No chance, unfortunately, the /. view is very unlikely to agree.

Thing is, most hacks these days have rather more to do with the application than the platform it's running on. When I said "you have no business running a public website which processes transactions...", I include a public website running Linux.

I don't actually have any experience running Windows on a public server, and hence I wouldn't feel entirely confident I could do a decent job. But to claim it's impossible to do it properly is just ignorant. Frankly, I'd have been just as scathing of someone who was running RHEL 2.1, for much the same reasons.

Re:Oh come on... (2)

jimicus (737525) | more than 2 years ago | (#34964638)

Lush isn't an IT firm, they're a cosmetics firm.

I would be astonished if their IT staff are in-house - there's a very strong chance they outsource it all.

Re:Oh come on... (1)

rtfa-troll (1340807) | more than 2 years ago | (#34964894)

I was going to say that; if they are making most of their business online then they are an IT company; they just haven't realised it yet. However, it seems like in fact they probably do most business over the phone and in shops so I will actually say that it's good that they stood up and admitted what happened. Hopefully they learned and next time they'll get someone competent to run their online store.

Re:Oh come on... (1)

Ritchie70 (860516) | more than 2 years ago | (#34964934)

I doubt much is online sales. The noxious fumes from their heavily scented products make a trip to Macy's highly unpleasant if you wander into the wrong part of the store.

Re:Oh come on... (4, Interesting)

drinkypoo (153816) | more than 2 years ago | (#34965380)

Noxious fumes from heavily scented products? Have you actually smelled their products? It's probably the only thing in Macy's that won't make my airway tighten up instantly. I have asthma and that toxic bullshit that is in most body products makes me react immediately, whether I can actually smell it or not; and so much the worse if I can smell it, since my body has been trained to associate the toxic reaction with the artificial smell.

My lady has Lush products and they are both less scented and less noxious than virtually anything else on the market. Stop with your FUD.

Re:Oh come on... (1)

Kazymyr (190114) | more than 3 years ago | (#34972120)

Second that. Fortunately my wife gets all of her Lush stuff in brick-and-mortar stores, not online.

Re:Oh come on... (0)

Anonymous Coward | more than 3 years ago | (#34972352)

What it does to your asthma is all very interesting but, if you're not interested in a deliciously fruity shopping experience, Lush turns areas of nearly every shopping centre in the UK into a chemical warzone.

I don't care that it's not harmful. It's not somewhere I would voluntarily choose to walk.

Re:Oh come on... (1)

AndGodSed (968378) | more than 2 years ago | (#34967216)

A "top notch" IT team will have a proper budget.

Most of the things you mentioned cost money, and sadly most IT teams are the bastard children of management decisions as far as budget goes.

It usually takes something like this before management decides to finally empower the IT team with some form of financial support for their IT needs.

"We'd like to offer you a job..." (2)

mangu (126918) | more than 3 years ago | (#34963412)

"...if your salary weren't way above what us cheapskates are willing to pay!"

Unfortunately, people who are skilled in IT are lacking in salary negotiating skills. The end result is that some of them go to the dark side.

Re:"We'd like to offer you a job..." (2)

1s44c (552956) | more than 2 years ago | (#34963862)

"...if your salary weren't way above what us cheapskates are willing to pay!"

Unfortunately, people who are skilled in IT are lacking in salary negotiating skills. The end result is that some of them go to the dark side.

No doubt there is some truth in that. However the smart guys work for the challenge, not the money. I know plenty of rich crap people and plenty of smart not-so-rich people.

Re:Oh come on... (1)

Haedrian (1676506) | more than 3 years ago | (#34963574)

or whether the guy who designed the kit was formidable.

Re:Oh come on... (0)

Anonymous Coward | more than 2 years ago | (#34963844)

"It's not a matter of whether the hacker's skills are formidable, it's a matter of whether Lush's IT team's aren't."

No, it's whether Lush actually HAVE an IT team, or if they hired someone to build them a site and then neglected it.

Re:Oh come on... (1)

LingNoi (1066278) | more than 3 years ago | (#34972410)

or if they hired someone to build them a site and then didn't pay them to maintain it.

FTFY

Re:Oh come on... (1)

1s44c (552956) | more than 2 years ago | (#34963856)

It's not a matter of whether the hacker's skills are formidable, it's a matter of whether Lush's IT team's aren't.

Exactly. I'll bet the Lush IT team consists of a few guys who might be reasonably smart, but they just can't cover the amount of work they are meant to be doing. Management interference and other distractions most likely mean they could not keep track of all the work they should be doing.

Unless they took the Microsoft route, that is. Then they most likely employed a bunch of MCSEs who don't really understand technology, spent a fortune on Windows servers and another fortune on Active Directory servers, and still got cracked endlessly.

Re:Oh come on... (1)

Anonymous Coward | more than 2 years ago | (#34963968)

"It's not a matter of whether the hacker's skills are formidable, it's a matter of whether Lush's IT team's aren't."

No, it's whether they actually HAD an IT team, or whether they just paid for a website and expect it to run forever with their great management skills.

Re:Oh come on... (2)

Elentari (1037226) | more than 2 years ago | (#34964088)

This is the forum post from their singular IT team member about the incident: http://img35.imageshack.us/img35/3715/lushpostuk.jpg [imageshack.us]

Re:Oh come on... (0)

Anonymous Coward | more than 2 years ago | (#34964164)

Back doors in the code base? This does seem to imply a former employee or contractor was involved.

Re:Oh come on... (1)

rtfa-troll (1340807) | more than 2 years ago | (#34964924)

I read that as SQL injection points or equivalent. I don't think he means deliberately placed back doors. He's clearly a bit of a novice on some aspects of the security.

Re:Oh come on... (0)

Anonymous Coward | more than 2 years ago | (#34964774)

It's not a matter of whether the hacker's skills are formidable, it's a matter of whether Lush's IT team's aren't.

Not every company has the means to hire the 99th percentile in computer talent, which means that they will be vulnerable to attack from the most skilled attackers. For some reason this jackass has decided to target this company, and they now have to deal with being pushed into the deep end of the black hat pool.

That doesn't make their IT team any less competent in having decent availability and response time. Perhaps you're a super class-A computer guy, but I'd hazard to guess that there are people out there that could eat you for lunch, so don't get too high and mighty just because some other guy may not live up to your standards. We all do the best we can in this world, and sometimes it's enough and sometimes it's not. There's no shame in admitting there are people who are more skilled than you.

Re:Oh come on... (1)

Rogerborg (306625) | more than 3 years ago | (#34971498)

No, really, the guy that beat me up was like seven feet tall. Also, there were three of him. All of them ninjas.

My opposite experience (5, Funny)

cappp (1822388) | more than 3 years ago | (#34963372)

Weird. My ex always sent me off to increase my "online activities" whenever I made "continued attempts to enter".

Re:My opposite experience (1, Funny)

kronosopher (1531873) | more than 3 years ago | (#34963388)

"If you are reading this, our women would like to say that your talents are formidable. We would like to offer you a blowjob — were it not for the fact that your genitalia are clearly not compatible with ours or our customers."

Re:My opposite experience (3, Insightful)

MichaelSmith (789609) | more than 3 years ago | (#34963598)

'If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job — were it not for the fact that your morals are clearly not compatible with ours or our customers.'

Oh for fuck's sake. Security isn't a battle against good or evil. The genius attackers are most likely using a simple exploit. An open MySQL port or a conveniently informative log file. Fix your shopping cart, you morons.

Re:My opposite experience (2, Interesting)

Anonymous Coward | more than 2 years ago | (#34963850)

'If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job — were it not for the fact that your morals are clearly not compatible with ours or our customers.'

Oh for fuck's sake. Security isn't a battle against good or evil. The genius attackers are most likely using a simple exploit. An open MySQL port or a conveniently informative log file. Fix your shopping cart, you morons.

MySQL? Looks like the port is open. Running 5.0.91 by the looks of it too.

And they wonder why they were hacked.

Re:My opposite experience (0)

TheLink (130905) | more than 2 years ago | (#34965992)

If you're unlucky, you might be accused of hacking them.

Sometimes it's a good idea to stay clear of crime scenes.

Re:My opposite experience (-1, Troll)

Frosty Piss (770223) | more than 3 years ago | (#34963642)

You're a sick-sick-sick mother fucker. You need help. Seek counseling before you end up on a sex offender registry.

Netcraft says.... (0)

Anonymous Coward | more than 3 years ago | (#34963502)

Lush was running IIS on Windows. Coincidence?

Re:Netcraft says.... (1)

HRH_H_Crab (1746502) | more than 3 years ago | (#34963626)

IIS on Windows has an overwhelming share of the market when it comes to online commerce sites. It's only natural that hackers would...wait, what?

Re:Netcraft says.... (0)

Anonymous Coward | more than 2 years ago | (#34963826)

It's PHP Apache if you look.

Re:Netcraft says.... (1)

1s44c (552956) | more than 2 years ago | (#34963874)

It's PHP Apache if you look.

PHP. The free alternative to visual basic.

Re:Netcraft says.... (3, Informative)

BeanThere (28381) | more than 2 years ago | (#34963938)

Wrong, if you check their 'what's that site running' history [netcraft.com] you'll see that they only switched to Apache yesterday. Before that, they were on IIS 5 on, FFS, Windows 2000, which is a sign that they were probably running on outdated poorly managed systems. The fact that the attack attempts "continue" is probably meaningless as whatever they were, they are almost certainly failing now, but the attempts will still show up in the logs which will make any naive IT administrator nervous.

Re:Netcraft says.... (2)

Nick Ives (317) | more than 2 years ago | (#34964214)

Yeah, every computer on the internet is under constant attack. Like a lot of people, I've moved my SSH daemon to a non-standard port out of annoyance with my secure log filling up with common username / password login attempts from botnets.

If you're presenting a service to the world on a standard port, botnets will always be trying to robohack you.

I'm not too sure of that Netcraft report though, as Lush appear from their statements to have been with their current hosts since at least October last year, so they could've moved from Win2k more recently than three and a half years ago.
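Triaging the kind of log noise described above, as an added example that is not from the original post: a Python script over constructed sshd log lines (in the style of a Linux secure log, not from any real host) that counts failed password attempts per source address and separates a botnet dictionary run from a single mistyped password or an address that later logged in. Thresholds and the "followed_by_success" label are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of /var/log/secure; the addresses are
# documentation ranges (TEST-NET), not real hosts.
SAMPLE_LOG = """\
Jan 23 03:14:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 23 03:14:02 web1 sshd[2103]: Failed password for invalid user oracle from 203.0.113.7 port 51236 ssh2
Jan 23 03:14:03 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 51238 ssh2
Jan 23 03:14:04 web1 sshd[2107]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
Jan 23 03:14:05 web1 sshd[2109]: Failed password for invalid user guest from 203.0.113.7 port 51242 ssh2
Jan 23 03:14:06 web1 sshd[2111]: Failed password for root from 203.0.113.7 port 51244 ssh2
Jan 23 03:20:11 web1 sshd[2150]: Failed password for nick from 198.51.100.22 port 40001 ssh2
Jan 23 03:20:19 web1 sshd[2152]: Accepted publickey for nick from 198.51.100.22 port 40002 ssh2
Jan 23 03:25:40 web1 sshd[2170]: Failed password for invalid user pi from 192.0.2.99 port 60010 ssh2
Jan 23 03:25:41 web1 sshd[2172]: Failed password for invalid user ubnt from 192.0.2.99 port 60012 ssh2
"""

# "invalid user" is optional: sshd omits it when the username exists locally.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+)"
)


def summarise_failures(log_text):
    """Return {ip: {"count": n, "users": [sorted usernames tried]}} for failed logins."""
    stats = defaultdict(lambda: {"count": 0, "users": set()})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            entry = stats[m.group("ip")]
            entry["count"] += 1
            entry["users"].add(m.group("user"))
    return {ip: {"count": v["count"], "users": sorted(v["users"])}
            for ip, v in stats.items()}


def classify_sources(log_text, max_failures=5, max_users=3):
    """Label every source address that produced at least one failure.

    "brute_force": many failures or many distinct usernames, the signature
        of a dictionary run from a bot (candidate for a firewall block).
    "followed_by_success": failures from an address that later authenticated;
        low volume, but worth a human look (was that really the admin?).
    "low_volume": anything else, e.g. one mistyped password.
    """
    failures = summarise_failures(log_text)
    accepted = set()
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.add(m.group("ip"))
    labels = {}
    for ip, info in failures.items():
        if ip in accepted:
            labels[ip] = "followed_by_success"
        elif info["count"] >= max_failures or len(info["users"]) >= max_users:
            labels[ip] = "brute_force"
        else:
            labels[ip] = "low_volume"
    return labels


if __name__ == "__main__":
    summary = summarise_failures(SAMPLE_LOG)
    for ip, label in classify_sources(SAMPLE_LOG).items():
        info = summary[ip]
        print(f"{ip:16} {label:20} failures={info['count']} users={info['users']}")
```

Tools such as fail2ban apply the same idea continuously and add the block rule for you; this script only shows the classification step.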

Re:Netcraft says.... (1)

jimicus (737525) | more than 2 years ago | (#34966520)

I note that they also switched hosting provider. Obviously they're not too keen on their previous provider.

Every generation... (1)

mwvdlee (775178) | more than 3 years ago | (#34963536)

Why were these teenagers hacking the Lush website anyway? Are they some sort of evil company that needs to be destroyed? If you're doing it for the fun of hacking, how much fun could it be to repeatedly hack a site that's obviously not very difficult to hack? Or is this just some juvenile delinquents trying to steal credit card details?

Re:Every generation... (3, Informative)

jonbryce (703250) | more than 3 years ago | (#34963562)

They were doing it to steal credit card details. There are reports in the comments sections of various newspapers that they were using the cards to buy Telefonica O2 pay as you go credits. Presumably they then use these to phone premium rate numbers and cash out that way.

Re:Every generation... (2, Insightful)

coolmadsi (823103) | more than 2 years ago | (#34964178)

Why were these teenagers hacking the Lush website anyway? Are they some sort of evil company that needs to be destroyed?

I wouldn't really call them evil. They notified all their online customers that their details may have been compromised and to take precautions (my girlfriend was one of them), as opposed to keeping it quiet, not telling anyone, and hope everything blows over.

My girlfriend often tells me how ethical they are as a company: they stopped using plastic packaging for their products wherever possible, and allow customers to return empty pots back to them for a discount on their next purchase (and they then re-use the pots). As it's a cosmetic retailer, the only evil thing they do in my eyes is having all their strongly smelling soaps, bath bombs and other products out on display, so when I get dragged in with my girlfriend there's a wall of flowery smells to mess up my breathing. Most girls don't seem to mind it though.

Re:Every generation... (1)

jimicus (737525) | more than 2 years ago | (#34964648)

As it's a cosmetic retailer, the only evil thing they do in my eyes is having all their strongly smelling soaps, bath bombs and other products out on display, so when I get dragged in with my girlfriend there's a wall of flowery smells to mess up my breathing. Most girls don't seem to mind it though.

That's the biggest advert they've got! You can smell one of their shops halfway down the street.

Re:Every generation... (1)

BLKMGK (34057) | more than 2 years ago | (#34966480)

Smells good to me. You can buy their soaps and your bathroom smells wonderful as well. I buy their stuff here in the States and like it actually. Is Lush Canada, Lush UK, and the Lush company here in the US all the same? I wonder what the other web sites are running... :-O

Re:Every generation... (1)

jimicus (737525) | more than 2 years ago | (#34966588)

Very much so; they've openly admitted that they have been approached by people wanting to license/franchise the brand outside the UK, where they're based, and refused.

Re:Every generation... (1)

BLKMGK (34057) | more than 2 years ago | (#34967716)

Okay, well that makes sense. Here in the US I don't see them selling so much make-up like others have described, as they do mostly natural bath products. I also don't see them in the likes of Macy's as has been described here. At least not that I've noticed. They DO have their own shops however, and I've visited them at several malls and at an airport of all things. I always have some of their soap here and while I don't use it all the time the stuff smells great. I've actually found that when women smell it on you they like it too, so bonus!

From the "diary" entry posted elsewhere they do really sound like they have a small IT operation. Like three guys and a hosting company which surprises me if they are big enough to have sites for multiple countries and at least 4 shops that I know of here. I guess I would expect them to be using more than just a couple of guys and apparently a Win2K web server at least. I guess if nothing this is working out to be free publicity for them :-)

Re:Every generation... (1)

jimicus (737525) | more than 2 years ago | (#34967916)

The Win2K web server was with an outside hosting company.

I can't believe any self-respecting hosting company is still operating anything running 2K, so my money's on it being their own server in a colo (which is now an Apache server with United Hosting - who I don't think do colo, so I'd imagine it's a case of "we need to move our site to something which we can be 100% certain hasn't been hacked 15 ways from Sunday - the only way to do that is to run it on a different server altogether").

They do virtually no make-up, but they've always billed themselves as a cosmetic company - their UK products are mostly moisturisers, massage bars, bath and shower products. They have a sister company that does do make-up, though I'm not sure that's made it terribly far outside of Covent Garden. Possibly in other countries they put the make-up in the Lush stores.

(My wife is a Lush fanatic and I have a hell of a memory).

And so (1)

Dunbal (464142) | more than 3 years ago | (#34963544)

Someone thought that slashdotting the site would help more...

Glass half empty, or half full? (1)

rts008 (812749) | more than 3 years ago | (#34963676)

Well, after their servers experience a Chernobyl style meltdown from slashdotting, the hackers can't even get close enough to sift through the ashes! :-)

Re:And so (1)

coolmadsi (823103) | more than 2 years ago | (#34964186)

Someone thought that slashdotting the site would help more...

The site is mainly text with a couple of images. No adverts (I don't think). More likely to stand up to a large influx of visitors compared to a site that is half flashy adverts, due to transferring less data.

Lemon detox diet (-1, Offtopic)

jack495 (1975766) | more than 3 years ago | (#34963602)

Good efforts. All the best for future posts. I have bookmarked you. Well done. I read and like this post. Thanks. http://www.healthmantra.co.uk/lemon [slashdot.org] Lemon detox diet

Ankit Jain (-1, Offtopic)

salwars (1917960) | more than 3 years ago | (#34963628)

Really useful stuffs.. Love all of them.. Salwars [sareez.com]

Our morals and those of our customers? (1, Interesting)

Kaz Kylheku (1484) | more than 3 years ago | (#34963640)

How do they ascertain customers' morals? Just because someone buys something from you doesn't mean they have good morals!

What if the culprits turn out to be customers assisted by an employee? :)

Re:Our morals and those of our customers? (0)

Anonymous Coward | more than 3 years ago | (#34963742)

Serves them right for misshipping my makeup which I use to solicit sex from men while dressed as a woman

Re:Our morals and those of our customers? (1)

Dracula (27111) | more than 3 years ago | (#34963762)

What if the culprit(s) turns out to be an employee?

Re:Our morals and those of our customers? (1)

Anonymous Coward | more than 2 years ago | (#34964152)

Consider that the customers are customers. That means that they pay money in return for products, as opposed to, say, stealing them. This might imply that the customers agree on "stealing is undesirable." Some might even extrapolate to "cracking servers is undesirable."

Re:Our morals and those of our customers? (0)

Anonymous Coward | more than 2 years ago | (#34964326)

It's easy: they're mostly paying customers who are honoring the usual deal between a customer and a proprietor (I'll give you this if you give me a certain amount of money), as opposed to "customers" that try to spoof their web site and/or scam their business and/or scam legitimate customers.

I might be impressed by the skills of a shoplifter and their knowledge of store security, but I wouldn't be tempted to hire them either, especially if they are also pickpocketing other customers' credit cards.

And if it's an employee helping them, well, at the least they should expect to be fired. And after that, prosecuted.

Re:Our morals and those of our customers? (0)

Anonymous Coward | more than 2 years ago | (#34965790)

Just because someone buys something from you doesn't mean they have good morals!

If you can make your customers feel as if they do, then you don't have to worry about profits ever again.

(Religion, cosmetics, what's the difference?)

Perhaps it's a grammatical thing (0)

Anonymous Coward | more than 3 years ago | (#34963712)

I'm thinking the company was meaning to say morale, not moral.

Lush is not a typical 'cosmetics' store (1)

Squiff (1658137) | more than 2 years ago | (#34963906)

They specialise in handmade soaps and seem to be in pretty much every high street in the UK - Example: http://maps.google.com/maps/place?cid=10383864969614968362&q=lush&hl=en&sll=51.494368,-0.154123&sspn=0.049163,0.154324&ie=UTF8&ll=51.518891,-0.2314&spn=0,0&z=13 [google.com] You are more likely to get bath soap from them than eyeliner, and you can smell the patchouli from one of their branches from quite a distance... Maybe their 'IT' team is in the same vein?

Smelly (1)

ebcdic (39948) | more than 2 years ago | (#34963920)

The smell from their shops is so strong that it's actually unpleasant to stand at a nearby bus stop.

Re:Smelly (0)

Anonymous Coward | more than 2 years ago | (#34963976)

Ha! I cannot stand them and never understand why so many 16-19 year olds go crazy over a bar of soap..

Re:Smelly (4, Funny)

ettlz (639203) | more than 2 years ago | (#34964258)

Ha! I cannot stand them and never understand why so many 16-19 year olds go crazy over a bar of soap..

Oh, it's only a phase. It normally ends once they go to university.

Re:Smelly (0)

Anonymous Coward | more than 2 years ago | (#34965034)

Hey! I resemble that remark!

Re:Smelly (1)

Threni (635302) | more than 2 years ago | (#34964062)

Exactly. If there were only some way of preventing the stores from opening and instead allowing customers to shop online...

Having a page on eBay and Amazon is something a few companies are doing now. The sort of script-kiddies and spotty virgin bedroom boys who try and take sites down are too lame to be able to affect them, so you'd be safe.

From lush.co.uk (0)

Anonymous Coward | more than 2 years ago | (#34964230)

All customers potentially exposed to this breach were sent an e-mail on 20 January 2010.

At least they gave prior warning!

I always thought... (1)

baloki (1714710) | more than 2 years ago | (#34964296)

Doesn't PCI:DSS forbid the storage of full credit card numbers?

Re:I always thought... (0)

Anonymous Coward | more than 2 years ago | (#34964550)

I thought they could be stored - but not in a human readable format - i.e. must be encrypted. The CVV code must never be able to be recorded for later retrieval.

Re:I always thought... (0)

Anonymous Coward | more than 2 years ago | (#34964594)

No. Think about it. You need to get at least an Auth initially and then possibly a Charge later on despatch. Or - you do both on despatch. Or the bank's system is down and you need to submit later, (not wanting to lose the sale of course by refusing the transaction!). What about refunds to your card if you return items, cancel them pre/post despatch? Tokenisation helps, as does storing the card number decently encrypted.

PCI compliance (for some value of compliant) is extremely expensive. Smaller companies perhaps cannot afford it and take a risk. Any company where management is by sales types rather than IT savvy ones are unlikely to understand the issues and risks. Sales websites are more about "pink tinsel" ( (TM) T B-L at his FIEE acceptance speech), and digital bling than security and integrity. MDG

Re:I always thought... (0)

Anonymous Coward | more than 2 years ago | (#34966566)

Duh. The BANK deals with all of the credit card details, the seller never needs to see them, never needs them on their server, ever. They are sent directly from the webpage to the BANK who then process the sale, then send the code back to the server to say the money has gone through to the BANK.
If you want to refund, you do so through THE BANK.

In other words, Lush never needed to have anybody's credit card details anywhere on its servers - EVER.

"Or the bank's system is down and you need to submit later, (not wanting to lose the sale of course by refusing the transaction!)."

Huh? So how does the customer know if their order has gone through? You just 'accept' all orders when your bank's system is down? How often does that happen? How about never?

Re:I always thought... (0)

Anonymous Coward | more than 2 years ago | (#34968090)

OK - let's look at this carefully and slowly. Actually it's not the "BANK" that the seller sends details to - it'll be some outfit like commidea.com. Usually the transaction is split into an Auth (yes - there is money there at the moment to cover this sale) and a Charge when the goods are despatched. So ... pay attention now ... when you Charge you need to tie it up with the previous Auth. Can't do it on name/address as the purchaser may, quite legitimately have a number of cards - even from the same issuer. Tokens (as I mentioned earlier) are one way round this - but a Tokenised system costs lots more and many retailers aren't too keen. So you do actually need to have some way of keeping the card number (albeit - on a decent system - encrypted).
Refunds/Chargebacks/Recharges are a nightmare - and once again you need to tie up the *original* purchasing card with the Refund. Lots of scope for fraud if you don't :-).
There is another way - at the point of transaction you take the customer away from "your" website - and dump them into a customised screen from (eg) PayPal, which then does the necessary checking. After the Auth/Charge (depending on the set-up) the customer is returned to their "basket". The retailer doesn't get to need the card details - but again - they pay highly for the service from PayPal etc.

As to orders being accepted when the system is down ? YES - that's the way it's done. There's all sorts of reasons the Auth doesn't get done immediately, and usually the customer is none the wiser. Time outs, network glitches at any one of a string of node points without going to the extremes of the recent Mastercard DDOS scenario.

And just to worry you further; PCI DOESN'T properly apply until the Auth has been obtained. When you think about it it can't - you have to store the card number somewhere/somehow in order to pass it on to commidea or whoever. The shopping cart entry form doesn't have some magical power of information transference - bytes are stored, then moved at some later time - could be milliseconds, could be days.
MDG
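The Auth/Charge/Refund tie-up and the tokenisation the two comments above argue about, as a toy model added here (not Lush's code, not commidea's or PayPal's API, and not something any commenter posted). The Vault class is a hypothetical stand-in for the provider side; the merchant record keeps only a token and the last four digits, the CVV is never stored, and a small audit check confirms no full card number survives in merchant data.

```python
# Added example (not Lush's code, not a real processor's API). Vault stands
# in for the payment provider's side; the merchant keeps only token + last4.
import re
import secrets
from dataclasses import dataclass, asdict

PAN_RE = re.compile(r"\b\d{13,19}\b")   # a full card number in stored data

class Vault:
    """Hypothetical provider-side vault: the only place the PAN lives."""
    def __init__(self):
        self._pans = {}    # token -> PAN
        self._auths = {}   # auth_id -> [token, amount, captured]

    def tokenize(self, pan, cvv):
        # CVV is verified once here (not modelled) and deliberately not stored.
        token = "tok_" + secrets.token_hex(8)
        self._pans[token] = pan
        return token

    def authorise(self, token, amount):
        """Auth: reserve the funds now; nothing is captured yet."""
        if token not in self._pans:
            raise KeyError("unknown token")
        auth_id = "auth_" + secrets.token_hex(6)
        self._auths[auth_id] = [token, amount, False]
        return auth_id

    def charge(self, auth_id, token):
        """Charge on despatch: must tie up with the original Auth and token."""
        auth = self._auths.get(auth_id)
        if auth is None or auth[0] != token or auth[2]:   # unknown, wrong card, or already captured
            return False
        auth[2] = True
        return True

    def refund(self, auth_id, token, amount):
        """Refund only to the card behind the original, captured Auth."""
        auth = self._auths.get(auth_id)
        return bool(auth) and auth[0] == token and auth[2] and amount <= auth[1]

@dataclass
class MerchantOrder:
    """What the merchant's own database keeps: no PAN, no CVV."""
    order_id: str
    token: str
    last4: str
    amount: int
    auth_id: str

def place_order(vault, order_id, pan, cvv, amount):
    """Merchant side: PAN and CVV go straight to the vault, then are dropped."""
    token = vault.tokenize(pan, cvv)
    auth_id = vault.authorise(token, amount)
    return MerchantOrder(order_id, token, pan[-4:], amount, auth_id)

def holds_card_data(order):
    """Audit check: does any stored field still contain a full card number?"""
    return any(PAN_RE.search(str(v)) for v in asdict(order).values())
```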

Re:I always thought... (2)

jimicus (737525) | more than 2 years ago | (#34966544)

It does not, however, forbid taking the details in the first place. Which means that it'd be easy enough to slip a few lines into the shopping cart script that forward card details for every transaction to some hacker.

Which would explain why they're only worried about customers who bought stuff in the last couple of months.

Mobile Operators and Police don't help (4, Informative)

Ian.Waring (591380) | more than 2 years ago | (#34964320)

My wife is a Lush customer, ordered online in the time period described and did have 2 £15 charges (total just north of $40) for prepay mobile phone credit debited from her account. She spotted that virtually immediately; however, her bank just wanted to snail mail post a claim form to her to get her money back, and O2 (the mobile phone company providing the goods from the fraudulent two transactions) said it was an industry agreed procedure to wait until the bank got in touch with them before they'd do anything. So, bottom line, the thieves have 5 days to use the credit they stole, when O2 could have invalidated the transaction immediately and/or aimed some trace at the person using that mobile handset. About as much use as a cow on stilts. We need a Bill Bratton methinks. Follow the money, get to the source.

Re:Mobile Operators and Police don't help (1, Insightful)

cdrguru (88047) | more than 2 years ago | (#34966494)

Why do you want credit card companies to persecute their customers? Shouldn't they be reaching out to their customers with a more friendly business model?

You see, the way it works is the cardholder gets the stuff taken off their bill - usually no questions asked, it just happens. OK, so they want you to jump through some hoops for it, but it will happen no matter what.

Then the credit card company charges back the purchase to the merchant. The merchant should have insurance to cover this sort of thing, so it is no loss to them.

So who loses here? Nobody. Victimless crime.

The only problem is if the merchant doesn't have insurance. Too bad then. Should have gotten the insurance because it is going to happen to you eventually.

Obviously here the credit card company isn't going to prosecute anyone.

Oh, from a closer reading of your post it sounds like a DEBIT card was used, not a credit card. Well, the rules for those are different and banks are extremely reluctant to remove charges. Of course, they will charge back to the merchant anyway, just the same as a credit card. Except you might not ever get your money back from it and it just stays on your bill.

Simple rule here: never, ever use a DEBIT card online. Ever. There are no systemwide rules for how those transactions are cancelled as there are for credit cards. Use a debit card and lose your money. Period.

Re:Mobile Operators and Police don't help (0)

Anonymous Coward | more than 3 years ago | (#34971206)

Disclaimer: I work for an online retailer.

So who loses here? Nobody. Victimless crime.

This is *exactly* the attitude that lets so much of this crime continue. Actually, I'll cut customers some slack, because most of them think that the "big bad" credit cards' issuing banks eat the cost, when as you say, the retailers actually do. (In fact, I'd guess that the banks are quite happy for that false impression to continue).

But anyway, I don't count people being falsely branded as paedophiles, losing their jobs and being ostracised by their families [bbc.co.uk] as "victimless".

That aside, do you honestly think the cost of this doesn't come out in the wash as increased prices for everyone? That "insurance" you describe that retailers should have- do you think it's paid for with magical pixie pennies?

Yes, they should probably have insurance to cover payment fraud and theft in general anyway- but you can be sure it's going to cost *significantly* more than if the police and credit card companies both remotely cared about preventing such fraud.

The credit card companies do *not* give a toss about fraud. We can cancel obviously fraudulent transactions, but we can't notify the customer directly that their card is being misused (we don't have access to their contact details, which probably makes sense, except that the CC company won't "pass on" or do anything about this anyway).

The police here in the UK will do nothing to investigate blatant fraud in such cases, even when we have a concrete address, etc.

This isn't a case of accepting that there will always be problems with fraud- this is the fact that even when they *know* about such crimes and have a chance to stop them, both the police and the CC companies wash their hands of it and let it continue.

Re:Mobile Operators and Police don't help (1)

Have Brain Will Rent (1031664) | more than 3 years ago | (#34968536)

Wow just yesterday my spouse got called by Amex because a (one single) charge appeared that fell outside her normal spending pattern and they suspended her card right away, told her she would not be charged the amount and told her a replacement card would be received within 5 business days.

I used my business debit card for a sub $100 withdrawal, at an ATM in a branch of my bank, in a small town about 30 miles from where I normally do business. This set off some kind of alert and the fraud division called my number but I wasn't around to take the call so they cancelled the card - all within 2 hours of my using the card.

Sounds like you may need a new bank?

Yum (1)

WarwickRyan (780794) | more than 2 years ago | (#34964374)

Their coconut soap's fantastic.

Goes great with a bit of ice cream and grated dark chocolate.

Re:Yum (1)

uglyduckling (103926) | more than 2 years ago | (#34964452)

I have this problem too - on initial inspection, and smell from a distance, I would far rather eat most of their products. Once you get close and smell the soap, the feeling goes away. I'm thinking there's a market for a shop that sells actual foodstuffs modelled on some of the Lush products.

Re:Yum (1)

WarwickRyan (780794) | more than 2 years ago | (#34964536)

> I'm thinking there's a market for a shop that sells actual foodstuffs modelled on some of the Lush products.

Yeah, like speciality fudge or something.

Don't think that the ingredients are that different, either. Replace the oil with butter, and add a bit of sugar :)

Morals ... (1)

Martin S. (98249) | more than 2 years ago | (#34964652)

"We would like to offer you a job -- were it not for the fact that your morals are clearly not compatible with ours or our customers."

Are these the same morals that allow Lush to charge premium prices for what is essentially home-made soap [wikipedia.org]?

Re:Morals ... (2)

poity (465672) | more than 2 years ago | (#34965064)

I don't get it, how is charging premium prices a breach of morals? Do they have a soap monopoly?

Re:Morals ... (1)

Skidborg (1585365) | more than 3 years ago | (#34970804)

Restaurants charge a premium for what is essentially homemade food after all... if people are willing to pay for the convenience, why not let them?

Lush Should Sell on Amazon Instead (1)

CodeBuster (516420) | more than 2 years ago | (#34965486)

This example demonstrates precisely what can happen when a company which does not specialize in IT and the rigors of running a high traffic online storefront attempts to build same with an in-house crew or a band of hired consultants. Lush would have been much better off creating a storefront on Amazon and selling their products there. The readers of Slashdot will recall that Amazon threw off attempted DDOS attacks by Anonymous during the WikiLeaks affair without even breaking a sweat. My advice to Lush: go with Amazon and use their web services to connect your inventory control system to their storefront. If you had gone with Amazon, instead of trying to roll your own bubble gum and baling wire solution, then you would be faced with the happy problem of how to restock your inventory instead of explaining to ex-customers how they can get in touch with their bankers in order to limit the damage.

Missed the point (0)

Anonymous Coward | more than 2 years ago | (#34965986)

We would like to offer you a job — were it not for the fact that your morals are clearly not compatible with ours or our customers

Wow, this really shows that they missed the point, these people are obviously not interested in jobs since their current pursuit offers them more enjoyment/reward.

Own up already (1)

Suffering Bastard (194752) | more than 2 years ago | (#34966824)

It actually bothers me that they blame "oh noes teh hax0rz!!1!". As if there are all these evil hacker minions out there using their villainous technology to break in to sensitive systems. It's classic deflection of responsibility by generating fear of faceless bad guys.

Windows 2000/IIS? Storing cc numbers as plain text in your online database? If you're gonna lay down next to fire ants, don't cover yourself in honey.

Uhh.. Communication Error... (0)

Anonymous Coward | more than 2 years ago | (#34967072)

Might want to clarify the issue here. It is only the UK site affected. Lush.com has a message saying the North American online store is open and secure.

So, anyone in the USA who uses Lush can still shop securely.
