"we feel very badly"
I suggest they take off their mitts.
A breach at Network Solutions has exposed details for more than 500,000 credit and debit cards after hackers penetrated a system it used to deliver e-commerce services and planted software that diverted transactions to a rogue server, the hosting company said late Friday. The unauthorized software was in place from March 12 to …
But my browser says the site is secure, it has a padlock on it and everything!
Maybe now people will start to think about the security of their payment providers rather than just worrying if they have a stupidly expensive 256-bit SSL certificate.
Also, after the smallest bit of searching I see that Network Solutions claim to be fully PCI compliant.
http://ecommerce.networksolutions.com/CISP-PCI-Compliance.asp
I always said PCI was just a licence to print money, what a complete joke.
The banks should put them out of business.
"We have been working around the clock to get this announcement ready"
How about working round the clock to actually do something useful, like, I dunno, maybe some network admin, IDS, you know, that boring stuff!
It's not so much the fact that their servers were owned that I find shocking, it's that they were owned for 3 months!
This story has got me thinking... As we are a small e-shop - what happens to the e-tailer when card details are exposed in a manner beyond the e-tailer's control?
Is there a liability insurance scheme which can cover this situation?
What if for instance a crooked person inside your server's ISP is diverting card info from your site and since he/she has full root can mask herself .. leaving just the e-tailer to point the finger at???
I think an article on these lines would be warranted - examine all the kinds of ways theft of cc data can be exposed and what liabilities there are etc....
PCI really is a joke. Current client has an official PCI compliance certificate, obtained from one of the poor sods who paid at least $20k+$10k/yr for the "right" to issue said certificates, yet his security is utterly laughable (it's what I was hired to fix).
PCI compliance is a scam, a ruse, a fucking bad joke.
The reasoning is that if they make clients jump through one more hoop, they might lose either/both client/sale%. Thus, things remain as is...
What I think would be a better way, would be to FORCE them all to provide a REALLY SAFE process as an alternative. That way anyone that cared more for safety could take a safe route, others the "fast and easy" way.
Anyway, just another nice example of how some biz sectors seem to be exempt from any checks at all...
If any of these details were to be misused the bad rep would land squarely on the shoulders of the retailer using NS' services. Sure, it isn't their fault - but if you use a company and then your card details are used to buy laptops in Nigeria you're unlikely to ever use that company again - so this situation could have been much much worse.
All credit cards should be re-issued with a "secure id" built in. That way, even if numbers are taken, you won't be able to use it. The secure id changes every 60 seconds or so, it's just one more layer but it is very effective. I used to use these at work and it's pretty foolproof. An added pain, but one worth the effort.