
The all new and only slightly recycled off topic thread (read post 1)


Comments

  • Administrators Posts: 53,652 Admin ✭✭✭✭✭awec


    Trying to sleep the night before going back to work after two weeks off is going to be difficult.

    Two weeks of drinking, eating and staying up to stupid o'clock.

    Right now my body screams BEER and I'm screaming SLEEP. :D


  • Registered Users Posts: 30,308 Mod ✭✭✭✭.ak


    awec wrote: »
    Trying to sleep the night before going back to work after two weeks off is going to be difficult.

    Two weeks of drinking, eating and staying up to stupid o'clock.

    Right now my body screams BEER and I'm screaming SLEEP. :D

    Ditto. I've been sleeping in till 10 or 11 every day after a few beers... Gonna be hell tomorrow!


  • Moderators, Music Moderators Posts: 6,524 Mod ✭✭✭✭dregin




  • Registered Users Posts: 12,802 ✭✭✭✭mfceiling


    I've 3 gits to try and get up for school in the morning. They only went to sleep about 20 mins ago and are used to getting up at 9 every morning!! 7 bells will be good value in this house in the morning!!

    Seems that 1 has stayed awake, probably for the craic like. War in this gaff in the morning.


  • Registered Users Posts: 37,978 ✭✭✭✭irishbucsfan




  • Registered Users Posts: 30,308 Mod ✭✭✭✭.ak


    Amateur hour.


  • Administrators Posts: 53,652 Admin ✭✭✭✭✭awec



    Yea saw that earlier, real bad.

    17 months unfixed too, which is shocking. That's a priority 0 bug, the sort where you get people out of bed and turn things off until it's fixed.

    Also: they say your info has always been safe which is balls. They have no way of knowing if anyone else figured this out who instead of warning them used it to grab huge amounts of their data. All that person would have to do would be to stagger their requests so as not to show up on any monitoring that they presumably don't even have anyway.


  • Registered Users Posts: 30,308 Mod ✭✭✭✭.ak


    Well the issue there is it isn't a bug. It's a totally lazy way of trying to secure the access. You'd imagine because they got someone under qualified or in-house to do it and they're not willing to shell out to have someone re-build it from the ground up, nor pull the server access in the meantime as it'd accrue in loss of revenue.

    I'd say the equivalent of the DP guys over there would slap them with a heavy fine though, so you'd wonder if it's even worth that.


  • Administrators Posts: 53,652 Admin ✭✭✭✭✭awec


    There are legal standards that you have to adhere to if you store customer credit card data. There is a three letter acronym for it that I forget, but before you can legally store credit card data you have to have it.

    This sort of design would presumably not meet that criteria, or even close.


  • Registered Users Posts: 6,207 ✭✭✭durkadurka


    awec wrote: »
    There are legal standards that you have to adhere to if you store customer credit card data. There is a three letter acronym for it that I forget, but before you can legally store credit card data you have to have it.

    This sort of design would presumably not meet that criteria, or even close.

    PCI?


  • Administrators Posts: 53,652 Admin ✭✭✭✭✭awec


    durkadurka wrote: »
    PCI?

    YES! That's the one! :)


  • Registered Users Posts: 6,207 ✭✭✭durkadurka


    It's a pain in the neck but the reputational damage caused by a data leakage is nasty


  • Registered Users Posts: 37,978 ✭✭✭✭irishbucsfan


    PCI is a complete pain in the neck, it's completely arbitrarily accredited despite being fairly well defined, but at least it gives some basic guidelines. Would have been pretty useful if the Moonpig guys had been aware of it.

    I'd like to assume they kept the rest of the card details encrypted at least...


  • Registered Users Posts: 24,745 ✭✭✭✭molloyjh


    PCI is a complete pain in the neck, it's completely arbitrarily accredited despite being fairly well defined, but at least it gives some basic guidelines. Would have been pretty useful if the Moonpig guys had been aware of it.

    I'd like to assume they kept the rest of the card details encrypted at least...

    Yeah from reading it they have. You'll get nowhere with the last 4 digits. Sure credit card receipts generally have those too.

    What's most amusing is that technically that Moonpig tweet is accurate. The password information and card information are safe. Despite the fact that it's ridiculously poor data security. In other words "They can't get your password or your card number, but they can get pretty much everything else".

    It's also scary how lax a lot of companies are when it comes to data confidentiality. Most are well up on the financial stuff, but when it comes to contact details etc there are so many that don't even consider them in terms of data protection.


  • Administrators Posts: 53,652 Admin ✭✭✭✭✭awec


    Well, is your card information really safe if someone can place orders on your account?

    I mean, they can't get your full card number, but they can still spend your money!


  • Registered Users Posts: 37,978 ✭✭✭✭irishbucsfan


    molloyjh wrote: »
    Yeah from reading it they have. You'll get nowhere with the last 4 digits. Sure credit card receipts generally have those too.

    I'll stop you right there, you'll get everywhere with the information available. The customer IDs were sequential and all customer info was accessible by making API requests against the IDs.

    So all you need to do is create a script that will query the API consecutively adding 1 to the customer ID number each time, and save all of the output to a database. Then also query each of those customer ID numbers for the card info. You will then have a list of every customer in their database, including: Full Name, Residential Address, Email Address, Last 4 Card digits, Expiry Date of Card, Birthday, Anniversary.

    Then you have a huge amount of options (some basic social engineering will give you access to some email accounts for example...)
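    An added example (not code from this thread, nor Moonpig's own) showing the defect described in the post above: a lookup that checks the caller is logged in but trusts the customer ID in the request, next to the same lookup with an ownership check, plus a log check that counts how many other customers' records each client has pulled. The customer store, the log format and all values are constructed for illustration.

```python
"""Added example, not code from the thread or from Moonpig: the access-control
defect described above, the same lookup with object-level authorisation, and a
log check for clients reading other customers' records. All data is constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample store keyed by sequential integer customer IDs.
CUSTOMERS = {
    1001: {"name": "Alice Example", "email": "alice@example.invalid", "card_last4": "4242"},
    1002: {"name": "Bob Example", "email": "bob@example.invalid", "card_last4": "0005"},
}

@dataclass
class Session:
    customer_id: int  # the account the caller actually authenticated as

class Forbidden(Exception):
    pass

def get_customer_vulnerable(session, customer_id):
    """Broken pattern: authentication is checked, but the ID in the request is
    trusted, so any logged-in caller can read any other customer's record."""
    if session is None:
        raise Forbidden("login required")
    return CUSTOMERS[customer_id]

def get_customer_fixed(session, customer_id):
    """Object-level authorisation: the record must belong to the caller."""
    if session is None:
        raise Forbidden("login required")
    if customer_id != session.customer_id:
        raise Forbidden("not your record")
    return CUSTOMERS[customer_id]

# Hypothetical access-log format (constructed): the client address, the customer
# the session belongs to, and the customer ID that was requested.
LOG_RE = re.compile(r"client=(\S+) session_cust=(\d+) GET /api/customer/(\d+)")

def foreign_reads_per_client(log_lines):
    """Count distinct customer IDs each client read that were not its own.
    Counting distinct IDs over the whole window, rather than requests per
    second, still surfaces a scraper that staggers its requests."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group(2) != m.group(3):
            seen[m.group(1)].add(int(m.group(3)))
    return {client: len(ids) for client, ids in seen.items()}
```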


  • Closed Accounts Posts: 7,967 ✭✭✭Synode


    They could also use the last 4 numbers to try to access their email accounts etc. on other websites. Wasn't there a case a few years back where someone was hacked because the hacker got hold of the last 4 digits of their credit card and used it to reset their password on their mail account?

    Edit: Here it is https://medium.com/@N/how-i-lost-my-50-000-twitter-username-24eb09e026dd


  • Registered Users Posts: 24,745 ✭✭✭✭molloyjh


    I'll stop you right there, you'll get everywhere with the information available. The customer IDs were sequential and all customer info was accessible by making API requests against the IDs.

    So all you need to do is create a script that will query the API consecutively adding 1 to the customer ID number each time, and save all of the output to a database. Then also query each of those customer ID numbers for the card info. You will then have a list of every customer in their database, including: Full Name, Residential Address, Email Address, Last 4 Card digits, Expiry Date of Card, Birthday, Anniversary.

    Then you have a huge amount of options (some basic social engineering will give you access to some email accounts for example...)

    So in other words what I said. No password, no credit card number but pretty much everything else. :confused:


  • Registered Users Posts: 24,745 ✭✭✭✭molloyjh


    awec wrote: »
    Well, is your card information really safe if someone can place orders on your account?

    I mean, they can't get your full card number, but they can still spend your money!

    I don't think they can. There's no CVV information or anything like that there. The authorisation process would require more data and a valid session. The problem is getting access to everything else.

    It looks like they protected the really obvious stuff (passwords and detailed credit card info) and left everything else completely unprotected, including order history etc. That's how they are getting the last 4 digits of the card, it's stored on the order history.


  • Registered Users Posts: 37,978 ✭✭✭✭irishbucsfan


    molloyjh wrote: »
    So in other words what I said. No password, no credit card number but pretty much everything else. :confused:

    Yes but you'll get very far with the details available over the wire from their API. If someone had picked it up in time (and it would take me, and I'm nowhere near as quick as some, literally 15 minutes to write a script to do that) then it would be one of the biggest leaks I'm aware of. They have 3.6 million customers (although not all with cards on file) supposedly... Can only imagine what that sort of database would be worth on some corners of the web, and it's only safe to assume someone has that info somewhere now.


  • Registered Users Posts: 24,745 ✭✭✭✭molloyjh


    Yes but you'll get very far with the details available over the wire from their API. If someone had picked it up in time (and it would take me, and I'm nowhere near as quick as some, literally 15 minutes to write a script to do that) then it would be one of the biggest leaks I'm aware of. They have 3.6 million customers (although not all with cards on file) supposedly... Can only imagine what that sort of database would be worth on some corners of the web, and it's only safe to assume someone has that info somewhere now.

    Oh absolutely. That's exactly why I found the tweet so amusing. It was technically 100% accurate but managed to portray that nothing was wrong when in actual fact the whole thing was a total and utter shambles. The "get nowhere" bit in my post was only in relation to the point you made re the full card numbers being encrypted. They'd get nowhere on your card with the last 4 digits. Everything else though is a different matter entirely.

    I'm fairly sure I know how it happened too. And it's all down to a massive lack of appreciation of data protection as a whole. Far too many people think it's just about protecting passwords and financial data. Which is exactly what happened here from what I can tell. I've seen it happen a fair bit over the years.


  • Moderators, Music Moderators Posts: 6,524 Mod ✭✭✭✭dregin


    molloyjh wrote: »
    Yeah from reading it they have. You'll get nowhere with the last 4 digits. Sure credit card receipts generally have those too.

    What's most amusing is that technically that Moonpig tweet is accurate. The password information and card information are safe. Despite the fact that it's ridiculously poor data security. In other words "They can't get your password or your card number, but they can get pretty much everything else".

    It's also scary how lax a lot of companies are when it comes to data confidentiality. Most are well up on the financial stuff, but when it comes to contact details etc there are so many that don't even consider them in terms of data protection.

    The last 4 digits and a date of birth were all that were needed to gain access to apple accounts not that long ago.


  • Registered Users Posts: 37,978 ✭✭✭✭irishbucsfan


    dregin wrote: »
    The last 4 digits and a date of birth were all that were needed to gain access to apple accounts not that long ago.

    If you can guess the last 4 digits of an account on the phone to GoDaddy in about 50 attempts they'll give you everything :/


  • Administrators Posts: 53,652 Admin ✭✭✭✭✭awec


    If you can guess the last 4 digits of an account on the phone to GoDaddy in about 50 attempts they'll give you everything :/

    Yea but who actually uses GoDaddy? :D


  • Registered Users Posts: 24,745 ✭✭✭✭molloyjh


    Jaysus, it's worse than I thought so! What the hell are these companies thinking!?


  • Registered Users Posts: 37,978 ✭✭✭✭irishbucsfan


    molloyjh wrote: »
    Jaysus, it's worse than I thought so! What the hell are these companies thinking!?

    Unfortunately the average customer forgets everything they know every 30 seconds and complains when any authentication is required.


  • Registered Users Posts: 841 ✭✭✭Journeyman_1


    awec wrote: »
    Yea but who actually uses GoDaddy? :D

    People who want a domain and/or hosting :)

    Totally not me though, please don't hack me!


  • Registered Users Posts: 30,308 Mod ✭✭✭✭.ak


    Glad I never buy anyone cards, ever.


  • Registered Users Posts: 37,978 ✭✭✭✭irishbucsfan


    People who want a domain and/or hosting :)

    Totally not me though, please don't hack me!

    Their turnover on domains is absolute madness, $1.6b last reported I think it was.


  • Registered Users Posts: 12,802 ✭✭✭✭mfceiling


    I have absolutely no idea what you lads are on about...

    *la, la, la, la, la, la, la, la, la, la*


This discussion has been closed.