homepage Welcome to WebmasterWorld Guest from 54.166.96.101
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Pubcon Platinum Sponsor 2014
Home / Forums Index / WebmasterWorld / Ecommerce
Forum Library, Charter, Moderators: buckworks

Ecommerce Forum

    
Network Solutions Investigates Possible Credit Card Data Theft
engine

WebmasterWorld Administrator engine us a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month



 
Msg#: 3961129 posted 4:48 pm on Jul 28, 2009 (gmt 0)

Network Solutions Investigates Possible Credit Card Data Theft [news.cnet.com]
Network Solutions is investigating a breach on its servers that may have led to the theft of credit card data of 573,928 people who made purchases on Web sites hosted by the company.

Networks Solutions notified 4,343 of its nearly 10,000 e-commerce merchant customers on Friday about the breach. It affects 573,928 cardholders whose name, address, and credit card number were exposed between March 12 and June 8, said Susan Wade, a spokeswoman for Network Solutions.
"So we notified law enforcement and began the process of notifying our customers," Wade said. "At this point, we don't have a reason to believe that (the data) has been used, but we are working with the credit card companies," nonetheless.


 

rachel123

5+ Year Member



 
Msg#: 3961129 posted 6:08 pm on Jul 28, 2009 (gmt 0)

WOW.

So much for the Network Solutions SiteSafe guarantee.

shman

10+ Year Member



 
Msg#: 3961129 posted 7:22 pm on Jul 28, 2009 (gmt 0)

Hi Engine,

Appreciate posting this. I work for Network Solutions and the team across all levels within the organization has been working round the clock to promptly respond to customer concerns whether it involves using social media or any other resource. We are taking all the right measures to protect our E-commerce customers and minimize the impact of this issue on them

We setup a website for affected merchants to see. Will post only if its ok with admin

Thanks,

Shashi

henry0

WebmasterWorld Senior Member henry0 us a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 3961129 posted 7:41 pm on Jul 28, 2009 (gmt 0)

Shashi,
All my accounts are with you, should I understand that if I was not notified then I am in a "better" shape.
Thanks

shman

10+ Year Member



 
Msg#: 3961129 posted 7:53 pm on Jul 28, 2009 (gmt 0)

Henry0,

Thats correct. Transactions at Networksolutions.com were not impacted by this. I presume you have products such as domains, email accounts, hosting and online marketing which were not impacted by this event.

Thanks,

Shashi

jamiembrown

5+ Year Member



 
Msg#: 3961129 posted 11:50 am on Jul 29, 2009 (gmt 0)

Wow! That's a huge number of credit cards.

"We really feel terribly about this," Wade said. "We store credit card data in an encrypted manner, and we are PCI (Payment Card Industry)-compliant. Unfortunately, any company operating in our business could have become a victim of this type of invasion,"

I'm not sure that's the best thing to say though. It didn't happen to any company - it happened to NS:

It's unknown how the malicious code got onto the system and where it came from, Wade said.

I'd suggest that rather than being a vulnerability that "could have just happened to anybody" a response like "we really badly messed up, we're trying really hard to fix it" would have been more appropriate.

esllou

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 3961129 posted 3:22 pm on Jul 29, 2009 (gmt 0)

So much for the Network Solutions SiteSafe guarantee.

at the end of the day, it's just another combination of words that any company can plaster across their site. Totally meaningless as shown by what's happened.

shman

10+ Year Member



 
Msg#: 3961129 posted 4:05 pm on Jul 29, 2009 (gmt 0)

jamiebrown,

Thanks for the feedback. of course we deeply regret this unfortunate incident and are doing whatever it takes to respond quickly and efficiently to our E-commerce customers who are affected.

Thanks,

Shashi

kaled

WebmasterWorld Senior Member kaled us a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 3961129 posted 11:27 pm on Jul 29, 2009 (gmt 0)

Merchants should never see credit card numbers - all they should see is a unique code that is valid for a single merchant account and a single card. If the merchant's servers are hacked, no useful card data will be available - the worst that could happen would be that fraudulent purchases might be possible on that single merchant account.

Eventually, this will dawn upon someone at Visa or Mastercard and the problem will be solved, but until then, this will keep happening with almost monotonous regularity.

Kaled.

MLHmptn

10+ Year Member



 
Msg#: 3961129 posted 4:31 am on Jul 30, 2009 (gmt 0)

No the sad part is Network Solutions put you and me at risk of more fraud! And guess who is going to pay for it?! You and me! The credit card companies could care less, I mean after all, WE are supposed to KNOW who is and isn't fraud. Right?!

Bad, Bad, Bad Network Solutions...you just introduced more fraud that is on our shoulders. Thank you, I really appreciate it!

kaled

WebmasterWorld Senior Member kaled us a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 3961129 posted 3:09 pm on Jul 30, 2009 (gmt 0)

The credit card companies allow a system that is vulnerable to human error to be used - blame them. As I outlined above, a system that would be more or less invulnerable to human error (by sellers) could be implemented with little difficulty.

Kaled.

kapow

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 3961129 posted 3:54 pm on Jul 30, 2009 (gmt 0)

I agree with Kaled. It is not necessary to store CC numbers for transactions, so why risk it?

ssgumby

5+ Year Member



 
Msg#: 3961129 posted 1:17 pm on Jul 31, 2009 (gmt 0)

It was my understanding the CC numbers were not stored, they were transmitted to a rogue server during the normal checkout.

So customer was on checkout page, enters CC and clicks submit. I nice little cross site scripting planted simply says "oh yeah, send all the data to rogueserver.com as well".

So with an attack like that, it wouldnt matter if it was stored or not. However, that makes me wonder why the checkout wasnt on SSL .. if on SSL then the XSS would have been of little use as the data being sent would have been encrypted.

card_demon

5+ Year Member



 
Msg#: 3961129 posted 2:29 pm on Jul 31, 2009 (gmt 0)

It is very tough when the scum of the earth criminals are targetting you.

Over the last month has been tough for some of the established brands in payment processing -- almost as bad as the years of the DDOS like 2004 where Worldpay etc were targetted. I mean the day outage for Authorize.net, etc.

Now we hear of this noticed in June by Netsol.

But Netsol are not endearing themselves to merchants by that letter they sent where it looked like the merchant was at fault -- at least it was very unclear.

Netsol should hang their head in shame on that one.. This is exactly not how to handle communication and they can kiss good bye to many merchants because of it.

The breach was bad enough but that was just the straw for many who have spent their time paying the fairly hefty costs of the service for so long.

card_demon

5+ Year Member



 
Msg#: 3961129 posted 2:34 pm on Jul 31, 2009 (gmt 0)

kaled wrote:
Eventually, this will dawn upon someone at Visa or Mastercard and the problem will be solved, but until then, this will keep happening with almost monotonous regularity.

The card associations are very much aware of how to fix this. But the simple fact is that the card issuers make good money out of chargeback fees and pushing the liaiblity shift onto online merchants for fraud.

They are the most powerful in the card systems so this is not going to change until cardholding customers really push hard for a charge. As they are not liable for fraud above $50 I think sadly it will be a snow ball in hells chance.

In the meantime the criminals keep on getting fatter. And even terrorists if we are to believe some reports about who profits from stolen carding.

shman

10+ Year Member



 
Msg#: 3961129 posted 2:38 pm on Jul 31, 2009 (gmt 0)

Hi Folks,

The letter got finalized just yesterday. We collected all the feedback from the affected customers and changed the letters incorporating the feedback. If you Google careandprotect you can see the dialog between our customers and us.

Thanks,

Shashi

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / WebmasterWorld / Ecommerce
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved