| 6:08 pm on Jul 28, 2009 (gmt 0)|
So much for the Network Solutions SiteSafe guarantee.
| 7:22 pm on Jul 28, 2009 (gmt 0)|
Appreciate posting this. I work for Network Solutions and the team across all levels within the organization has been working round the clock to promptly respond to customer concerns whether it involves using social media or any other resource. We are taking all the right measures to protect our E-commerce customers and minimize the impact of this issue on them.
We set up a website for affected merchants to see. Will post only if it's OK with admin.
| 7:41 pm on Jul 28, 2009 (gmt 0)|
All my accounts are with you, should I understand that if I was not notified then I am in a "better" shape?
| 7:53 pm on Jul 28, 2009 (gmt 0)|
That's correct. Transactions at Networksolutions.com were not impacted by this. I presume you have products such as domains, email accounts, hosting and online marketing which were not impacted by this event.
| 11:50 am on Jul 29, 2009 (gmt 0)|
Wow! That's a huge number of credit cards.
|"We really feel terribly about this," Wade said. "We store credit card data in an encrypted manner, and we are PCI (Payment Card Industry)-compliant. Unfortunately, any company operating in our business could have become a victim of this type of invasion," |
I'm not sure that's the best thing to say though. It didn't happen to any company - it happened to NS:
|It's unknown how the malicious code got onto the system and where it came from, Wade said. |
I'd suggest that rather than being a vulnerability that "could have just happened to anybody" a response like "we really badly messed up, we're trying really hard to fix it" would have been more appropriate.
| 3:22 pm on Jul 29, 2009 (gmt 0)|
|So much for the Network Solutions SiteSafe guarantee. |
At the end of the day, it's just another combination of words that any company can plaster across their site. Totally meaningless as shown by what's happened.
| 4:05 pm on Jul 29, 2009 (gmt 0)|
Thanks for the feedback. Of course we deeply regret this unfortunate incident and are doing whatever it takes to respond quickly and efficiently to our E-commerce customers who are affected.
| 11:27 pm on Jul 29, 2009 (gmt 0)|
Merchants should never see credit card numbers - all they should see is a unique code that is valid for a single merchant account and a single card. If the merchant's servers are hacked, no useful card data will be available - the worst that could happen would be that fraudulent purchases might be possible on that single merchant account.
Eventually, this will dawn upon someone at Visa or Mastercard and the problem will be solved, but until then, this will keep happening with almost monotonous regularity.
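Added example, not part of the original thread: a minimal sketch of the scheme described in the post above, where the merchant only ever holds a code bound to one merchant account and one card. The `Processor` class, its method names, the HMAC-based token format and the merchant IDs are all assumptions made for illustration, and the card number is a constructed test value.

```python
import hashlib
import hmac
import secrets


class Processor:
    """Hypothetical payment processor: it holds card numbers so merchants never do."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # secret key, never leaves the processor
        self._vault = {}                     # token -> (merchant_id, pan)

    def tokenize(self, merchant_id: str, pan: str) -> str:
        # Keyed hash over merchant + card gives one token per (merchant, card) pair.
        # The merchant id is length-prefixed so distinct pairs cannot collide.
        msg = f"{len(merchant_id)}:{merchant_id}:{pan}".encode()
        token = "tok_" + hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]
        self._vault[token] = (merchant_id, pan)
        return token

    def charge(self, merchant_id: str, token: str, amount_cents: int) -> bool:
        entry = self._vault.get(token)
        if entry is None:
            return False  # unknown or forged token
        owner, _pan = entry
        if owner != merchant_id:
            return False  # token is only honoured for the account it was issued to
        return amount_cents > 0


def demo():
    pan = "4111111111111111"  # constructed test card number, not a real account
    p = Processor()
    tok_a = p.tokenize("merchant-A", pan)
    tok_b = p.tokenize("merchant-B", pan)
    return {
        "distinct_per_merchant": tok_a != tok_b,
        "stable_for_same_pair": tok_a == p.tokenize("merchant-A", pan),
        "pan_absent_from_token": pan not in tok_a,
        "charge_at_issuing_merchant": p.charge("merchant-A", tok_a, 1999),
        "replay_at_other_merchant": p.charge("merchant-B", tok_a, 1999),
        "forged_token": p.charge("merchant-A", "tok_" + "0" * 32, 1999),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A token copied from merchant A's database is rejected when presented under any other merchant account, which is the containment property the post describes.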
| 4:31 am on Jul 30, 2009 (gmt 0)|
No, the sad part is Network Solutions put you and me at risk of more fraud! And guess who is going to pay for it?! You and me! The credit card companies could care less, I mean after all, WE are supposed to KNOW who is and isn't fraud. Right?!
Bad, Bad, Bad Network Solutions...you just introduced more fraud that is on our shoulders. Thank you, I really appreciate it!
| 3:09 pm on Jul 30, 2009 (gmt 0)|
The credit card companies allow a system that is vulnerable to human error to be used - blame them. As I outlined above, a system that would be more or less invulnerable to human error (by sellers) could be implemented with little difficulty.
| 3:54 pm on Jul 30, 2009 (gmt 0)|
I agree with Kaled. It is not necessary to store CC numbers for transactions, so why risk it?
| 1:17 pm on Jul 31, 2009 (gmt 0)|
It was my understanding the CC numbers were not stored, they were transmitted to a rogue server during the normal checkout.
So customer was on checkout page, enters CC and clicks submit. A nice little cross site scripting planted simply says "oh yeah, send all the data to rogueserver.com as well".
So with an attack like that, it wouldn't matter if it was stored or not. However, that makes me wonder why the checkout wasn't on SSL ... if on SSL then the XSS would have been of little use as the data being sent would have been encrypted.
| 2:29 pm on Jul 31, 2009 (gmt 0)|
It is very tough when the scum of the earth criminals are targeting you.
The last month has been tough for some of the established brands in payment processing -- almost as bad as the years of the DDoS like 2004 where Worldpay etc were targeted. I mean the day outage for Authorize.net, etc.
Now we hear of this noticed in June by Netsol.
But Netsol are not endearing themselves to merchants by that letter they sent where it looked like the merchant was at fault -- at least it was very unclear.
Netsol should hang their head in shame on that one. This is exactly not how to handle communication and they can kiss goodbye to many merchants because of it.
The breach was bad enough but that was just the straw for many who have spent their time paying the fairly hefty costs of the service for so long.
| 2:34 pm on Jul 31, 2009 (gmt 0)|
|Eventually, this will dawn upon someone at Visa or Mastercard and the problem will be solved, but until then, this will keep happening with almost monotonous regularity. |
The card associations are very much aware of how to fix this. But the simple fact is that the card issuers make good money out of chargeback fees and pushing the liability shift onto online merchants for fraud.
They are the most powerful in the card systems so this is not going to change until cardholding customers really push hard for a charge. As they are not liable for fraud above $50 I think sadly it will be a snowball in hell's chance.
In the meantime the criminals keep on getting fatter. And even terrorists if we are to believe some reports about who profits from stolen carding.
| 2:38 pm on Jul 31, 2009 (gmt 0)|
The letter got finalized just yesterday. We collected all the feedback from the affected customers and changed the letters incorporating the feedback. If you Google careandprotect you can see the dialog between our customers and us.