Roboticsonline.com customer orders compromised
Technorati Tag: Security Breach
Date Reported:
12/20/07 (backdated from writing of 1/4/08)
Organization:
Robotic Industries Association
Contractor/Consultant/Branch:
internet4associations.com
Victims:
Online customers
Number Affected:
Unknown*
*There are seven (7) affected individuals residing in New Hampshire according to the breach notification
Types of Data:
Names, addresses, telephone numbers, email addresses, credit card numbers, expiration dates, and possible Card Security Codes (CSCs)
Breach Description:
On or around December 10th, 2007 a "computer hacker" gained unauthorized access to the administration pages of the roboticsonline.com web site and as a result gained access to online customer orders, including credit card information.
Reference URL:
The New Hampshire State Attorney General breach notification
Report Credit:
The New Hampshire State Attorney General
Response:
From the official New Hampshire breach notification and letter sent to affected individuals:
On or around December 10, 2007, credit card information was compromised by a computer hacker that gained access to the association's secure administration site for Robotics Online.
The hacker was able to login to our administration site using a password-cracking program or by making many guesses at the password to gain access to the website.
[Evan] Password cracking is really not feasible for most attackers unless weak passwords are used. Using a weak (and worse yet, default) password would be a big NO NO on the administration portion of an ecommerce site. If the administrator of the site is using a strong password, then it seems more likely that the attacker exploited a vulnerability in software. The www.roboticsonline.com web site is running Windows 2000 and IIS, both of which need to be hardened and patched.
Once access was accomplished, the hacker viewed individual orders, which contained credit card information.
Within hours of learning of this, site protection was reinforced.
We have notified the Michigan state police, the FBI and the consumer reporting agencies.
We have deleted all credit card information from our administration sites.
[Evan] A great idea, but reactive.
We are currently not accepting online credit card transactions, but expect to restore that functionality in the near future.
[Evan] Roboticsonline.com is now accepting credit cards.

The developer and host of our websites is in the process of establishing stricter administration login policies and procedures for our administration sites.
[Evan] Judging from IP address and Whois information, the hosting company is "internet4associations.com"
To protect yourself from the possibility of identity theft, we recommend that you immediately contact your credit card provider and close your account. Tell them that your account may have been compromised. If you want to open a new account, ask them to give you a PIN or password.
[Evan] Tell them that the account WAS compromised. If there is no reasonable assurance that the confidentiality or integrity of the information is intact, then the information was/is compromised.
We're very sorry for the inconvenience this has caused and assure you that we are working diligently to prevent future attacks on our Web site.
If you have additional questions, please call First Advantage Membership Services, who is assisting Robotic Industries Association with answering your inquiries. They can be reached toll-free at 1-
Commentary:
A strong password, one that mixes upper- and lowercase letters, digits and special characters, is longer than 8 characters and isn't built from dictionary words, takes one helluva long time to crack (many years). A weak password can be broken almost instantly. Note also that the letter describes guessing against the live admin login page, not cracking a stolen password hash: online guessing is far slower than offline cracking, and a burst of failed logins against an admin page should have been stopped cold by account lockout or throttling. So either the admin was using a weak password, or the site was compromised in another manner, such as a vulnerability in the software.
Either way, it is sad when a company collects money online, but doesn't know how to secure the information. I seriously doubt that roboticsonline.com is VISA/PCI DSS compliant, not that this is the holy grail.
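Whichever way the attacker got in, the letter's own description (many guesses at the admin password, then a successful login) leaves a pattern in the web server log that the host should have been watching for. The script below is an added example, not code from roboticsonline.com, internet4associations.com or the notification; it parses constructed IIS W3C extended log lines (the site runs IIS, but these lines are made up, and the login path `/admin/login.asp`, the 401-for-failure and 302-for-success status mapping, the window and the threshold are all assumptions about a hypothetical application) and flags any client IP that racks up a burst of failed POSTs to the login page, noting whether a success followed the burst, which is the signature of a guessed password.

```python
"""Detect password guessing against an admin login in IIS W3C extended logs.

Added example; the log content, login path and status mapping are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_PATH = "/admin/login.asp"   # assumed path of the hypothetical admin login
FAIL_STATUSES = {401, 403}        # assumed: credentials rejected
SUCCESS_STATUSES = {302}          # assumed: redirect into the admin area after login
WINDOW = timedelta(minutes=5)     # sliding window for counting failures
THRESHOLD = 10                    # failures per IP inside WINDOW that count as guessing

HEADER = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2007-12-10 02:00:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)"""


def build_sample_log():
    """Constructed sample traffic (not a real log): one ordinary visitor, one
    admin who mistypes once, and one client that guesses until it gets in."""
    lines = [HEADER]
    t0 = datetime(2007, 12, 10, 2, 0, 0)

    def line(t, ip, method, path, status):
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} {ip} {method} {path} {status} Mozilla/4.0")

    line(t0, "198.51.100.10", "GET", "/index.asp", 200)
    line(t0 + timedelta(seconds=5), "198.51.100.20", "POST", LOGIN_PATH, 401)
    line(t0 + timedelta(seconds=20), "198.51.100.20", "POST", LOGIN_PATH, 302)
    for i in range(40):  # 40 failures in 80 seconds, then a successful login
        line(t0 + timedelta(minutes=1, seconds=2 * i), "203.0.113.7", "POST", LOGIN_PATH, 401)
    line(t0 + timedelta(minutes=2, seconds=30), "203.0.113.7", "POST", LOGIN_PATH, 302)
    line(t0 + timedelta(minutes=2, seconds=40), "203.0.113.7", "GET", "/admin/orders.asp", 200)
    return "\n".join(lines) + "\n"


def parse_iis_w3c(text):
    """Parse W3C extended format: '#Fields:' names the columns, other '#'
    lines are directives. Returns one dict per data line keyed by field name."""
    fields, records = None, []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#"):
            if raw.startswith("#Fields:"):
                fields = raw[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = raw.split(None, len(fields) - 1)  # last field may contain spaces
        if len(values) != len(fields):
            continue  # truncated line: skip it rather than crash the whole run
        records.append(dict(zip(fields, values)))
    return records


def detect_guessing(records, login_path=LOGIN_PATH, window=WINDOW, threshold=THRESHOLD):
    """Per client IP, count failed POSTs to the login page inside a sliding
    window; report IPs that exceed the threshold and whether a success followed."""
    per_ip = defaultdict(list)
    for r in records:
        if r.get("cs-uri-stem") != login_path or r.get("cs-method") != "POST":
            continue
        when = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        status = int(r["sc-status"])
        if status in FAIL_STATUSES:
            per_ip[r["c-ip"]].append((when, "fail"))
        elif status in SUCCESS_STATUSES:
            per_ip[r["c-ip"]].append((when, "ok"))

    findings = []
    for ip, events in per_ip.items():
        events.sort()
        recent = []  # timestamps of failures still inside the window
        peak, success_after_burst = 0, None
        for when, kind in events:
            recent = [t for t in recent if when - t <= window]
            if kind == "fail":
                recent.append(when)
                peak = max(peak, len(recent))
            elif len(recent) >= threshold:
                success_after_burst = when  # logged in right after a burst of failures
        if peak >= threshold:
            findings.append({"ip": ip, "peak_failures": peak,
                             "success_after_burst": success_after_burst})
    return findings


if __name__ == "__main__":
    for finding in detect_guessing(parse_iis_w3c(build_sample_log())):
        print(finding)
```

Run as-is it prints one finding for 203.0.113.7 (40 failures in the window, success at 02:02:30) and nothing for the admin who mistyped once. The same logic works on a real IIS log file once the `#Fields:` line, login path and status codes match the application; a success right after a burst is the alert to page someone for, since it means the guessing worked.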
Past Breaches:
Unknown