
(C|Net) [Fail] Zappos data accessed in security breach by hackers. Info on 24 million customers at risk of being resoled (news.cnet.com)
More: Fail, Zappos, Lesley Stahl, CNET, hackers  

908 clicks; posted to Business on 16 Jan 2012 at 10:34 AM



28 Comments
 
2012-01-16 10:36:55 AM
So... what can be done with my data that hasn't been updated since I bought a pair of Doc Martin's in 2006?
 
2012-01-16 10:51:12 AM
Do you mean to tell me these hackers will know my address and shoe size? Oh the horror.
 
2012-01-16 11:02:23 AM
My feet are weird, I have a hard time buying shoes, so ordering shoes online really doesn't work for me.
 
2012-01-16 11:09:38 AM
After having just had to cancel my credit card yesterday, I'm getting a good laugh...

5 - $125 charges to my account in 4 hours. All supposedly from a WaaWaa (gas station / convenience store).

Soccer club had their stuff stolen somehow. Second time in 4 months. I do believe I'll be using cash when dealing with them from now on.
 
2012-01-16 11:24:03 AM
wildcardjack: So... what can be done with my data that hasn't been updated since I bought a pair of Doc Martin's in 2006?

They have your credit card number as well.

/encryption - if they did it badly, it may be easily broken.
 
2012-01-16 11:26:09 AM
wildcardjack: So... what can be done with my data that hasn't been updated since I bought a pair of Doc Martin's in 2006?

Doesn't take a hacker to tell you're a lesbo.

/NTTAWWT
 
2012-01-16 11:30:27 AM
mcreadyblue: wildcardjack: So... what can be done with my data that hasn't been updated since I bought a pair of Doc Martin's in 2006?

They have your credit card number as well.

/encryption - if they did it badly, it may be easily broken.


Zappos was supposedly using tokenization so they just have the last 4 of your CC number. The whole number was in another db and encrypted, that db was supposedly not touched.
 
2012-01-16 12:25:27 PM
DoBeDoBeDo: mcreadyblue: wildcardjack: So... what can be done with my data that hasn't been updated since I bought a pair of Doc Martin's in 2006?

They have your credit card number as well.

/encryption - if they did it badly, it may be easily broken.

Zappos was supposedly using tokenization so they just have the last 4 of your CC number. The whole number was in another db and encrypted, that db was supposedly not touched.


Still, losing fname, lname, email, and address is embarrassing.
 
2012-01-16 12:33:52 PM
I was checking the email that I use for junk mail and ordering stuff this morning and had about 70 friend requests from Facebook. Difficulty, I don't have any Facebook account at all. Apparently somebody had signed up for a Facebook account using that email address as the username. I was scratching my head trying to figure out WTF happened when I saw the email from Zappos explaining the security breach.
 
2012-01-16 12:42:50 PM
ongbok: I was checking the email that I use for junk mail and ordering stuff this morning and had about 70 friend requests from Facebook. Difficulty, I don't have any Facebook account at all. Apparently somebody had signed up for a Facebook account using that email address as the username. I was scratching my head trying to figure out WTF happened when I saw the email from Zappos explaining the security breach.

That's weird. Why use an email address you can't verify? All you have to do is request a password reset to cut them off. Easy enough to generate fake addresses.
 
2012-01-16 12:54:22 PM
foo monkey: ongbok: I was checking the email that I use for junk mail and ordering stuff this morning and had about 70 friend requests from Facebook. Difficulty, I don't have any Facebook account at all. Apparently somebody had signed up for a Facebook account using that email address as the username. I was scratching my head trying to figure out WTF happened when I saw the email from Zappos explaining the security breach.

That's weird. Why use an email address you can't verify? All you have to do is request a password reset to cut them off. Easy enough to generate fake addresses.


That's what I was wondering as I first found the fake account and had it removed and when I found the email from Zappos explaining what had happened. It was probably some kids that got this and used the fake Facebook pages to harass other people that they didn't like, because all of the friend requests and messages that came into my email looked like they were from teens. Unless it was some Chester trying to pick up teens using fake Facebook accounts..
 
2012-01-16 12:55:29 PM
Damnit, I just bought a new pair of shoes from Zappos last week!

I don't typically like buying shoes without trying them on, but it's just really hard to find a good selection of shoes anymore. Footlocker and Finishline are worthless. Since Zappos has free returns, if I'm buying a brand I'm familiar with, I am comfortable giving it a go.
 
2012-01-16 12:59:33 PM
The servers are located in Kentucky? Smells kinda Drewish.
 
2012-01-16 01:01:46 PM
I only buy my shoes from places that offer Cinderella coverage. You know, if you lose one of your shoes at a ball before midnight, they'll send out a guy to find you if they find the shoe.
 
2012-01-16 01:15:29 PM
foo monkey:

Zappos was supposedly using tokenization so they just have the last 4 of your CC number. The whole number was in another db and encrypted, that db was supposedly not touched.

Still, losing fname, lname, email, and address is embarrassing.


No doubt, it's a blemish as far as customer loyalty goes but it could have been much worse. I'd wager that at least 50% of those customers have all of that info searchable on facebook right now anyway.
 
2012-01-16 01:26:34 PM
wildcardjack: So... what can be done with my data that hasn't been updated since I bought a pair of Doc Martin's in 2006?

If I have the names and e-mail addresses of Zappos customers, I can take advantage of the incident and its coverage to launch a phishing campaign ("Click here to reset your password!" "We here at Zappos feel really bad and are giving victims of the breach 50% off their next order; click here!"). Depending on whether and how they secured their password/hash database, I can use recovered passwords to attempt logins with other online vendors since many people reuse passwords.
 
2012-01-16 01:31:31 PM
Twice Banned: The servers are located in Kentucky? Smells kinda Drewish.

Well, Drewish princesses do buy a lot of shoes...
 
2012-01-16 01:54:17 PM
This is a shame. I've always loved their potato chips!
 
2012-01-16 02:40:53 PM
Well, crap. I use Zappos since I'm a size 13 and it's never easy to find shoes that I like in my size if I go to a store. This is literally the first negative thing that's happened in the whole time I've been using them. Haven't had any problem yet though.

/knocking on wood
 
2012-01-16 02:59:47 PM
This is why I hate companies that fail to offer a "Don't save this credit card number" option. I realize that they do save in some form because they have to keep a record of their business. However I assume that server can only be accessed via the company intranet and thus is harder to get at.

/I likely delude myself
 
2012-01-16 03:16:35 PM
foo monkey: Still, losing fname, lname, email, and address is embarrassing.

Definitely reputational risk. But still - how much does an online shoe company really have in the way of reputation to begin with?
 
2012-01-16 03:22:30 PM
FreakinB: Well, crap. I use Zappos since I'm a size 13 and it's never easy to find shoes that I like in my size if I go to a store. This is literally the first negative thing that's happened in the whole time I've been using them. Haven't had any problem yet though.

/knocking on wood


JC Penney's online has some pretty good prices and selections. There's a place out of Chicago I used to walk to, Alamo Shoes, that is sometimes on eBay with some of its inventory.

/wearing 15s now
 
2012-01-16 03:29:19 PM
ha-ha-guy: This is why I hate companies that fail to offer a "Don't save this credit card number" option. I realize that they do save in some form because they have to keep a record of their business. However I assume that server can only be accessed via the company intranet and thus is harder to get at.

/I likely delude myself


No, what happens is they keep a hash of the credit card number, the timestamp, and a transaction number. You can't pull that number apart in order to get the CC number (maybe the NSA can, but you can't).
 
2012-01-16 03:35:18 PM
ha-ha-guy: This is why I hate companies that fail to offer a "Don't save this credit card number" option. I realize that they do save in some form because they have to keep a record of their business. However I assume that server can only be accessed via the company intranet and thus is harder to get at.

/I likely delude myself


"Don't save this number" should be the default; merchants need to adopt an opt-in approach. And they don't *need* to save any of the credit card information; it's done for convenience for them and the customer, for repeat business and if there is a complaint. There are also ways (such as the aforementioned token method) to do it so that merchants aren't the ones actually storing the information. And being accessible via the company intranet only goes so far; if I can compromise one of their employees' workstations, I'm on their intranet. That's not to say it's useless, but there is the whole "weak link" thing at play. Ideally, their cardholder data environment would not be directly accessible from any standard workstation but rather from an isolated subnet of dedicated workstations.

Of course, the ideal situation (from a security standpoint) would be to not store any of that information to begin with. You can't lose it if you don't have it. But the risk analysis often says that the opportunity cost of lost business from not making it more convenient for your customer to buy stuff via a one-click option is greater than the cost of securing the data and/or responding to a breach. It's only when a breach finally happens that you know how good your risk analysis was.

And the vast majority of security breaches are not a failure of technology, it's a failure of people to implement good processes (both Plan As and Plan Bs) or to follow through on them. "End users" are usually the scapegoats, but it's often the people who create and enforce processes who are to blame because they don't take reality into account. Security measures are often designed, implemented and/or enforced to make auditors or regulators happy, regardless of how effective they are in actually accomplishing the stated goal. My go-to example on that one is the "force passwords to expire every X days" policy which won't go away regardless of how many times it's proven to be not only ineffective but actually counterproductive.
 
2012-01-16 05:17:07 PM
was it wrong to play maplestory on the db server?
 
2012-01-16 06:45:41 PM
/lost what?
 
2012-01-17 01:34:14 AM
Dinobot: My feet are weird, I have a hard time buying shoes, so ordering shoes online really doesnt work for me.

Zappos is perfect for you. Free shipping both ways and they generally upgrade your order to free overnight shipping. I usually try a pair on of the brand I'm ordering at a local store and then buy from Zappos. That way I have fewer returns. Very hard to find anything other than athletic shoes in size 14 locally.
 
2012-01-17 07:20:23 AM
These kinds of breaches tend to expand over time as they realize what the hacker was able to get to.

I wouldn't count on them not having the credit card info, or that they didn't sit there on the servers for years collecting information.
 
Displayed 28 of 28 comments
