Penetration Testing mailing list archives
Re: reporting a web site breach
From: Jason <securitux () gmail com>
Date: Fri, 17 Oct 2008 19:00:25 -0400
Hi all. Jason, it is actually very shocking how the police will react to something like this. I have been working with several incidents involving a credit card breach, and the only way the police will get involved is if the credit card is used fraudulently. Actual theft of the data is not a concern, apparently. Nor is selling the data to a Russian website which sells stolen credit cards. At least that's my experience with law enforcement in the matter.

OK, with respect to reporting it to the media: although this gets into the whole argument of responsible disclosure vs. full disclosure, we don't live in an ideal world. The real reality is the company could come after you. You might be looked at as someone who did something malicious, and the word 'malicious' is all up to interpretation when it comes to security breaches. Just look at some of the news articles on people who have been sued / convicted successfully for doing things so minor that it was hardly worth the effort. And the US is all about sue, sue, sue. I don't know if you want to risk it, unless you are required by law to reveal this issue, as per Bob's comment. PCI is not a legal issue; it's a contractual obligation between a merchant and their acquiring bank. Privacy might be the angle you could play here, as that IS a legal issue.

If breached, they will be in a whole heap of trouble, that is for sure. Not only will they be HEAVILY fined, they will STILL have to become PCI compliant, and this time they will be audited rigorously at their expense for years to come. That being said, if their acquiring bank isn't requiring PCI compliance from them, the bank will be in trouble. I think you have done everything you can and more, like others have said, without sticking your own neck out too much. I wouldn't stick it out much further at the moment.

And yes, PCI SSC is just a standards organization and will not fine anyone; it is up to the merchant's acquiring bank to levy consequences on the merchant. If the bank doesn't require PCI compliance and there's a breach, the bank will get the fine from VISA, AMEX, etc. Part of the PCI requirements is that you must have 3rd party agreements with all merchants to be PCI compliant. Not having these agreements is a failure to be PCI compliant, and the bank will be nailed by the majors. In addition, a bank cannot just say "please be compliant" and that's it. They have to make sure the merchants are compliant. You can delegate the work, but you cannot delegate the responsibility. In addition, a fine can be levied at any point, whether by the merchant failing an audit, a breach taking place, the bank finding out the merchant has not held up to its agreement (if there is an agreement), etc.

-J

On Thu, Oct 16, 2008 at 8:01 AM, <jason_jones98 () hotmail com> wrote:
Hi Guys. I need some advice. I was using a web site to book a service (details withheld) and found that I could very easily browse thousands of customer details, i.e. name, address, phone numbers. The credit card details are masked, but I just viewed the source and the credit card details are cleartext, along with valid from, expiry and CVV number. I called the company last night to advise that they probably want to bring down their site and advise customers that their details have been potentially breached; basically they told me it would cost them too much money to go offline, and that was that! I then attempted to call Visa, MasterCard and the high tech crime unit, and none of them seem to have a process to report this type of event unless an actual crime has taken place. So, for my sanity, could someone advise me on the ethical steps I should take to try and protect those customers?

------------------------------------------------------------------------ This list is sponsored by: Cenzic Security Trends Report from Cenzic Stay Ahead of the Hacker Curve! Get the latest Q2 2008 Trends Report now www.cenzic.com/landing/trends-report ------------------------------------------------------------------------