Hackers crack A&B site

[InfoSec News <isn () c4i org>]

http://www.vancouversun.com/newsite/business/010519/5020497.html

Gillian Shaw 
Vancouver Sun 
Saturday 19 May 2001

Internet shoppers surfing A&B Sound's online store early Friday were
surprised to find customer names, credit-card numbers and expiry dates
on the Web site before the company discovered the security breach and
shut it down.

The breach affected only shoppers with outstanding orders at the
online store. A&B Sound was contacting those customers Friday, warning
them to contact their credit-card issuer. Customers at the company's
regular retail outlets were not affected.

A & B Sound representative Tim Howley said his company and police are
investigating the breach, which was thought to have occurred in the
early hours of Friday morning. He said the company doesn't yet know
where the hacker originated or how security was compromised.

"We want to assure people we're full steam ahead on an investigation
and we're taking it very seriously," Howley said.

Reading from a press release, he said:

"A&B has reason to believe that credit-card information belonging to
customers who had open, unprocessed orders on the Web site may have
been obtained, and unauthorized use of that information may have
occurred. www.absound.ca was immediately shut down by A&B Sound
pending an internal and police investigation.

"A&B Sound emphasizes thebreach is limited to open, unprocessed online
orders and that the security of credit-card information belonging to
its retail-store customers has not been affected in any way."

Howley said the Web site, which sells only movies and CDs, accounts
for only one per cent of the company's retail sales. He said he
wouldn't know the number of credit cards affected by the breach until
the investigation is complete.

Valerie MacLean, vice-president of consumer affairs at the Better
Business Bureau of Mainland B.C., said credit-card consumers shouldn't
panic.

"In a situation like this where the security of a Web site has been
compromised, if someone gets your credit-card information, the
credit-card company will be responsible for it, not the consumer," she
said. "I wouldn't over-react. Go to your credit-card company, tell
them what has happened and get a new card.

"You're not responsible for any fraudulent transactions on your
account."

MacLean said despite the inconvenience of such incidents as Friday's
security breach at the A&B site, credit cards are still the best
method of payment.

"You are protected from fraudulent transactions and have the
protection of a charge-back provision in your card-holder agreement if
you don't receive the goods or services within a prescribed period of
time," she said.

"It is certainly unsettling and inconvenient when something like this
happens, but you won't lose money."

MacLean also recommended consumers use one credit-card for all online
transactions, with a low limit as an extra precaution.

Major credit-card companies said Friday they had not yet heard from
A&B Sound customers, but newsgroups on the Internet were abuzz with
subscribers worried their credit-card information may have been
released online.




ISN is hosted by SecurityFocus.com
---
To unsubscribe email isn-unsubscribe () SecurityFocus com.