Fun Publications / TFCC Security Update

El Duque wrote:Fun Publications/TFCC have issued the following update regarding their recent security issues.

Here is the latest update on the credit card security investigation.

The firm we have hired to analyze our former ecommerce server and software has preliminarily determined that we did incur a SQL injection code attack sometime before Christmas. Our ISP did have a commercial product installed that was supposed to defeat these types of attacks, but apparently it failed.

This allowed the hackers access to our order information. While it is still unknown exactly what data they were able to harvest (investigation continues) we need to assume that they were able to extract all of our order information. The security firm thinks that this attack has allowed the hackers to come back periodically and harvest more information. However, once the old server was taken out of service (around February 21st) there was nothing left for them to access.

Once this information was stolen, (no matter if it was back before Christmas) there is no time frame as to when the thieves may sell or try to use the information to purport credit card theft.

What does this mean to me?

We are asking again that anyone who has used a credit card in our old online systems in the past year (NOT THE NEW STORE) to get your card replaced immediately. If you have done this already, there is no action required on your part.

We apologize for the inconvenience, we know this whole thing is a pain, but it is better to replace the cards than have to deal with any issues that may result from this theft of data. Even though the amount of fraud has greatly declined, we are still receiving a customer report every few days of someone else (who hasn’t replaced their cards) getting hit. We strongly encourage you to take this step immediately if you have not done so already. Again, this DOES NOT pertain to any cards that have been used in the new store.

What is the plan?

We are still working on all of the issues and are several weeks away from a final resolution. Our new store is currently offline while we complete the entries and audit the data from the renewals we received last week. Just to reiterate, this new store is a totally different piece of software, at a totally different hosting site. There are hundreds of other retailers using this same software as it is hosted by the software creators.

We hope to have the store online and registration system back online sometime next week. When the store comes back online, we will be adding products slowly so it will take some time to have everything back in the store.

Thank you for your patience and support during this trying issue.

Brian

Emperor Galvatron wrote:

El Duque wrote:Fun Publications/TFCC have issued the following update regarding their recent security issues.

Here is the latest update on the credit card security investigation.

The firm we have hired to analyze our former ecommerce server and software has preliminarily determined that we did incur a SQL injection code attack sometime before Christmas. Our ISP did have a commercial product installed that was supposed to defeat these types of attacks, but apparently it failed.

This allowed the hackers access to our order information. While it is still unknown exactly what data they were able to harvest (investigation continues) we need to assume that they were able to extract all of our order information. The security firm thinks that this attack has allowed the hackers to come back periodically and harvest more information. However, once the old server was taken out of service (around February 21st) there was nothing left for them to access.

Once this information was stolen, (no matter if it was back before Christmas) there is no time frame as to when the thieves may sell or try to use the information to purport credit card theft.

What does this mean to me?

We are asking again that anyone who has used a credit card in our old online systems in the past year (NOT THE NEW STORE) to get your card replaced immediately. If you have done this already, there is no action required on your part.

We apologize for the inconvenience, we know this whole thing is a pain, but it is better to replace the cards than have to deal with any issues that may result from this theft of data. Even though the amount of fraud has greatly declined, we are still receiving a customer report every few days of someone else (who hasn’t replaced their cards) getting hit. We strongly encourage you to take this step immediately if you have not done so already. Again, this DOES NOT pertain to any cards that have been used in the new store.

What is the plan?

We are still working on all of the issues and are several weeks away from a final resolution. Our new store is currently offline while we complete the entries and audit the data from the renewals we received last week. Just to reiterate, this new store is a totally different piece of software, at a totally different hosting site. There are hundreds of other retailers using this same software as it is hosted by the software creators.

We hope to have the store online and registration system back online sometime next week. When the store comes back online, we will be adding products slowly so it will take some time to have everything back in the store.

Thank you for your patience and support during this trying issue.

Brian

So if they have all of our order information, they also have our names, ages, addresses, etc that was stored on their site.

Well, that's just peachy.

Hey, cancel your credit cards, never mind the identity theft potential. Disregard the man behind the curtain.

Stormrider wrote:I am not happy for several reasons. How could their security fail and no one noticed it for several months? I still think they are still down playing the threat. The thieves may have had access to our addresses and DOB. They really should be telling people watch your credit reports like a hawk. Fraudulent charges on your credit card are easy to spot. Identity theft and new credit cards that get opened fraudulently in your name using your stolen DOB is not so easy to spot.

An SQL injection is often used to attack the security of a website by inputting SQL statements in a web form to get a poorly designed website to perform operations on the database (often to dump the database content to the attacker) other than the usual operations as intended by the designer. SQL injection is a code injection technique that exploits a security vulnerability in a website's software. The vulnerability happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL commands are thus injected from the web form into the database of an application (like queries) to change the database content or dump the database information like credit card or passwords to the attacker. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.

Seibertron wrote:

Stormrider wrote:Ryan, or others that deal with website design - isn't mandatory for companies nowadays to properly store credit card numbers?

Not at all. It's best practice for companies not to store credit card information such as the card number and CID, but there's nothing to mandate that. Just best practices. Kind of like it's best practice to look both ways before crossing the street but there isn't a law per se about it, not at least to my knowledge.

Firebird wrote:Thanks for posting the email message!

I haven't been a club member since 2008. I got both of my credit cards that I used previously with the club (for botcon registration and buying club toys from their website) hit with fraud charges last month. If it wasn't for you guys posting the news and the site members that I follow on twitter, I wouldn't have ever known why I had the fraud charges.

It's too bad Fun Pub isn't sending these emails to their previous members too...

Seibertron wrote:

Stormrider wrote:I am not happy for several reasons. How could their security fail and no one noticed it for several months? I still think they are still down playing the threat. The thieves may have had access to our addresses and DOB. They really should be telling people watch your credit reports like a hawk. Fraudulent charges on your credit card are easy to spot. Identity theft and new credit cards that get opened fraudulently in your name using your stolen DOB is not so easy to spot.

Just offering my opinion from someone who's got a lot of experience with this ...

Imagine SQL injections are similar to a computer virus of some sort ... you usually don't know if your computer has a virus, you usually don't know that someone is taking advantages of SQL injections until after something bad happens. In one scenario, someone finds a weakness in the site's code by manipulating the URL where variables are being passed (such as a transaction ID, a user ID, a store order ID, etc.). They are able to insert a malicious command into the code because the programmer didn't verify that the variable was an integer or didn't include various characters that shouldn't be passed to the query. I know how to prevent it in my code, but I might not be able to best explain in layman's terms.

Wikipedia has a great explanation / summary ...

(I've always said "see-kwell" for SQL, but it is often pronounced by it's letters S-Q-L)

An SQL injection is often used to attack the security of a website by inputting SQL statements in a web form to get a poorly designed website to perform operations on the database (often to dump the database content to the attacker) other than the usual operations as intended by the designer. SQL injection is a code injection technique that exploits a security vulnerability in a website's software. The vulnerability happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL commands are thus injected from the web form into the database of an application (like queries) to change the database content or dump the database information like credit card or passwords to the attacker. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.

Wikipedia's article can be found at http://en.wikipedia.org/wiki/Sql_injection