54 Comments
- jmubane, on 01/21/2009, -2/+17 If people knew how insecure the computers are at the individual businesses that take their card they would probably just stop using their credit and debit cards altogether. During my time at one small POS shop I installed countless backroom servers running credit card processing software on password-less windows 2000 and xp boxes, sometimes sitting on the same network with an open wireless AP. These machines more often than not weren't even dedicated to processing and were used by store employees to browse the web, etc etc.
One piece of processing software, PCCharge, out of the box doesn't force you to put a password on its GUI. Anyone with access to the system could pull up the GUI, enter the "TroutD" number on your receipt and get your card number and expiration date. The merchant can of course put a password on this GUI but that requires effort. How many restaurants have you been to that didn't look like they gave a damn about much of anything? Do you think this somehow changes when it comes to protecting your card number?
- str1, on 01/21/2009, -6/+17 Good old cash works fine.
- Rivetgeek, on 01/21/2009, -0/+8 I dare you to send cash on ebay.
- kckinn, on 01/21/2009, -2/+10 How is Windows to blame here? Do you mean to say those servers were running on Windows?
- dubiousmike, on 01/21/2009, -0/+7 I know if I shopped at TJ Maxx or not. Who the hell is Heartland? What is their list of companies they do processing for? How can I be proactive about this if I don't know if I have been (potentially) affected?
- charlietuna, on 01/21/2009, -0/+7 Please pay with single use credit card numbers whenever possible. Discover has them, so does MBNA and BankOfAmerica.
http://www.discovercard.com/customer-service/secur ...
http://www.cardratings.com/feb01new.html
- Sultana, on 01/21/2009, -2/+8 Well, now over a year later, this explains why myself, brother, parents, husband, and various people at work had new cards issued to them. It sure would have been nice to have known about this at the time. It also would have been nice for Heartland to offer some sort of credit monitoring for free for a time.
- peaceninja, on 01/21/2009, -0/+6 this should be a reason for people to scrutinize their purchases, not for people to switch to a cash-only system. credit card companies in my experience have been good whenever I need to contest a charge.
- mediablitz, on 01/21/2009, -0/+6 They released this information on inauguration day? How much harder could they try to not get this noticed?
- latin69, on 01/21/2009, -4/+10 Stop using Windows..........Unix based OS FTW!!!!
- rondorondorondo, on 01/21/2009, -0/+5 Google "VISA PCI Compliance"
- skipdog172, on 01/21/2009, -0/+5 That surprises me that they refused your security advice. I also work at a small POS shop and we do most of the work for businesses in a small town. When we tell any of these businesses what they have to do to keep their systems secure, they listen. I'm surprised that these businesses would decide to not be secure, especially with the risk at hand. I am literally boggled, as we have never ever had a business decide not to keep their system secure.
It just strikes me odd that you have installed "countless" unsecured servers. Why would all of these businesses allow this, unless the company you work for refuses to adequately inform them of the risks??
- johnfranks999, on 01/21/2009, -1/+6 I like to pass along things that work, in hopes that good ideas make their way back to me. Data breaches and thefts are due to a lagging business culture – and people aren’t getting the training they need. As CIO, I look for ways to help my business and IT teams further their education. Check your local library: A book that is required reading is "I.T. WARS: Managing the Business-Technology Weave in the New Millennium." It also helps outside agencies understand your values and practices.
The author, David Scott, has an interview that is a great exposure: http://businessforum.com/DScott_02.html -
The book came to us as a tip from an intern who attended a course at University of Wisconsin, where the book is an MBA text. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. Necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action.
In the realm of risk, unmanaged possibilities become probabilities – read the book BEFORE you suffer a breach.
- billbugger, on 01/21/2009, -1/+5 Just wait until the Riemann hypothesis is solved, then your in some real *****.
http://en.wikipedia.org/wiki/Riemann_hypothesis
- dazparkour, on 01/21/2009, -0/+4 Ramen Hypothesis? Om nom nom!
- skipdog172, on 01/21/2009, -0/+4 Not really. There is no magical OS that provides 100% guaranteed security. A windows server setup properly is quite secure.
- ispshadow, on 01/22/2009, -0/+3 Almost as bad as an "Internet Tough Guy". Countless servers running processing software that didn't have passwords?!? Countless servers?
You probably underestimated how many other people on Digg do tech work at small businesses. I can't think of a business that hasn't taken our security advice.
Do us a favor, let us know which town you're doing those countless installs. I'm sure someone has wood at the thought of competing against you.
- inactive, on 01/21/2009, -1/+4 It's too bad Discover SUCKS....They have the worst customer service ever and will fight you every step of the way for something they did wrong....
My story:
In the late 90's I open a Discover card account and use it for general purchases and pay it off every month. One month, I get a notice that I haven't paid my card. I double check, and the check I sent was not only cashed, but cashed 3 days after I sent it (by Discover). They claim I didn't pay and the service desk refuses to help. I explain to them that yes, the check was cashed, so it must be a mistake. I escalate to a supervisor who refuses to help me. Not only does he ignore the fact that the bank statement in my hands refutes what Discover is saying, but he goes on to say that my interest rate will go up because I "missed" a payment.
I closed my card that second. I told my bank about the error and everything was cleared up in less than 24 hours (once the bank went after Discover).
Moral of the story? Discover is a scam....Make sure you don't pay off your balance every month...
- TheHerk, on 01/21/2009, -0/+3 Yeah, it sounds a bit strange to me, as well. I work on card embossers that make credit cards on location and every single customer is dead serious about security. Primarily because Visa is up their collective butts to be so.
For instance, the flying V that used to be embossed on Visa cards, was very well protected. If the machine was open, somebody from the business had to be monitoring me. Unless the embossing punches, topping foil, and cards were removed, I'd never be left alone to do maintenance.
- hasslinthehoff, on 01/21/2009, -0/+3 I'll just use mah militia dollers, thank yew.
- Kingster, on 01/21/2009, -1/+4 Ummm, that doesn't help when dealing with swiped cards (as is the case here). Unless you have some new fancy way of crapping a fully encoded single payment card out of your PC...
- jotchie, on 01/21/2009, -0/+3 Just read your statements. Problem solved.
- inactive, on 01/21/2009, -4/+7 Stop using Windows for everything would be a great start.
- sinembarg0, on 01/22/2009, -0/+3 Don't call it ***** Micro$oft, the name is Microsoft. You only make yourself look stupid and pretentious when you use the $.
- latin69, on 01/21/2009, -0/+2 Sr Software Developer: Heartland Payment Systems
http://hotjobs.yahoo.com/job-JN1R8PWRTWR-l-Jeffers ...
- inactive, on 01/21/2009, -0/+2 True that no OS is 100% secure, but one thing that is true is that Windows is the least secure of any modern OS.
- inactive, on 01/21/2009, -1/+3 Did you not read my post? Do you have a sarcasm impairment?
Let me summarize since you are too f*cking stupid to figure it out:
A) I paid my balance, in full, every month
B) Discover screwed up
C) Discover wouldn't fix the screw up
- Tero231, on 01/21/2009, -0/+2 "The Highest Standards | The Most Trusted Transactions" :)
- Rivetgeek, on 01/21/2009, -2/+4 yah let them charge you interest. that'll show those bastards.
***** idiot
- MrEthiopian, on 01/22/2009, -0/+2 Bullshat the PII was not compromised, this story and Heartland's CFO Mr Baldwin is misleading and or is giving an incomplete summary of what can / was on the PIN, the PIN has three tracks of data and can include (VISA) user name, PAN, Service code, Account number (FSAN), etc etc a plethora of your data!
Yes the data is encrypted but the DES key is included in the data stream and can be reversed rather easily.
- inactive, on 01/21/2009, -2/+4 Yes, the story mentioned malware was to blame. Malware strikes Windows boxes.
- inactive, on 01/22/2009, -0/+2 I was quite nice, I didn't miss a payment, it was their mistake, and the only time I got upset was when they refused to fix it. Not to mention that Discover had cashed my check, I provided proof AND they STILL refused to fix it. What more do you want?
Discover may have changed, but I highly doubt it.
- inactive, on 01/22/2009, -0/+2 Food is cheaper at the market. The market only takes cash..
- inactive, on 01/21/2009, -1/+3 Their webserver is Windows. Hence, the job description.
"Experience with web services."
Like comprehension?
- Fritzed, on 01/22/2009, -0/+2 Charredo is correct about the fact that mod10 validation doesn't provide you real cards. However, he's wrong about the CVV value. CVV is absolutely NOT stored on the magnetic strip. The CVV is a security measure specifically for the fact that it is not recorded by magstripe readers or a card imprinter. This is also why the CVV code is not raised on the card like the card number.
This is most definitely a breach, it includes card numbers and expiration dates known to be good within the past year. Along with the cardholder's name. Heartland's CFO is indicating that this won't help with online payments because it doesn't include the address. However, a clever hacker can use the BIN number (first 6 card number digits) to find what bank branch issued a card (if it is bank issued) and in conjunction with the customer name they could probably find the customer address with a phone book search.
- donolsen1155, on 01/21/2009, -0/+2 Just trying not to be so paranoid. Guess I'll go back to the sheeple herd and find my peace of mind in that there is only a small chance in 100 million my data will be used. :)
- inactive, on 01/21/2009, -0/+1 If you are worried about your card being part of this, why not just call it in lost or stolen now? No reason not to. You might as well do that every few months if you're really that worried about it.
Chances are though, someone DOES have your credit card number already. It's just that these people have so many millions of numbers that the chances of them using yours are so small. Then even if you do, you simply call the bank and say "I didn't buy an HDTV. Check the cameras from the transaction at Best Buy." They will credit your account with the money that was taken while they investigate, then they will close the case. No big deal really.
- charlietuna, on 01/21/2009, -1/+2 You can set the credit limit to be equal to the purchase amount. So after the purchase clears the number is useless. Furthermore it expires in two months. So yes, there is a "fancy way of crapping out a fully encoded single payment".
Discover's is single use I believe.
It helps.
- latin69, on 01/21/2009, -1/+2 Funny you should say that....... I found a job advertised ...........
Sr Software Developer: Heartland Payment Systems
http://hotjobs.yahoo.com/job-JN1R8PWRTWR-l-Jeffers ...
- sinembarg0, on 01/22/2009, -1/+2 Usually when there is a mistake, Discover will fix it if you are nice (it seems that this was the part that you missed). If I miss a payment (as in I forget about it, don't send it in) I call and ask nicely and they will let me pay late without any interest.
- donolsen1155, on 01/21/2009, -1/+2 If you take the article at face value, that only CC numbers were harvested by malware, there is no way this is the data breach. There are free web services that will validate CC numbers. Throw a few random, but logical numbers and dates at them, and it doesn't take long to harvest a list of valid CC numbers. However, without a name, address, or CV # they are of little or no value.
This is probably just a PR move. They are looking for sympathy from everybody who hates malware.....which is just about everybody.
- LilRabbitFooFoo, on 01/21/2009, -1/+2 You're = You are...
- inactive, on 08/07/2009, -0/+1 http://www.manifestmoneytalks.com/business-credit- ...
Just trying not to be so paranoid. Guess I'll go back to the sheeple herd
- MrEthiopian, on 01/22/2009, -1/+2 On the up side for companies that egregiously lose customer data PII, NPI through the credit card data loss can and will be held accountable financially and possibly the loss of using any card services in the future this is because of PCI.
PCI is a set of rules and standards that all companies storing credit cards must adhere to, I'll summarize some of the standards enforced in PCI, CC data must be stored in an encrypted format on a machine with virus protection up to date, behind a firewall, limited user rights and detailed auditing especially around root access.
So potentially Heartland could lose a majority of their business if found to be in violation of PCI standards, malware or a virus on your core is definitely a breach of policy.
- jmubane, on 01/22/2009, -1/+2 To explain I worked for a very VERY shady guy. He did everything as cheap as possible and his customers weren't any different. All the CC companies ever did (while I was doing POS at least) to try to enforce security was charge additional fees if certain standards weren't met but my boss didn't care and neither did the business owners (which I guess runs counter to them being cheap bastards but whatever).
I would never under-estimate the technical prowess of digg users though... what with all the linux crap that gets a million and a half diggs on here. ;)
- getoffmybridge, on 05/05/2009, -1/+2 Your card info will be stored in your rfid implant
- sinembarg0, on 01/22/2009, -1/+2 What Kingster was saying is "How can you get that single use number encoded onto a card before you swipe it (and reencode it every time you use it)?"
Although there are card readers/writers that can write cards no problem (I have a really old one, parallel port interface, that I can't get to work.)
- Kingster, on 01/21/2009, -1/+2 Doubtful - they suspect that the problem started in May of 2008. If you got new cards more than a year ago, it likely has nothing to do with this breach - more likely with TJX's.
- kckinn, on 01/21/2009, -2/+2 This is scary
- stvidguy, on 01/21/2009, -3/+3 New Priority for Obama Administration: Establish a new system to ensure that our credit card information is safe.