Free Republic
News/Activism

Year-old hole exposes credit cards
MSNBC | April 1 | Bob Sullivan

Posted on 04/02/2002 2:34:17 PM PST by Bush2000

It’s hard to get the site to stop spitting out personal information

[Image caption: A section of the orders being published by Waxboxes.com.]

April 1 — Who’s responsible when a year-old software bug hasn’t been fixed, and as a result, customer credit card numbers are spit out onto the Internet; and when the company involved doesn’t answer e-mails or phone calls, but all the while, keeps handing credit card numbers to hackers? MSNBC.com tried to reach the site, Waxboxes.com, but with no luck. Meanwhile, the source who found the customer records tried to contact the credit card association fraud departments, and that didn’t help. As the process unfolded, victims’ credit cards were still being revealed, and most likely stolen.

“IT SEEMS NO ONE is responsible,” said Dan Clements, who runs CardCops.com, a credit card theft information site. Clements heard about the flaw at Waxboxes.com last week, and passed it along to MSNBC.com.

Almost exactly one year ago, the FBI issued a warning about shopping cart software called “PDG” that accidentally publishes customer order details to the world. A flurry of fun for credit card thieves ensued. But the exposures died down in about a month, after numerous e-mails and phone calls came from PDG with instructions on how to fix the flaw — and after numerous news stories chronicled the consequences of failing to patch.

But the news apparently didn’t reach Waxboxes.com, a small sports memorabilia dealer that only took a few orders a week at its Web site. Until today, it was publishing every customer order onto the Web.

Finally, a call to Waxboxes’ Web hosting provider on Monday shut off the faucet of credit cards. The host, Interland Inc., said it had sold PDG’s software to Waxboxes.com, meaning it was the Web site’s responsibility to install the patch.

“PDG notified customers, in a series of six e-mails,” said Interland spokesperson Barbara Gibson.

But Waxboxes.com wasn’t alone. Clements also found a second Web site, Derbytec.com, that was using the old, unpatched PDG software, and was publishing customer orders — fortunately, without credit card data. The site plugged its flaw when contacted directly by PDG on Monday.

PDG president David Snyder said the company had made numerous efforts to contact the company.

“I don’t know what to say about these sites,” he said. “I am surprised there are still sites out there that aren’t updated, given the massive amounts of effort we put into contacting people.”

But for Clements, the software patching process will always be imperfect. Clements thinks the credit card companies need to take a more active role in preventing security breaches and reacting to them. For example, there should be fraud hotlines ready to cancel stolen cards that are found online.

“I contacted the fraud and risk people at Visa, Mastercard, American Express ... at noon on Friday,” he said. At noon on Monday, the card numbers were still being spit out by the Waxboxes.com site. “I copied 20 people. But it goes to the bottom of their to-do list. They just haven’t adapted to the speed of the Internet.”

Not so, says Casey Watson of Visa. Concerned Internet users who run across stolen card numbers can contact the company at Visa.com or at 1-800-Visa-911, and the company will begin an investigation.

“E-mail is very powerful, quick and instantaneous,” Watson said. “We have people watching [Visa.com e-mail] daily — e-mails get fired around the company very quickly, and investigations are initiated. I’m not familiar with this case, but I wouldn’t be surprised if Visa was involved.”

The card companies do have policies in place designed to encourage merchants to take better care of customer data, like Visa’s Cardholder Information Security Program. But Clements says those policies have no teeth.

“Have any of these guys suffered any consequences for listing those cards in public?” he said. “Many times in the past CardCops has notified the credit card associations of vulnerabilities. And many times the flaw or hole is still up after a month.”


TOPICS: Business/Economy
KEYWORDS: linux; pdg; techindex
http://uptime.netcraft.com/up/graph/?mode_u=off&mode_w=on&site=www.waxboxes.com

The site www.waxboxes.com is running Apache/1.3.19 (Unix) FrontPage/5.0.2.2510 mod_ssl/2.8.3 OpenSSL/0.9.6b on Linux.

http://uptime.netcraft.com/up/graph/?mode_u=off&mode_w=on&site=www.derbytec.com

The site derbytec.com is running Apache/1.3.19 (Unix) PHP/4.0.6 on Linux.

1 posted on 04/02/2002 2:34:17 PM PST by Bush2000
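The Netcraft banners quoted in the post above list the server stack product by product. The following is an added example (not code from MSNBC, PDG, Netcraft or either site) that parses such a banner into product/version pairs and flags anything below an operator-chosen baseline, which is the inventory step a merchant or host would need before the "did anyone patch?" question in the article can be answered. The baseline versions in MINIMUMS are placeholders for the demo, not a claim about which of these releases was vulnerable; the letter-suffix handling is there because OpenSSL numbered its patch releases 0.9.6a, 0.9.6b and so on.

```python
"""Parse a web-server banner of the kind Netcraft reports into (product, version)
pairs and compare each against an operator-supplied minimum version.

Added example for this thread; not code from MSNBC, PDG or the sites named.
The versions in MINIMUMS are illustrative assumptions for the demo, not a
statement about which of these releases had security flaws.
"""
import re
from typing import Dict, List, Tuple

# One product token: name/version, optionally followed by a parenthesised
# comment such as "(Unix)", which is matched so it is skipped, not captured.
_TOKEN = re.compile(r"([A-Za-z_][\w.-]*)/(\S+)(?:\s+\([^)]*\))?")

# Banner strings as they appear in the thread (copied from the page text).
BANNERS = {
    "www.waxboxes.com": "Apache/1.3.19 (Unix) FrontPage/5.0.2.2510 mod_ssl/2.8.3 OpenSSL/0.9.6b",
    "derbytec.com": "Apache/1.3.19 (Unix) PHP/4.0.6",
}

# Assumed baseline versions, chosen only to exercise the comparison logic.
MINIMUMS = {
    "Apache": "1.3.24",
    "OpenSSL": "0.9.6c",
    "PHP": "4.1.0",
}


def parse_banner(banner: str) -> Dict[str, str]:
    """'Apache/1.3.19 (Unix) mod_ssl/2.8.3' -> {'Apache': '1.3.19', 'mod_ssl': '2.8.3'}."""
    return {name: version for name, version in _TOKEN.findall(banner)}


def version_key(version: str) -> Tuple:
    """Turn '0.9.6b' into ((0,''),(9,''),(6,'b')) so tuples compare in release order.

    Numeric parts compare as ints, a trailing letter (OpenSSL-style patch
    letter) sorts after the bare release, and a shorter tuple sorts first.
    """
    parts: List[Tuple[int, str]] = []
    for piece in version.split("."):
        m = re.match(r"(\d+)([A-Za-z]*)$", piece)
        if not m:
            # Non-numeric component: keep it comparable rather than crash.
            parts.append((0, piece))
            continue
        num, suffix = m.groups()
        parts.append((int(num), suffix))
    return tuple(parts)


def is_older(installed: str, minimum: str) -> bool:
    """True when the installed version sorts strictly below the minimum."""
    return version_key(installed) < version_key(minimum)


def audit(banner: str, minimums: Dict[str, str] = MINIMUMS) -> List[str]:
    """Return the names of banner products that fall below their baseline."""
    found = parse_banner(banner)
    return sorted(
        name for name, ver in found.items()
        if name in minimums and is_older(ver, minimums[name])
    )


if __name__ == "__main__":
    for host, banner in BANNERS.items():
        print(host, parse_banner(banner), "below baseline:", audit(banner))
```

Products without an entry in the baseline table (FrontPage and mod_ssl here) are reported in the parsed inventory but never flagged, which is the honest behaviour when you have no reference version for them.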

To: tech_index
April Fool's?
2 posted on 04/02/2002 2:34:51 PM PST by Bush2000

To: Bush2000
Not fair! It was someone else's software that caused the problem! /sarcasm
3 posted on 04/02/2002 2:54:14 PM PST by PatrioticAmerican

To: Bush2000
People who connect computers to the Internet and don't pay attention get screwed, regardless of the platform. So?
4 posted on 04/02/2002 3:06:46 PM PST by dwollmann

To: Bush2000
They claim that their order process is "secure." It is not. They are using ordinary "http" to process the order rather than "https".

A Google search of newsgroups shows that Waxboxes.com is a prolific spammer of newsgroups.

Someday maybe people will learn that you just do not buy from spammers. Spammers lie, cheat and steal.

5 posted on 04/02/2002 3:13:22 PM PST by Jeff Gordon

To: Jeff Gordon
While it's true that waxboxes.com's order form is insecure (hit https://waxboxes.com/ and you'll see that their cert has expired), the results I get from a google turn up only a few hits pointing to a subdirectory with political commentary.

If you're searching on "waxboxes.com" you're actually getting the same results you'd get with "waxboxes", since google treats "com" as a common word and won't search for it by default. "waxboxes" is a very common term in the card collecting world, so it's not surprising that you'd get a lot of hits for it.

6 posted on 04/02/2002 3:51:44 PM PST by dwollmann
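Posts 5 and 6 above make two observations a reviewer can verify without placing an order: whether the order form posts over plain http, and whether the site's https certificate has expired. The block below is an added example, not code from the thread or from the sites named. The HTML page in it is constructed for the demo, the field-name heuristic in CARD_FIELDS is an assumption, and the certificate date is a made-up value in the format that Python's `ssl.getpeercert()` reports.

```python
"""Two offline checks behind the thread's complaints about the order page:
(1) does an order form collect card-like fields and submit them over http,
(2) has a certificate's notAfter date already passed.

Added example for this thread, not the sites' or the article's code.
SAMPLE_PAGE is constructed; CARD_FIELDS is a heuristic assumption.
"""
import ssl
import time
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Substrings that suggest an input collects payment data (assumption for the demo).
CARD_FIELDS = ("card", "cc", "cvv", "exp")

# Constructed page: an order form with a relative action, plus an unrelated
# search form that already posts to https.  Not a capture of any real site.
SAMPLE_PAGE = """
<html><body>
<form action="order.cgi" method="post">
  <input name="name"><input name="ccnum"><input name="exp">
</form>
<form action="https://example.test/search" method="get">
  <input name="q">
</form>
</body></html>
"""


class FormCollector(HTMLParser):
    """Collect (action, method, field names) for every <form> in the document."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[Tuple[str, str, List[str]]] = []
        self._current: Optional[Tuple[str, str, List[str]]] = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = (a.get("action") or "", (a.get("method") or "get").lower(), [])
        elif tag == "input" and self._current is not None and a.get("name"):
            self._current[2].append(a["name"].lower())

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def insecure_card_forms(html: str, page_url: str) -> List[str]:
    """Return absolute action URLs of forms that collect card-like fields and
    submit over anything other than https.

    A relative action inherits the page's scheme, so an order form served from
    an http:// page is insecure even though its action "looks" local.
    """
    parser = FormCollector()
    parser.feed(html)
    parser.close()
    insecure = []
    for action, _method, fields in parser.forms:
        target = urljoin(page_url, action) if action else page_url
        collects_card = any(any(k in f for k in CARD_FIELDS) for f in fields)
        if collects_card and urlsplit(target).scheme != "https":
            insecure.append(target)
    return insecure


def cert_expired(not_after: str, now: Optional[float] = None) -> bool:
    """True if a certificate's notAfter string (the 'Apr  1 00:00:00 2002 GMT'
    form returned by ssl.getpeercert()) lies before `now` (default: current time)."""
    expiry = ssl.cert_time_to_seconds(not_after)
    return expiry < (time.time() if now is None else now)


if __name__ == "__main__":
    print(insecure_card_forms(SAMPLE_PAGE, "http://www.waxboxes.com/order.html"))
    # Made-up expiry date, only to show the call shape.
    print(cert_expired("Apr  1 00:00:00 2002 GMT"))
```

Against a live site the `not_after` value would come from `ssl.create_default_context().wrap_socket(...).getpeercert()["notAfter"]`; verification failures for an expired certificate would already raise in `wrap_socket`, so the explicit check is mostly useful when connecting with verification disabled for diagnosis.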

To: dwollmann
mea culpa...

Yes, I searched not for waxbox.com but for waxbox.

7 posted on 04/02/2002 4:12:17 PM PST by Jeff Gordon

To: Bush2000
Who’s responsible when a year-old software bug hasn’t been fixed... ?

“I don’t know what to say about these sites,” [Snyder] said. “I am surprised there are still sites out there that aren’t updated, given the massive amounts of effort we put into contacting people.”

http://uptime.netcraft.com/up/graph/?mode_u=off&mode_w=on&site=www.waxboxes.com
The site www.waxboxes.com is running Apache/1.3.19 (Unix) FrontPage/5.0.2.2510 mod_ssl/2.8.3 OpenSSL/0.9.6b on Linux.

http://uptime.netcraft.com/up/graph/?mode_u=off&mode_w=on&site=www.derbytec.com
The site derbytec.com is running Apache/1.3.19 (Unix) PHP/4.0.6 on Linux.

Well, are we to conclude that Mr. B2K thinks where Open Source servers are concerned, the servers should update themselves?
Is that what happens in Windows World?

8 posted on 04/04/2002 6:47:35 AM PST by TechJunkYard
