[Dataloss] Improperly-configured shopping cart on compromised server reveals CC#s to hackers in Viet Nam

Chris Walsh cwalsh at cwalsh.org
Tue Apr 4 20:59:24 EDT 2006


From http://roadracingworld.com/news/article/?article=25398


Internet Security Breach Affects STT Track Day Customers

Apr 04, 2006

Copyright 2006, Roadracing World Publishing, Inc.

An Internet security breach has led to credit card information
belonging to Sportbike Track Time customers falling into the hands of
criminals and some fraudulent charges being made on those cards.
According to a Sportbike Track Time spokesman, security improvements
have been made to the company's website, www.sportbiketracktime.com.

Beginning March 23, 2006, several entries began appearing on
Sportbike Track Time's online forum (http://www.sttforum.com/sttforum/viewtopic.php?t=272)
discussing unauthorized online purchases made
with the credit cards and debit cards of Sportbike Track Time
participants who had registered at www.sportbiketracktime.com. As
the number of instances grew, it became clear Sportbike Track Time
had a problem.

The source of the problem was a vulnerability in the "shopping cart"
software provided by VP-ASP (a software company specializing in
e-commerce solutions) to Sportbiketracktime.com, according to Monte
Lutz, co-owner of Sportbike Track Time.

“Some enterprising hackers from Vietnam took over -- and I’m not a  
computer guy -- a Utah company’s ISP and their servers and used that  
to hack into, simultaneously, several of the VP(-ASP)-driven sites.  
And we were one of them,” Lutz told Roadracingworld.com Tuesday. “It  
was only a very short window. It was only 24 hours that the hackers  
had access to it, but you can take a lot of stuff in 24 hours. It was  
March 19. Anybody who signed up (for a Sportbike Track Time event)  
this year before March 20 was potentially affected.”

Another part of the problem was that Sportbike Track Time customers'
credit card information was being retained within the "shopping cart"
system after the transaction, so a compromise of the cart database
exposed full card numbers rather than just order records.
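The practical check behind that point is whether a cart's order table still holds primary account numbers. The following is an added example written for this post, not code from the article, from Sportbike Track Time or from VP-ASP: it scans exported order rows for digit runs of card-number length that pass the Luhn check, and reports the row, the column and a masked value. The sample rows, the column names (`ccnumber`, `notes`) and the test card numbers are constructed for the example.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample export of a cart "orders" table. Card numbers here are
# the standard published test numbers, not real accounts.
SAMPLE_ROWS: List[Dict[str, str]] = [
    {"order_id": "1001", "customer": "A. Rider", "ccnumber": "4111111111111111",
     "expiry": "04/08", "notes": "track day, intermediate group"},
    {"order_id": "1002", "customer": "B. Racer", "ccnumber": "",
     "expiry": "", "notes": "paid by card ending 4242"},
    {"order_id": "1003", "customer": "C. Pilot", "ccnumber": "4111 1111 1111 1112",
     "expiry": "", "notes": "phone 555-0100"},
    {"order_id": "1004", "customer": "D. Novice", "ccnumber": "",
     "expiry": "", "notes": "card on file: 5555-5555-5555-4444"},
]

# 13 to 19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the all-digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, as a report should."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_stored_pans(rows: Iterable[Dict[str, str]],
                     id_column: str = "order_id") -> List[Tuple[str, str, str]]:
    """Scan every string cell of every row for Luhn-valid card numbers.

    Returns (row id, column name, masked number) for each hit. Row 1003's
    value is 16 digits but fails Luhn, so it is not reported; row 1002's
    'ending 4242' is too short to be a PAN.
    """
    findings: List[Tuple[str, str, str]] = []
    for row in rows:
        row_id = row.get(id_column, "?")
        for column, value in row.items():
            if not isinstance(value, str):
                continue
            for match in PAN_CANDIDATE.finditer(value):
                digits = re.sub(r"[ -]", "", match.group(0))
                if 13 <= len(digits) <= 19 and luhn_valid(digits):
                    findings.append((row_id, column, mask_pan(digits)))
    return findings


if __name__ == "__main__":
    for row_id, column, masked in find_stored_pans(SAMPLE_ROWS):
        print(f"order {row_id}: column {column!r} holds {masked}")
```

Run against a real export, the interesting result is not the `ccnumber` column, which everyone knows to look at, but free-text columns such as `notes` where staff or customers paste card details; a "we no longer store card numbers" claim should be checked against both.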

“We no longer store any data within the system,” said Lutz. “We have  
no reason to keep that information. We do not store your credit card  
numbers. I do not want that responsibility. And the system was  
supposed to do it that way, but VP(-ASP) didn’t set it up that way in  
the first place.”

[...]

