[Dataloss] Improperly-configured shopping cart on compromised server reveals CC#s to hackers in Viet Nam
Chris Walsh
cwalsh at cwalsh.org
Tue Apr 4 20:59:24 EDT 2006
From http://roadracingworld.com/news/article/?article=25398
Internet Security Breach Affects STT Track Day Customers
Apr 04, 2006
Copyright 2006, Roadracing World Publishing, Inc.
An Internet security breach has led to credit card information
belonging to Sportbike Track Time customers falling into the hands of
criminals and some fraudulent charges being made on those cards.
According to a Sportbike Track Time spokesman, security improvements
have been made to the company's website, www.sportbiketracktime.com.
Beginning March 23, 2006, several entries began appearing on
Sportbike Track Time’s online forum
(http://www.sttforum.com/sttforum/viewtopic.php?t=272) discussing
unauthorized online purchases made with the credit cards and debit
cards of Sportbike Track Time participants who had registered at
www.sportbiketracktime.com. As the number of instances grew, it
became clear Sportbike Track Time had a problem.
The source of the problem was a vulnerability in the “shopping cart”
software provided by VP-ASP (a software company specializing in
e-commerce solutions) to Sportbiketracktime.com, according to Monte
Lutz, co-owner of Sportbike Track Time.
“Some enterprising hackers from Vietnam took over -- and I’m not a
computer guy -- a Utah company’s ISP and their servers and used that
to hack into, simultaneously, several of the VP(-ASP)-driven sites.
And we were one of them,” Lutz told Roadracingworld.com Tuesday. “It
was only a very short window. It was only 24 hours that the hackers
had access to it, but you can take a lot of stuff in 24 hours. It was
March 19. Anybody who signed up (for a Sportbike Track Time event)
this year before March 20 was potentially affected.”
Another part of the problem was that Sportbike Track Time customers’
credit card information was being stored within the “shopping cart”
system.
“We no longer store any data within the system,” said Lutz. “We have
no reason to keep that information. We do not store your credit card
numbers. I do not want that responsibility. And the system was
supposed to do it that way, but VP(-ASP) didn’t set it up that way in
the first place.”
[...]