
Re: RFID Flap Silences Security Researchers



"Dave Houston" <nobody@xxxxxxxxxxxx> wrote in message
news:460c4a4c.1227393125@xxxxxxxxxxxxxxxx
> "Robert Green" <ROBERT_GREEN1963@xxxxxxxxx> wrote:
>
> >Egghead died after their massive breach.  I expect TJX might very well
> >follow them to the corporate grave.
>
> A post mortem showed that the Egghead hackers never reached the credit card
> info but Egghead was nevertheless punished for doing the right thing and
> alerting their customers to the possibility.

That's news to me.  Shortly after I received the Egghead email assuring me
that thieves broke in to their data but merely "looked around and didn't
take anything," my credit card company sent me a notice that my card was
being changed.  There was also a $10 charge from a Russian Telecom company
that I ended up eating because getting a notary and filling out all the
forms required was worth more than $10 of my time.

I never dealt with Egghead or Citibank after that.  Here's my take on
notification, bolstered by the details of TJMaxx's breach only appearing in
an SEC filing.  Companies do it only when they are terrified that by NOT
notifying customers, a court would find that they possessed the last clear
chance of helping a customer prevent a fraud.  In other words, they send out
notification not to help the customer as much as help themselves gain
immunity from serious "punies" as the lawyers like to call "punitive damage
awards."

TJMaxx was in the same position, and had to spill more details to avoid
running afoul of SEC filing regulations as well.

While I realize this is all old stuff:

http://attrition.org/dataloss/2001/04/egghead01.html  says:

<<A day later we obtained a letter written by Visa USA Senior VP and
security specialist John Shaughnessy to card issuers warning about the
Egghead hack, which unfortunately raised more questions than it answered.

The letter, dated 23 December 2000, warns card issuers that "on December 21,
Visa USA was informed that a merchant had discovered a security breach in
its computer system that may have put cardholder data at risk."

The next sentence, however, reads: "The cardholder data compromised included
account numbers, CVV2*, cardholder names, addresses and possibly card
expiration dates." >>

Something's not right there.  As the author of that document further notes:
"Sentence one says the breach 'may have' compromised account data. Sentence
two assumes that the data was compromised. We very much wished to clear that
bit up."

> There was strong evidence that the real breach was at a much larger entity
> that never 'fessed up and is now part of an even larger entity popular with
> those who find things that have fallen from passing trucks.

That may be true, but I only used that credit card online for Egghead
purchases.  I use cash almost exclusively so I didn't have very many charges
on the card except for egghead, and they were all with local merchants.

There's another site, CNN, that reports data that directly coincides with
mine:

http://archives.cnn.com/2001/TECH/computing/01/09/egghead.data.idg/index.html

<<Presson, who e-mailed Computerworld from her parents' home near Berkeley,
Calif., said she notified Egghead.com more than six months ago that her
credit card number had been used by someone in Russia.

"I knew they got it from Egghead.com because that was the only [online
company] where I used my credit card and within a week my card was debited
for $26.30 for a URL in Russia that didn't even have a site up," Presson
said. "I'm really angry because Egghead.com did not even acknowledge my
message to them." . . . The important thing here is that if these people
feel they were victimized [by shopping at Egghead.com] they will not
patronize Egghead again, no matter what happens," said Eric Hemmendinger, an
analyst at Aberdeen Group in Boston.>>

And that's why TJMaxx may roll over and die because of this breach.  As
always, the facts don't seem to matter as much as the perceptions.

Yet another site details EXACTLY what happened to me:

http://www.internetnews.com/dev-news/article.php/10_543591

<<Meanwhile, the FBI is reportedly investigating reports by dozens of online
shoppers of fraudulent charges to their credit cards by a mysterious Russian
telecommunications firm.  Numerous Internet users have discovered
unauthorized charges of about $10 on their credit card statements this month,
paid to a company called Global Telecom.>>

I'd certainly be interested in reading further, Dave, but what I am finding
still seems to point to Egghead.  Yes, I know Kroll and the FBI investigated
but the FBI couldn't even find superspy Robert Hanssen in their own midst,
nor did they find the 9/11 hijackers until it was too late.  Having them
sign off on Egghead's innocence doesn't do much to convince me, especially
considering the "weasel wording" Egghead used in its notification.

I'm still quite strongly convinced that Egghead was the source because of
the unbelievability of the statement "hackers broke in but all they did was
look around and not take anything."   Aw, c'mon.  Thieves breaking in but
not stealing?  It defies common sense.  I also recall reading at the time
that their security was so poor, they couldn't even determine when or how
the hack occurred, just that it did.

That seems to be in perfect tune with the very plausible possibility that
they began an audit only *after* first being alerted to the hack by
thousands of customer complaints from people who only did on-line business
with them.  In fact, it's the only explanation that really flies.

"They looked around but didn't steal anything."  Doesn't that just *sound*
unbelievable?

--
Bobby G.