Western Union's site
September 10, 2000 6:30 PM

Western Union's site is down, as hackers have accessed their "secure" database. Western Union's only suggestion so far is to tell all customers to cancel their credit card accounts. Is anything really secure on the internet? Do you trust amazon to hold your credit card numbers, Wells Fargo to keep your checking account private, and Kozmo employees not to pilfer your credit card numbers for fun?
posted by mathowie (8 comments total)

 
the real question is, can you trust the businesses enough to tell you as soon as they discover they've been compromised? no accessible data is absolutely secure.
posted by greyscale at 6:49 PM on September 10, 2000


I don't understand how the data in their database is not encrypted (I'm assuming it's not)...it seems to me that's just common sense. You've got people's credit card numbers, you encrypt them. That way, if someone does crack the database, the cracker would then have to brute force decrypt some 64- or 128-bit encryption...something that isn't exactly easy to do.

It's not like it's very hard...we did it for a very small online store for a place I worked at 4 years ago.
posted by jkottke at 7:25 PM on September 10, 2000


But wouldn't it be a problem to scale it up? And isn't this sort of situation an indication of the inherent unsurvivability of big businesses?
posted by davidgentle at 7:59 PM on September 10, 2000


it's a chestnut but i *am* fond of the comparison between doing business with a credit card on the internet, and handing that same card to a 17-year-old waiter at the local theme steakhouse with the implicit trust that he won't take it back to the kitchen and use it to buy another block of phone-porn time or something.

life is full of risks.

It's not so much Kozmo storing my credit card number that concerns me, because their business depends on that and they damn well have to get it right, as say a small-town doctor's office taking a whim to go wired (because their employees demand it, ostensibly in the name of efficiency and keeping up with the marketplace, in reality dreaming of playing internet poker or something when things get slow), getting cable internet installed by some toolbelt-and-asscrack subcontractor guy who's thinking about blowing off his next appointment so he can go fishing, and no one thinks to check file sharing settings to make sure that their super-high-tech Excel spreadsheet containing my prescriptions, allergies, weight and blood type are inaccessible from outside.

I'd like to think that people building networks are professionals with a thorough understanding of security issues, but I think that's less true all the time, even while American businesses down to mom-and-pop operations are all jumping on the computer-technology bandwagon. I don't think that jumping is a *bad* thing, but what you can say for filing cabinets is that you've got to at least have access to the building to hack 'em.

am I suffering the paranoia of the woefully undereducated? i don't know much about network security anything, but it seems very straightforward that networking anything at all becomes a risk, and that sheer prevalence of the technology just means greater odds that clumsy and incompetent mistakes like what happened with Western Union will happen again.

posted by Sapphireblue at 8:47 PM on September 10, 2000


Is anything on the net secure? A few sites, probably. Could this have been prevented? Yeah. Pretty easily.

First, as was already suggested here, they should have encrypted their database. I prefer taking it one step further, though.

I think the best solution is to have two, physically separate servers. The first is the web server, and the second is the database server. The DB server should be outside the DMZ (and thus inaccessible from the internet). When the web server needs to access customer info, it talks to the DB server. Additionally, the DB server should have rules set so that only the web server can communicate with it.

Or heck, do both. Make sure only the web server can access it, then encrypt the data anyway.
posted by CrayDrygu at 9:19 PM on September 10, 2000
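
The "only the web server can communicate with it" rule from the comment above, written as an nftables ruleset for the database host. This is an added example, not part of the original thread; the addresses, the admin workstation and port 5432 are assumptions chosen for illustration.

```nftables
#!/usr/sbin/nft -f
# Ruleset for the database host (constructed example).
# Assumed values, none of them from the thread:
#   10.0.1.10   web server in the DMZ, the only permitted database client
#   10.0.2.20   admin workstation, SSH only
#   5432/tcp    database listener (PostgreSQL's default port)

flush ruleset

define WEB_SERVER = 10.0.1.10
define ADMIN_HOST = 10.0.2.20
define DB_PORT    = 5432

table inet dbhost {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Only the web server may open connections to the database.
        ip saddr $WEB_SERVER tcp dport $DB_PORT ct state new accept

        # Administration from a single host.
        ip saddr $ADMIN_HOST tcp dport 22 ct state new accept

        # Any other source reaching for the database port is logged and
        # counted before the drop, so probing shows up in monitoring.
        tcp dport $DB_PORT log prefix "db-port-denied: " counter drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy drop;

        oif "lo" accept
        # Replies to accepted connections only. The host never initiates
        # outbound traffic in this sketch, so DNS, NTP and package updates
        # would each need their own explicit rule.
        ct state established,related accept
    }
}
```

The default-drop output chain is the part that goes beyond the comment: it limits where data can be sent from the database host if the web server, the one trusted client, is itself compromised.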


I don't think this is a story about security so much as it is about cluelessness. If Western Union had had one, the database would have been encrypted. Of course, if any businesses had a clue, they'd use something like a Mac as their server, not something that's filled with a zillion security holes almost by definition. ;)
posted by aaron at 10:07 PM on September 10, 2000


or OpenBSD ;)

There was a survey a while ago which said that ecommerce-web/DB developers were less likely than the general public to buy online, because they were more aware of the potential for exploits.

One problem with corporate sites is that middle-management are so often sold whizzy proprietary middleware/backend products which the onsite developers then have to hack up in order to get things working. I worked on a webmail project where we were forced to use a Java-based app that was basically a hacked-together piece of shit. All we could do was close off the obvious loopholes and submit a load of bug reports to the third-party developers in the hope that they'd be fixed for the next release.
posted by holgate at 5:37 AM on September 11, 2000


Someone's attacking the Net WAY too much. Do you trust the employee at the department store not to take the numbers off of receipts? What about the person checking the receipt boxes on gas pumps for people who left their receipt? Come on, you're as hyped up as a cheesy segment on Extra or Inside Edition.
posted by thirdball at 12:38 PM on September 12, 2000

