8 comments

[ 3.9 ms ] story [ 28.4 ms ] thread
http://time.com/5230288/delta-sears-data-breach-credit-cards... "Hackers may have accessed names, addresses, credit card numbers, CVV numbers and expiration dates for “several hundred thousand” customers during that time, according to the airline." You're 100% not allowed to save CVVs. I really hope this is just bad reporting and not true. In fact, I think you're even supposed to scrub CVVs from call center recordings!
I recently had to give my CVV to a call centre and they paused recording for that part. Probably more reliable than trying to scrub it afterwards.
Edit: It appears it might be an issue with 3rd party JS on their website, not being stored.
Why are CVVs, a 3 digit number that would be trivial to brute force, the key to unlocking access to a user's credit? Why don't we start with that problem first?
AFAIU, you cannot check whether a CVV is correct without pinging the company that manages the card, and attempting to ping them on average 500 times per card with different CVVs is not normal activity and should be blocked/shut down. This is CC fraud prevention 101
Ok, how about the fact that it's incredibly visible to begin with? It's being used like a PIN, a PIN that's literally printed right on the card. Who writes their debit card PIN on the back of their card?
It supposed to be used as proof that you have physical control of the card, which is why it is on the card and not supposed to be stored.

It's not used “like a PIN” as a second factor with the physical card as the first factor, it is used to make online and certain other uses of a card equivalent to card-present transactions with no substantive second factor.

> The software company said it discovered and fixed the breach in October.

Disgusting, how was this buried for 6 months?

> The Atlanta-based airline said that it wasn’t sure whether customers’ information was actually compromised by malware that it believes was in software used by (24)7.ai, which provided the airline with online chat services for customers, for about two weeks.

Your website, your liability. This is Delta's fault. By letting third-party Javascript execute on your webpage, that's basically a remote code execution right there. That's like giving an outside company root on your database, or domain controller. Maybe this will serve as a wake-up call for web devs, instead of piling more and more terrible JS onto a page.