42 comments

[ 3.9 ms ] story [ 75.5 ms ] thread
I love this part (no trolling from me):

    > We are sorry. We regret that this incident has caused worry for our partners and people. We have begun the process to identify and contact those impacted and are working closely with law enforcement and the relevant regulators. We are fully committed to maintaining your trust.
I know there will by a bunch of cynics who say that an LLM or a PR crisis team wrote this post... but if they did, hats off. It is powerful and moving. This guys really falls on his sword / takes it on the chin.
The hard line:

"We will pay $500,000 to anyone who can provide information leading to the arrest and conviction of the perpetrators. If the perpetrators can be clearly identified but are not in a country which extradites to or from the United States, we will pay $500,000 for their heads."

The donation is more or less virtue signaling rather than actual insight.

The problem can not be helped by research research against cybercrime. Proper practices for protections are well established and known, they just need to be implemented.

The amount donated should've rather be invested into better protections / hiring a person responsible in the company.

(Context: The hack happened on a not properly decomissioned legacy system.)

(comment deleted)
Sidenote, it's interesting how the term "virtue signaling" is arguably objectively an individualistic right-wing dog whistle these days.

I would argue that it is being used all over the media to complain about anyone showing any signs of not being purely individualistic, as if individualism is the only true thing people actually honestly feel. This is obviously incorrect, empathy, professionalism, a desire for a sense of purpose, are all things that people objectively feel in the real world, everyday, everywhere.

I would argue that the expression "virtue signaling" is used systematically in individualistic right wing media by the right about anyone who say, for example, that they care about minorities or less fortunate people or to take action to support them, as if it was false. I would argue that this is harmful.

People do care a good fraction of the time, and they should be recognized for their positive actions, and encouraged. I would argue that we should definitely strive for a culture where individualism is not seen as the only true emotion that people can feel.

So, knowing the negative political and philosophical baggage, I would not use that expression, especially if you don't have actual proof that they don't care about security, professionalism, etc.

Could this be aws s3?
If i was a customer id be pissed off, but this is as good as a response you can have to an incident like this.

- timely response

- initial disclosure by company and not third party

- actual expression of shame and remorse

- a decent explanation of target/scope

i could imagine being cyclical about the statement, but look at other companies who have gotten breached in the past. very few of them do well on all points

When they say "The episode occurred when threat actors gained access to this third party legacy system which was not decommissioned properly. " for me it sounds like a not properly wiped disk that got into the the bad guys hands. It would be interesting to know more to be prepared for proper decommissioning of hardware.
> The attackers gained access to a legacy, third-party cloud file storage system.

I think the answer is ok but the "third-party" bit reads like trying to deflect part of the blame on the cloud storage provider.

For all their boasting, I can't help but wonder how their response would have been different if the attackers actually had gotten their hands on sensitive data.
Sometimes cyber insurance will come to the rescue. That’s why companies Don’t pay.
So, I used to work in the fintech world and it looks to me like what was hacked was merchant KYB documents. I.e. when a merchant signs up for a PSP they have to provide various documentation about the business so the PSP can underwrite the risk of taking on this business. I.e. some PSPs won't deal with porn companies or travel companies or companies from certain regions etc.

This sort of data is generally treated very differently to the actual PANs and payment information (which are highly encrypted using HSMs).

So it's obviously shitty to get hacked, but if it was just KYB (or KYC) type information, it's not harming any individuals. A lot of KYB information is public (depending on country).

Fair play on them for being open about this.

"The system was used for internal operational documents and merchant onboarding materials at that time"

To me it seems most likely that this is data collected during the KYC process during onboarding, meaning company documents, director passport or ID card scans, those kind of things. So the risk here for at least a few more years until all identity documents have expired is identity theft possibilities (e.g. fraudsters registering their company with another PSP using the stolen documents and then processing fraudulent payments until they get shut down, or signing up for bank accounts using their info and tax id).

>So the risk here for at least a few more years until all identity documents have expired is identity theft possibilities

Essentially nobody checks the validity of document numbers, there’s rarely any automated mechanism to do this. You could just photoshop the expiry dates on the documents and use them for years and years, even if document designs changed you could just transplant the info from the old document into a new template.

So no, documents expiring does mostly nothing to alleviate identity theft risks in most of the world.

And anyway, targeted phishing attacks are of much much higher severity than identity theft. From this data you can probably gather everything you’d need to perform rather high quality phishing attacks against the bank accounts of checkout.com clients, easily causing tens or hundreds of millions of losses that would never be recovered.

This should be law. Any company that is hacked should be required by law to make a sizeable investment in a third-party security research company.
Isn't it illegal in many countries to pay a ransom?

(If not, why not?)

(Imho, it would make sense if only the state can pay ransoms)

It is generally not illegal. I’ve been following this for a while and can not think of any place where it would be.

Why not? Legislators haven’t caught up yet, and banning ransom payments would likely cause some very uncomfortable situations.

This of course raises some pretty uncomfortable questions, should ransom payments in kidnapping cases be banned too? That would presumably cost actual human lives.

A more pressing issue is that banning ransom payments might dissuade ransomware, but wouldn’t affect the main problem of financially motivated hacking. The costs of these attacks are so low that a ransomware payments ban would probably not have stopped checkout.com from being hacked and having their customer data stolen, the criminals will still do crime even if they have to do slightly different crime that pays less.

The group responsible in this case was just selling data stolen from their victims for a long time before they pivoted to much more profitable ransom operations.

Giving me MBA vibes. Will they close up shop and go when it's the remaining 75% of their infrastructure next time?
At this point I think we all understand that we will never be able to trust any company in this world with our data.

In most cases they can get away with "We are sorry" and "Trust me, bro" attitude.

> Checkout.com hacked, refuses ransom payment, donates to security labs

This submission's edited title reads like the "target headline" from The Office (US):

> Scranton Area Paper Company - Dunder Mifflin - Apologizes - to Valued Client - Some Companies - Still Know - How - Business - is - Done

I have checkout.me domain, and it is for sale. email me if you want to get it.
How much do you want for it?
They're "sorry", they want to be "transparent" and "accountable", they want your "trust", but not enough to publicly explain what happened or what kind of data got taken (is a full CRM backup from 6 years ago considered "legacy" "internal operational documents"?). There's not even a promise to produce more information about their mistake.

> Jimmy, where did the cookies go?

> Something that was on the counter is gone! I don't know how! It might not even be my fault! But I'm sorry!

What kind of an apology is that? It's not. It's marketing for the public while they contact the "less than 25% of [their] current merchant base" whose (presumably sensitive) information was somehow in "internal operational documents".

Oh but also took some of what they charge their customers and gave that (undisclosed?) sum away to a university. They must be really sorry.

It’s notable that there were ShinyHunters members arrested by the FBI a few years ago. I was in prison with Sebastian Raoult, one of them. We talked quite a bit.

The level of persistence these guys went through to phish at scale is astounding—which is how they gained most of their access. They’d otherwise look up API endpoints on GitHub and see if there were any leaked keys (he wasn’t fond of GitHub's automated scanner).

https://www.justice.gov/usao-wdwa/pr/member-notorious-intern...

They are downplaying the severity of the data theft, which most likely includes user identification documents, the most dangerous type of breach, since it directly enables identity theft

Reading between the lines reveals the severity they're obfuscating, with contradictions:

> This incident has not impacted our payment processing platform. The threat actors do not have, and never had, access to merchant funds or card numbers.

> The system was used for internal operational documents and merchant onboarding materials at that time.

> We have begun the process to identify and contact those impacted and are working closely with law enforcement and the relevant regulators

They stress that "merchant funds or card numbers" weren't accessed, yet acknowledge contacting "impacted" users, this begs the question: how can users be meaningfully "impacted" by mere onboarding paperwork?

I dont understand some of the cynicism in this thread. This is a bold move and I support. It is impossible to not have incidents like this and until theres a proper post mortem we wont really know how much of it can be attributed to carelessness. They could have just kept is hush hush but I appreciate that they came forward with it and also donated money to academia. The research will be open and everybody benefits.
Cynicism? The post they published is blaming the 3rd party and "legacy" bs. They are talking about "credit cards are safe," but 25 god damn percent of their merchants' data have been leaked. This is messed u, and they play it cool by saying "we donated money because the issue wasn't o big deal". I read that posts as a professional deflection.
If everyone refuses to pay, such incidents would largely reduce.
Interesting spin for a core infrastructure provider who deals with the most sensitive part of most businesses, tries to bury the lede of getting hacked with a tale of their virtuous refusal to pay a ransom; is this supposed to make them attractive or just have people skip the motivating events? Swing and a miss in my books.