Admin
You do know that it works fine with the Chinese symbols on the CC, don't you? After all, CC is an acronym for Chinese Characters.
Admin
Or any male republican congressman...
Admin
Except when that credit card number is actually for a debit card... then you enter the 'you can't get to your money, if you have any left' hell. Been through that too many times...
Admin
Or your mother...
Admin
Rogier is correct in identifying cake as the proper course of action. And the cake shall be good cake. Also: I would like some of this cake.
Admin
It still boggles my mind that my $15 a month WoW subscription has vastly superior security than my debit or credit cards.
I can't go through the drive-through at McDonalds without handing over all of the information Joe McBurger guy needs to buy anything he wants off the internet, with my account.
Admin
No, it still looks good on the resume, just not so much on the blue dress.
Admin
This.
If a video game company is willing to shell out for multi-factor authentication, why the hell won't my bank do it?
Admin
But, the cake is a lie!
Admin
Don't laugh. Many years ago, I had a customer who wanted his data files obfuscated in order to prevent his competitors from using them. Since they had a lot of numbers in them, I simply ROT-5'd the numerical parts of the files. Turns out his competitors were as technically unskilled as they were unethical, and as far as I know they are still using the program fifteen years later.
Admin
Yep. Report 'em to Visa. That'll get them in some trouble real quick.
Also, sometimes this sort of thing can violate key requirements of the Sarbanes–Oxley Act as well. That's no fun.
Admin
That would depend on what job you are applying for.
Admin
You kidding? It did wonders for my career as a professional whore / handbag designer.
Admin
Companies that do this kind of thing need to be taught a lesson. A very hard, expensive lesson.
Like they said in the olden days, "Those who will not learn from the Word, shall learn by the sword".
Admin
When my card number was stolen without my knowing (the card itself was still in my wallet), my card company called me up.
Visa: "Are you aware there is a $3000 charge on your card in Greece?" (I live in the U.S.) Me: "Uh, no ma'am. That sounds suspicious." Visa: "We thought so. We just canceled your card, credited the suspicious charge, and issued you a new card number. Your new card has already been sent, and you should receive it in 3-4 days. Please review your history and let us know if there are any other recent fraudulent charges." Me: "Oh, ok. Thanks!"
The CC company handled everything and all I had to do was print a form, sign it, and send it back to them at my leisure. What a pain in the ass!
<disclaimer> In all seriousness, no matter how easy the fraud resolution process has become, it doesn't excuse a lack of proper security. </disclaimer>
Admin
You seem to be suggesting that we do not give them knives to cut their cake with. But how far are you willing to take it: regular or ice cream?
Admin
Yeah, man. My org is going crazy to be PCI compliant. IMHO, "Bonnie" should anonymously blow the whistle on her employer--or at the very least seek another workplace. I mean, it's irritating to see my org spending a lot of time and money to be compliant with something that another org is flagrantly violating.
IIRC, the fines issued to the violating company are substantial and they can be issued on a per transaction basis--so like each transaction that you process where you save the credit card data in a non-compliant fashion can get you another fine. Ouchie.
-- Furry cows moo and decompress.
Admin
It doesn't surprise me that they removed her encryption code. Unapproved changes (read: not requested by mgmt), especially in large companies, usually get your hands smacked no matter how useful or appropriate they are.
Admin
Amazon.com does not ask me for my CVV on every transaction, even though I have a credit card number stored there, which I use to buy stuff. I know that many online companies do this (including Paypal).
On the other hand, I have read some of the Visa and MasterCard merchant agreements and their data protection requirements. A local restaurant was using a software program to send credit card information to their clearinghouse, and the software was actually storing the entire card number (perhaps without the CVV) and expiration date in a database. ("Card present" rules are different than "card not present" rules.) Retail places that swipe credit cards are NOT supposed to store the entire card number.
The newer version of this particular software only stored the last 4 digits of the card number, which is acceptable IIRC. They finally upgraded, then they went out of business. I tried to contact them to offer to securely erase the hard drives containing their database, but I was not successful. Ugh.
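An added example (not code from the thread or from the software either poster describes) that ties the ROT-5 anecdote above to the "only keep the last four digits" point in this post: digit-rotation is its own inverse, so an attacker who scans a ROT-5'd file for 13-19 digit runs and keeps whatever passes the Luhn check gets the card numbers back in one pass, whereas a truncated PAN simply does not contain the information. The record line, the test PAN 4111111111111111 and the function names are all constructed for the example.

```python
"""ROT-5 'obfuscation' of card numbers vs. PCI-style truncation.

Added illustration; not the original poster's code. The obfuscated record
and the PAN below are constructed test data, not real card numbers.
"""
import re

DIGITS = "0123456789"

# Constructed: a data file whose numeric parts were ROT-5'd, as in the
# earlier anecdote (1042 -> 6597, 4111... -> 9666..., 0207 -> 5752).
OBFUSCATED_RECORDS = (
    "cust=6597,pan=9666666666666666,exp=5752\n"
    "cust=6598,phone=0770000000,note=paid in cash\n"
)


def rot5_digits(text: str) -> str:
    """Shift every ASCII digit by 5; non-digits pass through untouched.
    Shifting by 5 twice is a shift by 10, so the function is its own inverse."""
    return "".join(
        DIGITS[(DIGITS.index(c) + 5) % 10] if c in DIGITS else c for c in text
    )


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation over a digit-only string.
    Every second digit from the right is doubled; digits over 9 have 9 subtracted."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(raw: str) -> str:
    """What the 'newer version' in the post did: keep only the last four digits.

    Separators are stripped first, the length and Luhn check reject input that
    is not a plausible PAN, and everything except the last four digits is
    replaced, so the stored value cannot be turned back into a card number.
    """
    pan = re.sub(r"\D", "", raw)
    if not 13 <= len(pan) <= 19 or not luhn_ok(pan):
        raise ValueError("not a plausible card number")
    return "*" * (len(pan) - 4) + pan[-4:]


def recover_pans(obfuscated: str) -> list:
    """Attacker's side of the ROT-5 scheme: undo the shift over the whole file,
    then keep every 13-19 digit run that passes Luhn. No key is needed."""
    clear = rot5_digits(obfuscated)
    return [run for run in re.findall(r"\d{13,19}", clear) if luhn_ok(run)]


if __name__ == "__main__":
    print("recovered:", recover_pans(OBFUSCATED_RECORDS))
    print("stored   :", truncate_pan("4111 1111 1111 1111"))
```

The Luhn filter is what makes the scan cheap: in a file full of numbers, the digit runs that survive length and checksum are almost always card numbers, so the "obfuscation" costs an attacker a single substitution pass. Truncation has no such inverse, which is the whole point of the rule the post mentions.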
Admin
newegg does this.
CAPTCHA: saepius
Admin
Maybe you are kidding, but credit cards have numbers that can be (and generally are) stored as characters. You realize that the digits 0-9 do exist in the ASCII (and even EBCDIC) code tables, right?
ROT26 and ROT215 would work perfectly well on these characters that happen to be digits.
I like the ROT215 comment! Random, and a prime...
Admin
What a load of ROT.
Admin
I also had some money taken from my checking account, when my debit card had been used IN POLAND at a physical ATM to withdraw about $700.
Turns out that a major company (I think it was Ross or Marshall's or OfficeMax) had been hacked. If they had followed the https://www.pcisecuritystandards.org/index.shtml standards for "card present" transactions, this would not have happened to me.
The bank was quick to believe that I had never been to Poland; several dozen local people had been victimized in the same way, and it was a national data breach. (Although they seemed to think at first that the data was hacked from Wal-Mart, but I never, ever go there.)
They refunded slightly more than what I lost. When I pointed out that they had double-refunded some "foreign transaction fees", and so I came out ahead by about $8 or $12 (I forget exactly how much), the bank said "don't worry about it. It would cost us more to fix that than it's worth". I said OK.
Admin
Of course, even storing encrypted passwords is usually bad practice, because in most cases you don't need to be able to decrypt them. (There are a few exceptions to this.)
There's a huge difference between saying "this company stores their data in plain-text, be wary" and saying "here's a bunch of credit card numbers we got because this company stores their data in plain-text."
And if you think the latter is acceptable, then... well, I have no respect for you or your ethics. Talk about bullshit...
Or what about when that CC was being used for some automatic payments that are now bouncing, and now all of a sudden they have a couple hundred dollars in late charges?
Admin
You're making it too hard. My ROT130 implementation does the same thing with half the work.
Admin
This is common at far too many corporations; they've never heard of PCI DSS. They'll have plenty of time to read it in jail, though, when someone liberates a few thousand records and the investigators find out about this.
Admin
With big businesses' corporate inability to think about securing sensitive data like credit card information, why do we need hackers to show these security flaws when any pimple-faced teenager can do it for free?
Admin
At least now I know what Fortune 500 stands for. Clearly they built 500 temples to the goddess Fortuna, so out of pure luck no one will ever try to abuse their data.
Geez...
Admin
You win. Give this man a cigar!
Admin
We store all our clients' login data in clear. Otherwise how would we know how to log into their data to debug it?
I am sorry, I am not being ironic, I am not being facetious, I am being honest about our working practices.
Admin
Fourteen days? Fourteen days? Nowhere I've ever worked could answer the phone in fourteen days.
Admin
Well, AOL (ICQ) stores all passwords simply XOR'd in their database. ROT26 almost seems useful from that point of view.
Admin
Or customers dime them out, which I'm going to start doing. (If you can show me a link to the actual agreement, I'd appreciate that.)
Visa doesn't have a central website, but 1-800-VISA-911 or 1-410-581-9994 internationally.
And Mastercard:
http://www.mastercard.com/us/personal/en/contactus/merchantviolations.html
Admin
Actually, on this site, you have to watch out for people who are ironically pretending not to recognize facetiousness when they really do.
Admin
Assuming they are ethically distributed with the same mean and variance as we are, the ones who are somewhat crooked must realize that they can beat feet to their foreign nation and get away clean.
Admin
They could have at least used the Little Orphan Annie decoder ring - no one could crack that code.
Admin
If you only double click, you will miss out on some of the 80's Van paintings.
Since triple ROT26 is better than normal ROT26, clicking ROT26 100 times must be better than double clicking.
CAPTCHA: inhibeo = a CEO that inhibits the success of a company?
Admin
I worked on a production database that our company hosted for an investment bank. It contained about 1000 users who had signed up for the bank's investment program. The passwords were in clear text. Not only was it an obvious security risk (anyone with access to the data could go online and trade using the customers' details), but some of the passwords were hilarious. One password stands out in my mind. It was "f***ingslut" (without the stars).
Admin
Me: "Uh, yes, I've recently been there buying antiques."
Visa: "We thought s... Oh. Well, er... We just canceled your card, credited the suspicious charge, and issued you a new card number. Your new card has already been sent, and you should receive it in 3-4 days. So, um... Please destroy it immediately, because we will now have to re-debit the original transaction and re-issue your card. That should take another 2-3 weeks, and there will be some charges. Sorry for the inconvenience."
Me: "Oh, ok. Thanks!"
The CC company handled everything and all I had to do was print a form, sign it, send it back to them at my leisure, and get by without my credit card for 3 weeks. What a pain in the ass!
<disclaimer> In all seriousness, no matter how easy the fraud resolution process has become, it doesn't excuse not checking with the customer first. </disclaimer>
Admin
Admin
Because of the increased security, Triple-ROT26 is also called "ROT-FL" (Financial Level).
Admin
In all fairness, the previous charge was that same morning at a coffee shop next to my office. It was pretty safe for them to assume the charge was fraudulent.
If you want to complain about CC companies, just complain about one of the many evil things they actually do. It's not necessary to rewrite a story about a good experience with them in order to make them look evil.
Wonderful rewrite of my story though, M. Night Shyamalan; what a twist!