Posted Wednesday 19th December 2007 16:34 GMT
Why are the CC#'s being saved?! #
What the hell is wrong with these companies? Why are they saving people's CC#'s? Apparently they can't even be bothered to encrypt them.
A former computer consultant has admitted to breaking into more than 60 business kiosks at hotels and stealing credit card information during a three-day crime spree earlier this year. Hario Tandiwidjojo, 28, of Lomita, California, pleaded guilty to one count of unauthorized access to a protected computer. He faces a maximum …
This topic is closed for new posts.
Posted Wednesday 19th December 2007 08:35 GMT
Sorry, as much as he is responsible, any time a person in some sensitive role leaves the company, all the passwords he/she had access to are changed automatically for the next person in that role. This was in the 70s and it has been the rule in all the systems I have designed since then. No exceptions, be it a CEO, a developer or one of the door guards. Weird? Not too difficult: one role has just limited access, so there are not too many things to change. Now, of course, I do get arguments such as "what about this and that password?" It is vital to use two-way passwords: you have access to a system generating/assigning the needed password, which will never be released to anybody; no need for that. Block the access and good luck trying to find the real password(s). You design that right, remembering changing technology/platforms/even languages, and it works. Forget politics!
Posted Wednesday 19th December 2007 17:20 GMT
Ever heard the word "keylogger"? That is the problem: he was logging all the keys pressed.
Posted Wednesday 19th December 2007 22:09 GMT
Would it be possible to have these kiosks working in a way that remote access is not possible? Would being behind a properly configured router avoid this? Sounds too simple, so it probably is not the case. But I couldn't help wondering (since I had to change some configs in my home router once to be able to SSH into my home computer from work).
PH because this is probably a PH-level question...
Posted Thursday 20th December 2007 00:31 GMT
It lies squarely with whatever company is involved to keep their public systems secure against these types of crimes. The guy obviously had login credentials sufficient to install software, and that should never happen without the proper authorities knowing exactly who is logging in at all times. It's not rocket science to update passwords, remove any default ones and assign unique ones only to authorized personnel. How lazy are these companies, and do we want to trust their services if they can't do something as simple as that? Oh yeah, they have to pay someone for the time to do it.... forget it.
Posted Thursday 20th December 2007 01:56 GMT
I guess the former employer has never been introduced to the concept of granting access to _groups_, then adding an employee's account to the group. When the account is removed, access is gone, and no need to scramble around changing passwords. Of course, then they'd have to know how to remotely authenticate...
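The two offboarding models argued over in the posts above (a per-role password that has to be rotated when its holder leaves, versus personal accounts granted rights through a group), as an added example that is not code from the thread or from any of the companies involved. The kiosk names, user names, the group "kiosk-admins" and the passwords are all made up; what the example shows is how many things must change when one engineer leaves under each model.

```python
"""Added example, not from the thread: two ways to give field staff admin
access to a fleet of hotel kiosks, and what offboarding costs under each.
All names, the 'kiosk-admins' group and the passwords are constructed."""
import hashlib
import hmac
import secrets


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class SharedSecretKiosk:
    """Model 1: a local admin account whose password is the same on every kiosk."""

    def __init__(self, name: str, password: str):
        self.name = name
        self.set_admin_password(password)

    def set_admin_password(self, password: str) -> None:
        self._salt = secrets.token_bytes(16)
        self._digest = _pbkdf2(password, self._salt)

    def login(self, password: str) -> bool:
        return hmac.compare_digest(self._digest, _pbkdf2(password, self._salt))


class Directory:
    """Central account store, the role an LDAP or AD server plays for a fleet."""

    def __init__(self):
        self._accounts = {}   # user -> (salt, digest)
        self._groups = {}     # group -> set of users

    def add_account(self, user: str, password: str, *groups: str) -> None:
        salt = secrets.token_bytes(16)
        self._accounts[user] = (salt, _pbkdf2(password, salt))
        for g in groups:
            self._groups.setdefault(g, set()).add(user)

    def remove_account(self, user: str) -> None:
        self._accounts.pop(user, None)
        for members in self._groups.values():
            members.discard(user)

    def authenticate(self, user: str, password: str) -> bool:
        if user not in self._accounts:
            return False
        salt, digest = self._accounts[user]
        return hmac.compare_digest(digest, _pbkdf2(password, salt))

    def is_member(self, user: str, group: str) -> bool:
        return user in self._groups.get(group, set())


class GroupAclKiosk:
    """Model 2: no local admin password; admin rights come from group membership."""

    def __init__(self, name: str, directory: Directory, admin_group: str = "kiosk-admins"):
        self.name = name
        self.directory = directory
        self.admin_group = admin_group

    def login(self, user: str, password: str) -> bool:
        return (self.directory.authenticate(user, password)
                and self.directory.is_member(user, self.admin_group))


def shared_secret_offboarding(fleet_size: int = 3) -> dict:
    """Bob leaves. Until the shared secret is rotated on every kiosk, his
    knowledge of it still opens all of them."""
    old_pw = "hotel-2007!"                                   # constructed secret
    fleet = [SharedSecretKiosk(f"kiosk-{i}", old_pw) for i in range(fleet_size)]
    open_before_fix = sum(k.login(old_pw) for k in fleet)
    new_pw = secrets.token_urlsafe(16)
    changes = 0
    for k in fleet:                                          # remedy touches every kiosk
        k.set_admin_password(new_pw)
        changes += 1
    return {"open_to_leaver_before_fix": open_before_fix,
            "changes_needed": changes,
            "leaver_after_fix": any(k.login(old_pw) for k in fleet),
            "staff_after_fix": all(k.login(new_pw) for k in fleet)}


def group_acl_offboarding(fleet_size: int = 3) -> dict:
    """Same departure: one directory change, nothing to rotate on any kiosk."""
    d = Directory()
    d.add_account("alice", "correct-horse", "kiosk-admins")
    d.add_account("bob", "battery-staple", "kiosk-admins")
    fleet = [GroupAclKiosk(f"kiosk-{i}", d) for i in range(fleet_size)]
    open_before_fix = sum(k.login("bob", "battery-staple") for k in fleet)
    d.remove_account("bob")                                  # the single change
    return {"open_to_leaver_before_fix": open_before_fix,
            "changes_needed": 1,
            "leaver_after_fix": any(k.login("bob", "battery-staple") for k in fleet),
            "staff_after_fix": all(k.login("alice", "correct-horse") for k in fleet)}


if __name__ == "__main__":
    print("shared secret:", shared_secret_offboarding())
    print("group ACL:    ", group_acl_offboarding())
```

Both models end with the leaver locked out and staff still working; the difference is `changes_needed`, which grows with the fleet in the shared-secret model and stays at one with a directory group. The group model also gives per-person accountability for free, which is the "knowing exactly who is logging in" point raised earlier in the thread.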
Posted Thursday 20th December 2007 02:26 GMT
Probably not. Since he had physical access to the machines, he was able to install the software, which then sends him the information. Firewalls only protect against incoming traffic, not outgoing. Further, if the machines were to initiate an outgoing connection to his machine, he would be able to "shovel a shell" across the connection, turning it in essence into an incoming connection.
When physical access is granted to a machine, all security is considered null and void, or so the saying goes...
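The outbound "phone home" pattern the post above describes, as an added example that is not part of the thread: a check of kiosk firewall logs against an egress allowlist, plus a simple periodicity test for a host that keeps reconnecting to the same outside address at a fixed interval. The log format, host names, addresses and the allowlist are constructed for the example, and the iptables rules it emits are the default-deny OUTPUT policy a kiosk could run so that such a connection is refused rather than merely logged.

```python
"""Added example (not from the thread): kiosk egress checking.  Log lines,
host names, addresses and the allowlist are all constructed."""
import re
from collections import defaultdict
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<dir>IN|OUT)\s+proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"action=(?P<action>\w+)$"
)

# Constructed firewall log: kiosk-lobby-1 has a keylogger checking in every
# 15 minutes, kiosk-lobby-2 has opened one outbound session to port 4444.
# Note every outbound line was *allowed* by the firewall.
SAMPLE_LOG = """\
2007-12-17T02:14:09Z kiosk-lobby-1 OUT proto=tcp src=10.20.1.11:49152 dst=10.20.0.5:443 action=allow
2007-12-17T02:14:10Z kiosk-lobby-1 OUT proto=udp src=10.20.1.11:49153 dst=10.20.0.2:123 action=allow
2007-12-17T02:15:00Z kiosk-lobby-1 OUT proto=tcp src=10.20.1.11:49160 dst=203.0.113.45:443 action=allow
2007-12-17T02:30:00Z kiosk-lobby-1 OUT proto=tcp src=10.20.1.11:49171 dst=203.0.113.45:443 action=allow
2007-12-17T02:45:00Z kiosk-lobby-1 OUT proto=tcp src=10.20.1.11:49188 dst=203.0.113.45:443 action=allow
2007-12-17T03:00:01Z kiosk-lobby-1 OUT proto=tcp src=10.20.1.11:49201 dst=203.0.113.45:443 action=allow
2007-12-17T02:20:33Z kiosk-lobby-2 OUT proto=tcp src=10.20.1.12:50001 dst=10.20.0.5:443 action=allow
2007-12-17T02:21:00Z kiosk-lobby-2 OUT proto=tcp src=10.20.1.12:50002 dst=198.51.100.9:4444 action=allow
2007-12-17T02:22:00Z kiosk-lobby-2 IN  proto=tcp src=198.51.100.9:33000 dst=10.20.1.12:3389 action=deny
"""

# What a lobby kiosk legitimately needs: the booking server over HTTPS and
# the local NTP server.  (proto, destination address, destination port)
ALLOWED_EGRESS = {("tcp", "10.20.0.5", 443), ("udp", "10.20.0.2", 123)}


def parse_line(line: str):
    """One log line -> dict, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev


def egress_violations(log_text: str, allowed=ALLOWED_EGRESS) -> list:
    """Outbound flows the firewall passed that are not on the kiosk's allowlist."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["dir"] == "OUT" and (ev["proto"], ev["dst"], ev["dport"]) not in allowed:
            hits.append(ev)
    return hits


def beacons(events: list, min_hits: int = 3, jitter_s: float = 60) -> list:
    """Same host to same destination at a near-constant interval: a check-in."""
    by_dst = defaultdict(list)
    for ev in events:
        by_dst[(ev["host"], ev["dst"], ev["dport"])].append(ev["ts"])
    found = []
    for (host, dst, dport), times in by_dst.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # len check first so max()/min() never see an empty list
        if len(times) >= min_hits and max(gaps) - min(gaps) <= jitter_s:
            found.append({"host": host, "dst": f"{dst}:{dport}", "hits": len(times),
                          "period_s": round(sum(gaps) / len(gaps))})
    return found


def iptables_egress_policy(allowed=ALLOWED_EGRESS) -> list:
    """Default-deny OUTPUT chain: only the allowlisted flows may start."""
    rules = ["iptables -P OUTPUT DROP",
             "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    for proto, dst, port in sorted(allowed):
        rules.append(f"iptables -A OUTPUT -p {proto} -d {dst} --dport {port} -j ACCEPT")
    return rules


if __name__ == "__main__":
    bad = egress_violations(SAMPLE_LOG)
    for ev in bad:
        print(f"{ev['ts']:%H:%M:%S} {ev['host']} -> {ev['dst']}:{ev['dport']} not allowlisted")
    for b in beacons(bad):
        print(f"beacon: {b['host']} -> {b['dst']} x{b['hits']} every ~{b['period_s']}s")
    print("\n".join(iptables_egress_policy()))
```

Every flagged line carries `action=allow`, so the firewall's own verdict tells you nothing; the kiosk's allowlist is the policy, and the default-deny OUTPUT chain is what turns the shovelled-shell connection attempt into a log line instead of a session. The inbound RDP attempt is dropped by the stateful rule without any special handling.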
Posted Thursday 20th December 2007 17:20 GMT
"...and I would have got away with it, if it wasn't for those pesky, meddlesome kids."