News Adobe breach leaks source, millions of customers' details

Credit card details and source code stolen.
http://www.bit-tech.net/news/bits/2013/10/04/adobe-breach/1

 

The don't believe ! i would hope they know for certain. And have they just admitted they actually store decrypted credit or debit card numbers on their systems

 

Welcome to the subscription business model Adobe, with all that comes with it!

 

As long as all those pirates have been stopped, that's OK, right?

 

If a bank stores your stuff and gets robbed, then the bank will pay you the value of stuff they stored unless it goes under.
If companies had to pay a value of compensation when your data gets robbed, i bet they'd think twice about needlessly storing it.

 

To true

Sent from my GT-I9505 using Tapatalk 2

 

I hope they had everything backed up on the cloud.

Oh... wait...

 

Yet another large organisation proves it can't be trusted with personal data.

 

They have a subscription model. That requires ability to periodically charge fees against your credit card. To do that, they need to have your credit card number. That means the credit card number cannot be hashed, unlike passwords. Credit card number can be encrypted, but to have the ability to use that number for anything the decryption code must be there on the server too. Which means encrypted credit card number is as good as the unencrypted.

In short - everyone who has to charge you more than once must have your credit card number in their system stored, and encrypted/plain text doesn't really matter, because if they breached the system the encryption key is there as well.

 

Yet more proof that if they want your details badly enough there's not an awful lot you can do about it...

Poke hard enough in the right place and you'l find/make a hole in even the most robust security... Look at what's just happened to Barclays and Santander...

 

There's a lot can be done about it but I doubt anyone will have the guts to do it.

For a private organisation hit them hard in 2 places, the pocket i.e. massive fine, head of security fined and/or sacked. Chairman of the board heavily fined.

For a public organisation same thing except no massive fine but multiple sackings.

That might just give them enough incentive to stop it happening again.

Edit: you can't really hold Santander or Barclays up as examples of competent organisations.

 

Well if a company is doing that i wouldn't trust them with my details.

In the end nothing is %100 secure, but storing credit card details in plain text or on the same system used to decrypt the hashes is asking for trouble. If you needed to go in and out of your house on a regular basis you wouldn't leave your keys in the lock, or under the mat.

 

Means you can never use credit card online, ever. It is irrelevant if it is one same system or other - once you can access the other database (and you need it so users can change their details) via any means, so can the attacker.

 

Well most of the time i have used a CC online it redirect to another server to authenticate, even when i make regular purchases. Like i said no system is %100 secure, but storing CC details or the hashes on a separate system to the one that authenticates/decrypts those details means you double the chances of spotting that the system has been compromised.

 

That doesn't redirect you to another server, but to the payment processor website. That is all good and nice in case you are doing one time payment, but absolutely unusable for recurring payments.

 

So contrary to you saying "Means you can never use credit card online, ever." you are more secure when being redirected to the payment processors website. Having both the lock and the key on the same system is asking for trouble, its as dumb as keeping the source code for your products on the same system. There are reasons backups are stored of site, if something happens to the main systems you don't risk compromising all your data.

2.9 million peoples personal data has been put at risk by Adobe because they put all their eggs in one basket. Its even more worrying when you learn this actually happened mid-August, and its only when a third party discovered Adobe source code in the wild that they notified people.

 

@Corky42: But again, you cannot do it that way for recurring payments. What you describe is good only for one time payments - Creative Cloud is a recurring payment, not one time fee.

 

As stated previously though, nothing is 100% secure. So you can take it out on Adobe as much as you like, but at the end of the day, it's the hackers who did this. I was one of the 2.9 million who had their details taken (although I think I am as Adobe have sent me the email). I have changed my password, and will keep an eye on my bank account to see if any payments are taken. If that does ever happen, then I will see what form of compensation is available from Adobe. There really isn't anything else you can do, other than never use your credit card for recurring payments on-line.

 

@faugusztin, So you are saying they had to keep all the source code, customers personal details, hashed CC details, decryption keys, and login details all on the same network/system ? It doesn't matter if its a one time payment or a recurring payment, you don't keep all your critical data on one system.

Its beyond stupid, anyone with half a brain would segment critical data so if an attack is successful you only compromise part of your data, you also have more chances for any IDS to pick up a compromise.

As i keep saying its not about %100 security, its about delaying and identifying the attack so something can be done about it. Adobe kept everything on one system and they didn't even know they had been hacked for around three weeks.

If they split the critical data across different systems it would have been simple for any IDS to pick up suspicious activity, like the 2.9 million accounts being access all at once, or the 40GB of data download.

 

But how do you know that? From a news article? Do you know how their system is setup? Has there been several attacks - to several networks? Unless you have ALL of the facts, you can't really judge - can you?