
Guess leaks credit cards of the fashion-conscious

Unwilling to be warned


The Web retail site for fashion label Guess was leaking customer credit card numbers like so many cotton-poly five-pocket jeans, and 19-year-old Jeremiah Jacks wasn't sure how to get it fixed.

Jacks discovered last month that Guess.com was open to an "SQL injection attack," permitting anyone able to construct a properly crafted URL to pull down every name, credit card number and expiration date in the site's customer database -- over 200,000 in all, by Jacks' count. But if accessing the trove of card numbers was easy, getting the word to the right person in the company proved to be more of a challenge.
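To make the mechanism concrete, here is an added illustration (not Guess.com's code, whose technology the article does not describe) of the defect class the story refers to: a customer lookup that pastes a URL parameter straight into the SQL text, beside the same lookup with the value bound as a query parameter. The table, the customer rows and the card numbers are constructed test data, and the tautology input used for the comparison is the textbook one, shown only so the row counts can be compared. A parameterized query treats the input as a value rather than as SQL, so the "always true" condition that lets a concatenated query hand back the whole table has no effect.

```python
import sqlite3

# Constructed sample rows standing in for a customer table; the card
# numbers are the usual industry test numbers, not real accounts.
SAMPLE_CUSTOMERS = [
    ("Alice Example", "4111111111111111", "01/03"),
    ("Bob Example", "5555555555554444", "06/02"),
    ("Carol Example", "378282246310005", "11/04"),
]


def make_db():
    """Build an in-memory database with the constructed customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, card TEXT, expires TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, name):
    """The anti-pattern: the request parameter becomes part of the SQL text,
    so quote characters in the input change the meaning of the statement."""
    sql = "SELECT name, card, expires FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """The fix: the driver binds the value separately from the statement,
    so the input is compared as data and never parsed as SQL."""
    sql = "SELECT name, card, expires FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Return the row counts each lookup yields for a normal name and for
    an input that turns the concatenated WHERE clause into a tautology."""
    conn = make_db()
    normal = "Alice Example"
    tautology = "x' OR '1'='1"  # textbook always-true condition, for comparison only
    return {
        "vuln_normal": len(lookup_vulnerable(conn, normal)),
        "vuln_tautology": len(lookup_vulnerable(conn, tautology)),
        "safe_normal": len(lookup_parameterized(conn, normal)),
        "safe_tautology": len(lookup_parameterized(conn, tautology)),
    }


if __name__ == "__main__":
    for key, count in demo().items():
        print(f"{key}: {count} row(s)")
```

Running it shows the concatenated lookup returning every customer row for the tautology input while the parameterized lookup returns none; a single-customer endpoint that suddenly returns the whole table is also the kind of anomaly (row counts far above the expected one per request) worth alerting on in database or application logs.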

Three emails to the customer service address buried in the Web site's privacy policy bounced, Jacks says, and no other email address was to be found. When Jacks dialed the company's toll-free number, he recalls being initially mistaken for a salesman. "Then when I told her again, she was silent and asked me to 'hang on,'" Jacks wrote in an email interview. "All of a sudden I was transferred to another office where a voice mail picked up. I once again left the message... I even left my email address as a contact."

A week later, Jacks, a California independent software developer, hadn't heard anything back from Guess, and the credit card database remained exposed.

After being contacted by SecurityFocus Online and provided with a demonstration URL offered by Jacks, the company closed the hole within hours. A Guess spokesperson disputes Jacks' account, insisting that they have no record that he ever phoned the company. "I don't know how long this has been like this," says company spokesperson Jennifer Munakash. "It was an easy fix."

Guess.com's situation is hardly unique; Credit Cards Numbers Exposed is fast becoming the Dog Bites Man story of Internet crime reporting. But the case underscores one of the chronic obstacles to making e-commerce more secure: that good Samaritans often have no clear channel for reporting security holes in Web sites that handle sensitive customer information.

"I've probably reported twenty vulnerabilities to e-commerce companies in the last year-and-a-half, all with different results, but generally pretty disastrous," says Dan Clements, founder of CardCops, an on-line merchant fraud education venture that tracks credit card abuse. "Trying to get through customer service, that's a problem. And then the IT people have a definite conflict of interest when you're reporting a vulnerability, because their job is on the line. They don't want to go to upper management and say, 'We left a hole open.'"

"A lot of times it winds up on a security mailing list because the person just gets so frustrated," says Chris Wysopal, director of research and development at security consultancy @Stake. "Sometimes the person has tried for six months."

In some ways the problem parallels the long-running issues surrounding disclosure of security holes in commercial software. But if that debate rests on a now well-understood mosaic of interests -- software vendors, users and bug hunters -- the e-commerce brew is a bit murkier, with customers, banks, credit card companies, businesses that expose card numbers to theft and others that inadvertently accept them later all playing different roles.

Consumers are generally not liable for fraudulent charges, and merchants are often left holding the bag. The Web sites that leak the card numbers in the first place generally stand to suffer -- at worst -- a momentary public relations black eye.

Last month Wysopal, along with MITRE's Steve Christey, formally proposed an official standard for handling product vulnerabilities that would -- among other things -- put obligations on vendors, encouraging them to acknowledge reports within seven days, fix bugs within thirty days, and establish a standard email alias, "secalert," for receiving security bug reports.

But the standard would not apply to holes in particular Web sites, like the Guess credit card leak, says Wysopal.

"We haven't proposed it, but we think it's a great idea, and a lot of things that could be standardized around product vulnerabilities could have corollaries in the services space," Wysopal says. "Certainly the corollary of an address, and that they'd have to respond within a certain time frame, a lot of those things would work the same."

Clements had the same idea. "If there was protocol where companies could have a standard email address on their site, say, 'vulnerabilities' or 'security', that would totally take care of the problem."

Meanwhile, Guess' Munakash emphasizes that there's no evidence that credit card thieves ever discovered the information leak, and says that company technicians are scouring the site for other vulnerabilities. "They're dissecting the site right now," says Munakash.

"The difficult part here is the fact that a lot of these companies don't take you seriously at first," writes Jacks. "It's like telling them the sky is falling. They aren't going to believe you unless you can shove some sky in their face."

© 2001 SecurityFocus.com, all rights reserved.
