[ISN] Egghead credit card hack: serious questions remain

From: William Knowles (wkat_private)
Date: Fri Apr 27 2001 - 01:42:18 PDT


    http://www.theregister.co.uk/content/8/18547.html
    
    By: Thomas C Greene in Washington
    Posted: 27/04/2001 at 07:08 GMT
    
    It started with a tip from a Register reader whose bank advised him to
    cancel his Visa credit card after shopping at on-line retailer
    Egghead.com, then developed into a tour de force of public-relations
    worst practices, and finally ended in lingering doubts about whether
    Egghead's vehement claim that no credit card data was compromised
    during its Christmas hack is trustworthy.
    
    Initially, all we knew was what our reader told us: "Late last week my
    [bank] called to tell me that Egghead had told the Visa company that a
    large number of their customers credit card info had been accessed by
    a hostile cracker. They told me to cancel my card and request a new
    one. I asked if my card had been used by the crackers, and they said
    'no.'"
    
    We first replied to the reader asking the name of his or her bank; and
    then contacted Egghead. We were intensely curious because if our
    reader was right, we'd found a real discrepancy between what Egghead
    told Visa, and what they told the public, about the extent of the
    December attack.
    
    We also needed to learn whether this item indicated a more recent
    hacking incident, as we originally suspected, because a full four
    months had elapsed between the holiday hack and our reader's warning
    from their bank.
    
    Yesterday's news
    
    "Oh, this is nothing," Egghead PR bunny Robin Crandall chuckled to us
    in a flutey voice. "This happened ages ago. It's old news, nothing to
    report at all."
    
    Crandall suggested that the bank was needlessly alarming customers
    about an incident which Egghead had determined to be harmless. She
    also cast doubt on their security competence, noting more than once
    that it had taken them four months to alert their Visa customers.
    
    "I'm sorry to say it, but you just don't have a story here," she told
    us in a patronizing tone, as if we were some greenhorn who needed a
    bit of friendly advice from a real insider.
    
    We assured her that we'd been around long enough to know that we
    already had a story, as the glaring discrepancy between Egghead's
    reassuring press release, and the decidedly skittish behavior of a
    bank which issues Visa cards, is news in itself. We made it clear that
    we intended to get to the bottom of it as well as we could.
    
    That little performance instantly concluded our friendly chat with
    Crandall, but soon yielded a phone call and e-mail memo from her
    supervisor, Egghead Corporate Communications VP Joanne Sperans
    Hartzell.
    
    "We are confident that the breach was contained, our database was not
    accessed, and customer data remained uncompromised. We have been
    confident of this since a thorough investigation led by Kroll
    Associates, working with our internal team, the FBI and the credit
    card companies, completed in early January, revealed no evidence that
    any customer information left our system," Hartzell told us.
    
    Which is not the same as saying that they'd determined that no
    customer information had left their system. 'Revealed no evidence'
    wasn't quite final enough for us. We pressed on.
    
    Meanwhile, back at the bank
    
    Once we learned the identity of the Visa issuer (bank) which sent out
    the warning, we contacted their security department. We didn't
    identify ourselves, and in fact affected to sound like a worried
    customer. Because the bank's Visa security officer never knew they
    were talking to the press, we won't quote him or her; but we will say
    that their understanding of the Egghead hack struck us as not quite in
    alignment with Hartzell's.
    
    Next we spoke on the record with the bank's card-holder account
    manager, who asked that s/he, and the bank, not be identified in
    print. "There's got to be something going on here," they reasoned.
    "Surely the Egghead database was compromised; otherwise, why would
    Visa recommend [that we cancel our customers' cards]?"
    
    Visa cowers in fear
    
    Why indeed, we wondered. Surely, if Egghead's version of events was
    accurate, there'd be no need for a bank to go to such lengths. And
    surely, no image-conscious bank would inconvenience its customers
    needlessly.
    
    A day later we obtained a letter written by Visa USA Senior VP and
    security specialist John Shaughnessy to card issuers warning about the
    Egghead hack, which unfortunately raised more questions than it
    answered.
    
    The letter, dated 23 December 2000, warns card issuers that "on
    December 21, Visa USA was informed that a merchant had discovered a
    security breach in its computer system that may have put cardholder
    data at risk."
    
    The next sentence, however, reads: "The cardholder data compromised
    included account numbers, CVV2*, cardholder names, addresses and
    possibly card expiration dates."
    
    Sentence one says the breach 'may have' compromised account data.
    Sentence two assumes that the data was compromised. We very much
    wished to clear that bit up.
    
    Reading further, we noticed that in paragraph five, Shaughnessy says
    that "Visa has begun to monitor the account numbers at risk from this
    compromise through our neural network fraud detection system," once
    again implying that account information did get out.
    
    He also says that the affected accounts would be "monitored as a
    portfolio at risk, measuring fraud rates outside the norm," and
    promises to "notify [issuers] directly if we have additional
    information."
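    The "portfolio at risk" monitoring the letter describes, as an added
    example that is not part of the article and is not Visa's own fraud
    system: the accounts named in the compromise are tracked as one group
    and their fraud rate is compared with the rest of the book, here with a
    one-sided two-proportion z-test. Every account number, amount and fraud
    flag below is constructed, and the z threshold of 3 is an assumption.

```python
"""Portfolio-at-risk fraud-rate monitoring (added example, constructed data)."""
from collections import namedtuple
from math import sqrt

# One transaction: account identifier, amount, and whether it was later
# confirmed as fraud (e.g. by a cardholder dispute).
Txn = namedtuple("Txn", "account amount fraud")


def fraud_counts(txns, at_risk):
    """Return (fraud_at_risk, n_at_risk, fraud_baseline, n_baseline).

    Accounts in `at_risk` form the compromised portfolio; every other
    account is the baseline the portfolio is measured against.
    """
    x1 = n1 = x2 = n2 = 0
    for t in txns:
        if t.account in at_risk:
            n1 += 1
            x1 += int(t.fraud)
        else:
            n2 += 1
            x2 += int(t.fraud)
    return x1, n1, x2, n2


def portfolio_alert(txns, at_risk, z_threshold=3.0):
    """Flag the portfolio when its fraud rate sits more than `z_threshold`
    standard errors above the baseline rate (pooled two-proportion z-test).

    Returns a dict with both rates, the z statistic and the alert decision.
    A portfolio with no transactions, or a book with no fraud at all, yields
    z = 0 rather than a division-by-zero error.
    """
    x1, n1, x2, n2 = fraud_counts(txns, at_risk)
    if n1 == 0 or n2 == 0:
        return {"rate_at_risk": 0.0, "rate_baseline": 0.0, "z": 0.0, "alert": False}
    p1 = x1 / n1
    p2 = x2 / n2
    pooled = (x1 + x2) / (n1 + n2)
    se = sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    z = (p1 - p2) / se if se > 0 else 0.0
    return {"rate_at_risk": p1, "rate_baseline": p2, "z": z, "alert": z > z_threshold}


def build_sample():
    """Constructed sample, not real card data: 10 at-risk accounts with 200
    transactions (8 fraud, 4%) and 100 other accounts with 2000 transactions
    (4 fraud, 0.2%)."""
    at_risk = {f"4111-{i:04d}" for i in range(10)}
    txns = []
    for i in range(200):
        txns.append(Txn(f"4111-{i % 10:04d}", 20 + i, fraud=(i % 25 == 0)))
    for i in range(2000):
        txns.append(Txn(f"5555-{i % 100:04d}", 30 + i % 50, fraud=(i % 500 == 0)))
    return txns, at_risk


if __name__ == "__main__":
    sample_txns, sample_at_risk = build_sample()
    print(portfolio_alert(sample_txns, sample_at_risk))
```

    With fraud rates this low the normal approximation is rough until the
    portfolio has accumulated a handful of confirmed fraud cases, which is
    why an issuer watching a few hundred cards may see nothing for weeks and
    then act on the first clear signal; that lag is consistent with a bank
    reissuing cards months after the initial notice.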
    
    So, in addition to clearing up the uncertainty in Shaughnessy's
    wording about whether a compromise of data 'may have' occurred, or did
    in fact occur, we also needed to know if our bank might have been
    responding to 'additional information' as he promised to supply.
    
    We thought it would make sense that the bank in question would be
    canceling credit cards four months after Shaughnessy's initial contact
    if he had delivered specific warnings in the interim.
    
    So naturally we rang Shaughnessy's office and asked him to clarify his
    wording in the letter. An hour later a Visa flack rang to tell us that
    we'd be getting a call regarding our inquiry later that day.
    
    We were quite surprised a few hours later to take a call, not from
    Shaughnessy, but from Devorah Goldburg, with Visa's media relations
    contractor, Ketchum, whose home-page mousetrapped us (hence our
    omission of a link).
    
    There was absolutely nothing, Goldburg told us (with a redeeming hint
    of embarrassment, we should add), that Shaughnessy was willing to say
    about his own written words. And not only was he unwilling to explain
    his letter, he lacked the spine to ring us and tell us so himself, but
    had cowered behind a third party -- not even a Visa employee -- whom
    he ordered to disappoint us on his behalf.
    
    As so often happens in news-gathering, we were shut down by a
    frightened wimp. And his pretext was ever so tired; he couldn't bring
    himself to comment because an FBI investigation was still underway (in
    contradiction to Hartzell's assertion above that it had been completed
    months ago).
    
    When we started this story we'd hoped to advise those of our readers
    who shopped at Egghead prior to the holiday hack as to whether
    canceling their credit cards would be a prudent move, or an
    overreaction; but thanks to Shaughnessy's irrational fear of
    explaining himself, we remain unprepared to do so.
    
    For now.
    
    Ironically, Egghead's Hartzell approached us last week proposing to
    "put an end to the disinformation regarding the attack on our systems
    in December," but, as events would have it, she only contributed to it
    in the end.
    
    * CVV2 refers to the three-digit value printed on the back of a Visa
    card, which the issuer derives from the account number, expiry date and
    service code under a secret key. It is not embossed and not encoded on
    the magnetic stripe, so a merchant that collects it gets some evidence
    that the buyer holds the physical card; card-network rules forbid
    merchants from retaining it after authorization, which is why its
    appearance on Visa's list of compromised data matters. Egghead is one
    of the few Web merchants which currently advises shoppers to supply
    the CVV2 value for added security.
    
    
    
    *==============================================================*
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    ================================================================
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    *==============================================================*
    
    ISN is hosted by SecurityFocus.com
    ---
    To unsubscribe email LISTSERVat_private with a message body of
    "SIGNOFF ISN".
    



    This archive was generated by hypermail 2b30 : Fri Apr 27 2001 - 01:56:55 PDT