
At no time ..... Recent password reset for BF.com


Scrag


"At no time did the hacker have any access to sensitive customer data. More importantly the hacker could NEVER have gained access to customer credit card information because that information is only used virtually in the SSL (secured connection) when the order is placed. What that means is that it is NEVER saved to our server's disk. NEVER. Passwords and other critical account information are stored in encrypted files, so even that information was inaccessible to the hacker."

I am tossing the BS flag on this one - either the SOB got the info or he did not. Regardless it makes zero sense to reset all passwords and instruct us NOT to use the old ones unless they WERE compromised or the strong possibility exists that this will occur in the near term.

Either way someone needs to set the story straight - do I need to cancel my credit card/paypal account or not?

Sorry for the tone - I use yahoo for overseas email and this entire thing has been a pain in my rear and wallet.


There's varying degrees of data. Stuff like CC data is, given its nature, made pretty much unreachable. So "either the SOB got the info or he did not" is incorrect. All the evidence points to a relatively superficial breach where he injected code onto the site. And he had a go at the forum accounts. From what I've seen he so far managed to get mostly low hanging fruit with such brilliant passwords as "password", 1234567 etc, though other numerics were also cracked. Heck, I could pull that off.

The reason you should change the passwords is that every bit helps. Yes, there's a risk he might try again (and succeed) even if you do. But generally I lock my doors despite the existence of burglars with crowbars.

Quick recap: your CC info is safe, your BFC account shouldn't hold anything that can seriously affect you and the forum account is the bitch of anyone who cares. No reason to panic.

I reckon the most serious threat was to those that downloaded the client .exe, which might have installed just about anything on your PC, potentially compromising it. In that case a full HD format is the smart move.

How is this hurting your wallet, that one puzzles me.


"At no time did the hacker have any access to sensitive customer data. More importantly the hacker could NEVER have gained access to customer credit card information because that information is only used virtually in the SSL (secured connection) when the order is placed. What that means is that it is NEVER saved to our server's disk. NEVER. Passwords and other critical account information are stored in encrypted files, so even that information was inaccessible to the hacker."

I'll wade in and defend BF here. We had a similar issue with our forums which I won't go into details about since this may even be the same people. My game company contacts tell me there has been a massive increase in brute force attacks on game company accounts recently, and I wouldn't be surprised if this was part of that concerted attack. It's perfectly possible the hackers got away with the forum names and not the passwords, hence a global password reset is really the only sensible measure. You'd be surprised how many passwords are either the same as the username or just "password" or "password1", easy meat for a brute force attack...

Just like BF we don't store our customers' credit card information in our system anywhere, it's held by 3rd party payment providers, all of whom have the requisite levels of PCI compliance (and means we only have to adhere to a lower requirement level).

I'd say your CC information is as safe now as it ever was... ;) I'm certainly not cancelling my cards...


There is a major difference between credit card numbers and login passwords. The latter (login passwords) HAS to be stored on our end. It is needed every time you log in. The code needs to be able to compare what you enter during your login with what password you have chosen.

Passwords are stored encrypted. Anything that is encrypted can also be decrypted given sufficient time and determination. We are already using enhanced encryption for passwords but very simple passwords can still be decrypted sooner or later, while more complex passwords can also be decrypted eventually.

We have reset passwords as a security precaution therefore, instantly making any data a hacker may have gained completely useless.

Credit card numbers are different. Only the last four digits are ever stored (it's what you see in your customer account), and even that is stored using a very strong encryption (stronger even than for login passwords). The rest is only used "at runtime" to process your order (using a highly encrypted https connection with SSL) and not stored at all. What isn't there cannot be stolen :) And since we're using highly encrypted https during the order processing itself, it cannot be hijacked either even during your purchase.

Martin

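The two posts above make the same point from different angles: stored login verifiers have to exist, weak choices like "password1" or the username itself fall first when they leak, and a global reset turns whatever was taken into dead data. The following is an added example, not BFC's code or anything the thread's authors posted; it assumes a hypothetical in-memory AccountStore with a constructed denylist and uses PBKDF2 from Python's standard library as the slow, salted verifier. It shows the three defensive pieces together: rejecting the weak passwords the thread names at registration, storing only a salted derived key, and a forced reset that invalidates every old verifier while still refusing reuse of the old password.

```python
import hashlib
import hmac
import os

# Constructed denylist drawn from the weak choices the thread mentions.
WEAK_PASSWORDS = {"password", "password1", "1234567"}
PBKDF2_ITERATIONS = 100_000  # assumption: tune upward for production hardware


def is_weak(username: str, password: str) -> bool:
    """True for the kinds of passwords that cracked first in the thread."""
    lowered = password.lower()
    return (
        len(password) < 8
        or lowered in WEAK_PASSWORDS
        or lowered == username.lower()
        or password.isdigit()  # the 'other numerics' that were also cracked
    )


def hash_password(password: str, salt: bytes = None) -> dict:
    """Derive a salted, slow verifier. Nothing here can be 'decrypted' back to the password."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"algo": "pbkdf2_sha256", "iterations": PBKDF2_ITERATIONS,
            "salt": salt.hex(), "key": key.hex()}


def verify_password(record: dict, password: str) -> bool:
    """Recompute the derived key with the stored salt and compare in constant time."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(key, bytes.fromhex(record["key"]))


class AccountStore:
    """Hypothetical account table; a real shop would back this with a database."""

    def __init__(self):
        self.users = {}  # username -> {"verifier": dict | None, "retired": dict | None}

    def register(self, username: str, password: str) -> None:
        if is_weak(username, password):
            raise ValueError("password is on the weak list, equals the username, or is all digits")
        self.users[username] = {"verifier": hash_password(password), "retired": None}

    def force_global_reset(self) -> int:
        """Invalidate every stored verifier at once; keep the old one only to block reuse."""
        for record in self.users.values():
            if record["verifier"] is not None:
                record["retired"] = record["verifier"]
                record["verifier"] = None
        return len(self.users)

    def complete_reset(self, username: str, new_password: str) -> bool:
        """Accept a new password after a reset; refuse the old one and weak ones."""
        record = self.users.get(username)
        if record is None or is_weak(username, new_password):
            return False
        if record["retired"] is not None and verify_password(record["retired"], new_password):
            return False  # the instruction was NOT to reuse the old password
        record["verifier"] = hash_password(new_password)
        record["retired"] = None
        return True

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'reset_required' or 'denied'; never reveals whether the user exists."""
        record = self.users.get(username)
        if record is None:
            return "denied"
        if record["verifier"] is None:
            return "reset_required"  # old credential is dead data after the reset
        return "ok" if verify_password(record["verifier"], password) else "denied"


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "correct horse battery staple")
    print(store.login("alice", "correct horse battery staple"))  # ok
    store.force_global_reset()
    print(store.login("alice", "correct horse battery staple"))  # reset_required
```

The retired verifier is kept only long enough to refuse reuse of the old password during the reset; once the new one is set it is dropped, so a later leak cannot hand an attacker two generations of verifiers.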

"At no time did the hacker have any access to sensitive customer data. More importantly the hacker could NEVER have gained access to customer credit card information because that information is only used virtually in the SSL (secured connection) when the order is placed. What that means is that it is NEVER saved to our server's disk. NEVER. Passwords and other critical account information are stored in encrypted files, so even that information was inaccessible to the hacker."

I am tossing the BS flag on this one - either the SOB got the info or he did not. Regardless it makes zero sense to reset all passwords and instruct us NOT to use the old ones unless they WERE compromised or the strong possibility exists that this will occur in the near term.

Either way someone needs to set the story straight - do I need to cancel my credit card/paypal account or not?

Sorry for the tone - I use yahoo for overseas email and this entire thing has been a pain in my rear and wallet.

Steve's message about the credit card storage wasn't clear enough. What happens is that the CC companies do not allow a small shop like BFC to store CC numbers, at all. So the secure (SSL/https) connection from the customer transports the info to BFC all right but there it isn't stored or processed. The CC data gets transported right that moment to the CC company which then says whether it succeeded or not. If it succeeded the BFC shop knows that it can give out the goods.

While it would be technically possible for BFC to intercept and read the CC numbers during this transfer it is true that as the system is designed there is no space in BFC's computers where they are stored. An intruder could then for a while read CC numbers as live sales flow through but there would be no way to get at previous transaction's CC numbers.

ETA: Moon posted at the same time, hope this clears up things anyway.

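Martin's and the post above both describe the same shape of checkout: the card number rides through the shop to the processor during the purchase, only the last four digits are ever kept, and the rest is never written anywhere. The following is an added example of that shape, not BFC's shop code and not a real processor API; the FakeProcessor is a hypothetical stand-in that only runs a Luhn check, and the card number is a constructed test value. It also covers the caveat in the post above (an intruder on the box could read live traffic, but nothing older): the order record and the shop's own log are scrubbed so that nothing persisted contains the full number, and a helper confirms that after the fact.

```python
import re
import secrets
from dataclasses import dataclass


@dataclass
class AuthResult:
    approved: bool
    reference: str  # processor's reference; safe to store, says nothing about the card


def luhn_ok(pan: str) -> bool:
    """Luhn checksum, used here only as the fake processor's 'validation'."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class FakeProcessor:
    """Hypothetical third-party card processor; real ones return far richer results."""

    def authorize(self, pan: str, expiry: str, amount_cents: int) -> AuthResult:
        approved = luhn_ok(pan) and amount_cents > 0 and bool(expiry)
        return AuthResult(approved, "auth-" + secrets.token_hex(4))


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, which is all the customer account ever shows."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


PAN_PATTERN = re.compile(r"\b\d{13,19}\b")


def scrub(text: str) -> str:
    """Mask anything that looks like a card number before it reaches a log line."""
    return PAN_PATTERN.sub(lambda m: mask_pan(m.group()), text)


class Shop:
    def __init__(self, processor: FakeProcessor):
        self.processor = processor
        self.orders = []  # what gets persisted: never the full card number
        self.log = []     # constructed application log, scrubbed on write

    def checkout(self, customer: str, pan: str, expiry: str, amount_cents: int) -> dict:
        # The number exists only in this frame, 'at runtime', while the processor answers.
        result = self.processor.authorize(pan, expiry, amount_cents)
        record = {
            "customer": customer,
            "last4": pan[-4:],
            "amount_cents": amount_cents,
            "auth_ref": result.reference,
            "approved": result.approved,
        }
        self.orders.append(record)
        self.log.append(scrub(f"checkout customer={customer} card={pan} ref={result.reference}"))
        return record


def persisted_data_contains(shop: Shop, needle: str) -> bool:
    """Audit helper: does anything the shop wrote down contain the given string?"""
    blob = repr(shop.orders) + "\n" + "\n".join(shop.log)
    return needle in blob


if __name__ == "__main__":
    shop = Shop(FakeProcessor())
    # Constructed sample: a Luhn-valid test number, not a real card.
    print(shop.checkout("scrag", "4111111111111111", "12/29", 4500))
    print(shop.log[-1])  # card=************1111
```

The audit helper is the part worth keeping in a real system: a periodic check that dumps of the order table and the application logs contain no 13 to 19 digit runs is a cheap way to catch the day someone adds a debug line that quietly starts storing what the design promised never to store.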

And to repeat something else I posted elsewhere...

Back in the "old days" credit card information was stored on individual servers like ours. At that point, when virtual commerce was still young, nobody had really thought about the hacker problem getting so out of control. Which meant consumer data was stored on every single server he/she did business with, whether the IT department was a Fortune 500 company or managed by someone who could barely log into his own email account. Very bad, obviously.

Shortly after the makers of the store and credit card processing software got smarter about things, probably at the requirement of the credit card processors themselves. Now the only places where a customer's credit card info is stored are those places which allow you to make new purchases without reentering your payment info. Places like iTunes, Amazon, PayPal, etc. These are billion Dollar companies who can afford the massively expensive IT departments necessary to protect such data. And even then they get hacked into sometimes.

Which is why we aren't terribly surprised we got hacked and why we're very happy that we do not have credit card info on our server at any time :D

Steve


Oh, funny coincidence. Just now (literally) we received an email from a major Fortune 500 company about resetting our password for a user account we set up two years ago. Why? They said it wasn't good enough and they wanted something less likely to be cracked. So if they are concerned about lame passwords being decrypted...

Steve
