Ghost Story: Hackers Steal Credit Card Data

Most Halloween Ghost Stories are fictitious. This one is not. It's a scary reminder that you don't have to be Home Depot or Target to fall victim to hackers. Streets of New York, headquartered in Phoenix (great pizza by the way!) came to us in June to have us redesign their website. Unfortunately before their new site went live they became a victim of Team-Ghost's (told you it was a ghost story!) hackers who stole credit card data from their old website's database. Here's the story as I know it.

In June of this year, thanks to a referral from Matthew Bullock at Accelera Data Systems, Streets of New York hired us to redesign their website.

In early August we got started on their new site working on preliminary design concepts that included the look and navigational structure.

Late September Team ghost's hackers hacked into their old sites database and stole credit card data that had been stored by the previous developers in plain text (meaning the hackers got unencrypted credit card numbers, expiration dates, etc.). Accelera Data and Streets of New York notified and worked with the FBI to report the theft.

Talking with Matt Bullock, the previous hosting company suggested turning off old existing site. Matt and I agreed that that wasn't a good solution as it would have left Streets of New York without a Web presence of any kind. I offered to take the existing design concepts we had and quickly put together a temporary site for them and move the hosting to BANG! Matt liked that suggestion and over two business days we went from concept to temp site and had Matt change DNS records moving the website to our servers. Our goal was to prevent further damage by the hackers who had threatened to publish the stolen credit card numbers on the homepage of the site unless they received a payment through Bitcoins estimated at $10,000.

During conversations with the FBI it became apparent that Streets of New York wasn't singled out and the hack was one of many by the same group of hackers. The Phoenix Business Journal ran this story on October 8th. Streets of New York did everything right after the hack including notifying credit card holders, the FBI and the Attorney General of several states. The credit card data was being stored without their knowledge and was simply a poor choice made by their previous developer.

How BANG! handles credit card data

For most of our client's, all credit card transactions are handled immediately in real time using the Authorize.net payment gateway. In these instances, the credit card data is never stored in the website's database at all. This is our preferred method to handle credit cards as it puts the responsibility for security of the card data on Authorize.net not the business owner. We typically only store the last 4 digits of the card number for reference purposes. PCI Compliance, which is a standard for how businesses handle credit cards stipulates that credit card data will not be stored.

When a client insists that we store credit card data, that data is always encrypted to prevent these types of hacks from happening. We also encourage our client's to mark the transaction as processed as soon as possible which then wipes the data from the database. Client's need to realize when they store credit card data they are putting their customers at risk. 

How to avoid becoming the next hack victim

If you aren't a BANG! client, call and talk to both your Web designer and hosting company, as often these are two different companies and they need to be working together for you to protect your data. That's one of the advantages of working with BANG! Web Site Design as we handle both the design and the hosting of the site. Ask whether or not credit card data is ever stored anywhere on the site. For safety's sake it shouldn't be. IF credit card data is being stored, ask if the database is on another server secured behind a firewall. While it's common practice in the open source world to place both a MySQL database and the Apache Web server on the same box (computer server), it makes it easier on hackers to get to the data.  

Also ask and verify that any sensitive information such as passwords or credit card data is always transmitted using a secure protocol and encrypted using a SHA-2 SSL certificate. The older SHA-1 certificates are rapidly be phased out due to the potential that they can be decrypted, and if you haven't reissued your certificate using SHA-2 that should be done immediately.

Check to make sure the Web platform you are on and all related software such as site plugins has been updated. If you are on a WordPress powered site this is especially important as there were at least 7 security releases for the base platform alone in the last 10 months. See this blog post about WordPress Security for more information on that topic.

Make sure your passwords for the site are complex and contain at least 8 characters and a combination of UPPER CASE, lower case, numbers and preferably a symbol in the password. Longer is obviously better. Using password phrases, that combine multiple words and use misspellings of those words is one way to increase the number of characters in the password. Think "My1stCarWa$AChe^y" as opposed to single words.

Have you had staff turnover? When staff leaves, make sure any passwords they had access to are changed to prevent disgruntled former employees from compromising your security.

We also recommend changing your password regularly. 90 days is a good time frame for most password changes, less is better for extremely sensitive passwords.

Make sure you are running a good anti-virus solution on your computer and keep it up to date. Be careful with e-mail. Don't open attachments from messages you aren't expecting as this is a frequent way into a network. Don't fall for phishing attempts either. A reputable company is not going to ask you for your username and password for your e-mail or banking information!

Stay safe out there everyone. I'd like this to be the last story I write about a client's website being hacked!