Jazzy Hunter

No matter of what, all etailers must store the CC numbers in the database. Without keeping these information, they will not be able to do things like issuing credit for returned or exchanged items, collecting money from the banks, transaction disputing from the customers ... etc.

Just like after a dinner in a restaurant, it will keep your signed form with credit card information on it for a while, maybe forever.

absound.ca's web site always looked like someone's home page. I bet the database's design is probably very poor and vulnerable.



[Edited by Jazzy Hunter on 05-21-01 at 03:47 PM]

ModoReese

Actually, that is not entirely true. You can do all those things that you mentioned simply with a transaction ID, and the approval code (I can't remember the exact term for it). You do not have to store a customer's CC number on site. There are plenty of sites that give you the option to store it or not, and that is how they issue refunds, adjust billing, etc.

M

DVDealer

Credit card #'s need to be stored someplace to do billing, etc., but it should be done on a system that's not directly accessable via the web. From the web-site's point of view, there should never be a CC# retrieved to be viewed by a user. It should be a "write-only" setup where the back end system can approve or not what's typed in, but never spit out CC info that's already contained in it's DB back to a system that's exposed beyond the firewall. And even the write-only setup should be safeguarded against users doing brute force type of attacks to hammer the DB with combinations of random CC info until something gets approved. Any brute force attack should start alarms and timeouts.

I think the problem here is that there are too many "home-grown" sites with their own ways of storing cc info, etc. in a back end DB. At some point one's bound to get holes with this wide variety of implementations. Look in this coming year for a big shakeout of web-based CC transaction handling software that will be either outsourced by web sites, or packaged in such a way to prevent security problems, and then sites will be able to post "branded" icons of what kind of CC-handling software is being used and that the site is "approved" security-wise by said vendor. That way, customers will feel a lot safer about shopping. Without this coming and the more site breakins that are sure to happen in the future, more and more customers (and perhaps a critical mass) will walk away from ecommerce soon. Customers just don't need this hassle and won't put up with it much longer.

I can't blame them, and am po'd with the problems myself.

cburt

When I first heard about absoud.ca's site being hacked into, I read their press release that stated something like, "we wish to emphasize the fact that only OPEN, UNPROCESSED orders have been hacked". I believed them and thought I was perfectly safe, since I have no open orders with them. However, tonight when I went to look at my Mastercard online statement I discoved a charge to PORNOTHERAPY.ORG. I called Mastercard immediately and they cancelled the card for me. The CS representative was very helpful and noted that he had received another call yesterday from someone who'd received a bogus charge for PORNOTHERAPY.ORG. If you've EVER placed an order with absound.ca, your CC info has been made quite public. It would seem to be a good idea to cancel any card that one ever used to purchase something from absound.ca. Also, it's interesting to note that I never actually purchased anything from absound.ca; I did place one order with them about 1 & 1/2 months ago (of course, I did have to enter my CC #), but I cancelled the order 2 weeks ago because I found the title cheaper at half.com.

Chris

Petoff

I placed my first order with them last week. I'm at work now so I can't even remember which credit card I used. It looks like they are all vunerable, not just open unprocessed orders, whatever that means.

I am right to understand that ALL outstanding orders will be cancelled? So if I had a DVD on pre-order with them I should just order it somewhere else if I want to get it? I just want to make sure they don't mail it to me weeks later if they are telling me now that it will be cancelled.

A&B Sound certainly lost my business. What a big blunder on their part. Yes the hackers are at fault but you have to protect credit card numbers as well as other information which is personal

mysteriousjimmy

4. WE ARE ENDEAVOURING TO IDENTIFY AND CONTACT ALL AFFECTED CREDIT CARD HOLDERS. GIVEN THE TIME THIS MAY TAKE, WE RECOMMEND AS A PRECAUTIONARY MEASURE THAT ALL A&B CUSTOMERS WHO ORDERED ONLINE IN THE LAST NINE MONTHS CONTACT THEIR CREDIT CARD ISSUER AND INFORM THEM OF THIS INCIDENT.

3. IN ADDITION TO INVESTIGATING THE BREACH, WE ARE INVESTIGATING THE STATUS OF INDVIDUAL ORDERS. AS YOU CAN APPRECIATE THIS IS A VOLUMINOUS TASK. WE WILL NOT PROCESS ANY ORDERS WHICH WERE OPEN AT THE TIME OF THE SECURITY BREACH WITHOUT A CUSTOMER’S DIRECT CONFIRMATION. WE HAVE HAD A NUMBER OF E-MAILS REQUESTING US TO CONTINUE WITH AN ORDER AND WE HAVE HAD A NUMBER OF E-MAILS REQUESTING US TO CANCEL AN ORDER. WE WILL RESPECT ALL SUCH REQUESTS THAT INCLUDE CUSTOMER AND TRANSACTION IDENTIFICATION NUMBERS. WE WILL BE IN TOUCH WITH THOSE WHO HAVE MADE A REQUEST WITHOUT IDENTIFICATION NUMBERS TO CONFIRM THOSE NUMBERS. WE WILL EVENTUALLY BE IN INDIVIDUAL CONTACT WITH ALL CUSTOMERS WITH OUTSTANDING ORDERS. WHILE THIS WILL TAKE SOME TIME GIVEN THE SPECIFIC NATURE OF INDIVIDUAL ACCOUNTS, NO ORDERS WHICH WERE OPEN AT THE TIME OF THE SECURITY BREACH WILL BE PROCESSED WITHOUT THE CUSTOMER’S DIRECT CONFIRMATION. WHILE WE UNDERSTAND THAT THIS MAY BE AN INCONVENIENCE TO SOME CUSTOMERS, WE TRUST THAT IT WILL PARTLY ALLEVIATE THE ANXIETY OF MANY WHO HAVE WRITTEN TO US.

when and if they come back online I will still placing orders with them...

DVDealer

I'm also interested. Mine should have been shipped out today had things been normal. Has anyone tried calling them up or emailing with any success recently? I don't mind waiting a bit, if I'm told that eventually my order will ship within a certain period of time while things are "corrected manually".

I would rather give them my new CC # over the phone than enter it in without knowing that they've got the earlier security problems *permanently* and *completely* fixed. I might also want to use one of those one-time credit card numbers, since presumably my order will be ready to ship and no preorder delays will be needed.

BTW, those of you who haven't cancelled cards yet or are unsure of which ones were compromised still. They haven't taken AMEX cards, so those shouldn't be at risk. I'd earlier canceled mine, thinking that was one that was used, but found out later it was another card and that I'd canceled my AMEX card unnecessarily. Not sure if they'd ever accepted AMEX in the past, but you might want to confirm with them before cancelling.

[Edited by DVDealer on 05-31-01 at 10:27 AM]

martin.s

I actually emailed them a couple of days ago and they told me the last 4 digits on the creditcard I used on their site.

Wouldn't it be possible to email them and tell them to ship open orders using your stored creditcard?

///Martin

DVDealer

I would hope that you've canceled your "stored creditcard" by now... It would probably be turned down if you had. I wouldn't want any valid credit card on their site now without guarantee that the site wouldn't be turned on without fixing its security first.

I also got an email a bit ago with the last four digits of the ones I'd used. It was at that point I noticed my AMEX card wasn't on there and they added the note on it saying they didn't accept them. I'd already canceled my AMEX card by that time as a precaution, having not heard from them for a week.


[Edited by DVDealer on 05-31-01 at 02:06 PM]

rtiangha

Yup, A&B Sound in-store and on-line only accepts Visa and Mastercard so AMEX cards are at absolutely no risk at all.


[Edited by rtiangha on 05-31-01 at 03:02 PM]

Ben732

I have an open order for 2 dvds that should have shipped around 5/22 but because of this nothing has happened. I'd like to send them a new CC # (one only good for one month via my mastercard's ShopSafe Service, but I don't see a phone # to call them. I guess I'll email them.

Any word on when they'll be back up????

AliJ

it says on the site now that they should be online by the 8th June !!!

DVDealer

I called them yesterday at the non-800 number that you can find if you search for A&B Sound here in these threads. It was a post with only a single message in the thread.

Anyway, the guy responding seemed nice enough but didn't have any firm data as to when things were coming back just yet, but it sounds like they were making efforts to make good on ones' existing orders when they were ready.

I noted some feedback to them that it would help to have an update to the site that things were moving along so that customers didn't think they were "disappearing" like other ecommerce vendors have in the past. Don't know if that prompted them to update their site or not.

He noted that their main disk were data was being kept was infected with a virus, which is why it's been hard for them to extract the existing orders to a new system. That may be why they are asking us to reenter our account info.

They are stating we need to reenter customer info to "reinitiate any oustanding orders". Does that mean we will be prompted for entering existing order numbers on the site and corresponding items ordered/pricing, etc.? That would be my preference, since a couple of items that were in my outstanding order no longer are listed on their site. I really would like to be getting the stuff that was still in my order. If we have to reenter orders, hope we can get the pricing we had earlier in case some of them have changed by now.

[Edited by DVDealer on 06-02-01 at 07:16 AM]

matchpenalty

I am NEVER going to deal with them again. My first order was pending. I was on vacation and thank goodness no charges hit. Cancelled my card but will not give them any info ever again. If a company won't take amex for online stuff, I won't use em. I don't want to deal with multiple single use card setups.

DVDealer

Checking their site again it appears that they have delayed their reopening that was supposed to have happened yesterday until the 13th. From their website

"June 8, 2001

Update

The re-launch of our web site has been rescheduled to June 13, 2001 due to delays in implementing functionality and security enhancements. Thanks for your patience and hope to see you on-line soon."

Ben732

I think they've totally redone their site, and if that's true, perhaps it will be a little easier to navigate. I really hope this doesn't affect their pricing!

I'm looking forward to the 13th. I know they want us to reenter our customer info, but for previously open orders, I really hope they honor the pricing. I ordered the Stargate SG1 season1 box set and the season 2 sex and the city dvds... I hope they keep the preorder prices...

matchpenalty

I said 'no way' and ordered sex and the city from totalactionuniverse