You Acer holes! PC maker leaks payment cards in e-store hack

Silver badge

You would think...

being in the computer industry that they would understand security but one after another computer manufacturer has blown security for quick roll out. Bad update software, drivers, security certificates, and data breaches leave no room for trust.

Wipe your new machines and use as few manufacturer services and as little OEM software as possible.

10
0
Bronze badge
FAIL

"We took immediate steps to remediate this security issue upon identifying it, and we are being assisted by outside cybersecurity experts, as we obviously have no such expertise in-house" said Acer vice-president of customer service Mark Grovel and hide under."

Only took 'em a year to find out, par for the course. What were we saying in another thread about peanuts and monkeys and outsourcing?

9
0
Silver badge

outside cybersecurity experts

Hopefully not one of the "cybersecurity" outfits taken down previously by actually skilled hackers.

1
0
Silver badge
Unhappy

"Acer did not say how many customers had their details swiped."

Don't worry. I'm sure it will only be "a small number of people" who have been affected.

10
0
Silver badge

...by the 'sophisticated' hack....

2
0
Silver badge

Storing CC security verification codes

Is this allowed? It shouldn't be.

10
0

Re: Storing CC security verification codes

Per PCI DSS section 3.2.2:

Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card used to verify card-not-present transactions) after authorization.

This goes all the way back to PCI DSS 1.2 (2008). But hey, we like to treat them more like "guidelines" than rules.

26
0

Re: Storing CC security verification codes

Strictly not allowed to store the security code - but I come across companies that do it all the time. If I realise in time (usually on a phone transaction) I ask if they are doing so, and then cancel the transaction in a very pointed way - including reporting them.

They SHOULD have their card-not-present permission removed, but I doubt it ever happens.

7
0
Silver badge

Re: Storing CC security verification codes

"Strictly not allowed to store the security code"

They're allowed to store it up to the point the transaction is authorized, but not afterwards - not even if it is encrypted.

0
0
Silver badge
Facepalm

Personal records siphoned off from online store

"The lost data includes customer names, addresses, card numbers, and three-digit security verification codes on the backs of the cards."

Presumably the people that wrote the e-commerce platform couldn't figure out a way of defeating the built-in password salting-and-hashing functions of the Operating System. And given that I don't understand the intricacies of the modern online ecommerce platform, what was such information even doing being stored online unencrypted and in the clear?

'no passwords or social security numbers were obtained by the thieves'

Not exactly what they said:

"we have not identified evidence indicating that password or login credentials were affected"

What they should have said: If the 'cyber' thieves got hold of your encrypted password they could run it against a rainbow table and extract the plain text. If you use the same password here or elsewhere change the password immediately.

2
0

Re: Personal records siphoned off from online store

This isn't necessarily what happened. It's possible that the attackers managed to do a bit of code injection on the app server so that any https responses got intercepted, processed and hijacked. All it takes is a custom module and minor config change on some systems. Maybe nothing at all to do with their database. That would explain why it only happened for a certain number of time-limited transactions.

0
0
Silver badge

Re: Personal records siphoned off from online store (@ Tessier-Ashpool)

"That would explain why it only happened for a certain number of time-limited transactions."

For "more than a year"???

0
0
Silver badge

Bah!

I hope visa and co hound these stupid, stupid people for all the costs incurred.

How could anyone be so shit thick as to store the three digit security code when they've been told in as many words not to do so, and how could these stupid, stupid morons store any credit card information in an unencrypted form?

Who in god's name is doing their IT?

It is beyond stupid. Radio waves take three hours to get from stupid to where these morons do business.

Acer deserve to have their accreditation with whatever merchanting system is handling their transactions rescinded so they'll be forced to use a third party that understands the importance of protecting people's personal financial instruments to transact any sales.

Good Christ Almighty on a crutch.

19
0
Silver badge
Thumb Up

Re: Bah!

> Radio waves take three hours to get from stupid to where these morons do business.

Quality rant!

12
0
Silver badge

Re: Bah!

Remember: when asking "why are my credit card charges and fees so high?" that the answer is "shit like unto that perpetrated by Acer's crack IT team".

Who do you think ends up footing the bill for fraudulently lost funds?

3
0
Silver badge
Thumb Up

Re: Bah!

"Radio waves take three hours to get from stupid to where these morons do business."

Straight to my quotes/scrap book, with attribution!

2
0
Silver badge
Thumb Up

Re: Bah!

Fukken saved!

There is a link for "Report abuse", but none for "Report excellent abuse". Pity.

8
0
Silver badge

Re: Bah!

I'll hazard a guess that high credit card fees also reflect the greed that demands multi-billion dollar profits each quarter.

Losses are likely insured.

1
0
Bronze badge

Going to cost Acer a fair whack of change in compensation for any fraud, unless their lawyers have already come up with excuses to avoid liability, before making new public !!

0
0
Silver badge

Another week another hack, yet again

If it's Tuesday, this must be Belgium.

That's an old movie ref, BTW.

1
0

Happens All The Time

Acer mailed me a letter about this last week. This happens often in America, my card number had already been compromised through some other merchant, so this card is long gone.

1
0
Silver badge
Headmaster

Re: Happens All The Time

I'm afraid I take issue with your brutish command of the English language good sir. So naturally, after a cup of tea this fine morning, I have re-written it for you.

Consider:

Those devilish blighters working for Acer ~~mailed~~ sent me a letter about this last week via the outfit pretending to be Her Majesty's postal system that one uses here in the Americas. This happens so often in ~~America~~ the former colonies, ~~my~~ that of course one's card number had already been compromised prior, through ~~some other merchant~~ another scallywag masquerading as a purveyor of goods, so one took the liberty of disposing of this card ~~is long gone~~ quite some time ago as a suitable precaution. What?

2
0
