Security

WHMCS Data Compromised By Good Old Social Engineering 87

Posted by Unknown Lamer
from the the-classics-never-get-old dept.
howhardcanitbetocrea writes "WHMCS has had 500,000 records leaked, credit cards included, by hackers calling themselves UGNazis. Apparently UGNazis succeeded in obtaining login details from the billing software's host by using social engineering. UGNazis accuse WHMCS of knowingly offering services to fraudsters. After almost 24 hours UGNazis still seem to have control of the WHMCS Twitter account @whmcs and are regularly updating their exploits. These tweets are also feeding into WHMCS software."
  • by P-niiice (1703362) on Tuesday May 22, 2012 @08:30AM (#40075657)
    It was social engineering. Encryption cannot help with human gullibility.
  • by hey! (33014) on Tuesday May 22, 2012 @10:19AM (#40076793)

    It was also lousy but unfortunately common business practices.

    Suppose you're a company that handles billing and payments for clients. One of your clients asks you for the credit card information for all of *his* clients. This scenario shows why you should be very reluctant to give that data to him. And for all you know, *he's* going to use it to commit identity fraud, or sell it on the black market.

    Not disclosing this information inconveniences the customer slightly, but it also protects him.

    When you receive sensitive private information from someone, you should not use it or transfer it to any third parties except as necessary to fulfill the purpose for which you received it, *even if* you are just a middleman between the buyer, the vendor, and the vendor's bank. Get the money transferred into the customer's account and the order to the customer's order fulfillment people and your job is done.

    These problems come from not *thinking*. End user sends you data, you automatically store it without thinking, whether you need it or not. Customer asks you for that data, and you automatically give it to him without thinking. A service agreement should be concluded between you and your customer establishing what the customer is going to do with that data, and when and how the data will be provided. You shouldn't just give him data that is not necessarily *his* by right just because he asks for it.

    The underlying problem is that companies operate as if the privacy and security of their end-users is none of their concern.
