UPS: We've Been Hacked
paysonwelch writes The United Parcel Service announced that customers' credit and debit card information at 51 franchises in 24 states may have been compromised. There are 4,470 franchised center locations throughout the U.S., according to UPS. The malware began to infiltrate the system as early as January 20, but the majority of the attacks began after March 26. UPS says the threat was eliminated as of August 11 and that customers can shop safely at all locations.
Is this for real? (Score:5, Funny)
I made sure my password is at least 8 digits, alpha-numeric with at least one unique character!
Is this for real? (Score:2)
HA! I will point out your problem. You went mainstream. Years ago, I realized that all the hacking tools go that route too. So, all my passwords are only 2 characters... and only binary numbers. Hack That!
Re: (Score:3)
"at least 8 digits, alpha-numeric with at least one unique character!"
A surprisingly common password.
LOLCam (Score:2)
Congratulations, you're on LOLCamera!
Everyone gets hacked these days. eBay gets hacked every week!
Re:LOLCam (Score:5, Insightful)
Only institutions that do not care get hacked. While absolute security is not to be had, it can be made expensive enough that hackers give up. These days, however, hacking a major company is often within the reach of amateurs with enough patience. Until these companies become liable for any and all stolen credit card and address information (say, $100 for each address and $500 for each credit card set to the owner without the need to prove anything, and unlimited for damage the owner can prove), nothing will change.
Re: (Score:3)
The thing is, all companies need some people that give the appearance of caring, or they would be criminally negligent. But you typically find that these folks can only do after-the-fact analysis, have no input on security decisions that could prevent this and are understaffed and do not have the rights they need. I have personally seen one instance where the "IT Risk Officer" reporting directly to the director was a very junior person without the self-assurance to escalate anything or even ask questions an
Re: (Score:3)
The fundamental issue is that credit cards are based on the premise that you can authenticate somebody using a shared secret that you share with everybody you do business with.
I can post my ssh public key in this post if I wish, and about the only thing anybody could do with it is give me access to their systems. There is no reason that credit cards can't be made secure in this day and age. Nobody wants to bother, so we deal with messes like this.
If all UPS had were credentials that authorized only UPS to
Re: (Score:2)
Sure, the credit card system is broken. But that only means you have to be extra careful with the data. These companies come close to actually throwing it at the attackers.
Insightful! Govt. & US Post Office might also (Score:2)
Sharing such rarely changing authentication data is at the heart of the issue as you point out. It seems like a trade-off of convenience and security with some background fraud cost. However, the issue is always convenience for who and fraud for who? In this case, banks have succeeded in mostly privatizing gains from transactions costs from credit card transaction fees while socializing the cost of identity theft to the general public (who have to change their accounts, deal with years of worries, try to st
Re: (Score:2)
It seems like authentication is important to modern society. I think the only real solution is a government-issued ID, capable of challenge-response. Even a PIN for the ID is useless if every company expects you to hand it over to them.
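The two comments above (the one contrasting a posted ssh public key with a shared card number, and this one asking for an ID capable of challenge-response) describe the same protocol shape without showing it. The following is an added example, not code from the thread or from UPS or any card network: the "card" holds an Ed25519 private key, the merchant issues a single-use challenge naming itself and the amount, and the only thing the merchant ever stores is the public key plus a signature over that one challenge. The merchant names and amounts are made up, and the in-memory keypair stands in for what a real card would keep in a secure element.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Card is the cardholder's side. Only pub ever leaves it; priv would live in
// a secure element on a real card, here it is just an in-memory stand-in.
type Card struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewCard() (*Card, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Card{pub: pub, priv: priv}, nil
}

// Challenge is what a merchant hands the card: who is asking, for how much,
// and a fresh nonce, so the signature is bound to exactly one transaction.
type Challenge struct {
	Merchant string
	Amount   uint64 // cents
	Nonce    [16]byte
}

// encode gives an unambiguous byte string to sign: length-prefixed merchant
// name, then fixed-width amount and nonce.
func (c Challenge) encode() []byte {
	n := len(c.Merchant)
	b := make([]byte, 4+n+8+16)
	binary.BigEndian.PutUint32(b, uint32(n))
	copy(b[4:], c.Merchant)
	binary.BigEndian.PutUint64(b[4+n:], c.Amount)
	copy(b[12+n:], c.Nonce[:])
	return b
}

// Authorization is all the merchant receives and stores. A breach of the
// merchant leaks only this: a public key and one signature over one challenge.
type Authorization struct {
	Pub ed25519.PublicKey
	Sig []byte
}

func (c *Card) Authorize(ch Challenge) Authorization {
	return Authorization{Pub: c.pub, Sig: ed25519.Sign(c.priv, ch.encode())}
}

// Merchant remembers which nonces it issued and what it has stored.
type Merchant struct {
	Name   string
	issued map[[16]byte]bool // handed out, not yet redeemed
	Stored []Authorization   // what an attacker finds on a compromised POS
}

func NewMerchant(name string) *Merchant {
	return &Merchant{Name: name, issued: make(map[[16]byte]bool)}
}

func (m *Merchant) NewChallenge(amount uint64) (Challenge, error) {
	ch := Challenge{Merchant: m.Name, Amount: amount}
	if _, err := rand.Read(ch.Nonce[:]); err != nil {
		return ch, err
	}
	m.issued[ch.Nonce] = true
	return ch, nil
}

// Verify accepts only a challenge this merchant issued, not yet redeemed, and
// correctly signed. Each check closes one replay path.
func (m *Merchant) Verify(ch Challenge, a Authorization) error {
	if ch.Merchant != m.Name {
		return errors.New("challenge was issued for a different merchant")
	}
	if !m.issued[ch.Nonce] {
		return errors.New("unknown or already-redeemed nonce")
	}
	if !ed25519.Verify(a.Pub, ch.encode(), a.Sig) {
		return errors.New("signature does not cover this challenge")
	}
	delete(m.issued, ch.Nonce)
	m.Stored = append(m.Stored, a)
	return nil
}

// BreachScenario: a legitimate purchase, then an attacker who dumped the
// merchant's stored records replays one at the same merchant and at another.
func BreachScenario() (legit, replaySame, replayOther error) {
	card, err := NewCard()
	if err != nil {
		return err, err, err
	}
	shop := NewMerchant("Example Store #1") // hypothetical merchant
	ch, err := shop.NewChallenge(1999)
	if err != nil {
		return err, err, err
	}
	legit = shop.Verify(ch, card.Authorize(ch))
	stolen := shop.Stored[0]            // attacker's haul: pubkey + one signature
	replaySame = shop.Verify(ch, stolen) // nonce already redeemed
	other := NewMerchant("Other Shop")   // hypothetical second merchant
	ch2, err := other.NewChallenge(1999)
	if err != nil {
		return legit, replaySame, err
	}
	replayOther = other.Verify(ch2, stolen) // signed ch, not ch2
	return legit, replaySame, replayOther
}

func main() {
	l, s, o := BreachScenario()
	fmt.Println("legitimate:", l, "| replay same merchant:", s, "| replay other merchant:", o)
}
```

The contrast with today's cards is the stored record: here a stolen database yields public keys and dead signatures, whereas a stolen PAN plus expiry is itself the credential at every other merchant. The nonce bookkeeping is what prevents the same signature being redeemed twice at the issuing merchant, and binding the merchant name and amount into the signed bytes is what stops it being moved elsewhere or re-priced.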
Re: (Score:2)
Make stiff penalties for breaches and make breach insurance required. Then the insurance companies will heavily encourage protective measures from those they insure because their profits are on the line.
Insurance companies would care more than regular companies because they deal in bulk. If there are lot of breaches, then they have a lot of payouts and lose money. A regular company views breaches as all or nothing incidents, which tempts them to gamble.
Re: (Score:1)
May work, may also fail. Back when nuclear power was in its infancy, some countries tried to mandate insurance. Guess what, nobody was willing to even make an offer. While that would have told any sane person right there that nuclear power was not a good idea, the governments in question just dropped the requirement.
Re: (Score:2)
Apply the same reasoning to living in New Orleans and you are a racist.
Well I am Glad (Score:5, Insightful)
Well, I am glad they waited until the issue was resolved before letting their customers know they were at risk. I would have hated for UPS's bottom line to be hurt by letting us know as soon as they realized there was a breach. After all, the company bottom line is more important than my security.
Well I am Glad (Score:3)
If they told everybody "your info was hacked" while they hadn't cleaned it up yet, a bunch of folks would have logged on and changed their passwords, immediately exposing the NEW ones. You clean up first, then you engage the PR folks.
Re: (Score:2)
Or new customers may have chosen to use Fed Ex instead of having their information on compromised systems.
Re: (Score:2)
Or the breach was one that pulled stuff out little by little to avoid detection, and they were afraid of the hackers opening the flood gates if they went public that the breach had been detected.
What about Canada? (Score:3)
Don't tell me there's separate servers for UPS Canada and that data is never shared across both servers...
Re: (Score:1)
Honestly, it would not surprise me at all if this were the case. I'm actually working with two large transportation companies similar to UPS on a software integration project, and dealing with different countries involves dealing with different systems/people/etc. I'd have thought that they would have had a global system to manage international transportation, which is of course global by its very nature. Perhaps some elements of their systems are global, but the information we need seems to be in system
Re: (Score:2)
Nah... CSIS and NSA already take care of this...
And this is a surprise? (Score:1)
I am not surprised at all. Windows XP support ended long ago, but it is still extensively used in the US government?
But guess what; we still take ourselves as the epitome of what/how technology should look like.
UPS Mail Innovations (Score:2)
Re: (Score:1)
In capitalist USA, private companies are the government.
In other news (Score:1)
Here is a list of the following companies that were not hacked this week:
Thank you for watching the 10 O'clock news and have a great weekend.
Security's Illusory (Score:2)
That is pretty fast for UPS (Score:1)
Eight months. That is why I stick to USPS. Slow, but safe.
Take your time (Score:4, Insightful)
The malware began to infiltrate the system as early as January 20, but the majority of the attacks began after March 26. UPS says the threat was eliminated as of August 11 and that customers can shop safely at all locations.
What? So the malware had half a year to rumble around?
You know it's a fail when (Score:1)
Re: (Score:2)
So. They don't know what was taken. They don't know who was compromised. All they know is that they were hacked, and various information COULD have been taken.
Yi! That's not enough information for anyone to make any decision based on anything but level of paranoia. They could at least have said whether it was historic records or only current accounts.
OTOH, I don't think I've ever paid UPS with anything but cash.
Cards cards cards (Score:1)
Every time I see a story like this I wonder what it will take before the world finally moves away from credit/debit-card billing online.
In the Netherlands we already have a system (iDEAL) which allows you to transfer money from your bank to an online shop/service safely (it's basically a protocol and redirect to your bank, meaning nothing *can* be stored on servers of said store). It's *far* from perfect but it's a whole deal safer than storing card data, and at least someone is taking initiative.
Re: (Score:3)
This is true. I just visited the Netherlands and as an American I had this impression exactly. We want to think we're all so hot, "invented the Internet" and all. But the Dutch do technology way better than us. I was very envious of their chip and pin technology.
UPS sucks (Score:2)
Re: (Score:2)
That's because FedEx is teamed up with USPS. Most remote FedEx boxes are serviced by US postal workers on their routes.
Don't panic (Score:2)
While UPS customers may be worried, those are the people that send stuff by UPS. Just because you receive stuff by UPS doesn't make you vulnerable.
UPS hasn't got my credit card info...
New Normal (Score:2)
I've now come to realize that it is the norm to cancel and request new credit cards/debit cards every 3 quarters just in case my card number has been compromised by one of these hacks.
Maybe if the whole country did the same, banks would finally switch to a more secure card.
Hope their IT got better (Score:2)
I worked for them about 20 years ago in customer service. My workstation was a PC running a terminal connected to an AS/400. I had to press ESC to do certain things. If I pressed ESC twice I went to the AS/400's menu where I could send broadcast messages and reset terminals.
They had to send someone from UPS in New Jersey as they refused to believe someone could access their holy system from a simple customer service terminal.
The rest of the stupidity I saw at that company fit with that experience.
What can BROWN do for you? (Score:1)
Fuck you in the ass mostly, it seems.
Big Data (Score:2)
well I for one, am glad for big data, the cloud and internet of things. can't wait for whats next... perhaps a bigger cloudier internet
Re: (Score:1)
BigNodeCloudNoSqlSocialJS
To expand a bit.. (Score:2)
.. For those who didn't click-thru and read:
"An assessment by The UPS Store and the IT security firm revealed the presence of this malware on computer systems at 51 locations in 24 states (about 1%) of 4,470 franchised center locations throughout the United States." .. so it's not super wide-spread. Only 1% of their locations? I think it would be interesting to pick ANY national retail operation and see if malware could be found on LESS than 1% of their systems.
It also only impacts particular The UPS Stor
FTA... (Score:2)
Each store is an independent computer node and not all are interconnected. That indicates to me that it almost has to be an insider/employee/contractor travelling from store to store implementing the malware? It seems unlikely that a hacker group could/would have the organization to get around to that many states/stores.
Re: (Score:2)
Nah, an infected USB key would do it. So would a phishing attempt that most people ignored. UPS stores are franchise operations, so it's not too hard to imagine something like this slipping through the cracks for a tiny percentage of the stores.
EMV will...oh no it won't (Score:1)