Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?

UPS: We've Been Hacked 62

paysonwelch writes The United Parcel Service announced that customers' credit and debit card information at 51 franchises in 24 states may have been compromised. There are 4,470 franchised center locations throughout the U.S., according to UPS. The malware began to infiltrate the system as early as January 20, but the majority of the attacks began after March 26. UPS says the threat was eliminated as of August 11 and that customers can shop safely at all locations.
This discussion has been archived. No new comments can be posted.

UPS: We've Been Hacked

Comments Filter:
  • by GeekWithAKnife ( 2717871 ) on Friday August 22, 2014 @08:15AM (#47728033)

    I made sure my password is at least 8 digits, alpha-numeric with at least one unique character!
    • HA! I will point out your problem. You went mainstream. Years ago, I realized that all the hacking tools go that route too. So, all my passwords are only 2 characters......and only binary numbers. Hack That!

    • "at least 8 digits, alpha-numeric with at least one unique character!"

      A surprisingly common password.

  • Congratulations, you're on LOLCamera!

    Everyone gets hacked these days. eBay gets hacked every week!

    • Re:LOLCam (Score:5, Insightful)

      by gweihir ( 88907 ) on Friday August 22, 2014 @08:31AM (#47728135)

      Only institutions that do not care get hacked. While absolute security is not to be had, it can be made expensive enough that hackers give up. These days, however, hacking a major company is often within th reach of amateurs with enough patience. Until these companies become liable for any and all stolen credit card and address information (say, $100 for each address and $500 for each credit card set to the owner without the need to prove anything, and unlimited for damage the owner can proof), nothing will change.

      • by ZiakII ( 829432 )
        I disagree it's usually organizations who don't care who find never find out they've been hacked. In they do what you are proposing most companies will attempt to just sweep it under the rug. That's when it really becomes bad for the customer.
        • by ZiakII ( 829432 )
          Ugh I should not try posting on mobile, the above was supposed to say. I disagree it's usually organizations who don't care who never find out they've been hacked. If they do what you are proposing most companies will attempt to just sweep it under the rug. That's when it really becomes bad for the customer.
          • by gweihir ( 88907 )

            The thing is, all companies need some people that give the appearance of caring, or they would be criminally negligent. But you typically find that these folks can only do after-the-fact analysis, have no input on security decisions that could prevent this and are understaffed and do not have the rights they need. I have personally seen one instance where the "IT Risk Officer" reporting directly to the director was a very junior person without the self-assurance to escalate anything or even ask questions an

      • by Rich0 ( 548339 )

        The fundamental issue is that credit cards are based on the premise that you can authenticate somebody using a shared secret that you share with everybody you do business with.

        I can post my ssh public key in this post if I wish, and about the only thing anybody could do with it is give me access to their systems. There is no reason that credit cards can't be made secure in this day and age. Nobody wants to bother, so we deal with messes like this.

        If all UPS had were credentials that authorized only UPS to

        • by gweihir ( 88907 )

          Sure, the credit card system is broken. But that only means you have to be extra careful with the data. These companies come close to actually throw them at the attackers.

        • Sharing such rarely changing authentication data is at the heart of the issue as you point out. It seems like a trade-off of convenience and security with some background fraud cost. However, the issue is always convenience for who and fraud for who? In this case, banks have succeeded in mostly privatizing gains from transactions costs from credit card transaction fees while socializing the cost of identity theft to the general public (who have to change their accounts, deal with years of worries, try to st

          • by Rich0 ( 548339 )

            It seems like authentication is important to modern society. I think the only real solution is a government-issued ID, capable of challenge-response. Even a PIN for the ID is useless if every company expects you to hand it over to them.

      • by Tablizer ( 95088 )

        Make stiff penalties for breaches and make breach insurance required. Then the insurance companies will heavily encourage protective measures from those they insure because their profits are on the line.

        Insurance companies would care more than regular companies because they deal in bulk. If there are lot of breaches, then they have a lot of payouts and lose money. A regular company views breaches as all or nothing incidents, which tempts them to gamble.

        • by gweihir ( 88907 )

          May work, may also fail. Back when nuclear power was in its infancy, some countries tried to mandate insurance. Guess what, nobody was willing to even make an offer. While that would have told any sane person right there that nuclear power was not a good idea, the governments in question just dropped the requirement.

  • Well I am Glad (Score:5, Insightful)

    by MyLongNickName ( 822545 ) on Friday August 22, 2014 @08:16AM (#47728045) Journal

    Well, I am glad they waited until the issue was resolved before letting their customers know they were at risk. I would have hated for UPS's bottom line to be hurt by letting us know as soon as they realized there was a breach. After all, the company bottom line is more important than my security.

    • If they told everybody "your info was hacked" while they hadn't cleaned it up yet, a bunch of folks would have logged on and changed their passwords, immediately exposing the NEW ones. You clean up first, then you engage the PR folks.

      • Or new customers may have chosen to use Fed Ex instead of having their information on compromised systems.

      • by Calydor ( 739835 )

        Or the breach was one that pulled stuff out little by little to avoid detection, and they were afraid of the hackers opening the flood gates if they went public that the breach had been detected.

  • by ArcadeMan ( 2766669 ) on Friday August 22, 2014 @08:19AM (#47728063)

    Don't tell me there's separate servers for UPS Canada and that data is never shared across both servers...

    • by Anonymous Coward

      Honestly, it would not surprise me at all if this were the case. I'm actually working with two large transportation companies similar to UPS on a software integration project, and dealing with different countries involves dealing with different systems/people/etc. I'd have thought that they would have had a global system to manage international transportation, which is of course global by its very nature. Perhaps some elements of their systems are global, but the information we need seems to be in system

    • Nah... CSIS and NSA already take care of this...

  • I am not surprised at all. Windows XP support ended long ago but still extensively used in the US government?

    But guess what; we still take ourselves as the epitome of what/how technology should look like.

  • by Anonymous Coward

    Here is a list of the following companies that where not hacked this week:

    Thank you for watching the 10 O'clock news and have a great weekend.

  • Security theatre is not limited to the wholly distasteful airport search.
  • by Anonymous Coward

    Eight months. That is why I stick to USPS. Slow, but safe.

  • Take your time (Score:4, Insightful)

    by jones_supa ( 887896 ) on Friday August 22, 2014 @08:27AM (#47728109)

    The malware began to infiltrate the system as early as January 20, but the majority of the attacks began after March 26. UPS says the threat was eliminated as of August 11 and that customers can shop safely at all locations.

    What? So the malware had half a year to rumble around?

  • They say they're now secure. Anybody who knows anything about security knows you're never "secure." You're more secure than you were before, but 100% security is impossible.
  • by Anonymous Coward

    Everytime a see a stroy like this I wonder what it will take before the world finally moves away from credit/debit-card billing on line.

    In the Netherlands we already have a system (iDEAL) which allows you to transfer money from your bank to an online shop/service safetly (it's basically a protocol and redirect to your bank, meaning nothing *can* be stored on servers of said store). It's *far* from perfect but it's a whole deal safer then storing card-data, and at least someone is taking initiative.

    • This is true. I just visited the Netherlands and as an American I had this impression exactly. We want to think we're all so hot, "invented the Internet" and all. But the Dutch do technology way better than us. I was very envious of their chip and pin technology.

  • I hate UPS. Their nearest pickup/dropoff location to me is 35 miles away. For any special delivery instructions, you have to pay a membership fee + a charge for each package you want delivered per instructions. Fedex pickup/dropoff locations, on the other hand, are ubiquitous and there's one just 1 mile from my house.
    • That's because FedEx is teamed up with USPS. Most remote FedEx boxes are serviced by US postal workers on their routes.

  • While UPS customers may be worried, those are the people that send stuff by UPS. Just because you receive stuff by UPS doesn't make you vul;nerable.
    UPS hasn'r got my ccard info...

  • I've now come to realize that it is the norm to cancel and request new credit cards/debit cards every 3 quarter just in case my card number has been compromised by one of these hacks.

    Maybe if the whole country did the same, banks would finally switch to a more secure card.

  • I worked for them about 20 years ago in customer service. My workstation was a PC running a terminal connected to an AS/400. I had to press ESC to do certain things. If I pressed ESC twice I went to the AS/400's menu where I could send broadcast messages and reset terminals.

    They had to send someone from UPS in New Jersey as they refused to believe someone could access their holy system from a simple customer service terminal.

    The rest of the stupidity I saw at that company fit with that experience.

  • Fuck you in the ass mostly, it seems.

  • well I for one, am glad for big data, the cloud and internet of things. can't wait for whats next... perhaps a bigger cloudier internet

  • .. For those who didn't click-thru and read:

    "An assessment by The UPS Store and the IT security firm revealed the presence of this malware on computer systems at 51 locations in 24 states (about 1%) of 4,470 franchised center locations throughout the United States." .. so it's not super wide-spread. Only 1% of their locations? I think it would be interesting to pick ANY national retail operation and see if malware could be found on LESS than 1% of their systems.

    It also only impacts particular The UPS Stor

  • each store is a independent computer node and not all are interconnected. That indicates to me that it almost has to be an insider/employee/contractor travelling from store to store implementing the malware ? It seems unlikely that a hacker group could/would have the organization to get around to that many states/stores.

    • Nah, an infected USB key would do it. So would a phishing attempt that most people ignored. UPS stores are franchise operations, so it's not too hard to imagine something like this slipping through the cracks for a tiny percentage of the stores.

  • The sad thing is EMV chipped cards won't even fix this or the target breach. Malware can still get the card info even if you authenticate the card. Someday in a few years when most in person transactions are EMV enabled, the card-present fraud ( fake card used in person ) will drop significantly, but unless the credit card companies allow you to deny all card-not-present and non-EMV transactions it won't fully work. I want one card that I use for EMV only that has no other capability and another that I use

"I'm not afraid of dying, I just don't want to be there when it happens." -- Woody Allen