October 23, 2014

In the interests of full disclosure: Sourcebooks — the company that on Nov. 18 is publishing my upcoming book about organized cybercrime — disclosed last week that a breach of its Web site shopping cart software may have exposed customer credit card and personal information.

Fortunately, this breach does not affect readers who have pre-ordered Spam Nation through the retailers I’ve been recommending — Amazon, Barnes & Noble, and Politics & Prose.  I mention this breach mainly to get out in front of it, and because of the irony and timing of this unfortunate incident.

From Sourcebooks’ disclosure (PDF) with the California Attorney General’s office:

“Sourcebooks recently learned that there was a breach of the shopping cart software that supports several of our websites on April 16, 2014 – June 19, 2014 and unauthorized parties were able to gain access to customer credit card information. The credit card information included card number, expiration date, cardholder name and card verification value (CVV2). The billing account information included first name, last name, email address, phone number, and address. In some cases, shipping information was included as first name, last name, phone number, and address. In some cases, account password was obtained too. To our knowledge, the data accessed did not include any Track Data, PIN Number, Printed Card Verification Data (CVD). We are currently in the process of having a third-party forensic audit done to determine the extent of this breach.”

So again, if you have pre-ordered the book from somewhere other than Sourcebook’s site (and that is probably 99.9999 percent of you who have already pre-ordered), you are unaffected.

I think there are some hard but important lessons here about the wisdom of smaller online merchants handling credit card transactions. According to Sourcebooks founder Dominique Raccah, the breach affected approximately 5,100 people who ordered from the company’s Web site between mid-April and mid-June of this year. Raccah said the breach occurred after hackers found a security vulnerability in the site’s shopping cart software.

Shopping-Cart-iconExperts say tens of thousands of businesses that rely on shopping cart software are a major target for malicious hackers, mainly because shopping cart software is generally hard to do well.

“Shopping cart software is extremely complicated and tricky to get right from a security perspective,” said Jeremiah Grossman, founder and chief technology officer for WhiteHat Security, a company that gets paid to test the security of Web sites.  “In fact, no one in my experience gets it right their first time out. That software must undergo serious battlefield testing.”

Grossman suggests that smaller merchants consider outsourcing the handling of credit cards to a solid and reputable third-party. Sourcebooks’ Raccah said the company is in the process of doing just that.

“Make securing credit cards someone else’s problem,” Grossman said. “Yes, you take a little bit of a margin hit, but in contrast to the effort of do-it-yourself [approaches] and breach costs, it’s worth it.”

What’s more, as an increasing number of banks begin issuing more secure chip-based cards  — and by extension more main street merchants in the United States make the switch to requiring chip cards at checkout counters — fraudsters will begin to focus more of their attention on attacking online stores. The United States is the last of the G20 nations to move to chip cards, and in virtually every country that’s made the transition the fraud on credit cards didn’t go away, it just went somewhere else. And that somewhere else in each case manifested itself as increased attacks against e-commerce merchants.

If you haven’t pre-ordered Spam Nation yet, remember that all pre-ordered copies will ship signed by Yours Truly. Also, the first 1,000 customers to order two or more copies of the book (including any combination of digital, audio or print editions) will also get a Krebs On Security-branded ZeusGard. So far, approximately 400 readers have taken us up on this offer! Please make sure that if you do pre-order, that you forward a proof-of-purchase (receipt, screen shot of your Kindle order, etc.) to spamnation@sourcebookspr.com.

Pre-order two or more copies of Spam Nation and get this "Krebs Edition" branded ZeusGard.

Pre-order two or more copies of Spam Nation and get this “Krebs Edition” branded ZeusGard.


40 thoughts on “‘Spam Nation’ Publisher Discloses Card Breach

  1. Allan Jude

    I thought the PCI-DSS specifically disallowed the storing of the CVV2 data specifically for this purpose.

    The CVV2 is NOT to be stored, so that when a breach happens, the malactors do not have the CVV2, and cannot perform new online transactions where a CVV2 is required.

    The entire point was to enhance the security of online transactions, and prevent these types of database breaches from causing so much harm.

    1. Joe

      It’s possible to get the CVV2 data, even if it’s not being stored by the merchant. For example, a persistent XSS vulnerability could allow an attacker to run a Javascript keylogger in the context of your browser, and forward your keystrokes to a remote server. Something similar would also be possible if the server was owned, since source code could have been altered to do something similar.

  2. NotMe

    Wow 4 9’s, so who was the unlucky purchaser?
    I did have to go and check to see that I had used Amazon, 4 9’s leaves some room.

    Ironic Indeed.
    But also amusing, Thanks for the heads up.

  3. pookie

    Brian, just wondering if you were notified by the publisher, or by another source?

  4. David Longenecker

    4 9s means at least a million units … best seller before it is even published? All in good fun – I’m sure you mean 99.9999% in the figurative sense 🙂

    Nice job staying ahead of this before someone else took advantage of the association.

    1. silly math

      Or it could just be simple math, as in a percentage.

  5. Tom

    Brian, do you have any reason to believe (however unfortunate) that the target on your back drove the perpetrators to Sourcebooks? I would imagine there are a number of publishers out there with vulnerable credit processing systems….why Sourcebooks, and why now?

    Basically, I’m highlighting the irony you mentioned in the article. Thoughts?

  6. Dean

    Interesting read.

    FWIW, in the last paragraph of the article, you call your new book “Span Nation”.

  7. Jeff Man

    The BIGGEST problem with shopping cart software is that it is technically a PAYMENT APPLICATION and yet it is rarely subjected to the PAYMENT APPLICATION DATA SECURITY STANDARD for one of two reasons

    1. is is developed in-house, or
    2. it is commercially developed for a specific client (commonly referred to as “BESPOKE”)

    Both instances of software are excluded from being subject to PA-DSS. The fallback is to revert to PCI DSS, but how often does that happen?

  8. Tom

    “So again, if you have pre-ordered the book from somewhere other than Sourcebook’s site…you are unaffected.”

    That should probably read “By this particular breach” given how often it’s happening lately…

  9. Dan Kuykendall

    To Allan Jude’s comment about the CVV2 data, and to Jeremiah’s point, this is hard stuff to do for smaller retailers. They are almost always better off using another web service (such as paypal) to handle the credit card processing. Small shops trying to do it all on their own will always struggle, and as a shopper I want to support small shops, but also limit those that are trying to do everything themselves.

    1. Jason

      Even for medium-sized businesses, this makes a lot of sense. Working at a regional electric utility we pushed to have a hosted payment system for both our Web and IVR systems. It actually cost us nothing more, and we have nothing to do with PCI-DSS except to train our CSRs never to touch a customer credit card (which includes assisting old people with trying to dial our IVR payment system). No, we don’t accept CCs via over the counter – we direct customers to pay either online or via IVR (phone). We only take cash or check over the counter. One of our unstated goals is to never make it in the paper, and as far as CC fraud goes, we never will because we never accept or touch CCs.

      1. Jeff Man

        Jason,

        Your company IS still responsible for PCI DSS. Based on what you are stating, you should be filling out an SAQ-A. Now, your involvement is minimal, but you should be validating that the third party(ies) that are providing your web payment and IVR payment systems are themselves PCI compliant (they are Service Providers). There is actually a provision within SAQ-A that allows for some paper copies of card data to exist (invoices, hand receipts, notes, etc.) but mostly you are validating on an annual basis that you don’t touch any electronic form of payment card data. It’s great when you can outsource – but then Jimmy John’s thought the same thing…and look what happened to them.

    1. sven

      just from looking at their checkout page it seem to be cs-cart.

      1. Jonathan E. Jaffe

        sven wrote Sourcebooks is using cs-cart software.

        a) How many sites use that software?
        b) How many of them have the same vulnerability?
        c) How many of the vulnerable sites have been compromised?

        The reason for processing web orders in house is the same for many decisions … money. The cost savings for doing it yourself is compared to outsourcing.

        Missing from this analysis is the expected cost for a breach where EV=p(e) x v(e) where p(e) is the probability of the event and v(e) is the value of the event. The product is the “expected value” of the event.

        If you don’t do it yourself the probability of you being breached and exposing consumer financial information is zero. The probability of your contractor being breached is another question, so make sure they (not you) are contractually responsible for those costs.

        If a company does do it themselves the value (expressed as a negative number or a cost) of a breach is high, and we hope the probability of a breach is low. Small companies generally can’t afford large I/T budgets which, as we’ve seen all too frequently, are no guarantees of security.

        Add the EV(breach) to each cost and the cost of outsourcing might be more attractive.

        Jonathan @nc3mobi

  10. Todd Vierling

    I note that you haven’t mentioned Google Books (Google Play Store) in your list of retailers now or previously, and I did order through that venue for my own convenience.

    Is the author’s cut of the retail price from Google Play that much lower than Amazon, for instance? (I’m actually curious, as this would impact many small indie authors whom I’d like to support as much as possible.)

  11. Carma B

    More”bad” news to come i think .How about hacking a printing shop it was printed at and change couple of pages to something “Fresh and interesting ” ???

  12. TheOregnoRouter.onion.it

    You need to bring your book tour to sunny Daytona Beach Florida. I need to pre-ordered that book.

    Good article by the way :–)

  13. Infosec Pro

    Iroic, yes, but the timing and targeting seem unlikely to be mere coincidence. It will be interesting to see what (if anything) the forensics team can learn about the perpetrators of the breach. Hopefully you’ll be able to get some inside information instead of the usual close-lipped law enforcement silence.

  14. Chriz

    Unencrypted credit card numbers? Storing CVV2?

    Sounds like no one at Sourcebooks has been reading your blog Brian 😉

    How sad: This risk could have been greatly reduced by using one of the many payment processor out there…

    What’s next for Sourcebooks? Lawsuits? Heavy fines or higher fees? That’s gonna hurt.

  15. Jeff

    Really looking forward to this book. Difficult to find good books on Cybercrime. Kingpin, Takedown, and the Cuckoo’s Egg are my favorites.

  16. JD

    Personally, I always use “Virtual Card Numbers” (Citibank’s name for tokenization) when making online purchases. The ‘virtual’ card number works for only one merchant and therefore cannot be used again or sold by criminals, and of course provides a gap between it
    and my ‘real’ static payment-card number.

    Apple Pay & Google Wallet are the physical versions of tokenization technologies that have existed for years.

  17. Katrina L.

    How ironic…this is quite the headline! Luckily for most buyers, Sourcefire was not where purchases were made.

  18. Nick Jr

    How can emails stored on some third party servers be secure? Binfer bypasses email storage servers. This is the best way to send secure email. The link is http://www.binfer.com.

  19. Peter

    Man, who handles their own payments anymore? I can’t imagine not outsourcing to a dedicated substantial, well-regarded payment company, which implies security measures.

    1. s7

      I thought this was going to be a Confucius quote…

      Man who handles own payments
      Loses much money

  20. Maria

    It is still possible to pay with your Mastercard with no signature NeXT to the magnetic stripe and later find out, that your Mastercard payment ended up as an illegally activated account with Paypal – and you find out that EU Law dictates the Paypal “Man-in-the middle” to be registered as a bank in Luxenburg. So – consequently – your data and transactions are suddenly stored in a different server – than the one “safeguarded” by your own bank. I live in a ham nation but look forward to read about the Spam nation.

  21. JATny

    Poor Brian, your fans still love you. What a bunch of losers, the thieves not the publisher! Don’t feel bad. A soldier on the front lines of a war is bound to get hit with something sometime. Could have been worse. Maybe you can use it in your next book. You’re still the best source of super information out there on cybercrime. We who depend on you, salute you, and we’ll just send a 3rd-finger salute to the guys who breached your publisher. !!

  22. Ron

    Although I pre-ordered the book through Amazon, I also signed up for the autograph plate. I cannot remember with whom I signed up for the autograph plate but am wondering if any PII is at risk due to this breach and it’s impacting the autograph plate requests? Thanks!

  23. ADMIN33

    from what I have read banks are not going to have to fight harder for disputes….its the merchants…..or else the banks simply wont change to those cards….why would they have to fight harder for a repayment for fraud on a new product? no inspiration for upgrade there…

    if the merchants are NOT in compliance with readers and new card technology….they will pay for the fraud. funny part is visa and mc are moving away from paying for fraud through compliance….read those NEW card agreements closely.

    1. ADMIN33

      sorry that post was for the article..
      “Replay’ Attacks Spoof Chip Card Charges”

    2. Jonathan E. Jaffe

      Admin33 – regardless of whose pocket comes the money, in the end we consumers pay the bills.

      Some merchants have small profit margins and passing that expense on to consumers could drive them away. This is one of the reasons for the creation of MCX.

      Instead of making fancier and more expensive locks we need a change in approach to denying crooks their prize by keeping the confidential consumer credentials out of transactions transmissions to providers. What merchants don’t have crooks can’t steal.

      Jonathan @nc3mobi

  24. AnchorJack

    As of 9 a.m. today, Nov. 18th, Powell’s Books in Portland was sold out of “Spam Nation”. Advised them to order more ASAP.

Comments are closed.