SA credit cards hacking - PayGate accepts responsibility

The security breach occurred because the IT company, which processes credit card transactions for online retailers, including Woolworths, did not encrypt these details correctly.

Ouch.

Makes me glad I don't work in financial IT...
 
Hope whoever was responsible for overseeing the project gets sacked.
Poor project management and planning, if you ask me.
 
Standard Bank have called me twice this past week to double-check card transactions on the internet (iTunes and a British book store). I wonder how many people they're having to do this with?
 
Hmmm... will now be extra careful with any site that uses PayGate.
 

Standard Bank red-flagged all the current CCs and said they will check for suspicious payments.
Personally I prefer ABSA's method.... stop all those cards (for online purchases) and reissue the lot of them (those that appeared on the database).


I wonder if/when they will fix that booboo.
 
Avoid buying via PayGate, i.e. Woolies, Yuppiechef, until this is resolved. I'm still waiting to find out if this affects CCs that are not ABSA, FNB, STD or Nedbank.
 

It will affect all VISA and MasterCard CCs..... (and probably whoever else PayGate accepts)
 
Personally I prefer ABSA's method.... stop all those cards (for online purchases) and reissue the lot of them (those that appeared on the database).
+1

Quite surprised that FNB did not react in the same manner as they are generally very quick to react on Fraud.
 
Just stop using PayGate. Stop all cards affected. Problem solved?
 
And no-one is questioning why a payment processor like PayGate does not comply with PCI-DSS. They should have had a QSA as well as periodic security scans. Neither PASA nor any of the banks and card companies have an issue with this and just brush it under the table? No consequences for anyone at fault?

One of the many (but most important) PCI standards is that cardholder information must not be stored unencrypted. The CVV must not be stored at all - can't get simpler than that, but yet credit card information is leaked in full and obviously with the CVV, otherwise fraudulent transactions could not have taken place.
 

See my post here:
Hope whoever was responsible for overseeing the project gets sacked.
Poor project management and planning, if you ask me.
I emphasised their lack of encrypted details in another thread somewhere too.

It's pathetic that they didn't secure the content...
 

If memory serves, in the original post it said that the details were not encrypted to PASA's standards implying that they were not left unencrypted for all to see, but rather that they were encrypted using a possibly insecure method.
 

Could very well be, but PCI standards make it very clear how card details should be encrypted, and what information should and should not be stored. So for example, it is not permitted to store the CVV, and without it fraud cannot be conducted.

Also server security and access controls are very well defined/regulated within PCI standards - it is really a "simple" checklist you tick off. So aside from not having encrypted details properly, storing the CVV and then also being slack on access controls to servers, all very questionable. I guess a simple aspect would have just been to have SSH access with secure keys and access to servers only from dedicated IPs / VPN.
 

I'm not saying that they were irresponsible and not to blame, because obviously they were. It's just unfair in my opinion, to accuse them of something as ludicrous as keeping credit card details as clear text if they didn't actually do that. They absolutely dropped the ball on other aspects though.
 

I used to have a client in a related field, and it was considered enough by one customer if we used XOR to "encrypt" the data. As long as it wasn't in plain text.
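Two points raised in this thread deserve a concrete illustration: the "XOR as encryption" anecdote in the post above, and the earlier point that the CVV must never be stored and the PAN must not sit in readable form. The following Python is an added example, not code from any poster, from PayGate or from PASA; the 8-byte key, the two database rows and the HMAC lookup key are constructed for the demonstration, and the PANs are the standard Luhn-valid test numbers, not real cards. It shows that one customer who knows their own row (plaintext and ciphertext) recovers a repeating XOR key and decrypts every other row, and, for contrast, a `sanitize_record` that keeps only a masked PAN, a keyed lookup token and the expiry, which is one common tokenisation approach (an assumption here, not a statement of what PayGate should have deployed; a real system holding full PANs needs a proper cipher and key management on top).

```python
"""Repeating-key XOR on card data is not encryption; and what a
PCI-DSS-minded record keeps after authorisation.

Constructed data only: test PANs (Luhn-valid, not real cards), an
invented key and invented rows. Standard library only.
"""
import hashlib
import hmac
from itertools import cycle

TEST_KEY = b"s3cret!!"  # invented 8-byte repeating key for the demo

# Constructed 'database' rows in the worst layout discussed above: PAN|expiry|CVV
RAW_ROWS = [
    "4111111111111111|12/26|123",  # Visa test PAN
    "5555555555554444|03/27|456",  # Mastercard test PAN
]


def luhn_ok(pan: str) -> bool:
    """Luhn check digit: the cheap sanity test on a recovered PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def xor_encrypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; decryption is the same operation."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_xor_key(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Recover a repeating XOR key from one known plaintext/ciphertext pair.

    XORing the pair yields the keystream; its shortest period is the key.
    Needs a known plaintext at least twice the key length to be unambiguous.
    """
    stream = xor_encrypt(ciphertext, known_plaintext)
    for period in range(1, len(stream)):
        if all(stream[i] == stream[i - period] for i in range(period, len(stream))):
            return stream[:period]
    return stream


def break_xor_database(ct_rows, known_index, known_plaintext):
    """One customer who knows their own row decrypts everyone else's."""
    key = recover_xor_key(ct_rows[known_index], known_plaintext)
    return [xor_encrypt(row, key).decode() for row in ct_rows]


def mask_pan(pan: str) -> str:
    """PCI-DSS allows at most the first six and last four digits to show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def sanitize_record(raw_row: str, hmac_key: bytes) -> dict:
    """Keep only what may be retained post-authorisation: a masked PAN plus a
    keyed token for lookups (assumed tokenisation approach). The CVV is
    dropped on the floor; it is never written anywhere."""
    pan, expiry, _cvv = raw_row.split("|")
    return {
        "pan_masked": mask_pan(pan),
        "pan_token": hmac.new(hmac_key, pan.encode(), hashlib.sha256).hexdigest(),
        "expiry": expiry,
    }


def demo():
    """Returns (rows leaked via XOR key recovery, rows as they should be stored)."""
    ct_rows = [xor_encrypt(r.encode(), TEST_KEY) for r in RAW_ROWS]
    # The attacker is customer 0 and knows only their own record.
    leaked = break_xor_database(ct_rows, 0, RAW_ROWS[0].encode())
    safe = [sanitize_record(r, b"lookup-hmac-key") for r in RAW_ROWS]
    return leaked, safe


if __name__ == "__main__":
    leaked_rows, safe_rows = demo()
    for row in leaked_rows:
        print("recovered:", row, "luhn ok:", luhn_ok(row.split("|")[0]))
    for rec in safe_rows:
        print("stored   :", rec)
```

The point of `recover_xor_key` is that no brute force is involved: the period of the keystream falls out of a single known record, which any customer of the processor has. `sanitize_record` is the opposite discipline: the row cannot leak a CVV because the CVV is never part of it, and the masked PAN plus token is enough for refunds and duplicate detection without a full card number on disk.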
 