Old 01-12-2016, 09:51 PM   #15
PandaSPUR
Quote:
Originally Posted by Ashikabi View Post
Ft86 speed factory probably didn't know until the claims started rolling in
This. A lot of breaches go unnoticed until one of the credit reporting agencies, or the credit card companies notice that a bunch of people making fraudulent charge claims have made purchases at one common retailer.

At that point, the retailer gets notified and has a certain amount of time to investigate and remediate (usually hiring a third party consulting firm) as per PCI standards. They have to identify all affected customers, and then notify them AFTER they're confident they have all the names. At that point they also get fined based on how many card numbers were compromised.

Usually they're not allowed to, or are advised against, sending mass notifications that their site is breached immediately since that tips off the attackers as well and makes investigations harder.
The Following 3 Users Say Thank You to PandaSPUR For This Useful Post:
DAEMANO (01-13-2016), ScoobsMcGee (01-12-2016), soulreapersteve (01-12-2016)
Old 01-12-2016, 10:08 PM   #16
ScoobsMcGee
Quote:
Originally Posted by PandaSPUR View Post
This. A lot of breaches go unnoticed until one of the credit reporting agencies, or the credit card companies notice that a bunch of people making fraudulent charge claims have made purchases at one common retailer.

At that point, the retailer gets notified and has a certain amount of time to investigate and remediate (usually hiring a third party consulting firm) as per PCI standards. They have to identify all affected customers, and then notify them AFTER they're confident they have all the names. At that point they also get fined based on how many card numbers were compromised.

Usually they're not allowed to, or are advised against, sending mass notifications that their site is breached immediately since that tips off the attackers as well and makes investigations harder.
Sums up most of what I wanted to say. It is possible that they'll still respond to a post or two now that the word is out, but there are legal obligations to send notification to the affected customers first. As for snail mail versus email, in addition to possibly compromising any investigation, street addresses are generally more reliable. Fake email addresses and junk mail filters can get in the way. The credit card companies have a valid mailing address or PO box.
Old 01-12-2016, 10:12 PM   #17
N1rve
Good thing I use a proxy card
__________________
N1rve

2019 BMW ///M4 - Alpine White | Sakhir Orange/Black Leather | M-DCT | Executive Package | 19" Black 437M Wheels | Carbon Fiber Trim | Sunroof | Active Blind Spot | Heated Steering Wheel | Adaptive M Suspension
Old 01-12-2016, 10:18 PM   #18
Teseo
Call me old school but I still use money order for that kind of crap
Old 01-12-2016, 11:13 PM   #19
KR-S
I just now got my letter. Good thing I already have a new card.
Old 01-12-2016, 11:45 PM   #20
soulreapersteve
Received the letter yesterday and went to the CU to request a new card right after reading it.

That explains the weird call I received a few months back that there was suspicious activity originating from France (even though these guys had a Russian IP address) regarding my first card - after 5 years of green pastures.

Will I stop buying from them? Things may have changed since I initially was looking into cyber security but the mantra goes: "places are more secure after an attack than before".

However, I'm done with major purchases for the car besides consumables.
__________________
Quote:
Originally Posted by Tcoat View Post
Hey, you're the one asking me to shove a turbo engine in my pants.
The Twins make me smile
Old 01-13-2016, 12:48 AM   #21
N1rve
Quote:
Originally Posted by soulreapersteve View Post
Received the letter yesterday and went to the CU to request a new card right after reading it.

That explains the weird call I received a few months back that there was suspicious activity originating from France (even though these guys had a Russian IP address) regarding my first card - after 5 years of green pastures.

Will I stop buying from them? Things may have changed since I initially was looking into cyber security but the mantra goes: "places are more secure after an attack than before".

However, I'm done with major purchases for the car besides consumables.
I think that's the illusion that places are more secure after an attack. If you look at Lockheed Martin's Cyber Kill Chain, the first step is reconnaissance. We don't know how much information the cracker (Black Hat) collected. There could be even more attack vectors that they are unaware of and unexploited until later. Same goes for Chase, Target, Home Depot, Sony, etc.

Most cyber attacks are because of human error. That means opening E-mail attachments or clicking links. You can even be hacked by being sent a picture.

Besides, for a company like ft86speedfactory, they don't own their webserver which means they don't own the security of their site. Their web hosting is provided by 1and1.

Domain Name: FT86SPEEDFACTORY.COM
Registrar: 1 & 1 INTERNET AG
Sponsoring Registrar IANA ID: 83
Whois Server: whois.1and1.com
Referral URL: http://1and1.com
Name Server: NS-US.1AND1-DNS.COM
Name Server: NS-US.1AND1-DNS.DE
Name Server: NS-US.1AND1-DNS.ORG
Name Server: NS-US.1AND1-DNS.US
Status: ok http://www.icann.org/epp#OK
Updated Date: 21-mar-2015
Creation Date: 21-mar-2012
Expiration Date: 21-mar-2016

And I hope your password to this forum is different from your bank accounts. When you log in, it's using HTTP and NOT HTTPS, which means your password is NOT ENCRYPTED and can be viewed PLAIN TEXT.
The Following 3 Users Say Thank You to N1rve For This Useful Post:
nisti (01-14-2016), soulreapersteve (01-13-2016), Toyarzee (01-13-2016)
Old 01-13-2016, 12:51 AM   #22
whataboutbob
"And I hope your password to this forum is different from your bank accounts. When you log in, it's using HTTP and NOT HTTPS, which means your password is NOT ENCRYPTED and can be viewed PLAIN TEXT."

^this.
Old 01-13-2016, 12:59 AM   #23
KR-S
Quote:
Originally Posted by whataboutbob View Post
"And I hope your password to this forum is different from your bank accounts. When you log in, it's using HTTP and NOT HTTPS, which means your password is NOT ENCRYPTED and can be viewed PLAIN TEXT."

^this.
The question is, why are the passwords not encrypted in the first place? Is this a vBulletin issue?

And regarding the issue that FT86SF and possibly its sister site Subispeed don't own their own security, does that apply to their checkout page as well? If that's the case, then there probably wasn't much, if anything at all, that they could have done on their end to prevent this.
Old 01-13-2016, 01:09 AM   #24
Ultramaroon
Quote:
Originally Posted by N1rve View Post
your password is NOT ENCRYPTED.
How did you get my password?! Damn!
Old 01-13-2016, 01:15 AM   #25
PandaSPUR
lol alright.. calm down guys.

It is weird that passwords aren't sent over HTTPS. Doesn't mean that they're not encrypted when stored in the forum's database though. Transferring data over HTTP makes it interceptable if you're on an unsecured network like public wifi hotspots. It is recommended to use separate passwords for your more sensitive accounts though. (i.e. some rando miles away cannot just intercept your password that was sent over HTTP)

And just because the webserver itself is hosted by another company, doesn't mean that FT86SpeedFactory doesn't have any control over the security. More often than not, the security vulnerabilities come from unpatched software being used.

1and1 provides all kinds of web hosting services ranging from turn-key pre-built websites to "here's a server with port 443 and 80 open, deploy whatever you want". I'm assuming a site like FT86SpeedFactory would go with the latter option, meaning they would have full control over their security posture. Even if they did not, I'm sure whatever third-party service they hired to fix this breach would have recommended it.

Shit like this isn't 100% preventable, which is why credit cards have such good fraud protection and you can usually dispute and drop a charge instantly with a phone call. The company will likely get fined for whatever mistakes they made and be required to fix it. Nothing else we can do.
The Following User Says Thank You to PandaSPUR For This Useful Post:
Sarlacc (01-14-2016)
Old 01-13-2016, 01:17 AM   #26
N1rve
Quote:
Originally Posted by KR-S 86 View Post
The question is, why are the passwords not encrypted in the first place? Is this a vBulletin issue?

And regarding the issue that FT86SF and possibly its sister site Subispeed don't own their own security, does that apply to their checkout page as well? If that's the case, then there probably wasn't much, if anything at all, that they could have done on their end to prevent this.
I'm not sure how exactly vBulletin works, but it's most likely because they don't own an SSL certificate.

Also, their sister site is hosted by GoDaddy.

Domain Name: SUBIESPEED.COM
Registrar: GODADDY.COM, LLC
Sponsoring Registrar IANA ID: 146
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS1.MEDIATEMPLE.NET
Name Server: NS2.MEDIATEMPLE.NET
Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited
Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Updated Date: 17-sep-2015
Creation Date: 09-oct-2011
Expiration Date: 09-oct-2016

Quote:
Originally Posted by Ultramaroon View Post
How did you get my password?! Damn!
It wasn't me!!
The Following User Says Thank You to N1rve For This Useful Post:
KR-S (01-13-2016)
Old 01-13-2016, 01:24 AM   #27
PandaSPUR
Quote:
Originally Posted by N1rve View Post
I'm not sure how exactly vBulletin works, but it's most likely because they don't own an SSL certificate.

Also, their sister site is hosted by GoDaddy.

Domain Name: SUBIESPEED.COM
Registrar: GODADDY.COM, LLC
Sponsoring Registrar IANA ID: 146
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS1.MEDIATEMPLE.NET
Name Server: NS2.MEDIATEMPLE.NET
Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited
Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Updated Date: 17-sep-2015
Creation Date: 09-oct-2011
Expiration Date: 09-oct-2016



It wasn't me!!
I just looked at both sites. The WHOIS information is taken from DNS registrars. Looks like they're just using 1and1 and GoDaddy for the domain name. The servers are hosted by SingleHop, which is an IaaS provider. So FT86SF has full control over their servers.

EDIT:

Example for those who care:
Info for ft86speedfactory.com: http://www.tcpiputils.com/browse/dom...eedfactory.com
DNS info points to 1and1, IP is 65.60.44.147

Info for 65.60.44.147: http://www.tcpiputils.com/browse/ip-...s/65.60.44.147
ISP is SingleHop, Inc., WHOIS info for the IP itself points to SingleHop. The IP is also part of a whole block assigned to SingleHop. That page also states that "server2.subispeed.com" also resolves to this IP.

Blah blah blah light recon stuff.
Old 01-13-2016, 02:08 AM   #28
wtfrs
I was literally about to order some parts from them :/
 
All times are GMT -4.