BookaTrack Scam
Discussion
I got a text from a random number, the link took me to a page with all my details on it, but asked for mother's maiden name, credit card numbers etc, which rang alarm bells. Got a warning text from the real BaT 2 hours later, saying it was a scam, email to follow, but no email yet. Guess their database has been hacked.
Safe to say that was one of the most stressful days of my life so far. 12 hours of solid emails and live-chat and still got a full inbox to face tomorrow.
Posted an update to our website for anyone who's interested/affected:- http://www.bookatrack.com/blog/view/89
Jonny

Sorry but sigs not allowed.
Edited by Big Al. on Friday 15th May 22:22
jonnyleroux said:
Safe to say that was one of the most stressful days of my life so far. 12 hours of solid emails and live-chat and still got a full inbox to face tomorrow.
Posted an update to our website for anyone who's interested/affected:- http://www.bookatrack.com/blog/view/89
Jonny
BaT
Why were you storing old data on a site you apparently weren't using any more?
What have you put in place to make sure it doesn't happen again? You mention that passwords are encrypted using MD5: how? Are they salted?
You mention penetration testing and PCI DSS compliance. What penetration testing have you done? What have you done to re-certify your PCI DSS compliance? (PCI DSS is a fairly easily attainable standard which I presume your site already complied with; it's pretty hard not to.)
Are you still storing partial card details after processing? If so, why? Why were you storing them before?
ETA: you mention you have previously done pen testing and PCI DSS compliance, so I take this to mean you've not done this since the hack?
I don't want to come across as difficult, but your statement says very little and I'd like to understand what you've done now to make sure this doesn't happen again, beyond saying "our current site is secure so it won't happen again".
Edited by Silent1 on Tuesday 7th April 00:42
Got a text at 12:52 yesterday, and any email must have gone to an old email address anyway.
I went to the website - using a W7 VM on my Mac I use for plausible deniability - to see what it was about. Details showed a very old credit card number and was asking for me to update it, provide mother's maiden name and my bank details.
Contacted Jonny straight away and he mentioned he had his hands full.
apologies all - posting to the numerous forums I frequent is not high on my list of priorities at the moment unfortunately but I am aware that forums are a two-way medium for us and will endeavour to update when I get a bit more time.
Many thanks to all those who have offered support (both moral and technical). Sarah and I have had 36 hours of utter hell and are now enjoying a quick glass of wine before heading to bed - ready to face another day of it tomorrow.
Jonny

Sorry but sigs not allowed.
Edited by Big Al. on Friday 15th May 22:22
I didn't get a scam text (maybe because I didn't register on the old site?), did get a text from the real BaT but not an e-mail.
MD5 is no longer considered a good choice for password hashing.
http://security.blogoverflow.com/2013/09/about-sec...
There is plenty of other info out there about it too.
TypeRTom said:
I didn't get a scam text (maybe because I didn't register on the old site?), did get a text from the real BaT but not an e-mail.
MD5 is no longer considered a good choice for password hashing.
http://security.blogoverflow.com/2013/09/about-sec...
There is plenty of other info out there about it too.
Yes, I'm afraid MD5 is no longer considered good enough. I've been involved in securing financial services websites recently and best practice is now to use something like SHA256 or better and, importantly, to "salt" the hash to defend against brute-force password crackers, rainbow tables and the like.
This article is illuminating for those of a technical bent https://crackstation.net/hashing-security.htm
Sorry to hear of your troubles, Jonny. I sincerely hate the hacking barstewards too. It sounds like you've done all you can.
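An added example to illustrate the password-storage points made in the two posts above (it is not code from the thread, from BookaTrack, or from the linked articles). It puts the three schemes side by side: a bare MD5 digest like the one the thread is discussing, the salted SHA-256 the previous reply describes, and, going one step beyond that reply, a salted and iterated PBKDF2-HMAC-SHA256 from the Python standard library. It also shows why the unsalted case is dangerous: a precomputed table of digests over a wordlist reverses it in one lookup, and two users who share a password get an identical stored value. The user records, wordlist and PBKDF2 iteration count are constructed for the demonstration and are assumptions, not values from the page.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Constructed sample data (not from the thread): two users who happen to
# share a password, and a tiny attacker wordlist.
USERS = {"alice": "Passw0rd!", "bob": "Passw0rd!"}
WORDLIST = ["password", "123456", "letmein", "Passw0rd!", "qwerty"]

# Assumption: a present-day work factor for PBKDF2-HMAC-SHA256; tune to your hardware.
PBKDF2_ITERATIONS = 600_000


def md5_unsalted(password: str) -> str:
    """Legacy scheme under discussion: one unsalted MD5 digest per password.
    Equal passwords give equal digests, and a precomputed table reverses them."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def sha256_salted(password: str, salt: bytes) -> str:
    """Scheme the reply describes: SHA-256 over a per-user random salt plus password.
    The salt defeats precomputed tables, but one fast hash per guess is still cheap
    for a GPU cracker, which is why an iterated KDF (below) is preferred."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256. The stored string carries its own
    parameters so the iteration count can be raised later without a reset."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time
    so the comparison does not leak how many leading bytes matched."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


def crack_with_table(stored_md5: str, wordlist=WORDLIST) -> Optional[str]:
    """The rainbow-table idea in miniature: precompute MD5 for a wordlist once,
    then reverse any unsalted digest with a dictionary lookup. With a per-user
    salt the table would have to be rebuilt for every salt value."""
    table = {md5_unsalted(word): word for word in wordlist}
    return table.get(stored_md5)


def leaks_password_reuse(scheme: Callable[[str], str]) -> bool:
    """True if two users with the same password end up with the same stored value,
    i.e. the store itself reveals which accounts share a password."""
    stored = [scheme(pw) for pw in USERS.values()]
    return stored[0] == stored[1]


if __name__ == "__main__":
    digest = md5_unsalted(USERS["alice"])
    print("unsalted MD5:", digest, "-> cracked as", crack_with_table(digest))
    print("MD5 leaks reuse:", leaks_password_reuse(md5_unsalted))
    print("salted SHA-256 leaks reuse:",
          leaks_password_reuse(lambda pw: sha256_salted(pw, os.urandom(16))))
    record = pbkdf2_hash(USERS["alice"])
    print("PBKDF2 record:", record)
    print("verify correct:", pbkdf2_verify("Passw0rd!", record),
          "verify wrong:", pbkdf2_verify("Passw0rd", record))
```

Note that the stored PBKDF2 string self-describes its parameters; that is what lets a site raise the iteration count on next login instead of forcing a password reset, which is the practical reason to pick an iterated KDF over a single salted hash.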