
My Two Cents

Posted: Sun Jun 17, 2012 8:53 pm
by Dracus
Been doing a lot of reading and decided to finally put in my two cents.

A little about me first. I have been an IT professional for 25 years: a web developer, client-side programmer and database administrator, to name a few. I have worked for Global Fortune 500 companies, mom and pop shops and mid-range companies. I have extensive knowledge of PCI Compliance and web security. With this in mind, I think I have some words to ease some concerns and shed some light.

With regards to Credit Card Data, all comments suggest VW was using a third party company to process credit cards. From a PCI Compliance standpoint (rules and testing standards for companies accepting credit cards) this is the most secure way. The third party company uses a reviewed and approved page/code to encrypt and transmit data to their servers. This does not allow the origin company such as VW to hold or retain that data. When the transaction completes, a company like VW would only be given the last four of the card number and a trans ID in the return message from the third party. This allows you to tie the credit card charge through the third party's website in case there was an issue or need to refund. In my experience, I have never seen the third party site ever display the CC number on their site, but I know it exists on their servers. If Igor or VW had an ID and password to the third party site and your trans ID, feel confident they cannot see your CC number. The last four allows Customer Service to confirm with you about the charge and card used, in case you have more than one, without involving the third party company.

With regards to everything else, here is what it all sounds like to me:

Igor, for planning and forethought, devised a fairly ingenious plan well in advance of this shutdown. He took into account flaws in the VW management and oversight.
It sounds like in April he was able to use his position as webmaster to change a page on the site, thus creating a legal loophole with regards to pictures and content. My comment about lack of oversight is evident because a change could be made to the website and posted without notice or knowledge of management or legal. In a small mom and pop this is plausible, but usually some customer reads the fine print and complains. Complaints should have gone to Igor's boss and not Igor as webmaster, which I guess happened. Otherwise they would have caught on sooner.

The important point here is April. As many in the IT field will tell you, we maintain backups. Some will maintain permanent backups and some will use rolling backups (where they overwrite the old data with new). My guess is Igor controlled the backups on the SQL and had the ability to ensure the Login table was not backed up for the rolling period. When I was the webmaster for the small mom and pop, I controlled the web and SQL. It would be a simple change and not easy to catch until too late. Backup notices would read successful but not tell you that a certain table in the set was skipped. On his way out, he could have corrupted the login table. This would make it so VW techs could not restore the data for logins.

As with a lot of programmers, redundant code is often programmed into DLLs (compiled code) on the site. They are registered on the server and not typically seen in the website, but could be written in a way as to provide the basic constructs of the site. If Igor took the DLLs, he could effectively have taken down the site. Troubleshooting lost DLLs and trying to determine their source code is a royal pain and could explain why VW staff is working a lot of OT trying to fill the holes and get the site back up. It may also explain why they are modifying the site. Some holes are so big they need to insert brand new code, which changes the basic structure of the site. I don't envy them if true.

Here is the only case where I would be concerned. PCI Compliance is typically every quarter for a company of their size. I assume their compliance check was in March/April. The next check would be in June/July. See a trend? I would be concerned about any CC transactions made between April and June. Although you cannot break the encryption easily (I think beyond Igor's skill), he could potentially modify the code to allow for buffering and pulling of the entered CC number fields. This would not be caught until the next PCI Compliance or random check of the site.

If I were you, I would watch your online statements for your CC like a hawk. If I were VW and wanted to make brownie points with your members, I would suggest you do like other companies when there is a potential for CC or identity theft: purchase 6-month or one-year protection for the clients who purchased in those months, at least.

That's my two cents for what it is worth.
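A defender-side check tied to two points above (a merchant should only ever hold the last four plus a transaction ID, and modified checkout code could capture full card numbers): this is an added Python example, not code from the original post or from VW, that scans constructed log/database records for full card numbers using a Luhn check and reports any hits masked to the last four.

```python
import re

# Constructed sample records (not real data). Rows 1 and 3 are what a merchant
# should hold: last four + transaction ID. Rows 2 and 4 contain a full PAN
# (row 4 with spaces, as a buffered form field might log it). Row 5 is a
# 13-digit reference that fails Luhn and must not be flagged.
SAMPLE_RECORDS = [
    "order=1001 last4=4242 txn=TX-8831 status=approved",
    "order=1002 card=4111111111111111 exp=09/14 status=approved",
    "order=1003 last4=1881 txn=TX-8832 status=declined",
    "order=1004 debug: buffer=5500 0000 0000 0004 txn=TX-8833",
    "order=1005 ref=1234567890123 txn=TX-8834",
]

# 13-19 digits, optionally separated by single spaces or hyphens,
# not glued to surrounding digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Standard Luhn mod-10 check over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(line):
    """Return the full-PAN candidates in a line that pass Luhn."""
    found = []
    for m in CANDIDATE_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan):
    """Keep only the last four, which is all the merchant should retain."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_records(records):
    """Return (record number, masked PAN) for every record holding a full PAN."""
    return [(idx, mask_pan(pan))
            for idx, line in enumerate(records, 1)
            for pan in find_pans(line)]


if __name__ == "__main__":
    for idx, masked in scan_records(SAMPLE_RECORDS):
        print(f"record {idx}: full card number present ({masked})")
```

Run against the merchant's own logs, database exports and backups: any hit means card data is being retained somewhere it should not be.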

Re: My Two Cents

Posted: Sun Jun 17, 2012 9:19 pm
by VWPublicRelations
Dracus wrote: Been doing a lot of reading and decided to finally put in my two cents.

WOW! I am so impressed. Are you looking for a job by any chance?
But you are right about CC transactions: VW never saw them, and I doubt that ***** had any way to access them after his departure either.
***** definitely stole just what he needed to divert traffic. We will bring him to justice, but for now we have far better things to think about, and that is the AMAZING SITE THAT IS COMING BACK!

Re: My Two Cents

Posted: Mon Jun 18, 2012 3:53 am
by DarknLadyJedi
Great info!

And now I would say people who purchased in that time frame may want to be concerned about their cards. Igor may, or may not, have been able to pull that off, but Igor definitely knows people who could.

Re: My Two Cents

Posted: Mon Jun 18, 2012 5:03 am
by davao
WoW!

Thanks for the info.

Good thing I didn't renew right away. Maybe someone was watching over me. lol!

Hope the waiting will be worth it. Please hurry up!

Re: My Two Cents

Posted: Mon Jun 18, 2012 8:12 am
by TheLustyTexan
Fantastic post!

Re: My Two Cents

Posted: Mon Jun 18, 2012 9:16 am
by Dracus
Thanks but very well employed at the moment. Just missing Vienna pics.

Re: My Two Cents

Posted: Mon Jun 18, 2012 11:26 am
by rugrollers
That was worth a lot more than two cents, Dracus.

I must have missed it yesterday.

People should really read this.

Re: My Two Cents

Posted: Mon Jun 18, 2012 12:37 pm
by cerebio
Good information! Thanks!

Re: My Two Cents

Posted: Mon Jun 18, 2012 2:22 pm
by DarknLadyJedi
housemd wrote: 2nd thing, I am sure we will find out the true owner of the site.

3rd I am also sure we will find out who really hijacked it.

I'd really like to know that second thing myself. I'd also like Igor to explain how, if the registrar wasn't JA, no one bothered to change the passwords back after it was hijacked.