Updated: 24.11.2002, 11:59:12.
disLEXia
lies, laws, legal research, crime and the internet
        

Monday, March 5, 2001

USA - Stripped-down cyber crime bill clears Senate committee

(Newsbytes) The Senate Judiciary Committee approved a stripped-down cyber crime bill that had money for education and research but left out many of the key enforcement and investigation powers that law enforcement groups wanted. [Quick Links Computercrime Cybercrime]

More on Bibliofind (RISKS-21.26)

Mere moments after sending my previous message, this landed in my mailbox. It still doesn't answer the question of why they were retaining any of this information in the first place; I've asked them why, but don't expect a response, since they'll presumably be deluged.

(Given that there seemed to have been no way, for example, to add or subtract a credit card [because there was no way to discover that Bibliofind knew about me as a particular user -at all-; it remembered my state on a couple of forms as I filled them out, but presumably forgot all about me as soon as the final form was submitted], and since not all booksellers accept all cards, one might have thought that Bibliofind wasn't keeping any of this information. This seems a great example of a site just hoovering up info for some ill-defined later purpose that they didn't need at all. When, oh when, will such sites learn that this behavior only serves as (a) a cracker target or (b) a way to waste money answering subpoenas?)

- - - Begin forwarded message - - -

Date: Mon, 05 Mar 2001 12:03:02 -0500
From: info@bibliofind.com
To: info2@bibliofind.com
Subject: Important Information from Bibliofind

Dear Bibliofind Customer:

Bibliofind has just learned of a security violation on its site that compromised the security of credit-card information used on Bibliofind's servers from last October through February 2001.

We have no information at this time to suggest that your credit card has been misused, but we wanted to notify you as a precautionary measure. We have been in contact with the federal law enforcement authorities on this matter, and we have also notified the appropriate credit card companies, so that they can take the necessary steps to protect the interests of any cardholders who may be affected.

If you have specific questions about your credit-card account, please contact the issuer of your credit card.

To ensure this doesn't happen again, we have removed all customer credit-card information, physical addresses, and phone numbers from Bibliofind's servers. We expect to bring the Bibliofind system back into operation shortly.

We apologize for any inconvenience this may cause you. You can contact us with questions at info@bibliofind.com.

Sincerely,

Bibliofind [Lenny Foner via risks-digest Volume 21, Issue 27]

Bibliofind exposes lots of credit card data they shouldn't have had

Bibliofind matches up people looking for used books, and book dealers who have them. Every time you use it to actually buy a book, you're forced to enter all of your name, address, CC info, etc, etc, and that's then sent to the book dealer. They didn't appear to actually keep any of this information around, given that it was never presented in the UI (e.g., as a pre-filled-in form, or something else useful).

So I'm especially appalled to have just read that my data, along with about 100K others' data, was perhaps being read for the last 4 months. See http://www.cnn.com/2001/TECH/internet/03/05/bibliofind/index.html

Not only did they -not- say they were keeping it (instead of just serving as a conduit), keeping it did nothing to make their customers' lives easier. So it looks like they got it wrong coming and going. Perhaps the press report got it wrong, and it was some sniffer-like attack instead, but it sure seems to imply that they had a big database hanging around that they didn't tell their customers about and which wasn't helping anybody, except to serve as a big fat target.

Feh. I guess we'll see if phantom charges appear on various cards. Not to mention perhaps enabling identity frauds of various sorts.

I can't get any info about this directly from Bibliofind at the moment, because their site is off the air. [Lenny Foner via risks-digest Volume 21, Issue 26]


Maximillian Dornseif, 2002.
 