
Delta: Data of ‘several hundred thousand’ customers exposed - kdazzle
https://www.seattletimes.com/business/delta-data-of-several-hundred-thousand-customers-exposed
======
jimktrains2
[http://time.com/5230288/delta-sears-data-breach-credit-cards...](http://time.com/5230288/delta-sears-data-breach-credit-cards/)
"Hackers may have accessed names, addresses, credit card numbers, CVV numbers
and expiration dates for “several hundred thousand” customers during that
time, according to the airline." You're 100% not allowed to save CVVs. I
really hope this is just bad reporting and not true. In fact, I think you're
even supposed to scrub CVVs from call center recordings!

~~~
craftyguy
Why are CVVs, a 3-digit number that would be trivial to brute force, the key
to unlocking access to a user's credit? Why don't we start with that problem
first?

~~~
mrguyorama
AFAIU, you cannot check whether a CVV is correct without pinging the company
that manages the card, and attempting to ping them on average 500 times per
card with different CVVs is not normal activity and should be blocked/shut
down. This is CC fraud prevention 101.

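An added example (not from the thread, and not any card network's code) of the issuer-side velocity rule described above: a sliding-window count of CVV mismatches per card run over constructed authorization log lines. The log format, the threshold of 3 and the one-hour window are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed issuer-side authorization log (not real data):
# "<ISO time> card=<token> cvv=<match|mismatch>"
SAMPLE_LOG = """\
2018-04-05T10:00:01 card=tok_1111 cvv=mismatch
2018-04-05T10:00:02 card=tok_1111 cvv=mismatch
2018-04-05T10:00:03 card=tok_1111 cvv=mismatch
2018-04-05T10:00:04 card=tok_1111 cvv=mismatch
2018-04-05T10:00:05 card=tok_1111 cvv=match
2018-04-05T10:00:06 card=tok_2222 cvv=match
2018-04-05T10:30:00 card=tok_3333 cvv=mismatch
2018-04-05T11:30:00 card=tok_3333 cvv=mismatch
2018-04-05T12:30:00 card=tok_3333 cvv=mismatch
2018-04-05T13:30:00 card=tok_3333 cvv=mismatch
"""

MAX_MISMATCHES = 3           # assumed: the 4th mismatch inside the window trips the rule
WINDOW = timedelta(hours=1)  # assumed sliding window


def parse_line(line):
    """Split one log line into (timestamp, card token, cvv_matched)."""
    ts, card, cvv = line.split()
    return (datetime.fromisoformat(ts),
            card.split("=", 1)[1],
            cvv.split("=", 1)[1] == "match")


def flag_cvv_enumeration(log_text, max_mismatches=MAX_MISMATCHES, window=WINDOW):
    """Return {card_token: timestamp at which the card was flagged}.

    Per card, keep timestamps of recent mismatches, evict those older than
    `window`, and flag the card once more than `max_mismatches` remain.
    A flagged card stays flagged, so the correct CVV that eventually
    arrives (tok_1111's fifth attempt) is still declined.
    """
    recent = defaultdict(deque)
    flagged = {}
    for line in log_text.splitlines():
        ts, card, matched = parse_line(line)
        if card in flagged or matched:
            continue
        q = recent[card]
        q.append(ts)
        while ts - q[0] > window:      # evict stale mismatches
            q.popleft()
        if len(q) > max_mismatches:
            flagged[card] = ts
    return flagged
```

tok_3333's four mismatches are spaced an hour apart, so they never exceed the threshold inside a one-hour window; widening the window to four hours flags that card too.
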
~~~
craftyguy
Ok, how about the fact that it's incredibly visible to begin with? It's being
used like a PIN, a PIN that's literally printed right on the card. Who writes
their debit card PIN on the back of their card?

~~~
dragonwriter
It's supposed to be used as proof that you have physical control of the card,
which is why it is on the card and not supposed to be stored.

It's not used “like a PIN” as a second factor with the physical card as the
first factor, it is used to make online and certain other uses of a card
equivalent to card-present transactions with no substantive second factor.

------
guitarbill
> The software company said it discovered and fixed the breach in October.

Disgusting. How was this buried for 6 months?

> The Atlanta-based airline said that it wasn’t sure whether customers’
> information was actually compromised by malware that it believes was in
> software used by (24)7.ai, which provided the airline with online chat
> services for customers, for about two weeks.

Your website, your liability. This is Delta's fault. By letting third-party
JavaScript execute on your webpage, that's basically a remote code execution
right there. That's like giving an outside company root on your database, or
domain controller. Maybe this will serve as a wake-up call for web devs,
instead of piling more and more terrible JS onto a page.

