
If you didn't cancel the credit card you used for linode.com, now is the time - ibudiallo
I have been a victim of procrastination. Since Linode was compromised, I promised myself I would cancel the credit card and get a new one. Well, I didn't; eventually I just stopped thinking about it.

On May 28 I checked my card account and saw multiple charges for large amounts (cash converters, groceries, cheese, and so on). Note this is all done overseas.

How do I know this is from Linode?

For my online transactions I use prepaid cards that are easy to dispose of, and this card was used solely for Linode.

Advice: If you are still on Linode and didn't cancel your credit card, well, you should.
======
mbesto
Please provide a little more evidence than starting a flame war. Although it
could in theory be true, it's a fairly baseless claim until you present a
little more evidence.

 _For my online transactions I use prepaid cards that are easy to dispose of,
and this card was used solely for linode._

Couldn't the online card issuer be to blame? How do _we_ know you haven't
mistakenly used it for anything else? The fact that you use prepaid cards for
online purchases seems fishy to me in the first place (which is just as
baseless of a claim on my part as yours is here).

 _groceries, cheese_

How do you use an online-generated CC for groceries and cheese??

From Linode:

 _Credit card numbers in our database are stored in encrypted format, using
public and private key encryption. The private key is itself encrypted with
passphrase encryption and the complex passphrase is not stored electronically.
Along with the encrypted credit card, the last four digits are stored in clear
text to assist in lookups and for display on things like your Account tab and
payment receipt emails. We have no evidence decrypted credit card numbers were
obtained._

<https://blog.linode.com/2013/04/16/security-incident-update/>

TL;DR - This is unfair to Linode and I think the community (who uses their
service quite frequently) would appreciate if you took it up with them first,
before you start a smear campaign.

~~~
FooBarWidget
Why is using prepaid cards for online purchases fishy?

- Prepaid cards impose an upper limit on what can be spent, so that if the
card details leak out you are protected against losing more money than is on
the card. They can't plunder your entire bank account.

- Some people don't like the idea of having debt. By using a credit card you
immediately have a debt whether you like it or not.

~~~
rosser
_By using a credit card you immediately have a debt whether you like it or
not._

Credit cards are only debt if you treat them like debt. I use the shit out of
mine, but pay the full balance pretty much every month. There's a lot of
convenience, I'm fully protected from fraudulent activity, and I have a stupid
amount of points/miles/whatever for free (or at least cheap) travel, to boot —
I flew to .au a couple years ago for free on that basis, for example.

~~~
jalons
Your balance is irrelevant - your available credit line is debt, as at any
moment you can be liable for up to that amount.

~~~
doktrin
Your available credit line is _not_ debt, and I can't recall ever hearing of
anyone being held accountable for fraudulent purchases made against their
account. Does this happen?

~~~
ahonhn
Credit card terms vary from country to country.

Here (Singapore) card conditions were recently changed so that you would only
be liable for the first $100 of fraudulent transactions (assuming you can
prove it wasn't you). I think the bank can still hold you liable for more if
they find you were negligent about guarding your card details.

Prior to these condition changes, I remember being told by the bank that you
would be liable for all charges incurred before you had reported the card
physically stolen or lost.

------
azinman2
To be fair, that still doesn't mean it's from Linode 100%. I recently had a
fraudulent charge on a Chase Freedom card that I never once used anywhere
(their fine print when it arrived showed they misled me about the rewards I was
promised). I had even shredded it when I got it, so it's not possible someone
took it from my place. When they called me about the possible fraudulent
charge, the guy explained that various government/creditor databases contain
these cards and sometimes malicious employees use them for fraud.

~~~
ibudiallo
You are right, I cannot say it's Linode 100%, maybe 99%. However, it is still a
good idea to cancel those cards.

~~~
ry0ohki
Maybe if they are debit cards, but given the hassle of changing cards everywhere
combined with the protection against fraudulent charges banks give, I don't
plan on doing anything just for the heck of it. I.e., let's say you're correct and
I start seeing fraudulent charges? I call my bank and they reverse them all
immediately; it's not a big deal.

------
greenyoda
Signing up for on-line services is a good use for "virtual account numbers".
This is a feature offered on some Citibank and Discover credit cards (maybe
others) that allows you to generate a separate credit card number that's
billed to your original account. The nice thing about them is that once a
virtual account number has been billed by a vendor, it does not accept any
charges in the future except from the same vendor. So if the account is
compromised, the credit card number is useless to the person who steals it.

~~~
stock_toaster
I wish other banks offered that functionality. I am not a fan of Citibank.

~~~
encoderer
Get the Fidelity Amex from FIA (aka BofA). It's one of the few genuine 2%
cashback cards, has no annual fee, no forex fees iirc, and lets you create
"ShopSafe" numbers.

~~~
stock_toaster
Are you sure it is the amex card that supports shopsafe? I thought Amex
discontinued their similar product _years_ ago.

~~~
encoderer
It's not an Amex issued by American Express, it's a card issued by Bank of
America that is processed on the Amex network.

~~~
stock_toaster
Interesting. Thanks for the info.

------
WestCoastJustin
Linode stored the encrypted _credit card numbers in our [Linode's] database_
... _we have no evidence decrypted credit card numbers were obtained_. [1] To
me, this implies that the attackers _did indeed_ get the encrypted data. This
would be a mighty juicy target to focus your decryption efforts on! In my
mind, it was only a matter of time. Regardless of whether OP's story holds
water, get your card re-issued if this applies to you!

[1] <https://blog.linode.com/2013/04/16/security-incident-update/>

~~~
marshray
> This would be a mighty juicy target to focus your decryption efforts on!

In practice, either the Linode data was properly encrypted and keys properly
managed, or it wasn't, rendering the encryption worthless. There's very little
middle ground.

If you can break properly encrypted data, you have _way_ bigger opportunities
than carding.

~~~
thaumaturgy
Attackers claimed that the keys were stored in memory and that they retrieved
them: "We proceeded to breach Linode and acquire their in-memory keys."
<http://straylig.ht/zines/HTP5/0x02_Linode.txt>

------
maukdaddy
I just got an email yesterday from Amex about suspicious activity on my
account. The card was used to make purchases from at least three dating sites,
groupon, Microsoft, hidemyip, and a handful of others.

This card is tied to Linode, Amazon, and one or two other large merchants.
Sure looks like Linode CC numbers were breached.

------
xbryanx
Bank Simple actually reached out to me and asked me if I wanted to cancel my
card. I did. But I was impressed that they saw that I'd had charges from them
and knew about the security issues.

~~~
Osiris
I also use Simple and I've been very happy with their customer support. Not
having checks has been a pain in a few cases, but I definitely prefer it over
a brick and mortar. I have a few invitations on my account if anyone is
interested.

~~~
jervisfm
Hi Osiris, would you mind sending me an invite? Email is hn username at
google's mail service dot com. Thanks!

------
dkulchenko
I cancelled mine for an unrelated reason, but was about to anyway once news
about the Linode compromise got out. Linode themselves have admitted that the
only thing between HTP and the credit card numbers is a passphrase (of unknown
quality).

I no longer have any VMs on Linode. It's unfortunate that a company I trusted
behaved so oddly and non-transparently over the course of the incident.

~~~
Ramp_
The Linode write-up from HTP which may be relevant to this.

Scroll to the "Linode" section of course.

<http://www.exploit-db.com/papers/25306/>

------
cmsmith
Tangentially:

Why do merchants really need to store CC numbers? From the consumers'
standpoint, there would be no difference if, during the first transaction, the
merchant were issued some alternate key with which to charge the account. Each
merchant would be issued their own key, so there would be no risk of a
security breach spreading outside of the merchant.

~~~
wr0ng
Mostly they don't. The payment provider stores this and provides that and the
truncated PAN (the card number with digits masked by asterisks).

One of the things you pay payment providers for is for taking on the risk of
the higher levels of PCI compliance.

------
gee_totes
OP, I'm confused how your system for paying for things online works.

If it's a prepaid card, I'm assuming that you have to load it with money.
Since you're just using it for Linode, you couldn't have loaded that much
money on it (unless you're paying for huge Linodes). I'm wondering how large
these large amounts were and why they didn't simply empty out the amount on
the prepaid card.

Besides my confusion (if I were using your system, I would load $20 or
whatever onto the card each month and then the maximum I could lose if the
card was stolen was $20), I would also like to point out that while prepaid
cards are easy to dispose of, Credit Cards typically provide better fraud
protection.

With credit cards, there is normally a $50 liability if the card is stolen and
no time limits around reporting it. With debit cards, there are time limits
around reporting the card being lost or stolen. With prepaid cards, they are
not subject to the jurisdiction of the FDIC and consumer protections are
voluntary on the part of the issuer.

------
richardlblair
I would also like to add that the same thing happened to me. Except it
happened on May 30th.

I can't be 100% sure that my card was compromised because of linode, but there
is a good chance that it was.

Thankfully the transactions were not captured, so I'm not out any money, but
it still sucks.

------
mietek
FirstDirect cancelled my Linode card for me, after the first three fraudulent
charges. Luckily, they were easy to detect, as they were made in physical
locations in the US, while I was in the UK at the time.

Probably the only time in my life a bank actually helped me retain my money!

------
tzs
What do you mean by "cancel"? If you mean have your card issuer give you a new
card with a new number, and stop allowing charges using the old number, that
isn't necessarily sufficient. You may have to close your underlying account.

Visa and MasterCard both have updater services, which are available to some
(but not all--I'm not sure what exactly the requirements are for access)
merchants that accept their cards. The updater service allows the merchant to
inquire about a particular card number and receive back a status that can be
one of: no info available; card still valid; card replaced and here is the new
card number and expiration date; account closed.

~~~
encoderer
There is absolutely no risk that this would happen if you call and report your
card as stolen. None.

Now, if you've already had a charge authorized, then yes, the issuer has to
allow that charge to be captured, even if you cancelled the card in the
interim. But your issuer can certainly tell you if there are any valid
authorizations outstanding.

------
brink
I just had to cancel my card due to a large, unauthorized purchase at
Walgreens states away. I don't know that it was from Linode, but it was the
same card that I had when Linode was compromised.

------
maqr
WF opted to send me a new card out of nowhere, without explaining _why_
they're sending me a new card. I suspect it's due to the linode breach.

~~~
pavel_lishin
My bank does this to me from time to time, without bothering to notify me. It
seems incredibly insecure to me - I do have to call to activate it, but there
are no "secret" questions asked during this process, just the last four digits
of my social security number, and my zip code (and guess where the card gets
sent to?)

~~~
Encosia
I believe you only get that streamlined activation if you call from the number
they have on file for you, which makes it more secure than it seems.

------
ianmcgowan
I just got notified by my bank about a fraud notice, and they cancelled the
debit card I use for Linode.

It's a huge pain, but I'm inclined to give Linode the benefit of the doubt.
I've done enough stupid things in my life to not cast the first stone.
Hopefully they'll learn from this, and beef up both their approach to security
and their transparency. Strike one.

------
rapsourly
My credit card was recently reissued without my request. The accompanying
letter said it was being reissued to prevent fraud, as a merchant had recently
disclosed a compromise. It did not say which merchant, but now I suspect it
could have been Linode. Has anyone else had this happen?

~~~
archon
I'm not positive that it was Linode, but I received this email from my bank
about the card I used for Linode (bank name removed):

"We were notified by a payment processor that your debit card information,
such as your name, debit card number and expiration date may have been
compromised. Unauthorized access to non-_____ systems may have occurred
through a merchant where you shopped or dined, or by other fraudulent
activity. Specific details about the compromise were not reported to _____."

------
madmaze
Thanks, I thankfully canceled my card. Is there anyone else here that has
had their card compromised?

~~~
saryant
I haven't had anything odd yet.

Ironically, Chase _did_ flag my DigitalOcean charges last week.

~~~
adrr
Chase notified me that a 3rd party was breached and my credit card was at risk.
They sent me a new card two weeks ago. Figured it was because of Linode.

~~~
forgotAgain
Funny, that's about when I cancelled my Chase card. When they asked why I told
them an internet company I do business with had been compromised. I have a
monthly charge from Linode on the card.

------
rosser
Anecdata to the contrary, I've seen no suspicious activity on my
Linode-associated card.

~~~
ChuckMcM
Yet? One of the things I've learned by reading Danchev and other blogs on the
scourge of credit card fraud is that 'carders' seem to have waaaaaay more
cards than they need so the turnaround time between having it be made public
and having it used can be quite long. So far for me every time one of my cards
has been compromised there was a small charge that went through before the
bigger charges came in. And my bank has been pretty good about effectively
freezing things as soon as that small charge hits.

Given all the big data stuff on my 'work' cards (like a gas card which is only
used to buy fuel) it should be instantly obvious if a charge is bogus coming
from a non-gas station. But I digress.

I wish someone would set up a 'whitelist only' type credit card where I could
first do a small test charge, then I could authorize that source with my bank,
and then their regular charges would go through. But if the number was
compromised any attempt to use it _anywhere_ that I hadn't pre-approved would
be rejected.

~~~
rosser
Fair enough. "Yet."

I've also noticed the same pattern with compromised cards: a couple of small
auths to test the waters, and then increasingly large charges coming from
decreasingly likely places. I regularly log onto my online banking and inspect
the recent activity looking for exactly that kind of activity.

I've long wished for the same, "whitelist-only card" type thing, too. I think
I might smell an opportunity...
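
As an added illustration of the merchant-locked virtual account numbers greenyoda describes above and the "whitelist-only" card ChuckMcM and rosser wish for, here is a small issuer-side authorization model (example code, not from Linode or any card issuer; the merchant names and the $5 test-charge limit are constructed):

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Charge:
    merchant: str   # merchant identifier as the issuer sees it (constructed)
    amount: float   # amount in the card's currency


@dataclass
class VirtualNumber:
    """Virtual account number: the first merchant that bills it becomes the
    only merchant it will ever accept, so a leaked number is useless elsewhere."""
    locked_to: Optional[str] = None

    def authorize(self, charge: Charge) -> bool:
        if self.locked_to is None:
            self.locked_to = charge.merchant   # bind to the first vendor billed
            return True
        return charge.merchant == self.locked_to


@dataclass
class WhitelistCard:
    """Whitelist-only card: an unknown merchant may place one small test charge,
    which is held until the cardholder confirms it; every other charge from a
    merchant that is not on the whitelist is declined."""
    test_limit: float = 5.00                       # constructed threshold
    approved: Set[str] = field(default_factory=set)
    pending: Dict[str, float] = field(default_factory=dict)

    def authorize(self, charge: Charge) -> str:
        if charge.merchant in self.approved:
            return "approved"
        if charge.merchant not in self.pending and charge.amount <= self.test_limit:
            self.pending[charge.merchant] = charge.amount
            return "pending"     # test charge recorded, awaiting the cardholder
        return "declined"        # unconfirmed merchant, or too large for a test

    def confirm(self, merchant: str) -> bool:
        """Cardholder recognises the test charge and whitelists the merchant."""
        if merchant not in self.pending:
            return False
        del self.pending[merchant]
        self.approved.add(merchant)
        return True


if __name__ == "__main__":
    card = WhitelistCard()
    print(card.authorize(Charge("linode", 1.00)))           # pending
    card.confirm("linode")
    print(card.authorize(Charge("linode", 20.00)))          # approved
    print(card.authorize(Charge("overseas-grocer", 400.0))) # declined
```

A stolen number on either card model only ever works at the merchant the cardholder already trusts, which is the property the thread is asking for.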

------
lifeguard
It should be easy to prove you did not make the purchases and instantly have
your funds credited back to your account OP.

------
matthuggins
I canceled my card the day I saw the issue relating to linode.com. I'm glad I
did!

------
peterwwillis
Do you use Windows? If so, you are infected with Malware that stole your card
number and it finally got used.

I don't know why this is getting downvoted. This is a perfectly valid
explanation for why your card got charged that contradicts your reasoning that
Linode's encrypted card database got cracked.

~~~
ksmiley
The way you phrased it makes it sound as though, if you are a Windows user
that experienced fraudulent charges, then the _only_ possible explanation is
malware.

Your explanation is certainly possible, but it doesn't contradict the Linode
explanation. You might say that the former is much more likely than the
latter, but that doesn't rule linode out.

------
peregrine
I haven't seen anything yet, and I tend to keep pretty close watch on it.

~~~
will_work4tears
I haven't seen anything yet either. All of my accounts have some policy in
place where they call us. It actually got annoying when my wife was
"couponing" and we hit 5-6 stores in a couple hours. Always got a call.
Comforting. Any charge in another country is set to be a flag. When we travel
we make a call and let them know so it doesn't get flagged.

------
InternalRun
Guess they really did leave the private and public keys on the server.

~~~
nwh
They admitted that at the time. They assured everyone that the _password_ on
the private key was secure, even boasted about how long it was on twitter.

------
par
BoA actually cancelled it for me, I didn't even have a choice!

------
tixocloud
Are there any other alternatives out there for VPS service?

~~~
notacoward
I've tested close to a dozen providers, mostly found via
<http://www.cloudorado.com/> or <http://serverbear.com/>, and there are _many_
who can match or exceed both Linode and Digital Ocean (who seem to be all over
every story here that even touches on VPSes) according to every possible
criterion. Personally I went with Host Virtual when I left Linode (shortly
after having left Rackspace), but the choice was largely dictated by physical
location. Another day it might have been Ramnode. There are others too. The
real point is that it's just _not hard_ to find a better VPS host. It's a
crowded space.

------
leeoniya
That card is tied to a lot of things :(, probably a bad idea in general. But for
overseas charges at least, my bank will block transactions and notify me.

------
zachlatta
This isn't because of Linode. Both the hackers and Linode themselves have
shown that no credit card information was stolen.