Loss of Sales

While the Hannaford breach, which resulted in 4.2 stolen credit cards and 1800 known fraud cases, may not be a web hack, a Computerworld article mentioned that the company's web site was offline following the breach. Even if the breach itself was not a result of web site issues, such issues were probably found in the security review that followed the breach, making the incident a worthy addition to WHID.

Attack Method: 

Update (April 19th 2009) - A recent article in the Vancouver Sun further discusses the issue. While there are no new technical details, the discussion that follows the article is illuminating.


Insufficient anti-automation is fast becoming a major, if not the major, threat to web applications. The reason is that it can be very profitable for the hacker, while at the same time it is far from a simple vulnerability that just requires a quick fix.

TicketMaster's ongoing battle with hackers who bypass the line to buy event tickets and resell them for a high price is a very good example of the issue. In this specific example the hackers demonstrate that CAPTCHA, a method of blocking automated programs by presenting a challenge supposedly difficult for computer software, is not sufficient.

Incident Outcome: 

There seems to be a new trend of disrupting online bidding using denial of service attacks. In this case, an auction for 37 very expensive watches was halted 20 minutes before the end as the site crashed, in what official sources describe as a hacker attack that did not result in a site compromise.

Additional information:

Attack Method: 
Incident Outcome: 

The site of the Rockies was taken down by a denial of service attack, preventing fans from buying tickets for the World Series games.

As with any DDoS attack, it is very hard to know if it was an application layer or network layer attack, but since this attack had a very significant financial impact by crippling a web site, we think it deserves a place in WHID.

Additional information:

Attack Method: 
Incident Outcome: 

A hacker exploited a leftover admin function on eBay to block users and close sales.

Additional information:

Incident Outcome: 

A priority code, used to get a free platinum pass to MacWorld Expo, was validated on the client, which enabled anyone to get the pass for free. While "grutz" informed the organizers about it, when going over their log files they found out that others had abused the vulnerability without letting anyone know about it.

Additional information:

Incident Outcome: