57

Dude
The client has a giant database with all credit and debit cards

ALL INFOS IN FUCKING PLAINTEXT
THE CARD NUMBER
THE CVV
THE EXPIRY DATE

I'M SHAKING AF

Comments
  • 25
    This might actually be a crime. Unsure.
  • 6
    Time to buy nice things TM.
  • 3
    Is it a big brand?
  • 9
    @Demolishun I believe it is. You have to do a bunch of stuff to hold those details which is why a lot of people use a third party service just to get round it.
  • 14
    This serious
    Is the client PCI-DSS certified? If so, report this to their auditor
  • 2
    @Hazarth they aren't, but they have BACEN's (Brazilian regulator) authorization to act like a bank and be able to hold these types of information and receive transactions to be validated
  • 2
    @Crost yeah, I thought they used a third party, but no, they do themselves
  • 10
    @ChristoPy reporting it is the right thing to do but don't hold your breath. No one gives a shit until it's too late.
  • 3
    @Linux don't know, only that they are able to act like a bank

    But we gonna force them to protect the data
  • 3
    @Crost yep

    Those guys are fucking millionaires

    They don't give a shit about their app, they don't bother to protect the data, only to get money
  • 3
    @Demolishun in Brazil it is, but laws towards tech are so vague and regulators are old as hell
  • 3
    @IntrusionCM haha, time to get fucking mad
  • 5
    Oh goody, another prime candidate of ass hats doing what ass hats do best.

    If you were in any other nation, I'd say hit delete on all the cards and remove the logging code immediately.

    Otherwise report them to the auditor and find another job, unless your local auditor is a spineless fucker, in that case go back to my previous statement.

    There is not one valid reason you could ever give me that you need the credit card information.
    If you need to reuse the cards for legitimate sales / subscriptions then you use tokenisation instead.
  • 3
    @C0D4 all responsible ones were in the call and are aware. We gonna force them to protect the data or we have the right to report
  • 5
    @ChristoPy

    Then they are.
    You should be a good citizen and report it.
  • 4
    Save it to IPFS!
  • 7
    FFS.
    Just sell the data on the darkweb for shitcoin or something. Make sure it is not traceable to you. Then make sure the newspapers get a hold of the sale info, and where the data came from.
    Company goes flat broke, audited, and sued. Nobody buys from them anymore.

    Nobody cares about the worst case scenario, until the worst case scenario goes down.
  • 3
    @magicMirror dude, today I'm not this type but if it was like 5 years ago I would do it without thinking twice
  • 5
    I got three words to say,

    WHAT THE FUCK ?
  • 4
    @johnmelodyme I've got 2 words to say :
    First time?

    Tbh that kind of news doesn't even surprise me anymore.
    There was a dam control panel in France which was accessible on a freely accessible VNC connection a few years back.
    government and large industry/businesses in a nutshell:
    default passwords everywhere, vulnerable mission critical servers searchable on shodan up the wazoo, backups are probably an exotic dish...

    I'm currently working on a contract where they hard depend on a server which has no backups and is hosted somewhere, by some unknown business.
    Basically if it goes down, they close for a fairly long time and may not reopen.

    But yeah hitting a nest like that on your own is probably scary.
  • 2
    @johnmelodyme they don't care
  • 2
    @satibel first time. (For someone storing credit card info in RAW)
  • 2
    @ChristoPy seems like we both are virgins to this fuckery.
  • 2
    @ChristoPy wasn't the Brazilian credit bureau hacked like six months ago and they sold the entire fucking base on the internet? And people still keep plaintext DBs?!?!?!?
    Damn. Backup the whole thing before the sleeper ransomware hatches. There is sure to be one by now.
  • 3
    @JsonBoa whole bureau, IDs and selfies holding IDs of a bank, the ministry of health, the FUCKING MINISTRY OF JUSTICE

    we are fucked up dude, no one cares
  • 3
    In EU this is a criminal offense.
  • 2
    Are they PCI compliant? Then it’s illegal
    @mukund don't know about that, but it is illegal
  • 2
    So I worked for a POS company for a bit and handled their IT for their own stores along with developing features within their POS. They were scumbags too.

    Some of the high level research I remember relating to PCI-DSS was each piece of the card must minimally live in separate C class subnets encrypted with separate keys.

    It doesn’t take a security expert to see this is fucked…
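    Added example, not code from the thread or from any poster: what C0D4's "use tokenisation instead" and AndroidFML's "separate keys" remark look like in practice, plus the check a defender would run to find the kind of table the rant describes. The application table keeps only a random token, the last four digits and the expiry; the vault seals the PAN under one key and builds a lookup index under a second, independent key; the CVV is never accepted for storage at all. Everything here is an assumption for illustration: the `seal`/`unseal` pair is a stdlib HMAC-SHA256 counter-mode cipher with an encrypt-then-MAC tag standing in for AES-GCM, the keys and card numbers are constructed test values (the well-known 4111… and 5555… test PANs), and the in-memory dicts stand in for the vault's database.

```python
"""Added example: card tokenisation vault plus a plaintext-PAN scanner (stdlib only).
seal/unseal = HMAC-SHA256 counter-mode stream cipher + encrypt-then-MAC tag; this is a
stand-in for AES-GCM chosen so the example runs without third-party packages."""
import hashlib
import hmac
import re
import secrets

PAN_RE = re.compile(r"\b\d{13,19}\b")   # candidate card numbers: 13-19 digit runs


def luhn_ok(digits: str) -> bool:
    """True when the digit string passes the Luhn check that card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream (stand-in for AES-CTR)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes):
    # Derive distinct encryption and MAC keys from the vault key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, encrypt-then-MAC so tampering is detected before decryption."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault record failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class TokenVault:
    """Maps random tokens to sealed PANs. The CVV is deliberately not a parameter anywhere:
    it has no place in any store, tokenised or not."""

    def __init__(self, vault_key: bytes, index_key: bytes):
        self._vault_key = vault_key     # seals PANs
        self._index_key = index_key     # separate key: builds the dedup index only
        self._records = {}              # token -> sealed PAN (the vault's table)
        self._index = {}                # HMAC(index_key, PAN) -> token, one token per card

    def tokenize(self, pan: str) -> str:
        digits = re.sub(r"\D", "", pan)
        if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
            raise ValueError("not a plausible PAN")
        fp = hmac.new(self._index_key, digits.encode(), hashlib.sha256).hexdigest()
        if fp in self._index:
            return self._index[fp]
        token = "tok_" + secrets.token_hex(16)   # "tok_" prefix: a token can never look like a PAN
        self._records[token] = seal(self._vault_key, digits.encode())
        self._index[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        return unseal(self._vault_key, self._records[token]).decode()


def app_row(vault: TokenVault, pan: str, expiry: str) -> dict:
    """What the application database stores instead of the raw card."""
    digits = re.sub(r"\D", "", pan)
    return {"card_token": vault.tokenize(pan), "last4": digits[-4:], "expiry": expiry}


def scan_for_plaintext_pans(rows) -> list:
    """Detection: flag (row index, column) for any field holding a Luhn-valid digit run."""
    hits = []
    for i, row in enumerate(rows):
        for col, val in row.items():
            if any(luhn_ok(m) for m in PAN_RE.findall(str(val))):
                hits.append((i, col))
    return hits


# Constructed sample data: the "before" table from the rant (card number, CVV, expiry in clear).
PLAINTEXT_ROWS = [
    {"card_number": "4111111111111111", "cvv": "123", "expiry": "12/27"},
    {"card_number": "5555555555554444", "cvv": "456", "expiry": "03/26"},
]


def demo():
    """Scan the plaintext table, migrate it to tokens, scan again."""
    vault = TokenVault(secrets.token_bytes(32), secrets.token_bytes(32))
    tokenised = [app_row(vault, r["card_number"], r["expiry"]) for r in PLAINTEXT_ROWS]
    return scan_for_plaintext_pans(PLAINTEXT_ROWS), scan_for_plaintext_pans(tokenised)


if __name__ == "__main__":
    before, after = demo()
    print("plaintext PAN columns:", before)   # [(0, 'card_number'), (1, 'card_number')]
    print("after tokenisation:", after)       # []
```

    The scanner is the useful part for someone who has just found a table like this: run it over a dump of every text column and it tells you which tables still carry card numbers, which is the list you hand to whoever is doing the migration and to the auditor.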
  • 4
    @AndroidFML I really like POS. Such a great acronym.
  • 1
    @superposition secret.com haha
  • 1
    @superposition I know
  • 3
    One month later, the database and the system are being abused: https://devrant.com/rants/5047721/...