Free Newsletter
Register for our Free Newsletters
Newsletter
Zones
Access Control
LeftNav
Alarms
LeftNav
Biometrics
LeftNav
Detection
LeftNav
Deutsche Zone (German Zone)
LeftNav
Education, Training and Professional Services
LeftNav
Government Programmes
LeftNav
Guarding, Equipment and Enforcement
LeftNav
Industrial Computing Security
LeftNav
IT Security
LeftNav
Physical Security
LeftNav
Surveillance
LeftNav
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
 
News

Imperva Criticises Lush On Insecure E-Commerce Site And Poor Auditing

Imperva : 25 January, 2011  (Technical Article)
Multiple vulnerabilities and poor auditing of transactions indicating non-compliance to PCI data security standards blamed for cosmetic company customer card data leakage
The Web site of Lush, the natural ingredients cosmetic firm, has reportedly been cracked and subverted by hackers, with reports that customers' bank details have already been used by fraudsters.



Lush is urging all customers who bought products online as far back as October to check for fraudulent transactions. So far 43 customers have had their cards used by fraudsters. The thieves bought 02 top-up cards, probably in preparation for larger raids. Below is a comment from Noa Bar-Yosef, Imperva’s Senior Security Strategist, on the hack:



Looking further into the hack and what has happened, Noa Bar Yosef observes:



1 It seems that Lush online application is riddled with vulnerabilities. They even comment on continuing to be a target and so they’re taking the website down. So it’s not just one sole vulnerability that could have been quickly fixed, but lots of security issues which would require a security overhaul.



2 The hacks occurred throughout a 4-month timeframe. Yet, they know the exact dates of start-finish of the hack, which means that they did have some sort of audit during the attack. Yet, there was probably no one responsible to constantly oversee the audits to alert in the case of abnormal behaviour.



3 In regards to the audit – Lush mentions that they are informing all “potentially affected” customers. This means that they do not have exact affected customers details. A good audit trail should also provide concrete details regarding who was affected and when.



4 The attack clearly shows that Lush was in breach of PCI DSS compliance.



5 Look at the “We Believe” statements. There’s no talk about belief in making websites secure for customers. They are blaming the attackers and talking about cooperation with law enforcement. However, they should also add a “We Believe” on making the website more secure for their customers.
Bookmark and Share
 
Home I Editor's Blog I News by Zone I News by Date I News by Category I Special Reports I Directory I Events I Advertise I Submit Your News I About Us I Guides
 
   © 2012 ProSecurityZone.com
Netgains Logo