IMPORTANT: Adobe Hacked

[Mike Farley]

This announcement from Adobe will be of more than passing interest to anyone who has an account with the company, especially if they have provided credit or debit card information.

http://www.dpreview.com/news/2013/10/03 ... =title_0_2

I have received an e-mail from Adobe stating that my account was one of those accessed and that the hackers might have accessed my encrypted credit card information. Which is not very reassuring, especially if the encryption is as vulnerable as the other measures Adobe has put in place to protect its systems.

There is further information on Adobe's website.

http://helpx.adobe.com/x-productkb/poli ... alert.html

[davidc]

Ouch, sorry to hear it. Are you going to change your card details?

Reading into it more I wouldn't be surprised if the info security guys at Adobe are in for the high jump, their approach is getting absolutely slated (quite rightly given these events).

[Mike Farley]

Ouch, sorry to hear it. Are you going to change your card details?

Reading into it more I wouldn't be surprised if the info security guys at Adobe are in for the high jump, their approach is getting absolutely slated (quite rightly given these events).

As it happens, my card is coming up for renewal shortly so I will have a chat with the issuer to see whether it is worth bringing it forward.

So far as I am aware, Adobe has not said anything about how the hackers gained access and there are any number of possibilities. I doubt if Adobe designed its own security system and most likely used a specialist third party provider. The fault could lie there, it could be a zero day exploit of the OS or webserver software, or perhaps use of social engineering to obtain a userid or password. Neither is Adobe alone in being so embarrassed and there have been a number of high profile hack attacks over the years. Unfortunately, nothing can be made 100% secure against someone who is sufficiently determined and I do not underestimate the capabilities of the gangs involved.

Like 2.9 million others, I cannot say that I am overjoyed by all of this, particularly Adobe's response to the question about exactly what data the hackers acquired. "We ... believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders." Just what is this "other information"? Do these guys now have my address and phone number, for example?

[Peter Boughton]

Simply getting a renewed card (i.e. new expiry date) isn't necessarily secure, because it's generally just adding a set period (like 40 months) to the previous date, which is simple maths. Ideally you want a new number too.

The safest assumption is that any information you've given to Adobe (or they've otherwise collected on you), is in the hands of "the same cyber criminals believed to have hacked into major data aggregators earlier this year, including LexisNexis, Dun & Bradstreet and Kroll", and of course has the potential to be sold on.

[Mike Farley]

Thanks, Peter. I must admit that I thought that getting another CV2 number on the new card would be sufficient, but that will only work if a vendor asks for it. Not something which can be guaranteed, unfortunately, if transaction acquirers (especially in other countries) do not specify it as a requirement for purchaser not present sales.

[Peter Boughton]

Well CV2 is not supposed to be stored at all, not even in encrypted form - so for subscription payments (like Creative Cloud) it's not an option to use it. (When it's used the vendor gets charged lower processing costs, and the transaction is less likely to be flagged as suspicious, so it is generally in the vendor's interest to use it when possible, but not something payment processors can enforce.)

If it was always required to provide CV2 that would require storing it in some fashion, which would ultimately just be another bit of data stolen along with the existing number/expiry/name - so whilst it would allow for not changing card numbers it wouldn't necessarily add any actual security.

[davidc]

Looks like it's getting even worse for Adobe...

http://www.bbc.co.uk/news/technology-24740873

[davidc]

Ouch.

http://petapixel.com/2013/11/07/number- ... ore-125453

I checked and I was affected (although not notified by Adobe) though I don't have any personal info bar my email registered with them.

[Mike Farley]

We still don't know, and almost certainly never will for definite, how the hackers got in. Weak password encryption might only be part of it. If Adobe could not get that right, what other parts of its system are/were ripe for exploitation by the miscreants of this world? Just about the only good thing I can see coming out of this is the hope that Adobe has now undertaken an extensive review of its security and implemented industrial strength protection. I cannot recall a statement along these lines by Adobe and improving its systems will take time, so it is entirely possible that vulnerabilities still exist.

With the ever increasing numbers of those affected, Adobe runs a considerable risk that it will never regain customer confidence and I just wish that there were some viable alternative to its products. This could be what ends up saving their bacon as ultimately there is no real option other than to continue doing business with them.

[Mike Farley]

I have now read all of the Naked Security blog post and coming as it does from Sophos, it does not make for good reading, especially the bit which says that credit/debit card details were possibly encrypted rather than hashed and salted. Can we hope that this was merely a figure of speech from Adobe for the benefit of those not initiated into the art of cryptology?

http://nakedsecurity.sophos.com/2013/11 ... c-blunder/