分享 請 Linode 用戶注意,緊急情況。

blacktulip · 2013年04月16日 · 最后由 Omegle 回复于 2024年03月18日 · 33795 次阅读

http://slashdot.org/firehose.pl?op=view&type=submission&id=2603667

駭客聲稱已經取得 Linode 所有信用卡信息。

Hacker News 已有多人聲稱信用卡出現被盜刷情況

有卡號在上面的請關注信用卡使用情況,或者直接換卡。我已經 order 了 replacement card .

駭客 irc 聊天記錄 以及證據截圖。

Linode 居然把加密信用卡使用的公鑰和私鑰放在了一起,簡直是....... 傻 X 都不足以形容!

This is an edited version of the linode.log file for 15th April.
'ryan_' is involved with HTP (a computer cracking collective).

TL;DR version:

05:10 < ryan_> https://bin.defuse.ca/hq0Ay8RzpKdR6vQwYxnmhc
05:11 < ryan_> if that's not proof I don't know what is

If you are a linode customer, I strongly suggest reconsidering.  And
changing your banking credentials.

* * *

05:05 < ryan_> Hey I can tell you
05:05 < ryan_> exact details of the attack
05:05 < ryan_> manager.linode.com was breached with a coldfusion exploit
05:05 < ryan_> it was compromised for a couple of weeks
05:05 < kyhwana> I hope they're using bcrypt/similar, etc.
05:05 < ryan_> we made a deal with linode staff not to share it
05:05 < ryan_> kyhwana: sha256crypt
05:05 < kyhwana> ryan_: god some proof?
05:05 < shmoon> "we"?
05:05 < kyhwana> s/d/t
05:05 < kyhwana> heh
05:05 < ryan_> they contacted law enforcement
05:05 < ryan_> broke the deal
05:05 < ryan_> kyhwana: the released database should serve as proof
05:06 < ryan_> We will also release the logs of the linode staff who participated in this deal
05:06 < shmoon> "WE"???
05:06 < shmoon> who is we?
05:06 < ryan_> of course they wouldn't have ever told you (customers) about it if we didn't tell them that we will release the data after we saw them contacting LE
05:06 < ryan_> does it matter who is "we"?
05:06 < ryan_> It's an entity I represent
05:07 < drclawski> of course it matters who you represent
05:07 < ryan_> you probably weren't targetted but doesn't stop us from releasing your credit card info since linode staff tried to fuck us over
05:07 < shmoon> hm
05:08 < drclawski> well, the way you talk right now I'm glad linode contacted law enforcement
05:08 < shmoon> :D
05:08 < gerryvdm_mbp> ah, could change back to my original password after intermediary one!
05:08 < Ruchira_> ryan_: got a link to that db where I can download it?
05:08 < Ruchira_> :*
05:08 < kyhwana> link 2 pastebin plz
05:09 < ryan_> Ruchira_: not yet
05:09 < mestri> this sounds so fishy
05:09 < shmoon> credit card details were leaked ? :o
05:09 < chesty> full of it
05:09 < ryan_> https://twitter.com/hacktheplanet
05:09 < ryan_> you can follow there
05:10 < ryan_> hey
05:10 < ryan_> lets prove it this way
05:10 < chesty> there's nothing there
05:10 < Ruchira_> ryan_: gimme the db or GTFO
05:10 < ryan_> https://bin.defuse.ca/hq0Ay8RzpKdR6vQwYxnmhc
05:11 < ryan_> if that's not proof I don't know what is
05:12 < mestri> hm i see.
05:12 < Ruchira_> wow someone can right click and view source O_o
05:12 < ryan_> Ruchira_: do you have the slightest idea on what you are talking about?
05:12 < Ruchira_> yup
05:12 < ryan_> well then, I wouldn't have the source code of any of those files, right?
05:13 < ryan_> and why would I have the y_key_57284cb2de704e02.html file name?
05:13 < ryan_> caker:{SHA}f6gtSn8vrtJfOr5BL73qur9pZjM=
05:13 < ryan_> mgreb:{SHA}Rs6+t2AmP8Zk9Tt2L8V6KoF/p68=
05:13 < ryan_> tasaro:{SHA}VX3HOGFij2T+vBPQsJziNeFih9s=
05:13 < ryan_> restelow:kO8AB7F2vGeTY
05:13 < ryan_> irgeek:{SHA}vB9kanV+A2b6YBHskkgrWPmDLhU=
05:13 < ryan_> sschwertly:{SHA}MhAwd561ZtgAH2NgXLltvmWlgfQ=
05:13 < ryan_> dariti:{SHA}qWfPCORks8jobCzOHX6BcX5FS+Q=
05:13 < ryan_> bkaplan:{SHA}npf7EGrBJVP/L70h830WZcjBMP8=
05:13 < ryan_> psandin:{SHA}tKrcBAD/mj25kX0MSrZKtWAbpRk=
05:13 < kyhwana> why would there be random AMI bios ROMS in that htdoc?
05:13 < ryan_> afolson:{SHA}udkD+S5jcqr66VDf6OgSxhHhbzQ=
05:13 < ryan_> cron:{SHA}FFwIAcaqmbdxfVGfpoCtd4pva4Y=
05:13 < ryan_> I wouldn't have those either
05:14 < ryan_> I don't know
05:14 < scottymeuk> kyhwana: even linode has random shit lying around like the rest of us :P
05:14 < ryan_> ask linode staff
05:18 < ryan_> kyhwana: I just pasted admin hashes
05:18 < ryan_> that should be enough
05:19 < ryan_> and manager is on the same box as the main website
05:19 < kyhwana> So what? anyone can make up hashes
05:19 < ryan_> See http://www1.linode.com/manager/
05:19 < AlexC_> The best thing to do is to wait for an official response from Linode, a follow up to their blog post
05:19 < ryan_> kyhwana: yes and I can get all the files in their wwwroot?
05:19 < ryan_> give me a name of a file which source you want
05:21 -!- mode/#linode [+b *!*[email protected].*] by akerl
05:21 -!- mode/#linode [+ntc ] by ChanServ
05:21 -!- ryan_ was kicked from #linode by akerl [ryan_]
05:22 < akerl> Sorry, I was busy nomming
05:24 -!- ssthormess [[email protected]] has joined #linode
05:24 < kyhwana> well, LEO involvement just imply CC breaches. If there's any chance of a CC breach, i'd like to know so I can change my CC number
05:24 < AlexC_> chesty: If they don't, they're stupid (and I don't like using that word to describe Linode after being with them for years!)
05:24 -!- ryan| [[email protected]] has joined #linode
05:24 < ryan|> quite rude of you
05:24 < Ruchira_> hi ryan!:
05:24 -!- azizur [[email protected]] has joined #linode
05:24 -!- mode/#linode [+b *!*@37.235.49.*] by akerl
05:25 < ssthormess> anyone works for linode here?
05:25 -!- ryan| was kicked from #linode by akerl [ryan|]
05:25 < chesty> and the cover up begins
05:27 -!- root__ [[email protected]] has joined #linode
05:27 -!- root__ is now known as ryan||
05:27 < chesty> http://seclists.org/nmap-dev/2013/q2/3
05:27 < ryan||> Quite rude out of you
05:27 < ryan||> To ban me like that
05:28 < ryan||> akerl: Mind sharing what motivated your bans on me?
05:28 < ryan||> Did I offend you by sharing the truth?
05:29 < ryan||> Hey, you didn't go by our deal. What did you expect?
05:30 < ryan||> I had a nice deal with linode staff that they don't share the fact htat they got owned with anyone and we won't release info on their hack
05:30 < ryan||> (including customer credit cards)
05:30 < ryan||> which will now be released
05:30 < AlexC_> ryan||: This is best sorted between you and Linode, if you could just let this channel get on to normalilty and support users that'd be great
05:31 < ryan||> AlexC_: oh, but it's users data at stake here
05:31 < scottymeuk> ryan||: if your going to release it, then why are you here? Nothing we can do to stop you.
05:31 < ryan||> scottymeuk: why can't I stop by and talk
05:31 < ryan||> Is that illegal?
05:32 < ryan||> ssthormess: you don't care about the fact that it took linode staff about two weeks to tell their customers about the breach?
05:33 < ssthormess> ryanll: no. I work with Citibank Chase and Bank of America and all three have zero customer liability.
05:33 < Ruchira> ryan||: give us the link to cold fusion vulnerability that you are talking about 
05:34 < ryan||> Ruchira: 0day
05:34 < ryan||> linode staff apparently failed to deduce it themselves and relied on chmodding CFIDE to 000
05:36 < ryan||> (It's surprising that anyone is still running coldfusion, that's like connection a windows 98 box to the internet without a firewall)
05:36 < ryan||> ssthormess: did you reset your instance api keys?
05:36 < ryan||> lish keys too?
05:36 < ssthormess> ryanll: how I do that?
05:37 < ryan||> Do you care about your data integrity?
05:37 < ryan||> would you mind if your linode was hacked?
05:37 < kyhwana> ohnoes, you have a public key!
05:37 < ryan||> kyhwana: lish passwords were stored in plain text
05:38 < ryan||> Last time I checked you couldn't disable password authnetication
05:38 < ryan||> and linode staff didn't properly secure the screen setup lish uses so it allowed breaking out of lish to the host environment
05:38 < ryan||> so someone using the same node as you being compromised would be enough for your server to be compromised
05:38 < kyhwana> and who leaves a login into their box logged in on lish eh?
05:38 < ryan||> Does it matter when you can break out to the host environment?
05:39 < ryan||> And unless you changed your api key, someone can just change your boot configs to init=/bin/bash
05:40 < gerryvdm_mbp> lish passwords were saved in plaintext?
05:40 < ryan||> Yep
05:40 < ryan||> so were the api keys (which could at least have been hashed)
05:42 < ryan||> credit cards were encrypted, sadly both the private and public keys were stored on the webserver so that provides 0 additional security
05:42 < AlexC_> If this is true, which I'm guessing it is, it's like finding out a good friend of many years has betrayed you :P I deeply hope that Linode provide full transparency on this
05:42 < gerryvdm_mbp> are they hashed now?
05:42 < ryan||> AlexC_: did they provide any transparency on the previous hacks?
05:42 < ryan||> gerryvdm_mbp: probably not
05:43 < AlexC_> ryan||: Not entirely, which was just wonderful
05:43 < ryan||> I don't know, but seeing how long it took for linode staff to detect us. I doubt it
05:43 < gerryvdm_mbp> i can understand php script kiddies storing passwords as plaintext, but a hoster.... that would be quite shocking
05:43 < AlexC_> But if they don't give details this time, they are going to have to do something incredilble to keep me as a customer
05:43 < ryan||> Well linode also had terribly configured coldfusion
05:43 < Ruchira> ryan||: I dont think linode would ever store lish passwords on plain text. 
05:44 < ryan||> (adobe manuals tell you to not allow public access to /CFIDE/, which linode did)
05:44 < ryan||> Ruchira: oh but they did
05:44 < gerryvdm_mbp> ryan|| how do you know this?
05:44 < scottymeuk> gerryvdm_mbp: im pretty sure its one of the first things even script kiddles learn :P
05:44 < ryan||> Because I'm one of the people who hacked it?
05:44 < Ruchira> ryan||: proof?
05:45 < gerryvdm_mbp> you cant be a professional and not knowing how even hashing with salts is such a bad idea, but plaintext... that would be several levels of incompetence
05:45 < ryan||> The zine is scheluded to be released on the first of may which will contain the full database
05:45 < ryan||> Ruchira: I can get you the source code of the script that stores lish passwords
05:45 < ryan||> sec
05:45 < d-b> ryan||: which zine?
05:45 < ryan||> let me find it, coldfusion is horrible to read
05:45 < ryan||> d-b: htp5
05:47 < Ruchira> ryan||: first of the may? why?
05:47 < ryan||> Ruchira: due to other content
05:48 -!- ryan|| [[email protected]] has quit [autokilled: This host violated network policy. Mail [email protected] if you think this in error. (2013-04-15 09:48:28)]
05:48 < chesty> how has he violated network policy?
05:48 < shmoon> even i am wondering
05:49 < kyhwana> hacked box, obviously
05:49 < scottymeuk> Because they want to try and hide it?
05:49 < AlexC_> Not cool Linode, not cool
05:49 < shmoon> man even i am afraid now :S
05:49 -!- ryann [[email protected]] has joined #linode
05:49 < Ruchira> wow :D
05:49 < ryann> Why are people so rude nowadays
05:49 < ryann> glining me like that and stuff
05:49 < ryann> Well akilling, little difference
05:50 < chesty> someone doesn't want the truth to be known
05:50 < ryann> Generally having to ban users is a clear sign of incompetence by the staff
05:50 < AlexC_> Yep, which is *very* bad of Linode
05:51 < AlexC_> I understand they may not want someone to disclose details like this, but the details *need* to come out. If Linode don't do it them selves, then they are fools
05:51 < ryann> If linode had any way of proving that I'm not telling the truth they wouldn't be banning me
05:51 < ryann> they'd be calling me out
05:51 < chesty> ryann: so my linode has FDE, do you need to reboot in order to break in?
05:51 < Ruchira> all the staff should be eyeing on this chat right now lol 
05:51 < mikegrb> lulz
05:51 < ryann> chesty, not necessary
05:52 < AlexC_> Ruchira: I assume due to the lack of their presence, they are all huddled around a table discussing this
05:52 < ryann> FDE will make it significantly harder, but you can still access the memory while it's running
05:52 < rww> except for mikegrb, who is dilligently sitting here typing "lulz" every so often
05:52 < rww> (yes, I know)
05:53 < chesty> ah well, i made it harder, so I'm happy
05:53 < ryann> btw
05:53 < ryann> $dbhost = 'newnova.theshore.net';
05:53 < ryann> $dbname = 'linode_forums';
05:53 < ryann> $dbuser = 'linode';
05:53 < ryann> $dbpasswd = 'cfr41qa';
05:56 < ryann> gdi can't linode just use some normal language
05:56 < ryann> Their current source is horrible to read trough
05:56 < Ruchira> ryann: the shore was abandoned long time ago. Im wondering why would they use that host name for a db host 
05:57 < ryann> Ruchira, the forum is pretty old too
05:57 < ryann> phpbb2
05:57 < ryann> <cfif ListLen(cgi.script_name, "/") gt 2 AND ListGetAt(cgi.script_name, 2, "/") eq "linode" AND NOT ListFind("index.cfm,linode_edit.cfm,linode_resize.cfm,label.cfm,cancel.cfm,dc_choose.cfm,su.cfm,pastdue.cfm", ListGetAt(cgi.script_name, 3, "/"))>         <cfinclude template="/members/linode/common/dsp_topNav.cfm"> </cfif>
05:57 < ryann> this code
05:57 < ryann> It's so dirty I feel bad reading it
05:58 < AlexC_> ryann: People have been bugging them to upgrade the forums for a long time
05:59 < ryann> I like how linode does stuff like this
05:59 < ryann> manager/controllers/Signup.cfc:         var lsd = query("getLinodeSignupData", "SELECT FieldName, Fieldvalue FROM ln_LinodeSignupData WHERE LinodeSignupID = #ls.LinodeSignupID#").recordSet;
05:59 < ryann> var lsd
06:00 < AlexC_> ryann: So, are you saying CC details have also been compromised?
06:00 < ryann> Yep
06:00 < AlexC_> ryann: And you plan on releasing these?
06:00 < ryann> They did try to encrypt them, but using public key encryption doesn't work if you have the public and private key in the same directory
06:00 < AlexC_> Oh linode
06:00 < shmoon> please dont get me wrong, can you hack someone's box here? so that its compeltely proved or something, i need to ge tback to work too. dont hack mine.
06:00 < ryann> AlexC_, probably. Linode didn't hold on to their part of the deal
06:01 < AlexC_> ryann: Sure, but there is no reason to compromise so many people
06:01 < Ruchira> ryann: money deal?
06:01 < ryann> Ruchira, "We won't share if you don't share"
06:02 < ryann> But they contacted law enforcement, we were monitoring their communications and caught onto that though
06:02 < Ruchira> so whats the point of hacking linode then?
06:02 < ryann> Access to a couple of clients
06:02 < ryann> nmap was just funny
06:02 < Ruchira> bitcoin?
06:02 < ryann> If I wanted bitcoins, I'd have went after softlayer and got mtgox
06:02 < ryann> But money's boring
06:03 < scottymeuk> Money is boring, i agree.
06:03 < gerryvdm_mbp> bitcoin is money?
06:03 < ryann> Well, it's not
06:03 < scottymeuk> gerryvdm_mbp: naa
06:04 < ryann> But what would you do with it besides exchange it to money?
06:04 < scottymeuk> ryann: try to buy a linode on IRC
06:04 < gerryvdm_mbp> store it :)
06:04 -!- ryann [[email protected]] has quit [Quit: CGI:IRC]
06:05 -!- ryannn [[email protected]] has joined #linode
06:05 -!- brennannovak [[email protected]] has joined #linode
06:05 < ryannn> Bitcoins are quite useless, and besides storing bitcoins after stealing everything from mtgox would be pointless
06:05 < Ruchira> ryannn: for what kind of "content" that you are waiting for?
06:05 < ryannn> as bitcoin prices would permanently crash as the last bits of trust are gone
06:06 < ryannn> Ruchira, other targets
06:06 < Ruchira> to release it on may 1
06:06 < gerryvdm_mbp> only use i can think of it is exchanging pure services :)
06:06 < gerryvdm_mbp> but then again its an unnecessary layer
06:06 < scottymeuk> gerryvdm_mbp: if it ever got mainstream, governments would find a way to control it anyway, so its pointless
06:07 < gerryvdm_mbp> its a scheme, it cant get mainstream
06:07 < ryannn> Bitcoins are mostly a lie anyways
06:07 < scottymeuk> Regardless, if it got 'big', they would find a way
06:07 < ryannn> They say there's no 'central weak point'
06:07 < ryannn> Yeah there is, there's the developers
06:08 < ryannn> There's been bugs in the client that have allowed the blockchain to split previously
06:08 < ryannn> One could just backdoor the bitcoin client binaries, not the source.
06:08 < ryannn> Nobody would figure it out until it's too late
06:10 < scottymeuk> Id rather a bank control my money, so that if it all goes fucked up, there is atleast someone to blame.
06:15 < gkmngrgn> hello, i forgot my password and linode's email reminder service doesn't work. i checked spam box but there's no email from linode.
06:15 < shmoon> ryannn: can you give him the password?
06:15 < scottymeuk> shmoon: damn you, you beat me to it!
06:23 < ryannn> shmoon, sorry I only have the sources on my server
06:23 < ryannn> db is on my desktop
06:24 < scottymeuk> ryannn: so your not in this to do large scale damage, only after a few clients?

已准备换卡!

太操蛋了,HN 上贴切评论:

-- 别担心,门都锁好了 -- 钥匙呢? -- 插在锁上

明天换卡去...

国内申请的 Visa 发现盗涮可以立刻申诉吗?

哦去。怎么消除影响?linode 上面好像只能换张信用卡,不能取消吗?

已挂失。

😄 RP 啊,我买时用的卡刚好几个月前过期了,换了新卡,还没在 linode 上使用

当时填写的招行的卡,马上登陆招行网站,把这张卡的额度设为 1 元,同时申请换卡了

草,怪不得收到 linode 邮件通知密码过期重设

各位申请换卡是带卡号一样换吗?

招商银行申请换卡选这个就行吧?

我前几天确实收到莫名的信用卡消费信息,有几十美金。当时疑惑了一会,没太在意。现在想来可能是悲剧了

更换信用卡 会不会避免呢?已经修改了一个虚假的卡号。

md, 直接销卡了,挂失费用太高....

冻结或者销卡,换卡不知道背后的 cvv 会不会换呢

电话过了,目前还没盗刷,冻结帐号先

#14 楼 @quakewang 招行挂失会发新卡,号码都变得,但是手续费要 60,然后我就直接销卡了... 不过峰回路转,现在直接免费换一张了....

#14 楼 @quakewang 我看了一下,Linode 不需要 CVV... 所以号码不变很危险

换卡后卡号、cvv 都会变,至少建行是...不过过期时间不变

Linode 居然把加密信用卡使用的公鑰和私鑰放在了一起,簡直是....... 傻 X 都不足以形容!

每次出现这样的问题之后,总会有类似这样的吐槽话语出现..... 😄

一年前在 linode 绑定过的信用卡需要更换吗?后来换了个信用卡绑定 linode 了,这样的情况需要取消不?

从爆出截图的文件后缀名 cfm,和 irc log 里面提到的 coldfusion 漏洞和配置问题,这个问题看上是真的。另外 irc 提到 Linode 的信用卡信息是加密的,但是 public key 和 private key 放到了一起,所以...

#17 楼 @yedingding 我在 Linode 上用的是我老婆的信用卡,问过她,说是 1 月份到期,换了新卡,还好不用麻烦去换。

linode 已经被吹嘘的不行了

叉,我也中了...之前只是买过一个个月的 VPS ...

已打招行信用卡电话申请换卡,免费的,一周左右能收到,会更换一个卡号,目前的卡就不能用了,其他个人信息不变,顺便这卡要到期也同时延期了一下,同时目前的账单依然可以到期还进去。

体验非常好啊!

#26 楼 @fresh_fish 我给他们说:

“我的信用卡信息泄露了,之前在国外的一个网站上面用过,这家网站被黑客攻击导致用户信息泄漏,泄漏的信息包括 卡号、CVV、到期时间,我该怎么办?”

然后对方像是和上级讨论了一下,回答说给我更换卡

我想问信用卡还有分期欠款可以换卡吗?

#27 楼 @huacnlee 我说卡片信息泄露了,想换卡,然后客服说建议挂失,收 60 手续费,可能我没说太详细...

赶紧把钱从 checking account 转到 saving account 了~ 太不靠谱了

#28 楼 @reducm 我的招行的信用卡,换卡仅仅只是更换卡号,帐号信息,账单什么的统统不变,还款依然可以继续,拿到新卡开卡以后信息应该和以前是一样的,老卡应该是冻结消费

#25 楼 @huacnlee Cool~我也这样去试试。

信用卡已经到期。虚惊一场。

靠,我也去申请换个卡

已经打电话冻结换卡

#10 楼 @fresh_fish 你这个不对,你这是补卡,卡号不变的,不知道 CVV 会不会变

Don't panic. 我不换卡,如果被盗刷我会来报告的。

#36 楼 @chechaoyang 客服跟我说卡号会变得,她说补卡卡号不变,挂失卡号才会变

换卡了,一大早的。 猪一样的 Linode 啊,擦!

#25 楼 @huacnlee

同是招行卡,换卡很顺利,一周左右新卡到。

#37 楼 @ashchan 因为你不在天朝啊~~~~

#37 楼 @ashchan

那是因为你在万恶的资本主义社会啊,在天朝他要是给你来个特殊国情就死翘翘了。。。

#37 楼 @ashchan 你在国外,应该没问题。最近微博上热议的两起招行盗刷的事情,真的是对国内银行没信心了。

#38 楼 @fresh_fish 你是挂失了啊。我看截图写的补发,以为是补卡呢。

#31 楼 @huacnlee 刚打去广发冻结 35+ 换卡工本 15...

#40 楼 @fresh_fish #41 楼 @leondu 两位大哥,我 Linode 用了很多年了,信用卡绑的是。。。也是招行滴。

这种事情,一是机率问题,即真的暴露了你被搞的机会有多大。二是事情到底是不是真的,一听任何消息就买板蓝根不够冷静:)

当然我是赞赏大部分人马上采取措施保护自己的行动的。小心总是没错的。

唉,果断把信用卡挂失停掉了。

#42 楼 @chechaoyang 国外的卡钱被刷了,钱基本可以要回来。但是还是挺麻烦的~

#45 楼 @ashchan

哈,洋装虽然穿在身,卡还招行信用卡 ;-)

鉴于前两天 Linode 突然发邮件给我让我改密码,再加上微博上面招行卡被盗刷之后吐槽的博文,还是宁可信其有吧...

换卡要收 60 快,把卡先冻结了。考虑是不是注销卡,然后重新办一张。

#47 楼 @sundevilyang 正常情况下被盗刷确实可以要回来,不过看了这两件事儿,心里总会有些担心 http://www.vjianke.com/YPMP1.clip http://weibo.com/1810826550/zqrm4AKr8

#48 楼 @leondu 嗯,多留意一下,小心点不是坏事。

#43 楼 @chechaoyang 我又打电话给招行信用卡中心,对方说招行对信用卡信息泄露有不同的处理政策,换卡号是不收费的,但是挂失是收费的

看着很恐怖啊,好在信用卡刚刚到期换了新卡,省事了。

#47 楼 @sundevilyang 国外就是好啊 国内的卡 盗刷了 100% 拿不回来 政策是 已经消费的 算你的 冻结以后消费的 算银行的

已撸 已换

已联系招行,重做了一张,客服代表说明 卡号,cvv,到期日期都会变的,供各位参考

一直想买 Linode,犹豫了好多次,可每次总是感觉把卡号和 CVV 都告诉别人有点不靠谱,最后还是关了页面。。。。。。

另一个方案: 进入招商银行专业版,信用卡选项卡,卡片管理里有一个修改卡片额度。 将使用的境外支付卡的额度修改为 1CNY,然后确认。 然后再重新申请一张卡片即可。 等新卡片到了,打电话给银行要求注销旧卡片,确认身份信息即可注销。

EDIT:我已经测试过了,设置限额后通过 Paypal 支付失败: https://plus.google.com/u/0/108281241220294160411/posts/KrejKx5NxsT

难道 Linode 还在记录 CVV ...

歪楼 其实大家是不是要讨论下有没其他靠谱的支付方案或者 vps 什么的

#61 楼 @bhuztez 自动扣款的,记录了 CVV

#59 楼 @chenshaoju 直接电话联系招行,告知信用卡所有信息泄露,请求协助,客服代表会冻结该卡片所有支付,并冻结期间不影响还款,招行会重做一张卡,卡号,cvv,到期日都发生变化,开卡后旧卡自动失效。

这~~~ 赶紧换卡吧。

招行有 VISA/MASTER 验证服务,未经验证的网站是无法网上支付的,请问如何盗刷?

我重做了。。

#66 楼 @howiehu 微博上这两天招行已经有两起招行被盗刷事件了,可以搜搜看,而且在经侦科立案的情况下招行仍然支付了这些钱出去...

#68 楼 @huobazi 我现在有一个疑问就是,网站会记录你的 CVV 号码吗?如果不记录的话应该还是安全的。

#69 楼 @howiehu 记录的,不记录 CVV 怎么实现自动续费功能?

#69 楼 @howiehu Linode 每期自动扣款的,需要记录 CVV

招行答应免费帮我换一张新的卡号不同的卡了。

#71 楼 @luikore @huobazi 那就惨了,看来要换卡了……

另外,看过几个招行信用卡盗刷的帖子,里面都说到:信用卡不设密码的话,相对是比较好处理盗刷情况的。这些例子中被盗刷的貌似都是设了密码的。

#63 楼 @huobazi 私自记录 CVV,现在所有信用卡发卡机构都不会随便允许你这么干的吧。存个信用卡号就要你 PCIDSS 了。

recurring payment/billing,一般都是要求第一次先生成一个token,指定周期和金额,之后你要取消,你就拿这个token去取消就完了。

#74 楼 @howiehu 密码只对国内支付有效,信用卡本来是没密码的... 卡号 + 日期+cvv 已经保证乱输百亿次都撞不到一个对的了

#76 楼 @luikore 问题是,网站是否记录了完整的卡号、日期和 CVV?

#77 楼 @howiehu 没刷卡要扣钱必须用 CVV 的吧...

这事情太夸张了,我退款了我所有的 Linode VPS

#75 楼 @bhuztez CVV 没丢还放心点... 在 textmate, blizzard, alfred, riot 等各种地方都填过卡号了...

#80 楼 @luikore 那些网站都不存卡号的话,其实还好吧。存了,就等着被匹配了...

#64 楼 @huobazi 谢谢,可惜我已经申请了新卡了,等新卡到了再注销旧卡。

EDIT:还是打电话给了招行,要求取消新卡申请,并且作废了旧卡,重新发卡。

#50 楼 @chechaoyang 这个明显是当事人太聒噪了,信用卡盗刷确认肯定有处理周期的。 另外,当事人居然会给信用卡设密码,呵呵,就像一个程序都不会写的人,突然写文章告诉你 Ruby 的语法多操蛋一样 :-D

#50 楼 @chechaoyang 国内银行真你妈操蛋

#83 楼 @kgen 我看了那个微博,那个是借记卡,不是信用卡。

我刚打了招行信用卡人工服务,对方表示立刻将我卡冻结,一周后会寄给我新卡,全部免费

怎么免费换卡

打电话给招行的客服妹子,“我的信用卡在国外的网站上泄露了,存在被盗刷的风险,怎么办?”

对方会说:“麻烦你换张新卡吧,一周内寄到”

为毛我打过去提示说要先挂失呢,挂失要 60 元。 #87 楼 @xiaoronglv #86 楼 @edokeh

@openapi 你按 87 楼说的做,应该是免费的,注意要强调风险

#89 楼 @edokeh 我就是这么说的。。。看来要遇到特定的妹子。。。

国内银行绝对操蛋,换卡保平安。

#78 楼 @bhuztez 不一定需要的。Gateway 这边可以设置用不用 CVV

#92 楼 @yedingding 我是说如果都存了卡号的话,不然存屁个卡号啊,就一 token 么...

#88 楼 @openapi 看我 52 楼说的,然后说你信用卡信息泄露,想换卡号,而不是挂失

#77 楼 @howiehu 网站保存你的信用卡号的话要遵守 PCI compliance 相关规定的。卡号和有效期都是需要加密的。如果 Linode 真的象上面说的公钥/私钥放一起都被黑了而且流出了完全的用户信用卡信息,那它的 Payment Processing 肯定会被调查。

#95 楼 @ashchan 就是谁知道被调查了没,发卡机构也可以坑爹的...

#61 楼 @bhuztez 不然它下次怎么支付

#98 楼 @mebeta adobe 总是中枪啊,之前 ios 上面越狱也是 pdf 漏洞,这次又是 adobe 的 coldfusion 服务器,flashplayer 也被老乔批...

#98 楼 @mebeta 从它的声明来看,有这些数据被盗了:

  • 加密后的信用卡号(相信用效期也被拿到了),明文的卡号后四位
  • 用来加密的 public/private key(这个没有明确说明,但上下文读起来感觉有可能)
  • 部分用户的明文 Lish 密码
  • 用户的加密后的密码
  • API Key

我们比较关心的信用卡问题,拿到 public/private key,只要再拿到 private key 的 passphrase 可能就可以解密了。希望不要被暴力穷举出来。危险性应该还是非常高!

#100 楼 @ashchan 不懂啊,为啥要明文存 Lish 密码..

#100 楼 @ashchan 这个在未来的几周,几个月就很有可能了。

#101 楼 @blacktulip 可能是最早的时候做的时候没注意(大家都犯过这个的错误,当年学 ASP 上教材上教的都是明文保存的,哈),就象先前的 CSDN 事件一样。或是因为要它 Lish 自动在 web 上登录 console,为了方便没有采用不可逆的 hash 算法。

还好,上个月选 VPS,差点就选 Linode 了。。。。

#102 楼 @huobazi 嗯,所以方便换卡的就换一下吧。

#103 楼 @ashchan 和安全有关的代码,不定期审查就是跟客户耍流氓

#106 楼 @bhuztez 说的真好,非常同意。

#83 楼 @kgen 嗯,确实是不该设置密码,不过好多人都不知道这个事情,办卡的业务员也都不给你讲。上面发的那两个事情,当事人确实都有过失,金额小的那个,真实度高一些。金额大的那个部分存疑。我对比着看了招商银行发的官方声明(http://e.weibo.com/1653150224/zr4KvbjLh),可从字面上看就不够可信,后来当事人又公开了电话录音,进一步正式这个声明的虚假成分。虽然现在事情没有定论,但从能找到的信息来分析,招行责任很大。

哇,你也看 slashdot 啊

#108 楼 @chechaoyang 当事人连最基本的信用卡常识都没有,而且一会儿信用卡一会儿借记卡,基本可以确定当事人造假了。

好奇怪 Linode 怎么拿得到信用卡的信息啊

#111 楼 @iBachue 哥...你怎么给 Linode 付款的啊?

#112 楼 @sailtsao 之所以问这个是因为 做过相关的支付服务 有明确的法律规定我们没有权利存储用户信用卡信息,这些信息只能由专门的提供商管理 (我们用的是 Cybersource),而我们仅仅拿到的是提供商返回回来的一个 Token,我们的网页要把用户填写的信用卡信息直接上传到提供商而绝对不能经过我们自己的服务器去,因此不存在泄露的可能。

#113 楼 @iBachue 那就是 linode 违法了...告死丫的...跟 CSDN 一个德性...一个明文保存密码...一个违法保存用户信息而且锁门了还把钥匙留在锁上...刚想夸夸最近 linode 升级了是业界良心...现在就出这种幺蛾子...你妹啊...换 DO 去了

#114 楼 @sailtsao 233 一般来说不会啊 毕竟也是美国公司啊 而且这个著名 怎么敢做出这种事情来呢??

躺着也中枪呀,刚刚申请更换

#113 楼 @iBachue 你说的是 PCI 吧,这个是用第三方支付网关的情况,比如它对接 PayPal 的时候。 如果自己做支付,只要遵循相应的保密标准,是可以存信用卡信息的。

#115 楼 @iBachue

这个就是美国公司,做起来也不见得完全遵守,表面上看是一回事,我做过美国一些保险公司的项目,信用卡信息的确是不能保存,做法是保存入库,但是显示的时候打码,就留最后四位这样子

#117 楼 @kgen 这个要有 License 才能做的吧 不会乱来的吧。。

还好 linode 上的几个帐户都用一张卡购买的,换一卡就好。

還好還好,趕緊換成 虛擬運通卡 。。。不怕盜刷

按照官网的说辞,private key 本身也是自加密的,且 passphrase 没有被获取。所以没事。。。

Credit card numbers in our database are stored in encrypted format, using public and private key encryption. The private key is itself encrypted with passphrase encryption and the complex passphrase is not stored electronically. Along with the encrypted credit card, the last four digits are stored in clear text to assist in lookups and for display on things like your Account tab and payment receipt emails. We have no evidence decrypted credit card numbers were obtained.

#122 楼 @ghprince 本地爆破毫无压力

#123 楼 @blacktulip 长度足够,且不是弱密钥的情况下,本地爆破可能超过 10 年,到时候所有的信用卡都过期了。

#119 楼 @iBachue 我们给各种欧美客户也只做过通过各种第三方平台的支付集成。 如果要自己搞支付是不是要 License,的确不太清楚。

#124 楼 @kgen 是啊,问题把自己的钱押在别人的密码强度上靠谱么?

#126 楼 @blacktulip 我第一时间就很淡定地限制了可用额度,然后申请了一张新卡。 在这里,我是纯粹在讨论加密技术本身 :-D

#127 楼 @kgen 那是。不过 linode 说他们的私钥记在他们员工的脑子里,所以……强度恐怕一般

#128 楼 @blacktulip 他们只是没有用电子方式存储而已,我举个例子,用条形码存储,每次扫描枪输入,依然可以长度很长。

#129 楼 @kgen 他们说了「只记录在脑子里」。原话

#129 楼 @kgen 新闻说他们的服务器被劫持了比较久时间了,这期间只要他们用秘钥,就不排除会被嗅探到啊。

#128 楼 @blacktulip 其实,运行的时候密码总在内存里吧,ptrace 读一下内存就得了...

#132 楼 @bhuztez 是啊,其实他们能让人同时拿到公私钥这一点就让客户完全丧失信心了……

唉,中招也就算了,现在都不知道用哪个 vps 好了

#130 楼 @blacktulip 悲剧,那肯定短

Harker 世界的历史性事件。。。

还好最近才换卡啊

#130 楼 @blacktulip 原话在哪里?求原文。 我只 quote 到

the complex passphrase is not stored electronically

没提到员工记住了啊。

想知道 linode 新卡过来后还能在 linode 上购买 vps 吗 貌似目前也就 linode 的还可以

#119 楼 @iBachue 这个不是 license,而是规范,严格来说所有需要存储用户信用卡信息的都必须遵循这个规范,Linode 应该是 Merchant 这个角色,那么对应的规范就在这里: https://www.pcisecuritystandards.org/merchants/index.php

规范在那里,但是实现的如何又是另外一回事了...

换了张卡,发现不能绑定 google 钱包了。 好吧,好像又可以了。

这个是不是应该交给法律?刑事犯罪。

146 楼 已删除

@Omegle Take the necessary precautions to protect your financial information

需要 登录 后方可回复, 如果你还没有账号请 注册新账号