The website of the cosmetics company Lush has been compromised and a number of credit card details stolen over a period of almost 4 months, including the busy Christmas shopping season; some of them have already been used to make fraudulent purchases. Customers on the Lush Facebook page are far from happy.

The consequences of the hack were so grave, and the effect on the trust that Lush were able to place in their online store so serious, that the entire Lush website has currently been taken offline and replaced with a single page offering limited details of the attack.

A statement on the website says:

“Our website has been the victim of hackers. 24 hour security monitoring has shown us that we are still being targeted and there are continuing attempts to re-enter. We refuse to put our customers at risk of another entry – so have decided to completely retire this version of our website. For complete ease of mind, we would like all customers that placed ONLINE orders with us between 4th Oct 2010 and today, 20th Jan 2011, to contact their banks for advice as their card details may have been compromised.”

I was initially alerted to the attack by one of my own friends, whose card, along with her husband’s, has subsequently been used to make fraudulent purchases totalling almost £6000 from well-known online retailers.

The risk of these stolen card numbers being used by criminals has already moved from the theoretical to reality.

For the most part, shopping online is as safe as shopping in store, but when a compromise occurs at an online merchant its consequences are often far greater, affecting many more people than in-store card cloning because of the centralised nature of online stores. If you feel you may have been affected, contact your bank immediately.

Consumers should be demanding more services, such as one-time credit card numbers, from their financial institutions to give them more protection when shopping online. One-time credit card numbers were introduced back in 2000 by AmEx but have not been as widely adopted by consumers as I would have expected. Talk to your bank and find out what security it offers for online shopping.

Lush haven’t gone public over exactly how the information was accessed, but it’s never a bad idea to restate a few best practices for securing web applications:

  • Keep them patched.
  • NEVER store sensitive data in clear text (in fact this is a PCI requirement).
  • Get them regularly vulnerability scanned from the inside as well as the outside.
  • Use strong authentication (two-factor) if you are only serving a limited user population or if the data you are holding is particularly sensitive. Relying on a session cookie alone can lead to session hijacking.
  • Bounds checking and validation of input data help to avoid buffer overflows and SQL injection type attacks.
  • Provide access to information on a need-to-know basis, and always with least privilege.
  • Don’t provide detailed error information to browsers: you don’t expect your customers to debug your application, so don’t give up that error message.
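To make the input-validation and error-handling points concrete, here is an added example (not Lush's code, and not from the original post) of an order-lookup routine written the unsafe way beside a hardened version. The `orders` table, the `LUSH…` reference format and the sample rows are constructed for illustration; the hardened path validates the reference against an allow-list pattern, uses a parameterised query, and returns only a generic message to the browser while the full error goes to the server log.

```python
import logging
import re
import sqlite3

log = logging.getLogger("shop")

# Constructed assumption: order references are 6-12 upper-case alphanumerics.
ORDER_REF_RE = re.compile(r"^[A-Z0-9]{6,12}$")


def setup_db():
    """Build a small in-memory orders table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (ref TEXT PRIMARY KEY, customer TEXT, total_pence INTEGER)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [("LUSH000123", "alice", 4599), ("LUSH000124", "bob", 1250)])
    return conn


def lookup_unsafe(conn, ref):
    """The vulnerable pattern: user input is spliced straight into the SQL text,
    so characters in the input can change the meaning of the statement."""
    return conn.execute("SELECT customer FROM orders WHERE ref = '" + ref + "'").fetchall()


def lookup_safe(conn, ref):
    """Hardened: reject anything outside the expected format, then bind the
    value as a parameter so the database never parses it as SQL."""
    if not ORDER_REF_RE.fullmatch(ref):
        raise ValueError("invalid order reference")
    return conn.execute("SELECT customer FROM orders WHERE ref = ?", (ref,)).fetchall()


def handle_request(conn, ref):
    """Simulated web handler: returns (status, body) for the browser.
    Detailed failures are logged server-side; the customer sees a generic message."""
    try:
        rows = lookup_safe(conn, ref)
        return 200, [r[0] for r in rows]
    except ValueError:
        return 400, "Sorry, that order reference is not valid."
    except sqlite3.Error:
        log.exception("order lookup failed for ref=%r", ref)  # full detail stays in the log
        return 500, "Sorry, something went wrong. Please try again later."
```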