
Secret Service, other agencies investigating Norm Coleman campaign credit-card leak

L. Coyote, Sat Mar-14-09 06:49 PM
Original message
Secret Service, other agencies investigating Norm Coleman campaign credit-card leak
Source: twincities.com

Secret Service, other agencies investigating Norm Coleman campaign credit-card leak
Attorney general also receives complaint; team mum as criticism mounts
By Dave Orrick - 03/14/2009


At least three agencies are investigating whether someone stole donors' credit card numbers from the campaign of former U.S. Sen. Norm Coleman. And the state attorney general has been asked to look into whether the campaign broke any laws.

The campaign clammed up Friday, citing the inquiries, as criticism continued. A local law professor says he believes the campaign "clearly" broke two state laws, and a nationally recognized cyber-security guru called part of the campaign's explanation "idiotic" and straining belief.

Earlier this week, a campaign attorney said he believed the campaign broke no laws, and Coleman cast himself as a victim of data theft.

The data was exposed to anyone with an Internet search engine for part of Jan. 28.

On Tuesday night, the self-described whistleblower Web site WikiLeaks.org (http://wikileaks.org/) blew the story open by e-mailing more than 50,000 people — whose names were contained on two databases, one of which included full credit card numbers and security codes of some 4,700 people .....

Read more: http://www.twincities.com/ci_11910119



When will they investigate the pay-for-play money Coleman received even before being elected, and Karl Rove's role in funneling the Bajagua funds?
Also, what about the Big Oil money from the Corrupt Bastards Club?

Stephanie, Sat Mar-14-09 07:23 PM
Response to Original message
1. Was the data captured as they processed donations?
Do most people process donations on their own site or do they use a secure service like Act Blue?

wroberts189, Sat Mar-14-09 09:18 PM
Response to Reply #1
7. Most do ..but it sounds like they were not using an outside processor


Because if they were there would be no reason to store the data in the public index folder.

CLANG, Sat Mar-14-09 07:23 PM
Response to Original message
2. I guess people are too scared to comment
Edited on Sat Mar-14-09 07:25 PM by CLANG
except for Stephanie, LOL

LuckyLib, Sat Mar-14-09 07:24 PM
Response to Original message
3. Normie's camp is spinning this as the information was obtained through "hacking" --
sorry, former Senator Coleman: if you leave donor information and credit card numbers and expiration dates and codes on a website WITHOUT protection, and someone lifts it from cyberspace, you have failed to take adequate precaution to protect donor information and confidentiality. In other words, your people were stupid.

CLANG, Sat Mar-14-09 07:26 PM
Response to Reply #3
4. 'Tis all Franken and his minions' fault

formercia, Sat Mar-14-09 08:03 PM
Response to Reply #3
5. You would have to be stupid to work for Norm Coleman
Probably some pasty-faced, self-described reconstructionist wannabe who works out of his mother's basement, using a Win 95 white box and 28k modem.

8 track mind, Sat Mar-14-09 11:44 PM
Response to Reply #5
14. once upon a time
i thought that was the hot setup. ah memories! :hi:

RUMMYisFROSTED, Sun Mar-15-09 09:49 AM
Response to Reply #14
22. DOS, 9600 baud modem and 2 megs of ram.
:woohoo:

formercia, Sun Mar-15-09 01:15 PM
Response to Reply #14
24. I remember when a Commodore 64 was an upgrade
Edited on Sun Mar-15-09 01:16 PM by formercia
from my homebrew system.

back in the old days when microcontrollers (we called them computers), were built on perfboard from scrounged chips.

Most people don't realize how good they have it.

:hi:

wroberts189, Sat Mar-14-09 09:22 PM
Response to Reply #3
9. Yep.. His web developer was beyond stupid for sure.



They could not have made it any easier unless they posted a link "download cc info here" on the homepage.

rocktivity, Mon Mar-16-09 08:33 AM
Response to Reply #3
25. The second I saw this screen capture, I knew what the problem was
and I'm far from a computer genius.



His people were so stupid they didn't put an index page in the directory. That's next door to not realizing that your computer isn't plugged in!

:crazy:
rocktivity

wroberts189, Sat Mar-14-09 09:00 PM
Response to Original message
6. Normie is in big trouble...


http://pcistuff.blogspot.com/2006/12/pci-fines-teeth-of-pci-dss-compliance.html

Wednesday, December 27, 2006
PCI Fines - The Teeth of PCI-DSS Compliance
In 2006, Visa levied $4.6 million in fines, up from a 2005 total of $3.4 million.

This new program sets an enforcement date for acquirers to validate PCI compliance for Level 1 and Level 2 merchants. Additionally, Visa is adding new fines to acquirers whose Level 2 merchant customers retain full-track data, CVV2 or PIN data after the transaction authorization.

Specifically for PCI compliance, acquirers will be fined between $5,000 and $25,000 a month for each of its Level 1 and 2 merchants who have not validated by September 30, 2007 and December 31, 2007 respectively. For prohibited data storage, acquirers failing to provide confirmation that their Level 1 and 2 merchants are not storing full track data, CVV2 or PIN data by March 31, 2007 will be eligible for fines up to $10,000 a month per merchant, subject to escalation in the event material progress toward compliance is not made in a timely manner.

KNR

zalinda, Sat Mar-14-09 09:19 PM
Response to Original message
8. Any web site that takes credit cards is supposed
to be PCI compliant. Coleman's was not. Even I know enough not to keep credit card info on line. I wouldn't be surprised if Coleman doesn't get sued by the credit card processor or the credit card companies themselves.

zalinda

wroberts189, Sat Mar-14-09 09:23 PM
Response to Reply #8
10. Thanks.. I keep posting this important info on every thread about this


He is liable for hundreds of thousands in fines.

GregD, Sun Mar-15-09 02:35 AM
Response to Reply #8
20. I build web stores
Rule number one (beyond PCI compliance) is that one never, ever, under any circumstances stores the 3-digit CVV code. They not only did that, but those were among the data that was revealed. This is a REALLY BIG DEAL. The penalties from the credit card consortium will likely be massive. Would not want to be in their position just now.

Mnpaul, Sat Mar-14-09 09:30 PM
Response to Original message
11. Complaint filed with Mn AG
http://file.sunshinepress.org:54445/coleman-webster-ag-2009.pdf

The credit card companies have been notified as well.

wroberts189, Sun Mar-15-09 12:06 AM
Response to Reply #11
17. Cool.... thx just read it .....
Edited on Sun Mar-15-09 12:09 AM by wroberts189


The greedy cc companies versus a greedy pub.


Cannot wait to see how this turns out.

L. Coyote, Sun Mar-15-09 12:17 AM
Response to Reply #11
18. That's a PDF link to the complaint. Good read. Here is an article about same.
http://blogs.citypages.com/blotter/2009/03/minn_ag_should.php

Minn. AG should investigate Coleman, local web developer says
By Emily Kaiser in Franken vs. Coleman
Friday, Mar. 13 2009

..... one local Web developer has formally contacted the Minnesota Attorney General's office asking them to investigate Coleman's campaign for possible consumer protection violations. Will they take up this case?

Tony Webster has submitted a letter to AG Lori Swanson reviewing that issue and calling out the campaign for violations. CP has reported on similar concerns.

Here is an excerpt:

As a website that accepts payments via credit card, the Coleman campaign is bound by the Payment Card Industry Security Standards (PCI DSS), a unified set of rules agreed to by all major credit card companies, banks and card processing services. According to PCI DSS, Requirement 3, the storage of credit card numbers is permitted as long as it is "...required for business, legal and/or regulatory purposes." In any case, the card number must be protected by encryption. If the expiration date is stored, it must also be encrypted. In no case should the three or four-digit security code on the back of a credit card ever be stored, regardless of the reason and regardless of the protection or encryption used.

At this point, it's clear that the Coleman campaign took several negligent steps in the matter: (a) the improper storage and collection of full credit card numbers, expiration dates and card security codes, (b) the database contents being exported from the database to a database file, (c) the misconfiguration of the Coleman campaign website, and (d) the further publication of the database file to the internet. ..........
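
The failures listed in the excerpt above (card data stored, exported to a file, and left in a served directory with no index page) can be checked for from the defender's side. The following is an added example, not part of the original post or the complaint letter: a small audit of a document root. The index file names, the export extensions and the sample donor row are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumed defaults; adjust to the web server's actual index and export names.
INDEX_NAMES = {"index.html", "index.htm", "index.php", "default.htm"}
EXPORT_EXTS = {".sql", ".bak", ".dump", ".csv", ".mdb", ".xls", ".zip", ".gz"}
PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")  # card-number-length digit runs

def luhn_ok(digits: bytes) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 48
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def audit_webroot(root: str) -> list[tuple[str, str]]:
    """Return sorted (finding, relative path) pairs for a document root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        # A directory without an index file is listed if auto-indexing is on.
        if not INDEX_NAMES & {f.lower() for f in files}:
            findings.append(("no-index-file", os.path.relpath(dirpath, root)))
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.path.splitext(name)[1].lower() in EXPORT_EXTS:
                findings.append(("export-file", rel))
            with open(path, "rb") as fh:
                data = fh.read(1_000_000)  # first 1 MB is enough to raise a flag
            if any(luhn_ok(m.group()) for m in PAN_RE.finditer(data)):
                findings.append(("card-number", rel))
    return sorted(findings)

def demo() -> list[tuple[str, str]]:
    """Build a constructed document root and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "db"))
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<h1>Donate</h1>")
        # Constructed row; 4111111111111111 is a widely used Visa test number.
        with open(os.path.join(root, "db", "donors.sql"), "w") as fh:
            fh.write("INSERT INTO donors VALUES ('A. Donor','4111111111111111');\n")
        return audit_webroot(root)

if __name__ == "__main__":
    for finding, path in demo():
        print(f"{finding:15} {path}")
```

An index file only hides the listing; the findings that matter most are the export file and the stored card number, neither of which belongs under the document root.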

fedupinBushcountry, Sat Mar-14-09 10:07 PM
Response to Original message
12. Here is a great debunk

L. Coyote, Sat Mar-14-09 11:12 PM
Response to Reply #12
13. Caught red-handed in LIES it seems.
Edited on Sat Mar-14-09 11:45 PM by L. Coyote
Here is Coleman LYING, blaming others for their screw-up:
http://the-uptake.groups.theuptake.org/en/videogalleryView/id/1765/

http://www.flickr.com/photos/adriarichards/3234833407/
Go down the page to see the video countering his lies.

His aide is also lying, and obviously paranoid.
'We are under attack.' LOL, YEAH, by themselves!!

L. Coyote, Sat Mar-14-09 11:48 PM
Response to Original message
15. Consultant who exposed flaw on Coleman site fires back 'I did it for all the right reasons,'
Consultant who exposed flaw on Coleman site fires back
'I did it for all the right reasons,' says Adria Richards
By Jaikumar Vijayan - http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9129631&intsrc=news_ts_head


March 13, 2009 (Computerworld) A Minneapolis-based IT consultant is defending her decision to post details of a security weakness she found on former Minnesota Sen. Norm Coleman's campaign Web site in January, a flaw that later resulted in a donor database on the site being compromised.

The database contents were posted on the whistle-blower site Wikileaks on Tuesday, publicly exposing the names, phone numbers, street addresses and e-mail addresses of more than 51,000 Coleman supporters and donors. .....

Richards said she did not access the data herself, but instead posted screenshots and details of her discovery on her own blog, on Flickr and two other blog sites. In an interview, she said that the decision to publicize her discovery was not politically motivated nor was it done for malicious reasons. Coleman, a Republican, and Democratic contender Al Franken are locked in a bitter dispute over the recent Senate election results for Minnesota. Franken currently leads the disputed race by a razor-thin margin, and the dispute has polarized supporters on both sides.

Richards said she might have done the same thing if the flaw had existed on a Democratic candidate's Web site, noting that she simply wanted to document how she found the information, explain what the problem was and tell others how to protect themselves from potential breaches. "Some people may think I was being unprofessional," Richards said, referring to comments on her own Web site from upset readers.

One person who posted on her site, for instance, wondered why Richards felt "morally licensed to abet criminal action," while another accused her of a "complete lack of conscience."

Richards defended her actions and claimed that no one in the Coleman camp would have responded if she had approached them with the information. In the past, Richards said, she has tried alerting others to similar problems but is usually ignored.

In this case, the details of her discovery involving the Coleman site were largely ignored until Wikileaks posted the database ................

L. Coyote, Sun Mar-15-09 12:04 AM
Response to Reply #15
16. Coleman’s site wasn’t ‘hacked,’ says IT pro who discovered donor breach
Coleman’s site wasn’t ‘hacked,’ says IT pro who discovered donor breach
By Paul Schmelzer 3/11/09 - http://minnesotaindependent.com/28748/colemans-site-wasnt-hacked-says-it-pro-who-discovered-donor-breach


Norm Coleman’s campaign spokesman Cullen Sheehan suggested in an e-mail sent to supporters this morning that Wikileaks.org’s publication of the campaign’s donor database — including donors’ credit card numbers and the three-digit security codes for those cards — is the work of politically motivated people who have “found a way to breach private and confidential information.”

Sheehan hinted that the leak might be a work of political sabotage: “We don’t know if last evening’s e-mail is a political dirty trick or what the objective is of the person who sent the e-mail.”

MinnPost’s Joe Kimball echoed Sheehan’s notion that the database was hacked, writing this morning that “some hackers (Web enthusiasts, calls them), apparently discovered that list.”

But the database was not revealed by hackers, according to IT professional Adria Richards, who was the first to share news of the unprotected file in late January.

“It’s not hacking,” she said. “I didn’t use any hacking tools. A browser was my tool.”

Richards said she discovered the database by entering normcoleman.com into OpenDNS’ cache-check tool, which gave her an IP address where the Web site lived.

Simply copying that address into a Firefox browser revealed the Web site directories for colemanforsenate.com.

No Elephants, Mon Mar-16-09 09:06 AM
Response to Reply #15
26. That's her story and she's stickin' to it. And I'll swear to it on her behalf, if necessary..
Edited on Mon Mar-16-09 09:07 AM by No Elephants

L. Coyote, Sun Mar-15-09 12:52 AM
Response to Original message
19. SLIDESHOW: Coleman credit-card debacle: setback....or glorious opportunity?
Coleman credit-card debacle: setback....or glorious opportunity?
http://www.citypages.com/slideshow/view/260902

HUMOR.

truthisfreedom, Sun Mar-15-09 02:50 AM
Response to Reply #19
21. Funny shit! n/m

rocktivity, Sun Mar-15-09 01:09 PM
Response to Original message
23. Here are links to an interview the IT consultant did
with Rachel Maddow, and to her own web site.

:headbang:
rocktivity