Well I'll wait for a response from linode, but it certainly looks like they were very dishonest. I think I will close my account.


Linode is always bad about communicating with customers over breaches and outages.


So you're unfortunate enough to be a customer who had their CC leaked. So you spend 5 minutes changing your password (you use unique, non-formulaic passwords, right?) and 15 minutes on the phone to CC company to ask for a new card. Then you use your backup card for 2 weeks (you have a backup card, right?)

A month later, spend 30 minutes on the phone with CC company only if strange transactions appeared.

Not the end of the world. The CC industry is set up well to handle this kind of thing.


To dismiss this breach seems odd to me. The tech community in general has placed a lot of trust and faith in Linode over the years. The shareowners at Linode have surely been great beneficiaries to that. Part of that "unspoken agreement", if you will, is that Linode be competent at what they do and that means keeping your data and information secure.

If even an iota of what I read in the abridged IRC log is true, Linode doesn't seem to care much about security or protecting Linode customer data. I mean, storing "encrypted" card numbers alongside private/public keys? Really.


Sigh, really? Ok, you typed your credit card number into a web browser at some point. If your sole reason for doing so was "I absolutely trust the people on the other end of this socket not to do what 99% of all people handling credit card data do whether they pretend otherwise or not", instead of something like "hmm that reminds me, I haven't scanned last month's statement yet", then the problem lies squarely with you, the uninformed consumer.

I will happily dismiss this breach, not because they didn't make some amateur crypto mistake, or because they weren't using freaking ColdFusion, or because they were storing data in some nice compartmentalized form. I reject it because this happens every single day and has done for decades, and there is an entire sub-industry built around its after-effects. If you don't understand this you shouldn't own a credit card.

If you type a credit card number in online not expecting to recoup any damage caused from your card company, call them up now for clarification or cancel the damn card. That's equivalent to stuffing cash in an envelope and posting it to Nigeria because some prince promises he'll keep it in a safe for you. It's 90% the reason you should be using credit cards in the first place. Think.

Linode should not be rubbished here. They've got one of the largest VPS installs around, so they most likely know their shit. They make an ultra-common CC mistake that has happened daily for almost 20 years now, by companies large and small, got pwned due to a bug in someone else's software, and you think I'm going to play along with the righteous indignation bullshit here? GTFO.

Let he without sin cast the first stone. Despite 20+ years' experience I still cannot cast that first stone. I make bullshit mistakes like this every day, and despite your grandiose delusions you probably do too.

As for whiners complaining about their data suddenly being insecure, well, data security 101: you're making the same bullshit mistake Linode are making, and despite that you're complaining about it. If you care about data security in the "cloud", hosting it on a freaking VPS is not the way to do things.


So because companies A through X are irresponsible with data, customers should regard that as acceptable and give company Y a free pass to do the same? I don't understand how a reasonable analysis of the situation can come to that conclusion.


You don't know the names of companies A through X, or supposedly safe Z for that matter. All you'll be doing is an enormous amount of work and bother to move from Y to, let's say, A, because you think you'll be more secure, but unfortunately, if anything, it's probably the other way around; it's just that A hasn't been hacked... yet... so far as they know...

None of them get a free pass; they all suck, but the one that just got busted is probably going to be a little more security focused in the near future.

Hmm stay at a place that just got burned, or expend lots of effort to move to a place that hasn't been burned yet...


"Because Nigerian princes A through X are irresponsible with your cash, budding lottery winners should regard that as acceptable and give Nigerian prince Y a free pass to do the same?"

Of course not, and this drives to the very core of risk management. I've signed up for some very shady online services in my time, doing so in the full knowledge that should a product or service not be rendered as advertised, I am guaranteed to be able to reverse the relevant charge. Even when I the consumer am doing something shady (in a case last month, attempting to import goods I knew weren't certified for the EU), the system still works for me. This is the sole reason I use a credit card rather than, say, my current account's Visa number.

It's not even about assessing the risk of whether or not you're going to get ripped off, but whether or not a particular company will cause you the inconvenience of the aforementioned phone calls.

If you work on the assumption that your card data is safe, you quite simply aren't safe enough to be in possession of a computer or card. Credit cards aren't built on that assumption; instead their entire motivation is based on risk profiling both the consumer and merchant, and terminating agreements when various thresholds are reached. In return the industry guarantees that in the minority of cases where things go wrong for the consumer, the problem can be corrected swiftly.

It's understandably upsetting that their customer database might have leaked, and I can genuinely understand people's concern over that. But as 4chan has taught us, there are very few people left in the west whose address and telephone number aren't available within even an hour's Googling.

As for locating confidential data on machines shared with other customers and managed by a piece of unaudited software, I have no sympathy for that. That's the price of a VPS, and why it's so heavily discounted compared to real hardware.


> If your sole reason for doing so was "I absolutely trust the people on the other end of this socket not to do what 99% of all people handling credit card data do whether they pretend otherwise or not", instead of something like "hmm that reminds me, I haven't scanned last month's statement yet", then the problem lies squarely with you, the uninformed consumer.

If your expectation when taking credit card numbers was "I'm confident in my abilities to keep this information safe, and if I get hacked I expect my customers not to move to another service and never, ever touch mine with a ten foot pole", then the problem lies squarely with you, the uninformed business.


You missed the step where you have to find all charges going to your old CC and then deal with moving every one of those accounts to your new one when it gets there. Hopefully you don't incur any late fees while you're going through the process!

Kind of sucks to have to spend hours doing that for someone else's oversight. It's not the end of the world, but it paints a clear picture about where a company's priorities are.


Maybe I'm weird, but I know exactly which binding credit agreements I'm in and how they're paid, and definitely none of them get paid using another binding credit agreement. :)


I mean, I know all that I'm in, but I can definitely see myself missing one or two if asked on the spot to recall all of them. Phone, cable, AWS, gym, power, garbage/etc, insurance,... I'm sure there are one or two others. Even if there aren't, I'd feel compelled to go through everything to make sure there aren't more.

Even just dealing with all of those is going to be a pain in the ass though. I'd probably end up spending hours all together just on hold with some of those people.

Edit: Netflix. I forgot Netflix.


You don't pay for Netflix, Adwords, Amazon Prime, AWS, etc. using a card? If so, yes, I think you're weird. What do you do? Give them all your bank details?


None of those are binding credit agreements, which was OP's complaint.


I'm confused. The person you were replying to said:

> you have to find all charges going to your old CC and then deal with moving every one of those accounts to your new one when it gets there. Hopefully you don't incur any late fees while you're going through the process!


I've never been charged a late fee by a firm I didn't have a credit agreement with. Perhaps other parts of the world are more insane, but here that is definitely not commonplace.


I don't know who does and who doesn't, honestly. I try to avoid being delinquent. I know from the last time I had to change my card that my phone provider and ISP certainly do. Anybody who charges you on a recurring basis certainly can — they just add the amount to your next bill. They won't take you to court for it, but it will be added to the amount that you must pay or be disconnected.


I think the key here is "Hopefully you don't incur any late fees while you're going through the process!"


Sorry, I should have said "fees". I've recently had to deal with this process, and I've found a few vendors who charge a penalty if the attempt to charge my card doesn't go through for any reason.


It's worth noting that charges can be credited to cancelled cards under certain circumstances. Happened to me, and the bank said it happens regularly. True, it's usually a painless process; but it's not that simple.


In the real world our time matters; sadly, wasting it is not something you can sue over.


The fact of the matter is that OP shouldn't have to deal with any of that. No matter how much an inconvenience, it's still an inconvenience.

