
Archived

This topic is now archived and is closed to further replies.

Metropolis hacked discussion thread.

60 posts in this topic

Any idea if the Comic Connect database was hacked also? A few weeks ago, shortly after I entered my CC information into Comic Connect to pay for an auction purchase my CC company canceled my card due to fraudulent activity. Paypal was the only other company I had used with this card. Nevertheless, I have a new card now.

 

You should contact Vincent directly / call Metropolis.


We are still gathering information. We discovered the hack on April 22nd. The hack was delivered through a piece of 3rd party software. We care tremendously about this situation and that is why we made the announcement on the forum. If you have any further questions please contact us directly at 212-260-4147.

 

This is the first time we have made an official announcement on the forum. As per CGC's advice we had it put up just as an announcement with the full understanding that interested forum members would start their own posts. We didn't realize that our post would slip so quickly to the 2nd page. We contacted CGC and asked if they could maintain it at the top of the 1st page for the time being.

 

We apologize for this situation and want you to know, we have notified the proper authorities and credit card information is no longer held in our database.

 

Vincent Zurzolo

 

:tonofbricks: Sorry to hear about this Vinnie. And I'm more sorry for your customers right now which I'm sure includes myself.

 

As I'm sure you're addressing this now, we don't maintain any CC info on our website. It's all maintained by our gateway merchant authorize.net. They provide the security and we pay them for that privilege. It's still a matter of trust however.

 

+1

 

Problem is that hackers must have found a loophole in most systems and exploited it.

 

I don't think it's a specific website's fault but a generic issue. Hence the multiple warnings.

 

I would advise everyone to check their statements. Not sure what the form is in the US but in the UK you are not protected from website fraud if you use your debit card. You are protected with most credit cards.

 

Check your card protection status and don't use unprotected cards. If you have used cards that are unprotected I would recommend removing them from any internet sites if possible.

 

 


We discovered the hack on April 22nd.

Zurzolo went on to add, "Through diligence we discovered the identity and location of the perpetrator. And on May 1st, with the help of Navy Seals and the CIA, we were able to eradicate him."

 

Totally pointless without pictures. I understand you will need a larger scanner.


Yes. Please contact us directly with any questions you may have about this situation. Our # is 212-260-4147.

 

Vincent

 

 

Yes, and once you've done that please report back here.

 

Brian


I'm not a metro customer, so I may have a different perspective than those who are customers.

 

From what I've read, it seems they are doing a top-notch job managing the damage and safeguarding themselves and their customers from this ever happening again.

 

Posting the announcement on an external, hobby-focused, message board has earned them some reputation points in my books.

 

With all the online security issues that started cropping up last quarter 2010, and only picking-up more steam from that point onward, this year is going to be the year of Internet security, and a resulting holding pattern on moving sensitive data to the cloud.

 

And for all the foot stomping, whether you're a one or hundred-man operation, with P/T or F/T hobby dealings external to these boards, or include marketplaces dealings as part of your activity, realistically you're one major Facebook, PayPal and/or eBay breach away from being in Metro's shoes. Funny enough, each one of the companies I mentioned did have significant data breaches that ended-up being handled more through public relations and minimizing spin than anything accurate.

 

Conversely, Metro hasn't underplayed this situation and if anything, have announced with urgency and while attending to people's concerns. A little compassion amongst a community of collectors and dealers could go a long way in supporting what Metro did here, and if anything, their announcement as well as the recent string of large corporations which have had to make similar announcements should serve as a reminder of the way hackers and their nefarious schemes can bring online commercial Goliaths to their knees.


Agreed. Looking at their announcement and follow up posts, I can't see how they could have been more transparent. Reading their posts, It seems they have quickly mobilized, using whatever resources available to them. I don't know if the humongous multi-billion dollar companies could have reacted any better.


I called Metro to see if my CC info was possibly impacted and they don't have my CC on file so most likely I am fine. They were super nice about it on the phone and were working on a new system while this event occurred. I'm sure they will find a fix as best they can but any website can be hacked. I don't blame them and I commend them for asking CGC to post something for us to at least know there was a breach.

 

Smart business decisions.

 

 


My Discover card was recently compromised, with the last non fraudulent charge coming from Comic Connect. Luckily Discover stopped all the bad charges and sent me a new card right away. I wouldn't let this deter me from using Comic Connect again as this could happen to anyone really.


That's why most companies intent on not being hacked are NOT connected to the web.

 

Meaning to say critical information is maintained on a computer, not linked or aligned to any other computer, and any internet devices.

 

Essentially a very large 'external hard drive'.

 

But this doesn't excuse metropolis from holding onto people's credit card information, such a rookie mistake right there!

 

It just isn't difficult for people to enter a 12 digit number each time they buy something!

 

They need their azz kicked for this!


Kudos for Metro for doing the right thing and handling this matter professionally, properly and expeditiously. :applause:

 

Alas, this is the cost of doing business over the Internet nowadays. It seems like no company, big or small, is immune to these perils.

 

 


Kudos for Metro for doing the right thing and handling this matter professionally, properly and expeditiously. :applause:

 

Alas, this is the cost of doing business over the Internet nowadays. It seems like no company, big or small, is immune to these perils.

 

 

+1 :headbang:


That's why most companies intent on not being hacked are NOT connected to the web.

 

Meaning to say critical information is maintained on a computer, not linked or aligned to any other computer, and any internet devices.

 

Essentially a very large 'external hard drive'.

 

But this doesn't excuse metropolis from holding onto people's credit card information, such a rookie mistake right there!

 

It just isn't difficult for people to enter a 12 digit number each time they buy something!

 

They need their azz kicked for this!

 

I sort of see where you're coming from, but this idea of keeping any data as an island in modern times is a fantasy. First off, the impact of outsourcing IT outside North America has put an enormous pressure to compete at a quicker and lower rate. It's far more common for IT work to be carried out by consultants than it is through in-house staff, and risks abound by carrying out work in this manner so this is where you should be banging your stick the hardest, and instead, at any company that doesn't have their own in-house staff to support their IT infrastructure.

 

In addition to the pressure and economic factors impacting the type of work being carried out, staging a server in a way that is completely disconnected from the Web to perform any update or hardware/software upgrade is a luxury that is practiced rarely, if ever, past the unboxing of that device.

 

The OS's and software running on everything from a desktop to a server is required to adhere to the protocols of keeping it up to date, and that could be both the standards set in place by the industry and of the software vendor. This isn't an across the board thing, but there are vendors that require an ability to communicate with the computer to even activate, or keep the software operational.

 

In a nutshell, your complaint against Metro is a lot like being annoyed with the fact you were stuck in a line at the bank while it's being robbed, and rather than being frustrated at the robbers, you're blaming the bank for keeping money to provide a service and level of convenience to its customers.

 

The reality is that criminals are found wherever consumers go. Consumers want more online banking, the criminals go there. Consumers want to buy goods online, or use social networks, and so too will criminals be found at these places as well.

 

Again, this announcement should serve as a beacon, and I would take a good hard look at any other company that keeps your credit card on file for convenient payment and to authorize bidding and/or buying. I can think of a few off the top of my head which would need to stand in the same line of your scrutiny.


That's why most companies intent on not being hacked are NOT connected to the web.

 

Meaning to say critical information is maintained on a computer, not linked or aligned to any other computer, and any internet devices.

 

Essentially a very large 'external hard drive'.

 

But this doesn't excuse metropolis from holding onto people's credit card information, such a rookie mistake right there!

 

It just isn't difficult for people to enter a 12 digit number each time they buy something!

 

They need their azz kicked for this!

 

I sort of see where you're coming from, but this idea of keeping any data as an island in modern times is a fantasy. First off, the impact of outsourcing IT outside North America has put an enormous pressure to compete at a quicker and lower rate. It's far more common for IT work to be carried out by consultants than it is through in-house staff, and risks abound by carrying out work in this manner so this is where you should be banging your stick the hardest, and instead, at any company that doesn't have their own in-house staff to support their IT infrastructure.

 

In addition to the pressure and economic factors impacting the type of work being carried out, staging a server in a way that is completely disconnected from the Web to perform any update or hardware/software upgrade is a luxury that is practiced rarely, if ever, past the unboxing of that device.

 

The OS's and software running on everything from a desktop to a server is required to adhere to the protocols of keeping it up to date, and that could be both the standards set in place by the industry and of the software vendor. This isn't an across the board thing, but there are vendors that require an ability to communicate with the computer to even activate, or keep the software operational.

 

In a nutshell, your complaint against Metro is a lot like being annoyed with the fact you were stuck in a line at the bank while it's being robbed, and rather than being frustrated at the robbers, you're blaming the bank for keeping money to provide a service and level of convenience to its customers.

 

The reality is that criminals are found wherever consumers go. Consumers want more online banking, the criminals go there. Consumers want to buy goods online, or use social networks, and so too will criminals be found at these places as well.

 

Again, this announcement should serve as a beacon, and I would take a good hard look at any other company that keeps your credit card on file for convenient payment and to authorize bidding and/or buying. I can think of a few off the top of my head which would need to stand in the same line of your scrutiny.

 

I know of much bigger companies than Metro that do it. If you want something protected, you don't have the computer attached to the net.

 

But the overall issue of maintaining credit card information certainly is the larger issue here.


Just finished reading their letter. Not impressed. They're basically doing now what they should have done before the compromise. This is a letter that any established company performing their due diligence should not have to send out. I've been doing this too many years to find these "occurrences" acceptable. My near 20 years of credentials back this too. There is no such thing as 100% secure, but closing the barn door after the horses ran out is not the best policy.

 

These huge companies that get hacked are prime targets. They are targeted by thousands of hackers daily. This is not the case here. At times we would have conference calls because the external firewalls were getting slaughtered just handling the incoming traffic from hackers and couldn't let legitimate traffic through. You keep a DMZ in between pairs of firewalls and keep your critical data behind them! Your front end store front is within the DMZ. There should be no way that your front end should be able to access stored credit card information. If the exploit came from within it should have been detected almost immediately on install. You pay top dollar for security! Always use SSL. Keep your certificates current. Whatever I just read that is being implemented should have been done long ago.

 

Forget about catching them. Make the appropriate police reports, but don't put too much confidence in finding some guy in Korea selling CC cards in bulk that may have been pulled from the site.

 

I'm on drink 4 guys and I'm a lightweight so try to follow me :)

 

This should NOT have happened.

 

-------

 

CISSP - CERTIFIED INFORMATION SYSTEMS SECURITY PROFESSIONAL 2004/2007/2010

ENCE - ENCASE CERTIFIED FORENSIC EXAMINER – 2007/2009

CISA - CERTIFIED INFORMATION SYSTEMS AUDITOR - 2008

CEH – CERTIFIED ETHICAL HACKER - 2008/2010

CGEIT - CERTIFIED IN THE GOVERNANCE OF ENTERPRISE IT – 2009

SIX SIGMA BLACK BELT – 2009

CISCO CCNA/CCNA SECURITY/CCNP and CCDA/CCDP CERTIFICATIONS - 2001/2007/2010
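As an added illustration of the segmentation the post above calls for (a DMZ between a pair of firewalls, the storefront in the DMZ, card data behind the inner firewall with no direct path from the DMZ, TLS on the public edge), here is a small Python audit of a firewall allow list. It is not code from the poster or from Metropolis; every host name, zone and rule in it is a constructed assumption for the example.

```python
"""Audit a tiered-firewall allow list against the segmentation invariants described
in the post above: storefront in a DMZ, card data behind the inner firewall, no direct
DMZ access to card data, TLS only on the public edge. All hosts and rules here are
constructed sample input for the example, not any real site's configuration."""

# Constructed inventory: host -> (zone, holds card data?)
HOSTS = {
    "internet":   ("internet", False),
    "storefront": ("dmz", False),       # public web tier, sits between the firewall pair
    "app-server": ("internal", False),  # mediates every request that needs card data
    "card-db":    ("internal", True),   # the asset that must never be reachable from the DMZ
}

# Constructed allow rules as (src host, dst host, dst port); everything else is denied.
RULES_BAD = [
    ("internet", "storefront", 443),
    ("internet", "app-server", 80),    # outer firewall lets the internet skip the DMZ, in clear
    ("storefront", "card-db", 3306),   # inner firewall lets the storefront read card data
]
RULES_GOOD = [
    ("internet", "storefront", 443),
    ("storefront", "app-server", 8443),
    ("app-server", "card-db", 3306),
]


def audit(rules, hosts=HOSTS):
    """Return one finding string per rule that breaks an invariant; [] means clean."""
    findings = []
    for src, dst, port in rules:
        src_zone, _ = hosts[src]
        dst_zone, dst_has_cards = hosts[dst]
        # Outer firewall: the internet may only reach the DMZ, and only over TLS.
        if src_zone == "internet" and (dst_zone != "dmz" or port != 443):
            findings.append(f"{src}->{dst}:{port} bypasses the DMZ or is not TLS")
        # Inner firewall: only internal hosts may talk to anything holding card data.
        if dst_has_cards and src_zone != "internal":
            findings.append(f"{src}->{dst}:{port} gives the {src_zone} zone card-data access")
    return findings


if __name__ == "__main__":
    for name, rules in (("bad", RULES_BAD), ("good", RULES_GOOD)):
        print(name, audit(rules) or "no violations")
```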

 

 
