TPMDC

Coleman Camp To Online Donors: Cancel Your Credit Cards After "Strong Likelihood" Of Breach

The Coleman campaign now has another headache to deal with: they are advising contributors to cancel their credit cards, The Hill reports, after an apparent security foul-up in late January.

Last night, Coleman's entire online donor list received an e-mail from a Wikileaks.org e-mail address, notifying them that their private information had been posted in a publicly accessible area of Coleman's campaign site this past January 28, and has circulated out of public view. The e-mail also contained a link to the Minnesota statute requiring organizations to disclose "in the most expedient time possible" to any Minnesotan if they reasonably believe their private information was illicitly accessed, and informed recipients that they were being notified as a courtesy by Wikileaks, in case the Coleman camp hadn't already.

The Wikileaks e-mail also includes a link to an Excel spreadsheet purported to contain all the donors' names, addresses, employers, and the last four digits and CSC security codes on their credit cards.

Coleman spokesman Cullen Sheehan told The Hill that they had contacted federal authorities at the time, and after reviewing the site logs they did not believe that any unauthorized party had downloaded private information. However, he is nevertheless urging some serious precautions -- encouraging supporters who may have donated to cancel their credit cards.

"Let me be very clear: At this point, we don't know if last evening's e-mail is a political dirty trick or what the objective is of the person who sent the e-mail," said Sheehan. "What we do know, however, is that there is a strong likelihood that these individuals have found a way to breach private and confidential information."


user-pic

A political dirty trick eh? Like the kinds one would do to themselves and then try and pin on a Political opponent?

What would Franken have to gain from this? The insinuation is ridiculous. Coleman's team published the info on their own website for crying out loud, and then didn't report it to the credit card holders because "after reviewing the site logs they did not believe that any unauthorized party had downloaded private information". What about screen capping it?

user-pic

Well, for someone to screen capture the data, they would have to have downloaded it; the webserver makes no distinction between viewing a page or saving a page to disk...it just sends the data and the browser decides what to do with it. As such, the logs show the same thing in either case, so Coleman is asserting that no one transferred the data from the site for either purpose.

Of course, that's the funny part; this assertion is ridiculous. Wikileaks sent them a spreadsheet of the data, along with a description of how they got it. And Coleman's going to admit that they were right about the vulnerability, but that no one (including Wikileaks) ever exploited it? Where'd they get the spreadsheet? Do they really think we're all that dumb?
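The comment above is right that a web server's log records a GET the same way whether the browser displayed, saved or screen-captured the file. The following added example (not code from the article, the campaign or any commenter) shows what a log review of that kind can and cannot establish; the log lines, paths and addresses are constructed, and the file name is a hypothetical stand-in for the exposed spreadsheet.

```python
import re

# Apache/nginx "combined" log format; only the fields the review needs are captured.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log: hypothetical paths, RFC 5737 documentation addresses.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Jan/2009:10:02:11 -0600] "GET /donors/ HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Jan/2009:10:02:19 -0600] "GET /donors/contributions.xls HTTP/1.1" 200 512000 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Jan/2009:11:40:03 -0600] "GET /donors/contributions.xls HTTP/1.1" 304 0 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Jan/2009:12:15:44 -0600] "HEAD /donors/contributions.xls HTTP/1.1" 200 0 "-" "curl/7.19"
192.0.2.33 - - [28/Jan/2009:13:01:00 -0600] "GET /donors/contributions.xls HTTP/1.1" 206 65536 "-" "Wget/1.11"
192.0.2.34 - - [28/Jan/2009:13:05:09 -0600] "GET /index.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return the captured fields of one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def review_exposure(log_text, exposed_file, exposed_dir):
    """Classify every request that touched the exposed file or its directory.
    A GET answered 200/206 means the server sent (part of) the body; the log
    cannot say what the client did with it.  HEAD and 304 send no body but show
    the URL was known.  A 200 on the directory means a listing was served."""
    report = {"body_transfers": [], "probes": [], "directory_listings": 0, "ips": set()}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] not in (exposed_file, exposed_dir):
            continue
        report["ips"].add(rec["ip"])
        if rec["path"] == exposed_dir:
            if rec["status"] == 200:
                report["directory_listings"] += 1
        elif rec["method"] == "GET" and rec["status"] in (200, 206):
            report["body_transfers"].append((rec["ip"], rec["ts"], rec["status"], rec["size"]))
        else:
            report["probes"].append((rec["ip"], rec["ts"], rec["method"], rec["status"]))
    report["ips"] = sorted(report["ips"])
    return report

def log_supports_no_download_claim(report):
    """True only if no body was ever sent.  Even then the claim assumes the logs
    are complete, unrotated and unedited and that every alias of the path was
    searched, none of which the log itself can prove."""
    return not report["body_transfers"]
```

Run `review_exposure(SAMPLE_LOG, "/donors/contributions.xls", "/donors/")` to see that two clients received the file body, two more knew the URL without fetching it, and one directory listing was served, so the "nobody downloaded it" claim would not hold for this sample.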

user-pic

Someone with knowledge could modify logs to falsely indicate that there was no intrusion.

user-pic

and that's assuming Camp Coleman is telling the truth that they believe no "unauthorized party" had downloaded the data. [who were the authorized parties, I wonder?] of course, Camp Coleman contradicts themselves when they say, "there is a strong likelihood that these individuals have found a way to breach private and confidential information"

user-pic

If it was private and confidential, what was it doing on a publicly accessible part of the web site, hmmmm? The Coleman campaign has no responsibility for securing confidential data? Did his e-mail to his donors contain no apology whatsoever for mishandling sensitive information?

user-pic
Do they really think we're all that dumb?

Sure they do. Why not? They are typical tech-ignorant Republicans themselves. Surely you don't think they suspect their donors of understanding the Internet better than they do, do you?

Besides being tech ignorant, they (again being Republicans) are also insufficiently empathic to imagine that their supporters might know something THEY don't know.

user-pic

Actually, Coleman has known about this for a while. He's just trying to make a stink.

Also, the issue was that Colman failed to protect his information. No hacking involved:

http://minnesotaindependent.com/24817/crashgate-reveals-unprotected-database-on-colemans-site

user-pic

Yep. Coleman's people knew about the flaw in their security back in January. They say that their tests showed that no breach had occurred (yet), so they must have decided that receiving more donations was more important than the financial security of the donors.

Just let things continue as-is and pretend it won't blow up. Republican governance at work. Norm's is the 35W of political campaigns.

user-pic

Either that or someone in their camp has stolen money and wishes to blame it on a hacker. It's cynical, but after reading about everything else he has done, after a while the benefit of the doubt does become stupid.

user-pic

The FTC has levied large fines against a variety of entities that have failed to adequately protect their customers credit card information. There are a lot of rules that need to be followed such as maintaining adequate firewalls on your computer systems and destroying that 4 digit security code that allows charges to clear.

Maybe someone at the Commission will take a look at what Norm was doing here.

user-pic

The CVV is a three digit code. I believe that what Norm had was the last four digits of the credit card in the spreadsheet.

user-pic

AmEx uses a 4 digit code. Other credit cards use a 3 digit CVV code.

user-pic

He has both. If you take a look at the xls file there is a column for "csc" and "card number" along with address information. I am wondering if Wikileaks redacted the data to remove the first digits of the credit card and only leave in the last 4. Possible.

user-pic

That's my understanding from reading a diary on Daily Kos by a guy who received notification from Wikileaks. He said they had redacted the rest of the number but left the last 4 digits so people could see if it was true that their credit card number was out there.

user-pic

Wow. That's just... Wow. I'm really happy that Norm won't be bringing that kind of competence back to the Senate.

user-pic

If the Coleman people kept the CSC/CVC numbers after clearing the transactions, they have some "splainin' to do". This really is the kind of thing that gets folks into a lot of trouble with the FTC. Just ask DSW - http://www.ftc.gov/opa/2005/12/dsw.shtm

user-pic

Someone needs to infiltrate freerepublic, lgf and redstate to suggest that any donors sue the Coleman campaign.

I don't have the stomach. Sorry.

user-pic

That last four digits and the security number almost totally gives the card number away. Here's how easy it is for a merely mildly competent programmer (no special expertise required) to reconstruct the rest from otherwise public information.

Of the 16 digits on a credit card (excluding Amex at 15 digits - but the first four digits tell the computer which card this is so the computer knows what to expect), the first 8 digits determine which card issuer issued the card and is standard. The first four tell the specific card (MasterCard, Visa, etc) and rest of that first 8 digits are the credit card equivalent of a bank routing number as found on your checks.

The last four digits are a specific id for the unique card itself. I think the remaining four (9 thru 12) are digits that identify the (internal) code block the card issuer has issued the number from. But if you know the last four digits and the first eight are essentially standard and public knowledge, the rest aren't too hard to determine. The last four digits are what makes the card unique (which is the reason for the security code. It adds three or four more digits, and Amex uses only three in the last block anyway, so four is obviously critical for them as a security code. It brings them up to par with the other cards.)

The remaining third four digit block should not be that difficult for a good programmer to quickly duplicate. One or more of the digits in the number in the third block of four is probably a security check number to verify that the rest of the number is a valid credit card number (there is one), and it is a fixed number that depends entirely on what all the rest of the numbers are. That algorithm is public knowledge. Ask any programmer. It gives you that error "invalid credit card number."

If the check digit is one of the final four, then knowing it eliminates 90% of all possible total digits for the others in the number in the remaining 15, and you already know most of the rest. The check digit is the sum of all the rest reduced to a single digit by a publicly known algorithm, a process easy to reverse (and quick on a computer.) Knowing the first eight digits (public knowledge) means the third block can only be a combination of 10% of the possible digits there. Logically, the check digit must be in a publicly known location (I just don't know it or want to try to find it. I'm not programming a business application.) Such limitations on what the digits can be make a brute force effort to try one combination after another remarkably simple. Social engineering (look up the term. The scams to get people to tell you classified information without knowing what they are telling you are myriad.) might reduce even that. I might use the rest of the information, get a phone number for a card holder, call them up, tell them there has been a breach that released their name and ask them to verify the third block of four digits because the last four are so critical no one should know that. The third four digits are generic and no one will know all 16. One in three will tell me to avoid a theft of their card number if I convince them I am an official of the card company trying to protect their card.

I know this, and I am merely a nonprofessional computer hobbyist who has picked this knowledge up over the years by accident, without even searching for it. (My education is economics, finance and statistics with a lot of computer user time logged.) This is all off the top of my head. How hard is it for a professional computer person, or a dedicated hacker, to identify that third block of 0000 to 9999? That four digits is 10,000 digits, duck soup for someone who knows what they are doing and has a computer they can write a quick program on.

By the way, I'm not giving you any information the criminals don't already know and pass around. It's the same rationale as publishing the Anarchist's Cookbook. This is probably well-known in the professional criminal training academies we call state and federal prisons. If you are a prisoner they can trust, just ask.

Not much security there without those last four digits and the security code being secret, are there? Give those digits away and the entire card is relatively easy to decipher.

Cynical enough to suit you? Every bit is out there to be used against you. You'd better hope I never get foreclosed on. I'd have to make a living, and this stuff is duck soup. I'd sell the knowledge. (Conservative free enterprise, you know.) The gypsy families and other professional scam artists trade this info regularly, as do prisoners in America's criminal finishing schools called prisons. But this is nothing that any mildly competent programmer doesn't also know. You are the target!!

Back in the military I used to think the Security people were obsessional monomaniacal idiots working to justify their jobs. Today I can only ask their forgiveness. Security guys, I really, really, really am sorry. You were right! And more than I could ever have known!
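The comment above refers to the public check-digit algorithm for card numbers; that algorithm is Luhn mod-10 (ISO/IEC 7812), and its check digit is the final digit of the card number. The added example below (not code from the article or any commenter) uses it from the defender's side: a scan of a donor export such as the "csc" and "card number" columns mentioned earlier, flagging any full Luhn-valid card number and any security-code column before the file goes anywhere near a web directory. The CSV rows, the test card number and the transaction ids are constructed.

```python
import csv, io, re

# Header names under which a card security code is commonly exported.
CSC_HEADERS = {"csc", "cvv", "cvv2", "cvc", "cvc2", "cid", "security code"}

# 13-19 digits, optionally separated by spaces or dashes, not inside a longer run.
PAN_RE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')

def luhn_valid(digits):
    """Luhn mod-10 check (ISO/IEC 7812); the final digit is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0

def find_full_pans(text):
    """Return digit strings in text that look like a full, Luhn-valid PAN."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits

def scan_donor_export(csv_text):
    """Flag a CSC column and any row holding a full PAN; last-4 values pass."""
    reader = csv.DictReader(io.StringIO(csv_text))
    findings = {
        "csc_columns": [h for h in reader.fieldnames if h.strip().lower() in CSC_HEADERS],
        "full_pan_rows": [],
    }
    for row_no, row in enumerate(reader, start=2):   # row 1 is the header
        if any(find_full_pans(v) for v in row.values() if v):
            findings["full_pan_rows"].append(row_no)
    return findings

def has_prohibited_card_data(findings):
    """PCI DSS forbids storing the CSC after authorisation and requires a stored
    PAN to be rendered unreadable; at most the first six and last four may show."""
    return bool(findings["csc_columns"] or findings["full_pan_rows"])

# Constructed sample export: row 2 holds a well-known test PAN and a CSC;
# row 3 is truncated to the last four digits; the transaction ids are 16
# digits but fail Luhn, so they are not mistaken for card numbers.
SAMPLE_CSV = """\
name,address,employer,card number,csc,txn_id
Alice Example,1 Main St,ACME Corp,4111 1111 1111 1111,123,1234567890123456
Bob Example,2 Oak Ave,Widget Co,1111,456,1234567890123450
"""
```

`scan_donor_export(SAMPLE_CSV)` reports the "csc" column and row 2 as prohibited data; an export that keeps only the last four digits and no security code passes, which is the form a campaign should have held after the transactions cleared.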

user-pic

Why would someone commit a political dirty trick against someone who, as far as I can tell, isn't a politician? He's a part-time litigant and a part-time lobbyist who holds no elected office and isn't a candidate for anything.

Everyone has moved on from last year's senate race but him.

user-pic

Other political dirty tricks of course include Franken having Coleman's wife get paid huge sums for a job that she didn't show up for.

You have to wonder what other gross incompetence of Coleman that Franken is to blame for.

Given Ginsberg's rantings about database corruption in the court, they seem to be about twenty years behind the times in tech savviness.

I expect Fox and their ilk will say "the site was hacked" as opposed to "Norm walked around all day with his fly unzipped and his schlong hanging out, then was upset he was photographed in a less than flattering light."

Ok, the last headline is a bit much to expect.

user-pic

Slimy Norman - too dim to deserve to remain a Senator, apparently.

user-pic

Jeebus! Wikileaks warns the asshat about his security problem and he blames them for the breach. How typical of what the party has become these days.

user-pic

Part of a grand tradition of shooting the messenger.

user-pic

255,547,925. That's a pretty big number. It is the number of records containing sensitive personal information involved in security breaches in the U.S. since January 2005 (source: Privacyrights.org). The truth is that data security in this country is a joke. I'm not surprised at all that this happened, and I won't be surprised when it happens again. Do a little digging into any of the measures and mandates that are supposed to protect our personal, confidential information in electronic form and they all have one thing in common -- virtually no enforcement. Even the police are not immune. Just last week, New York City police arrested the communications director of their own pension fund. He's accused of stealing data backup tapes containing the Social Security numbers and direct-deposit information for 80,000 current and retired cops. He is charged with computer trespass, burglary and grand larceny.

user-pic

A quarter-billion here, a quarter-billion there, and pretty soon you get to significant numbers. But for now, nothing to see here, citizen, move on, move on.

user-pic

The GOP: Minding Your Money and Keeping Us Safe

user-pic

why would they even post data like that in the first place? was it so someone else could download it? who were they passing that info on to? not like they were just selling an email list to someone else, as it had personal financial data in it too

and not even password protecting that directory and having the directory list viewable, as seen in Minnesota Independent link above, well that's just pathetic

user-pic

Presumably the Coleman campaign will be reimbursing their donors for the cost of replacing their credit cards? Most card issuers have instituted fees for replacements, regardless of the reason.

And presumably their card processor will be canceling their account, since it's obvious that they do not adhere to mandatory PCI standards for security.

What a bunch of amateurs.

user-pic

It's why they're called Republicants. It is just pure and simple incompetence and irresponsibility. Aren't those usually just a way of saying they don't give a shit about anybody else?

Scariest words in the English language: "I'm from the Republican Party and I want to run your government."

user-pic

so coleman's team screwed up, and put all their donors' info online (inadvertently, i assume) didn't tell anyone about it, and they call it a "dirty trick" when someone actually DOES tell people they're vulnerable for ID theft?


user-pic

Yep. That's it in a nut shell.

user-pic

"Dirty tricks." Wow. This is me clapping.

I'm sorry, but sometimes the chutzpah is so great that you can't help but admire it.

user-pic

Norm's spreadsheet shows about three quarters of a million dollars in booty.

Gotta love the guy who donated a penny to Norm from Normsadick.com

user-pic

Why do republicans have such a difficult time with technology? Coleman is right up there with Senator Droopy (I-Connecticut) crying "dirty tricks" to cover his own incompetence. Anything you don't understand you fear. Science. Technology. All that wizbang modern stuff.

user-pic

None of this would have happened if Norman & the Repubs hadn't dragged this battle out so long. Think how many people were encouraged by the Party leaders to donate to Norm in his quest to delay Franken going to the Senate.

How many people donated in response to that RNC video with nearly every major Republican congressperson begging donations for Norm's effort to steal the election? How many of them are now going to have to cancel their credit cards?

Instant karma's gonna get you.

user-pic

MN public radio ran the story this afternoon while I was driving home from work. Coleman's campaign did everything they could to make it sound like a federal case of breaking into their systems to commit crimes against the campaign and donors. First thing they did was call in the FBI (when they would have been better off calling The Geek Squad). Unfortunately, the MPR reporter lapped it up. The story was sadly one-sided. http://minnesota.publicradio.org/display/web/2009/03/11/colemandonors/
