Collective2

Discussion in 'Educational Resources' started by bkveen3, Jul 22, 2009.

  1. GTS

    I think it's funny that I revived this 5-month dormant thread to mention that C2's database had been compromised and everyone goes back to talking about the same old issues in the thread without skipping a beat... maybe I should have started a new thread about the break-in.

    Anyway, in case you missed it the first time or didn't grasp the magnitude of the problem:

    C2 database was stolen and apparently none of the data was encrypted.
    The hackers have all C2 customer info: username, password, credit card details (incl. billing address) for anyone that provided that info, social security numbers for anyone that had to provide it (I assume if system sellers made over a certain amt it had to be declared) and brokerage account username/passwords for anyone that used auto-trading through C2. OpenECry and optionsXpress have frozen all accounts of customers who autotraded through C2.


    Not exactly small potatoes...


    Just saw this on the C2 forums too:

     
    #31     Dec 31, 2009
  2. I joined collective2 a couple of years ago just to see what the fuss was about. Luckily all they got was a false name and address for me.
     
    #32     Dec 31, 2009
  3. Sure you did. You're Ross Canfield.
     
    #33     Dec 31, 2009
  4. C2 is finished.

    and Mat will have a hard time settling the coming litigation without going bust. I am pretty sure his defense will cost him more than he has made milking the poor system vendor wannabes.

    easy come easy go
     
    #34     Dec 31, 2009
  7. Looks like.

    Being a programmer myself I must say he is in for gross neglect - ignoring legal AND custom obligations he had.

    Among them:
    * It is considered utter stupidity to store unencrypted or normally hashed passwords - the only proper way, accepted by professional programmers, is to store passwords in salted hashed form. The fact that they stored readable or easily reconstructable passwords is gross neglect of standard and widely published basic security guidelines for programmers. "Incompetent Idiot" is what I would write on his termination, would he program that for me. Should take a basic course in safe programming before writing internet facing code. It is not that it is SO unknown that the internet is full of bad people.
    * He stored credit card info? He MAY be in for a strictly legal surprise. Storing full credit card information is bound by pretty tough legal requirements from the credit card companies. Unless his system fulfilled the requirements that HE AGREED ON WITH HIS CLEARING AGREEMENT, he is in for a world of pain. Depends a lot on his clearing arrangements, but I brutally remember the requirements a shop I developed some years back had to implement to be in line with the signed agreement. STORING card info was a HUGE no for us - too expensive to put in the precautions (multiple firewalls etc.) and get audited (required by I think it was MasterCard at that time). What we did at the end is keep things only in memory (while clearing) and storing the last 4 digits in clear text (to show the user), a one-way hashed card (to identify multiple uses of the same card, with a VERY complex algorithm) and NO CVC code at all - so the data would be useless to anyone getting it. If he did not read his obligations here that may be... REALLY bad....

    Given the first point - which points to really not knowing what he does, programming wise - means he will have a hard time proving he did all "generally accepted precautions" for something his size, which will open him for litigation. Well deserved.


    Unless he hired out a contractor.... to make the programming... who then better has a good insurance... otherwise he pays for the rest of his life.

    As much as I liked his service, it is sad to see yet another incompetent person dabble with critical information.
     
    #37     Dec 31, 2009
  8. That's terrible.

    C2 exists to milk developers who have pie-in-the-sky hopes of supplementing their trading losses with the income of naive subscribers. The entire system favors the subscriber who can get an unconditional refund while the developer gets stuck paying listing fees.
     
    #38     Jan 3, 2010
  9. I think I used paypal or maybe a CC 2 years ago to pay C2. The CC has since expired.

    I've received no email from either the CC Company or C2 regarding their data theft.

    You get the impression surfing their site that nothing happened.. though I think I've seen posts where it was admitted...
     
    #39     Jan 3, 2010
  10. Ditto. Also one doesn't need to store the credit card to do repeat transactions for the customer, the CC gateway service API will send back a transaction key and that can be used for repeat purchases without having to store the credit card. Storing the credit card on the local DB is beyond amateur hour - it's gross negligence. If this was 1999 or 2000 I'd get it, but 2009?
     
    #40     Jan 3, 2010
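The storage scheme described in posts #37 and #40 (salted password hashes; for cards only the last 4 digits, a one-way fingerprint and a gateway token, never the full number or CVC), written up as an added example that is not code from the thread or from Collective2. The fingerprint here is an HMAC under a constructed server-side key standing in for the "VERY complex algorithm" the poster mentions; the gateway token is an assumed opaque string the payment processor would return.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed demo key for the card fingerprint. In a real deployment it lives
# in a secrets store, not next to the records it protects.
CARD_FINGERPRINT_KEY = b"constructed-demo-key-not-for-production"
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt$hash' using PBKDF2-HMAC-SHA256 and a per-user random salt,
    so two users with the same password get different stored values."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt; compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def card_record(pan: str, cvc: str, gateway_token: str) -> dict:
    """Build the only card data worth keeping: last 4 digits for display,
    a keyed one-way fingerprint to spot reuse of the same card, and the
    processor's token for repeat charges. The PAN and CVC are dropped."""
    digits = pan.replace(" ", "")
    if not (digits.isdigit() and 12 <= len(digits) <= 19):
        raise ValueError("not a plausible card number")
    fingerprint = hmac.new(CARD_FINGERPRINT_KEY, digits.encode(), "sha256").hexdigest()
    del cvc  # never persisted; only needed while the gateway authorises
    return {"last4": digits[-4:], "fingerprint": fingerprint,
            "gateway_token": gateway_token}


def same_card(rec_a: dict, rec_b: dict) -> bool:
    """Detect multiple uses of one card without ever storing its number."""
    return hmac.compare_digest(rec_a["fingerprint"], rec_b["fingerprint"])
```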