Welcome to the Second Life Forums Archive

Should I Cancel My Credit Card? HELP IMPORTANT

Darius Lehane
Registered User
Join date: 18 Apr 2005
Posts: 180
09-08-2006 16:55
What is clear is that someone has access to my name, my email address, my home address and my (encrypted) credit card. What is also possible is that the same hacker has found access to the encryption keys (they are somewhere). Also some forms of encryption are hackable, which means that I am now a possible target for identity theft.

Questions:

1) Did the hackers gain access to keys? If you don't know, we must assume they have.

2) What strength of encryption is used? Even 128-bit encryption can be hacked.

This is a very serious question, and is not intended to be a flame: should I cancel my credit cards?
Lord Sullivan
DTC at all times :)
Join date: 15 Dec 2005
Posts: 2,870
09-08-2006 17:15
From: Darius Lehane
What is clear is that someone has access to my name, my email address, my home address and my (encrypted) credit card. What is also possible is that the same hacker has found access to the encryption keys (they are somewhere). Also some forms of encryption are hackable, which means that I am now a possible target for identity theft.

Questions:

1) Did the hackers gain access to keys? If you don't know, we must assume they have.

2) What strength of encryption is used? Even 128-bit encryption can be hacked.

THIS IS VERY SERIOUS: SHOULD I CANCEL MY CREDIT CARD?


No, the earth will probably be destroyed before they buy anything on your card :)
_____________________
Independent Shopping for Second Life residents from established and new merchants.

http://slapt.me



slapt.me - In-World HQ http://slurl.com/secondlife/Bastet/123/118/26
Darius Lehane
Registered User
Join date: 18 Apr 2005
Posts: 180
09-08-2006 17:31
From: Lord Sullivan
No, the earth will probably be destroyed before they buy anything on your card :)


I appreciate the intent of the response, but frankly that is not true, particularly if they have the possibility of accessing the encryption keys (after all, it MUST be on a server someplace), or if the encryption is weak.

Please any Linden, answer this question.

Please only respond if you have actual information, no disrespect intended, but my intention is not to flame, but to get quality information so I can protect myself.
Lordfly Digeridoo
Prim Orchestrator
Join date: 21 Jul 2003
Posts: 3,628
09-08-2006 17:33
From: Darius Lehane
I appreciate the intent of the response, but frankly that is not true, particularly if they have the possibility of accessing the encryption keys (after all, it MUST be on a server someplace), or if the encryption is weak.

Please any Linden, answer this question.

Please only respond if you have actual information, no disrespect intended, but my intention is not to flame, but to get quality information so I can protect myself.


ALL credit card information is on a separate server. All they have is your in-world stuff, potentially.
_____________________
----
http://www.lordfly.com/
http://www.twitter.com/lordfly
http://www.plurk.com/lordfly
Darius Lehane
Registered User
Join date: 18 Apr 2005
Posts: 180
09-08-2006 17:34
From: Lordfly Digeridoo
ALL credit card information is on a separate server. All they have is your in-world stuff, potentially.


Lordfly, do you work for Linden Labs? Are you saying this because you know this, or because you think it should probably be so? Also, to the second question, what is the strength of the encryption used?

From Linden:
"Detailed investigation over the last two days confirmed that some of the unencrypted customer information stored in the database was compromised... along with encrypted account passwords and encrypted payment information"
Darius Lehane
Registered User
Join date: 18 Apr 2005
Posts: 180
Let Me Be Clear
09-08-2006 17:40
Ok, why do they need to reset all of the passwords when they were encrypted when they are stolen? Does that imply I need to 'reset' my payment info, i.e., my credit card information?

Just want to know, please!
McWheelie Baldwin
Registered User
Join date: 9 Apr 2004
Posts: 154
09-08-2006 17:40
From: Lordfly Digeridoo
ALL credit card information is on a separate server. All they have is your in-world stuff, potentially.


Well since the blog post was updated to state that encrypted payment information was also compromised, I don't see how you can state that ALL cc info is on a separate server. And even if it is a separate server, it was connected to the compromised server, and attacked via that. Of course this is assuming that they do in fact try to keep the payment data separate. The simple fact that LL admitted that encrypted payment information was available during the hack means that we have every right to be concerned. They have not come forward with specifics as to what data specifically was available, or what type of encryption is used on the data in question. To assume that since encryption was used, the data is safe, is rather naive without knowing more about the data in question and the encryption methods employed. One could make the argument that base 64 xor'ing strings is encryption, but we all know how easy that is to brute force.
cinda Hoodoo
my 2cents worth
Join date: 30 Dec 2004
Posts: 951
i find this incredible...
09-08-2006 18:31
That a Linden hasn't answered this most important question, a lot of us have credit cards on file...this is not a trivial matter...

It is a very simple question LL :

IS OUR FINANCIAL INFORMATION WITH YOU IN ANY DANGER OF BEING HACKED AND USED TO STEAL (real) MONEY FROM OUR CREDIT/DEBIT CARD ACCOUNTS???????????

AND WE DESERVE AN ANSWER ASAP...


or do you even know ?
Francis Chung
This sentence no verb.
Join date: 22 Sep 2003
Posts: 918
09-08-2006 18:54
According to the original announcement, payment information (in encrypted form) has been compromised.

http://blog.secondlife.com/2006/09/08/urgent-security-announcement/

I don't know how strong the encryption is, nor if the attackers got the decryption key that would allow them to simply decrypt the information without performing a numeric attack.

I've asked this question to the hotline here:
/139/f7/136052/1.html#post1277694

Awaiting an answer.
_____________________
--
~If you lived here, you would be home by now~
Zoe Llewelyn
Asylum Inmate
Join date: 15 Jun 2004
Posts: 502
09-08-2006 19:31
From: Lordfly Digeridoo
ALL credit card information is on a separate server. All they have is your in-world stuff, potentially.


That is untrue. LL blog announcement specifically says that UNENCRYPTED CC info was not stored on that server...however says in the same statement that ENCRYPTED CC info WAS stored on that server and may have been compromised, along with all other info ever given LL, including RL name, address, phone number, etc.
Anjo Mirabeau
Registered User
Join date: 20 Aug 2005
Posts: 266
09-08-2006 19:58
I'm not waiting. I've already alerted my credit card company. I'm not waiting for a hacker to sell that information to a whole network of thieves.
_____________________
http://slurl.com/secondlife/echo/232/5/69/
Anjo's Adorables
http://anjosadorables.blogspot.com/
Cutter Rubio
Hopeless Romantic
Join date: 7 Feb 2004
Posts: 264
09-08-2006 20:10
I am changing mine tomorrow when I visit the bank. There's no sense fooling with this when LL isn't being forthcoming with the needed details. What really pisses me off is the loss of 2 fucking days while they sat on their asses. :mad:
_____________________
The early bird may get the worm, but the second mouse gets the cheese.
Hiro Queso
503less
Join date: 23 Feb 2005
Posts: 2,753
09-08-2006 21:00
On the 1st September, I received a phishing email (CC Co.). That in itself is not so unusual, although I have never received one mimicking my CC. What is unusual, is that it contained my full address and telephone number, something that I have never personally experienced.

I don't want to sound unnecessarily alarmist, and maybe it's nothing, but:

The email was sent to the registered email of avatar x.
The particular CC co. being mimicked was the one registered to avatar x.
I haven't used this particular card anywhere in nearly a year.
I have never ever received a scam email that contained my full address.

All these lead me to worry. The email of course doesn't indicate that the CC no. is known, but that the scam artist knows the email + address + tel no. + CC company.

Am I clutching at straws here? It was a week ago.
Jalestra Calamari
Registered User
Join date: 15 Mar 2006
Posts: 50
09-08-2006 21:12
Quite frankly I went to immediately remove my cc info and found no way to do that. The fact is we must assume all our information has been compromised and now raise a cry to have our information removed from the database. I guess WE better take the initiative here and be safe, cancel all cc related things ASAP before you get robbed blind.
Zoe Llewelyn
Asylum Inmate
Join date: 15 Jun 2004
Posts: 502
09-08-2006 21:15
No, I don't think you are being alarmist or clutching at straws.

In fact, the more I read the carefully worded statement LL released on the Blog, the more it becomes clear that this information was more than likely compromised days or weeks BEFORE LL even knew there even WAS a way to access it, and they only became aware of the exploit because they discovered that the database had already been compromised.

This means that the information could have been in the hands of criminal organizations for days, weeks, or more already. LL waited 2 more days AFTER they discovered that the information had been compromised before doing anything to notify their customers and investors of the security breach they know for a fact took place. That last fact is inept in the extreme at the best and potentially criminal in nature at worst.
Darius Lehane
Registered User
Join date: 18 Apr 2005
Posts: 180
What should I do here
09-08-2006 22:13
Bump
SuezanneC Baskerville
Forums Rock!
Join date: 22 Dec 2003
Posts: 14,229
09-08-2006 22:28
Seems to me that anyone stressed out by the possibility of credit card info having been accessed by crooks should cancel the credit card that LL has on file, to eliminate the cause of their stress, whether doing so is actually needed or not.

If you cancel the card, you can stop worrying, if you don't, you will probably stay worried.

Posting in the general forum and asking for a response by a Linden is not likely to be as effective as posting in the Answers forum where only Lindens can answer.

Posting in the general forum and acting like non-Lindens shouldn't answer is just silly.
_____________________
-

So long to these forums, the vBulletin forums that used to be at forums.secondlife.com. I will miss them.

I can be found on the web by searching for "SuezanneC Baskerville", or go to

http://www.google.com/profiles/suezanne

-

http://lindenlab.tribe.net/ created on 11/19/03.

Members: Ben, Catherine, Colin, Cory, Dan, Doug, Jim, Philip, Phoenix, Richard,
Robin, and Ryan

-
Yiffy Yaffle
Purple SpiritWolf Mystic
Join date: 22 Oct 2004
Posts: 2,802
09-08-2006 22:40
From: Lord Sullivan
No, the earth will probably be destroyed before they buy anything on your card :)

*puts down the laser death beam* Not yet, I'm busy! :)
cinda Hoodoo
my 2cents worth
Join date: 30 Dec 2004
Posts: 951
ok this is what i did
09-08-2006 22:41
Called my bank customer service tonight, oh yes LL they were open and more than happy to help me, I have my debit card on file, they have put a watch on my account, emailing me on each purchase made on my card, and I have 48 hrs to report theft and all the money will be returned to my account.

FYI, that's how real customer service is handled :)
Clubside Granville
Registered Bonehead
Join date: 13 Apr 2006
Posts: 478
09-08-2006 22:46
For those of you who haven't checked your e-mail or received the Security Bulletin yet I guess I have to revise my own thinking regarding this issue.

From: Important Second Life Security Bulletin and FAQ
Q: Should I be concerned that encrypted password and encrypted payment information may have been exposed? Is the encryption unbreakable?

A: We use an MD-5 hash (scramble function) and salt (additional data) to encode passwords and payment information, an industry standard technique that is commonly regarded as difficult to defeat. However, no hash or encryption is unbreakable, given enough time and computing power. If you believe that you may be the victim of credit card fraud, you should contact your credit card company. If you use your Second Life password on other websites, online services, or any other services, you should change the password on that service as well. You can find additional tips for protection of your identity online at http://www.privacy.ca.gov/sheets/cis1english.htm.


I had assumed from the original Blog post that payment information was no more than what is listed in our profiles, that there was no need to store the actual payment details in the same database. Since these payment details never need to be accessed from the client, an extra layer of security is usually used to protect this information, a different linked database and more powerful encryption. Now that we know this was not the case it would certainly be best to watch your upcoming credit card statement for unknown charges if that is your payment method, and, as SuezanneC recommends, change this information now if you need that immediate "security of mind".

I personally hope Linden Lab will now look at storing payment and personal details in a different database linked by key so that this information is only called upon when needed (usually only during billing cycles and payment use through secondlife.com or the client). Ultimately this information is not important when logging in to the client. I would also recommend a much stronger encryption method be used on the actual card number and any other information that could be exploited. The use of this information is not routine enough to keep it linked within the login database and migrating it would at least ensure dual connections being needed for outside access rather than internal joins.
_____________________
Second Life Home Page Forums - slhomepage.com

Second Life Handbook - slhandbook.com

Second Life Mainland - slmainland.com
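
Added example, not part of the thread and not Linden Lab's code: for the password half of the FAQ answer quoted in the post above (salted MD5), this sketch shows how a site can verify a legacy salted-MD5 record at login and immediately replace it with a slow, salted PBKDF2 record. The record formats, function names and iteration count are assumptions made for illustration.

```python
from __future__ import annotations
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumption: work factor, tune to your hardware


def legacy_md5_record(password: str, salt: bytes) -> str:
    # Constructed legacy format (an assumption, not Linden Lab's schema):
    # md5$<salt hex>$<hex of MD5(salt || password)>
    digest = hashlib.md5(salt + password.encode()).hexdigest()
    return f"md5${salt.hex()}${digest}"


def pbkdf2_record(password: str, salt: bytes | None = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    # Slow, salted KDF: each guess costs `iterations` HMAC-SHA256 calls.
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def same(a: str, b: str) -> bool:
    # Constant-time comparison of two stored-record strings.
    return hmac.compare_digest(a.encode(), b.encode())


def verify_and_upgrade(password: str, record: str) -> tuple[bool, str]:
    """Check a login; return (ok, record_to_store_afterwards)."""
    scheme, *fields = record.split("$")
    try:
        if scheme == "md5" and len(fields) == 2:
            expected = legacy_md5_record(password, bytes.fromhex(fields[0]))
            if same(expected, record):
                # Only moment the plaintext is available: rehash now.
                return True, pbkdf2_record(password)
        elif scheme == "pbkdf2_sha256" and len(fields) == 3:
            iterations, salt = int(fields[0]), bytes.fromhex(fields[1])
            if same(pbkdf2_record(password, salt, iterations), record):
                if iterations < PBKDF2_ITERATIONS:  # outdated work factor
                    return True, pbkdf2_record(password)
                return True, record
    except ValueError:
        pass  # malformed hex or iteration count: treat as a failed login
    return False, record
```

A one-way hash of this kind only fits passwords; a card number that has to be charged again must be stored with reversible encryption whose key is kept away from the database.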
cinda Hoodoo
my 2cents worth
Join date: 30 Dec 2004
Posts: 951
Robin Linden ...
09-08-2006 23:00
about 45 minutes ago answered as much as they know about the hack, seems that very possibly the personal info files were breached as well, from what I can read into her answer...

added: it took the forums to get this answer by the way, as they closed the comment section on the blog about this, isn't it great we have that to look forward to ????
Thistle Decatur
Registered User
Join date: 25 Aug 2006
Posts: 77
09-08-2006 23:17
Call the credit card company and get a new card if you're worried. Otherwise, keep an eye on your credit card balance and report charges you didn't make, as usual. I can't believe people are panicking about this. Strangers get hold of your credit card info every time you use it.
IsaDaft Trollop
Registered User
Join date: 12 Feb 2006
Posts: 63
09-08-2006 23:26
From an email I got...

Q: What was the timing of the attack and Linden Lab's investigation?

A: Our forensic investigation began on September 6, 2006. Based on this investigation, the intrusion attempts may have started as early as September 3, 2006.

WTF...
Thistle Decatur
Registered User
Join date: 25 Aug 2006
Posts: 77
09-08-2006 23:30
They noticed it on the 6th. When they started looking into it, they found that someone had been attempting to access the system since the 3rd.
Lewis Nerd
Nerd by name and nature!
Join date: 9 Oct 2005
Posts: 3,431
09-09-2006 00:38
The seriousness of this issue could destroy Linden Lab and Second Life.

I don't have a great deal invested in this game more than perhaps $100 worth of land tied up... but knowing how some people make considerable amounts of cash and a good living from SL, I wonder how many of those are now seriously thinking whether the risk is worth it.

Lewis
_____________________
Second Life Stratics - your new premier resource for all things Second Life. Free to join, sign up today!

Pocket Protector Projects - Rosieri 90,234,84 - building and landscaping services