E-mail hoax panics Canadian credit-card customers

Computerworld - A hacker who hijacked the server at a mass-e-mailing company this week e-mailed a bogus warning to 10,000 customers, warning their credit-card numbers had been compromised from the database of a major Canadian electronics dealer. The warning said customers should call their credit-card companies and get new cards and account numbers.
Fewer than 50 people actually canceled their cards, according to Future Shop Ltd., Canada's largest online consumer electronics retailer.
However, spokesperson Lori Decou said, some 2,500 customers contacted Future Shop to find out what to do when they got the fake e-mail last Wednesday. Others called their credit-card companies.
The reason that so few canceled their credit cards, she said, is because Vancouver, British Columbia-based Future Shop quickly announced the breach and contacted all the major credit-card issuers -- Visa International Inc., MasterCard International Inc., Discover Financial Services and Future Shop's own store credit card -- to tell them that the e-mail was a hoax.
In fact, the actual database containing credit-card information at Future Shop, wasn't compromised at all, Decou said.
The hacker sent a command to a third-party mass-mailing vendor to send the announcement. The e-mail appeared to come directly from Future Shop, which had hired the company to send e-mail announcements to Future Shop's online customers.
Decou said that Future Shop wasn't releasing the vendor's name because the issue is still being investigated, but added that Future Shop had cut all ties with that company.
"The first thing we've done is that we've ceased doing business with the third-party company in question," she said. "We have brought our e-mailing distribution in house, and any further contracts we may have with third-party companies to do such a service will not be entered into until we are confident that their database security systems are of our standard."
Other companies may be potential targets for a similar prank, said John Pescatore, research director for network security at Stamford, Conn.-based Gartner Group Inc.
"In the early days of the Internet, anybody could use anybody's mail servers to send mail, and you find that a lot of the servers are still in the default configuration," he said.
The solution is to make sure that a mail server can't be accessed from the Internet to be used as a spam relay, he said.
"One good source of information is the company Sendmail Inc.," he said. "But the bottom line on any Internet-connected server is to follow standard security guidelines and use firewalls and hardening of the operating system to only turn onthe absolutely minimal number of services that are needed."