Tuesday, August 11, 2015

Godsdammit!

I just received a mailing from RPGNow.com informing me that they suffered a hack on one of their two load-balanced servers, and that accordingly I stand a 50% chance of having had my email and credit card number swiped during a transaction I made with them a couple of weeks ago.

They pin down the intrusion as being between July 10th and August 6th (which probably translates to "we had cause to look on August 6th and the last time we are sure things were okay is July 10th").

If you are affected you are supposed to have been informed. If you haven't been informed but did make a purchase from RPGNow.com within those dates, I'd contact your bank anyway.

On the one hand, kudos to RPGNow.com for getting in touch before I saw any shenanigans. On the other, it is really inconvenient to have to cut up my favorite credit card right now, as I have some significant purchases looming.

The RPGNow.com spokesdrone claims that there is less chance a problem occurred if you stored your card details with them before the Dates of Death, because the card number would be encrypted. So this does highlight a security risk one incurs when trying to avoid the security risk inherent in leaving your credit card details on someone's e-tail server, where general experience shows they get harvested en masse by evildoers periodically.

However, one must realize that in order to enact a purchase the encrypted card details must be decrypted into memory and sent to a bank, at which point they become vulnerable to harvesting in plaintext. All in all I generally (but not always) prefer to minimize exposure by not storing card details.

Just another hazard of going pdf all the way I suppose. It just boils my spuds that those in charge spend so much time making sure *I* don't make fast and loose with the pdfs by watermarking them, then let my card details get snarfed by some git. At least there's no DRM lock-in to speak of in the downloaded works.

Fergit.