I am puzzled...
Someone I know of had their email hacked, and, of course, that means that the hacker could use email based password resets on various systems. They proceeded to do so, and thankfully left enough of a trail to work out what they did so the passwords could be sorted out. It does highlight the importance of email passwords being secure, but the puzzle is not that - it is what they did...
They reset passwords on a load of supermarket logins.
Now, I have only used tesco.com, but I imagine they are all much the same. You cannot order from them without using a card. Yes, tesco store my card but only display the last 4 digits and want the CV2 on every order - so if someone logged in to tesco as me they could not order anything on my card.
Even if they could, somehow, order, what then? I am not sure for collection but I assume they would want to see the club card and/or the bank card when you collect, so that is not going to work. And if they go for a delivery, then they create a log of where they had things delivered.
I suppose they could see my address, but why change multiple supermarket accounts - you only need one to see that.
So really, what is the point in "stealing" someone's supermarket logins?
Am I missing the bleeding obvious here or something?
2017-07-03
Most supermarkets have banking facilities (eg credit cards) these days - could it be something to do with that, eg changing the address and getting a new card posted out?
Good point, maybe I misunderstood - I was definitely under the impression it was just the shopping sites that had been done.
They also all have their own mobile offerings. My bet is it's related to that as it's a lot easier to "cash out" a SIM quickly compared to a CC.
Think about it - the (virtual) mobile company has your CV2 number anyway so upgrade the account online & request a new (different size) SIM.
I bet sending that SIM to a new address for an existing customer doesn't attract anywhere near the same fraud checks sending a new phone would. Subscriber knows bugger all about it until new SIM is activated & they're disconnected. By the time they've sorted things out there's probably several hundred quid's worth of calls to premium numbers outside the UK on their account.
Easy money, no?
Operator dependent but, in my experience, operators generally regard SIM fraud as just as problematic as handset fraud, even with the ability to withhold on suspected fraudulent usage / AIT.
Some might slip through the net, but definitely regarded by some (many?) as a known fraud vector, to be managed carefully.
My guess would be a foreign hacker thinking that perhaps they were store charge cards
You can also get a lot of reward vouchers which can be spent anonymously like cash
Perhaps they all hide different parts of the credit card number, so if you check enough sites you can stitch together the whole credit card number? That gives you a valid credit card number and the corresponding email, name and address.
The PCI DSS rules state you can show at most the first 6 and last 4 digits, so anybody PCI compliant should never show the middle digits of the card in theory...
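To make the masking point concrete, here is an added example (written for this page, not code from the blog author or any commenter) that enforces the PCI DSS display limit of at most the first 6 and last 4 digits, and then merges several compliant masked views of the same card, as the "stitch together" comment imagines. The card number, the `mask_pan`/`merge_masked_views` names and the constant names are all constructed for the example.

```python
# Added example: PCI DSS display masking of a card number (PAN) and what an
# attacker learns by combining masked views from several compliant sites.
# The PAN below is a constructed sample value, not a real card and not
# Luhn-checked.

PCI_MAX_LEAD = 6   # PCI DSS: at most the first 6 digits may be displayed
PCI_MAX_TRAIL = 4  # ...and at most the last 4


def pci_display_allowed(lead: int, trail: int) -> bool:
    """True if showing `lead` leading and `trail` trailing digits is within
    the PCI DSS display limit."""
    return 0 <= lead <= PCI_MAX_LEAD and 0 <= trail <= PCI_MAX_TRAIL


def mask_pan(pan: str, lead: int = 0, trail: int = 4) -> str:
    """Render a PAN with only `lead` leading and `trail` trailing digits
    visible, every other digit replaced by '*'.

    Refuses any mask outside the PCI DSS limit, so a site can never expose a
    'middle' slice of the number that another site keeps hidden.
    """
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 12 <= len(digits) <= 19:
        raise ValueError("PAN must be 12-19 digits")
    if not pci_display_allowed(lead, trail):
        raise ValueError("mask would reveal more than PCI DSS allows")
    hidden = len(digits) - lead - trail
    if hidden <= 0:
        raise ValueError("mask would reveal the whole PAN")
    # Slice from the end with len()-trail so trail=0 yields '' (digits[-0:]
    # would return the whole string).
    return digits[:lead] + "*" * hidden + digits[len(digits) - trail:]


def merge_masked_views(views: list[str]) -> str:
    """Combine masked renderings of the same PAN (e.g. collected from
    different shopping sites) into one string: a digit wherever any view
    shows one, '*' wherever every view hides it."""
    length = len(views[0])
    if any(len(v) != length for v in views):
        raise ValueError("all views must have the same length")
    merged = []
    for pos in range(length):
        seen = {v[pos] for v in views if v[pos] != "*"}
        if len(seen) > 1:
            raise ValueError(f"views disagree at position {pos}")
        merged.append(seen.pop() if seen else "*")
    return "".join(merged)


def hidden_digits(masked: str) -> int:
    """Number of digits still unknown after merging."""
    return masked.count("*")


if __name__ == "__main__":
    SAMPLE_PAN = "4000 1234 5678 9010"  # constructed, not a real card
    views = [
        mask_pan(SAMPLE_PAN),                   # typical: last 4 only
        mask_pan(SAMPLE_PAN, lead=6, trail=4),  # the PCI DSS maximum
        mask_pan(SAMPLE_PAN, lead=6, trail=0),  # BIN only
    ]
    merged = merge_masked_views(views)
    print(merged, "-> still hidden:", hidden_digits(merged))
```

Because every compliant site hides the same middle block, the merged view of a 16-digit card still lacks 6 digits however many sites are checked; the stitching attack only works against a site that breaks the display rule, which is exactly what `mask_pan` refuses to do.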
I know it's a bit beside the main point but just FYI, I do click and collect with Tesco all the time and have never shown or been asked for proof of anything... I just tell them my name and away we go!
If you're going to use stolen credit card details, it makes plenty of sense to steal a website account to use them in.
A friend of mine had a sudden flood of tens of thousands of newsletter subscriptions/confirmation requests. Buried in the middle was an Amazon password reset notification and an order for some expensive electronics to be shipped to the other end of the country. The order was made using a newly added card, presumably stolen, and we think the fraudster socially engineered their way into the account.
Interestingly, the items in the Amazon order were identical to a legitimate one from a month or two back. We think that the flood of subscriptions was to hide the order and Amazon password reset notifications, and ordering the same items was camouflage in case the order notification was spotted in passing.
Amazon are somewhat unique in that they don't use the CV2 on orders - at least in the UK if you also have a Kindle/Prime account. Nor does it use the (totally useless) Verified by Visa crap.
So Amazon eat 100% of the fraud costs on CC. I'd guess their merchant turnover means it's insignificant compared to higher transaction costs where the CCC eats the losses.
tl;dr Amazon are "special" in that they have agreed to eat the losses associated with a cardholder not present and no CV2 transaction.
Clubcard (et al) points. Not new: https://conversation.which.co.uk/money/tesco-clubcard-account-points-stolen-fraud/
I usually use Sainsburys, and they don't seem to ask for anything (e.g. CVV) to pay for an order using an existing saved payment card. So having access to my account might be enough. Then again, perhaps extra checks kick in if for example:
- my account password has recently been reset, or:
- the order is for a new delivery address
Also, when I click "buy" then some kind of "verified by visa" thingy pops up, then goes away without asking me anything. Perhaps this is performing additional checks in real time, e.g. reading a cookie stored on the device I normally use.
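The "extra checks" the comment above speculates about, and the newly added card from the Amazon story earlier in the thread, can be expressed as a simple step-up rule run before a saved card is charged. This is an added example written for this page, not code from any retailer or commenter; the seven-day windows, the account/order dictionary layout and the function names are assumptions, and the accounts and orders are constructed samples.

```python
# Added example: decide whether an order against a saved card should be
# forced through CVV / 3-D Secure instead of going straight through.
# Signals (all assumptions for this example):
#   * password reset shortly before the order
#   * delivery to an address the account has never used
#   * the card being charged was saved only recently
from datetime import datetime, timedelta

RECENT_RESET = timedelta(days=7)  # assumed window for "recent" password reset
RECENT_CARD = timedelta(days=7)   # assumed window for "newly added" card


def step_up_reasons(account: dict, order: dict) -> list[str]:
    """Return the reasons this order should require a step-up check.

    An empty list means the saved card can be charged without one.
    """
    reasons = []
    placed = order["placed_at"]

    reset_at = account.get("password_reset_at")
    if reset_at is not None and timedelta(0) <= placed - reset_at <= RECENT_RESET:
        reasons.append(f"password reset within {RECENT_RESET.days} days of order")

    if order["delivery_address"] not in account["known_addresses"]:
        reasons.append("delivery to an address not previously used on this account")

    saved_at = account["saved_cards"].get(order["card_last4"])
    if saved_at is None:
        reasons.append("card is not one of the account's saved cards")
    elif placed - saved_at <= RECENT_CARD:
        reasons.append(f"card saved within {RECENT_CARD.days} days of order")

    return reasons


def requires_step_up(account: dict, order: dict) -> bool:
    """Convenience wrapper: True when any reason applies."""
    return bool(step_up_reasons(account, order))


# Constructed sample account: password reset on 1 July 2017, one known
# delivery address, one card saved long ago (keyed by last 4 digits).
SAMPLE_ACCOUNT = {
    "password_reset_at": datetime(2017, 7, 1, 9, 0),
    "known_addresses": {"1 Example Street, Bracknell"},
    "saved_cards": {"9010": datetime(2016, 3, 1)},
}

# Constructed orders: a normal repeat order weeks later, and an order placed
# two days after the reset to a brand-new address.
ORDER_ROUTINE = {
    "placed_at": datetime(2017, 7, 20, 18, 30),
    "delivery_address": "1 Example Street, Bracknell",
    "card_last4": "9010",
}
ORDER_SUSPECT = {
    "placed_at": datetime(2017, 7, 3, 10, 0),
    "delivery_address": "99 Somewhere Else Road, Elsewhere",
    "card_last4": "9010",
}

if __name__ == "__main__":
    for name, order in (("routine", ORDER_ROUTINE), ("suspect", ORDER_SUSPECT)):
        print(name, "->", step_up_reasons(SAMPLE_ACCOUNT, order) or "no step-up needed")
```

The routine order produces no reasons and goes through silently, which matches what the commenter sees day to day; the order placed two days after a password reset to an unfamiliar address collects two reasons, and a checkout that forced CVV or 3-D Secure on that path would blunt most of the account-takeover scenarios discussed in this thread without bothering regular customers.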