back to article This page is currency unavailable... Travelex scrubs UK homepage, kills services, knackers other sites amid 'software virus' infection

Foreign currency mega-exchange Travelex said on Thursday it was forced offline by a "software virus" infection, bring down a number of currency-exchange websites with it. In a statement shared on Thursday, the UK-headquartered biz said the digital nasty, first spotted on New Year's Eve, caused it to unplug its UK site and …

  1. Anonymous Coward
    Anonymous Coward

    I remember Travelex

    I was in the Folkestone EuroTunnel terminal last Easter and saw the Travelex Kiosk there offering to sell mug punters 0.90 Euros per £1.

    Then when I took a photo of all the other appalling currency rates they were publicly displaying on their board they complained that I was not allowed to do that for some nonsensical confidentiality reason.

    1. Anonymous Coward
      Anonymous Coward

      Re: I remember Travelex

      Oddly, I had a similar experience in Heathrow when I took a photo of the extortionate prices being charged by a certain coffee chain...

      1. zumbruk

        Re: I remember Travelex

        So buy your coffee/FX somewhere else.

        1. Anonymous Coward
          Anonymous Coward

          Re: I remember Travelex

          Usually, these rip-offs occur where there is a local monopoly, so the lucky consumer has no choice.

          Said monopoly is frequently artificially created and maintained by a larger local monopoly such as as the airport company / authority, thereby ensuring jumbo-sized profits all round (except, of course, for the aforementioned lucky consumers)

          Monopoly capitalism, red in tooth and claw

          1. asdf

            Re: I remember Travelex

            >Crony capitalism, red in tooth and claw

            FIFY.

    2. Gene Cash Silver badge

      Re: I remember Travelex

      Oddly, there's a station selling $7/gallon gas just north of the Orlando In'tl airport.

      They were rather put out when I started taking pictures of the gas pump prices.

      I seem to see a pattern.

      1. 0laf Silver badge

        Re: I remember Travelex

        That's about the same as a uk motorway service station near me (143p per liter). Which in the US must be biblically high. or designed to get the Brits who would probably just shrug at those prices.

  2. chivo243 Silver badge

    The days of the currency exchange

    I remember traveling through Europe back in the 90's looking for these and Thomas Cook, stopping at each currency exchange and making notes, then deciding which country to visit next based on return for the current country's currency.

    1. Danny 14

      Re: The days of the currency exchange

      Or pass through Italy so you could come home with millions of lira.

  3. macjules
    FAIL

    .NET 4.0.30319

    Using a version of .NET that was last updated in 2012? That's pretty close to Tesco still using .NET 1.1 in 2014. I know it is a stupid question but someone at Travelex must have known about this, wouldn't they?

    1. AndrueC Silver badge
      Facepalm

      Re: .NET 4.0.30319

      They had public facing RDP so I'm not sure we can assume any level of knowledge on their part above 'appalling'.

      1. Sgt_Oddball

        Re: .NET 4.0.30319

        The trick with RDP is to move the ports to something random, then to have whitelisted ip addresses that can access it or failing that something like ts_block - really neat ip address checker that blockholes an IP address after a set number of failed attempts.

        Stuff like taking off the admin account shouldn't have to be spelt out... And finally... Its 2020..... 2008 r2 went end-of-support 5 years ago... 5 YEARS AGO.... Maybe its time for them to look at getting some proper investment in IT or at least let the PHB/bean counter that blocked the migration (for it usually is someone higher up) face the music for such negligence.

        1. Anonymous Coward
          Anonymous Coward

          Re: .NET 4.0.30319

          "The trick with RDP is to move the ports to something random"

          It isn't a great trick - it just delays you appearing in port scans. And once you have been caught, its just a matter of time before the next RDP vulnerability comes along before you can patch it. Don't believe me? Check firewall logs and you will see almost every port on every public IP address you have scanned at least once a month with the high risk ports being scanned multiple times a day.

          Yes ts_block helps, but it still leaves you at the mercy of vulnerabilities and weak username/passwords. We have been though this with SSH in the 2000's (i.e. random ports, port knocking and fail2ban) and still had compromises. At least with SSH you get the option of disabling root access and forcing the use of keys instead of passwords.

          Use a VPN with 2FA.

          1. Anonymous Coward
            Anonymous Coward

            Re: .NET 4.0.30319

            While everyone else posts about moving the RDP port to something other than the default 3389, you have identified the actual correct solution. You win the internet today, sir.

            1. [VtS]Alf

              Re: .NET 4.0.30319

              We can all laugh, but having port 3389 exposed to the internet is just as dangerous as having your VPN port exposed to the internet. Just sayin’

              1. Anonymous Coward
                Anonymous Coward

                Re: .NET 4.0.30319

                I accept that both VPN and RDP solutions present a risk BUT the VPN solution should have methods to significantly mitigate some of those risks.

                The first question to ask is what stops any user accessing a VPN/RDP solution - if it is only the username/password then you have a problem.

                1. [VtS]Alf

                  Re: .NET 4.0.30319

                  And finally we DO have the right question to this thread! Thank you sir.

          2. Gene Cash Silver badge

            Re: .NET 4.0.30319

            I use port 22 as a sacrificial chicken. Password authentication is completely disabled, so anything trying to log in that way can be instantly banned by Fail2Ban for a year or so.

        2. John Brown (no body) Silver badge

          Re: .NET 4.0.30319

          "And finally... Its 2020"

          Maybe, finally, all those people running IT shops will get a clear vision of he future?

          (I'm still a little surprised I've not seen more marketing campaigns using the 2020 vision angle. Marketeers usually love those sorts of obvious tricks)

        3. schifreen

          Re: .NET 4.0.30319

          Moving away from port 3389 helps A LOT. As does enabling account lockout on Windows Server, to disable the account for 30 mins or so after 3 unsuccessful password attempts.

          Trouble is, you can't set a timeout for the administrator account. Or rather, the administrator account isn't subject to the timeout. So you also need to remember to rename the admin account to something else.

          Also, setting an account lockout can have other serious unintended consequences. For example, most SharePoint books suggest that you use sp_admin as your farm admin username. And lots of people do. So anyone who RDP's into a SharePoint server can bring it down by attempting to log in as sp_admin and getting the password wrong a few times. Because, chances are, that'e the account the SharePoint server uses to talk to its SQL Server back end.

          1. [VtS]Alf

            Re: .NET 4.0.30319

            But really it does NOT. Security by obscurity et al. If you, for example, provide a Cisco Anyconnect VPN for your clients at IP xxx.xxx.xxx.xxx:port_not_at_default, portscanners all over the world WILL discover your open port.

            With a few tools they might discover that you run an IPSec VPN solution straight from your ASA. There ARE holes in the ASA software (up to version xxx, but you did not get to update to just yet, because enterprise), thus a VPN connection can be hacked/initiated/abused with a brute force hack (often). The attacker can connect with VPN (our just hacked account) and can discover other servers in that network. Keep this in mind.

            Other situation:

            Now, I am a business that exposes (hopefully) a Terminal Server Gateway or an RDP server to the internet. Port 3389. People can brute force accounts to this server (they can’t because of MS’ software).

            Both situations provide an open port, which software do we need to hack?

            Either way, they are both equally dangerous and updated software/firmware from all vendors prevents this.

            I might not make myself popular with my statements, but I trust Microsoft more to mitigate these flaws than I do Cisco (at the ASA level).

            1. Anonymous Coward
              Anonymous Coward

              Re: .NET 4.0.30319

              "thus a VPN connection can be hacked/initiated/abused with a brute force hack (often)"

              If you can brute-force your VPN solution, it hasn't been configured correctly. IPsec VPN's require a shared secret/client certificate to proceed to the authorisation step and SSLVPN's can be configured with similar client certificate checks or some other pre-authorisation check to ensure brute forcing requires the pre-authorisation to be brute forced before attempting username/password attacks.

              "I might not make myself popular with my statements, but I trust Microsoft more to mitigate these flaws than I do Cisco (at the ASA level)."

              Assuming you patch both Microsoft and Cisco solutions, the Cisco solution allows you to adopt a higher level of security than is possible with Microsoft RDP solutions. If you are comparing a patched Microsoft solution with an unpatched Cisco solution you may have a point, but I suspect you might be missing the point of having infrastructure that you can support and maintain in order to ensure it is secure.

              1. [VtS]Alf

                Re: .NET 4.0.30319

                I think, my point still stands. I just checked the CVE database with a few searches (queried ‘Cisco ASA’, ‘Microsoft RDP’, ‘Microsoft Remote Desktop’, ‘Microsoft Terminal Server’ and the results for Cisco for 2019 were 28 and for MS the last CVE was from 2017.

                Also, the RDS server can be configured just as easily with certificates and 2FA (Who doesn’t remember our RSA tokens which generated a new code every x seconds?).

                And that should be the way to configure it when you’d expose 3389 directly to the internet. But just stating that it is unsafer to expose 3389 to the www, instead of a VPN port is incorrect I think.

                Ofcourse I don’t expose 3389 to the outer world and we use a VPN solution for our users. Seeing the CVE list, we might ask ourselves if it isn’t safer even.

                1. [VtS]Alf

                  Re: .NET 4.0.30319

                  After edit: I just saw a serious leak in the Metasploit db for 2019 on MS RDP (BlueKeep), however it has been patched already.

                2. Anonymous Coward
                  Anonymous Coward

                  Re: .NET 4.0.30319

                  Looking at the CVE's, are you looking for remotely exploitable with remote code execution or authentication bypass?

                  Many of the ASA vulnerabilities result in DoS or device reloads, but do not allow remote access or remote code execution (i.e. the equivalent of the BlueKeep vulnerability in 2019 or CredSSP in 2018).

                  While I'm not disputing these are vulnerabilities, they result in "fail closed" scenarios from a risk perspective versus the "fail open" vulnerabilities with RDP which makes your statements around Microsoft being more secure than Cisco difficult to justify.

                  1. Giles C Silver badge

                    Re: .NET 4.0.30319

                    The simple solution is a robust patching policy. One a previous employer used was

                    Cve 6 to 8 2 weeks to patch estate - servers, switches, firewalls, application software etc

                    Cve 9 or above 24 hours and you got clearance to take priority over every other planned piece of work.

                    That was a control in the PCI documentation, to make sure we did everything possible to secure the systems

    2. Anonymous Coward
      Anonymous Coward

      Re: .NET 4.0.30319

      Windows 2008R2, RDP open to the Internet, no NLA

      With such policies, they've done pretty well to avoid ransomware/viruses etc so far. They must be lucky.

      Or just very unlucky because they were going to shutdown their Windows 2008R2 estate by the end of life deadline in 10 days time?

      1. macjules

        Re: .NET 4.0.30319

        I suspect that the intent was to be able to RDP from an AWS jumpbox running Windows 2008 Server and use a security group to prevent external access over 3389. Looks like that went wrong somewhere.

    3. diodesign (Written by Reg staff) Silver badge

      Re: .NET 4.0.30319

      Good spot, thanks. Added that to the story.

      C.

  4. Justin Case
    Windows

    Nice holding page

    Surely someone could have knocked up something a little more informative... these people employ competent web developers, don't they?

    1. rmason

      Re: Nice holding page

      Unpatched (for ages) public facing RDP?

      These people don't employ anyone who is competent at their jobs, and/or competent at managing upwards and getting these things sorted.

      1. julian_n

        Re: Nice holding page

        Well sometimes they do - but then fire them to save money.

    2. Anon
      Facepalm

      Re: Nice holding page

      Yeah, a file named App_Offline.htm will take care of it.

    3. Anonymous Coward
      Anonymous Coward

      Re: Nice holding page

      They never planned for downtime or maintenance....

  5. Pascal Monett Silver badge

    "Travelex had public-facing Windows remote-desktop servers with no NLA enabled"

    Not acceptable. This is a professional company dealing in international currencies and with direct links to banks, there is no excuse for not having a properly secured environment.

    The CEO should be dumped without a parachute. The next one can go about firing the head of IT. Being hacked is one thing, but not doing one's due diligence on security when dealing in this kind of market means that heads should roll.

    1. prinz

      Re: "Travelex had public-facing Windows remote-desktop servers with no NLA enabled"

      Great point, but your final idea of dumping the CEO - not likely.

      You are looking at it wrong.

      IT are viewed as overhead - weird expensive nerdy people that non-technologists neither understand nor respect and sometimes hate.

      Therefore, in their minds, not having real IT or outsourcing it to some extremely cheap country (which amounts to the same) will save them massive amounts of money, but with a risk of something like this happening.

      As long as the cost of the outage is less than the money saved, they're still making money with the added bonus of not having to deal with those weird expensive nerdy people.

      So, unless this outage is super expensive in the final analysis, the CEO stays and in fact, proves the theory - the CEO can say "See, it cost less to take an outage than to prevent one with expensive nerdy IT".

      1. Anonymous Coward
        FAIL

        Re: "Travelex had public-facing Windows remote-desktop servers with no NLA enabled"

        You nailed it. IT failures are considered a cost of doing business. There's even insurance available to cover the cost. Do it right has been replaced by do it cheap. Management is rewarded, not sacked, for cutting costs, regardless of the consequences.

  6. SVV

    Flabbergasted

    To see the likes of Barclays and HSBC being dependent on a third party using unsecured Windows servers (also known as Windows servers).

    Brings a whole new meaning to the problem of poor change management procedures......

    1. Halfmad

      Re: Flabbergasted

      It's not change management if you don't change anything, ever!

    2. DJV Silver badge
      Pint

      "unsecured Windows servers (also known as Windows servers)"

      Excellent, I must remember that! Have a pint!

  7. adam payne

    Travelex could not say when it expected the services to be back online. The biz said it has "teams of IT specialists and external cyber security experts," working on the issue, but there's no reported progress so far.

    Sounds like Ransomware to me.

    Let me guess no patching?!?

    1. Halfmad

      Almost guaranteed to have no patching, no contingencies, poor backups (or limited) and potentially outsourced chunk of IT.

      The fact their external points were unpatched and poorly configured is a massive red flag, basically they don't test their own stuff, so that means realistically they now need to pay over the odds for someone to do all that for them, to tell them what they don't know - that they don't manage their systems or understand the risks they are running.

      Watch as Senior Management don't get sacked or resign over this.

    2. theblackhand

      Twitter has screenshots of Windows 2008R2 server logon screens - even minimal patching seems optimistic.

      Just to be clear, if this was the NHS, we would be lambasting them for poor practices. Instead, it's a financial services company almost 3 years after the NHS were hit and they have demonstrated none of the lessons have been learned.

    3. Danny 14

      thats ok, they can restore from backup overnight. In fact, just let veeam spool up from the latest backup while you are waiting for a proper restore.

  8. Anonymous Coward
    Anonymous Coward

    Compliance....

    Time for a PCI-DCC Audit methinks......Christ alone knows how they are handling their Card Data Environment if they can't even cope with basic RDP hardening and patching...

    1. wyatt

      Re: Compliance....

      The company I work for use to maintain asystem that worked within the PC-DSS 'area', from what I saw that side of things worked quite well. Old, but contained. Requirements from moving around in there were pretty stringent, I suspect this is separate from this issue (at the moment).

    2. katrinab Silver badge
      Paris Hilton

      Re: Compliance....

      If you have a bank card, use that for payments / cash withdrawals when you get there. Do use it to buy cash from Travelex.

      1. AndrueC Silver badge
        Meh

        Re: Compliance....

        Credit card would be better. That way it's not your money at risk.

        With a bank card the miscreant is draining your account and you have to wait/hope for a refund while your creditors send red letters. With a CC as long you check your statements carefully and inform the issuer of dodgy transactions you'll never have to fork out a penny. Just have the crap struck off and wait a day or two for a new card to arrive.

        1. djack

          Re: Compliance....

          Sadly not.

          Buying foreign currency is classed as a cash advance as far as credit cards go.

          That means you pay a charge on the transaction and the money is subject to interest charges immediately (unlike normal purchases which only accrue interest after the current statement period).

          I learned this the hard way.

          1. AndrueC Silver badge
            Meh

            Re: Compliance....

            Taking cash out on a CC is a bad idea wherever you do it. There's usually a handling charge even in your home country. Also since cash can be stolen you lose most of the protections of the CC since no issuer is going to refund you for cash stolen out of your pocket.

            But if you have a CC why would you want cash? There are some remote parts of the world where you need it but in most tourist destinations CCs are freely accepted. Certainly anywhere that accepts a bank card for payment (and most places within spending distance of an ATM) will accept a CC.

            1. katrinab Silver badge
              Paris Hilton

              Re: Compliance....

              Why would you want cash?

              Because in lots of not particularly backward countries such as Germany and Japan, card acceptance is pretty limited.

              In China, Visa/Mastercard acceptance is pretty limited.

              1. Danny 14

                Re: Compliance....

                I went through japan and had no issue with credit card. Only buying bento boxes from Kyoto station and topping up my suica necessitated cash - the wife used her apply pay and phone for her suica. All the 7-11, restaurants and shops accepted cards. even smaller gift shops around shrines had card machines. I know Japan is a a fairly cash heavy society, I planned to pull wodges of cash out the the 7 bank ATMs but didnt need to in the end.

          2. Danny 14

            Re: Compliance....

            There isnt a cash advance or atm charge on my halifax clarity credit card. The rate is standard rate of the day from mastercard too. No fees or otherwise so a great card for travelling.

            1. Dog Eatdog

              Re: Compliance....

              There is no fee for withdrawing cash. However "Interest charges apply to cash you take out, from the day the cash is withdrawn."

              And the rate is 20% pa (or even 28% if you are deemed a not-so-good credit risk).

              So if you withdraw , say, $1,000 at the beginning of a billing period, that could amount to $30.

              However, if they allow a positive balance on the card, you could work around that.

              1. TrumpSlurp the Troll

                Re: Compliance....Clarity credit card

                We got Clarity credit cards because we read that the interest paid until the balance was cleared (month or less) was less than the foreign transaction charge plus the unfavourable exchange rate on debit cards.

        2. katrinab Silver badge

          Re: Compliance....

          For retail purchases, yes, but not for cash withdrawals, because they are charges as cash advances.

          1. KBeee

            Re: Compliance....

            With some CC's used abroad for cash, you can be hit with triple charges. Cash Advance charge, Foreign Currency charge, and an awful exchange rate - quite often £1 = €1.

            1. katrinab Silver badge

              Re: Compliance....

              The exchange rate is always the Visa or Mastercard exchange rate. Both rates are pretty good, Mastercard's is slightly better. The third chage you can be hit with though is interest from date of transaction, as interest free period usually only applies to purchases.

      2. Anonymous Coward
        Anonymous Coward

        Re: Compliance....

        There are plenty of other Foreign Exchange Bureaux. There are some very good ones with very keen rates. There are even Comparison WebsItes that help you find them.

        Look for ones with physical shops where you can order online and turn up with your Id to collect your order.

  9. TheBorg

    Not surprised the banks are using a third party ... save them fucking it up themselves !

    These FX companies like Travelex are dinosaurs - unless you want cash use someone like Transferwise - App based, a debit card that can have multiple currency accounts to use from it with MUCH better rates than these crooks. If you need some cash then use the debit card to withdraw from standard cash points.

  10. alain williams Silver badge

    How much is this costing them ?

    How much more would it have cost to have done a proper job and secured their systems in the first place?

    I suspect that some bean counter decided that the cost of good security was not worth it -- after all "it will not result in any extra business - will it ?"

    Blame will probably be given to some lowly techie who was given neither the time nor the money to do it properly. If someone higher up the management chain is fingered they will get a nice golden parachute and told to keep quiet.

    1. Anonymous Coward
      Anonymous Coward

      Re: How much is this costing them ?

      Nail on head, any attempts to refresh, upgrade, mitigate lead to wails of "where is the revenue from this....."

      The questions should always be "what's the cost of NOT doing this in 1-2-5 years time?"

      Server 2008 / Win 7 zero day fun begins in 10 days lads and lasses!!

  11. Giles C Silver badge

    Well the message has been changed you now get a planned maintenance is happening and things will be back shortly...

    So a slight improvement over the error message from earlier

    1. Chris Evans

      Planned! Maintenance

      Calling it "Planned Maintenance" makes them look very very stupid.

      They should call it something like "Emergency Maintenance"

      Many big companies seem to make the same stupid mistake!

    2. JasonLaw

      "Funnel down"

      It was so well planned, it's still down 4 days later... (checked 12:30pm on 7-Jan)

  12. Winkypop Silver badge
    Coat

    Cash converters

    Haven't used one of those cash desks since the early 80s.

    And then only in an emergency.

    Pickpocket -->

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like