stupidity all around
I hate modern times
I must be getting passed a certain age and nearing another certain age.
"At the moment some stranger is in her account as they keep adding things to her basket and she keeps taking them out." A Reg reader last night spoke of the horrifying moment he realized an online store used by his wife was mixing up some of its online customers, allowing people to gain access to some strangers' personal …
Funnily enough, this actually happened to us. Someone got my wife's card details (skimming, breach, who knows...) and cloned the card. Fraud alert popped because someone tried a couple of small transactions - less than a dollar each - at a couple of places to verify the card, and they were geographically unlikely. The bank suspended the card and we went through the usual dance of confirming recent transactions and getting a new card issued.
This sounds familiar. Three were doing the same thing. I hate organizations who deploy systems without proper support or understanding of the pitfalls they maybe exposing their customers to . It's like giving an infant a box of matches and expecting not to get burned ! If you cannot make them understand try deleting accounts that would get their attention.
Sgned angry mob
When I used to pay my bill online by card it always gave me the amount paid by a random stranger paying their bill and their name on the final screen. They were obviously losing track of customers online sessions at the final page. Tried contacting BG about the issue but they weren't interested and this problem carried on for a year or more! Wouldn't surprise me if it was still doing the same thing, but I'm no longer with BG anyway. The issue wasn't too serious in terms of what was leaked but their site shouldn't be leaking or mixing up different users sessions at all.
The moment I see anything like this it's straight on the phone to my card provider to tell their fraud department that any transactions with that site did not come from me.
From that point on the Financial Services industry wheels will start to grind the site into oblivion. Which is how it should be.
Totally correct! I once suspected a legitimate company had been hacked, or had a rotten egg insider, that was using my information to buy 3 months of server space from a dodgy provider, so I knew it had to be likely an outsider, who was simply hiding his tracks to pay for bot herder server farms.
The next time I purchased from them, I used one of those cards that allows you to relegate a unique card number to each merchant you buy from; and sure as heck, it happened again, except VISA got wind of it without my intervention, and took the web site's card holding privileges away! I disrupted the company so bad they fired their foreign customer service, and sold out to a company that only used US service centers. I personally don't think that is anymore secure, but I haven't had trouble with them since.
I used one of those cards that allows you to relegate a unique card number to each merchant you buy from
Yeah. I've been using virtual cards from privacy.com for any card-not-present transactions for a while now, and I have to say I've been pleased. Create any number of cards, set various limits (per-transaction, daily/weekly/monthly), restrict to a single merchant, various options for being notified of any transactions, and you can use any name and mailing address you like. It's all tied to a bank account, so if you want an additional layer of security, you can open an account specifically for those cards.
They make their money off the merchant fees, so it's no additional cost to the consumer.
The web UI is fancier than I prefer, but it's not too obnoxious. Works fine with non-Chromium browsers.
I don't have any relationship with them beyond being a user of their service.
I do not use their online ordering / delivery service.
Imagine my surprise when a Walmart box shows up at my door, properly addressed. I opened it and found four large boxes of incontinence briefs. I'm getting old, but not that old!
Called Wally world and they had no idea how it was ordered and didn't seem to care that I had them... "just drop it at a store, or keep it"
Other boxes appearing from the void this past year: 4 large tubes of personal lube, a box of relatively edible food, and a box of junk food.
It's possibly some small seller sending stuff to random people so that they can qualify as a "confirmed purchaser" and thus be allowed to leave glowing reviews of themselves on the web site, IOW astroturfing.
Were the four large tubes of personal lubricant also relatively edible?
"Someone testing out stolen credit card numbers to see if they're still valid?"
I doubt it. They would still order something valuable and have it shipped to a vacant home or one where the owner is on holiday. Pwned cards can be caught fast so you'd want to make sure you get in some good fraud before it's turned off.
Here in Oz it's becoming a 'thing'.
They* are calling it 'brushing' and it's causing some biosecurity issues as folk receive random seeds in a small envelope from a supplier on eg Amazon complete with all their correct personal details.
Folks are being warned about ID theft but nobody takes much notice, except, of course, the biosec dudes/dudettes worried about dangers to our crops and stuff.
*The authorities, cobber.
I think there have been unexpected receipts of unknown seeds in the post in the UK too. Most appear to be to genuine gardeners, who fortunately have more sense than to plant seeds of unknown origin. The most sensible idea I heard was baking them at high temperature in the oven to ensure that are dead before disposal, but I'm no horticulturalist* so if you get some get advice from someone who knows about such matters.
*But, my Aspidistra ('Cleo') is currently sprouting its eleventh new leaf this year and is actually almost entirely green and healthy (as opposed to brown), so I must be doing something acceptable.
That happens when
1 someone logged in using that machine and selected ‘remain connected’
2 the web browser ‘remembers’ previously accessed pages.
Usually it also means that you logged in using the same account on the computer.
1 log in onto the computer using a different login ID
2 don’t let the browser remember previously used pages
3 don’t select keep connected
4 use the Outlook application instead of the web application.
I never ever leave my credit card details on shopping sites. If "don't remember" isn't an option, I simply delete it from my profile after my purchase. And if they really, really insist on having one, they get fed a dead credit card number instead (old, now blocked card), which obviously won't work if used. I change it back when/if I actually need to pay for something again.
Inconvenience? Not for me, my credit card details are in my password manager, and I can fill them back in in 2-3 clicks.
After you have placed an online grocery order and paid via credit card, the details are allways retained and any amendment to that order done 24 hrs before delivery slot just requires the 3 digit CSV. All the supermarkets I've used seem to do this.
Slots nearly always have to be booked around a week in advance. So how do you prevent the site remembering your card?
> So how do you prevent the site remembering your card?
Easy. You use a virtual credit card. Each card number generated has a fix amount that can be charged. You generate a new number for each payment. They can keep track of all the numbers, they can be used only once. So you don't care.
I had one of those, before the company quit using it; worked great! I see where it can be picked up again by almost any card company now, but signing up for it at a special secure website, and then you get a browser "app" that applies the special account number to each merchant you do business with online.
I should have wrote the URL down, as I've forgotten it already. Maybe a web search will put me back on track.
> the details are allways retained and any amendment to that order done 24 hrs before delivery slot just requires the 3 digit CSV
I expect that would be the payment processor, not the shop front itself, and I expect the payment processor to be less prone to stupid coding blunders (I said "less"!) than the shiny cool web storefront itself.
Which means that if the web store tries to place a new, fake order, it won't know which credit card to associate it with, and thus that order won't pass the tests and won't even reach the payment processor.
I admit this is based solely on my non-existing knowledge of how things work.
I do the same thing.
Payment card industry (PCI) agreement terms mean online retailers are not allowed to store enough of your credit card details after your transaction for another charge to be made to it. DSS section of PCI:
"PCI-DSS requirement 3.2 states that Sensitive Authentication Data (SAD) cannot be stored after authorization, even if it is encrypted." The only entities that can store this type of information are the issuers of the credit cards, e.g. banks.
Some retailers ignore the rules, but larger ones usually comply because the punishment is VISA and Mastercard refusing that retailer processing any payments until the problem is fixed and verified.
The situation is not like this. Sensitive Authentication Data (SAD) includes the magnetic track data off a card, the PIN block/details and the printed CVV (whatever) number on the rear of the card - this number is not recorded in the chip, strip or embossed form. A compliant retailer is prohibited from storing or recording any of this data except for the shortest time possible to perform the transaction.
If a retailer processes regular or repeat orders they may do this using the non SAD stored data and the CVV number is not necessarily required however by doing so this changes the balance of responsibility for fraudulent transactions very much in favour of the card holder compared to the retailer. Often a retailer will require than the CVV number is presented on the first usage of a card but not for following usage of the card. This provides a fair degree of accountability but does not require that the card holder type in the CVV for every purchase and is a reasonable enough compromise where the retailer, such as Amazon, has delivery and cardholder addresses and an ongoing relationship.
The use of the CVV number is optional. Supplying the CVV number shifts responsibility towards the cardholder, not using the CVV number shifts the responsibility towards the retailer. If you entered the CVV number once for Asda then they can reasonably assume that you have the physical card in your posession therefore don't need to ask for it again.
This is precisely why you should never let a website store your card details. Is saving a few seconds typing in some numbers when you want to buy something really worth the risk of letting all your payment details float around the internet on someone else's computer? Screwups and hacks happen all the time. You can't insulate yourself from them entirely, but you can at least take some very basic precautions to limit the damage
if when you're affected.
I don't know of a payment processors API that would even allow you to re-bill using saved card numbers rather than the reference.
In the vast majority of cases, the card numbers are taken directly by the payment processor - the shop has no visibility at all, either hosting a little widget on the page or redirecting to the processors website.
Firstly, that's obviously nonsense; you just need to look at the quite large number of hacks that manage to steal card details to know that. But more importantly, I don't see why you think it would be relevant. If your card details are stored anywhere in a way they can be seen or used to make purchases, then they are vulnerable to being abused or stolen. Whether the screwup is with the shop itself or a subcotractor they happen to use is entirely irrelevant. The only way to avoid problems like the one in this article is to not allow anyone to store your card details.
Actually, all of the credit-card breaches I can recall, or could find in a few minutes of searching, from the past couple of years were the result of one of:
- A skimming attack against POS terminals or backend systems.
- A web skimming attack (Magecart being the most common).
- An attack against an issuer, credit agency, or some other non-merchant.
All the breaches I found that included credit-card data retained by a merchant were from several years ago.
That doesn't mean no merchants retain CC data, but that particular class of exposure seems to have become much less common than physical or web skimming. The move to dedicated payment processors seems to have more or less have the effect claimed by disgustedoftunbridgewells.
Relatively recent (i.e. going back a couple more years) breaches against merchants that yielded stored CC data are mostly against hotels, most notably the big Marriott breach.
I still think we should recommend virtual cards and/or other payment options (I don't personally like Paypal, but it does provide some protection against card-data theft), but more as a defense against skimming. As for whether you let merchants retain payment-method information in whatever form: that's a different part of the attack tree. Some consumers feel it's worth the risk; others don't, or are willing to assume it only in particular cases. But it's not the same as a CC-data-exposing breach, which is a more serious failure because it lets the attacker clone the card and use it at multiple merchants.
Another good reason for not storing your card details is you have to do a little work to make the purchase. Even a few minutes of "cooling off" can be good. You might also suddenly remember an expense you need to cover or that if you want to upgrade the travel on your holiday booking, you will need a few quid of space on the card for that.
eTailers know that the easier they make it for you to make impulse buys, the more money they'll make. Do yourself a favor and self-impose so road blocks to spending money on stuff you probably don't really need. If you do need it, a couple of extra minutes of typing isn't going to end life on the planet.
The fine is up to €20m or 4% of global group turnover. There is no expectation of this being applied at the maximum except in the most serious of cases and/or flagrant malpractice - for example refusing to comply with audits, refusing to follow the investigation processes, and so on. Generally, repeat offenders.
One time I've seen this was where the company just used a "random" number in the query used to establish a session.
We demonstrated the failure several times - even to the point of being able to take over a managers web session and able to authorize whatever overtime we desired.
The number is essentially public information in a returned URL, thus allowing the client to replace the number with one of our own choosing.
Did they fix it by using an encrypted cookie value?
No - they just expanded the range of valid numbers... Made it harder to guess, but did not fix the problem.
Biting the hand that feeds IT © 1998–2020