back to article 'My wife tried to order some clothes tonight. When she logged in, she was in someone else's account ... Now someone's charged her card'

"At the moment some stranger is in her account as they keep adding things to her basket and she keeps taking them out." A Reg reader last night spoke of the horrifying moment he realized an online store used by his wife was mixing up some of its online customers, allowing people to gain access to some strangers' personal …

  1. Anonymous Coward
    Anonymous Coward

    stupidity all around

    I hate modern times

    I must be getting passed a certain age and nearing another certain age.

    1. Anonymous Coward
      Anonymous Coward

      Methinks

      Past do, past do...

      1. NoneSuch Silver badge
        Coat

        Re: Methinks

        My wife had her credit card stolen last month.

        I didn't report it. The guy who took it is spending a lot less than she did.

        1. Anonymous IV

          Re: Methinks

          Bah-boom. Tish!

        2. Anonymous Coward
          Anonymous Coward

          Re: Methinks

          Funnily enough, this actually happened to us. Someone got my wife's card details (skimming, breach, who knows...) and cloned the card. Fraud alert popped because someone tried a couple of small transactions - less than a dollar each - at a couple of places to verify the card, and they were geographically unlikely. The bank suspended the card and we went through the usual dance of confirming recent transactions and getting a new card issued.

    2. Anonymous Coward
      Anonymous Coward

      Nope, right the first time, stupidity all around

      Is there such a thing as unforeseen consequences if its never thought about or considered to begin with

  2. Anonymous Coward
    Thumb Down

    Matches.

    This sounds familiar. Three were doing the same thing. I hate organizations who deploy systems without proper support or understanding of the pitfalls they maybe exposing their customers to . It's like giving an infant a box of matches and expecting not to get burned ! If you cannot make them understand try deleting accounts that would get their attention.

    Sgned angry mob

  3. Andy Non Silver badge
    FAIL

    British Gas

    When I used to pay my bill online by card it always gave me the amount paid by a random stranger paying their bill and their name on the final screen. They were obviously losing track of customers online sessions at the final page. Tried contacting BG about the issue but they weren't interested and this problem carried on for a year or more! Wouldn't surprise me if it was still doing the same thing, but I'm no longer with BG anyway. The issue wasn't too serious in terms of what was leaked but their site shouldn't be leaking or mixing up different users sessions at all.

    1. Zarno
      Joke

      Re: British Gas

      Talk about gaslighting, they were trying to get you to think you weren't you!

  4. Tessier-Ashpool

    Someone refresh my memory

    Wasn’t there a UK government website quite a few years ago that got up to these kind of tricks? It got pulled sharpish. But damned if I can remember what it did.

    1. Anonymous Coward
      Anonymous Coward

      Re: Someone refresh my memory

      It was likely a caching error.

  5. tiggity Silver badge

    Cache at your peril

    Seen (and read about) caching go wrong so often.

    Obv it can give a big performance improvement, but needs great care on how its setup (depending how your website(s) work) and an awful lot of proper multi user testing on a test system before doing it live.

    1. David Lewis 2
      FAIL

      Re: Cache at your peril

      ... an awful lot of proper multi user testing on a test system before doing it live.

      No, they are just following the modern trend of using live users as their test environment.

      Well if it is good enough for Microsoft ...

  6. Mage Silver badge
    Coat

    Fabletics?

    Sounds like a title for a book about magical blood sucking insects?

    Apart from the incompetent server mangelment why do they think it's a good name for selling fashion sportswear aka athleisure?

    1. Steve Foster
      Facepalm

      Re: Fabletics?

      Because they thought that creating a portmanteau from fabulous and athletics was awesome?

      1. TonyJ
        Joke

        Re: Fabletics?

        "...Because they thought that creating a portmanteau from fabulous and athletics was awesome?.."

        Ohhhh, so it isn't supposed to be pronounced fable-tics?

    2. NeilPost

      Re: Fabletics?

      Many people have bought it, esp. with endorsements. UK (Solihull) based Gymshark is another newbie in the market place disrupting the big boys like Nike etc.

      For both what’s not to like in Gym-shorts/gym-leggings!!

  7. Cederic Silver badge

    step one: ring your card provider

    The moment I see anything like this it's straight on the phone to my card provider to tell their fraud department that any transactions with that site did not come from me.

    From that point on the Financial Services industry wheels will start to grind the site into oblivion. Which is how it should be.

    1. JCitizen
      Megaphone

      Re: step one: ring your card provider

      Totally correct! I once suspected a legitimate company had been hacked, or had a rotten egg insider, that was using my information to buy 3 months of server space from a dodgy provider, so I knew it had to be likely an outsider, who was simply hiding his tracks to pay for bot herder server farms.

      The next time I purchased from them, I used one of those cards that allows you to relegate a unique card number to each merchant you buy from; and sure as heck, it happened again, except VISA got wind of it without my intervention, and took the web site's card holding privileges away! I disrupted the company so bad they fired their foreign customer service, and sold out to a company that only used US service centers. I personally don't think that is anymore secure, but I haven't had trouble with them since.

      1. Michael Wojcik Silver badge

        Re: step one: ring your card provider

        I used one of those cards that allows you to relegate a unique card number to each merchant you buy from

        Yeah. I've been using virtual cards from privacy.com for any card-not-present transactions for a while now, and I have to say I've been pleased. Create any number of cards, set various limits (per-transaction, daily/weekly/monthly), restrict to a single merchant, various options for being notified of any transactions, and you can use any name and mailing address you like. It's all tied to a bank account, so if you want an additional layer of security, you can open an account specifically for those cards.

        They make their money off the merchant fees, so it's no additional cost to the consumer.

        The web UI is fancier than I prefer, but it's not too obnoxious. Works fine with non-Chromium browsers.

        I don't have any relationship with them beyond being a user of their service.

  8. Chairman of the Bored

    Walmart?

    I do not use their online ordering / delivery service.

    Imagine my surprise when a Walmart box shows up at my door, properly addressed. I opened it and found four large boxes of incontinence briefs. I'm getting old, but not that old!

    Called Wally world and they had no idea how it was ordered and didn't seem to care that I had them... "just drop it at a store, or keep it"

    Other boxes appearing from the void this past year: 4 large tubes of personal lube, a box of relatively edible food, and a box of junk food.

    1. IGotOut Silver badge

      Re: Walmart?

      Methinks it's someone that you've pissed off recently.

    2. Rustbucket

      Re: Walmart?

      It's possibly some small seller sending stuff to random people so that they can qualify as a "confirmed purchaser" and thus be allowed to leave glowing reviews of themselves on the web site, IOW astroturfing.

      Were the four large tubes of personal lubricant also relatively edible?

      1. Rustbucket

        Re: Walmart?

        Edit: I Just realized that Walmart may not have third part sellers like Amazon.

        Someone testing out stolen credit card numbers to see if they're still valid?

        1. MachDiamond Silver badge

          Re: Walmart?

          "Someone testing out stolen credit card numbers to see if they're still valid?"

          I doubt it. They would still order something valuable and have it shipped to a vacant home or one where the owner is on holiday. Pwned cards can be caught fast so you'd want to make sure you get in some good fraud before it's turned off.

      2. Chairman of the Bored

        Re: Walmart?

        Lube was relatively edible? Not sure, it was KY brand "warming liquid".

        Methinks that if you need chemical help getting that fire lit, your technique is not kwite right. Some things require time, patience, skill, and creativity...

    3. Aussie Doc
      Mushroom

      Re: Walmart?

      Here in Oz it's becoming a 'thing'.

      They* are calling it 'brushing' and it's causing some biosecurity issues as folk receive random seeds in a small envelope from a supplier on eg Amazon complete with all their correct personal details.

      Folks are being warned about ID theft but nobody takes much notice, except, of course, the biosec dudes/dudettes worried about dangers to our crops and stuff.

      *The authorities, cobber.

      1. Eclectic Man Silver badge

        Re: Walmart?

        I think there have been unexpected receipts of unknown seeds in the post in the UK too. Most appear to be to genuine gardeners, who fortunately have more sense than to plant seeds of unknown origin. The most sensible idea I heard was baking them at high temperature in the oven to ensure that are dead before disposal, but I'm no horticulturalist* so if you get some get advice from someone who knows about such matters.

        *But, my Aspidistra ('Cleo') is currently sprouting its eleventh new leaf this year and is actually almost entirely green and healthy (as opposed to brown), so I must be doing something acceptable.

  9. Flak
    Joke

    Credit Card theft

    So wrong when it comes to political correctness, but still makes me smile:

    "My wife's credit card was stolen a few months ago - I didn't report it because the thief is spending less than she did!"

  10. Manolo
    FAIL

    Even Outlook

    On two seperate occasions, arriving at work and logging in to my Microsoft 365 account, I found myself in a coworker's email.

    Notified Microsoft, never heard back from them. Must have been some caching issue as well.

    1. WolfFan

      Re: Even Outlook

      That happens when

      1 someone logged in using that machine and selected ‘remain connected’

      2 the web browser ‘remembers’ previously accessed pages.

      Usually it also means that you logged in using the same account on the computer.

      Fixes:

      1 log in onto the computer using a different login ID

      2 don’t let the browser remember previously used pages

      3 don’t select keep connected

      4 use the Outlook application instead of the web application.

      1. cynic56

        Re: Even Outlook

        5) Don't use 365.

  11. ThatOne Silver badge

    Credit card? What credit card?

    I never ever leave my credit card details on shopping sites. If "don't remember" isn't an option, I simply delete it from my profile after my purchase. And if they really, really insist on having one, they get fed a dead credit card number instead (old, now blocked card), which obviously won't work if used. I change it back when/if I actually need to pay for something again.

    Inconvenience? Not for me, my credit card details are in my password manager, and I can fill them back in in 2-3 clicks.

    1. Nifty

      Re: Credit card? What credit card?

      After you have placed an online grocery order and paid via credit card, the details are allways retained and any amendment to that order done 24 hrs before delivery slot just requires the 3 digit CSV. All the supermarkets I've used seem to do this.

      Slots nearly always have to be booked around a week in advance. So how do you prevent the site remembering your card?

      1. o p

        Re: Credit card? What credit card?

        > So how do you prevent the site remembering your card?

        Easy. You use a virtual credit card. Each card number generated has a fix amount that can be charged. You generate a new number for each payment. They can keep track of all the numbers, they can be used only once. So you don't care.

        1. JCitizen
          Go

          Re: Credit card? What credit card?

          I had one of those, before the company quit using it; worked great! I see where it can be picked up again by almost any card company now, but signing up for it at a special secure website, and then you get a browser "app" that applies the special account number to each merchant you do business with online.

          I should have wrote the URL down, as I've forgotten it already. Maybe a web search will put me back on track.

      2. ThatOne Silver badge

        Re: Credit card? What credit card?

        > the details are allways retained and any amendment to that order done 24 hrs before delivery slot just requires the 3 digit CSV

        I expect that would be the payment processor, not the shop front itself, and I expect the payment processor to be less prone to stupid coding blunders (I said "less"!) than the shiny cool web storefront itself.

        Which means that if the web store tries to place a new, fake order, it won't know which credit card to associate it with, and thus that order won't pass the tests and won't even reach the payment processor.

        I admit this is based solely on my non-existing knowledge of how things work.

    2. Richocet

      Re: Credit card? What credit card?

      I do the same thing.

      Payment card industry (PCI) agreement terms mean online retailers are not allowed to store enough of your credit card details after your transaction for another charge to be made to it. DSS section of PCI:

      "PCI-DSS requirement 3.2 states that Sensitive Authentication Data (SAD) cannot be stored after authorization, even if it is encrypted." The only entities that can store this type of information are the issuers of the credit cards, e.g. banks.

      Some retailers ignore the rules, but larger ones usually comply because the punishment is VISA and Mastercard refusing that retailer processing any payments until the problem is fixed and verified.

      1. LeahroyNake

        Re: Credit card? What credit card?

        How does Amazon get away with it then ?

        1. fireflies

          Re: Credit card? What credit card?

          Amazon, and similar sites store your payment details separate to the transaction. You are informed that your payment details will be stored and you have the option to delete/amend those details.

      2. Nick Ryan Silver badge

        Re: Credit card? What credit card?

        The situation is not like this. Sensitive Authentication Data (SAD) includes the magnetic track data off a card, the PIN block/details and the printed CVV (whatever) number on the rear of the card - this number is not recorded in the chip, strip or embossed form. A compliant retailer is prohibited from storing or recording any of this data except for the shortest time possible to perform the transaction.

        If a retailer processes regular or repeat orders they may do this using the non SAD stored data and the CVV number is not necessarily required however by doing so this changes the balance of responsibility for fraudulent transactions very much in favour of the card holder compared to the retailer. Often a retailer will require than the CVV number is presented on the first usage of a card but not for following usage of the card. This provides a fair degree of accountability but does not require that the card holder type in the CVV for every purchase and is a reasonable enough compromise where the retailer, such as Amazon, has delivery and cardholder addresses and an ongoing relationship.

      3. Nifty

        Re: Credit card? What credit card?

        Interesting, because today on amending an Asda order, the CSV wasn't even asked for, to authorise payment.

        1. Nick Ryan Silver badge

          Re: Credit card? What credit card?

          The use of the CVV number is optional. Supplying the CVV number shifts responsibility towards the cardholder, not using the CVV number shifts the responsibility towards the retailer. If you entered the CVV number once for Asda then they can reasonably assume that you have the physical card in your posession therefore don't need to ask for it again.

  12. Trollslayer
    Flame

    Cost is king

    By that I include the customers which means the sellers cut every corner they can.

  13. NiceCuppaTea

    But it was delivered within sprint right?

    Hey we delivered agile......

  14. Diogenes8080

    Encouraging diligence

    If the payment chain itself is not compromised but the merchant is slapping nonsense on customers' credit card accounts through auto-negligence, is the vampire PCI-DSS invoked?

    1. Richocet

      Re: Encouraging diligence

      Yes, they have not met their PCI obligations. They would fail an audit. I'm not sure how rapidly any action is taken when there is an emergency breach like that or what the consequences are for the retailer.

      1. JCitizen
        FAIL

        Re: Encouraging diligence

        I'd say less than a month, as it happened to a retailer I was doing business with, and VISA slapped then with the punishment of not allowing storage of card details after that. They ended up selling out to another company that didn't mind doing business that way.

    2. This post has been deleted by its author

  15. Cuddles

    Never store your card

    This is precisely why you should never let a website store your card details. Is saving a few seconds typing in some numbers when you want to buy something really worth the risk of letting all your payment details float around the internet on someone else's computer? Screwups and hacks happen all the time. You can't insulate yourself from them entirely, but you can at least take some very basic precautions to limit the damage if when you're affected.

    1. Anonymous Coward
      Anonymous Coward

      Re: Never store your card

      Nowadays firms don't store cards, their payment providers do.

      The firm just stores a reference to the card, last 4 digits and name.

      1. Throatwarbler Mangrove Silver badge
        Facepalm

        Re: Never store your card

        "Nowadays firms don't store cards, their payment providers do."

        Oh, indeed. I'm sure that this is universally true.

        1. Anonymous Coward
          Anonymous Coward

          Re: Never store your card

          I don't know of a payment processors API that would even allow you to re-bill using saved card numbers rather than the reference.

          In the vast majority of cases, the card numbers are taken directly by the payment processor - the shop has no visibility at all, either hosting a little widget on the page or redirecting to the processors website.

      2. Cuddles

        Re: Never store your card

        Firstly, that's obviously nonsense; you just need to look at the quite large number of hacks that manage to steal card details to know that. But more importantly, I don't see why you think it would be relevant. If your card details are stored anywhere in a way they can be seen or used to make purchases, then they are vulnerable to being abused or stolen. Whether the screwup is with the shop itself or a subcotractor they happen to use is entirely irrelevant. The only way to avoid problems like the one in this article is to not allow anyone to store your card details.

        1. Michael Wojcik Silver badge

          Re: Never store your card

          Actually, all of the credit-card breaches I can recall, or could find in a few minutes of searching, from the past couple of years were the result of one of:

          - A skimming attack against POS terminals or backend systems.

          - A web skimming attack (Magecart being the most common).

          - An attack against an issuer, credit agency, or some other non-merchant.

          All the breaches I found that included credit-card data retained by a merchant were from several years ago.

          That doesn't mean no merchants retain CC data, but that particular class of exposure seems to have become much less common than physical or web skimming. The move to dedicated payment processors seems to have more or less have the effect claimed by disgustedoftunbridgewells.

          Relatively recent (i.e. going back a couple more years) breaches against merchants that yielded stored CC data are mostly against hotels, most notably the big Marriott breach.

          I still think we should recommend virtual cards and/or other payment options (I don't personally like Paypal, but it does provide some protection against card-data theft), but more as a defense against skimming. As for whether you let merchants retain payment-method information in whatever form: that's a different part of the attack tree. Some consumers feel it's worth the risk; others don't, or are willing to assume it only in particular cases. But it's not the same as a CC-data-exposing breach, which is a more serious failure because it lets the attacker clone the card and use it at multiple merchants.

      3. Old Lady

        Re: Never store your card

        This is true, if you watch the screen it tells you this page belongs to your bank.

    2. MachDiamond Silver badge

      Re: Never store your card

      Another good reason for not storing your card details is you have to do a little work to make the purchase. Even a few minutes of "cooling off" can be good. You might also suddenly remember an expense you need to cover or that if you want to upgrade the travel on your holiday booking, you will need a few quid of space on the card for that.

      eTailers know that the easier they make it for you to make impulse buys, the more money they'll make. Do yourself a favor and self-impose so road blocks to spending money on stuff you probably don't really need. If you do need it, a couple of extra minutes of typing isn't going to end life on the planet.

  16. Eclectic Man Silver badge

    Compromise of personal details

    Under the GDPR aren't Fabletics due a hefty fine from some regulatory body? As I recall, 20Million Euros or 4% of global group annual turnover, whichever is the greater.

    1. Nick Ryan Silver badge

      Re: Compromise of personal details

      The fine is up to €20m or 4% of global group turnover. There is no expectation of this being applied at the maximum except in the most serious of cases and/or flagrant malpractice - for example refusing to comply with audits, refusing to follow the investigation processes, and so on. Generally, repeat offenders.

  17. Fruit and Nutcase Silver badge
    Coat

    "...from the not-strictly-safe-for-work dotcom."

    BETTER BUTT.

    BETTER PRICE.

    In other words, the prices are firm and holding

  18. oldcoder

    Just more sloppy security.

    One time I've seen this was where the company just used a "random" number in the query used to establish a session.

    We demonstrated the failure several times - even to the point of being able to take over a managers web session and able to authorize whatever overtime we desired.

    The number is essentially public information in a returned URL, thus allowing the client to replace the number with one of our own choosing.

    Did they fix it by using an encrypted cookie value?

    No - they just expanded the range of valid numbers... Made it harder to guess, but did not fix the problem.

  19. mego

    Hmm..

    The bank recognized the incorrect usage and was proactive in solving the problem. Seems like something did work in that pile up?

  20. Mike 137 Silver badge

    "Later at a similar web site in Bradford"

    With apologies to Monty Python, take a look at this only 24 hours later. It's about time we enforced standards of minimum competence in software development.

  21. EnviableOne

    CCPA - GDPR - PCI

    Man they gonna get fined and sued

  22. Old Lady

    For sites such as Amazon I buy gift cards & add them to my account. Apple always asks for a credit card number at first, do the same with them, add your gift card then delete you credit card number.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon