(In Michael Palin's voice as Ken) "Revenge!"
Australia's own Shovel hit the nail on the head:
"Ticketmaster Hacker Demands $500K Ransom (Plus $300K Ransom Processing Fee, $220K Ransom Handling Fee)"
Ticketmaster is believed to have had its IT breached by cybercriminals who claim to have stolen 1.3TB of data on 560 million of the corporation's customers – and are now selling all that info for $500,000. On Wednesday, Australia's Department of Home Affairs told The Register that government, at least, is "aware of a cyber …
To regain credibility, Ticketmaster should be transparent about the breach, its impact, and the steps to prevent future incidents ...
Whoa! Just saw some pigs fly past my window.
The British Library have set the gold standard in actually doing this with their recent and catastrophic breach. https://www.bl.uk/home/british-library-cyber-incident-review-8-march-2024.pdf
That means the last three digits of the (at least seven digit) account number and the checksum digit. So even supposing that the card issuer could be identified or inferred, it's still relatively hard to make fraudulent use of that information in the presence of adequate fraud monitoring. On the other hand, one of my cards was compromised from South America a few years back, apparently by pure numeric trial and error against the PAN on card-not-present transactions, but the bank did pick them up quite swiftly. However, the entire card number system is a somewhat fragile legacy of pre-internet, slow-computer days, and should ideally be revised.
"That means the last three digits of the (at least seven digit) account number and the checksum digit. ..."
Which effectively means four of the (at least) seven digits, which starts to look a little weak at only a thousand combinations to try.
The four dollar padlock on my hundred dollar bicycle has more combinations than that.
"Which effectively means four of the (at least) seven digits, which starts to look a little weak at only a thousand combinations to try"
They also have to try against all the card issuer codes (some of which expect different account number lengths), so brute force will leave a pretty wide fraud alert footprint if banks are paying attention. However, I did state that I'd fallen victim to a brute force attack in the past, so yes, it can be done.
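The Luhn arithmetic behind the "thousand combinations" figure, together with the kind of issuer-side monitoring that picks up numeric trial and error against a PAN, as an added example that is not part of this thread or of any bank's actual fraud system. Everything in it is assumed or constructed: the merchant ids, timestamps and key=value log format are invented, the PANs are the public industry test numbers plus invented completions of one test prefix, and the 60-second window and five-distinct-suffix threshold are illustrative parameters, not known issuer settings.

```python
"""Added example (not from the thread): a Luhn checker and a toy issuer-side
monitor for the numeric trial-and-error pattern described above.
All merchant ids, timestamps and PANs are constructed; the PANs are the
well-known public test numbers plus invented completions of a test prefix."""
from collections import defaultdict
from datetime import datetime, timedelta


def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) check."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 8:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):  # i == 0 is the check digit
        if i % 2 == 1:                         # double every second digit
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def valid_suffix_count(prefix: str, width: int = 4) -> int:
    """Number of `width`-digit completions of `prefix` that pass Luhn.
    With four unknown digits the check digit is fixed by the other three,
    so exactly 1000 of the 10000 completions are valid: the 'thousand
    combinations' figure quoted in the thread."""
    return sum(1 for n in range(10 ** width)
               if luhn_valid(prefix + str(n).zfill(width)))


# Constructed authorisation log (assumed format). M-SHOP-C sees a burst of
# card-not-present attempts that share the first 12 digits and differ only in
# the last four, which is the "numeric trial and error" the thread describes.
SAMPLE_AUTH_LOG = """\
ts=2024-06-01T10:00:01Z merchant=M-SHOP-A pan=4111111111111111 result=APPROVED
ts=2024-06-01T10:00:10Z merchant=M-SHOP-C pan=4242424242420000 result=DECLINED
ts=2024-06-01T10:00:13Z merchant=M-SHOP-C pan=4242424242420018 result=DECLINED
ts=2024-06-01T10:00:16Z merchant=M-SHOP-C pan=4242424242420026 result=DECLINED
ts=2024-06-01T10:00:19Z merchant=M-SHOP-C pan=4242424242420034 result=DECLINED
ts=2024-06-01T10:00:22Z merchant=M-SHOP-C pan=4242424242420042 result=DECLINED
ts=2024-06-01T10:00:25Z merchant=M-SHOP-C pan=4242424242420059 result=DECLINED
ts=2024-06-01T10:00:28Z merchant=M-SHOP-C pan=4242424242420067 result=DECLINED
ts=2024-06-01T10:00:31Z merchant=M-SHOP-C pan=4242424242420075 result=APPROVED
ts=2024-06-01T10:00:41Z merchant=M-SHOP-B pan=5555555555554444 result=APPROVED
ts=2024-06-01T10:01:15Z merchant=M-SHOP-A pan=378282246310005 result=DECLINED
"""


def parse_line(line: str) -> dict:
    """Parse one key=value log line into a dict with a datetime timestamp."""
    rec = dict(field.split("=", 1) for field in line.split())
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def flag_trial_and_error(lines, window=timedelta(seconds=60), min_distinct=5):
    """Group attempts by (merchant, first 12 PAN digits) and raise one alert
    per group in which at least `min_distinct` different last-4 completions
    appear inside `window`. A genuine cardholder mistyping a number does not
    produce that many distinct completions that quickly."""
    groups = defaultdict(list)
    for rec in (parse_line(l) for l in lines if l.strip()):
        groups[(rec["merchant"], rec["pan"][:12])].append(rec)
    alerts = []
    for (merchant, prefix), recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):
            in_window = [r for r in recs[i:] if r["ts"] - start["ts"] <= window]
            distinct = {r["pan"][-4:] for r in in_window}
            if len(distinct) >= min_distinct:
                alerts.append({
                    "merchant": merchant,
                    "prefix": prefix[:6] + "******",  # mask beyond the BIN in the alert
                    "distinct_last4": len(distinct),
                    "approved": any(r["result"] == "APPROVED" for r in in_window),
                })
                break  # one alert per group is enough
    return alerts


if __name__ == "__main__":
    print("completions of a 12-digit prefix that pass Luhn:",
          valid_suffix_count("424242424242"))
    for alert in flag_trial_and_error(SAMPLE_AUTH_LOG.splitlines()):
        print("ALERT", alert)
```

The grouping key deliberately uses the merchant plus the first 12 digits rather than the full PAN, because the signal is many different completions of one prefix arriving from one place, not repeated use of one card; the `approved` flag in the alert is what lets an issuer block the single success that the earlier declines were working towards.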
I stopped saving card details in websites for convenience a couple of years ago, even though some sites make it tedious and annoying (talking to you, ParentPay). I no longer trust any online retailer to be secure enough not to leak something at some point. Perhaps it was naive that I ever did.
I think you're assuming that the provider wasn't recording the javascript entry of digits and has the card anyway. Or read it from a cache in the browser.
Theoretically impossible due to PCI. But, PCI is inadequate. Disposable cards are the only short term answer (and longer CC numbers with a more complex checkdigit algorithm).
Never opened the message?
Assuming their message was an email, how did they know?
If you know anything about email, you know that if the recipient knows what they're doing, it's impossible to know whether or not an email has been read.
Or even displayed on a screen, or printed.
Or even received.
If the criminals didn't know this, it would make the fact that the dimwits managed to compromise their victim even more alarming than it already is.
I just tried to log into my account and got asked to reset my password. Is this really something they do regularly as they claim?
> It’s Time to Update Your Password
> To keep your account safe and secure, we periodically ask fans to reset their password, preferably to a new password that you haven’t already used with this account. Let’s Reset Password
Either way, my supply of sympathy in this particular case appears to be very limited for some reason.
"Mandatory password reset
I just tried to log into my account and got asked to reset my password. Is this really something they do regularly as they claim?"
I've never seen any sense in this sort of thing. The only time it would make sense is if some entity was trying passwords against my account and I changed it to something they've already tried. I believe that I already have a solid approach to the passwords I use, so changing them causes more problems for me than any protection I might gain. For people who just use one password for everything, they aren't going to change.