
LUSH - Important News - UPDATED


Comments

  • chrissyxx wrote: »
    I've been reading all these posts with interest over the past few days. I've been a Lush customer for years, but fortunately always buy in store and don't order online, so I've not been one of the unlucky people who have had their details hacked. I fully intend to go on buying from Lush, and refuse to comment on the rights and wrongs of what happened for now, as I don't feel any of us are in full possession of all the facts at the present time. What I am grateful for, is that this matter of storing card details has now been highlighted. I always check for the 'padlock' verification when shopping online, but have never thought seriously about the consequences of having the company store my card details for next time, i.e. on Amazon and Play for example. I've always just considered it convenient not to keep putting in the details each time. I have now deleted my card details on Amazon, and I'm sure that maybe a lot of people will be more aware of this than before. I hope those affected manage to get their money back without too much trouble.


    In the case of Amazon I really doubt it matters whether your card number is stored on the site where you can see it or not. Amazon know more about you than your family or bank...
  • StumpyPumpy
    StumpyPumpy Posts: 1,458 Forumite
    shikoku wrote: »
    Don't the fraudsters have serious problems with their delivery addresses?

    When my mum paid on-line for an item costing £300 + to be delivered to me (birthday present) both her bank and the retailer telephoned her to check if she had authorised the payment.

    Often, the purchase can be a "virtual item" such as music bought in the Apple store, PAYG phone top ups and such like. Virtual worlds such as World of Warcraft, where you can spend real money for in-game items are also a target as they have an illicit trade in them where you can swap inline goods for real cash again.
    Sometimes it depends on the sophistication of the thief. The original thief may have simply sold on the card details to other (sometimes many) criminal organisations - there are actually eBay style websites that offer "goods" like this for sale to the highest bidder. The larger organisations have access to counterfeit card factories who will then use or sell on cloned cards. Chip & Pin security helps but it is not in common use throughout the world and is not infallible. A list of card details may pass through several pairs of hands - at a price each time - before it reaches an end user. If a thief has 9 out of 10 transactions refused because the bank or vendor checks up on it but he has 10,000 valid cards, he is successful with 1,000 of them and if each transaction was for £500 - that's £1 million gained! That is quite an incentive.
    These are just a few of the ways the thieves can "monetize" this breach and I hope offers some insight into why it is so important to cancel any cards you think may be vulnerable as soon as possible rather than hope to avoid the hassle and wait to see what happens.

    SP
    Come on people, it's not difficult: lose means to be unable to find, loose means not being fixed in place. So if you have a hole in your pocket you might lose your loose change.
  • Sorry this isn't relevant to LUSH but I wanted to remind folk to check their statements again. Due to reading this thread I've been made more aware of things to look out for and tonight I noticed two O2 payments for £15 that are not mine. I have no idea how as I didn't buy online at Lush and thought I only used my card at trusted sites (this month I've used it at Dunelm Mill, John Lewis, Book People, Boots, Halfords and to pay my credit card online).
  • DansMum_2
    DansMum_2 Posts: 948 Forumite
    Both my cards are confirmed as cancelled, but I have a nice letter from a photographic suppliers thanking me for my order of £5000 worth of camera :eek:

    Have rung them and the order was requested the day after my cards were cancelled and the bank have confirmed that nothing has gone out....

    Super....
    MFW 2011 No. 161 £946.54/£2000 Target
    April 9/15 :p March 14/15 :( Feb NSD 15/14 :D
    April GC £121.00/£130 March GC £127.60/£150 :D
    I Love my Furbabies :smileyhea
  • OK, I'm sure it's impossible to crack into your government agencies even though there have been times when some nerd behind his PC has managed to crack into government files where they really shouldn't have been able to because they were said to be so secure. Realistically, the companies we are talking about aren't going to be as secure as police or government files. Databases online from companies get copied on a regular basis; half of the junk mail you get will be because of a company you've signed up to having their database replicated. You probably wouldn't even be aware of it because it wouldn't have done any damage, but their databases can be copied and then sold on to other companies which pay just for details to send out junk. Doesn't matter how secure you are, you can STILL be targeted. I can't wait for the day some little kid targets you behind his PC screen to get you to admit you are wrong..

    Working in internet security and you think you are unbeatable; you are ALWAYS beatable on the internet because what you set up can always be broken through with the right knowledge.

    People who write anti-virus software get paid a lot but the ones who can write programs to avoid it would benefit more. It's not unheard of to have people who write anti-virus software write software to get around that software because they can cash in on more of it, so yes, it does have basis when I say that it pays more to crack things than code secure systems. QQ

    The PCI-DSS standard for encrypting card details (if you do store them) is AES 256bit, which is also the standard for government encryption (if used, as we know, governments aren't overly conscientious at encrypting all their files anyway). AES 256 bit encryption has NEVER been broken (if you know better then please give us some examples). The only way you can get card details is to have the key to decrypt this and PCI-DSS places very strict conditions on access to this key. Even if someone did have it, the regulations also require companies to maintain logs on access to the card details anyway, so monitoring this would tell you who had access to what cards and when.
This discussion has been closed.