MSE News: Fraud risk for thousands after Lush website hack

Comments

  • Paul_Varjak
    Paul_Varjak Posts: 4,627 Forumite
    Part of the Furniture 1,000 Posts Photogenic Combo Breaker
    A few years ago I discovered a security hole in the website of www.zonealarm.com. The flaw allowed anybody to view the name and address of people who had placed orders with the company and also to view the licence codes of products purchased.

    And how could this be done? Simply by changing the order number in the URL!
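The flaw described in the post above is an access-control gap: the order number in the URL is used as the only key to the record. The following added example (not code from the post or from any site it mentions) shows that lookup beside a hardened version that also checks the authenticated caller owns the order, with constructed sample orders and a small walk over the id range to confirm which records each version exposes.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str          # account that placed the order
    name: str
    address: str
    licence_code: str   # constructed sample value, not a real licence key


# Constructed sample data standing in for a shop's order table.
ORDERS = {
    1001: Order(1001, "alice", "Alice Example", "1 Sample Street", "AAAA-1111"),
    1002: Order(1002, "bob", "Bob Example", "2 Sample Road", "BBBB-2222"),
}


def lookup_order_insecure(order_id: int, caller: str) -> Optional[Order]:
    """The pattern in the post: whoever supplies an order number gets the
    record. The caller identity is accepted but never consulted."""
    return ORDERS.get(order_id)


def lookup_order_secure(order_id: int, caller: str) -> Optional[Order]:
    """Hardened lookup: return the record only if the authenticated caller
    owns it. A foreign order and a missing order both give None, so the
    response does not reveal whether the id exists."""
    order = ORDERS.get(order_id)
    if order is None or order.owner != caller:
        return None
    return order


def ids_visible_to(caller: str, lookup: Callable[[int, str], Optional[Order]],
                   id_range: range = range(1000, 1010)) -> list:
    """Access-control test: walk a range of order numbers (the constructed
    range covers the sample data) and report which records the caller can
    read through the given lookup function."""
    return [oid for oid in id_range if lookup(oid, caller) is not None]


if __name__ == "__main__":
    for name, fn in (("insecure", lookup_order_insecure), ("secure", lookup_order_secure)):
        print(name, "alice sees:", ids_visible_to("alice", fn))
```

Running the walk as a unit test against each handler is a cheap regression check that a later refactor has not dropped the ownership comparison.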
  • danouk
    danouk Posts: 78 Forumite
    According to the BBC report they first found out about a security breach on their website on Christmas Day, but left the site open until 20th January. This is unacceptable and smacks of a company that doesn't actually give much of a toss about security, fraud or their customers.

    Lush should be ashamed of themselves and I hope that their card processor withdraws their merchant account. I also hope that the credit card companies invoice Lush for the cost of cancelling and re-issuing the thousands of compromised cards.

    Their attempt to portray themselves as innocent victims of evil hackers is a pile of tosh. Hackers are a fact of life when you run a website, and it's your responsibility to ensure it's locked down. If they left the doors of their stores and the drawers of their tills wide open 24/7 would we all be saying "poor Lush, innocent victims"?
  • haynrich
    haynrich Posts: 954 Forumite
    I have also been taken on this ride... my bank has cancelled my card and the fraud team will be getting back to me.... O2 payments are showing on mine
    1. TV 2. Mobile phone 3. Holiday/break UK 4. iPad 5. Cash or vouchers 6. Toys 7. Something for the kitchen 8. Beauty items/make up 9. Hamper 10. Games console 11. A huge unexpected surprise
  • spidystrider
    spidystrider Posts: 1,246 Forumite
    Mortgage-free Glee!
    I also had two fraudulent transactions on my card. Thankfully LloydsTSB spotted them straight away, money has been returned and card cancelled.
    Mortgage Free in 3-T2 : Started at £151,000 Nov. 2009 Mortgage Free Oct 1st 2015 :)
  • JohnG
    JohnG Posts: 477 Forumite
    Part of the Furniture 100 Posts Combo Breaker
    I would like to know how you can identify a particular website that's had their security compromised - presumably it's only when large numbers of customers complain based on their suspicions?
  • snaffler
    snaffler Posts: 190 Forumite
    Would it be wise to also change our email? I phoned the security number on the Lush website and they were not able to give me a direct answer as the issue is still under investigation. But they said yes, it may be wise to do this.
    "Don't panic just chill out and smile"

  • Jesthar
    Jesthar Posts: 1,450 Forumite
    JohnG wrote: »
    I would like to know how you can identify a particular website that's had their security compromised - presumably it's only when large numbers of customers complain based on their suspicions?
    It's not what anyone wants to hear, but the simple truth is: you can't.

    Well, not reliably, anyway. And pretty much the only two ways are 1) Lots of customers noticing and talking together about it, and 2) the company in question publicly admitting it.

    Neither situation is particularly common. Some places (indeed, like Lush) have forums frequented by customers, which makes it easy for customers to find people in similar situations, and therefore the first scenario is more viable. Many vendors, though, don't, so unless there are well known fan sites for a brand it is a lot harder to establish a pattern of fraud other than by trawling Google to see if anyone else is affected.

    Scenario 2 is rare for different reasons. Announcing to the world your site has been compromised is invariably bad for business, so where possible a company will simply pass the responsibility on to the card holder. Even if you (or, indeed, a large group of customers) are certain a particular site is responsible for the compromise, unless you use the card exclusively for that site a company can simply deny responsibility - another site/ATM skimmer/restaurant waiter must have done it. Or if it spots a problem before you do, it is simple for them to claim an individual account hack, or just pass the account details on to the card provider and let them contact you.

    It's not just the small sites either - the big sites are equally evasive. I had fraudulent activity on my PayPal account a couple of years ago, which I spotted before their automated software did thanks to the transaction e-mail - not only had I NEVER bought anything in dollars, but I certainly wasn't doing so at 4am! However, the account had of course got my credit card tied in to it, so I had a worrying day or two, but to their credit PayPal did sort it out quickly.

    The most interesting part, though, was that I had not used that account in an age, as I only had it for my very rare purchases on eBay. So, given my virtual paranoia when it comes to unguessable passwords and security on such accounts, the only logical conclusion is the information used to carry out the fraud had to have originated from the compromise of one of those two sites - personally, I suspect PayPal. But you won't find them admitting that. Oh, no... ;)

    @snaffler - you should certainly change your e-mail password to something long, 'strong' and unguessable, yes. And probably your security question too. It may not be 'necessary', but better safe than sorry :)
    Never underestimate the power of the techno-geek... ;)
  • JohnG
    JohnG Posts: 477 Forumite
    Part of the Furniture 100 Posts Combo Breaker
    Thanks Jesthar, you rather confirmed my thoughts, I guess with the "Lush" situation there must have been something that clearly linked the site?

    I've recently contacted a website on this issue, one that I used for the first time just before Christmas. I never got the goods ordered as it happens, due to a "Data base error", though I did get a prompt refund after I contacted them about the delay (I wasn't offered the chance to wait a bit longer for the goods to arrive, strangely enough?).
    Then shortly after this and just over Christmas, someone made two attempts to use my Credit Card so putting two and two together, i.e. First time I used this particular site, my order not being processed for some vague reason, two attempts at using my credit card within three weeks of my original transaction, rather made me suspicious of this particular outfit or persons therein.
    I have since received their rather unsympathetic response which states they "Process payments through secure server SagePay" and that details are "Encoded as soon as you click pay", so therefore they say no one is able to access credit card details. They also say they haven't heard of any other such problems from anyone else.

    Does this stack up? Does using SagePay provide the security they claim? I'm not convinced; besides, as you point out, they are not going to admit the possibility of potential credit card fraud if they can possibly help it.

    How I'd love to find out who and where these two transactions were made :mad:.
  • How people can say that Lush have acted well over this defeats me.

    Apparently they knew they were being attacked back in OCTOBER.

    And, funnily enough, they didn't tell their customers until 3 weeks into January.

    Now - spot the coincidences:

    1. October to January is peak shopping time (think Christmas presents).
    2. The couple that founded Lush received honours in the New Years Honours list. (Think - what would have happened had this story broken in November?)

    They've been absolutely disgraceful. To hold customer details unencrypted is stupid. To hold customer credit card details unencrypted is against the rules of the credit card companies (look up PCI DSS for details).

    They are now taking payments by Paypal only. Is that because the credit card companies have cut them off?

    Perhaps it's because their IT department is rubbish. I've seen ads they've put out for staff - barely paying trainee salaries for web developers. Oh, and many years ago I looked at their internal computer system when they were called "Cosmetics to Go" (they went bust and reformed after selling off their assets). It was, at best, amateur and had no security at all.

    Lush is a tinpot operation that's succeeded simply by selling products that are very high mark up and trumpeting their green credentials. Shame they don't invest any money looking after the basics of their business and looking after their customers.
  • corbyboy
    corbyboy Posts: 1,169 Forumite
    Part of the Furniture
    They've been absolutely disgraceful. To hold customer details unencrypted is stupid. To hold customer credit card details unencrypted is against the rules of the credit card companies (look up PCI DSS for details).

    I think the unencrypted credit card details is the main problem for me. They could be in some serious trouble here.
This discussion has been closed.