MSE News: Fraud risk for thousands after Lush website hack

13»

Comments

  • Jesthar
    Jesthar Posts: 1,450 Forumite
    corbyboy wrote: »
    I think the unencrypted credit card details is the main problem for me. They could be in some serious trouble here.
    It depends if that is actually the case. If it is, then yes - big trouble. But although that would be by far the easiest way to get the information, it's certainly not the ONLY way. The forensic investigation will hopefully give an answer to that, but until then it would be unwise to automatically assume the card data must have been unencrypted.

    JohnG: Yes, with the Lush situation they run forums, which are very active. I haven't had time to read everything there, but I believe people posting on the forum first supected a corrolation with a number of them experience CC fraud and having bought things from Lush online, which in turn brought it to the attention of the site staff. Without the forums, the site may have continued to be compromised for some time - some merchants have been compromised and constantly feeding data to hackers for years before it has come to light, and we're not necessarily talking small name merchants, either.

    I can't comment on SagePay, as such systems lie outside of my areas of expertise, but to keep any payment system secure is a constant battle (StumpyPumpy has posted some very good stuff on this in the equivalent thread in the Grabbit section). You can test software in every which way you can think of, but errors can still creep in (even software coders are human - honest! :rotfl:). Sometimes those errors are inconsequential, sometimes they are dangerous. You can also get added problems when sites customise the basic software to better suit their needs. Either which way, hackers devote their time and energy to finding and, where possible, exploiting any vulnerabilites for as long as possible
    Never underestimate the power of the techno-geek... ;)
  • PhiltheBear
    PhiltheBear Posts: 269 Forumite
    100 Posts
    Jesthar wrote: »
    It depends if that is actually the case. If it is, then yes - big trouble. But although that would be by far the easiest way to get the information, it's certainly not the ONLY way. The forensic investigation will hopefully give an answer to that, but until then it would be unwise to automatically assume the card data must have been unencrypted.

    It's not an assumption. They've apparently admitted it.

    Even so - if they knew they were being attacked in October why did it take them so long to prevent this? The answer that they were trying to trap the hacker doesn't wash. You simply don't compromise thousands of customers in order to 'trap the hacker' - even if they had the expertise, which they plainly don't. They are now saying that they will have a new web site up shortly but a 'proper' website won't be done in house - they are likely to outsource it.

    If I were a Lush customer and I'd been defrauded and my bank wouldn't accept that this was related I'd sue Lush for damages. They've plainly been negligent - and admitted it.
  • Jesthar
    Jesthar Posts: 1,450 Forumite
    PhiltheBear wrote: »
    It's not an assumption. They've apparently admitted it.
    Hmm, if they have, any chance of a link to their statement? :) I've been keeping up as best I can but must have missed it, as the only comments from Lush I recall have said they won't be making public comments on those details until the forensic investigation is completed.
    PhiltheBear wrote: »
    Even so - if they knew they were being attacked in October why did it take them so long to prevent this? The answer that they were trying to trap the hacker doesn't wash. You simply don't compromise thousands of customers in order to 'trap the hacker' - even if they had the expertise, which they plainly don't. They are now saying that they will have a new web site up shortly but a 'proper' website won't be done in house - they are likely to outsource it.
    Sadly, hacking attempts aren't the rarity online, the are the norm. And some of them are very good at what they do, unfortunately. We tend to think of hacking as a sort of virtual ram raid, but a good hacker is more like a cat burglar, and may also get away with leaving cybernetic bugs behind. Some breaches can go undetected for years, and it's only reasonable to assume that there may well be a significant number which are never noticed (perhaps getting unwittingly ended by a site revision), or are fixed on the quiet by the site owners as and when they do notice.

    The actual specifics aren't my area of expertise, so I won't try and elaborate, but if you have a business web site that allows people to purchase things online, you are a target. We won't know details until the forensic report, but personally I would be very surprised if there had been a game of 'trap the hacker' - "stop the hacker", definitely, but trapping hackers is a very difficult (and often fruitless) activity, and certainly not one usually attempted by anyone outside the realms of anti-hacking organisations.
    PhiltheBear wrote: »
    If I were a Lush customer and I'd been defrauded and my bank wouldn't accept that this was related I'd sue Lush for damages. They've plainly been negligent - and admitted it.
    And as Lush have admitted the breach, the chances of a bank refusing to accept it thankfully should be minimal - the only scenario I can think of off the top of my head is if someone had been warned their details may have been compromised, didn't notify their CC provider for whatever reason, and then subsequently had fraudulant activity on the card. In that case, they would likely be held liable for any activity incurred after they were warned due to the failure to alert the provider.

    Whether or not the breach was due to negligence on the part of Lush is something we again won't know until the forensic report is available. If CC details have been stored in the clear, then yes, that is negligence. As would be not applying security patches etc. But there are a good number of ways in which a site can be compromised without the customer database ever being accessed at all - cross site scripting, code insertion etc. Or it may have been a problem with the 'basket' software, not the website coding. It will be interesting to eventually find out.
    Never underestimate the power of the techno-geek... ;)
  • PhiltheBear
    PhiltheBear Posts: 269 Forumite
    100 Posts
    Jesthar wrote: »
    Sadly, hacking attempts aren't the rarity online, the are the norm. And some of them are very good at what they do, unfortunately. We tend to think of hacking as a sort of virtual ram raid, but a good hacker is more like a cat burglar, and may also get away with leaving cybernetic bugs behind. Some breaches can go undetected for years, and it's only reasonable to assume that there may well be a significant number which are never noticed (perhaps getting unwittingly ended by a site revision), or are fixed on the quiet by the site owners as and when they do notice.

    The actual specifics aren't my area of expertise, so I won't try and elaborate, but if you have a business web site that allows people to purchase things online, you are a target. We won't know details until the forensic report, but personally I would be very surprised if there had been a game of 'trap the hacker' - "stop the hacker", definitely, but trapping hackers is a very difficult (and often fruitless) activity, and certainly not one usually attempted by anyone outside the realms of anti-hacking organisations.

    My area of expertise is advising financial companies about credit card fraud. You can't insert trojan type coding into a web site without updating the site. You can't update a site without passwords (unless you host your own and even then I'd expect systems open to the world to be password protected). Both these things should trigger alarms if not authorised.

    You can't catch credit card numbers 'in transit' without trojan software. You can read credit card numbers, if unencrypted, from a database if you employ some fairly simple techniques - all of which a competent web designer can thwart easily. If you encrypt credit card numbers using a reasonably simple and readily available encryption method it's basically impossible to crack them.

    I run several websites which take money. I know immediately if anyone tries anything untoward and I can immediately block their access. It's really not difficult.

    It's about 100% certain that Lush simply kept open details on file and someone was able to read the database. What would be really interesting is to see how dumb they really were and whether or not they stored the CVS number too (a really strict no-no). In the UK and the US part of the card check for online sales is matching the CVS number and the postcode. If cards have been compromised then where did the hackers/criminals get the CVS numbers from?
  • jimbo24168
    jimbo24168 Posts: 91 Forumite
    Part of the Furniture 10 Posts Combo Breaker
    And sadly reports are coming in that their Australian/New Zealand websites have been hacked.

    One would have thought that after the UK debacle that someone would have checked all their other websites to ensure they were watertight.

    I wonder if the UK was the first?
This discussion has been closed.
Meet your Ambassadors

🚀 Getting Started

Hi new member!

Our Getting Started Guide will help you get the most out of the Forum

Categories

  • All Categories
  • 350K Banking & Borrowing
  • 252.7K Reduce Debt & Boost Income
  • 453.1K Spending & Discounts
  • 243K Work, Benefits & Business
  • 619.9K Mortgages, Homes & Bills
  • 176.5K Life & Family
  • 256K Travel & Transport
  • 1.5M Hobbies & Leisure
  • 16.1K Discuss & Feedback
  • Read-Only Boards

Is this how you want to be seen?

We see you are using a default avatar. It takes only a few seconds to pick a picture.
Update Your Picture