
Warning John Lewis Credit Card is insecure

malc_b
malc_b Posts: 1,091 Forumite
Part of the Furniture 500 Posts Photogenic
I've been left with no alternative but to warn others about how insecure the John Lewis Credit Card is.  The card is operated by New Day so this could apply to other cards that New Day runs.

When you register for the JL credit card they ask for a user name and suggest you use your email address, and they also ask for a 6 digit pass number, and that's it.

When you log in on the app or website you are first asked for your user name and only if you get that right are you then asked for 3 digits from your pass number.  Straight away this is a security hole.  With a list of UK email addresses, legally obtained even, you can run these against the website to filter out which have JL credit card accounts, opening these up to phishing attacks.

Also with these valid user names you can attack the pass number.  Since only 3 digits are asked of you the probability is 1:1000 (1 in 1000) because 3 digits is only 1000 possibilities.  It is not the 1 million as JL and ND seem to believe.  This is the way probability works.  The chance of winning the lottery (6 numbers) is 1 in 45 million but people still win it.  With just 1:1000 then with 10,000 user names a random guess should crack around 10 users on the first pass; try each 10 times and that's 100, etc.  This is pathetic security but it gets worse with a bit of obvious social engineering.

Let me ask you to think of a 6-digit number you can remember.  I reckon most people will think of a date.  ND clearly think so too as they ban the user from using their birthday, but that leaves plenty of other dates.  A date would be in the format [01-31][01-12][00-99].  Hence if we wait until the web site asks for digit 1, digit 2 and digit 4 this will be [0-3][01-12], just 48 possibilities, i.e. a 1:48 probability of guessing the right answer, or for 480 users about 10 right answers first time.

Waiting for a specific sequence of digits is not a long wait either.  The number of combinations for selecting 3 digits from 6 is 6x5x4 = 120.  But that is if order mattered, and it doesn't: a selection of digits 3, 2, 1 is the same as selecting digits 1, 2, 3.  The orderings of 3 digits are 3x2x1 = 6, hence the number of unique 3-digit selections from 6 is 120/6 = 20.  So you only have to try around 20 times to get the 1:48 condition, which again is not that hard.  And reverse date and American date are no help.  These would be reject conditions for a strict UK date policy so you may as well guess these if asked for them; it makes no difference to the average time to crack it.

Now some people may think that posting this helps the hackers but as I said at the start, I've tried the proper way, reporting to JL and ND, then going to the FOS; they are only interested if I've lost money from a hack, not if someone might have access to my account.  And BTW since JL/ND don't tell me when I last logged in I wouldn't know if anyone else had access.  I've even tried the ICO as they are meant to enforce the Data Protection Act, which says companies should take adequate steps to protect users' data.  The ICO is only interested when the company/user has been hacked; they are not interested in enforcing the Data Protection Act before the company/user has been hacked.  I'm not sure what the point of the ICO is, but clearly it is no wonder the recent news is all about M&S, Co-op and JLR hacks.  If a credit card company is this stupid why would other companies be any better?  All I have left is to warn users and maybe help someone who has been hacked and been told it was their fault.

Comments

  • Whenever a (sensitive) site allows you to use your own user Id then take the option rather than the easy mail address default. 

    Any decent password manager will let you generate 30 random characters to register with and store it for use when logging in subsequently. 
  • Emmia
    Emmia Posts: 6,183 Forumite
    Fifth Anniversary 1,000 Posts Photogenic Name Dropper
    edited 16 September at 8:13PM
    Have you closed your account with them? 

    I tried Monzo several years ago and was so unimpressed with their security, and their response to my email about the flaws, I decided not to do business with them.
  • Peter999_2
    Peter999_2 Posts: 1,392 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    edited 16 September at 9:41PM
    If you are not happy with the responses and the security they use then you need to close the account and go with someone who does have the security to your satisfaction.

    I've had a branded credit card for about 6 years that is administered by NewDay and I am happy with their security (I'd have left if I wasn't).

    My (now ex-wife) did forget her passcode for the app and after three attempts it locked the account.   To recover the account I had to receive a text to my mobile with a code in it to reset my passcode.

    Therefore, if I have three attempts to guess a 3-digit code then the odds are 333 to 1 (I think, but I'm not a mathematician).  I'm comfortable with those odds.  You've got to remember, if people were able to compromise accounts on a large scale things would change with the app immediately, and the fact it has been this way for years and hasn't happened is telling in my eyes.  It's all about balancing security with convenience - it's a fine line.

  • My mother got a JL card briefly and was always locking herself out so it can't be that easy  :D

    That said, this isn't a deposit account; it's a credit facility so the loss would almost certainly be borne by New Day and they're not concerned enough to update it.
  • malc_b
    malc_b Posts: 1,091 Forumite
    Part of the Furniture 500 Posts Photogenic
    Olenna - Or New Day would claim it is your fault, you must have let someone see your pass number.
    Emmia - Not yet, but all I use it for is the odd JL purchase for the points I get.  In any case JL would have to bear the cost in my case because I've warned them and they did nothing.
    Peter999_2 - no, you are not a mathematician.  This is not about breaking a specific account; it is about easily finding JL user names and then taking 1 or 2 guesses on multiple accounts.  Like with the lottery, the odds against you winning are massive but people do win because there are a lot of guesses, just one (ish) per person.  If you like, it's not 333 guesses on one account but 1 guess each on 333 accounts.  It's the same thing.
  • Peter999_2
    Peter999_2 Posts: 1,392 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    Even if you had 1 guess on 333 accounts you would only have a 63.2% chance of getting in.   However, you would be blocked pretty quickly if you attempted to do this.
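A small risk model, added here as an editor's example and not part of any post in this thread, that reproduces the numbers argued above (the 20 possible 3-from-6 prompts, the date-shaped guess space, the 63.2% figure for one try on each of 333 accounts) and generalises them: it enumerates every valid DDMMYY date to find which prompt positions leave the smallest guess space, and shows why a per-account lockout bounds tries per account but not the number of accounts an attacker can spread those tries across. Positions are 0-based; the date-shaped PIN pool and the per-account probabilities are constructed assumptions for illustration.

```python
from datetime import date, timedelta
from itertools import combinations
from math import comb

PIN_LEN, ASKED = 6, 3  # the scheme discussed: 3 digits requested from a 6-digit pass number


def prompt_subsets() -> int:
    """Distinct 3-position prompts a 6-digit PIN can produce; order is irrelevant."""
    return comb(PIN_LEN, ASKED)  # 6*5*4 / 3*2*1 = 20


def date_pins() -> set[str]:
    """Constructed PIN pool: every valid DDMMYY date, years 00..99 read as 2000..2099."""
    pool, d = set(), date(2000, 1, 1)
    while d.year < 2100:
        pool.add(d.strftime("%d%m%y"))
        d += timedelta(days=1)
    return pool


def guess_space(positions, pins=None) -> int:
    """Distinct digit triples that cover every PIN in the pool at these (0-based)
    prompt positions; with no pool every digit is free, so 10**3 = 1000."""
    if pins is None:
        return 10 ** len(positions)
    return len({"".join(pin[i] for i in positions) for pin in pins})


def weakest_prompt(pins):
    """The prompt whose guess space is smallest over a PIN pool, and that size."""
    return min((guess_space(pos, pins), pos) for pos in combinations(range(PIN_LEN), ASKED))


def spray_success(p_per_try: float, accounts: int, tries_per_account: int = 1) -> float:
    """P(at least one account falls) when the attacker spends a few tries per account,
    staying under the lockout, across many accounts. Lockout caps tries_per_account,
    not accounts, so this grows with the length of the user-name list."""
    return 1 - ((1 - p_per_try) ** tries_per_account) ** accounts


def expected_compromised(p_per_try: float, accounts: int, tries_per_account: int = 1) -> float:
    """Expected number of accounts opened under the same spread-out strategy."""
    return accounts * (1 - (1 - p_per_try) ** tries_per_account)


if __name__ == "__main__":
    pool = date_pins()
    print("prompt subsets:", prompt_subsets())
    print("weakest prompt over date-shaped PINs (size, positions):", weakest_prompt(pool))
    print("P(any of 333 accounts, 1 try each at 1/333):", round(spray_success(1 / 333, 333), 4))
    print("expected hits, 10,000 accounts at 1/1000:", expected_compromised(1 / 1000, 10_000))
```

The mitigation the model points at is on the defender's side: the lockout counter should not be the only control, because the quantity that matters is total guesses across all accounts, which calls for user-name enumeration to be closed off and for guess rates to be limited per source as well as per account.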