Kitz Forum

Announcements => News Articles => Topic started by: sevenlayermuddle on September 07, 2018, 07:58:15 AM

Title: BA website breach
Post by: sevenlayermuddle on September 07, 2018, 07:58:15 AM
Seems BA have owned up to some kind of breach, leaking transaction details...

https://www.bbc.co.uk/news/uk-england-london-45440850

Interestingly, I did book a BA flight via the website during the period it was leaking, but I have not had any notification from BA (they say affected customers were notified last night). 

As always, I used the ‘guest’ checkout, to avoid registering.  If I did escape the breach, I wonder if that was relevant?  :-\

All the same, I think I’ll be keeping a close eye on the card account that I used.   :'(

PS:

Over my morning cuppa I started to worry more, and I also figured out that bank call centre queues are just going to grow today as this news spreads.   So I decided to get in early and gave my bank a call.

Good news is there are no unexpected transactions. :)
Bad news is they’ve cancelled the card as a precaution. :(



Title: Re: BA website breach
Post by: sevenlayermuddle on September 07, 2018, 06:51:34 PM
And (with apols for replying to my own post), email from BA mid afternoon...

Quote
... We’re deeply sorry, but you may have been affected. ...

So much for the BBC reports this morning, that said everybody affected had been contacted yesterday.  I certainly had not.    :o

But feeling smug that I jumped the starting gun anyway, without waiting for BA’s notification. I’m willing to bet I’d have faced a long call centre queue if I’d waited till the afternoon before calling the bank, competing with the 380,000 others.   And great to have had an early chat with the bank, confirming no untoward transactions. :)

A 2nd email from BA, received a bit after 6pm, gives more details...
Quote
The personal information compromised includes full name, billing address, email address and payment card information. This includes your card number, expiry date and CVV. Unfortunately this information could be used to conduct fraudulent transactions using your account. We recommend that you contact your bank or credit card provider immediately and follow their advice.

Better late than never.  But still a pretty bad show, the scumbags could have enjoyed a whole day’s spending spree, in the time it took BA to send that email. :'(
Title: Re: BA website breach
Post by: kitz on September 07, 2018, 06:58:27 PM
 :no:

I wonder if they send out batches?


I know with the PCWorld/Dixons breach I thought I may have escaped that as I got notification from them about my father's details being breached.    Then I got a notification about 5 days later saying I had been affected too :/
Title: Re: BA website breach
Post by: sevenlayermuddle on September 07, 2018, 07:51:12 PM
Quote
:no:

I wonder if they send out batches?

That would make sense, and would be an understandable constraint, but they should not lie about it.  From the BBC link in the opening post...

Quote
BA said all customers affected by the breach had been contacted on Thursday night.
Title: Re: BA website breach
Post by: pooclah on September 07, 2018, 10:09:11 PM

Quote
The personal information compromised includes full name, billing address, email address and payment card information. This includes your card number, expiry date and CVV. Unfortunately this information could be used to conduct fraudulent transactions using your account. We recommend that you contact your bank or credit card provider immediately and follow their advice.

My bold.  Surely they shouldn't be storing that?  My limited knowledge tells me that's wrong.

Quote
I know with the PCWorld/Dixons breach I thought I may have escaped that as I got notification from them about my father's details being breached.    Then I got a notification about 5 days later saying I had been affected too :/

I had an email from Dixons/Carphone last Wednesday notifying me that the data they hold about me may have been accessed in 2017.

Who's policing these things?
Title: Re: BA website breach
Post by: sevenlayermuddle on September 07, 2018, 10:31:13 PM
Re CVV, my understanding is they are not allowed to store it, and it's safe to assume that rule was observed.

The conclusion would therefore be that it was some kind of ‘data sniffing’ exploit, capturing card details in flight (pun intended).  Maybe a man in the middle capturing traffic, or maybe a malicious script on the website, copying data to home.

I do recall, when making my booking, two weirdnesses...

1. Firstly it reported that I had entered invalid card details.   On closer inspection, I had seemingly quoted the wrong expiry date.   I was surprised, but assumed that was my mistake, and corrected it.

2. Following that correction, the transaction took an enormous time to complete.   Probably 60 seconds or more.

I have no reason to think either of these was relevant, though who knows, they might have been. :)
Title: Re: BA website breach
Post by: tickmike on September 08, 2018, 02:35:54 PM
I booked with BA before the hack date but I am keeping a watch on my card and bank details, just in case.
BA have not contacted me.
I was talking to their 'Indian' call centre yesterday and they did not say anything about it.
The BA freephone number I use, 0800 408 00 09, goes to the main menu.
We fly to Murcia, Spain on the 29th with BA from LHR. We should have flown last September from our local airport EMA but, thanks to 'Ryanair' sending me an email 12 hrs before we flew saying it was cancelled  >:D, they were very good paying us the flight cost back, but a year later they have only last night told me they are going to pay my car hire and car insurance back.
Title: Re: BA website breach
Post by: j0hn on September 08, 2018, 03:59:24 PM
Quote
The personal information compromised includes full name, billing address, email address and payment card information. This includes your card number, expiry date and CVV.

Just wow...

Quote
Unfortunately this information could be used to conduct fraudulent transactions using your account. We recommend that you contact your bank or credit card provider immediately and follow their advice.

(https://pbs.twimg.com/profile_images/965616540690284545/aB32Ib4w_400x400.jpg)
Title: Re: BA website breach
Post by: Bowdon on September 11, 2018, 03:53:03 PM
Data storage protection needs to have some laws introduced to make it more damaging to companies who lose it.

These breaches are going on all the time and I've never seen the company make any improvement. It seems to just be an "oh, let's change some details and hope we don't get hit again" idea.
Title: Re: BA website breach
Post by: kitz on September 11, 2018, 04:10:54 PM
Whilst I'm not saying it's any excuse, new exploits are being found all the time.

What I find highly unusual about this particular case is that, like 7LM says, there would appear to be some sort of live sniffing going on.   I don't see how they could have got the card CVV number otherwise, and BA had confirmed they don't store this data.   Yet I thought TLS/SSL were supposed to stop MITM attacks? 
Thus the only alternative I can think of is someone placing a targeted script on their server which was capturing data and forwarding it elsewhere.  :-\
Title: Re: BA website breach
Post by: sevenlayermuddle on September 11, 2018, 04:53:12 PM
Not that I understand it fully (or even slightly) but article on BBC website today may shed more light.   Seems the bad guys used a valid SSL certificate.  I guess they must have lied to obtain that, maybe pretending they were good guys?

https://www.bbc.co.uk/news/technology-45481976

Still feeling smug as my replacement debit card arrived today, that’s just 3 working days.  If I’d waited for BA’s notification before calling the bank I’d have been in contention with up to 380,000 other requests for new cards and, I’d imagine, it may have taken rather longer. :)
Title: Re: BA website breach
Post by: kitz on September 11, 2018, 09:00:16 PM
Thank you for that link, so within the past 9hrs more info is emerging that this was a very clever targeted attack  :(

Quote
RiskIQ said the malicious script consisted of just 22 lines of code. It worked by grabbing data from BA's online payment form and then sending it to the hackers' server once a customer hit the "submit" button.

Andrew Dwyer, a cyber-security researcher at the University of Oxford added that the attackers appeared to have gone to "extraordinary lengths" to tailor their code to the BA site.

I'm also beginning to wonder if these 2 points were relevant

Quote
1. Firstly it reported that I had entered invalid card details.   On closer inspection, I had seemingly quoted the wrong expiry date.   I was surprised, but assumed that was my mistake, and corrected it.

2. Following that correction, the transaction took an enormous time to complete.   Probably 60 seconds or more.

Finally, this concerns me a lot.   The average consumer is constantly told that the SSL cert is what provides them with the safe knowledge that the site they are entering their card details into is fully secure.

Quote
According to RiskIQ, they also acquired a Secure Socket Layer (SSL) certificate - which suggests to web browsers, not always accurately, that a web page is safe to use.

How the heck did that happen?  I'm no expert on SSL, so don't have a clue what must have occurred, but even the official SSL.com (http://info.ssl.com/article.aspx?id=10241) states
Quote
This link ensures that all data passed between the web server and browsers remain private and integral. SSL is an industry standard and is used by millions of websites in the protection of their online transactions with their customers.
:'( :'(

Title: Re: BA website breach
Post by: d2d4j on September 11, 2018, 09:29:04 PM
Hi

I hope you don’t mind, and maybe you'll be telling me I need my tinfoil hat, sorry, but there are a few things

Do you remember about a year ago, there was a massive DNS attack which no one could work out the purpose of. I suspected at the time it was for a MITM attack for future use

Also, SSL does encrypt end to end, but if details are taken from the hosting server at the time, or the code used transfers them to a bad site, then it offers no protection. You could, say, use ba-online.url and grab a Let’s Encrypt SSL certificate for free, which would show the padlock

Also, there is a new DNS record called CAA which, if used, designates which SSL provider (CA) could provide the SSL certificate, so you could lock the SSL to a single or multiple CA providers. This offers better SSL protection to customers if set up/used properly

As I said though, I do believe the big DNS attack was to place code into systems and then when ready, to divert data.

I’m off for my tinfoil now to make a hat sorry

Many thanks

John
Title: Re: BA website breach
Post by: kitz on September 11, 2018, 10:33:13 PM
I'm afraid I don't recall the DNS attack, but you could well be right with your theory.   After seeing 7LM's latest link, I also looked at a few other news/report sites..  and it would appear this particular attack had quite a few people wondering how it could have actually happened....  and it's only within the past few hours more details are beginning to emerge.

Quote
I’m off for my tinfoil now to make a hat

It does make you think, at the end of the day, that no matter what steps are put in place, if someone really does want to get info then there's a good chance they can.     Over the last 5 yrs or so, I've lost track of just how many breaches there have been whereby my various email addresses have been disclosed.   I'm also a bit concerned that within the past week I've started to receive spam to my personal PayPal email address (this is entirely separate from the site one...  and is hardly used)  - yet that too has now somehow been disclosed :(

Title: Re: BA website breach
Post by: d2d4j on September 11, 2018, 10:52:21 PM
Hi kitz

Many thanks, but it’s only my thoughts and no evidence whatsoever apart from look at the big data breaches since the attack

I think this was the attack and it was 2016 https://en.m.wikipedia.org/wiki/2016_Dyn_cyberattack

I think myself it is an indirect attack, as in the public facing host passes to secondary systems, where an intercept was included. Given the size of companies they would not use just a single server, but be divergent, and hence the SSL failure

Sorry if I’m wrong as it is just my thoughts as to why/how

Many thanks

John
Title: Re: BA website breach
Post by: kitz on September 11, 2018, 10:58:42 PM
>>  just my thoughts as to why/how

No probs at all.   Very interesting discussion.

By all accounts, this particular attack has even had some 'experts' scratching their heads.   I haven't seen mention of it elsewhere as they seem to think users didn't see anything unusual..  but I can't help but think 7LM's observation of the transaction taking longer to complete than usual may have something to do with it. 
Title: Re: BA website breach
Post by: Weaver on September 11, 2018, 11:06:50 PM
A law should be made that requires BA et al to notify every customer’s bank immediately. (And to keep all the info required to do so, somewhere separately in a WORM, offline location so that that cannot be erased by malefactors.) Relying on a customer to do so is not good enough: customer could be away, or ill, or who knows what; and email can fail, email addresses can change, stuff can get junked, email simply cannot be relied on for this.
Title: Re: BA website breach
Post by: burakkucat on September 11, 2018, 11:07:21 PM
Quote
... but I can't help but think 7LM's observation of the transaction taking longer to complete than usual may have something to do with it.

I agree, that is very suspicious.
Title: Re: BA website breach
Post by: sevenlayermuddle on September 11, 2018, 11:43:05 PM
Quote
A law should be made that requires BA et al to notify every customer’s bank immediately. (And to keep all the info required to do so, somewhere separately in a WORM, offline location so that that cannot be erased by malefactors.) Relying on a customer to do so is not good enough: customer could be away, or ill, or who knows what; and email can fail, email addresses can change, stuff can get junked, email simply cannot be relied on for this.

Interestingly, that card was just a few months old.   It had previously been renewed after Visa reported to the bank it had been used (without fraud) on some other compromised website.    The bank was unable to tell me which website, apparently Visa do not tell them, or how long it had been ‘at risk’.

But as regards that or other ‘automatic’ detection process, it seems to me it would not be practical to instantly cancel and renew 380,000 cards.    It would probably overwhelm Royal Mail, let alone the banks and their card printers.     I assume the banking industry just plans to live with the calculated risk, renewing cards gradually at a pace they can sustain, unless the customer explicitly reports it.
Title: Re: BA website breach
Post by: Weaver on September 12, 2018, 12:00:25 AM
I just suggested that an affected bank should be notified. What the bank then does is up to them, but the accounts need to be monitored if the cards are not cancelled.
Title: Re: BA website breach
Post by: sevenlayermuddle on September 12, 2018, 08:09:56 AM
Quote
I just suggested that an affected bank should be notified. What the bank then does is up to them, but the accounts need to be monitored if the cards are not cancelled.

Then I suspect that does already happen, based on my earlier experience.
Title: Re: BA website breach
Post by: sevenlayermuddle on September 12, 2018, 08:46:15 PM
I just had another email from BA...

Quote
Dear Customer
<much deleted>
To help you to monitor your personal information for certain signs of potential identity theft, we are offering you a free 12 month membership to Experian ProtectMyID. This service helps detect possible misuse of your personal data and provides you with identity monitoring support, focussed on the identification and resolution of identity theft.

In order to activate the free gift, I am instructed to click on a link in the same email, and enter a code that appears later in the email.   How quaint, that an organisation recently caught out by unparalleled lack of security, should now be encouraging their customers to click on links in unsolicited emails, and enter all sorts of personal details, especially when addressed simply as 'Dear Customer'.   :D

I suspect the email is genuine of course, and I may explore this  'free gift', though I'd do so by entering Experian's URL manually into my browser's address bar.  First impressions are not good.  From Experian's privacy policy, linked on the signup page,  "How we use your information"...

Quote
<much deleted>
Administration of prize draws, competitions, membership offers, surveys and other promotional activities
From time to time we will run prize draws, competitions, promotions and surveys and, we will use the personal data you provide to us, to run such activities and to do what we agree to do as part of them.
<much deleted>
Tracking activity
We will use your information to track your activity on our apps and on our websites to help us better understand your interests and how you interact with us. We may also use this information to help us detect if someone else is trying to access your account or use the services you take from us. We will also use this information to better engage with you and to ensure that you get the best service we can provide and improve the products in the future.
<much deleted>

Wow, what an offer.  First my card is skimmed on the BA website, now BA are passing me on to Readers' Digest style spammers and Google style lifestyle trackers.  I wonder if Experian are actually paying BA for sucker referrals?   ???