Kitz ADSL Broadband Information
Author Topic: BA website breach  (Read 4082 times)

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
BA website breach
« on: September 07, 2018, 07:58:15 AM »

Seems BA have owned up to some kind of breach, leaking transaction details...

https://www.bbc.co.uk/news/uk-england-london-45440850

Interestingly, I did book a BA flight via the website during the period it was leaking, but I have not had any notification from BA (they say affected customers were notified last night). 

As always, I used the ‘guest’ checkout, to avoid registering.  If I did escape the breach, I wonder if that was relevant?  :-\

All the same, I think I’ll be keeping a close eye on the card account that I used.   :'(

PS:

Over morning cuppa’, I started to worry more, I also figured out that bank call centre queues are just going to grow today as this news spreads.   So I decided to get in early, gave my bank a call.   

Good news is there are no unexpected transactions. :)
Bad news is they’ve cancelled the card as a precaution. :(



« Last Edit: September 07, 2018, 08:38:13 PM by sevenlayermuddle »
Logged

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: BA website breach
« Reply #1 on: September 07, 2018, 06:51:34 PM »

And (with apols for replying to my own post), email from BA mid afternoon...

Quote
... We’re deeply sorry, but you may have been affected. ...

So much for the BBC reports this morning, that said everybody affected had been contacted yesterday.  I certainly had not.    :o

But feeling smug that I jumped the starting gun anyway, without waiting for BA’s notification. I’m willing to bet I’d have faced a long call centre queue if I’d waited til afternoon before calling the bank, competing with the 380,000 others.   And great to have had an early chat with the bank, confirming no untoward transactions. :)

A 2nd email from BA, received a bit after 6pm, gives more details...
Quote
The personal information compromised includes full name, billing address, email address and payment card information. This includes your card number, expiry date and CVV. Unfortunately this information could be used to conduct fraudulent transactions using your account. We recommend that you contact your bank or credit card provider immediately and follow their advice.

Better late than never.  But still a pretty bad show, the scumbags could have enjoyed a whole day’s spending spree, in the time it took BA to send that email. :'(
Logged

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33879
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: BA website breach
« Reply #2 on: September 07, 2018, 06:58:27 PM »

 :no:

I wonder if they send out batches?


I know with the PCWorld/Dixons breach I thought I may have escaped that as I got notification from them about my father's details being breached.    Then I got a notification about 5 days later saying I had been affected too :/
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: BA website breach
« Reply #3 on: September 07, 2018, 07:51:12 PM »

Quote
:no:

I wonder if they send out batches?

That would make sense, and would be an understandable  constraint, but they should not lie about it.  From the  BBC link in opening post...

Quote
BA said all customers affected by the breach had been contacted on Thursday night.
Logged

pooclah

  • Reg Member
  • ***
  • Posts: 151
Re: BA website breach
« Reply #4 on: September 07, 2018, 10:09:11 PM »


Quote
The personal information compromised includes full name, billing address, email address and payment card information. This includes your card number, expiry date and CVV. Unfortunately this information could be used to conduct fraudulent transactions using your account. We recommend that you contact your bank or credit card provider immediately and follow their advice.

My bold.  Surely they shouldn't be storing that?  My limited knowledge tells me that's wrong.

Quote
I know with the PCWorld/Dixons breach I thought I may have escaped that as I got notification from them about my father's details being breached.    Then I got a notification about 5 days later saying I had been affected too :/

I had an email from Dixons/Carphone last Wednesday notifying me that the data they hold about me may have been accessed in 2017.

Who's policing these things?
Logged

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: BA website breach
« Reply #5 on: September 07, 2018, 10:31:13 PM »

Re CVV, my understanding is they are not allowed to store it, and safe to assume that rule was observed.

Conclusion would be therefore it was some kind of ‘data sniffing’ exploit, capturing card details in flight (pun intended).  Maybe a man in the middle capturing traffic, or maybe a malicious script on the website, copying data to home.

I do recall, when making my booking, two weirdnesses..

1. Firstly it reported that I had entered invalid card details.   On closer inspection, I had seemingly quoted the wrong expiry date.   I was surprised, but assumed that was my mistake, and corrected it.

2. Following that correction, the transaction took an enormous time to complete.   Probably 60 seconds or more.

I have no reason to think either of these was relevant, though who knows, they might have been. :)
« Last Edit: September 07, 2018, 10:38:17 PM by sevenlayermuddle »
Logged

tickmike

  • Kitizen
  • ****
  • Posts: 3640
  • Yes Another Penguin !. :)
Re: BA website breach
« Reply #6 on: September 08, 2018, 02:35:54 PM »

I booked with BA before the hack date but I am keeping a watch on my card and bank details, just in case.
BA have not contacted me.
I was talking to their 'Indian' call center yesterday and they did not say anything about it.
BA freephone number I use 0800 408 00 09 this goes to the main menu.
We fly to Murcia Spain on the 29th with BA from LHR, We should have flown last September from our local airport EMA but thanks to 'Ryanair' sending me an email 12 hrs before we flew saying it was cancelled  >:D, they were very good paying us the flight cost back, but a year later they have only last night told me they are going to pay my car hire and car insurance back.
Logged
I have a set of 6 fixed IP's From  Eclipse  isp.BT ADSL2(G992.3) line>HG612 as a Modem, Bridge, WAN Not Bound to LAN1 or 2 + Also have FTTP (G.984) No One isp Fixed IP >Dual WAN pfSense (Hardware Firewall and routing).> Two WAN's, Ethernet LAN, DMZ LAN, Zyxel GS1100-24 Switch.

j0hn

  • Kitizen
  • ****
  • Posts: 4093
Re: BA website breach
« Reply #7 on: September 08, 2018, 03:59:24 PM »

Quote
The personal information compromised includes full name, billing address, email address and payment card information. This includes your card number, expiry date and CVV.

Just wow...

Quote
Unfortunately this information could be used to conduct fraudulent transactions using your account. We recommend that you contact your bank or credit card provider immediately and follow their advice.

Logged
Talktalk FTTP 550/75 - Speedtest - BQM

Bowdon

  • Content Team
  • Kitizen
  • *
  • Posts: 2395
Re: BA website breach
« Reply #8 on: September 11, 2018, 03:53:03 PM »

Data storage protection needs to have some laws introduced to make it more damaging to companies who lose it.

These breaches are going on all the time and I've never seen the company make any improvement. It seems to just be "oh let's change some details and hope we don't get hit again" idea.
Logged
BT Full Fibre 500 - Smart Hub 2

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33879
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: BA website breach
« Reply #9 on: September 11, 2018, 04:10:54 PM »

Whilst I'm not saying it's any excuse, new exploits are being found all the time.

What I find highly unusual about this particular case, is that, like 7LM says, there would appear to be some sort of live sniffing going on.   I don't see how they could have got the card CVV number otherwise and BA had confirmed they don't store this data.   Yet I thought TLS/SSL were supposed to stop MITM attacks?
Thus the only alternative I can think is someone placing a targeted script on their server which was capturing data and forwarding it elsewhere.  :-\
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: BA website breach
« Reply #10 on: September 11, 2018, 04:53:12 PM »

Not that I understand it fully (or even slightly) but article on BBC website today may shed more light.   Seems the bad guys used a valid SSL certificate.  I guess they must have lied to obtain that, maybe pretending they were good guys?

https://www.bbc.co.uk/news/technology-45481976

Still feeling smug as my replacement debit card arrived today, that’s just 3 working days.  If I’d waited for BA’s notification before calling the bank I’d have been in contention with up to 380,000 other requests for new cards and, I’d imagine, it may have taken rather longer. :)
Logged

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33879
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: BA website breach
« Reply #11 on: September 11, 2018, 09:00:16 PM »

Thank you for that link, so within the past 9hrs more info is emerging that this was a very clever targeted attack  :(

Quote
RiskIQ said the malicious script consisted of just 22 lines of code. It worked by grabbing data from BA's online payment form and then sending it to the hackers' server once a customer hit the "submit" button.

Andrew Dwyer, a cyber-security researcher at the University of Oxford added that the attackers appeared to have gone to "extraordinary lengths" to tailor their code to the BA site.

I'm also beginning to wonder if these 2 points were relevant

Quote
1. Firstly it reported that I had entered invalid card details.   On closer inspection, I had seemingly quoted the wrong expiry date.   I was surprised, but assumed that was my mistake, and corrected it.

2. Following that correction, the transaction took an enormous time to complete.   Probably 60 seconds or more.

Finally this concerns me a lot.   The average consumer is constantly told that the SSL cert is what provides them with safe knowledge that the site they are entering their card details in at is fully secure.

Quote
According to RiskIQ, they also acquired a Secure Socket Layer (SSL) certificate - which suggests to web browsers, not always accurately, that a web page is safe to use.

How the heck did that happen?  I'm no expert on SSL, so don't have a clue what must have occurred, but even the official SSL.com states

Quote
This link ensures that all data passed between the web server and browsers remain private and integral. SSL is an industry standard and is used by millions of websites in the protection of their online transactions with their customers.
:'( :'(

Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker
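
An added illustration of the point raised in the post above (not code from the thread, BA or RiskIQ): a padlock says nothing about where a script on the page may send form data, whereas a Content-Security-Policy does. The checker below models only `connect-src` and `form-action` with simplified host matching; all hostnames and policies are constructed placeholders.

```python
from urllib.parse import urlsplit

def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins
    return policy

def source_matches(source, url, page_origin):
    """Simplified host-source matching: scheme and host only, ports and paths ignored."""
    u = urlsplit(url)
    if source == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if source.startswith("'"):             # 'none' and other keywords never match a URL
        return False
    if source == "*":
        return u.scheme in ("http", "https")
    if source.endswith(":"):               # scheme-source such as https:
        return u.scheme == source[:-1]
    s = urlsplit(source if "://" in source else f"{u.scheme}://{source}")
    if s.scheme != u.scheme:
        return False
    host, target = s.hostname or "", u.hostname or ""
    if host.startswith("*."):
        return target.endswith(host[1:])   # *.example.test matches subdomains only
    return target == host

def may_send(header, directive, url, page_origin):
    """True if the policy lets a page at page_origin send data to url."""
    policy = parse_csp(header)
    sources = policy.get(directive)
    if sources is None and directive != "form-action":  # form-action has no fallback
        sources = policy.get("default-src")
    if sources is None:
        return True                        # nothing restricts this request type
    return any(source_matches(s, url, page_origin) for s in sources)

# Constructed sample values; all hostnames are placeholders.
PAGE = "https://shop.example.test"
COLLECTOR = "https://collector.example.net/submit"  # third-party host with a valid certificate
PSP = "https://payments.example.test/charge"
HTTPS_ONLY = "default-src https:"
STRICT = "default-src 'self'; connect-src 'self' https://payments.example.test; form-action 'self'"

if __name__ == "__main__":
    for name, header in [("none", ""), ("https-only", HTTPS_ONLY), ("strict", STRICT)]:
        print(name, may_send(header, "connect-src", COLLECTOR, PAGE))
```

With no policy, or one that only demands HTTPS, the third-party destination is permitted because it has a valid certificate; only the explicit allowlist refuses it. Other fetch directives such as `img-src` need the same allowlisting in a real policy.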

d2d4j

  • Kitizen
  • ****
  • Posts: 1103
Re: BA website breach
« Reply #12 on: September 11, 2018, 09:29:04 PM »

Hi

I hope you don’t mind and maybe talking me I need my tinfoil hat sorry but there’s a few things

Do you remember about a year ago, there was a massive DNS attack which no one could work out for what purpose. I suspected at the time it was for mim attack for future use

Also, ssl does encrypt end to end, but if details are taken from hosting server at time, or code used transferred to a bad site, then it offers no protection. You could say use ba-online.url and grab a Let’s Encrypt ssl for free, which would show padlock

Also, there is a new dns record called CAA, which if used, designates which SSL (CA) could provide the SSL, so you could lock the SSL to a single or multiple CA provider. This offers better ssl protection to customers if setup/used properly

As I said though, I do believe the big DNS attack was to place code into systems and then when ready, to divert data.

I’m off for my tinfoil now to make a hat sorry

Many thanks

John
Logged
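
The CAA check mentioned in the post above, as an added example that is not part of the original thread: a simplified version of the RFC 8659 decision a CA makes before issuing, run over constructed records. The zone contents, CA names and the `may_issue` helper are assumptions for illustration; real processing does live DNS lookups.

```python
# Constructed CAA records as (flags, tag, value); every name here is a placeholder.
ZONE = {
    "example.test": [(0, "issue", "ca-one.test"),
                     (0, "iodef", "mailto:security@example.test")],
    "pay.example.test": [(0, "issue", "ca-two.test; account=12345"),
                         (0, "issuewild", ";")],
    "legacy.example.test": [(128, "futuretag", "x")],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def relevant_rrset(name, zone):
    """Climb from name towards the root; the first non-empty CAA set applies."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def issuer_of(value):
    """Issuer domain of a CAA value without its parameters; ';' alone gives ''."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(ca_domain, fqdn, zone=ZONE):
    """Would a CA identified by ca_domain be permitted to issue for fqdn?"""
    wildcard = fqdn.startswith("*.")
    rrset = relevant_rrset(fqdn[2:] if wildcard else fqdn, zone)
    # An unrecognised property with the critical bit (128) set forbids issuance.
    if any(flags & 128 and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issue = [issuer_of(v) for _, tag, v in rrset if tag.lower() == "issue"]
    issuewild = [issuer_of(v) for _, tag, v in rrset if tag.lower() == "issuewild"]
    allowed = issuewild if (wildcard and issuewild) else issue
    if not allowed:
        return True        # no applicable CAA restriction: any CA may issue
    return ca_domain.lower() in allowed

if __name__ == "__main__":
    for ca, name in [("ca-one.test", "www.example.test"), ("ca-two.test", "www.example.test"),
                     ("ca-two.test", "*.pay.example.test"), ("ca-free.test", "example-online.test")]:
        print(f"{ca:12} {name:22} {may_issue(ca, name)}")
```

CAA is evaluated by the CA at issuance time, not by the browser, and it only covers the domain owner's own names: the look-alike name in the last case has no CAA record, so any CA may issue for it.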

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33879
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: BA website breach
« Reply #13 on: September 11, 2018, 10:33:13 PM »

I'm afraid I don't recall the DNS attack, but you could well be right with your theory.   After seeing 7LM's latest link, I also looked at a few other news/report sites..  and it would appear this particular attack had quite a few people wondering how it could have actually happened....  and it's only within the past few hours more details are beginning to emerge.

Quote
I’m off for my tinfoil now to make a hat

It does make you think that at the end of the day, that no matter what steps are put in place, then if someone really does want to get info, then there's a good chance they can.     Over the last 5 yrs or so, I've lost track of just how many breaches there have been whereby my various email addresses have been disclosed.   I'm also a bit concerned that within the past week I've started to receive spam to my personal paypal email address (this is entirely separate from the site one...  and is hardly used)  - yet that too has now somehow been disclosed :(

Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

d2d4j

  • Kitizen
  • ****
  • Posts: 1103
Re: BA website breach
« Reply #14 on: September 11, 2018, 10:52:21 PM »

Hi kitz

Many thanks, but it’s only my thoughts and no evidence whatsoever apart from look at the big data breaches since the attack

I think this was the attack and it was 2016 https://en.m.wikipedia.org/wiki/2016_Dyn_cyberattack

I think myself it is indirect attack as in public facing host passes to secondary systems, where an intercept was included. Given the size of companies they would not use just a single server, but be divergent and hence the ssl failure

Sorry if I’m wrong as it is just my thoughts as to why/how

Many thanks

John
Logged