Kitz ADSL Broadband Information

Author Topic: BA website breach  (Read 4079 times)

kitz

Re: BA website breach
« Reply #15 on: September 11, 2018, 10:58:42 PM »

>>  just my thoughts as to why/how

No probs at all.   Very interesting discussion.

By all accounts, this particular attack has even had some 'experts' scratching their heads. I haven't seen mention of it elsewhere as they seem to think users didn't see anything unusual... but I can't help but think 7LM's observation of the transaction taking longer to complete than usual may have something to do with it.

Weaver

Re: BA website breach
« Reply #16 on: September 11, 2018, 11:06:50 PM »

A law should be made that requires BA et al to notify every customer’s bank immediately. (And to keep all the info required to do so, somewhere separately in a WORM, offline location so that that cannot be erased by malefactors.) Relying on a customer to do so is not good enough: customer could be away, or ill, or who knows what; and email can fail, email addresses can change, stuff can get junked, email simply cannot be relied on for this.

burakkucat

Re: BA website breach
« Reply #17 on: September 11, 2018, 11:07:21 PM »

Quote
. . . but I can't help but think 7LM's observation of the transaction taking longer to complete than usual may have something to do with it.

I agree, that is very suspicious.

sevenlayermuddle

Re: BA website breach
« Reply #18 on: September 11, 2018, 11:43:05 PM »

Quote
A law should be made that requires BA et al to notify every customer’s bank immediately. (And to keep all the info required to do so, somewhere separately in a WORM, offline location so that that cannot be erased by malefactors.) Relying on a customer to do so is not good enough: customer could be away, or ill, or who knows what; and email can fail, email addresses can change, stuff can get junked, email simply cannot be relied on for this.

Interestingly, that card was just a few months old.   It had previously been renewed after Visa reported to the bank it had been used (without fraud) on some other compromised website.    The bank was unable to tell me which website, apparently Visa do not tell them, or how long it had been ‘at risk’.

But as regards that or other ‘automatic’ detection process, it seems to me it would not be practical to instantly cancel and renew 380,000 cards. It would probably overwhelm Royal Mail, let alone the banks and their card printers. I assume the banking industry just plans to live with the calculated risk, renewing cards gradually at a pace they can sustain, unless the customer explicitly reports it.

Weaver

Re: BA website breach
« Reply #19 on: September 12, 2018, 12:00:25 AM »

I just suggested that an affected bank should be notified. What the bank then does is up to them, but the accounts need to be monitored if the cards are not cancelled.

sevenlayermuddle

Re: BA website breach
« Reply #20 on: September 12, 2018, 08:09:56 AM »

Quote
I just suggested that an affected bank should be notified. What the bank then does is up to them, but the accounts need to be monitored if the cards are not cancelled.

Then I suspect that does already happen, based on my earlier experience.

sevenlayermuddle

Re: BA website breach
« Reply #21 on: September 12, 2018, 08:46:15 PM »

I just had another email from BA...

Quote
Dear Customer
<much deleted>
To help you to monitor your personal information for certain signs of potential identity theft, we are offering you a free 12 month membership to Experian ProtectMyID. This service helps detect possible misuse of your personal data and provides you with identity monitoring support, focussed on the identification and resolution of identity theft.

In order to activate the free gift, I am instructed to click on a link in the same email, and enter a code that appears later in the email.   How quaint, that an organisation recently caught out by unparalleled lack of security, should now be encouraging their customers to click on links in unsolicited emails, and enter all sorts of personal details, especially when addressed simply as 'Dear Customer'.   :D

I suspect the email is genuine of course, and I may explore this  'free gift', though I'd do so by entering Experian's URL manually into my browser's address bar.  First impressions are not good.  From Experian's privacy policy, linked on the signup page,  "How we use your information"...

Quote
<much deleted>
Administration of prize draws, competitions, membership offers, surveys and other promotional activities
From time to time we will run prize draws, competitions, promotions and surveys and, we will use the personal data you provide to us, to run such activities and to do what we agree to do as part of them.
<much deleted>
Tracking activity
We will use your information to track your activity on our apps and on our websites to help us better understand your interests and how you interact with us. We may also use this information to help us detect if someone else is trying to access your account or use the services you take from us. We will also use this information to better engage with you and to ensure that you get the best service we can provide and improve the products in the future.
<much deleted>

Wow, what an offer.  First my card is skimmed on the BA website, now BA are passing me on to Reader's Digest style spammers, and Google style lifestyle trackers.  I wonder if Experian are actually paying BA for sucker referrals?   ???