
ASAP - Data Breach


system 4-50


1 minute ago, Alan de Enfield said:

Phew - I'm glad I did it over the phone (but I guess ASAP could still have stored my card data) and not filling in the 'boxes' on the website.

Should I be safe?

It would all depend on how they do transactions offline.

If it was a brick and mortar retailer then, in THEORY, they should enter the credit card info into a handheld terminal which has nothing to do with the site. On the other hand, they might have a page on the site backend where they enter credit card details as though you were online. So your details MIGHT get scooped up and sent elsewhere.

In short: maybe.


They are using the payment services provider Sagepay, so the ASAP site should never have had your card details. Sounds like the malware is a keystroke logger, copying your input to a third party site. I got the email even though I’ve never actually bought anything from the site and they don’t have my card details.

 

I guess there’s a fair amount of panic going on (with the prospect of a hefty ICO fine) hence less than perfect management.


1 hour ago, ronnietucker said:

Do you have any source links for that?

Sounds like the malware was diverting people to a compromised payment page.

This is all ASAP are sharing at present

https://www.asap-supplies.com/security-incident

however it shows there was malware added to their page.

 

added - something like this is possible. https://www.theregister.co.uk/2018/09/12/feedify_magecart_javascript_library_hacked/

Edited by Chewbacka

9 hours ago, ronnietucker said:

But wouldn't their site save the card details when you tick the 'save for later' box?

The Sage Pay site would hold your card details, not ASAP. The whole idea of a Payment Services Provider is that the merchant doesn’t know your card details, leaving that up to the PSP who can invest a lot more money on defences. It doesn’t look good for the way the link to Sage Pay had been set up if a malicious key logger could go on recording your input or if the ASAP site still saw your card details.


12 hours ago, ronnietucker said:

 

As do most online retailers, but my question to ASAP is: were the stored payment details encrypted? (If not, why the hell not?!) If they were, did the hackers also have access to any keys/data that might help them unencrypt the data?

At some point they have to be unencrypted, even when stored encrypted you type them in unencrypted.


23 hours ago, alan_fincher said:

I’m now wondering if the person(s) attempting to use my card could have got details via the malware on the ASAP site.  I guess probably not, because of the longish period since I last placed an order with ASAP.

The most common place for card details to be stolen is at a restaurant. They have your card in their hands, with the security number on the back. Or telephone ordering anything... 

 

You simply need to check your statements every month. I had two occasions where transactions totalling a few thousand were fraudulently made with a business card. I spotted the transactions when going through the statement and in both instances the bank refunded the money instantly (after I filled in a form). 


2 minutes ago, WotEver said:

The most common place for card details to be stolen is at a restaurant. They have your card in their hands, with the security number on the back. Or telephone ordering anything... 

 

You simply need to check your statements every month. I had two occasions where transactions totalling a few thousand were fraudulently made with a business card. I spotted the transactions when going through the statement and in both instances the bank refunded the money instantly (after I filled in a form). 

Agreed,

 

The additional security code has become somewhat of a joke, given we regularly supply it verbally to people over the phone, along with all other card details.
 

It has been suggested to me that if you are supplying it to someone on very poor pay in an outsourced facility, that there are actually people hanging around outside such centres offering incentives to those working in them to record and sell on details.  I've no idea how commonplace this is, but it sounds a plausible way that your details can end up in wrong hands.

 

When you got fraudulent transactions refunded, what happened to stop it continuing, please?  In our case our card was instantly revoked, and we had to wait several days without one until a new one with a different number arrived. (It would have been quicker had I had a "platinum" or "black" card apparently, but now I'm just a pensioner I am without anything fancy like that!)


42 minutes ago, WotEver said:

The most common place for card details to be stolen is at a restaurant. They have your card in their hands, with the security number on the back. Or telephone ordering anything... 

 

You simply need to check your statements every month. I had two occasions where transactions totalling a few thousand were fraudulently made with a business card. I spotted the transactions when going through the statement and in both instances the bank refunded the money instantly (after I filled in a form). 

I must admit I log into my bank account every day to look for anything suspicious. Having had my card details cloned twice in the past (a few years ago now) I am perhaps a bit over cautious.

 

Online banking and banking apps make it so easy to do that to me it's a no brainer not to check every day.

 

The trick scammers used to employ was to do a small insignificant transaction to test the card's validity and then hit with a bigger one later on if that went through. I think though now banking security systems are more geared to picking these up as triggers when looking for 'suspicious activity' on your account.

 

 

Edited by MJG

56 minutes ago, WotEver said:

The most common place for card details to be stolen is at a restaurant. They have your card in their hands, with the security number on the back.

 

 

Absolutely. A guy I worked with had his credit card 'cloned' (we'll call it) in some place he bought a carpet from. Next thing he was getting a call from his bank querying a sale on the other side of the country. The carpet place was one of the very few times he ever handed over his card which they took into the back shop to 'process the payment'. Probably jotted down his numbers.

 

48 minutes ago, alan_fincher said:

Or telephone ordering anything... 

I work in hospitality and it never ceases to amaze me how often people are quite happy to give out all their credit card info over the phone to pay for something. And I mean all: card numbers, security numbers, expiry date, etc. We do, genuinely, shred the info after it's used, but I dread to think how many places probably just toss the paper in the bin. Only to be found by some nefarious ragamuffin.

 

I also don't understand why the banks spent so much time and money drumming home the old 'chip and pin' thing to then move to contactless. Which is just asking for money to go missing!

 

I, personally, had someone use phone banking to transfer money from my ISA to my bank account and then take the money from my account. I got my money back from the bank, but it was a performance to get there. My point to the bank was that even I didn't know the phone banking codes as I've never used it! Aren't the calls recorded/logged in some way? Seems not. But, then again, it is the TSB.  :rolleyes:


16 minutes ago, ronnietucker said:

But, then again, it is the TSB.

The 3rd September this year was my 50th anniversary of banking with the "Toytown Savings Bank", prior to that I was with the National Provincial Bank. The bank merged with the Westminster in 1968 (and became the National Westminster) and was never the same again.

 

No complaints about the TSB (except closing branches, but they are all doing it)


Just now, Alan de Enfield said:

The 3rd September this year was my 50th anniversary of banking with the "Toytown Savings Bank", prior to that I was with the National Provincial Bank. The bank merged with the Westminster in 1968 (and became the National Westminster) and was never the same again.

 

No complaints about the TSB (except closing branches, but they are all doing it)

TSB..... Don't talk to me about TSB...... Nothing but trouble all year since their computer mayhem earlier in the year.

 

I finally gave up with them last week and closed all my accounts, which is probably what they wanted me to do. Save them responding to my numerous complaints! 


3 minutes ago, Alan de Enfield said:

No complaints about the TSB

I've been with them since I was in Primary school (many moons ago).

 

I can only assume you never use online banking? The entire TSB online infrastructure went completely pear-shaped when they did their recent IT move. Thankfully I rarely use online banking so had a bit of a giggle at their expense...


1 minute ago, ronnietucker said:

I've been with them since I was in Primary school (many moons ago).

 

I can only assume you never use online banking? The entire TSB online infrastructure went completely pear-shaped when they did their recent IT move. Thankfully I rarely use online banking so had a bit of a giggle at their expense...

It wasn’t just on-line banking tho was it.  It was everything.


7 minutes ago, ronnietucker said:

I've been with them since I was in Primary school (many moons ago).

 

I can only assume you never use online banking? The entire TSB online infrastructure went completely pear-shaped when they did their recent IT move. Thankfully I rarely use online banking so had a bit of a giggle at their expense...

I only use online banking.

Accounts are not normally checked from one year to the next.

I get cash paid to me quite frequently so never need to go to the bank or cash machine.

Banking is only used for transferring from account to account and for paying bills. 

Pension goes in the bank to pay the bills.

More goes in than comes out so everyone is happy.

eBay buying & selling all goes via Paypal and the bank account.

 

We "live" on cash, from diesel, to the weekly shop to a bar of chocolate.


5 minutes ago, Alan de Enfield said:

We "live" on cash, from diesel, to the weekly shop to a bar of chocolate.

I also use cash-only in the real world. I obviously use Amazon, eBay, etc, but I never use my card for paying in the real world. I don't see the need to whip out my card to pay £5 for something. If it's more than that? I'll get the cash out of an ATM beforehand.

 

I think the cards are now the cheque of the modern era. Queue hold-ups a-plenty. With a gasp of 'it should work' when it's rejected.  :rolleyes:


5 minutes ago, ronnietucker said:

I also use cash-only in the real world. I obviously use Amazon, eBay, etc, but I never use my card for paying in the real world. I don't see the need to whip out my card to pay £5 for something. If it's more than that? I'll get the cash out of an ATM beforehand.

 

I think the cards are now the cheque of the modern era. Queue hold-ups a-plenty. With a gasp of 'it should work' when it's rejected.  :rolleyes:

I think that cash is fast becoming the cheque of yesteryear, it’s now cheaper for a shop to take cards than cash and there is even a ‘no cash’ pub.  https://www.thesun.co.uk/news/7281194/first-cashless-pub/

 

 


7 minutes ago, Chewbacka said:

it’s now cheaper for a shop to take cards than cash

That is a fair point. It means that shops aren't sitting with a bundle of cash in their till drawers. But...

 

3 minutes ago, Chewbacka said:

nobody apart from me used cash.  Much too easy to spend too much.

With no continual look at finances (cash in the wallet/purse) it's too easy for people to end up with nothing (while, inevitably, drunk) or in an overdraft.


3 minutes ago, mrsmelly said:

I will use one of the forty eight thousand other pubs that do take money. What really surprised me is that this numpty is not in London!! The south of course but still, not London.

Give it 5 years and cash will be all but gone.  I used to go to an ATM weekly, I doubt it’s even monthly now, apart from drinking sessions which are still cash, everything else I do is card.

 

added - and that includes the bus which is contactless.

Edited by Chewbacka
