Or my company has. I'm a bit stunned... and embarrassed to be entirely honest, as I (rather arrogantly) always put myself above that kind of nonsense.
It sounds like it's been used online, so it hasn't been physically cloned in person - so they must have the front 16 digits, rear 3, my address and name. The cheeky bastards verified the card details were correct by making a minor (sub £1) payment to a charity, when that went through they upped the stakes and got an Uber and attempted to purchase £99.99 of furniture online. This was declined and Santander rang me up.. whilst Santander was on the phone they informed me the fraudster had tried again, and this time successfully. Seriously, nice one Santander - don't lock the fucking card whilst you're investigating it or anything.
Here's the interesting bit though, I've done my business banking with Santander since March - and have very few places I've used the card at. Google and Amazon for servers and stuff, some online software subscriptions, Ikea and.. to pay for some information security certification exams. (The irony is delicious on that one.) So how the hell did they get my details?
Comments
It's entirely possible it's not down to anything you did. Financial systems are getting hacked all the time, so it could have been just about anywhere you used your card. Here in the states, we have a massive series of chain stores called "Target" (kind of like Argos, but good, I can't really think of a UK equivalent) and they had a huge systems breach exposing hundreds of thousands of credit card numbers. It turns out their systems were tied to their unprotected WiFi, and that they weren't storing last three digits separately, or, if I remember correctly, salting the information. This is a multi-billion dollar company and one of the largest employers in the US. There was also the Sony Network hack, and a couple others I'm blanking on.
I very intentionally do not work on the financial side of cybersecurity, but from everything I read breaches are relatively common and often down to sloppy/lazy practices of companies.
Really sorry to hear about this. I've heard that paying very small amounts is the way that fraudsters check to see if they can get away with it. Here in the states, the credit card companies/banks are very aggressive in pursuing fraud, so hopefully Santander will go after them. And also, since they caught it, hopefully they'll refund your account.
Do you use free WIFI? Are your emails/files encrypted?
When my card was done they donated to the Alberta Ballet school.
The list goes on. There are sites to check to see if your email address is potentially compromised.
https://haveibeenpwned.com
Did you know Mark Zuckerberg was hacked and his password was dadada!
More recently someone tried to buy 14p worth of petrol with my card but it was declined.
It's interesting to me that they used Uber, because on the Uber thread I mentioned that some bastards used my Uber account to take a trip in Bristol (while I was in the garden in Prague).
When I reported this to Uber, this was their reply. I told them that it was unsatisfactory (seeking to pin the blame on me and other 'less secure' sites), but would be interested in what some of you guys - who clearly know your stuff - make of it. I haven't experienced any other fraud since this happened in mid May.
Thanks for your reply.
The issue here is that no one stole your card information - the trips were taken on your account, which was logged into using your email address and password. While they accessed your account illegitimately, whoever did so used a legitimate means to do so (i.e. through the use of the password). There was no breach to the Uber systems.
In cases like this, it is usually where someone has used the same email address and password across a number of websites (both secure and not secure) and their details may be compromised through these sites.
I've added some extra security measures to your account which I am confident will help to prevent this kind of unauthorised use in the future.
For example, if someone logs into your account using a device that has not previously been used, they will be forced to verify your payment method and phone number before requesting a ride (which they will be unable to do unless in possession of your card and mobile phone).
If you would like to report this incident to the police, I encourage you to do so; we are happy to help in any investigation.
I hope that this makes you feel more at ease - your account security is really important to us. If you have any further questions or concerns, please don't hesitate to contact me. I'm just an email away.
This is likely the reason in most cases. I see this on a daily basis. Details are sold on the dark web for less than a dollar. Corporate email accounts are sold for less than $15. Usable cards with various increments of limit are sold as a percentage of said limit. Legitimate websites sell information that can be used to scam for a pittance. A weak operator in a call centre is all it takes with some key info and they are in.
Great, if slightly daunting, advice. I used that site to check my email address and indeed it came up re the Linkedin hack, although all passwords were Ok. What a brilliant tip. Thank you.
That said, the right thing to do business wise was to refund you the $12 or whatever it was. It's a no brainer, you keep your customer happy and it costs a multi-million dollar business next to nothing.
Uber is notorious for having the douchiest of the Silicon Valley douches. The way they treat their employees (at least here), as contractors is ridiculous. It means that they can operate liability free, whilst picking up the profits, also ridiculous. Various cities and states are looking at cracking down on them and forcing them to have liability, both in terms of insurance and culpability, for when things go wrong. Lastly, and this isn't necessarily their fault, the latest, and in my humble opinion most vomit-inducing business speak cliche is "The Uber of Something" as a way to describe a product or business model. Technically, this isn't Uber's fault.
Personally, I think they'll be either out of business or operating in a very different way within three-five years. But that's an eternity in Silicon Valley and investors and founders will have made their fortunes by then. Sorry, I know this is for the Uber thread, but I couldn't bear to open it because I knew an outburst like this would happen.
With regards to my own security, I wouldn't say I'm paranoid but I always thought I was a pretty tough target:
- I use generated passwords for everything I use (held in a KeePass file on a USB drive);
- I rarely use public WiFi, but if I do then I'm generally connected via VPN to either a client location, or to my house (makes work a tad easier);
- I have full disk encryption enabled on both my PC and my MacBook, but if someone's installed anything nasty then that's not very useful sadly;
- I don't click links in emails or buy from anywhere I don't trust, I even rang Santander back after they rang me - just to check it was a legit phone-call;
- I have Sky internet, and the SkyHub is rubbish - so nearly every day I have to access the maintenance page; I'd probably realise if there was an unknown device;
- Any malware infection on my PC would have to be targeted, I can't see many people randomly posting malware aimed at Linux boxes online;
- Despite this, I have ClamAV on my Linux PC and Avira on my MacBook
The problem is, I've only ever used my card for 9 places; 3 high street shops (WH Smiths, Sainsbury's, Ikea) and 6 places online (Amazon, Google, DigitalOcean and a few subscription tools which are pretty common). All of which you'd expect to be pretty good security wise. Which surely leaves the blame on me.. I just can't see how I would've let this happen. If it was my personal debit card then I could definitely understand it, but the usage of my business one is pretty damn minimal.
On another note, with regards to what @SDAddick has said to @PragueAddick - I got an email from Uber requesting its users kick up a fuss to TfL, as TfL are bringing in things like English tests and requesting the correct insurance is held by all drivers. Shock horror, Uber thinks this is unacceptable and points towards their money given towards some of the Mayor's initiatives.. That's all you need to know about Uber sadly, they think gifting Johnson/Khan is enough for them to operate with impunity whilst thinking that having drivers speak English whilst holding the correct insurance is also too much to ask. It's disappointing to think that people will read the email and think "Wow, what about my cheap journeys!?", before rallying behind them.
As for your situation Prague, I can't remember if I posted my thoughts at the time - but I remember feeling pretty pissed off on your behalf. I would suggest that the fact your card details were not stolen actually makes it a bigger issue for them, as it was your Uber account itself which was compromised. Specifically, I seem to recall you mentioned tracking the journey on your own phone whilst you were in Prague and the journey was in the UK. Two things that hit me were:
- The Uber app clearly makes no attempt to verify that the client handset belongs to the account holder (i.e via associating the IMEI number of the handset with the Uber account);
- The Uber app doesn't deem two concurrent authentications from two different countries as being suspicious;
Which I find quite surprising, as Uber are pretty generous in the Bug Bounty programmes. (i.e Where they pay people if they can identify bugs and/or security vulnerabilities in their app)
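The two checks listed above (an unrecognised handset, and concurrent logins from two countries), sketched as an added example that is not part of the original post and is not Uber's code. The event fields, the 12-hour session window and the sample data are assumptions.

```python
from datetime import datetime, timedelta

# Assumption: a login is treated as a live session for this long.
SESSION_TTL = timedelta(hours=12)

def flag_suspicious_logins(events, known_devices):
    """Return (event, reasons) pairs for logins that should get step-up checks.

    events: dicts with hypothetical fields account, time, country, device.
    known_devices: {account: set of device ids already trusted}.
    """
    flagged, active = [], {}  # active: account -> [(time, country), ...]
    for ev in sorted(events, key=lambda e: e["time"]):
        acct, reasons = ev["account"], []
        # Keep only sessions that are still inside the TTL window.
        recent = [(t, c) for t, c in active.get(acct, [])
                  if ev["time"] - t <= SESSION_TTL]
        elsewhere = {c for _, c in recent if c != ev["country"]}
        if elsewhere:
            reasons.append("concurrent session in " + ", ".join(sorted(elsewhere)))
        trusted = known_devices.setdefault(acct, set())
        if ev["device"] not in trusted:
            reasons.append("unrecognised device")
        if reasons:
            flagged.append((ev, reasons))
        else:
            trusted.add(ev["device"])  # only clean logins extend trust
        recent.append((ev["time"], ev["country"]))
        active[acct] = recent
    return flagged

# Constructed sample data: account holder in CZ, second login from GB.
T0 = datetime(2020, 1, 1, 9, 0)
SAMPLE_EVENTS = [
    {"account": "user-1", "time": T0, "country": "CZ", "device": "phone-A"},
    {"account": "user-2", "time": T0 + timedelta(minutes=15),
     "country": "GB", "device": "phone-B"},
    {"account": "user-1", "time": T0 + timedelta(minutes=90),
     "country": "GB", "device": "phone-X"},
    {"account": "user-2", "time": T0 + timedelta(hours=30),
     "country": "FR", "device": "phone-B"},  # old session expired, known phone
]

def demo():
    known = {"user-1": {"phone-A"}, "user-2": {"phone-B"}}
    return flag_suspicious_logins(SAMPLE_EVENTS, known)

if __name__ == "__main__":
    for ev, reasons in demo():
        print(ev["account"], ev["country"], ev["device"], reasons)
```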
My situation has got worse tonight, to the point I've had to flat out tell them I've got no other option but to take my business elsewhere.
Until I tried to log in this evening to see if an invoice had been paid... and I couldn't log in. I rang Santander up and was told my account had been locked due to too many failed attempts; I've never failed before and even got my girlfriend to check the details I was entering tonight. I asked the lady on the phone when the failed login attempts were; and she said yesterday. Uh oh..
I was told I'd have new security details sent out as soon as possible, and they should arrive within 6 working days. Until then I can't use online banking and I still don't have a debit card; so I can't even check my balance and view recent transactions from an ATM. I asked if I could do banking in person, and was informed that "No - as a business account holder you don't have a branch, so can't maintain your account in branch.".
I asked about telephone banking: "No, to authenticate with Telephone Banking you need the details that we're sending you by post.". I asked about closing the account: that takes 3 working days.
In short I told her I'd most likely have to leave Santander, as in the words of their security team - I needed increased visibility on my account at the moment to ensure there were no other dubious transactions. Here she is, telling me that someone has tried to log in to my account but that I'll have no visibility for up to another 8 days. I have no way of paying anyone, I have no way of ensuring invoices are paid, and I can't even service the account in branch. Ultimately, I'm locked out at the one time I need to keep an eye on it.
I totally understand that from Santander's point of view, they have to take measures in circumstances to prevent this getting any worse with whoever is trying to fraud you. However, as it's a business account you have with them, I am very surprised that there isn't a way in their protocol for you to go into a branch, in a room which deals with these things, with proof of who you are, for you to at least see what's going on with your own money and situation.
Unfortunately, as has been said, fraud online is growing every day no matter how much people and companies do, there are always new things people are coming out with of compromising any personal data that they can get their hands onto.
It's a lesson to us all that we must take extra caution with things in future. The world is becoming more and more technology based, and with that becomes more opportunities for these people. I am just sorry it's happened to you in this way that's ultimately going to make you even more security cautious.
Good luck and I hope it gets properly sorted out soon.
If not, why not- you tight git.