@mgrolf, I've noticed one dodgy transaction on a stored card. I haven't booked with BA in about a year, but the night before this was announced I spotted a strange transaction and called AMEX straight away, who were oddly relaxed (and even more oddly wanted to wait, very unusual as they normally spot these before I do)!
So in short I cancelled the card and already have the new one in my possession!
|
I booked BA flights in the key period but haven't noticed anything abnormal on my account. Santander now has a banner when I log on to my banking basically saying they're aware of the breach but don't do anything yet.
|
Quote: |
Hmm. Asking you to do anything time limited, with rewards for acting quickly or penalties for non-response? Tread carefully as the spam/scam emails quickly follow publicised breaches...
|
This.
If you are concerned, the best action is to contact your card issuer and let them cancel/reissue your card. Your issuer can mark your account to be watched for evidence of suspect transactions.
As of about 11 o'clock this morning, Visa were apologising to us that they didn't yet have the list of all affected cards from BA and its acquirer. Usually, and in the recent cases of Ticketmaster and Dixon's, we get the list of affected cards before the incident hits the news and can begin identifying affected customers before they hear about it on the news.
|
jedster wrote: |
You know I normally don't leave CC details on a website. Bought flights recently from BA and they made a point of telling me that it was safer to leave my details in their system than enter it each time. The absolute morons. |
Yes, I too was asked but declined. It is something I rarely do.
|
tomj wrote: |
If you are concerned, the best action is to contact your card issuer and let them cancel/reissue your card. Your issuer can mark your account to be watched for evidence of suspect transactions. |
I asked Lloyds to flag my card and got a negative response. Not something they do. Gotta watch my account myself!
|
"Bought flights recently from BA and they made a point of telling me that it was safer to leave my details in their system than enter it each time. The absolute morons."
Hate to say it, but they were correct. It appears that only newly-input data was hacked.
|
@mitcva,
Quote: |
"Bought flights recently from BA and they made a point of telling me that it was safer to leave my details in their system than enter it each time. The absolute morons."
Hate to say it, but they were correct. It appears that only newly-input data was hacked.
|
Not quite, I haven't bought flights for around a year with BA and mine appears to have been compromised
|
@mitcva,
Quote: |
It appears that only newly-input data was hacked.
|
No, mine was already input (or, at least, I got the email from BA implying that mine was at risk).
|
I had the warning email. Twice. I had paid a balance of a BA holiday booking in the time period quoted. It was using a stored card, so only thing entered was CVV number. Have rung bank and they (RBS) just told me to monitor. I think it will be a bit yet until we know what really got compromised.
|
Interesting to note that if you used Apple Pay to make your booking via the BA app your data was not compromised. Lesson for the future.
|
rob@rar wrote: |
Interesting to note that if you used Apple Pay to make your booking via the BA app your data was not compromised. Lesson for the future. |
Only because the hackers didn't get to it this time.
PayPal accounts are also ok, but address details may have been lost.
No reason to presume Apple Pay would be any safer in another event.
|
nelly0168 wrote: |
No reason to presume Apple Pay would be any safer in another event. |
I'm no expert, but I thought that Apple Pay payments (same for Google Pay?) replaced credit card information with a one-time token, so even if that token was intercepted it wouldn't be any use.
|
Yeah, Apple Pay uses tokens instead, no card details are transmitted.
|
rob@rar wrote: |
nelly0168 wrote: |
No reason to presume Apple Pay would be any safer in another event. |
I'm no expert, but I thought that Apple Pay payments (same for Google Pay?) replaced credit card information with a one-time token, so even if that token was intercepted it wouldn't be any use. |
I have to confess, I knew nowt about Apple / Google Pay until your post - had a good look last night and I retract what I said.
I have now set up my Google Pay account and will use it soon - cheers!
|
How does Google Pay - at the same time - issue tokens and give you the ability to use your phone as a touch card?
|
Seems a few weeks before the hack started, BA had informed their Cyber security teams that the majority of their roles were being outsourced to IBM.
So either their CySec team wasn't up to snuff, or was so swamped with issues that this slipped through the net... Or perhaps it's a disgruntled tech turned from white hat to black hat.
|
@Richard_Sideways, discussing this very fact round the lunch table yesterday, as BIL works for BA. As he booked flights through staff travel and paid airport taxes for them, he has also been affected by the hack. Someone did venture this theory. As he said 'you may think so, I couldn't possibly comment'.
|
jedster wrote: |
You know I normally don't leave CC details on a website. Bought flights recently from BA and they made a point of telling me that it was safer to leave my details in their system than enter it each time. The absolute morons. |
There's no need to call people morons. It appears that the card details have been leaked while they were being entered into BA website. Customers who have previously stored their card details with BA don't need to re-enter them, and therefore would not have had their card details compromised by this breach.
If the attackers had instead used a different attack and targeted stored card details then the opposite would be true (stored details would have been compromised, non-stored cards might have been fine). It's hard to say which of storing or not storing your details is more secure because they are vulnerable to different attacks, and you don't know how good the defences are against each attack.
|
@rob@rar,
have you thought about switching to SPG amex?
Now the merger with Marriott, the travel package offers might suit you
7 nights accommodation + 55k airmiles start at 255,000 points.
You collect 3 points per £1 on the card.
Another offer is 5 reward nights for the price of 4.
Off to Austria in December. 5 nights for 60,000 points. Flights are £65 each. Parking at the airport £40. Cheap trip!
|
Mr.Egg wrote: |
@rob@rar,
have you thought about switching to SPG amex?
Now the merger with Marriott, the travel package offers might suit you
7 nights accommodation + 55k airmiles start at 255,000 points.
You collect 3 points per £1 on the card.
Another offer is 5 reward nights for the price of 4.
Off to Austria in December. 5 nights for 60,000 points. Flights are £65 each. Parking at the airport £40. Cheap trip! |
At the moment the BA-Amex card works well for us. I have looked at the SPG version, but the BA-Amex Premium Plus is a better fit with how we earn Avios. We get 1.5 Avios per £ spent, and a Companion Voucher (valid for 2 years) issued when we cross the £10K spending threshold. Add in some Avios points from our Tesco Clubcard and we have enough Avios to book business class or first class flights each summer, usually to the USA. I've just booked for next summer, First Class to LA, Club World back from San Francisco. Doesn't involve much of a change in our spending behaviour and makes the start and end of our holiday a bit more luxurious just for the cost of the taxes (typically half the price of an economy ticket).
|
Hurtle wrote: |
How does Google Pay - at the same time - issue tokens and give you the ability to use your phone as a touch card? |
When you hold your phone over the merchant's terminal it knows that you're using your phone, so it can treat the transaction slightly differently. Your phone doesn't pass on your actual card details, it creates a virtual card and passes that on instead. If the merchant is compromised, then it is the virtual card that gets leaked, but it can't be used by the hackers.
|
@thelem, thank you.
|
@rob@rar,
It's worth checking - even if it's just a case of hitting the easy bonus targets.
Got 2 nights in SF Westin Central Square on reward rooms & paid for the other 2.
Prices were different on all 4 nights! So the 2 most expensive nights were paid for by points & saved us over £500 + a free room upgrade (because of the card) & breakfast through status.
(yes you can save more on miles - but this was purely done on just hitting the bonus targets).
30,000 points + an extra 9 if you recommend yourself + 1000 to hit the spend limit = 40k points. (always self refer - you can choose a different card if you wish!)
Wash & repeat for the other half = 80k points. Enough for 1-3 nights depending on hotel of choice!
I'm already sitting on 200k Avios with no plans to use them for a while! Will start card recycling soon. I've not had BA for a while & still a few months to wait before I recycle for gold bonus again.
|
If you’re concerned about entering credit card details, Revolut (only premium at the moment, I believe) allows you to generate a disposable virtual card. Every time you use it the card number gets binned and a new one is generated, so anyone intercepting your card details can’t use them.
|
Mr.Egg wrote: |
It's worth checking - even if it's just a case of hitting the easy bonus targets.
Got 2 nights in SF Westin Central Square on reward rooms & paid for the other 2.
Prices were different on all 4 nights! So the 2 most expensive nights were paid for by points & saved us over £500 + a free room upgrade (because of the card) & breakfast through status.
(yes you can save more on miles - but this was purely done on just hitting the bonus targets).
30,000 points + an extra 9 if you recommend yourself + 1000 to hit the spend limit = 40k points. (always self refer - you can choose a different card if you wish!)
Wash & repeat for the other half = 80k points. Enough for 1-3 nights depending on hotel of choice! |
That doesn't work for us. Not much interested in getting free hotel nights. We need to have a card which offers a companion voucher as we normally save 100,000 to 150,000 Avios per year which isn't enough for two business class tickets for our summer holiday. If it's Avios you're interested in to use for flights the BA-Amex card is the best option right now.
|
rob@rar wrote: |
Mr.Egg wrote: |
It's worth checking - even if it's just a case of hitting the easy bonus targets.
Got 2 nights in SF Westin Central Square on reward rooms & paid for the other 2.
Prices were different on all 4 nights! So the 2 most expensive nights were paid for by points & saved us over £500 + a free room upgrade (because of the card) & breakfast through status.
(yes you can save more on miles - but this was purely done on just hitting the bonus targets).
30,000 points + an extra 9 if you recommend yourself + 1000 to hit the spend limit = 40k points. (always self refer - you can choose a different card if you wish!)
Wash & repeat for the other half = 80k points. Enough for 1-3 nights depending on hotel of choice! |
That doesn't work for us. Not much interested in getting free hotel nights. We need to have a card which offers a companion voucher as we normally save 100,000 to 150,000 Avios per year which isn't enough for two business class tickets for our summer holiday. If it's Avios you're interested in to use for flights the BA-Amex card is the best option right now. |
Just pointing out some options. I flip my cards regularly between the various Amex on offer & hotel/airline cards (you can hold 2x Amex cards at once). Easy to trigger bonuses, etc.
FWIW, Virgin Atlantic CC also now does 2-4-1 vouchers. Can sometimes be cheaper in miles & taxes.
|
Hells Bells wrote: |
@Richard_Sideways, discussing this very fact round the lunch table yesterday, as BIL works for BA. As he booked flights through staff travel and paid airport taxes for them, he has also been affected by the hack. Someone did venture this theory. As he said 'you may think so, I couldn't possibly comment'. |
When I became aware of the B.A issue v early on, I mentioned it to cabin crew offspring immediately. She said she was already aware and that staff travel wasn't affected (she has booked me on a trip coming up and done it within the stated period).
Might get her to revisit that statement in light of above as it wouldn't surprise me if she got it wrong. I might be doing her a disservice mind.
|
Mr.Egg wrote: |
fwiw virgin atlantic CC also now does 2-4-1 vouchers. Can sometimes be cheaper in miles & taxes. |
I'd like to try Virgin's Upper Class, haven't flown with them for years and years. But I have a legacy conversion rate Tesco -> Avios, so I get a better deal (25% better) if I convert to the BA scheme rather than Virgin. From what I understand, the Virgin companion voucher gives you an additional seat if you pay for one, rather than using miles? With BA the companion voucher works if you use Avios to book your seats, so much cheaper than paying for one with Virgin and then getting another for free. I'm also on a legacy rate for the BA-Amex card (£60 rather than £190) because I've been with them for a long time and I have a couple of other Amex cards, so changing from that wouldn't make much sense for me. Appreciate the info, though.
|
thelem wrote: |
jedster wrote: |
You know I normally don't leave CC details on a website. Bought flights recently from BA and they made a point of telling me that it was safer to leave my details in their system than enter it each time. The absolute morons. |
There's no need to call people morons. It appears that the card details have been leaked while they were being entered into BA website. Customers who have previously stored their card details with BA don't need to re-enter them, and therefore would not have had their card details compromised by this breach.
If the attackers had instead used a different attack and targeted stored card details then the opposite would be true (stored details would have been compromised, non-stored cards might have been fine). It's hard to say which of storing or not storing your details is more secure because they are vulnerable to different attacks, and you don't know how good the defences are against each attack. |
They are morons for claiming it's SAFER to leave card detail in their system! It's extremely unlikely to be any safer!
Unless of course, if they KNEW their company's defense in stored data is excellent but leaves large hole of known vulnerability undefended.
|
@Cinsha, BIL (who is in IT) was told otherwise.
|
@rob@rar, Virgin Upper is fab. Lounge is much better at Heathrow...well compared to BA business, never been in first class.
|
@Little Martin, wow.
These boys seem to know their stuff.
|
@Mr.Egg, yeah, your man there is/was suggesting a token system as mentioned above which is more secure than a direct card transaction but they are a PITA to implement and get adopted by customers who are, as seen above, inherently mistrustful of storing banking details on the ol' interwebs.
@Little Martin, that new info on the breach method and the deep knowledge you'd need to inject it clearly reeks of insider.
|
@Little Martin, I have zero understanding of these things, but I’m shocked that they don’t have a way of checking whether their pages have been modified as you suggest. Is that something which is easy to implement?
|
Well it seems that the state of infosec inside BA was pretty rough and that's before they announced they were being outsourced.
|
@rob@rar, from a basic point, it's a hash/checksum of the file compared with a known hash of a file - the known hash could be generated on file deployment, a script would then just look at the files, get the hash and compare it. Notify of any differences. This is basically how some rootkit hunters run on Linux, so it wouldn't be that difficult to add the web files in, imho, or script your own code.
Something more complicated could be looking at the differences in the code itself vs a copy of the code held elsewhere - this could be in source control or another dir.
Something like the library file they used in the hack, chances are it wouldn't change that often unless you needed to support a particular feature, so both these methods would have picked this up I would have thought.
|
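The two checks described in the last post (hashes recorded at deployment, and a line-level comparison against a copy held elsewhere), as an added example that is not code from the thread or from BA. The directory layout, file names and the appended line are constructed, and it assumes the baseline and the reference copy live somewhere the web server cannot write.

```python
import difflib
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report files that changed, appeared or disappeared since the baseline."""
    return {
        "modified": sorted(f for f in baseline.keys() & current.keys()
                           if baseline[f] != current[f]),
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
    }


def added_lines(reference: Path, deployed: Path) -> list[str]:
    """Lines present in the deployed file but absent from the reference copy."""
    diff = list(difflib.unified_diff(
        reference.read_text().splitlines(),
        deployed.read_text().splitlines(),
        lineterm="",
    ))
    # The first two entries are the '---' / '+++' file headers; skip them.
    return [line[1:] for line in diff[2:] if line.startswith("+")]


def demo() -> tuple[dict[str, list[str]], list[str]]:
    """Constructed scenario: a deployed script library gains extra lines."""
    with tempfile.TemporaryDirectory() as tmp:
        reference, webroot = Path(tmp, "reference"), Path(tmp, "webroot")
        for root in (reference, webroot):
            (root / "js").mkdir(parents=True)
            (root / "index.html").write_text("<script src='js/lib.js'></script>\n")
            (root / "js" / "lib.js").write_text("function lib() { return 1; }\n")
        baseline = build_manifest(webroot)  # recorded at deployment time
        # Constructed change: text appended to the library, plus a new file.
        with (webroot / "js" / "lib.js").open("a") as f:
            f.write("/* unexpected code appended after deployment */\n")
        (webroot / "js" / "extra.js").write_text("// not part of the release\n")
        report = compare(baseline, build_manifest(webroot))
        extra = added_lines(reference / "js" / "lib.js", webroot / "js" / "lib.js")
        return report, extra


if __name__ == "__main__":
    report, extra = demo()
    print(report)
    print(extra)
```

The hash comparison only says which files differ; the diff against the reference copy shows what was added, which is the part someone has to read before deciding whether it was a legitimate release.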