UK National Lottery data breach: Fingers crossed – it might not be you

Cyber criminals appear to be using passwords and email addresses from previous breaches to gain access to 26,000 online UK National Lottery accounts. Camelot, the company behind the National Lottery, detected the scam and subsequent attempted frauds and responded by locking down accounts, triggering compulsory password resets …

  1. Chazmon

    I wonder if we could crowd source a list of large companies which have not suffered some kind of breach or hack to date.

    Not for reasons of consumer advice, more so we can run a sweepstake on who will fall over next!

    1. Anonymous Coward

      I don't think we can really say that Camelot/National Lottery have suffered a breach or hack. There was no vulnerability in their system that allowed access. This is down to user error for using the same password in two places, and potentially in a way the fault of the company who suffered the original hack elsewhere for not locking things down.

      I've seen a lot of the media referring to this as a breach on the National Lottery side in their headlines which I don't think is quite accurate.

  2. Nick Gisburne
    Pirate

    Watch out for the spam

    Next up, the hordes of spammers telling you 'your lottery account has been compromised, please log into this entirely genuine server and type in your real details'. Which will probably catch out more people than the original breach.

    1. Sir Runcible Spoon

      Re: Watch out for the spam

      Oddly enough I recently got an email from them notifying me my account would be closed in 3 years' time as I hadn't logged in for over two years!

  3. Anonymous Coward
    Joke

    Jackpot !

    See title...

  4. Halfmad

    Credit where it's due

    This seems to have been dealt with quickly and openly by Camelot.

    You could say they've been a knight in shining armour for many victims..

    *boom tish*

    1. Lee D

      Re: Credit where it's due

      I still think we need to get everyone there round a table...

    2. tfewster

      Re: Credit where it's due

      Nah, they're living in the dark ages. Chivalrous, but not wizards.

    3. Mutton Jeff

      Re: Credit where it's due

      They may be knights of the round table, but are they able?

      1. Just Enough

        Re: Credit where it's due

        Tis a silly place. They reuse passwords across multiple sites there.

      2. annodomini2

        Re: Credit where it's due

        Ni!

  5. cmannett85

    Use a bloody password manager!

    1. paulf
      Alert

      @ cmannett85 "Use a bloody password manager!"

      This is the core of the problem, only emphasised by this FTA: "Ollie Whitehouse, technical director at NCC Group, added: 'This latest hack is yet another example of why people should use different and strong passwords for all online accounts due to the lack of transparency with regards to how they are held.'"

      Every site expects people to register before they can use it (it's unusual to find a website that allows express checkout without registering, as that would stop their data harvesting impair the user experience), you're expected to use a completely different password for each site, and every password must contain a capital, a lower case, the number you first thought of, a punctuation mark, an emoji, and what you did last summer. People are looking at 50-100 passwords just for the regularly used parts of their online time (possibly many more), all of which are near impossible to remember, so is it any wonder they pick one "strong" password (as determined by the misguided password policy on the most cantankerous site they use) and reuse it elsewhere? It may help to use a different email address for each site, but that is a lot to manage for many people and strays into security/obscurity territory.

      Password managers are helpful, and I believe most of the major browsers offer some kind of "remember my password" functionality (Safari, Firefox, IE, not sure about others), but one breach of the password manager exposes the whole bloody lot. Perhaps the most secure password manager is a small notebook in a kitchen drawer?

      My concern is that these kinds of things push people towards third party authentication, e.g. login with your Facebook account. The idea that Zuck becomes the password gatekeeper to the interwebz is just too horrific, not just because it also concentrates the target into one place - crack a Facebook account and get access to everything. Facebook only keep things private if it suits them, and telling them you log into Amazon, your mobile provider, your telly provider and your utility on a regular basis would be music to his wallet.

      I'll leave it to someone else to dig out a link to the XKCD cartoon about passwords.

  6. Anonymous Coward

    I've just won 10 mellionnnnn

    I've won a big prize, just waiting for my winner's fee to be processed, and after that there is some sort of delivery fee for the courier. Posting anon because I don't want any begging letters.

    1. Banksy

      Re: I've just won 10 mellionnnnn

      Can you lend me a tenner?

  7. Gezza

    Isn't it ironic, don't you think?

    The chances of having your nat lot account hacked versus the chances of winning anything.

    1. Anonymous Coward

      Re: Isn't it ironic, don't you think?

      From what I've read so far the accounts weren't hacked into. The problem is the original company who were hacked, in conjunction with users not having a unique password for each site. Looks like Camelot just had the right checks in place to look for suspicious behaviour (such as logins from multiple countries etc.).
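The kind of check the comment above describes, as an added example that is not Camelot's code nor anything from the article: it runs two credential-stuffing detections over a few constructed login log lines (one account logging in successfully from more than one country in a short window, and one source address trying many different accounts), then lists the accounts that would be locked and forced through a password reset. The log format, field names, thresholds and addresses are all assumptions made for the example.

```python
"""Toy credential-stuffing detector over constructed auth log lines.

Added example, not Camelot's code. The 'ts key=value ...' line format,
the thresholds and the RFC 5737 documentation addresses are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one user logs in from GB then RU five minutes
# later, and one address (192.0.2.44) walks through six accounts.
SAMPLE_LOG = """\
2016-11-28T20:00:00Z user=alice@example.test ip=203.0.113.10 country=GB result=success
2016-11-28T20:02:00Z user=bob@example.test ip=198.51.100.7 country=GB result=success
2016-11-28T20:05:00Z user=alice@example.test ip=192.0.2.44 country=RU result=success
2016-11-28T20:05:10Z user=carol@example.test ip=192.0.2.44 country=RU result=failure
2016-11-28T20:05:12Z user=dave@example.test ip=192.0.2.44 country=RU result=failure
2016-11-28T20:05:15Z user=erin@example.test ip=192.0.2.44 country=RU result=failure
2016-11-28T20:05:20Z user=frank@example.test ip=192.0.2.44 country=RU result=success
2016-11-28T20:05:25Z user=grace@example.test ip=192.0.2.44 country=RU result=failure
2016-11-29T09:00:00Z user=bob@example.test ip=198.51.100.7 country=GB result=success
"""


def parse_line(line):
    """Parse one 'ts key=value ...' line into a dict; ts becomes a datetime."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def multi_country_logins(events, window=timedelta(hours=1)):
    """Accounts with successful logins from more than one country inside
    `window`. Returns {user: sorted list of countries seen}."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            countries = {first["country"]}
            for later in evs[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break
                countries.add(later["country"])
            if len(countries) > 1:
                flagged[user] = sorted(countries)
                break
    return flagged


def spraying_sources(events, min_accounts=5, window=timedelta(minutes=10)):
    """Source IPs that attempted logins to at least `min_accounts` distinct
    accounts inside `window`. Returns {ip: (accounts, failures, successes)}."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            users, fails, succ = set(), 0, 0
            for e in evs[i:]:
                if e["ts"] - first["ts"] > window:
                    break
                users.add(e["user"])
                if e["result"] == "success":
                    succ += 1
                else:
                    fails += 1
            if len(users) >= min_accounts:
                flagged[ip] = (len(users), fails, succ)
                break
    return flagged


def analyse(text):
    """Run both detections and derive the accounts to lock and reset:
    any account that logged in successfully from a flagged source, plus
    any account with multi-country logins."""
    events = parse_log(text)
    sources = spraying_sources(events)
    multi = multi_country_logins(events)
    reset = set(multi)
    for e in events:
        if e["ip"] in sources and e["result"] == "success":
            reset.add(e["user"])
    return {"multi_country": multi,
            "spraying_sources": sources,
            "accounts_to_reset": sorted(reset)}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(key, value)
```

Both detections are deliberately simple sliding windows; a production system would also weigh user-agent churn, known-proxy ranges and per-account baselines, but the point is that the signal lives in the authentication log, not in any vulnerability in the site itself.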

  8. Anonymous Coward

    No card data? Think again

    The statement said "We do not hold *full* debit card or bank account details". Which implies partial is held and has probably been accessed. Not enough in itself to take money from your account but easily enough, combined with other info, for a social engineering attack ("your credit card, last four numbers 1234? Postcode xy12 6zx? Can you give us your PIN number to confirm?" (well probably more subtle than that but I am not a phisher))

    1. paulf

      Re: No card data? think again

      I call BS on Camelot on this one. They must store all the card data they're allowed to because it's possible to register a card for all future deposit/withdrawals of money to/from a NL account. They have all the details except the CVC (I think PCI DSS forbids them from storing this in any way) so they just ask the amount and the CVC then process the transaction.

  9. Anonymous Coward

    Just checked my account...

    They show last 3 digits and the expiry month and year.

    There's also full name and address, mother's maiden name, and full date of birth.

    Good thing I use a password manager...

  10. Christopher Rogers

    So I have a 3 mobile and a lottery account. Good job I don't use TalkTalk broadband ffs.

  11. Stevie

    Bah!

    All your Premium Bond are belong to lightbulb.

  12. Graham Marsden
    Facepalm

    Meanwhile, of course...

    ... all the data which will now be collected on your Internet Browsing Habits and all the Age Verification records collected by porn sites to prove that you are over 18 will be *entirely* secure because the Government says they will be and we know we can trust them, can't we, boys and girls...?

  13. Captain Badmouth
    Holmes

    Lottery log-in

    Only recently Camelot have changed the log-in process so that now you can log in with your email address or user name instead of your user name only.

    What a coincidence.

  14. EnviableOne

    When will organisations learn

    "We do not hold full debit card or bank account details in National Lottery players’ online accounts and no money has been taken or deposited. However, we do believe that this attack may have resulted in some of the personal information that the affected players hold in their online account being accessed."

    You can cancel and get a new credit card or bank account, but you get one DOB and mother's maiden name, which can never be changed; it takes a while to change address, and it's on file for years; and although you could change your name, nobody really wants to be called Princess Consuela BananaHammock.

    Personal data is more sensitive than payment info!

    1. Captain Badmouth
      Paris Hilton

      Re: When will organisations learn

      Who the hell uses their real mother's maiden name on these sites? Good luck to anyone using "Schubert"* to access any of my accounts.

      * Not her real maiden name and not one I've used in that context.

      Paris? ooh, I dunno, perhaps....
