back to article Dixons Carphone 'fesses to mega-breach: Probes 'attempt to compromise' 5.9m payment cards

Retailer Dixons Carphone has gone public about a hack attack involving 5.9 million payment cards and 1.2 million personal data records. In a statement (PDF), Dixons Carphone said that "unauthorised access" of data held by the company had prompted an investigation, the hiring of external security experts and efforts to shore up …

Devil

Re: Useful fallbacks

I always use anon@y.mo.us I don't think I've had any sites reject that email address.

1
0

Re: Useful fallbacks

spamgourmet.com

1
0
Silver badge

Re: my domain has as many addresses as I want

Same here. I've set up a special account for that kind of situation : spam@mydomain.net

I use that in response to any question and for online subscriptions that I do not intend to follow but have to sign up to get what I'm looking for.

Needless to say : all mail going into that account is immediately trashed.

4
0
Silver badge

Re: Me feeling happy ...

"I do that as well - for the instances where they, reasonably, do need an email address. Running my own MTA means"

Well, technically, I do run my own MTA. The fact that almost all the email that I *WANT* to receive ends up in a bog-standard commercial webmail account is neither here nor there (and anything addressed direct to that account only that didn't come from my MTA? Spam).

The fact is that I can switch it out any time I like to ANY destination, I can give people addresses (e.g. myfriend@mydomain.com, which forwards to his weird ISP-specific email), and I can filter at a level above what those providers do (e.g. all my email is greylisted for 5 minutes, etc. all the "misused" addresses go straight to the bin, and I can do tricks like "this is a valid email because it fits my rules on how many vowels each of my emails should have / what the number in the email should checksum to" so that even being able to make up emails doesn't give OTHER PEOPLE the ability to just make them up and spam me - I get a surprising amount of usernameusername@mydomain.com and even partial /corrupted usernames where the database obviously didn't line up correctly in their mailshot).

But once set up, the personal effect is "log into my normal webmail, have no spam, can tell if an email was GENUINELY from paypal in seconds because only paypal know what the paypal address they have this year actually is".

1
1
Silver badge

Re: Useful fallbacks

root@warez.bofh.org.uk is always a good one. That particular domain registration thing was done several times in the past for comic effect, but warez.bofh.org.uk is the only one left that I know of.

0
1

Re: my domain has as many addresses as I want

I use company@mydomain.net, e.g. register@mydomain.net, or dixons@mydomain.net. Then if I get spam to a particular address I know who to blame.

2
1
Silver badge

Re: Me feeling happy ...

I've had this several times, the most recent was at a Jurys Inn where they said I had to give an email. I asked them why, and she said they needed it incase they had to contact me while I stayed in the hotel. So I told her I'm in my room all night to sleep, so if you need me knock on the door. You know what room I'm in.

I own my own domain too and give out unique email addresses to individual companies that ask for one and that I deem worthy. I made a stay at a hotel in the UAE who did need my email because there was an issue that remained unresolved as we were checking out. I made damn certain that I indicated that I did not want to be contacted by third parties or have my details sold. I received an email from some business in the same country to that address and I was unimpressed. Called the hotel and spoke to the switchboard and had a nice girl there explain that whilst I might think that I'd received it because it was from the same country it probably wasn't anything to do with the hotel.

Her: "Loads of people have your email address right?"

Me: "No only you have that particular address"

Her: "We wouldn't pass on your details if you told us not to. Are you sure?"

Me: "Yes because the email address is yourhotelchain@mydomainname.com, it is unique to you and I haven't given it to anyone else because I've never stayed at your chain before!" (and won't again after this).

Her: "Oh, I'm not sure who to transfer your call to."

Me: "Well as I made sure I told you I don't want any contact from you and I've been sent something maybe your head of (IT) data security?"

Her: "I'm not sure I know who that is, why them?"

Me: "Because if you really haven't sold/passed on my details then I would suspect you've got a problem somewhere with your computers/data."

Her: "I think all the IT people have gone home can you call back tomorrow?"

3
1

Re: Me feeling happy ...

I have my own domain

I give each "requester" their own email address composed from their domain [theregister@mydomain.com]

From then on it's trivial to identify "requesters" who have been compromised - their emails are also usually flagged by my provider's spam detection software and:

- cease dealing with them

- blacklist any email using the compromised details

Easy peasy

0
1
Silver badge

Heart of our business?

"The protection of our data has to be at the heart of our business"? Who do they think they're fucking kidding!? At the heart of their business is conning people into buying shit they don't need when they buy a laptop, such as the laptop itself, norton virus, ms office etc. and persuading people to buy an insurance policy that costs half as much as the original item. Also right in the fucking dead centre of their business is refusing to honour said warranties and refusing to refund for faulty items. There Dixons Carphone Group - fixed that for you.

21
0
Anonymous Coward

Yet another Charles Dungstone data breach, you would have thought he might have learnt by now but evidence points to the contrary. The only way to teach him is by fining him personally.

2
0
Silver badge

The only way to teach him is by fining him personally.

He's got so much money any feasible fine wouldn't hurt. I say strap the pudgy faced public schoolboy into a device with his legs apart, and administer a public kick to the bollocks for each item of data lost. Obviously that's a lot of kicks, so each individual whose data was lost would have the right to place their own kick, or to "kick by proxy", nominating somebody like Johnny Wilkinson to do it for them. Mr Wilkinson's fee could be stuffed to Dunstone.

0
0

Timing is interesting for me

I had two spear phishing phone calls last week, never happened before. Knew my name and address, avoided saying who they were, tried to get me to confirm my ID.

How can we find out if we were pwned?

1
0
Meh

Re: Timing is interesting for me

I'm not sure, Pat, what's your number?

16
0
Bronze badge

Re: Timing is interesting for me

There are a small but annoying number of genuine corporate callers who are so paranoid about data breaches they don't identify themselves until you pass their DPA checks.

Theory is that if they have the wrong number, they don't reveal that you have an account with who-ever they are. It's painful to deal with, and teaches people to give up their personal details to unidentified callers.

1
0

Re: Timing is interesting for me

I take the view that any phone call, email, text, IM etc is utterly ignorable. If I'm wrong and it's important, they'll keep trying and find a better way to reach me, ideally by a hand-written letter.

I've always felt phone calls are very one-sided arrangements; one person somewhere else decides it's time for me to have a conversation with them. Very often they are wrong.

I am Ron Swanson.

8
0
Silver badge

Re: Timing is interesting for me

Them: "Can I get some security information before we proceed?"

Me: "Can I ask you a question first?"

Them: "Well ..."

Me: "If I did have an account with you, what would be your advice about sharing security information with unknown people?"

They: "Oh, you should never do that"

Me: "Thought so. Goodbye"

7
0
Silver badge

How do I find out if i’ve been pwned?

https://haveibeenpwned.com/

1
0
Silver badge

Our investigation is ongoing and currently indicates that there was an attempt to compromise 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel stores

Why are you storing card details?

"We are extremely disappointed and sorry for any upset this may cause,"

We are extremely disappointed in your company too.

The one question is why did it take you so long to announce the breach? Did you just forget?

7
0
Silver badge
Facepalm

How did the ne'er-do-wells manage to gain entry in order to milk the data?

My reasoning - if the system is properly secured at the perimeter, then only three ways -

1. Email with malware attachment

2. Disgruntled employee

3. Bad field technician

1
1

Front door of building? They're unlocked most of the time.

1
0
Anonymous Coward

I can think of a half dozen other ways

starting with their online shop but most breaches are staff or former staff related.

1
0

Define properly secured at the perimeter. And bear in mind I was reading a paper today about how to bypass the akamai waf during a exploitation (I'm a offensive security bod before the mob tries to lynch me). The point being, that info is freely available on the net if you know where to research and both sides of the game have it. If you've evaded the waf, your attack will look like normal web traffic anyway if you get it to dump out via the same web server as a response unless you set off a sensor getting it to throw a reverse shell via a port or similar.

0
0
Silver badge

How did the ne'er-do-wells manage to gain entry in order to milk the data?

How does any director gain access to the building he works at? We should consider that the attackers were doing what they do best, finding a weakness and preying on it. As such we should consider that they might qualify as "professionals". Dixonscarphonedoghouse on the other hand were screwing up as usual, so the term "ne'er-do-wells" is probably best applied to their bungling management.

0
0

Perhaps I need a forwarding email address for every shop

As an interesting long term experiment, it would be good to setup a forwarding email address for every shop that insists an email address. e.g. Mountain Warehouse, Go Outdoors, PC World, etc.

Then when I get some of those spam emails or emails appearing on pwned, I know where the leak came from.

4
0
Anonymous Coward

Re: Perhaps I need a forwarding email address for every shop

If you have a... yes, Yahoo email address you can set up disposable addresses based on a common id, for example, your common id is abcdef, so an email address would be dixons-abcdef@yahoo.whatever. You can then set that address (up to 100) for each place you shop at then drop it once comprimised.... I did the above several years ago and only have about 10 left now our of the 40 or so I ended up creating. I does take some patience though.

1
1
Silver badge

Re: Perhaps I need a forwarding email address for every shop

Aren't yahoo accounts compromised on creation?

8
0
Silver badge

Re: Perhaps I need a forwarding email address for every shop

A lot of web forms incorrectly reject it but a "plus form" address (RFC2822) is what you are looking for.

yourname+anythingyoulike@yourdomain.com will be delivered to yourname@yourdomain; but you can still see the originally used recipient name, so when you get spam/phishing to, for instance, yourname+CW@yourdomain you know who leaked it.

4
0
Silver badge

Re: Perhaps I need a forwarding email address for every shop

Did not know about that - thanks!

0
0
Silver badge

Re: Perhaps I need a forwarding email address for every shop

"

A lot of web forms incorrectly reject it but a "plus form" address (RFC2822) is what you are looking for.

"

Doesn't seem to work on either my company email address or my gmail address. :-(

0
0
Silver badge

Re: Perhaps I need a forwarding email address for every shop

Should definitely work at Gmail, it's explicitly mentioned in the documentation.

Not foolproof though, we had to scrub the plus suffix from a load of addresses when migrating them to a new CRM that had broken email address parsing.

0
0

Re: Perhaps I need a forwarding email address for every shop

"yourname+anythingyoulike@yourdomain.com will be delivered to yourname@yourdomain; but you can still see the originally used recipient name, so when you get spam/phishing to, for instance, yourname+CW@yourdomain you know who leaked it."

Except that is so well known that I would expect any malicious spam merchants to sanitise the email address by removing the +anythingyoulike so that your sorting/spam rules don't work.

1
0
Silver badge

Bah!

Not to worry.

The data was encrypted and un-aggregated so mo-one will have their ID spoofed, stolen or sold-on by non-Dixons un-business partners.

What?

1
0
Silver badge
Terminator

Retailers not adopting appropriate cybersecurity strategies

"Despite the well-publicised Target data breach, it seems that other retailers are still not adopting appropriate cybersecurity strategies"

That's because there is no real penalty for not implementing appropriate cybersecurity strategies.

3
0
Silver badge

Ha Jokes on Them

I've lost* all my credit cards and had them replaced since I last shopped there** so it's all useless information.

*Lost, fell out of my pocket while motorcycling across France, same difference.

**2016, I needed a new hard drive fast and they were actually the same price as Amazon.

2
0
Silver badge

Re: Ha Jokes on Them

Get a wallet with a chain on it.

1
0
Silver badge

Re: Ha Jokes on Them

'Get a wallet with a chain on it.'

That was learning point #2!

Learning point #1 was that it's actually quite handy having a contact less card saved on your phone so you can at least pay for accommodation before you cancel everything. Learning point #3 is to leave that card at home next time.

2
0

Re: Ha Jokes on Them

Don't you have to have leather trousers with no bum in them to have a wallet on a chain?

Personally I put my wallet and phone in the big inside pocket inside the jacket, then by the time you've fell off and burst the main zip and slid far enough further to drag it inside out and abrade the liner away, dropping your phone is the least of your worries. Also stops it getting too wet. Soggy money is no fun.

3
0
Anonymous Coward

I advised them of a breach in May 2016 when an email address that I used specifically for contacting them started being used for spamming purposes out in the wild.

Yet they were only breached in July 2017 .. apparently.

4
0
Silver badge
Coat

FTA: "Retailer Dixons Carphone has gone public about a hack attack involving 5.9 million payment cards and 1.2 million personal data records."

Oh, do try harder, Dixons Carphone - if you want to compete with the big boys, you need to have much bigger breaches than that.

3
0
Bronze badge

Advice ?

'We are contacting those whose non-financial personal data was accessed to inform them, to apologise, and to give them advice on any protective steps they should take.'

I'm guessing that they will tell you to use a credit reference agency... sounds like a great idea :/

0
0
Silver badge

How about cookies?

If a company puts your CC details in a cookie that it sends to you (then forgets), it could retrieve those details by grabbing the cookie next time you place an order. However the details will then only be kept on *your* computer, not the company's servers, so I assume GDPR considerations will not apply.

The cookie could be encrypted, with the company using a different (random) encryption key for every customer. Then even if the company is hacked and all the keys stolen it would cause limited damage.

Of course, customers who place a new order using a different computer would have to enter their CC details again.

0
1
Silver badge

Re: How about cookies?

There is no reason to go to such obscure lengths, there are already perfectly good mechanisms by which a customer can have a token stored for future use which do not need card details or CVVs to be retained.

Dixon Carphone obviously thought they could do it their own way.

0
0

Fatigue?

Another breach and only 69 comments 12 hours later. Even @Reg folk are getting fatigued and bored by these.

0
0
Bronze badge

Attack Vector Warranty - 2 Year Cover.

Might start selling these on the forum. #thespreadsheetislegal #howzat #strike

0
0
FAIL

Communication preferences

I received a text from Currys PCW yesterday stating that 'Important information from Currys PC World concerning data security' was to be found at a shortened URL. A check of the URL results in a long, tech-style address ending in cpwplc.com. Checks on that reveal this it's probably OK but I'm not minded to try it out.

So in short - and assuming it's valid link - lets warn our customers by sending them a text that looks like an invitation to be phished!

Sounds to me like an early recipient of of a GDPR 'Right to be forgotten' instruction.

1
0

Re: Communication preferences

Good luck!

I tried the "right to be forgotten". Seems they will only action this if I prove that I am who I say I am. For this they need me to send in a copy of my passport and official letter showing my address. Unsurprisingly I'm not willing to do this so they are going to retain all my personal information.

0
0
Bronze badge

OK so they had simillar hapen and ICO hit them with a £400k fine

this is their second breach with Credit card data

I can see two potential consequences:

the ICO hit them with a BIG GDPR fine (last years t/o £10,580m makes max fine £211.6m/£423.2m)

PCI suspend their payment processing rights (no card transactions - All their online business and presumably most of there in store)

1
0
Anonymous Coward

Honest

At least they admitted to it. Page up people an very nasty company that filters job aplacants by asking up t 60pages of questions was recently hacked with loads of people's data stolen, did page up people notify any one, no , one of their clients contracted me to let me know and that they would not be using them any more

0
0
Silver badge
Unhappy

Well aware?

As a multinational organisation, Dixons Carphone would have been well aware of the Target breach.

As an infosec grunt toiling in the trenches, _I_ am well aware that this is absolute bollocks. i nearly fell off my chair when our CIO mentioned Maerk, but that was a week or tweo after the post-mortem "how we covered from having our entire estate bricked" was publicised.

I bet if you took 100 CIO, COOs, CSOs etc - let alone the line management - and asked them to name 3 big hacks from the last decade off the top of their heads,85% would struggle.

0
0
Anonymous Coward

I find that my details are on the Dixons Carphone list of customers whose information they have inadvertently shared. I tried to use my right under GDPR to have my personal details deleted. I am told that this is possible but only if I send further personal detail including a copy of my passport! They must be joking (but apparently not)

Methinks the company isn't really interested in meeting their data management responsibilities but is interested in maintaining as large a list of customer details as possible!

0
0

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2018