InvestorsHub Logo
Followers 5
Posts 2404
Boards Moderated 0
Alias Born 09/06/2006

Re: None

Tuesday, 09/11/2018 7:36:03 PM

Tuesday, September 11, 2018 7:36:03 PM

Post# of 248557
How Hackers Compromised 380,000 British Airway Customer Payments

https://gizmodo.com/how-hackers-compromised-380-000-british-airway-customer-1828968523

A British Airways data breach that exposed as least 380,000 card payments was caused by a card-skimming malware that customers were inadvertently exposed to through the airline’s website and mobile app, according to research from security firm RiskIQ.

British Airways announced last week that hackers had breached the company’s system, compromising hundreds of thousands of card payments. The statement, from the airline’s parent company IAG, said the attack on the site and app began on August 21 and was stopped on September 5. The company said passport and travel information were not included in the hack.

A company spokesperson told Gizmodo at the time that a third-party first discovered the concerning activity and alerted British Arlines, prompting a response and investigation. RiskIQ told Gizmodo that when it discovered the breach, it shared its findings with FBI and the UK’s National Crime Agency, which then alerted British Airways.

Tuesday morning, RiskIQ released a report on its investigation into the breach. The analysis, written by threat researcher Yonathan Klijnsma, shows that hackers compromised the company’s website and app with a card-skimming malware in late August. After this breach, customers who bought plane tickets online had their credit card information scanned and sent to a fraudulent site operated by a server in Romania. This data included email addresses, names, billing addresses, and bank card information.

Similarities between this breach and the Ticketmaster breach in June led RiskIQ researchers to believe that British Airways was attacked by the same group—Magecart. Since Magecard formed in 2015, the collective has been accused of installing card-skimming malware on thousands of sites. “Based on recent evidence, Magecart has now set their sights on British Airways, the largest airline in the UK,” the RiskIQ report reads.


British Airways would not provide comment for Gizmodo on RiskIQ’s report, citing the criminal investigation.

“Magecart had direct access to the [British Airways] server,” Klijnsma told Gizmodo. “While they only performed skimming, it could have possibly gone further with the access they had.”

================================================================
Law firm seeking leak victims to launch £500m suit at British Airways

https://www.theregister.co.uk/2018/09/11/ba_lawsuit/

Prosecutors rub their hands with glee

British Airways faces a £500m lawsuit over its recent mega-breach that exposed payment card details of 380,000 customers.

The airliner last week apologised and offered to compensate customers for any direct financial loss for the attack that took place between 21 August and 5 September via its website and app.

However, an group-action suit* led by SPG Law contends BA has not gone far enough and should be paying travellers for the "compensation for inconvenience, distress and annoyance associated with the data leak".

The action points to compensation rights in the European General Data Protection Regulation, which came into effect in May.

SPG Law, the Brit limb of US firm Sanders Phillips Grossman, set up a dedicated micro-site to get victims to sign up to the case.

The firm, which cynics might dismiss as an ambulance chaser, is recruiting participants on a "no win, no fee" basis. It has suggested its offer is the best and most straightforward way passengers might be able to secure up to £1,500 compensation.

SPG Law said it would cap its fees at a maximum of 35 per cent including VAT.

If the case goes to court, SPG Law acknowledged the possibility that the airline may win and might even be awarded legal costs.

"In the event that it is necessary to litigate, we will arrange insurance on behalf of all Claimants who sign up with us," it said. "This will protect you against having to pay BA's costs in the unlikely event that the claim is lost."

British Airways is yet to respond to a request for comment from The Register. ®

Bootnote

*A group-action lawsuit is the English law equivalent of a class-action lawsuit. SPG Law is also "campaigning" to mount a group-action lawsuit over the VW emissions scandal on behalf of affected drivers. The firm is acting just days after the breach was disclosed and before the dust has settled and the facts are known.
=================================================================
If only Wave and Bell Id was being used before this British Airways breach. It seem that this 4 year old press release has relevance today and the product could save a lot of money for consumers and companies going forward. imo.
=================================================================
Wave and Bell ID Partner to Combat Online Payment Fraud

https://www.wavesys.com/buzz/pr/wave-and-bell-id-partner-combat-online-payment-fraud

Lee, MA -

July 31, 2014 -

Wave Systems Corp. (NASDAQ: WAVX) announced it is partnering with chip lifecycle management solutions company, Bell ID, to offer a joint solution aimed at reducing online payment fraud. The solution will be marketed primarily to card issuing banks, as well as online merchants, governments, and enterprises worldwide.

Using Bell ID’s Trusted Service Manager and Secure Element in The Cloud (SEiTC) server, alongside Wave’s ERAS for TPM management and Wave’s endpoint identity and monitoring expertise, the combined offering provides robust protection for transactions and stored payments. The companies have executed a letter of intent and anticipate the signing of a definitive agreement in August.

The incident rate of card-not-present (CNP) fraud has been growing steadily over the past several years. According to a recent FICO Banking Analytics Blog, CNP fraud now accounts for close to half of all credit card fraud. Countries that have already adopted the EMV® card specification have seen CNP fraud rates increase. In the United States, CNP fraud is expected to rise significantly over the next eighteen months, as the EMV standard is put into effect. The EMV directive, which implements a global standard for a secure chip-based payment application, will make merchants liable for any fraud resulting from transactions on systems that are not EMV-capable.

“Wave’s robust product portfolio is very complementary to Bell ID’s strongly positioned solution set in the financial services market,” said Bill Solms, CEO, Wave Systems. “We see the EMV transition creating high demand for more secure transaction capabilities, and are confident that together we can provide financial institutions with a comprehensive solution for payment authorization and storage.”

“Bell ID has been a pioneer in developing and delivering cloud-based payment platforms,” adds Pat Curran, Executive Chairman at Bell ID. “We also have extensive experience in delivering EMV solutions globally and have witnessed fraud transition online as point-of-sale terminals in face-to-face transactions become more secure. We are therefore delighted to extend our offering with Wave to provide a secure online transaction and storage payment solution, which will mitigate against an expected rise in online fraud and provide a trusted link between device identity and internet services.”

Join the InvestorsHub Community

Register for free to join our community of investors and share your ideas. You will also get access to streaming quotes, interactive charts, trades, portfolio, live options flow and more tools.