Hacked

In order to spend my money, a hacker needed to log-in to my Sainsbury's account using a password known only to me and then supply three letters from my credit card security code, also known only to me. They then spent £186 and had the goods delivered to an address in Sheffield.

How did they get into my account and past the credit card security?

It's taken half a day to sort that out, open new accounts, de dah, so I'm not best pleased.

Sainsbury's insisted I open a new account rather than just change my password (so I lost my Favourites List - curses) because my email address was compromised, they said. That last sounds like horse-shite to me as I send email every day to all sorts of people and companies.

Then they aren't set up to transfer the Delivery Pass to a new account. So refund and buy a new one.

I'd just like to say to whomever did this hacking - Arsehole!

Any clues as to how it was done? All I can think of is that Sainsbury's has been hacked, data theft.
 
Agree with you that the data theft of Sainsbury's data is a possibility. Also, using an unsecured WiFi, such as one at a coffee shop, is another possibility.
 
That's a weird one. I'd understand maybe Sainsbury's but not your credit card digits. By 'three letters from security code' do you mean the additional card vendor window that pops up and asks you for 3 random letters of your password? If so, then it points to a key logger.

When you submit data for your login, it's encrypted by you and can only be decrypted by the recipient (Sainsburys). I just checked their site and made sure their security certificate is valid! The only way this can be intercepted is from within your network or 'a' network (insider jobs can't be done 'live' beyond your connection to the outside world) and even then the encryption can't be bypassed without the key from the recipient. Web standards these days are top notch as long as you are on the right track to begin with.

Even if you logged on in a Costa and somebody was running packet sniffing software, the encryption rules it all out. Therefore I can only imagine a key logger of some form. A dodgy Sainsbury's employee could get into your account but they wouldn't have access to your payment authorisation as that's between you and your card vendor. Nothing is impossible but it certainly points towards the data being recorded somewhere rather than 'hacked'.
 
How was the payment made? You mention an account being hacked and a credit card. Very unlikely to have both compromised.. never bought anything from a store using online banking (don't you need a card reader for setting up new payments?) that's what credit/debit cards are for. So if the payment was on a card it sounds like they're spinning you a load of shite to make out you were to blame.

I had a load of payments appear on my debit card once and I'd only used the card once, which was pay at pump at a petrol station, and I always check for card scanners, so it must have been a leak from the bank's side.
 
Thanks for your comments guys.

I never use unsecured wi-fi, have good retail security at home (from where I shop on-line exclusively) and scan my computer daily for malware. I'm fairly sure I'm secure at home - would put money on it, in fact.

Whoever was at fault, I got a whole bunch of work landed on me to set it all up again and Sainsbury's sounded very concerned so I think they have work to do as well.

Why Sainsbury's didn't arrange a van full of cops to make the delivery I don't know - maybe they did but weren't making those sorts of noises to me. I just happened to stumble on the theft fairly soon after it was made.

A key stroke logger sounds like a good suggestion except my computer is clean. I fancy an inside job more and more.

I had only just set up the credit card security code and maybe their computers had not up-dated - so once inside the Sainsbury's site, there was my card, sitting un-protected. All says 'insider' to me.
 
I feel for you.

I had this a few years ago and it's a total pain and just when you think you've sorted it something else happens.

I think mine was down to a keyboard logger as at the time these weren't being picked up by a lot of security/virus software, after all your OS will translate what's typed at the keyboard into hex for the computer to understand it so something else sat there sometimes doesn't get detected. It's very clever.

I was quite lucky as the person had done some minor transactions out of my usual spending pattern and Barclays phoned me up to see if it really was me.

I had my ebay account hacked, my email account hacked and both were a nightmare to deal with to the point I gave in.

I subsequently pay now to have my details protected and get alarms when people do credit checks against me and when it's not me.

Keep an eye out as this may not be the end of it - or certainly cancel your card and get a new one.
 
I'd really recommend anyone with a PayPal and/or an Ebay account to get the additional protection of Verisign. This gives an additional level in the sign on process using a six digit pin code. The code changes every 30 seconds and is linked to a serial number. They supply dongles with an LCD screen and also there is an app for the iPhone.

A while ago I had an idea someone had got into my ebay account. It was quickly resolved and nothing happened but I did change my passwords straight away, contact them and my bank / credit card company. Soon after I found out about Verisign.

Good luck with resolving this, hope everything is sorted out a.s.a.p.
 
Griffo said:
I subsequently pay now to have my details protected and get alarms when people do credit checks against me and when it's not me.

May I ask who you pay? Please PM me if you wish to keep it private.


Northam Saint said:
I'd really recommend anyone with a PayPal and/or an Ebay account to get the additional protection of Verisign.

That looks like serious overkill for a private individual! Managing SSLcerts? I know nothing!

I'm convinced that my computer has not been hacked but the Sainsbury website has - by whatever means.

Verisign also looks very expensive as well as complicated.
 
Idea. I had a situation where my electricity supplier had their records hacked. When asked, they supplied the credit check with all of the above mentioned service (alerts, etc) free for a year.
You may want to check if Sainsbury has the same service.
After the year free, it's your option to renew.
 
Bechet45 said:
Griffo said:
I subsequently pay now to have my details protected and get alarms when people do credit checks against me and when it's not me.

May I ask who you pay? Please PM me if you wish to keep it private.


Northam Saint said:
I'd really recommend anyone with a PayPal and/or an Ebay account to get the additional protection of Verisign.

That looks like serious overkill for a private individual! Managing SSLcerts? I know nothing!

I'm convinced that my computer has not been hacked but the Sainsbury website has - by whatever means.

Verisign also looks very expensive as well as complicated.



No, it's a free app on os; all you do is link the serial number in PayPal and Ebay. Dead simple. Check out the VIP Access app if you have an iPhone. Also available for Android.

When you log in with your password it goes to another pop up prompting for the six digit pin which is displayed in the app.

No set up fees, no fees whatsoever.

I've used it for years now with no problems whatsoever.


Little more about PayPal and this

https://www.paypal.com/us/cgi-bin?cmd=xpt/Marketing_CommandDriven/securitycenter/PayPalSecurityKey-outside&bn_r=o
 
Nishy said:
Just heard on the news several thousand Gmail users have had accounts hacked, Gmail themselves have let those users know and to change details.

I always use 2 step verification with Gmail, stops this from happening. Oddly though at about this time, my Amazon account got hacked which uses my gmail address so maybe this was why!
 
Telephonebox said:
Nishy said:
Just heard on the news several thousand Gmail users have had accounts hacked, Gmail themselves have let those users know and to change details.

I always use 2 step verification with Gmail, stops this from happening. Oddly though at about this time, my Amazon account got hacked which uses my gmail address so maybe this was why!

I use the same after my account was hacked previously, apparently by someone in Chicago. Similarly someone also tried hacking my FB too. 2 step verification, whilst initially a pain, is much more secure - highly recommended.
 