BA:s app och hemsida hackade
- Thread starter Homer
- Startdatum
AABack2ARN
Medlem
Heter det CCV eller CVV?
Hursomhaver, eftersom CVV verkar ha hamnat i orätta händer tolkar jag det som att det är kommunikationen mellan websidan/appen och PSPn (?) som på något sätt avlyssnats och troligen då genom att injicera kod i steget innan allt betalningsdata skickas ut på nätet (för det lär vara krypterat). Det torde också förklara varför de kunder som haft sitt data sparat på siten men inte nyttjat den inte fått några varningar (som jag tolkar det).
Hursomhaver, eftersom CVV verkar ha hamnat i orätta händer tolkar jag det som att det är kommunikationen mellan websidan/appen och PSPn (?) som på något sätt avlyssnats och troligen då genom att injicera kod i steget innan allt betalningsdata skickas ut på nätet (för det lär vara krypterat). Det torde också förklara varför de kunder som haft sitt data sparat på siten men inte nyttjat den inte fått några varningar (som jag tolkar det).
Känns som att de har felprioriterat alla sin resurser på att så effektivt sätt nedgradera sin ptodukt över åren när de uppenbarligen hade lite andra områden som behövts mer fokus.
Homer
Medlem
The Times har en intervju med en Ben Oguntala som påstås ha arbetat på BA Waterside head office fraund prevention...
“Oguntala, 44, founder of the card security company Payments & Co, said he was hired to help improve card payment security. But he discovered the airline had failed the international standard for card payments, called the payment card industry (PCI) data security standard, last year. The failure was not reported in the airline’s annual report.
One internal document presented at a BA meeting in April this year states: “British Airways holds a lot of sensitive payment card data. BA are subjected to the international security standard — PCI data security standard.
“By achieving compliance BA are proving to themselves, their customers and their supervisory bodies that BA are suitably protecting payment card data from malicious attack . . . In December 2017, BA failed to achieve PCI compliance.”
The document warned that an outdated system, ArcSight, was being used to store security data relating to card transactions. It is described in the document as “redundant”, “severely undermined” and “prone to failure”. The document is marked IAG GBS, which is the global business services division of BA’s parent company IAG.
Oguntala said he was shocked at the lax security surrounding credit and debit card payments at BA. “The security was woeful,” he said. “There was card data everywhere and there were no proper controls on where it was going and who was getting access.”
Oguntala, who worked for a team that reported to BA’s information security and compliance manager, considered the entire payment system needed to be radically overhauled — with a new security protocol known as tokenisation. He said he left after his advice was rejected.”
British Airways hack was ‘a disaster waiting to happen’ | News | The Sunday Times
“Oguntala, 44, founder of the card security company Payments & Co, said he was hired to help improve card payment security. But he discovered the airline had failed the international standard for card payments, called the payment card industry (PCI) data security standard, last year. The failure was not reported in the airline’s annual report.
One internal document presented at a BA meeting in April this year states: “British Airways holds a lot of sensitive payment card data. BA are subjected to the international security standard — PCI data security standard.
“By achieving compliance BA are proving to themselves, their customers and their supervisory bodies that BA are suitably protecting payment card data from malicious attack . . . In December 2017, BA failed to achieve PCI compliance.”
The document warned that an outdated system, ArcSight, was being used to store security data relating to card transactions. It is described in the document as “redundant”, “severely undermined” and “prone to failure”. The document is marked IAG GBS, which is the global business services division of BA’s parent company IAG.
Oguntala said he was shocked at the lax security surrounding credit and debit card payments at BA. “The security was woeful,” he said. “There was card data everywhere and there were no proper controls on where it was going and who was getting access.”
Oguntala, who worked for a team that reported to BA’s information security and compliance manager, considered the entire payment system needed to be radically overhauled — with a new security protocol known as tokenisation. He said he left after his advice was rejected.”
British Airways hack was ‘a disaster waiting to happen’ | News | The Sunday Times
Mer läsning för den intresserade
Inside the Magecart Breach of British Airways: How 22 Lines of Code Claimed 380,000 Victims
The British Airways Breach: How Magecart Claimed 380,000 Victims
Inside the Magecart Breach of British Airways: How 22 Lines of Code Claimed 380,000 Victims
The British Airways Breach: How Magecart Claimed 380,000 Victims
