Discussion in 'Article Discussion' started by bit-tech, 7 Sep 2018.
I actually read this article solely because I saw CVVs were stolen, and I wanted to know how that happened.
Of COURSE British Airways isn't going to answer that question.
I'm guessing that, as Mr H didn't mention encryption, neither has BA. I'm also guessing that if they were using it then the ne'er-do-wells wouldn't have got away, either directly or via MITM, with easily usable payment details. Maybe when the government said they should be allowed access to information, BA just thought, why bother with encryption?
I bet the fines for this are going to be pretty big.
Encryption - in the case of TLS - only works from browser to web server. Now, a database full of payment details should also be encrypted, it's true, but there's a gap there: between the web server and the database, the payment details are unencrypted. (I mean, they have to be, 'cos you need to use 'em to take the payment...)
My guess would be: attackers got into the server and sat for two weeks sniffing the traffic betwixt the web server and the payment processor. That means that the data was encrypted in transit, and encrypted in storage, but they still got it in the clear - and would explain how they also got CVVs, assuming BA wasn't stupid enough to break PCI DSS.
Honestly, with some of the stupid things some companies do with regards to IT and specifically security, it wouldn't come as a surprise if something comes out that causes a facepalm.
Presented without comment.
Huh. Made a card payment to BA on Aug 20th. Fancy that.
Ditto: credit card cancelled and new one ordered. Pity there is no class action lawsuit in the UK...
Wonder if this will be the first high-profile post-GDPR case/fine...
Booked a BA flight about a month or so ago but bought it through budgetair.nl.
I think the most important question is WHY were the CVV records retained when the internet standard is not to record them after use? It's a common sense thing; you do not retain them, ever. This has to be one for the ICO.
They weren't retained (by BA, anyway; obviously they were retained by the attacker, who you'll be amazed to hear doesn't have to adhere to PCI DSS): They were captured during the transaction by injecting a modified version of an existing script into the payment portal page.
That RiskIQ blog post was an interesting read, at least for a layman like me it was, thanks.