Boots yanks loyalty card payouts after 150K accounts get stuffed – Naked Security


Boots, a UK pharmacy chain, has suspended payments on the loyalty cards of 14.4 million active customers after its security team spotted “unusual” activity on a number of Boots Advantage Card accounts.

It wasn’t hacked, the company said in a statement, and this isn’t what you’d classify as a breach. Intruders didn’t get into its systems during the attack, Boots said on Thursday. Nonetheless, for the time being, it’s suspended payments made with the loyalty points cards.

This wasn’t our fault, the company said in its statement:

We would like to reassure our customers that these details were not obtained from Boots.

If Boots wasn’t hacked, then where did crooks get the credentials that they’ve evidently used to try to get into people’s Advantage Card accounts so they can make fraudulent purchases on what we refer to in the States as “somebody else’s dime”?

(Or, in this case, on somebody else’s penny: The loyalty cards award shoppers with four points for every £1 they spend. One point will get you one penny’s worth of spending power, so if your card has a balance of, say, 199 points, you could use it to buy something that costs £1.99 at a store or online at boots.com… which, of course, means that anybody who gets access to your account can do the same, regardless of where they’re located. That’s why Boots shut down the program, so nobody can shop with points at either stores or online.)

Boots suggests that the suspicious activity spotted in customers’ accounts is coming from crooks trying to get at their accounts by using credentials that were exposed in some other breach – credentials that those customers have used, reused, re-reused and re-re-re-diculously refused to let go of.

It’s called credential stuffing. Sticking (reused!) passwords into every online place you can think of is a simple way to get into somebody else’s account without permission: just go online and look for lists of breached credentials, often available for sale or for free, then try them out until you hit the jackpot. Or the pennies on people’s loyalty cards, as the case may be.
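The pattern described above has a tell-tale shape in a site’s own login logs: one source tries many different accounts, each once or twice, and most attempts fail. As an added illustration (not from the article, and not Boots’ code), here is a defender-side check over a constructed log sample; the log format, the thresholds and the function names are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not real traffic): timestamp, source IP, account, outcome.
# 203.0.113.7 walks a list of stolen credentials; 198.51.100.9 is a user retrying their own login.
SAMPLE_LOG = """\
2020-03-05T10:00:01Z 203.0.113.7 alice@example.test FAIL
2020-03-05T10:00:02Z 203.0.113.7 bob@example.test FAIL
2020-03-05T10:00:02Z 203.0.113.7 carol@example.test FAIL
2020-03-05T10:00:03Z 203.0.113.7 dave@example.test OK
2020-03-05T10:00:03Z 203.0.113.7 erin@example.test FAIL
2020-03-05T10:00:04Z 203.0.113.7 frank@example.test FAIL
2020-03-05T10:00:05Z 198.51.100.9 alice@example.test FAIL
2020-03-05T10:00:09Z 198.51.100.9 alice@example.test OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Yield (timestamp, ip, account, outcome) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def find_stuffing_sources(text, min_accounts=5, max_success_ratio=0.25):
    """Return {ip: stats} for sources whose logins look like credential stuffing.

    A legitimate user who mistypes a password hits one account repeatedly. A stuffing
    run tries many distinct accounts with a low success rate, because only the
    customers who reused a breached password will match. The accounts that did
    succeed from a flagged source are the ones to freeze and force a password reset on.
    """
    per_ip = defaultdict(lambda: {"accounts": set(), "attempts": 0, "ok": set()})
    for _ts, ip, account, outcome in parse_log(text):
        stats = per_ip[ip]
        stats["accounts"].add(account)
        stats["attempts"] += 1
        if outcome == "OK":
            stats["ok"].add(account)
    flagged = {}
    for ip, stats in per_ip.items():
        ratio = len(stats["ok"]) / stats["attempts"]
        if len(stats["accounts"]) >= min_accounts and ratio <= max_success_ratio:
            flagged[ip] = {
                "distinct_accounts": len(stats["accounts"]),
                "attempts": stats["attempts"],
                "compromised_accounts": sorted(stats["ok"]),
            }
    return flagged
```

In practice the same counting would be done per source over a sliding time window and combined with other signals (ASN, user agent, geolocation) rather than a raw IP count, but the distinct-accounts-versus-success-rate ratio is the core of the heuristic.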
