Store cards

I am puzzled...

Someone I know of had their email hacked, and, of course, that means that the hacker could use email-based password resets on various systems. They proceeded to do so, and thankfully left enough of a trail to work out what they did so the passwords could be sorted out. It does highlight the importance of email passwords being secure, but the puzzle is not that - it is what they did...

They reset passwords on a load of supermarket logins.

Now, I have only used tesco.com, but I imagine they are all much the same. You cannot order from them without using a card. Yes, Tesco store my card but only display the last 4 digits and want the CV2 on every order - so if someone logged in to Tesco as me they could not order anything on my card.

Even if they could, somehow, order, what then? I am not sure about collection, but I assume they would want to see the Clubcard and/or the bank card when you collect, so that is not going to work. And if they go for a delivery, they create a log of where they had things delivered.

I suppose they could see my address, but why change multiple supermarket accounts - you only need one to see that.

So really, what is the point in "stealing" someone's supermarket logins?

Am I missing the bleeding obvious here or something?


  1. Most supermarkets have banking facilities (eg credit cards) these days - could it be something to do with that, eg changing the address and getting a new card posted out?

    1. Good point, maybe I misunderstood - I was definitely under the impression it was just the shopping sites that had been done.

    2. They also all have their own mobile offerings. My bet is it's related to that as it's a lot easier to "cash out" a SIM quickly compared to a CC.

      Think about it - the (virtual) mobile company has your CV2 number anyway so upgrade the account online & request a new (different size) SIM.

      I bet sending that SIM to a new address for an existing customer doesn't attract anywhere near the same fraud checks sending a new phone would. Subscriber knows bugger all about it until new SIM is activated & they're disconnected. By the time they've sorted things out there's probably several hundred quid's worth of calls to premium numbers outside the UK on their account.

      Easy money, no?

    3. Operator dependent but, in my experience, operators generally regard SIM fraud as just as problematic as handset fraud, even with the ability to withhold on suspected fraudulent usage / AIT.

      Some might slip through the net, but definitely regarded by some (many?) as a known fraud vector, to be managed carefully.

  2. My guess would be a foreign hacker thinking that perhaps they were store charge cards

  3. You can also get a lot of reward vouchers which can be spent anonymously like cash

  4. Perhaps they all hide different parts of the credit card number, so if you check enough sites you can stitch together the whole credit card number? That gives you a valid credit card number and the corresponding email, name and address.

    1. The PCI DSS rules state you can show at most the first 6 and last 4 digits, so anybody PCI compliant should never show the middle digits of the card in theory...
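  The "stitching" idea in comment 4 and the masking limit in the reply can be checked numerically. The following is an added example, not code from the original post or any of the commenters: it merges the digits exposed by several (constructed) saved-card displays, flags any display that shows more than the PCI DSS maximum of first six plus last four, and counts how many Luhn-valid card numbers remain consistent with what was exposed. The three site masks and the 16-digit number they derive from are made up for illustration and are not a real card.

```python
import itertools

# Constructed masks of one saved card as three hypothetical sites might display it.
# The underlying number is a made-up, Luhn-valid 16-digit example, not a real card.
SITE_MASKS = {
    "last4_only":  "************1234",  # last 4 only, as the post describes
    "pci_maximum": "453901******1234",  # the most PCI DSS allows: first 6 + last 4
    "sloppy_site": "4539016789******",  # hypothetical non-compliant display: first 10 shown
}


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check: double every second digit counting from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def pci_mask_ok(mask: str) -> bool:
    """True if a display exposes nothing beyond the first 6 and last 4 digits."""
    return not any(ch.isdigit() for ch in mask[6:-4])


def merge_masks(masks) -> str:
    """Union the digits exposed by several masks of the same card; '?' marks unknown positions."""
    masks = list(masks)
    lengths = {len(m) for m in masks}
    if len(lengths) != 1:
        raise ValueError("masks are of different lengths")
    merged = ["?"] * lengths.pop()
    for m in masks:
        for i, ch in enumerate(m):
            if ch.isdigit():
                if merged[i] not in ("?", ch):
                    raise ValueError(f"conflicting digit at position {i}")
                merged[i] = ch
    return "".join(merged)


def luhn_completion_count(partial: str) -> int:
    """Number of Luhn-valid numbers matching a partial. With k > 0 unknown digits it is
    exactly 10**(k-1): once all but one unknown are fixed, exactly one value of the last
    one satisfies the checksum, because both the doubled and undoubled digit maps are
    bijections mod 10."""
    k = partial.count("?")
    if k == 0:
        return 1 if luhn_valid(partial) else 0
    return 10 ** (k - 1)


def luhn_completions(partial: str, max_unknown: int = 4) -> list:
    """Brute-force every Luhn-valid completion; only sensible for a handful of unknowns."""
    unknown = [i for i, ch in enumerate(partial) if ch == "?"]
    if len(unknown) > max_unknown:
        raise ValueError(f"{len(unknown)} unknown digits leave "
                         f"{luhn_completion_count(partial)} candidates; not enumerating")
    found = []
    for digits in itertools.product("0123456789", repeat=len(unknown)):
        pan = list(partial)
        for i, d in zip(unknown, digits):
            pan[i] = d
        pan = "".join(pan)
        if luhn_valid(pan):
            found.append(pan)
    return found


if __name__ == "__main__":
    compliant = [m for m in SITE_MASKS.values() if pci_mask_ok(m)]
    merged = merge_masks(compliant)
    print("compliant sites only:", merged, "->", luhn_completion_count(merged), "Luhn-valid candidates")
    everything = merge_masks(SITE_MASKS.values())
    print("plus the sloppy site:", everything, "->", luhn_completions(everything))
```

With only compliant displays the merged view is `453901??????1234`, which still leaves 100,000 Luhn-valid candidates, so the stitching attack gets nothing a BIN lookup would not already give. Add one site that shows extra middle digits and the candidate list collapses to ten, which is why the masking rule is worth checking on every site that stores a card, not just the ones you shop at most.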

  5. I know it's a bit beside the main point but just FYI, I do click and collect with Tesco all the time and have never shown or been asked for proof of anything... I just tell them my name and away we go!

  6. If you're going to use stolen credit card details, it makes plenty of sense to steal a website account to use them in.

    A friend of mine had a sudden flood of tens of thousands of newsletter subscriptions/confirmation requests. Buried in the middle was an Amazon password reset notification and an order for some expensive electronics to be shipped to the other end of the country. The order was made using a newly added card, presumably stolen, and we think the fraudster socially engineered their way into the account.

    Interestingly, the items in the Amazon order were identical to a legitimate one from a month or two back. We think that the flood of subscriptions was to hide the order and Amazon password reset notifications, and ordering the same items was camouflage in case the order notification was spotted in passing.

    1. Amazon are somewhat unique in that they don't use the CV2 on orders - at least in the UK if you also have a Kindle/Prime account. Nor does it use the (totally useless) Verified by Visa crap.

      So Amazon eat 100% of the fraud costs on CC. I'd guess their merchant turnover means it's insignificant compared to higher transaction costs where the CCC eats the losses.

      tl;dr Amazon are "special" in that they have agreed to eat the losses associated with a cardholder not present and no CV2 transaction.
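  The camouflage described in comment 6 (a subscription flood hiding a password-reset and an order notification) is easy to triage mechanically once you know to look. The following is an added example and not code from the original post or its commenters: it builds a constructed mailbox of 40 bulk confirmation mails with two account notices from a hypothetical retailer at `shop.test` buried in the middle, detects the burst from the bulk-mail headers, and lists the non-bulk messages that mention account or order events. The domain, addresses and subjects are all made up.

```python
import email
from email import policy
from email.utils import parsedate_to_datetime
from datetime import timedelta


# Constructed mailbox, not real mail: a burst of subscription confirmations with two
# account notifications from a hypothetical retailer (shop.test) buried among them.
def _bulk_msg(n: int) -> str:
    return (f"From: news@list{n}.example.test\n"
            f"To: victim@example.test\n"
            f"Subject: Please confirm your subscription to list {n}\n"
            f"Date: Mon, 01 Jan 2024 10:{n:02d}:00 +0000\n"
            f"List-Unsubscribe: <mailto:unsub@list{n}.example.test>\n"
            f"Precedence: bulk\n\nClick here to confirm.\n")


def _notice(minute: int, subject: str) -> str:
    return (f"From: account-update@shop.test\n"
            f"To: victim@example.test\n"
            f"Subject: {subject}\n"
            f"Date: Mon, 01 Jan 2024 10:{minute:02d}:30 +0000\n\nSee your account.\n")


MAILBOX = [_bulk_msg(n) for n in range(40)]
MAILBOX.insert(17, _notice(16, "Your password has been reset"))
MAILBOX.insert(26, _notice(24, "Your order of a laptop has been dispatched"))

# Senders whose mail should never be drowned out, plus subject words worth a look anywhere.
WATCHED_SENDER_DOMAINS = {"shop.test"}
SENSITIVE_WORDS = ("password", "reset", "sign-in", "order", "dispatched", "payment card")


def parse(raw: str):
    return email.message_from_string(raw, policy=policy.default)


def is_bulk(msg) -> bool:
    """Mailing-list style mail announces itself via List-Unsubscribe or Precedence."""
    return msg["List-Unsubscribe"] is not None or msg.get("Precedence", "").lower() in ("bulk", "list")


def is_sensitive(msg) -> bool:
    sender_domain = msg["From"].rsplit("@", 1)[-1].strip("> ").lower()
    subject = (msg["Subject"] or "").lower()
    return sender_domain in WATCHED_SENDER_DOMAINS or any(w in subject for w in SENSITIVE_WORDS)


def bulk_burst(msgs, window=timedelta(hours=1)) -> int:
    """Largest number of bulk messages received within any sliding window."""
    times = sorted(parsedate_to_datetime(m["Date"]) for m in msgs if is_bulk(m))
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def triage(raw_mailbox, burst_threshold: int = 20) -> dict:
    """Flag a subscription flood and surface the non-bulk notifications hidden inside it."""
    msgs = [parse(r) for r in raw_mailbox]
    burst = bulk_burst(msgs)
    buried = [(str(m["Date"]), str(m["From"]), str(m["Subject"]))
              for m in msgs if not is_bulk(m) and is_sensitive(m)]
    return {"flood_detected": burst >= burst_threshold,
            "largest_bulk_burst": burst,
            "buried_notifications": buried}


if __name__ == "__main__":
    result = triage(MAILBOX)
    print("flood detected:", result["flood_detected"], "(burst of", result["largest_bulk_burst"], ")")
    for date, sender, subject in result["buried_notifications"]:
        print(" ", date, sender, "-", subject)
```

The burst count alone is a useful alarm: a sudden spike in list-style mail to one address is itself a sign that someone wants that inbox unreadable for a while, so the watched-sender filter is worth running even before the user complains.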

  7. Clubcard (et al) points. Not new: https://conversation.which.co.uk/money/tesco-clubcard-account-points-stolen-fraud/

  8. I usually use Sainsbury's, and they don't seem to ask for anything (e.g. CVV) to pay for an order using an existing saved payment card. So having access to my account might be enough. Then again, perhaps extra checks kick in if for example:

    - my account password has recently been reset, or:
    - the order is for a new delivery address

    Also, when I click "buy" then some kind of "verified by visa" thingy pops up, then goes away without asking me anything. Perhaps this is performing additional checks in real time, e.g. reading a cookie stored on the device I normally use.

