Tuesday, 10 February 2009

Woolworths Credit Card Blunder

I have been quoted (more like misquoted!) in several national newspapers in relation to the Woolworths Credit Card Blunder, where I understand a batch of payment card details were found in a bin.



The important points which didn't make it into these articles were...

1. Concerned former customers of the Woolies store should not panic about losing money! Where a merchant (Woolies) is found to have been sloppy in protecting its customers' payment card details, resulting in fraud against the cardholders, the card issuers/banks normally fully reimburse all the fraudulent transactions. This is especially so when fraud occurs en masse, as it is a lot easier to trace back to the original merchant responsible. Therefore customers would be protected against fraudulent transactions even though Woolies is out of business. Technically we all pay for card fraud through higher interest rates on cards anyway. By the way, card fraud cost the UK around £600M last year, with 1 in 4 UK citizens being inconvenienced. UK card fraud is on the increase too, going up 14% in the first six months of 2008. Because of the state of the economy at the moment, I am expecting payment card fraud to rise even further when new figures are released. http://blog.itsecurityexpert.co.uk/labels/global%20credit%20crunch%20cyber%20crime%20uk%20card%20fraud%20trend%20malware.html

2. If you are concerned you might be a victim of card fraud, be extra vigilant with your credit and bank account statements, and check every transaction. Fraudsters tend to test whether stolen card details are active by trying a transaction for a small amount, or going for a mobile phone top-up credit.

Also, credit card issuers and banks are very good at detecting fraud on your behalf, so if they alert you about potential fraud or unusual transaction(s) on your account, get in contact as soon as you can in case it is fraud, which will allow you to limit the damage.

3. I have put together a "Reducing your Risk of Identity Theft" guide (http://itsecurityexpert.co.uk/downloads/ITSE-Reducing_your_Risk_of_Identity_Theft.pdf), which can really help reduce your risk of payment card fraud. There are also plenty of other good guides on the internet to search for.

1 comment:

Dave Whitelegg CISSP said...

Sure it's a big deal whether the CVV2 (3/4 digit) security code was included in the Woolworths payment card details, but even if the security code isn't there, there is still enough information to commit fraud.

Not all retail websites request or are properly checking the security digit code. In July 2007 a report stated around half of the top online retailers weren't asking for the security code (http://www.getelastic.com/ecommerce-checkout-report/credit-card-verification/), while I've heard some online retailers which do request the code aren't even checking it's valid.

Sure, the number of online retailers checking the security code has increased in the last 18 months; however, it's still possible to find and buy at online retailers (esp. sourced from other countries) just using the full credit card number (PAN), expiry date, name and perhaps the address.

Another angle fraudsters take is to use the existing information they have to "phish" the CVV number from the cardholder.