UK’s Dixons Carphone admits huge data breach (bbc.com)
90 points by escapologybb 8 months ago | 60 comments

These pieces of information seem important (quotes from article):

1) It is investigating the hacking attempt, which began in July last year.

2) Dixons insists that it only discovered this latest hack a week ago

3) "The hackers had tried to gain access to one of the processing systems of Currys PC World and Dixons Travel stores, the firm said."

4) There was "an attempt to compromise" 5.8 million credit and debit cards but only 105,000 cards without chip-and-pin protection had been leaked

5) The good news is that nearly all of them were protected by good old chip and pin - and there is no evidence of any fraud relating to the 100,000 non European cards which didn't have that protection.

All of this suggests that rather than an attempt to breach a database or storage system, the attack was persistent and similar to that which occurred to Target where attackers breached the POS card terminal payment processing system.

Altogether a more 'worrying' type of attack given the length of time it was in place.

From what I’ve read, this is exactly what I was thinking too - this has POS/till malware written all over it. I look forward to getting some of the more technical details (if they get released) to see exactly how widespread this issue was.

Last time I looked their POS systems ran Windows XP. I wonder if this is still the case?

Some parts of it seem to go through an old school terminal emulator, but others seem to be custom Windows apps and webpages using Internet Explorer. For a company selling the latest tech they seemed woefully out of date.

I worked there around the time of end of support for XP and there was no reason to suspect they were upgrading. What's weird is that it was clearly written in Java so in theory it shouldn't have been too difficult to upgrade the platform. Probably it was a driver issue with the receipt printers or touchscreen monitors.

1. It's a mobile company

2. It's really a big box store with even less grasp of security than real mobile operators, who are not as serious about security as traditional telcos

I worked at a large UK mobile operator around the end of 2015.

The "security" there was a nightmare. They were inputting customer data into Windows XP machines with Internet Explorer (probably 7 or 8), Flash and Java.

For credit checks they were also swiping cards' magstripes into the same machine (I no longer remember if they were also manually typing the CVV).

The staff could and did also use the machines for web browsing like resetting a customer's Apple or Google account password, etc.

I’m going to assume you are talking about retail since you describe card-present transactions.

Retail is hard. Surprisingly, genuinely hard. When you have hundreds or thousands of outlets, some of them are special, you have wacky hardware, stuff is potentially updated over WAN, you often have a varied hardware fleet, retraining hundreds or thousands of operators is damn near impossible, your stuff was stuck together with sticky tape in the first place, and meanwhile the customer is in the rep's face tapping their feet or walking out on a sale because “the new system is acting up”.

There are a lot of orgs eating a ton of risk on the retail end just because the problem is so messy and expensive to fix.

Yep I am talking about retail!

> you have wacky hardware

They were using standard desktop PCs, not sure what you mean by that.

> stuff is potentially updated over WAN

They had a Cisco router in the shop that VPN'ed back to the mothership, so as far as the computers were concerned they were all on one big LAN and didn't have to worry about its security (as long as the VPN is configured correctly - which for such a company is quite a big if).

> retraining hundreds or thousands of operators is damn near impossible

Make the web app intuitive enough to not require any training? Strangely, I never hear people needing any "training" to use the latest Facebook or Snapchat - maybe the real answer is to actually hire a competent UX designer?

> your stuff was stuck together with sticky tape in the first place

True, but then again this problem needs to be solved. Putting tons of customers at risk and praying that they don't get compromised is unacceptable.

> the new system is acting up

I am not sure if they can do worse than the old system. It was routinely throwing Java stack traces all over the place (from the server) filled with confidential info.

Not to mention, none of this excuses having outdated IE, Java & Flash, and unrestricted outbound internet access on those machines.

> Make the web app intuitive enough to not require any training? Strangely, I never hear people needing any "training" to use the latest Facebook or Snapchat - maybe the real answer is to actually hire a competent UX designer?

Facebook has a terrible UI and I'd wager the majority of people who use it aren't aware of half the hidden features on there. In fact I can think of 4 occasions just off the top of the head where that's happened (wife couldn't find the option to share a FB group URL, people not finding options to subscribe or unsubscribe from a particular discussion, I can never find the damn "report this comment to a moderator" option in FB groups when I need it).

As for Snapchat, that app hardly compares to the level of complexity that a typical POS system would need.

Most importantly though, I don't really want to be the unlucky guy who has to wait there patiently while a member of staff guesses their way through a transaction. Let alone deal with the hassle of escalating things to a manager when said staff inevitably makes a mistake due to a lack of training.

In the UK it's still standard to give people the full card number + expiry date + CVV number from the back of your card over the phone when trying to do literally anything that requires a remote payment (which I am sure they are just typing into a form on a computer in front of them). It's mind boggling.

What alternatives are used elsewhere?

Every card terminal in the world supports a "card not present" payment which only needs the long card number. I suspect most places don't do it this way because it's potentially more expensive, and they need to have a terminal instead of a simple web form that can be used anywhere. It's probably easier for you to reverse a "card not present" payment compared to a full web payment where all details are entered too, so companies taking deposit/payment over the phone don't want that.

As far as I know the Stripe API lets you submit transactions without a CVV (if you accept the risks), so the card terminal requirement isn’t even a valid excuse.

Are you sure it wasn't running Windows Embedded POSReady 2009, which is based on XP SP3 and supported by MS until next year?

Didn't seem to be any different than normal XP from what I saw. Could be completely incorrect though!

I have no actual knowledge here; it's just worthwhile remembering there are XP-derivative OSes that are still supported!

Last I looked Carphone Warehouse were using DOS

I know what you mean but that actually seemed to be some sort of remote terminal rather than dos.

"No evidence of..." means "We have no idea, and no way of checking if..."

Note that this is the second hack in 3 years they've had to disclose and they were fined £400k for that hack [1], which was obviously not enough to incentivise them to invest further in their security. Wonder what the ICO will do this time.

[1] https://techcrunch.com/2018/01/10/uks-carphone-warehouse-fin...

Sorry, no. It seems to have happened before GDPR came into force, and the law isn't retrospective.

It will however be the first time since GDPR that some of the difficult questions are asked and answered by the regulators with their new GDPR mentality. So no doubt the response will be informative.

If they discovered it last week, it's notifiable under the terms of the GDPR. Given the £400k fine they had last time was ~80% of what is allowed under the DPA, I think they can expect something more substantial this time.

Given they also were out of compliance with PCI-DSS, they can expect an industry "fine" as well.

I'm not sure I mentioned GDPR? I merely said it would be interesting to see what the ICO do.

The main problem is that a £400k fine was not sufficient to make them invest in their security, even after they knew they were definitely a target (having been hacked before).

Now if the ICO's hands are tied and they can still only fine them based on the DPA limits then hopefully the ICO will fine them the full £500k and tell them the next breach they have will incur the maximum GDPR fine. That should light a fire up them.

Yes, I did notice that the comment looked different after I replied.

The GDPR is just a replacement for the old data protection directive. Carphone Warehouse is very much still in trouble; just not as much as it would otherwise have been.

The questions won’t change at all in the UK as the DPA was in effect, what can change is the punitive damages.

It doesn't matter when the leak happened, it only matters when it was formally discovered.

I think by now governments should have a service that gives citizens placeholder personal-information. So you could go to a shop and say: my name is X1, my address is X2, and my phone number is X3. If they want to send you a letter, they use the X information. The postal office has a special contract with the government, and can ask it to translate the information to real information.

It sounds cumbersome, and it is, but companies have shown they can't handle the information.

Isn't this just PO Boxes? I don't know if they exist elsewhere, but they're very much a thing in the UK:


Yes, but PO Boxes are somewhat fixed, so companies can still fingerprint you. Your PO Box suggestion is like a cookie that's the same for all companies. Instead, you want to generate PO Boxes as you encounter new companies, or perhaps even as you place orders with those companies.

UK PO Boxes are not a privacy tool. Anyone can find out the name and address of the owner.

For online payments, Revolut have done something similar, I think: https://blog.revolut.com/introducing-disposable-virtual-card... -- I get what they're doing, it's just the stuff I'm most likely to get caught by is the subscription payments I don't want to have to deal with daily (domain names/netflix/spotify for instance).

Governments have done as poorly, if not worse.

Especially in the UK: " Lost in the post - 25 million at risk after data discs go missing" (https://www.theguardian.com/politics/2007/nov/21/immigration...). There's even a dedicated Wikipedia page for the UK government data loss incidents: https://en.wikipedia.org/wiki/List_of_UK_government_data_los...

Currently we have the company data losses and the government data losses. Only having the government data losses would still be preferable.

I like the idea, but I don't think government needs to get involved. Seems to me to be a perfectly reasonable service for a commercial entity to provide ..

Why not have the post office itself provide that service? And how would it work for phone calls? And how do you prevent the phone company itself from having and selling that data?

Also, some banks already offer virtual credit card numbers, which work much like that system, yet as far as I know they're not widely used. Why would that system be?

"Luckily for Dixons, the incident happened before the new GDPR rules, which promise much bigger fines, came into force."

I wonder how many hacks we're going to hear about in the next few months which fall into the same category... [rolls eyes]

I asked our in-house data protection legal teams, and their understanding is that because they _reported_ the breach after GDPR, they will be bound by those rules and potential fines.

Problem is, they were coordinating with the National Cyber Security Centre. To quote Wikipedia:

> The National Cyber Security Centre is an organisation of the United Kingdom Government that provides advice and support for the public and private sector in how to avoid computer security threats

Unfortunately, it remains to be seen how competent the NCSC is, and what exactly the goals of the NCSC are. It's an arm of GCHQ, and so far doesn't seem interested in fast disclosure.

Anyway, this might give them a way out. I'm sure NCSC/GCHQ are very capable of exerting a lot of political pressure on ICO.

Once the personal data is out, it is out, we can do nothing about it. It is not only credit card number that matters, our personal information matters the most. Unfortunately, we haven't seen any exemplary punishment for the responsible parties, nor have we seen any solid step taken in general to prevent data breach. It seems regular data breach is just to make us comfortable without a tail (reference to Aesop's fable: THE FOX WITHOUT A TAIL)

IT happened that a Fox caught its tail in a trap, and in struggling to release himself lost all of it but the stump. At first he was ashamed to show himself among his fellow foxes. But at last he determined to put a bolder face upon his misfortune, and summoned all the foxes to a general meeting to consider a proposal which he had to place before them. When they had assembled together the Fox proposed that they should all do away with their tails. He pointed out how inconvenient a tail was when they were pursued by their enemies, the dogs; how much it was in the way when they desired to sit down and hold a friendly conversation with one another. He failed to see any advantage in carrying about such a useless encumbrance. “That is all very well,” said one of the older foxes; “but I do not think you would have recommended us to dispense with our chief ornament if you had not happened to lose it yourself.” “DISTRUST INTERESTED ADVICE.”

I noticed this warning on the Talk Talk direct debit details page, two weeks ago: https://twitter.com/lexburdusel/status/1001994580672344064?s...

Given they say this only affects cards without chip-and-pin, this is probably of interest to people from the US who have flown in to British airports, as Dixons operate electronics stores selling things like portable USB chargers, headphones, kindles, SD cards, etc in most large UK airports.

I don't think that's quite clear yet. I think what they are saying is anybody/any country not using chip-and-pin is basically asking to be defrauded at this point. If you post your card to Instagram, you'd expect to get defrauded; magstripe/swiping is pretty much that but in a computer readable format. (Yeah, it's not usually public but that doesn't make it secure.)

"The good news is that nearly all of them were protected by good old chip and pin". - So what data is usually stored for chip and pin users? - Does that mean non-chip and pin users' entire card data was stored in DB?

I would suggest it reveals that the breach wasn't an attempt to breach a database or static record of details but an attack on the processing of cards during payment in their POS card machines.

Sounds similar to that attack on Target a few years back that targeted the POS electronic card readers themselves.

>"The good news is that nearly all of them were protected by good old chip and pin"

I assume this means that they didn't store the CVV (CVC2)? It's hard to tell right now, there isn't a huge amount of reliable information. They may have kept CVC1 info from magstripe cards.

Should go without saying though that chip and pin isn't really bulletproof security, and the last four digits of card numbers can be enough for identity fraud if the attacker is capable, especially in conjunction with other leaked information like addresses and DOB.

I don't believe that chip and pin data is stored locally. Assuming that the payment records were from point-of-sale equipment then the entire transaction, including customer information is end-to-end encrypted and wouldn't (couldn't) be stored by the retailer [0]. I guess this either means that mag-stripe transactions do involve storing the card number locally, or there's something else at play here.

[0] https://sumup.com/emv-credit-card-chip/

(My knowledge of this is limited, so I'd be very interested if I've misunderstood this).

POS terminals transmit data back to the computers they're attached to unencrypted, so they can definitely store it if they wanted to.

Everything is speculation at this point, I assume they just kept CC and personal info in a db somewhere for no good reason like a lot of companies do but it's really hard to tell as Dixons haven't told the media too much currently.

The data stored is always the same.

The point is that for Chip & PIN cards, the banks don't expect any magstripe transactions at all (for markets where EMV is in effect, like the UK), which means the card data would be pretty useless as anyone attempting to use them would trip all kinds of fraud alerts.

I would not worry about the card data. What's much more important is the other stuff like loyalty cards, etc.
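The two threads of discussion above (the earlier comments suspecting Target-style POS/till malware that scrapes card data from the payment software's memory, and the point just made that a chip card's magstripe data is of little use to a fraudster in an EMV market) both come down to what is actually encoded on track 2 of a magstripe. The following is an added example, not code from the original thread or from Dixons Carphone: it parses track 2 (PAN, expiry, 3-digit service code), Luhn-validates the PAN, reads the service code's first digit to tell a chip-capable card from a magstripe-only one (2 or 6 means the issuer wants the chip used where available), and scans a constructed memory buffer the way both a RAM scraper and a detection rule would. The buffer contents, the process name and the card numbers (standard test PANs) are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Track 2 layout on the magstripe: ;PAN=YYMM SSS discretionary?
#   PAN  13-19 digits, '=' field separator, YYMM expiry, 3-digit service code,
#   optional discretionary data (PVV, CVC1, ...), '?' end sentinel.
# Sentinels are optional here because POS software often strips them in memory.
TRACK2_RE = re.compile(
    rb";?(?<!\d)(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??"
)


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation; filters most random digit runs that
    happen to look like a track, which is exactly what RAM scrapers do too."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Track2:
    pan: str
    expiry: str        # YYMM
    service_code: str  # three digits

    @property
    def chip_capable(self) -> bool:
        # Service code first digit: 1 = international, magstripe;
        # 2 = international, use IC (chip) where possible; 5 = national, magstripe;
        # 6 = national, use IC. So 2 or 6 tells an acquirer the card has a chip,
        # and a swipe of such a card in an EMV market is a "fallback" that
        # issuers treat as high-risk.
        return self.service_code[0] in "26"

    @property
    def masked_pan(self) -> str:
        # Never put a full PAN in an alert or log: first 6 + last 4 is the
        # usual PCI-acceptable rendering.
        return self.pan[:6] + "*" * (len(self.pan) - 10) + self.pan[-4:]


def parse_track2(raw: bytes) -> Optional[Track2]:
    """Parse a single track-2 string; None if malformed or Luhn fails."""
    m = TRACK2_RE.fullmatch(raw.strip())
    if not m:
        return None
    pan = m.group("pan").decode()
    if not luhn_ok(pan):
        return None
    return Track2(pan, m.group("exp").decode(), m.group("svc").decode())


def find_track2(buf: bytes) -> List[Track2]:
    """Scan an arbitrary byte buffer (a process memory dump, a pagefile, a
    network capture) for track-2 data. This is the core loop of a POS RAM
    scraper, and, pointed at the same memory, the core of a detection for one:
    if the payment application holds cleartext tracks, this finds them."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group("pan").decode()
        if luhn_ok(pan):
            hits.append(Track2(pan, m.group("exp").decode(), m.group("svc").decode()))
    return hits


# Constructed sample "memory" of a hypothetical till process (not a real dump).
SAMPLE_MEMORY = (
    b"\x00\x00PosApp.exe\x00TXN OK\x00"
    b";4111111111111111=25121010000000000000?\x00"   # magstripe-only card (service code 101)
    b"receipt 12 34 \x00"
    b";4111111111111112=25121010000000000000?\x00"   # fails Luhn: not a real PAN, skipped
    b";5555555555554444=26052010000000000000?\x00"   # chip card (service code 201)
)


def report(buf: bytes) -> List[str]:
    """One masked line per hit, the form a detection alert should take."""
    return [
        f"{t.masked_pan} exp={t.expiry} svc={t.service_code} "
        f"{'CHIP' if t.chip_capable else 'MAGSTRIPE-ONLY'}"
        for t in find_track2(buf)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_MEMORY):
        print(line)
```

Run against a real process (`/proc/<pid>/mem` on Linux, a MiniDump on Windows) the same scan answers the question raised above about whether the till software holds full track data in memory at all; if it does, the retailer's "end-to-end encrypted" claim stops at the PIN pad.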

Last time I bought something from currys, they wanted to know my postcode and name. SW1A 2AA (number 10), so good luck using the personal information of "Larry Felixton" who lives there.

Unsurprising, TalkTalk also has been breached badly. TalkTalk was spun out of Carphone a while back. Seems something very rotten with their approach to infosec.

There is a really good podcast episode about the TalkTalk hack https://darknetdiaries.com/episode/4/

5.9 is not huge. What about the hundreds of millions that leaked from Equifax. That's huge.

Carphone, Stagecoach, these Brits really seem to like naming their companies after obsolete technology.

Strange that, considering the companies were founded and named when the technology was still current.

Of course "Carphone Warehouse" (the trading name of the company that merged with Dixons to become Dixons Carphone) probably does sound incredibly strange to anyone who wasn't alive in the carphone era, but they were a strong high street brand so I can see why they stuck with it.

Very different examples:

Carphone Warehouse originally sold carphones; Stagecoach only came about a long time after stage coaches were obsolete.

Funny thing, this time last year I was picking up a camera and at the till next to me some guy was buying a SIM with some ID or proof of address requirements.

He was like "Sorry I don't have ID with me ...bla bla bla..., I have it on my e-mail, can I use your computer?"

And the staff were like OK, here you go, and they let him behind the counter to use their PC.

I was there a good 5 minutes and the guy was still using the staff computer when I was leaving.

And I was in my head like "WTF?"

I was the victim of identity fraud at a Carphone Warehouse branch. Someone set up 2 new contracts on 2 different networks using nothing but my address, bank account details and a fake ID (paid cash for the upfront payment). Their incompetence is mindblowing. This company is going to £0.
