Breach of online security at HMFC


Jack Torrance

Hi all

Just wanted to point something out in case you have an issue with this.

In a marketing email I just received from the club telling me it's time to come home, if you read the foot it tells you they're trialling a new email system. It then goes on to clearly display your username (account number) and password. You can then use this to access all your online personal details: address, telephone number etc. And most worryingly you can access credit card details you have stored online with the club.

If this had been intercepted, fraudsters would have had a field day. I've emailed the club to tell them.

It would appear it's time for fraudsters to come to my home also.

siegementality

> You think if someone wanted your home address and phone number they would go to the bother of trying to intercept emails? :conf11:

If you had read all his post you would see he mentions that it could give someone access to credit card details held by each user, that's not a worry then?

Jack Torrance

> You think if someone wanted your home address and phone number they would go to the bother of trying to intercept emails? :conf11:

OK, so you're happy with the fact that someone, and there are lots out there with the ability to get hold of other people's emails, can then steal your identity and spend money on your credit/debit card.

Just posting to make people aware in case they have an issue with this.

Jack Torrance

> If you had read all his post you would see he mentions that it could give someone access to credit card details held by each user, that's not a worry then?

Absolutely, however it can also cause years of misery if someone steals your identity. I'm particularly concerned as I've seen the problems this can cause. I'm very careful with my own details, even my telephone number, which is ex-directory.

The email they've sent out even provides a link so a baddy doesn't even have to look for the site to access. They just click on it and hey presto, then they have:

Your name

Address

Date of Birth

Telephone (landline and mobile)

Credit/Debit card details

Just brilliant.

> Absolutely, however it can also cause years of misery if someone steals your identity. I'm particularly concerned as I've seen the problems this can cause. I'm very careful with my own details, even my telephone number, which is ex-directory.
>
> The email they've sent out even provides a link so a baddy doesn't even have to look for the site to access. They just click on it and hey presto, then they have:
>
> Your name
>
> Address
>
> Date of Birth
>
> Telephone (landline and mobile)
>
> Credit/Debit card details
>
> Just brilliant.

Please let us know when (if at all) you get a response, thanks.

Thanks for the heads-up - just checked the email and I can see the username and password at the bottom too.

Luckily I don't have any CCs stored against my account - but changed my password right away.

Pretty poor show that - don't know if it's Hearts or Ticketmaster to blame on this one.

boabyarsebiscuit

Very unhappy. Mr Romanov has missed a big opportunity. After all, he could have sold our details to online criminals and raised money to pay players' wages rather than divvying out our details for free.

I have just logged on to Hearts Rewards and removed my card details (they don't actually display all the card numbers, but why take the risk).

I was going to do the same for Hearts World but the card has now expired.

I would suggest anyone in doubt should do the same; I have also emailed the club and have asked for a rapid response.

Guest JamboRobbo

Same email received here, again with username and password, giving access to all my details. Incompetent muppets.

Name, address, home phone number, mobile number, 4 digits of card number, card expiry date etc etc. Utter incompetence.

Jack Torrance

> Very unhappy. Mr Romanov has missed a big opportunity. After all, he could have sold our details to online criminals and raised money to pay players' wages rather than divvying out our details for free.

Maybe he already has, comrade... :xmasgrin:

> Absolutely, however it can also cause years of misery if someone steals your identity. I'm particularly concerned as I've seen the problems this can cause. I'm very careful with my own details, even my telephone number, which is ex-directory.
>
> The email they've sent out even provides a link so a baddy doesn't even have to look for the site to access. They just click on it and hey presto, then they have:
>
> Your name
>
> Address
>
> Date of Birth
>
> Telephone (landline and mobile)
>
> Credit/Debit card details
>
> Just brilliant.

BJ, I agree with your points, however there is an easy way to keep these details private: don't store them on the site. You don't have to; I certainly don't have a credit or debit card number stored in there.

> If you had read all his post you would see he mentions that it could give someone access to credit card details held by each user, that's not a worry then?

I would imagine existing credit card details, if any, are encrypted.

And no, it's not a worry for me personally. Does not matter how clever an email interceptor :rolleyes: is, they can do ****-all with 4 digits of a credit card.

Jack Torrance

> BJ, I agree with your points, however there is an easy way to keep these details private: don't store them on the site. You don't have to; I certainly don't have a credit or debit card number stored in there.

I also agree with your points. I've never stored card details online, too risky for the very reason we are seeing here.

I provided my personal details because I bought tickets online. I gave my details in good faith, trusting that they would be held securely. My trust has now been broken.

Picture the scenario. Someone goes in, changes your mailing address and intercepts the email that I imagine will be sent to you to tell you this has been changed. Then they buy loads of stuff and you get charged, but you don't find out until you get your statement through, by which time the baddy is long gone.

or

Someone opens a bank account somewhere with your name, DOB and address along with other details they've been able to find elsewhere online. And guess what, you just happened to use the same password for an account elsewhere that they got hold of your username for, so now they've stolen more stuff from you.

Before you know it the police are investigating but no one knows who the real Dazo is. All your cards get cancelled, you've no access to dosh over Christmas and the New Year. Your match tickets for the 3rd Jan have gone missing in the post, there's Sheriff Officers at the door because you haven't paid for something that was sent somewhere else.

Then you've got to prove to the courts you didn't buy all that stuff. You have to write countless letters to credit agencies because the banks won't lend you money for that new house you set your heart on, and now someone else has bought it. Your bank is now arguing that you're liable for a £2000 bill because you didn't keep your details secure.

By the time you've sorted all that out it's Christmas all over again.

> I also agree with your points. I've never stored card details online, too risky for the very reason we are seeing here.
>
> I provided my personal details because I bought tickets online. I gave my details in good faith, trusting that they would be held securely. My trust has now been broken.
>
> Picture the scenario. Someone goes in, changes your mailing address and intercepts the email that I imagine will be sent to you to tell you this has been changed. Then they buy loads of stuff and you get charged, but you don't find out until you get your statement through, by which time the baddy is long gone.
>
> or
>
> Someone opens a bank account somewhere with your name, DOB and address along with other details they've been able to find elsewhere online. And guess what, you just happened to use the same password for an account elsewhere that they got hold of your username for, so now they've stolen more stuff from you.
>
> Before you know it the police are investigating but no one knows who the real Dazo is. All your cards get cancelled, you've no access to dosh over Christmas and the New Year. Your match tickets for the 3rd Jan have gone missing in the post, there's Sheriff Officers at the door because you haven't paid for something that was sent somewhere else.
>
> Then you've got to prove to the courts you didn't buy all that stuff. You have to write countless letters to credit agencies because the banks won't lend you money for that new house you set your heart on, and now someone else has bought it. Your bank is now arguing that you're liable for a £2000 bill because you didn't keep your details secure.
>
> By the time you've sorted all that out it's Christmas all over again.

Identity fraud does happen, but I think you're being a touch dramatic.

Jam Tarts 1874

> I would imagine existing credit card details, if any, are encrypted.
>
> And no, it's not a worry for me personally. Does not matter how clever an email interceptor :rolleyes: is, they can do ****-all with 4 digits of a credit card.

An interceptor would also need to know the 3-digit security code. I suppose they could always guess it. :rolleyes:

Darth Sidious

I removed my cards from Hearts Rewards. I pay by card for Hearts TV, will I have to remove it from there? Or anywhere else?

> An interceptor would also need to know the 3-digit security code. I suppose they could always guess it. :rolleyes:

It's like when people come into my work and contort themselves into weird positions to conceal their PIN.

It's only of any use to someone if they have your card (or a cloned version), too.

I'm not sure what people are worrying about. Sending your password when you've not asked for it is rather stupid, but the card info is the exact same as you get on your Visa receipt when you buy anything on it.

Jack Torrance

> Identity fraud does happen, but I think you're being a touch dramatic.

Yeah, agree, it's artistic licence, but it could happen.

It's a weak spot in their security and I only wanted to highlight it in case anyone else was concerned.

> Yeah, agree, it's artistic licence, but it could happen.
>
> It's a weak spot in their security and I only wanted to highlight it in case anyone else was concerned.

There seems to be some debate here, BJ, as to how much of a security breach this actually is. Can you post the original email that you received, complete with the personal information that you are talking about, so we can determine how bad this is? :xmasbabe:

Correct me if I'm wrong, but upon registering do you not receive emails telling you your username and password anyway? Would be just as easy to intercept them.

Jack Torrance

> It's like when people come into my work and contort themselves into weird positions to conceal their PIN.
>
> It's only of any use to someone if they have your card (or a cloned version), too.
>
> I'm not sure what people are worrying about. Sending your password when you've not asked for it is rather stupid, but the card info is the exact same as you get on your Visa receipt when you buy anything on it.

I imagine they must look quite funny. :xmaswoot:

What I would say though, I bet you wouldn't be happy if someone gave your receipt along with your name, address, DOB and phone numbers to a complete stranger.

Here's some websites if anyone on here is concerned. Some useful tips and info. If you're not bothered then that's fine too. I don't mind either way.

http://www.identity-theft.org.uk/default.asp

http://www.getsafeonline.org/

Guest JamboRobbo

> It's like when people come into my work and contort themselves into weird positions to conceal their PIN.
>
> It's only of any use to someone if they have your card (or a cloned version), too.
>
> I'm not sure what people are worrying about. Sending your password when you've not asked for it is rather stupid, but the card info is the exact same as you get on your Visa receipt when you buy anything on it.

Along with name, address, mobile and home telephone numbers?

Jack Torrance

> There seems to be some debate here, BJ, as to how much of a security breach this actually is. Can you post the original email that you received, complete with the personal information that you are talking about, so we can determine how bad this is? :xmasbabe:

:arf:

> Along with name, address, mobile and home telephone numbers?

Info that you'll get in an email when you buy anything online. As I said, sending your password when you've not asked for it is stupid, because if someone did happen to get into your emails they could log onto your account and read all that info anyway.

My point was that with the card details in the email there is little (nothing, as far as I know) anyone could do with that without either getting their hands on the card or guessing.

100% wrong, only sent to the supporter's e-mail address for ease of log-in.

Also no access to any card details as they're not held by the club.

Anyone in the wrong account would need to key in payment details to buy anything.

> 100% wrong, only sent to the supporter's e-mail address for ease of log-in.
>
> Also no access to any card details as they're not held by the club.
>
> Anyone in the wrong account would need to key in payment details to buy anything.

Not the point.

Passwords should not be sent out unless they're requested by the user.

> Not the point.
>
> Passwords should not be sent out unless they're requested by the user.

IMO, that is the only mistake, so if people are concerned they should change their passwords.

> An interceptor would also need to know the 3-digit security code. I suppose they could always guess it. :rolleyes:

Not necessarily. Not all systems require it, particularly foreign systems.

> IMO, that is the only mistake, so if people are concerned they should change their passwords.

Sending out an automatic logon link is pretty dodgy too. Although I have seen these used elsewhere, they have been for less critical sites (i.e. less personal information stored) - in this case it should be a no-no.
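The two posts above make the design point that the thread keeps circling: a password (or a permanent auto-login link built from it) should never be put in an e-mail, because anyone who reads the mail later still holds a live credential. The block below is an added example, not code from the thread, from the club or from Ticketmaster. It puts the anti-pattern next to what an e-mail login link should carry instead: a random, single-use token that expires and whose plain value is never stored server-side. `BASE_URL`, the 15-minute lifetime and the in-memory store are assumptions made for the example.

```python
"""Added example: single-use, expiring login token versus credentials in a link.
Illustrative code only; not the ticketing system discussed in the thread.
BASE_URL, TOKEN_LIFETIME_SECONDS and the _pending store are assumptions."""
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple
from urllib.parse import quote

BASE_URL = "https://tickets.example"      # assumed host for the example, not a real site
TOKEN_LIFETIME_SECONDS = 15 * 60          # assumed policy: a mailed link dies after 15 minutes

# Server-side store, constructed for the example: sha256(token) -> (account, expiry time).
# Only the hash is kept, so a copy of this table cannot be turned back into working links.
_pending: Dict[str, Tuple[str, float]] = {}


def insecure_autologin_link(username: str, password: str) -> str:
    """The anti-pattern the thread describes: the account's permanent password is
    embedded in the link, so it lands in mail archives, proxy logs and browser history,
    and reading the mail at any later date still gives full access."""
    return f"{BASE_URL}/login?user={quote(username)}&pass={quote(password)}"


def issue_login_token(account_id: str, now: Optional[float] = None) -> str:
    """Create a fresh token for one account and return the secret to put in the e-mail."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)                       # 256 bits from the OS CSPRNG
    digest = hashlib.sha256(token.encode()).hexdigest()     # unsalted is fine at this entropy
    _pending[digest] = (account_id, now + TOKEN_LIFETIME_SECONDS)
    return token


def login_link(account_id: str, now: Optional[float] = None) -> str:
    """What goes in the mail instead: a link that carries only the short-lived token."""
    return f"{BASE_URL}/login?token={issue_login_token(account_id, now)}"


def redeem_login_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the account id if the token is live, otherwise None.
    The token is removed on first presentation whether or not it succeeds, so a
    link that has already been used, or that has expired, cannot be replayed."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = _pending.pop(digest, None)
    if entry is None:
        return None
    account_id, expires_at = entry
    if now > expires_at:
        return None
    return account_id


if __name__ == "__main__":
    print("what the thread describes:", insecure_autologin_link("12345", "hunter2"))
    good = login_link("12345")
    print("single-use token instead: ", good)
    token = good.split("token=", 1)[1]
    print("first redemption:", redeem_login_token(token))
    print("replay attempt:  ", redeem_login_token(token))
```

Even with a token, the session it creates should be treated as weaker than a password login: showing stored card details or changing the address or e-mail on the account should ask for the password (or a second factor) again, which is the "less critical sites" distinction the post above draws.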

> Sending out an automatic logon link is pretty dodgy too. Although I have seen these used elsewhere, they have been for less critical sites (i.e. less personal information stored) - in this case it should be a no-no.

Didn't see that mentioned before. That is also stupid. Am I right in thinking these emails are from Ticketmaster and not Hearts? Think it'll be a long wait till Ticketmaster reply to any complaints or do anything about the system, unfortunately.

Seatbooker was better anyway, but that's another thread!

> Didn't see that mentioned before. That is also stupid. Am I right in thinking these emails are from Ticketmaster and not Hearts? Think it'll be a long wait till Ticketmaster reply to any complaints or do anything about the system, unfortunately.
>
> Seatbooker was better anyway, but that's another thread!

BJ mentioned it in post 5, if I didn't misinterpret what he said.

It may have been said, but your first point of call should be the club, and leave it with them instead of blabbing on a forum.

This is the club you support, isn't it?

Jack Torrance

Yes, you are correct. There's a link there too.

Look, I don't want to get into a debate as to how serious, or otherwise, this is. I'm fairly up to speed and reasonably switched on when it comes to online security.

My concern is that someone else might not be and may, for instance, use a password that they use for something else. Fraudsters phishing for stuff don't just use one source, they collate stuff from a variety of sources and can also hide programs in your PC to gather this info.

I only wanted to make folk aware, so I'm going to step away from the debate as I've achieved that and we all now know. Individuals can then make their own risk assessment and take action if they wish.

Jack Torrance

> It may have been said, but your first point of call should be the club, and leave it with them instead of blabbing on a forum.
>
> This is the club you support, isn't it?

My first port of call was the club I support. Thanks for the advice though. As I haven't received a reply from them, I felt it was worth making others aware.

Definition of Forum:

forum, n., pl. forums also fora

1.

a. The public square or marketplace of an ancient Roman city that was the assembly place for judicial activity and public business.

b. A public meeting place for open discussion.

c. A medium of open discussion or voicing of ideas, such as a newspaper or a radio or television program.

> It may have been said, but your first point of call should be the club, and leave it with them instead of blabbing on a forum.
>
> This is the club you support, isn't it?

The OP was rightly concerned about this issue. We are all adults and have the right to discuss the problem at hand. If you want to go and live in a nanny state, try Cuba.

Jack Torrance

> Bad move by the webotrons who are supposed to be "experts" employed by the club.
>
> Cue bad press galore. :xmaseye:

True. Maybe I should have waited until after the Smelltic game. :xmassick:

So were the 4 digits of your credit card the last 4? Which would include the modulus checksum? How do you extrapolate back to the full 16/19 numbers with any degree of certainty?
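The "modulus checksum" the post above refers to is the Luhn check digit, the final digit of a card number. The block below is an added example, not code from the thread or from any club or Ticketmaster system; it implements the check and then counts, for a constructed issuer prefix and constructed last four digits, how many candidate card numbers the check leaves standing. The prefix `45391234` and suffix `1234` are invented for the demonstration and are not real card data. The count is done by brute force so it generalises to any prefix/suffix/length combination small enough to enumerate.

```python
"""Added example: the Luhn check digit and how little it narrows a card number
down when only the issuer prefix and the last four digits are known.
Illustrative code only; the prefix and suffix in __main__ are constructed."""
from itertools import product

DIGITS = "0123456789"


def luhn_valid(number: str) -> bool:
    """ISO/IEC 7812 Luhn check: walking from the right, double every second digit,
    subtract 9 where the doubled value exceeds 9, and require the sum to be 0 mod 10."""
    if not number or any(c not in DIGITS for c in number):
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit counted from the check digit
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """The single digit that makes partial + digit pass luhn_valid."""
    for d in DIGITS:
        if luhn_valid(partial + d):
            return d
    raise ValueError("partial must consist of decimal digits only")


def count_luhn_candidates(prefix: str, suffix: str, length: int):
    """Brute-force the unknown middle digits of a PAN of `length` digits whose
    issuer prefix and final digits are known. Returns (candidates, passing_luhn).
    Because the check digit already sits inside the known suffix, the Luhn rule
    merely rejects nine in ten of the middles; it never singles one out."""
    free = length - len(prefix) - len(suffix)
    if free < 0:
        raise ValueError("prefix and suffix are longer than the PAN")
    candidates = 10 ** free
    passing = sum(
        1
        for mid in product(DIGITS, repeat=free)
        if luhn_valid(prefix + "".join(mid) + suffix)
    )
    return candidates, passing


if __name__ == "__main__":
    # Constructed 8-digit issuer prefix and last four digits; not a real card.
    total, ok = count_luhn_candidates("45391234", "1234", 16)
    print(f"{total} possible middles, {ok} of them pass Luhn")
    print("check digit for 7992739871:", luhn_check_digit("7992739871"))
```

The result for the constructed 16-digit case is 10,000 candidates of which exactly 1,000 pass, so the checksum leaves one in ten of the search space rather than pointing at a number; with a shorter known prefix or a 19-digit PAN the candidate count only grows. That is the arithmetic behind the reply that you don't extrapolate back from four digits, and it is also why the last four plus expiry date are what receipts and account pages are allowed to show.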

Guest JamboRobbo

> So were the 4 digits of your credit card the last 4? Which would include the modulus checksum? How do you extrapolate back to the full 16/19 numbers with any degree of certainty?

Full name, address, mobile and home telephone number also on there. Breach of Data Protection by HMFC/Ticketmaster.

Guest S.U.S.S.

> So were the 4 digits of your credit card the last 4? Which would include the modulus checksum? How do you extrapolate back to the full 16/19 numbers with any degree of certainty?

You don't, unless you're a super villain.

> Full name, address, mobile and home telephone number also on there. Breach of Data Protection by HMFC/Ticketmaster.

Dunno, didn't get one of the emails so, to be un-Kickback-like, can't comment. Must attend too many matches to qualify as a potential customer. :xmastongue:

Captain Canada

Unlike many others on here, I'm grateful to the O.P. for pointing this out. I think ridiculing someone for trying to help his fellow supporters is pathetic.

> So I noticed. :xmascrazy::xmasgrin:

Back to your usual pot-kettle style of debate, I see. As ever on here an issue grows arms and legs with a wholesale rush to jump on the bandwagon.

Guest S.U.S.S.

> Unlike many others on here, I'm grateful to the O.P. for pointing this out. I think ridiculing someone for trying to help his fellow supporters is pathetic.

I think ridiculing someone for ridiculing someone is pathetic.

> Unlike many others on here, I'm grateful to the O.P. for pointing this out. I think ridiculing someone for trying to help his fellow supporters is pathetic.

Thanks.

Have checked my email and the source code and can confirm the emails are sent from Ticketmaster, NOT Hearts. Complaints should be made to Ticketmaster; however, the club should be made aware of this also.

Sending out unencrypted passwords can be deemed a breach of security. There are hundreds of possible ways a 3rd party can obtain these details, either direct from the source or from a user's PC. I won't bore you all with the hows and means to do it, but it is incredibly easy.

My advice to everyone who has received this email is to log on immediately and change your password.

Guest JamboRobbo

> Back to your usual pot-kettle style of debate, I see. As ever on here an issue grows arms and legs with a wholesale rush to jump on the bandwagon.

Just pointing out you were happy to comment earlier in the thread, then suddenly you felt this apparent obligation to not say anything because you hadn't received the email.

And it was a light-hearted point - did you not see the smiley? :xmasgrin:

This topic is now archived and is closed to further replies.