
Breach of online security at HMFC


Jack Torrance


Jack Torrance
I think ridiculing someone for ridiculing someone is pathetic.

 

Yeah, I agree. Beat it! Away and ridicule someone yer' own size.

But thanks for sticking up for me before you ridiculed him....


Have checked my email and the source code and can confirm the emails are sent from Ticketmaster NOT Hearts. Complaints should be made to Ticketmaster, however the club should be made aware of this also.

 

Sending out unencrypted passwords can be deemed a breach of security. There are hundreds of possible ways a 3rd party can obtain these details either direct from the source or from a user's PC. I won't bore you all with the hows and means to do it, but it is incredibly easy.

 

My advice to everyone who has received this email is to log on immediately and change your password.

 

 

Hearts employ Ticketmaster to act as agents, this information was given to Hearts to use and not Ticketmaster in many cases, therefore, Hearts have as much responsibility for it as Ticketmaster.

 

The chances of someone actually doing anything from the email are minimal, but, as said, it is a breach of DPA and is utter incompetence.

 

Why should fans trust the club with their information when they have such shoddy practices or agents in place?

 

The OP had every right to post this.


ChemicalJambo

If someone could intercept your emails they could see your email address and see all your mailshots from Hearts, Amazon etc

So not too difficult to go to the websites, put in the email address and ask for a password reset. Intercept that email and log on

 

So this is not a security breach at all IMO


Just pointing out you were happy to comment earlier in the thread, then suddenly you felt this apparent obligation to not say anything 'cause you hadn't received the email.

And it was a light-hearted point - did you not see the smiley? :xmasgrin:

Beep Beep Beep Beep (just in case you were not spotted reversing!) :)


Guest JamboRobbo
If someone could intercept your emails they could see your email address and see all your mailshots from Hearts, Amazon etc

So not too difficult to go to the websites, put in the email address and ask for a password reset. Intercept that email and log on

 

So this is not a security breach at all IMO

 

 

lol. you should get a job as a spokesperson at the mod mate. :xmasgrin:


Guest JamboRobbo
Beep Beep Beep Beep (just in case you were not spotted reversing!) :)

 

Just to be clear, the fact you didn't get the email doesn't prevent you from commenting that giving out the last 4 digits of a credit card is acceptable?

 

But does preclude you from commenting on whether giving out names, phone numbers and addresses is acceptable?

 

:xmasgrin:


ChemicalJambo
lol. you should get a job as a spokesperson at the mod mate. :xmasgrin:

 

:xmasgrin: Or maybe I should be a hacker!


If someone could intercept your emails they could see your email address and see all your mailshots from Hearts, Amazon etc

So not too difficult to go to the websites, put in the email address and ask for a password reset. Intercept that email and log on

 

So this is not a security breach at all IMO

 

That depends of course on what security questions are asked for a password reset. :xmascrazy:


lol. you should get a job as a spokesperson at the mod mate. :xmasgrin:

 

What does a festival of Gaelic culture have to do with it? :xmasbabe:


Just to be clear, the fact you didn't get the email doesn't prevent you from commenting that giving out the last 4 digits of a credit card is acceptable?

 

But does preclude you from commenting on whether giving out names, phone numbers and addresses is acceptable?

 

:xmasgrin:

 

JUST to be clear what kind of mathematical genius would it take to extrapolate backwards the remaining 12-15 digits of a number from the last 4? I am assuming you are in the last throes of an enhanced PhD in theoretical maths and just waste time on here to give you something else to distract you from your proper job?

I was, as I have had to point out, querying the usefulness of 4 digits in creating a number.

 

Serious question :- do you have a real job as you seem to do nothing but post on here?


ChemicalJambo
That depends of course on what security questions are asked for a password reset. :xmascrazy:

 

They don't ask any :xmasoh:


JUST to be clear what kind of mathematical genius would it take to extrapolate backwards the remaining 12-15 digits of a number from the last 4? I am assuming you are in the last throes of an enhanced PhD in theoretical maths and just waste time on here to give you something else to distract you from your proper job?

I was, as I have had to point out, querying the usefulness of 4 digits in creating a number.

 

Serious question :- do you have a real job as you seem to do nothing but post on here?

 

 

Did I miss the post where it said only 4 numbers were listed?

I think the OP's comment was that the email gave opportunity if intercepted to access the online account and see the full number.

Therefore your squabble with Jamborobbo is irrelevant and pointless from both sides.


They don't ask any :xmasoh:

 

Nice one. I sometimes wonder about the quality of some of the people who work in IT. :xmaswoot:


Did I miss the post where it said only 4 numbers were listed?

I think the OP's comment was that the email gave opportunity if intercepted to access the online account and see the full number.

Therefore your squabble with Jamborobbo is irrelevant and pointless from both sides.

 

The full number is not stored on the ticketmaster site. The only thing you can see is the last 4 digits.


Did I miss the post where it said only 4 numbers were listed?

I think the OP's comment was that the email gave opportunity if intercepted to access the online account and see the full number.

Therefore your squabble with Jamborobbo is irrelevant and pointless from both sides.

 

 

Like this and oh so many of your posts. :xmasgrin:


The full number is not stored on the ticketmaster site. The only thing you can see is the last 4 digits.

 

Beep Beep Beep prancer joins the reversing team :xmasgrin: engage smug mode


No need to be concerned, we have used this method since June 2007.

When we send promotional mail we include for ease of use the reference and login details of that particular customer.

The details we hold there are last 4 digits of card number and this cannot be used to buy, any transaction needs a 16 digit card number keyed in.

Thanks

Derek.

This is the response from Hearts, seems acceptable to me.


Jack Torrance
No need to be concerned, we have used this method since June 2007.

When we send promotional mail we include for ease of use the reference and login details of that particular customer.

The details we hold there are last 4 digits of card number and this cannot be used to buy, any transaction needs a 16 digit card number keyed in.

Thanks

Derek.

This is the response from Hearts, seems acceptable to me.

 

 

 

Thanks for posting. No one's returned to me yet unfortunately.

 

The card details would appear to be less of an issue.

 

What does concern me though is that your personal details are available and your password is on display to anyone who can view your email.

 

Sight of the password wasn't requested. For someone less au fait with online security, they may have copied from passwords they used elsewhere that could allow a fraudster access to something more of a concern/risk for the individual.

 

That's all. Don't want to start a fight. I see it as a weak point and I'm concerned.


Thanks for posting. No one's returned to me yet unfortunately.

 

The card details would appear to be less of an issue.

 

What does concern me though is that your personal details are available and your password is on display to anyone who can view your email.

 

Sight of the password wasn't requested. For someone less au fait with online security, they may have copied from passwords they used elsewhere that could allow a fraudster access to something more of a concern/risk for the individual.

 

That's all. Don't want to start a fight. I see it as a weak point and I'm concerned.

 

It is a weak point. Passwords should never be transmitted or stored in clear text, nor should auto login links be used. It should be up to an individual user to manually enter their password when accessing any site which contains sensitive personal information. They need to get their act sorted out.


Archived

This topic is now archived and is closed to further replies.


