Scam watch: fake verification pop-up

Impressive. A very subtle scam and W? deserves plaudits for publishing it. A similar (though not as subtle) scam is doing the rounds with regard to the new Coop membership card.

Patrick Taylor says:

It seems curious that this new subtle attack has been attributed to spy-ware on the members computer rather than a man-in-the middle attack, or possibly the vendors site has been hacked. Has Which? spoken to the other parties?

I have checked the normally well-informed [i}The Register[i/] and can find nothing on this particular form of attack which is indeed a very subtle.

John Ward says:

My first thought was that the butcher’s website had been attacked. If it was the customer’s computer it would happen each time they made an on-line payment via Mastercard or Visa.

Lloyd says:

A MitM attack can only occur if the ‘man’ in the middle is able to successfully impersonate both endpoints, something that two sites communicating over TLS using certificates from a trusted Certificate Authority render a virtual impossibility. So assuming this was over HTTPS using a modern Web browser I would suggest the issue is most likely on the client endpoint, e.g the victim’s PC

User 66219 says:

This comment was removed at the request of the user

william says:

Don’t agree with you’re experts. More like someone has definitely hacked the butchers website to place the new popup. The new code probably captures all the personal info that the host website displays about you to save you having to enter it. Which is how the fraudster had your name/phone number and know which bank card you’d used.

User 66219 says:

This comment was removed at the request of the user

User 66219 says:

This comment was removed at the request of the user

JoeBloggs says:

24 October 2016

If you trust the internet for financial transactions then expect to lose money at some point. Trust no-one. and sorry Duncan but there is no such thing as free that’s why github gets blocked. 99.9% of computer users don’t know how they work or what they are capable of and the other 0.1% are criminals who do and people trying to stop the criminals. Even the police are too far behind the criminals.

User 66219 says:

24 October 2016

This comment was removed at the request of the user

DerekP says:

As regards “free software” there are two kinds of “free”.

“free” as in free beer or as in a free lunch: no charge is made for the use of the software, but you don’t get to own the copyright of the version you download and the free version may be there to encourage you to spend money in other ways, e.g. free antivirus software may be there to encourage you to upgrade to a paid-for version.

“free” as in free speech. You can download the software and all of its source code, so you can know exactly how it works and what it does (and see if it contains any malicious code). You can (usually) also modify and distribute copies, so long as you continue to honour original licence conditions, including the ones about releasing your modified source code. You may have to pay for this kind of software – or it may also be free, as in free beer.

Those of us who have to write software as part of our day jobs, do like to take a pay packet home each month. So we generally don’t work for free, even though we may sometimes be able to release free software, when this is consistent with our overall objectives.

User 66219 says:

This comment was removed at the request of the user

User 66219 says:

This comment was removed at the request of the user

User 66219 says:

31 October 2016

This comment was removed at the request of the user

DerekP says:

31 October 2016

Actually Duncan, I did not express any views on github.

All I did in my post above was reply to JoeBloggs, to contribute what free software meant to me – both as an author and as a user.

Regarding open source software I did find a gov.uk webpage that said:

“Where appropriate, government will procure open source solutions. When used in conjunction with compulsory open standards, open source presents significant opportunities for the design and delivery of interoperable solutions.”

and also some 2015 press releases highlighting the acceptance of LibreOffice for use in UK government projects.

bestwaytaz says:

24 October 2016

A pharmacy rang me to advise I had been over charged . They asked for my most recent CC details so they could give me a refund, then they billed me for a further supply of over priced tablets . Fortunately the Natwest cc were on the ball and charged back immediately, but never take for granted that all cc companies are on your side or that you will get redress from the FSA.

Patrick Taylor says:

28 October 2016

“So, if malware is injected into a process which is already running in the context of the current user, it is easy to access those passwords in plain text.
Moreover, by injecting code into a web browser, attackers can modify the content shown to the user.
“For example, in a banking transaction process, the customer will always be shown the exact payment information as the customer intended via confirmation screens,” said Tal Liberman, Security Research Team Leader of enSilo.
“However, the attacker modifies the data so that the bank receives false transaction information in favor of the attacker, i.e. a different destination account number and possibly amount.”

thehackernews.com/2016/10/code-injection-attack.html

And it affects all Windows machines. How secure is online commerce?

Zouk says:

As a user who is not a technical computer expert am I wrong to trust Barclays Bank online safeguards? I use the card reader to log on along with other security requirements designed by Barclays. Are their methods insecure?

User 66219 says:

This comment was removed at the request of the user

Ian says:

Key pads (as opposed to card readers) are possibly more secure, since they have on-chip algorithms which calculate a prime number based on the time you use it, the number of times you’ve used it previously and the prime base number in question. Because the internal chronometer on the card is synchronised with the bank’s clocks, you should get a unique code each time that will only work at the time you choose it, or close to that time. But, as Duncan sagely notes, nothing digital is ever 100% foolproof.

MLD says:

The same thing happened to me a few days ago, buying Virgin train tickets. I started filling in the info asked for by what looked like the bank’s card verification box, but thought I’d not seen so much detail asked for previously, so I aborted the sale. When I subsequently tried again, several times, to buy tickets, the Virgin website kept saying there was an error and payment failed. I phoned and Virgin said they were trying to fix website problems. After a day of this I bought through Trainline. I didn’t get a phone call though.
Should I now worry that I have something nasty lodged in my laptop? I’m not techy – most of the comments above mean nothing to me.

User 66219 says:

This comment was removed at the request of the user

User 66219 says:

This comment was removed at the request of the user

Ron Thornton says:

This happened to me when buying premium bonds from the National Savings and Investments web site. I was purchasing a large amount of bonds so presumed Lloyds (my bank) were being more careful than usual. I have up to date F-Secure protection installed on my computer and have not seen this bank verification request appear with any other on line purchase before or since. Is it feasible the NS&I website has been illegally accessed?

User 66219 says: