Cybercriminals tap Lush website for card fraud

Lush officials said on Friday that anyone who has used a card on its website between October 20 and January 21 should contact their bank, to check their card details have not been compromised.

The Facebook site of Lush has been filled with comments from angry customers, whilst Trend Micro security researcher Rik Ferguson said over the weekend that he was initially alerted to the hack by one of his friends, whose card - along with that of her husband - had been misused to the tune of almost £6000.

"The risk of these stolen card numbers being used by criminals has already moved from the theoretical to reality", he said on his Countermeasures security blog.

According to Ferguson, shopping online is for the most part as safe as shopping in-store, but when a compromise occurs at an online merchant its consequences are often far greater, affecting many more people than in-store card cloning because of the centralised nature of online stores.

"Consumers should be demanding more services such as one-time credit card numbers from their financial institutions to afford them more protection when shopping online", he said.

"One-time credit card numbers were introduced back in 2000 by AmEx but have not been as widely adopted by consumers as I would have expected. Talk to your bank, find out what security they offer for online shopping", he added.

The Trend Micro security expert went on to say that, whilst Lush has not gone public on what actually happened, it is never a bad idea to restate a few best practices for securing web applications:

  • Keep them patched.
  • NEVER store sensitive data in clear text (This is a PCI requirement).
  • Get them regularly vulnerability scanned from the inside as well as the outside.
  • Use strong authentication (two factor) if you are only serving a limited user population or if the data you are holding is particularly sensitive. Cookies can lead to session hijacking.
  • Bounds checking of input data helps to avoid buffer overflows and SQL injection type attacks.
  • Provide access to information on a Need to Know basis and always provide it with Least Privilege.
  • Don't provide detailed error information to browsers; you don't expect your customers to debug your application, so don't give up that error message.
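Three of the points above (bounds checking of input, SQL injection, and not returning detailed errors to the browser) can be shown side by side in a few lines. The following Python example is added here for illustration and is not code from the article, from Lush, or from Ferguson's blog; it uses an in-memory SQLite table with constructed sample rows, and the function names (`lookup_vulnerable`, `lookup_parameterized`, `valid_email`, `handle_lookup`) and the `server_log` list are hypothetical stand-ins for a web shop's handler and its server-side log.

```python
import re
import sqlite3

# Constructed sample data: an in-memory table standing in for a shop's
# customer records. The addresses and values are invented, not from Lush.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice@example.com", "1234"), ("bob@example.com", "5678")],
    )
    return conn


def lookup_vulnerable(conn, email):
    """Concatenates user input into the SQL text, so the input can alter the query."""
    sql = f"SELECT card_last4 FROM customers WHERE email = '{email}'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn, email):
    """Binds the input as a parameter; the driver treats it as data, never as SQL."""
    rows = conn.execute(
        "SELECT card_last4 FROM customers WHERE email = ?", (email,)
    )
    return sorted(row[0] for row in rows)


# Bounds and format check applied before the value reaches the database:
# a bounded local part, one '@', a bounded domain, no whitespace, 254 chars max.
EMAIL_RE = re.compile(r"[^@\s]{1,64}@[^@\s]{1,253}")


def valid_email(value):
    return (
        isinstance(value, str)
        and len(value) <= 254
        and EMAIL_RE.fullmatch(value) is not None
    )


# Hypothetical stand-in for the application's server-side log.
server_log = []


def handle_lookup(conn, email, lookup=lookup_parameterized):
    """Returns (status, body) as a web handler would.

    Invalid input is rejected before any query runs, and database errors are
    recorded server-side while the client only sees a generic message.
    """
    if not valid_email(email):
        return 400, "Invalid request"
    try:
        return 200, lookup(conn, email)
    except sqlite3.Error as exc:
        # Full detail stays in the log; the browser never sees the SQL error.
        server_log.append(f"lookup failed for {email!r}: {exc!r}")
        return 500, "Something went wrong; please try again later"


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("vulnerable :", lookup_vulnerable(db, probe))      # every row leaks
    print("parameterized:", lookup_parameterized(db, probe))  # no match
    print("handler    :", handle_lookup(db, probe))           # rejected at the door
    print("handler    :", handle_lookup(db, "o'neil@example.com", lookup=lookup_vulnerable))
    print("server log :", server_log)
```

The concatenated query returns every customer's data for a single malformed input, while the parameterized one returns nothing; the handler rejects the same input before it reaches the database at all. A legitimate address containing an apostrophe breaks the concatenated query, and the handler answers with a generic message while the real SQL error goes only to the server log, which is the point of Ferguson's last item.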

The BBC, meanwhile, quotes Hilary Jones, Lush's ethical director, as saying the problem was spotted at Christmas, when hackers were discovered to have penetrated the site.

The site, says Jones, was taken down and did little trade between Christmas and New Year while Lush investigated to see if the hackers were merely mischievous or out to make money.

"It became obvious that the hackers were after cash as European customers began reporting small purchases made with credit cards that had been used on Lush and other web shops", she said.

Jones told the BBC that the small transactions were test purchases that thieves carry out to see if a card is still live.

The Lush website, Jones went on to say, has been "retired" and a new online shop is set to appear that will initially only accept payments via PayPal.
