Where was the breach?

Firefox Monitor

I'm not recommending this - https://support.mozilla.org/en-US/kb...a-known-breach but it is available.

The problem with a site checking to see if you've accessed a site which has had a breach is that it may also present an opportunity for an attack - though whether it will in practice I can't say. There are two (at least) aspects, which are (a) technical - is the software secure enough?, and (b) trust - do you trust the monitoring site (or its owners) sufficiently to want to try this software?

I have accessed the monitor on one or two occasions, but I've not done a permanent installation on my machines.

Yes, Firefox is my default browser and I've had notifications about it. Lockwise tells you whether any of your stored passwords are vulnerable too. There is also the Have I Been Pwned? website. Both show up compromised email addresses connected with sites I've visited, and presumably the hacked sites had been accessed routinely before the hack took place so one has confidence in them. Anastasius has also given me something to mull over.

I had a letter from my university this week saying the (American) company which manages their database system, and that of many other universities and organisations (with personal details, academic record - but fortunately not financial details), suffered a ransomware attack in May.

The company paid a ransom to ensure that all the details were destroyed. So that's all right

exactly, only idiots would believe this.

I retired some years ago + opted out, I thought, from all communications with my previous employer University of Surrey but apparently they still kept a record on an American server - no permission on my part was asked for by them to keep this record - this itself should be a warning as the US has no data protection laws worth having in most states + an 'ethical' stance held by most companies that treat customers as suckers.

I'd be interested to learn of the mechanism thought to have been used to link two distinct cards as this might give a warning to others as I believe the banks are hiding the high cost of online fraud which the police have not bothered to investigate for years.

I recently applied for a loan - government backed. Because of Covid all the people working this are working remotely. The loan has been approved, but there is still paperwork to be provided and checked. I was asked to provide the following:

1. A signed copy of the agreement.
2. Proof of my identify, such as a copy of my passport or driving licence.
3. Separate proof of my address, which could be my driving licence if not used at 2.
4. Details of the account to send the loan to.

I have so far refused to do this, as the suggestion was to get all of this together, then email it in.

What Anastasius suggested was two hacked sites, one linked to my Lloyds credit card/contact details (narrowed down to the New York Times or booking.com), the other to, possibly, the Amazon merchant rather than Amazon, who had transaction/contact details. So the contact details were electronically matched up connecting the Amazon transaction details with my Lloyds credit card, via my home address. It makes sense.

assuming the merchant is in the UK then this would appear to be worthy of a police investigation as unless they too were hacked then some criminal behaviour must have occurred - matching a list of names to take £28 is only worthwhile if it is done on a wholesale basis - matching lists between hacks to extract a large number of small sums that might well not have provoked alarm indicates to me a rather sophisticated criminal operation.

Just looked for the details - it actually says Dispatched from and sold by Amazon in spite of the reference AmazonMktPlace. Can't find anything about a third party seller.

It's no big deal to run the match between two databases but your point is well made. The police won't be interested.

I attempted to buy a house through PurpleBricks last year. Same sort of thing: they needed ID of various sorts - of course - but couldn't provide ANY sort of secure means for me to upload it to them. I ended up sending it to the agent's personal email (PB was rejecting mine as spam, for some reason) as an encrypted zip file or some such, and sending the password via the secure online message service (which doesn't allow attachments). How on earth PB manage to operate with such a totally pathetic system I don't know. I hope I never have to use them again.

Not responding to the particulars of FF's incident - it has occurred to me that I should change the card/account number of the credit card I use for online purchases more frequently than the card issuer would require - say yearly. I've become a bit guarded about retailers who handle the transaction themself - so no Sage, WorldPay or paypal process available. On the basis that I suspect my card details remain on their IT system which might not be well protected.

So I suppose I should "lose" or end up with a "faulty" credit card on a regular basis. I'm extremely reluctant to pay using my bank debit card - fraud there takes my money from my account and I have to prove innocence and argue to get it back. On a credit card there is a debt I can query and not pay.

I agree the police have no resources to pursue quite significant fraud losses. They pursue large scale operators, the most egregiouus examples (exploiting the particularly vulnerable) maybe very large losses and the rest goes into statistics from which they pick up the data to decide which ones would reward investigation. I've become really very guarded with my information, in responding to 'phone calls and emails and where necessary I make contact by independent routes to establish others' bona fides...

There was a case in the (Sunday?) Times where a person had invested thousands into an investment firm only to find the internet site used was a convincing clone of the real one. Similar stories can be found :


The advice is to go to the Financial Conduct Authority register and check the firm/institution is authorised for the activity, and use the internet address from the register to make contact and organise the investment. If it were me, where large amounts are involved I would be taking screenshots (timed/dated) of that register and the linked company to prove I had followed that advice.

I used to work in a regulatory organisation and we received summaries of trends in fraud. The ingenuity and determination of fraudsters is extensive. Not wishing to unnerve you, but just show this, there is an instance of a fake FCA Register itself!

Let's hope nobody posts a link to a fake FCA here!

I recently spoke to two people - one an accountant with a major global firm, and one a computer specialist in a firm dealing with very large sums of money.

The view seems to be that at the moment there has been a very significant recent spike in computer fraud activity, partly due to changes in the way people and other firms are operating, and partly due to criminals noticing new opportunities as a result.

Uber cautious as (I hope) I am, I would go to the Gov.UK website, and on its home page search for "Financial Conduct Authority" and follow the links from there (always moderated by looking at what is before my eyes). Taking images of the screens along the way.
If you can't trust Gov.uk.........

(I'm forever saying to Mrs CS "what is this website?" "how did you find this?" "Let's check this website" - flights, holidays (those were the days), house improvements etc. Mostly its alright but there can be no reliance on something just because Google threw it up on a search).

Finally, I would say I've found subscribing to "Computeractive" over the years useful in many respects. They always run a page or two on Consumer rights which informs situations like Makrupoulos's where his CD player didn't play CDs as we would reasonably expect. Also they run features on computer security (and to diverge, a regular page on Family History). Admittedly, it also gives mostly information useful to me generally as PC user in protecting, fixing and enhancing the systems for which I am appointed 1st line maintenance man. I know its not an issue for Apple users........Apple computers and devices fix themselves. I'm sufficiently enamoured to buy the yearly DVDs after which I can bin the hard copies of the magazine..

A week or so after I made the first report, I got an Action Fraud personal email (i.e. to me personally, though not from a person), saying there had not been a lead they could follow up, but to update the report if I had anything further to say. So I added on the bit about not realising that the card I used for Amazon not being the one scammed, but I could narrow down the Lloyds credit card use to the New York Times site or booking.com. Amazon accounts have been reported as hacked and shipping details and contact details accessed (but clearly Amazon had stored the bank card details securely). Knowing how booking.com encrypts information, it would be more likely that any breach would be at the hotel end. So that's likely to prove a dead end too.

Regarding the request for copies of and transmission of documents which I've previously mentioned (msg 19), it just occurs to me that normally I would scan these and retrieve copies on my computers, before encrypting them and sending them further. However, that process would require tranmission over my local network, which I suspect could be hacked - via the router or via a wireless link. I'm not operating a local VPN or anything like that, and I don't think my scanning equipment will link directly to my computer (actually one may - via a USB cable - I'll need to check), so in order to get digital copies set up I may have to resort to taking photographs, importing them on SDHC cards, then exporting the files back to a USB stick and deleting them from the computer, having encrypted them suitably.

More trusting people might just use their iPhones or similar for photos, but I'm not that trusting. Even printing copies of confidential paper documents documents can be a source of leaks, so sometimes it might be better to just use a scanner/copier in copy mode without transferring any data via a router or wireless link to a computer. The computer should be disconnected from a local network, and Bluetooth and Wifi turned off, and the router powered off while doing this. Other people may not be so cautious, but some awareness of the dangers would probably not go amiss.

Do not even think of writing down the procedures to use in a file which may exist on your computer - use pen or pencil and paper!

This thread is making me question my whole attitude to risk!

We have a choir committee meeting tomorrow, to discuss the possibility of resuming rehearsals, and I'm very much on the cautious side.

But I've recently applied for solar power generation registration, which, in addition to photographs of meters and readings, included signing a form and sending some sort of confirmatory ID (I chose a scan of my photo driving licence and a copy of our council tax demand), which we clagged together as a single attachment and sent by email.
At least it didn't include bank details, I suppose.
They'll already have them from the direct debit details, but I think they actually pay for the generation by sending a cheque!
We shall see.

Maybe I should have sent the material by regular mail, asking for proof of delivery, instead.