Wiggle investigating suspected cyber attack on customers' accounts

I'm curious about this as when I went to change my password, I saw that my existing password was an extremely weak one that I know has been compromised in the past (through other websites - might have been XKCD). However, my Wiggle account hasn't been abused (by anyone else) so that seems to me like there's some other route that the crims have used to get credentials.

I can also confirm that Wiggle store card details and I can happily order without putting in the CVV. As I understand it, the credit card companies have found it cheaper to push most of the security details onto the retailers. If a retailer accepts orders and ships out expensive parts to a different country, then it'll be the retailer that's left with the bill as the credit card company will just reverse the charge.

hawkinspeter wrote:

my existing password was an extremely weak one that I know has been compromised in the past (through other websites - might have been XKCD)

https://haveibeenpwned.com might be able to tell you where.

Actually, it was Kickstarter (changed password since) and MyFitnessPal (which I haven't used in years).

srchar wrote:

This sounds like a simple case of credential stuffing.

Wiggle can't do anything about this, short of implementing two-factor authorisation.

This is the fault of people who re-use passwords.

Get a password manager and use it!

Yes, it appears to be that emails and passwords lifted from elsewhere have been used. Common password across multiple sites are an absolute no-no (and far too many people use really dumb passwords).

A password manager isn't 100% safe but it's far, far better than reusing a password, even a complex one.

But not retaining your card data is just as vital.

Merchants are not allowed to store CVVs. I'd be very sutprised if Wiggle were doing so.

Ok then: Should Wiggle store CVVs and allow critical account details to be updated without confirmation from the existing email address on file? Absolutely not. 

But somehow, orders are being placed without any secondary authorisation. There is no 3d-secure or 2FA.

Regardless the technicalities are kind of secondary at this point to the fact they still haven't informed everyone with an account that they need to change their password. 

I've just deleted my card details from Wiggle so I can't test this anymore, but I'm pretty sure last time I ordered from Wiggle (using saved card details) I was able to complete the order without entering the CVV - indeed as far as I can remember the only security was logging on to my account (thankfully using a unique password from LastPass).

Isn't the point of the CVV that you have to enter it each time you make a purchase, thereby demonstrating that you physically have the card and avoiding this very situation? 

That might seem sensible but I don't think that's how it works. Once a merchant has verified your card once using CVV I don't think they have to repeat for successive transactions. But if the card number was stolen somehow and used elsewhere that should be foiled by lack of CVV.
I'm surprised merchants don't validate new/additional delivery addresses different than the cardholder address.

Other retailers (including Amazon I think) will store card details and not require CVV to be re-entered when you're having a delivery sent to an address you've used previously. Request delivery to a new address and you have to re-enter the CVV. Seems like a sensible approch. I've got a feeling that changing email address also requires you to re-enter CVV next time you make a purchase.

Nothing more than a hunch, and don't have anything to back it up, but it's possible that someone has identified that as a weakness with the Wiggle ordering process and, as others have suggested, used details gained from another source (ie not from hacking Wiggle) to exploit it.

OnYerBike wrote:

Isn't the point of the CVV that you have to enter it each time you make a purchase

No. CVV prevents theft of card details using card skimmers - it's not stored in the magstripe. There's no requirement for a merchant to ask for CVV at all and card providers do not require it in order to authorise a transaction, hence why the likes of Wiggle can store your card details and allow you to complete purchases without re-entering your CVV.

Wiggle have made the decision that asking for CVV on first use is sufficient to protect them and their customers against fraud. Or they've calculated that the resulting fraud costs less than the lost sales resulting from forgetful people having to go and find their physical card every time they want to make an impulse purchase...

Don't forget that no website forces you to store your card details.

I'm not an expert, but my understanding is that, while card skimming is one way to obtain someone's card details, it's not the only way. And CVV should provide the same additional protection whether your details were compromised because someone skimmed your card or because someone logged in to your account (or because your card details were obtained in another way).

While no website forces you to store your card details for future purchases, all online shops will store your card details somewhere in their records - and there have been numerous occassions when such websites have been breached and card numbers have been obtained by hackers.

And yes, it does appear that retailers aren't required to request your CVV each time you make a purchase. Personally, I would think that requiring that small additional step would noticeably increase security with minimal loss of revenue.

...because e-tailers still have this habit of using the same password system they 100% know will lead to such behaviour amongst a good proportion of paying customers.

And yet people still use the same passwords. Sorry, what's your point here?

I think the point is that by making the shopping process as easy as possible, e-tailers get more custom. But the cost of this is lower security. 

By not requiring strong or unique passwords, and by not requiring any additional verification - even re-entering the CVV - shops make it very easy to click through and complete an order but leave themselves open to this sort of attack.

Online stores make it as easy as possible for people to place orders, because if the order process is difficult (like having to re-enter card details, 2FA etc) then a lot of people will go somewhere else. People are lazy and like things to be as easy as possible, until something like this happens. And then it's the retailers fault for not doing more to protect them.

Just changed my password now, though I'm wondering if I should remove my card details. Maybe the crims will spend less than I do.

hawkinspeter wrote:

Just changed my password now, though I'm wondering if I should remove my card details.

Yes.

Never allow a site to store your card details if you have the option.

Tbf I hadnt realised with my account I actually had,so id add & dont assume you havent stored card details , but fortunately only my own ridiculous spending sprees shows up