Credential Stuffing Attack on Dan Murphy’s, Event Cinemas and Guzman Y Gomez Accounts

try2bhelpful on 17/01/2024 - 11:53
Last edited 17/01/2024 - 22:10 by 2 other users

Thousands of Australians hacked in ‘credential stuffing’ credit card scam

Just thought I would highlight this as a reminder so people can check their various accounts and fix up password issues and ensure they remove credit card details from sites.

  • A while ago I deleted my CatchoftheDay account because I couldn’t find a way to keep it without a credit card attached.
  • I use gift cards for my Apple account so my credit card isn’t attached.
  • I found BWS had my credit card on file so I deleted that.
  • I remove Amazon credit card payment details after each use.
  • check credit card details regularly for suspicious payments.

I will need to go through my password details to get rid of duplicates and remove old accounts.

I realise this is probably “duh” to a lot of people but I didn’t realise about Catch or BWS having my card details until I checked.

Internet

Related Stores

Dan Murphy's
Dan Murphy's
Event Cinemas
Event Cinemas
Guzman y Gomez
Guzman y Gomez

Comments

    • try2bhelpful on 17/01/2024 - 12:04
      +3

      Yeah, mostly it is me too. The “what the hell was that”, when further investigation shows “oh yeah”. However, the article is talking about buying high end stuff and that wouldn’t be me :) Ya think this sort of thing would trigger suspicions from the retailer.

      • Sye on 17/01/2024 - 12:38
        +5

        I noticed a purchase of a lifetime supply of condoms made last month on my credit card. Upon further investigation I realised it was a hacker as I still had my one and only condom that I ever purchased in 2001 still in my wallet. I mean why would I have purchased more?

    • BillyStm on 17/01/2024 - 14:17
      +4

      Know someone who very recently had what they believed to be a suspicious business taking $10-20 per day on average from their account which was adding up quite quickly, they'd called the bank after hours and they advised them to go in to the bank the next day so it could be investigated. Went in the next day and after finally getting served the business was identified as their local coffee shop!! Hahaha!!

      • Jimothy Wongingtons on 17/01/2024 - 14:19
        +2

        bank staff about to call in the forensic boys to get stuck into tracking work: well alls well that ends well…

        $20 a day though…$20 flat out getting a big breakfast these days.

      • try2bhelpful on 17/01/2024 - 14:44
        +2

        Just going through my transactions and went “what is this semi regular payment”? Our usual breakfast place has a takeaway subsidiary only open on weekends. They have different names but appear on the statement as the same organisation. Fortunately twigged before we embarrassed ourselves

        It gets even worse when the billing name has almost no connection to the store, especially if the address is head office. Checking the statement is stepping back through your last month.

        • BillyStm on 17/01/2024 - 14:55
          +1

          I've also done this from time to time, always google the company name and can generally find out their registered ASIC details of who they are 'trading as' which can also narrow it down

      • samfisher5986 on 19/01/2024 - 12:26

        I recently went to a Ramen restaurant and it came up on my credit card as Facebook

        • try2bhelpful on 19/01/2024 - 15:31

          Is it run by old fashioned influencers?

    • JownehFixIT on 18/01/2024 - 10:22

      Some days I wish I was that Accountant.

      • Jimothy Wongingtons on 18/01/2024 - 10:36
        +2

        The autism thing
        The highly skilled accountant thing
        Or the badass 1 man army thing?

        • JownehFixIT on 18/01/2024 - 13:57
          +1

          It was a bit of everything honestly. But I'm glad you asked for clarification :-)

  • ozbs25 on 17/01/2024 - 12:00
    +4

    I do it for a lot of places including Costco, but I'm not going to remove my credit card details from Amazon. It would be too much of a hassle to add it every time.

    • try2bhelpful on 17/01/2024 - 13:39
      +1

      Just deleted Costco payment as well. I don't do a lot of online transactions so it isn't that much of a hassle. Besides if I have to get up and get my card I might come to my senses and not buy something :)

    • askbargain on 17/01/2024 - 21:15

      you can't order to a new address without confirming card details

    • mhz on 18/01/2024 - 12:07

      Just use a password manager to input your credit card details each time

      • ozbs25 on 18/01/2024 - 12:10

        I do that too but I purchase so often from Amazon that I'm not going to go that far. Also, sometimes a few seconds matter.

  • jugsy on 17/01/2024 - 12:02

    Quiet day at The Age….

    • try2bhelpful on 17/01/2024 - 12:05
      +1

      Perhaps but a reminder to be a tad careful doesn’t go astray.

    • JimB on 17/01/2024 - 12:11
      +2

      He/she is just trying to be helpful.

      • noelhoi on 17/01/2024 - 12:35

        Username checks outttt

  • ihfree on 17/01/2024 - 12:13
    +8

    If you don't already:

    • Use a password manager (eg: Bitwarden)
    • Use a strong and unique password for each website
    • Enable 2FA where possible

    Frequently review and remove:

    • Sites that store credit card information
    • Sites Authorised for automatic payments through Paypal
    • try2bhelpful on 17/01/2024 - 13:01

      I do have a password manager.

    • conork on 17/01/2024 - 13:04

      Google knows and creates all my passwords
      I certainly don't

    • KangaDrew on 17/01/2024 - 16:05

      Somewhat of an off-topic question, but is there any reason you suggest Bitwarden over other password managers? Genuinely interested to get some real-life feedback vs paid-for reviews. Thanks.

      • ihfree on 17/01/2024 - 16:14

        The main one would be it's free. I also don't have any issues with it.

        1password is also free if you use it at work. https://support.1password.com/link-family

        • KangaDrew on 17/01/2024 - 16:57

          Yeah I have an option to use 1P Family through work but it only stays active while you remain in employment, so I'd rather get something separate. Might look into Bitwarden then, cheers.

      • SBOB on 17/01/2024 - 18:29
        +2

        Relatively full featured for the free tier level.
        Paid for level is reasonably priced if you want those features.
        Open source.

        Really any password manager is infinitely a better choice than using none/repeated passwords/memorising etc.

      • Juggernauto on 18/01/2024 - 18:09

        I found that from the free options, it has the best features/experience, if you pay you get a bit more QOL stuff but the free version suits my needs perfectly

    • mattmel96 on 18/01/2024 - 08:50

      Get a copy of the receipt for all transactions (paper or electronic) and validate against statement each month, or more regularly if desired.

      My wife runs an Excel spreadsheet that she cross references against bank records weekly. I give her the copies of all receipts.

      We do this because MIL used to work in a bank and would regale in horror stories of scammed people. Those with good records had much higher chances of being recompensed. Also wife works in accounting, so not a lot of additional work for her.

  • snapper17 on 17/01/2024 - 12:14

    you can get amazon gift cards as well but if your amazon account is hacked they will take those too
    another thing you can do is put an alert on your cards. In the app of each card is an option. to have a notification for credits and debits you can turn it on
    also turn off purchases coming from international countgries if you are not travelling. you can still purchase items from overseas but people from overseas cannot use your card.
    you can also turn off gambling transactions if you dont use the card at gambling places. This may block tattslotto but you can turn it off and on when you want to purchase.
    This will stop some sneaky apps from charging you

  • Muzeeb on 17/01/2024 - 12:15
    +4

    I remove Amazon credit card payment details after each use.

    How do you snag the Amazon limited quantity deals then? If you can't check out in 2.6 seconds there is no way you will get anything.

    • djones145 on 17/01/2024 - 12:39
      +1

      memorise credit card details
      practice speed typing at 400 words a minute

      check out in 2.5 seconds

      • Muzeeb on 17/01/2024 - 12:45
        +2

        That saves cents. Cheers

  • SBOB on 17/01/2024 - 12:38
    +7

    Credential Stuffing Attack

    Which is such a poor explanation/name of what the 'hack' is.
    It's credential reuse attacks. Bots working through lists of previously compromised account details and trying the same user/pass combos on other sites.

    If you don't use the same password at multiple sites you have very very very minimal chance that any leaked credential reuse attacks would impact you.
    Unless they came from the site being hacked in which case they wouldn't need to use your credentials as they are already 'in' the network/system.

    Password manager, long unique per site passwords, 2fa on any important or financial based sites.

    • lint on 17/01/2024 - 12:45
      +2

      Yeah, I hate the term that's become attached to it. It doesn't say anything to the layperson what the problem is and how to prevent it.

      The Age article says "Customers who use the same login details for multiple online accounts are especially vulnerable to abuse."

      It does a poor job explaining that customers who do that are the only ones vulnerable to this attack. Stop using the same login details across different accounts and enable 2FA wherever possible.

  • lint on 17/01/2024 - 12:41
    +2

    Always choose not to let merchants and payment processors remember your credit card details. They want them on file because it spurs impulse purchases when you can buy in a few click.

    Choose to pay by Apple Pay or similar where available as merchant won't have your card details and you don't have to enter it.

    Other options are to use PayPal or BNPL services as a proxy to your credit card, but make sure you have 2FA enabled for those services. Disable their quick checkout options that don't require authentication.

    Many banks allow you to turn on app notifications whenever a transaction occurs. Definitely do this for outgoing transactions for all accounts that have credit or debit cards attached.

    • Mechz on 17/01/2024 - 12:57

      All good until they compromise Apple Pay or PP etc.

      • lint on 17/01/2024 - 19:18

        How do you suppose they’ll compromise Apple Pay?

        • try2bhelpful on 18/01/2024 - 11:24
          -1

          How they compromise most things, some internal idiot gets careless and clicks on the wrong thing. Or some low paid person on an outsourced contract gets offered money.

          • askbargain on 18/01/2024 - 19:55
            -1

            @try2bhelpful: oh wow you really know what you're talking about

            • try2bhelpful on 19/01/2024 - 00:07

              @askbargain: Have a look at the compromises in security and that is usually what the problems are. I’m just telling it like it is.

  • KangaDrew on 17/01/2024 - 12:50

    A while ago I deleted my CatchoftheDay account because I couldn’t find a way to keep it without a credit card attached.

    Do you have OnePass? That might be the reason why you can't get rid of the card details, as it needs them for DD. I don't have my CC details in my Catch account and it's active. I suggest you contact their customer service to have them removed if you can't do it online yourself (that is, if the OnePass sub isn't applicable in your case).

    • try2bhelpful on 17/01/2024 - 13:32

      I don't use it much anymore so not really an issue. If I buy from them again I will create a new account. However, thanks for the info.

  • Muzeeb on 17/01/2024 - 13:06
    +3

    Guzman Y Gomez Accounts

    It has also hit an ozbargain member

  • try2bhelpful on 17/01/2024 - 14:48
    +2

    The other thing I do is move my birthdate year out by one unless it is absolutely imperative it is correct. Places like Myers dont need my exact birthdate and it makes identity theft harder.

    • KangaDrew on 17/01/2024 - 16:05
      +2

      I do the same thing. 1st of the 1st and a year later. Easy to remember if they're always the same mock DOB :-)

      • StingyBritches on 18/01/2024 - 09:31

        I have a different birthdate on every account which is easily tracked with 1Password.
        Bonus: I get lots of Birthday wishes in vendor emails! 🥳

        • try2bhelpful on 18/01/2024 - 11:22

          Love it. A new present every month.

  • Drakesy on 17/01/2024 - 16:11

    Best way around this.

    Churn and burn cards.

    • Preet on 17/01/2024 - 16:50

      Totally read that as chum and bum!

      • Drakesy on 17/01/2024 - 16:56

        That works as well.

Login or Join to leave a comment
Login Join