UK Gaf: Boomerang rentals (possibly) hacked.

Just been on phone to bank as they don't display pending transactions, and I knew I used my card after the latest transaction. The woman advised there hadn't been any activity other than the one transaction I did make, but she did say something interesting.

I asked if I should be pro-active and cancel the card anyway, and she said that this actually wouldn't help, as they could still take money because they can create a tie to the account; so actually what you would need to do is close the account or account tie, and cancelling a card wouldn't do that.

Something to be aware of maybe?
 
Just been on phone to bank as they don't display pending transactions, and I knew I used my card after the latest transaction. The woman advised there hadn't been any activity other than the one transaction I did make, but she did say something interesting.

I asked if I should be pro-active and cancel the card anyway, and she said that this actually wouldn't help, as they could still take money because they can create a tie to the account; so actually what you would need to do is close the account or account tie, and cancelling a card wouldn't do that.

Something to be aware of maybe?

AFAIK they are talking about recurring payments. You can't cancel a card to get out of a contract you signed up to. However if a card is blocked then they set the credit limit to zero and you can't make new purchases on it. Any valid recurring payments can be linked to the new card. In fact I just tried my old, now cancelled, card by accident. It was still linked to PayPal. Sure enough the transaction was refused and I was prompted to update it.

Taking just the front page down when a serious breach is ongoing, while leaving other pages up? Sounds like a professional operation.

Or they want to stop anyone new from signing up while they investigate, while leaving the back end accessible for current customers.

They have not exactly covered themselves with grace but it is the weekend and they seem to have been caught somewhat with their pants down. If they are still denying an issue next week then I will be the first to fetch the tar and feathers.
 
Taking just the front page down when a serious breach is ongoing, while leaving other pages up? Sounds like a professional operation.
Well they don't develop their own site, so I guess I'll half let them off, but yeah bit of a noob-move.

AFAIK they are talking about recurring payments. You can't cancel a card to get out of a contract you signed up to. However if a card is blocked then they set the credit limit to zero and you can't make new purchases on it. Any valid recurring payments can be linked to the new card.
I think that was the gist of what she was trying to explain; she mentioned how some people would cancel cards thinking it would stop payments going out, rather than cancelling properly, only to discover that they were still taken.

She said the fraud team would do extra things (the blocking you mention I guess) but if you just rang up and said 'yo gimme a new card', that potentially wouldn't help much.

She did actually say 'is this the PlayStation thing' without me even mentioning what it was I was concerned about, all I said was a website may have been compromised. I don't know if she meant PSN itself or just said PlayStation thing as an uneducated viewpoint of Boomerang renting out PlayStation games, but I've not used my card on PSN in years and Boomerang took payment recently so probably saw the transaction and assumed that is why I was calling, so might have been a few calls about it - and this was just to general customer services not the fraud team.
 
It is always the little guys (shops) that get hit & it does the most damage to them. They should be more proactive on the security side, but they just do not have the time, skills & resources to invest unfortunately, & the hackers know this so they target them :(

You shouldn't run away from these little shops though.

This is why you should always use a credit card & NOT a debit card!

I have not used this site/shop/retailer but I have been hit before. Last year both my cards got hit; one was used to buy a £800 British Airways ticket. I only found out as I check my balance once a week, BarclayCard never even alerted me :@ but I got it all taken off.
 
I would just like to say I hope this doesn't have a major negative effect on them.

Their service is fantastic and while this is concerning lets not get the pitchforks and torches out.

Maybe we should see how they handle this before praising their "fantastic service."

If it's true that they're responsible for this, and the evidence is piling up, then they're going to need to accept that rather than continuing to issue flat out denials while insisting that it's impossible it could be anything to do with them.
 
It is always the little guys (shops) that get hit & it does the most damage to them. They should be more proactive on the security side, but they just do not have the time, skills & resources to invest unfortunately, & the hackers know this so they target them :(

You shouldn't run away from these little shops though.

This is why you should always use a credit card & NOT a debit card!

I have not used this site/shop/retailer but I have been hit before. Last year both my cards got hit; one was used to buy a £800 British Airways ticket. I only found out as I check my balance once a week, BarclayCard never even alerted me :@ but I got it all taken off.
Do you mean credit over debit because of protection?

Both credit and debit cards have fraud protection for occurrences like this.

What credit cards have over debit cards is better protection for purchases you willingly made, like say you bought a TV and it turned up in bits and the retailer didn't want to know - though even then they now often have similar levels of protection, but it is offered by the bank/card issuer rather than by law.

Maybe we should see how they handle this before praising their "fantastic service."

If it's true that they're responsible for this, and the evidence is piling up, then they're going to need to accept that rather than continuing to issue flat out denials while insisting that it's impossible it could be anything to do with them.
Their service is good though! In fairness they only 'denied' it at the start; they said it was likely it wasn't them but other means, which wasn't what I'd call a flat out denial - but it could have been worded a lot better. They've since said they are going to investigate fully, and at the start it was only a handful of people, and stuff like this happens alllll the time, so it can be easy to say "well our data is encrypted, I can't see how they'd get the details, you five people must have just been phished" or whatever.

If we don't get an email tomorrow then they've mishandled this situation very badly.
 
Last night I had a call from my bank to say that my card has been used in an attempt to transfer £400 via Western Union, a service known for being popular with fraudsters and one I have never used.

Transaction was stopped, and my card has been cancelled. Slightly inconvenient, but really glad the bank caught it so quickly.

I used Boomerang a couple of years ago. This really can't be a coincidence...
 
Do you mean credit over debit because of protection?

Both credit and debit cards have fraud protection for occurrences like this.

What credit cards have over debit cards is better protection for purchases you willingly made, like say you bought a TV and it turned up in bits and the retailer didn't want to know - though even then they now often have similar levels of protection, but it is offered by the bank/card issuer rather than by law.

Yes they have protection, but in the case of the Debit Card that is your money it may be taken from your bank account straight away you may not notice it for a few days or more, & may take some time to have the funds reinstated/refunded, but with a Credit Card it is not your money & you have longer to sort it out.

People have had their Debit Cards scammed & money has been taken from their account not leaving enough to cover bills etc, that is when the real problems arise.

I have a Debit Card & I never use it, only occasionally to take cash out of the cash machine inside my local bank.
 
Last night I had a call from my bank to say that my card has been used in an attempt to transfer £400 via Western Union, a service known for being popular with fraudsters and one I have never used.

Transaction was stopped, and my card has been cancelled. Slightly inconvenient, but really glad the bank caught it so quickly.

I used Boomerang a couple of years ago. This really can't be a coincidence...
This is what concerns me the most. People who haven't been members for years.

And it isn't that they're keeping hold of the details, they're allowed to do that for a length of time and also it is common for subscription websites to do this for convenience of pausing memberships etc, etc, but rather that if our details are encrypted like they claim then it can only mean one of two things.

Either, as I previously posted, the website has been sending details to a hacker or inside employee before it gets encrypted and stored with some sneaky code in the website or it means that they are encrypted, but they're using either two-way encryption (ie. can be decrypted with ease) or simple encryption that can easily be reversed.

If the first option, and you haven't used them in two years, that means that hole has been there for at least two years.

There is just no other way that they could get your details.
 
Though this hasn't affected me, given what Boomerang have said about not even having full card details on their end, what other ways (and how) could the scammers get them and it still be Boomerang's fault?
 
Though this hasn't affected me, given what Boomerang have said about not even having full card details on their end, what other ways (and how) could the scammers get them and it still be Boomerang's fault?

Given what we know now the likelihood is that they have stored full card details, despite their insistence to the contrary. No other way for this to happen, really.

My guess? They have probably got some hack web design shop to cobble their site and payment system together, and they have taken a shortcut in creating a recurring payment. Basically store the details and use them each month again. The fact that they didn't manage to take their site down properly would support this theory of a third party being behind their web implementation and them not really knowing how it works.
 
Though this hasn't affected me, given what Boomerang have said about not even having full card details on their end, what other ways (and how) could the scammers get them and it still be Boomerang's fault?
Well they've said they have your full card number stored - encrypted. But they don't have the 3 digit security code, and also if you are enrolled in Verified by Visa or MasterCard SecureCode then the retailer never sees this so they won't have that either.

However, the 3 digit security code is not required to process a transaction, only the card number is. The security code, and Verified by Visa steps are designed such that it helps to protect the retailer.

No one is allowed to store the security code, so if hacks happen and your card number is exposed you can have payments taken but not with retailers who validate the security code.

However like I posted above, if they're encrypted then it either means they're using crap encryption or it was stolen before it was encrypted. When you submit data to a website whilst it may be sent securely over HTTPS the web server at the other end still sees the numbers you gave and so before it encrypts into unrecognisable junk it could be manipulated and sent via an email to someone, etc.

The other possibility I suppose is actually that their payment processor has been compromised.

Given what we know now the likelihood is that they have stored full card details, despite their insistence to the contrary. No other way for this to happen, really.

My guess? They have probably got some hack web design shop to cobble their site and payment system together, and they have taken a shortcut in creating a recurring payment. Basically store the details and use them each month again. The fact that they didn't manage to take their site down properly would support this theory of a third party being behind their web implementation and them not really knowing how it works.
They use a third party, there is a link in the footer to the company.

Another concern of course is that they have payment details, but no one is mentioning logins here. If you use the same password on Boomerang as well as other places - change it.

I use a unique password and email address for Boomerang so if that starts getting spammed then I'll know for sure something is up.
 
This is what concerns me the most. People who haven't been members for years.

If the first option, and you haven't used them in two years, that means that hole has been there for at least two years.

There is just no other way that they could get your details.

I just checked my emails, I cancelled my account with them in Feb 2013, so almost exactly two years ago.
 
Even if they do sort this out I think I will switch to using a pre-paid card. Been looking around and there are actually some pretty good value options available.
 
Even if they do sort this out I think I will switch to using a pre-paid card. Been looking around and there are actually some pretty good value options available.
That's the trouble, they're the only ones left so I want to use them but I don't trust the details being there!

No point blocking the card and then putting new ones in just for it to happen again.

Either they introduce PayPal or I'll have to look at pre-paid too, what good options did you find?
 
Even though I've not been a customer for two years, and the bank has cancelled the fraudulent transaction, I've sent Boomerang an email telling them I've been hit.

I'd urge others to do the same, so they have an idea of the scale of the problem. The statements they've released so far seem to imply that the issue isn't at their end, but the evidence here and on other sites suggests otherwise.
 
Even though I've not been a customer for two years, and the bank has cancelled the fraudulent transaction, I've sent Boomerang an email telling them I've been hit.

I'd urge others to do the same, so they have an idea of the scale of the problem. The statements they've released so far seem to imply that the issue isn't at their end, but the evidence here and on other sites suggests otherwise.
I think they know it is them now, they wouldn't have taken the homepage down otherwise.
 
Given what we know now the likelihood is that they have stored full card details, despite their insistence to the contrary. No other way for this to happen, really.

My guess? They have probably got some hack web design shop to cobble their site and payment system together, and they have taken a shortcut in creating a recurring payment. Basically store the details and use them each month again. The fact that they didn't manage to take their site down properly would support this theory of a third party being behind their web implementation and them not really knowing how it works.

Well they've said they have your full card number stored - encrypted. But they don't have the 3 digit security code, and also if you are enrolled in Verified by Visa or MasterCard SecureCode then the retailer never sees this so they won't have that either.

However, the 3 digit security code is not required to process a transaction, only the card number is. The security code, and Verified by Visa steps are designed such that it helps to protect the retailer.

No one is allowed to store the security code, so if hacks happen and your card number is exposed you can have payments taken but not with retailers who validate the security code.

However like I posted above, if they're encrypted then it either means they're using crap encryption or it was stolen before it was encrypted. When you submit data to a website whilst it may be sent securely over HTTPS the web server at the other end still sees the numbers you gave and so before it encrypts into unrecognisable junk it could be manipulated and sent via an email to someone, etc.

The other possibility I suppose is actually that their payment processor has been compromised.

They use a third party, there is a link in the footer to the company.

Another concern of course is that they have payment details, but no one is mentioning logins here. If you use the same password on Boomerang as well as other places - change it.

I use a unique password and email address for Boomerang so if that starts getting spammed then I'll know for sure something is up.

Thanks both. Boomerang probably shouldn't have immediately come out with the response they did. If it turns out it is on them (even via a lax third party) that will piss victims off more than anything.
 
Yeah good idea, everybody frauded should drop them an email so that they understand the extent of this. I did send one too.

The number of online reports has blown up since the 30 customers figure. Just looking at this thread - it must represent a tiny fraction of their subscriber base, but we have several affected here. From that you can extrapolate that the actual number is way, way higher.
 
Maybe we should see how they handle this before praising their "fantastic service."

If it's true that they're responsible for this, and the evidence is piling up, then they're going to need to accept that rather than continuing to issue flat out denials while insisting that it's impossible it could be anything to do with them.

Agreed, but I've been a member of Boomerang since 2009, and their rental service is fantastic.
 
Yep, just seen this thread, checked my account, 2 fraudulent transactions of £20 to William Hill Online (betting site)

I've canceled my card and emailed Boomerang. I'll have to phone the bank tomorrow to get that £40 back.
 
It really isn't.

It's piss poor, but it's the only service left. Lovefilm wiped the floor with Boomerang.
Not in my experience.

I never used to get much on release day with LOVEFiLM. With Boomerang the only time I don't get it on release day is if there is a blue moon.

They went to shit when Blockbuster collapsed and LOVEFiLM stopped games but they've recovered now.

And if you don't have anything out you get points whilst you're waiting. With LOVEFiLM it is just money pissed away.
 
I can't see any fraudulent charges, but I'm tempted to cancel anyway?

And if you don't have anything out you get points whilst you're waiting. With LOVEFiLM it is just money pissed away.

Which is fortunate, because I usually have to wait at least a week for a new title to be dispatched. If they weren't the only choice, I'd drop them in a heartbeat.
 
I can't see any fraudulent charges, but I'm tempted to cancel anyway?

Which is fortunate, because I usually have to wait at least a week for a new title to be dispatched. If they weren't the only choice, I'd drop them in a heartbeat.
Up to you. I think it would be safe to say if the hackers have one card they have them all.

When I asked the bank if I should be proactive and cancel the card they didn't really advise me to do that, more just check statements. They'll cover you regardless of course.

When do you send titles back in anticipation of getting a new release, and what package are you on?
 
Up to you. I think it would be safe to say if the hackers have one card they have them all.

When I asked the bank if I should be proactive and cancel the card they didn't really advise me to do that, more just check statements. They'll cover you regardless of course.

When do you send titles back in anticipation of getting a new release, and what package are you on?

I'll ring the bank and see what they say, I guess.

I get titles post-release. I'm not sending them back a week early and crossing my fingers that I'll get lucky.
 
I'll ring the bank and see what they say, I guess.

I get titles post-release. I'm not sending them back a week early and crossing my fingers that I'll get lucky.
You need to send back a game early because otherwise you're not going to be top of the waiting list as other people have been waiting in line longer than you.

It doesn't need to be a week, but it'll vary on your package. I'm on the Unlimited package, or whatever the one down from the highest is and I always make sure I have a free slot for 3 days ahead of release and it very rarely lets me down, and I get points for those 3 days.

I'd rather wait 3 days prior to release, get the game on release day than wait a week after release when people start sending their discs back after completing the game.
 
Yep, also got hit!!

Two payments for £30 O2 top-up.

Phoned bank and they confirmed fraud activity and cancelled the card and pending transactions.
 
Yep. I've been had. 80 quid Amazon transaction. The good thing is that I'm currently backpacking my way through Vietnam so I can't cancel my cards and still have to use them. Also I can't get into my online banking from here. This couldn't have come at a better time really.
 
Yep. I've been had. 80 quid Amazon transaction. The good thing is that I'm currently backpacking my way through Vietnam so I can't cancel my cards and still have to use them. Also I can't get into my online banking from here. This couldn't have come at a better time really.

Get a phone and phone them. Stop doing everything else. In cases of fraud you have to tell them, otherwise your account will get gutted and the bank won't be liable.

As for Boomerang, they might well have PCI compliance, but they didn't have/follow an incident response plan, which invalidates PCI certification. They may also claim not to store the CVV numbers, but if your network has been breached you can store them (as an attacker) when the payment is taken. Same with encryption - if you're hacked, the hacker can decrypt. Basically, they're in serious trouble as a business due to IT failures, they just don't realise it yet.
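Several posts above ask how card numbers that were "encrypted" could still be usable, and this one makes the key point: once the host is compromised, the attacker can decrypt whatever the host can. The Python below is an added example, not Boomerang's code nor its web agency's. It contrasts a merchant that keeps the full card number in a reversible form on its own server (base64 stands in for that transform; a real cipher whose key sits in the web app's config looks the same to someone who has dumped the server) with a merchant that keeps only a processor token and the last four digits and still takes recurring payments. The `Processor` class, the merchant ids and the customer names are invented; the card numbers are the public Visa and Mastercard test numbers. The tokenised design still lets the merchant's server see the number once at sign-up, so it addresses what a database dump exposes, not the "captured before it was encrypted" scenario raised earlier.

```python
"""Reversible on-host card storage versus processor tokenisation (added example).

Not Boomerang's code. Processor, merchant ids and customers are invented;
card numbers are the public Visa (4111...) and Mastercard (5555...) test numbers.
"""
import base64
import secrets


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check: catches typos, says nothing about whether a card is live."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form that keeps only the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


class LegacyStore:
    """Merchant keeps the full number in a reversible form on its own server.
    base64 stands in for that transform; a real cipher with its key in the web
    app's config is no different once the server itself has been dumped."""

    def __init__(self):
        self.rows = {}  # customer -> stored card field

    def enrol(self, customer: str, pan: str, cvv: str) -> None:
        assert luhn_valid(pan)
        # cvv is used for the first authorisation only and is never written anywhere
        self.rows[customer] = base64.b64encode(pan.encode()).decode()

    def recurring_charge(self, customer: str, pence: int):
        pan = base64.b64decode(self.rows[customer]).decode()
        return ("charged", pence, mask_pan(pan))


class Processor:
    """Invented stand-in for a payment processor's card vault."""

    def __init__(self):
        self.vault = {}  # token -> (merchant_id, pan)

    def tokenize(self, merchant_id: str, pan: str, cvv: str) -> str:
        # The processor sees the CVV for the initial authorisation; the token it
        # returns is bound to this merchant and useless to anyone else.
        token = "tok_" + secrets.token_hex(8)
        self.vault[token] = (merchant_id, pan)
        return token

    def charge(self, merchant_id: str, token: str, pence: int):
        owner, pan = self.vault[token]
        if owner != merchant_id:
            raise PermissionError("token is not usable by this merchant")
        return ("charged", pence, mask_pan(pan))


class TokenizedStore:
    """Merchant keeps a processor token plus the last four digits: no PAN at rest."""

    def __init__(self, processor: Processor, merchant_id: str):
        self.processor = processor
        self.merchant_id = merchant_id
        self.rows = {}  # customer -> {"token": ..., "last4": ...}

    def enrol(self, customer: str, pan: str, cvv: str) -> None:
        assert luhn_valid(pan)
        token = self.processor.tokenize(self.merchant_id, pan, cvv)
        self.rows[customer] = {"token": token, "last4": pan[-4:]}

    def recurring_charge(self, customer: str, pence: int):
        return self.processor.charge(self.merchant_id, self.rows[customer]["token"], pence)


def pans_exposed_by_dump(store) -> int:
    """Audit view: how many full card numbers the merchant's stored rows alone yield,
    which is exactly what a copy of the database contains."""
    exposed = 0
    for row in store.rows.values():
        if not isinstance(row, str):
            continue  # tokenised rows hold no reversible card field
        try:
            candidate = base64.b64decode(row, validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            continue
        if candidate.isdigit() and luhn_valid(candidate):
            exposed += 1
    return exposed


def token_usable_by_other_merchant(processor: Processor, token: str) -> bool:
    """A token copied from one merchant's database cannot be spent at another."""
    try:
        processor.charge("some-other-shop", token, 100)
    except PermissionError:
        return False
    return True
```

Both stores can take next month's subscription payment, but a dump of `LegacyStore` gives up every card number while a dump of `TokenizedStore` gives up tokens that only work for the merchant's own processor account plus four digits that the bank prints on the statement anyway. This is the usual reason PCI scope shrinks dramatically once the PAN never rests on the merchant's side.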
 
Get a phone and phone them. Stop doing everything else. In cases of fraud you have to tell them, otherwise your account will get gutted and the bank won't be liable.

As for Boomerang, they might well have PCI compliance, but they didn't have/follow an incident response plan, which invalidates PCI certification. They may also claim not to store the CVV numbers, but if your network has been breached you can store them (as an attacker) when the payment is taken. Same with encryption - if you're hacked, the hacker can decrypt. Basically, they're in serious trouble as a business due to IT failures, they just don't realise it yet.
"And what, Sir, was your incident plan?"
"Erm, to shit ourselves. Here look I even wrote it down."

As I've posted above, that people have not been members for a long time suggests to me that details have not been gained by way of syphoning off details as they were updated/used. If that is how it has occurred then it has been going on for years, and a hacker wouldn't wait two years and then use the card; they'd use it as quickly as possible.

That says to me the encryption is shit or non-existent.

"And what encryption methods did you use?"
"Base64. At first we thought about just adding 1 to the number but then we stuck with base64."
 
26 confirmed hits in this thread so far from Boomerang Rentals members.

And we are barely even through Page 2, only a couple of days in. I don't think we had as many affected gaffers as quick when the EA/Fifa or Sony breaches happened. This is bigger.
 
So I just had another look at my transactions and it's showing a few hits of £0.00 for the Apple Store, so I have gone ahead and cancelled my card to be on the safe side.
 
So I just had another look at my transactions and it's showing a few hits of £0.00 for the Apple Store, so I have gone ahead and cancelled my card to be on the safe side.

You've been hit. Mine had those as a forerunner to real charges. Wise move on cancelling.
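The £0.00 entries described here are a recognisable pattern: a zero-value authorisation that checks a card is still live, followed by real charges once it is. As an added example (not from any poster here and not Boomerang's), the Python below runs that check over a few constructed statement lines; the card suffixes, merchants, amounts and timestamps are made up. A zero-amount authorisation on its own is not evidence of fraud, since Apple and others do them legitimately when a card is added, so the rule only fires when a non-zero charge at a different merchant follows within the window.

```python
"""Flag the 'zero-amount probe, then real charges' pattern in card statement data.

Added example; every line in SAMPLE_STATEMENT is constructed, not real.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal

# Constructed sample: card_last4|timestamp|merchant|amount_gbp
SAMPLE_STATEMENT = """\
1111|2015-02-06 09:15|APPLE STORE|0.00
1111|2015-02-06 09:16|APPLE STORE|0.00
1111|2015-02-07 21:40|WILLIAM HILL ONLINE|20.00
1111|2015-02-07 21:41|WILLIAM HILL ONLINE|20.00
4444|2015-02-05 12:00|TESCO STORES|43.17
4444|2015-02-06 18:30|BOOMERANG RENTALS|11.99
9999|2015-02-07 10:00|APPLE STORE|0.00
"""


@dataclass(frozen=True)
class Txn:
    card: str
    ts: datetime
    merchant: str
    amount: Decimal


def parse_statement(text: str) -> list:
    """Parse the pipe-separated lines; amounts are kept as Decimal, never float."""
    txns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        card, ts, merchant, amount = line.split("|")
        txns.append(Txn(card, datetime.strptime(ts, "%Y-%m-%d %H:%M"),
                        merchant, Decimal(amount)))
    return txns


def find_card_testing(txns, window_hours: int = 72) -> dict:
    """Per card: a zero-amount authorisation followed within `window_hours` by a
    non-zero charge at a *different* merchant. Returns {card_last4: details}.
    A lone zero-amount authorisation (card 9999 in the sample) is not flagged."""
    window = timedelta(hours=window_hours)
    by_card = defaultdict(list)
    for t in txns:
        by_card[t.card].append(t)

    alerts = {}
    for card, rows in by_card.items():
        rows.sort(key=lambda t: t.ts)
        for probe in (r for r in rows if r.amount == 0):
            follow_ups = [
                r for r in rows
                if r.amount > 0 and r.merchant != probe.merchant
                and probe.ts < r.ts <= probe.ts + window
            ]
            if follow_ups:
                alerts[card] = {
                    "probe_at": probe.ts.isoformat(timespec="minutes"),
                    "probe_merchant": probe.merchant,
                    "charges": [(r.merchant, f"{r.amount:.2f}") for r in follow_ups],
                    "total": f"{sum(r.amount for r in follow_ups):.2f}",
                }
                break  # one alert per card is enough
    return alerts


if __name__ == "__main__":
    for card, info in find_card_testing(parse_statement(SAMPLE_STATEMENT)).items():
        print(f"card ending {card}: probe at {info['probe_at']} ({info['probe_merchant']}), "
              f"then {len(info['charges'])} charge(s) totalling £{info['total']}")
```

Run as-is it reports only card 1111: two Apple Store probes, then two £20 betting-site charges the next evening, which is the sequence the poster above saw on their own statement. Tightening the window to 24 hours drops the alert, so the window is the knob to tune against a bank's own data rather than a fixed truth.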
 
Just had a call from bank about unauthorised transaction (around £800) but nothing went through. I recently cancelled my subscription, gonna email Boomerang later today.
 
My bro got hit last night as well. My account seems fine, but I'm poor and there is zero cash in there currently with no overdraft. I'm still gonna cancel my card.
 
This is what I'm thinking too.
The few years I used LoveFilm was amazing for me and the amount of games I played.
I was hoping Boomerang would take their place.

But if they just try and brush this under the carpet, I won't be so keen to sign up.

The thing is, surely the police fraud teams will get involved and they can't lie about something like this... or at least, that's what I assume? It sounds like they're doing everything right in terms of security, but if they're the source of the leak surely they would have to declare it?
 