UK Gaf: Boomerang rentals (possibly) hacked.

The Reddit thread is getting fuller and fuller with folks having been hit.

Check your accounts UK GAF!
 
I'm fortunate enough not to have signed up to Boomerang yet, but I was planning to soon.
Guess I got lucky.
 
I got a text off my bank asking for authorisation for an O2 top up, I cancelled my card but I was wondering how that could have happened, cheeky bastards.
 
Fraudsters tried the incremental phone top-up method on my brother's account and he uses that with Boomerang too! Thankfully Barclays put a stop to it after the second or third attempt.

Do Boomerang accept payment via PayPal?
 
Thanks for the heads up. Luckily for me, it looks like I removed my card info when I stopped using it about 1 year ago.

Really need to remove my card info from all my online accounts.
 
On Behalf of Boomerang
We take security of card details very seriously and we are compliant to the latest PCI compliance standards.
The payment card details that we store are all encrypted; even employees cannot see a customer's full card number. We do not accept card details over the phone.
Furthermore, we don't store all the card details on our systems. For example we don't store the 3 digit security code or the bank security code i.e. Verified by Visa or MasterCard Secure.
All this means it is very unlikely someone could retrieve your card details and, as we mentioned in our individual replies, even if they could break the encryption, we physically don't store all the details a fraudster would need to make a purchase from a legitimate site with reasonable security measures.
The O2/Vodafone fraud problem has been ongoing for a number of years, it would seem. While we aren't able to comment on these companies' fraud prevention methods, it seems unlikely that they would accept purchases without at least the 3 digit security number being provided at the time of purchase.
In fact, they would be required to ask for the 3 digit number and verified by Visa/Mastercard Secure, to maintain the required level of payment card security.
As to the source of the fraud, there are many ways fraudsters can obtain an individual's card details and so it is more likely that your card details were obtained via other means.
Please contact us directly if you would like further information.
Direct quote from someone at Boomerang. Not exactly inspiring given that it is clearly obvious this isn't just a coincidence and that many Boomerang customers are being hit as a result of this.
 
Not that I'm going to sign up now, but out of curiosity, is the service any good? I'd heard a mix of good and bad, was planning to make a decision based on the free trial.
 
I tried the free trial a while ago, would that have required me putting payment details in? I can't see any payment details on my account so I'm not sure if I removed them or just didn't need them.
 
Not that I'm going to sign up now, but out of curiosity, is the service any good? I'd heard a mix of good and bad, was planning to make a decision based on the free trial.

I like them. Service was good but I'll be cancelling now to be honest. I need to return my current game and pay for a few days but I'm reluctant to pay via card. Which is awkward as they have no other means.
 
Weird, I just had to cancel my 'spare' credit card due to someone hitting it for about £4k's worth of stuff (most got blocked, some stuff didn't). Just assumed it was one of those things, but the timing is uncanny and I definitely signed up to Boomerang Rentals last year to rent Borderlands 2 using that card...
 
Hm, doesn't look like I've been touched yet after going through my recent transactions.

Will keep a close eye on it though, thanks for the heads up.
 
Never used it, sucks that they got hacked. Shame they are trying to cover it up, it seems clear to me that they're the cause of it... too much of a coincidence to not be.

What are the hackers even doing with mobile top ups? I don't get it? Do they have their own app with micro transactions and buying them using the top ups to safely transfer the money to themselves? Not even sure if that's possible with phone credit but I can't think of anything else.
 
Was a previous customer of theirs and had 220 taken from my account last weekend with another 420 attempted which the bank stopped. Wondered where my details had been taken from.

Thankfully I've had everything refunded now
 
Thanks for heads up, will check now :(

Looks like I'm OK, thankfully...

Was a previous customer of theirs and had 220 taken from my account last weekend with another 420 attempted which the bank stopped. Wondered where my details had been taken from.

Thankfully I've had everything refunded now
How long ago were you a customer? My card expired 2 months ago, so maybe they had old details, if they got you and you aren't a current customer hence I haven't been hit.

Never used it, sucks that they got hacked. Shame they are trying to cover it up, it seems clear to me that they're the cause of it... too much of a coincidence to not be.

What are the hackers even doing with mobile top ups? I don't get it? Do they have their own app with micro transactions and buying them using the top ups to safely transfer the money to themselves? Not even sure if that's possible with phone credit but I can't think of anything else.
You never know really. You could probably find many other companies that everyone who was affected have also used. Tesco, Amazon, McDonalds. Just pick any big company and you could probably work a connection there as well if you wanted to.

But they're all big, massive companies. Boomerang isn't, so you'd have to say that increases the likelihood of it being the source. However if they're saying they're storing encrypted details and not storing security codes then I believe them. It is required that you do that.

But that doesn't mean they're in the clear. They could be storing it all like that, but what if someone has added code to the page where you enter your card details that just before it turns your input into encrypted form it pings off a quick email to the employee doing an inside job or hacker that added some code there?

However what is curious is that people are giving examples where their details have been used on websites that I know for a fact use Verified by Visa and MasterCard SecureCode and as far as I know this information is never shared in any way shape or form with retailers. So in other words to successfully put an online transaction through with card details obtained from Boomerang they'd still need to know what your Verified by Visa and SecureCode passwords are. Unless their bank hasn't enrolled them in that. In which case - get enrolled.

As for top ups, it could be because they're quick and easy to test if the card is valid. They're low value and chances are you have a mobile that uses one of those networks so the bank might not think anything of the transaction.
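
The card-testing pattern described in this thread (incremental top-ups, or a tiny charge ahead of a large purchase), sketched as issuer-side detection logic. This is an added example, not part of any post; the thresholds, record layout and sample transactions are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds for illustration; a real issuer would tune these.
PROBE_MAX = 1.00                      # GBP: "is this card live?" charge
LARGE_MIN = 100.00                    # GBP: purchase worth flagging after a probe
FOLLOW_WINDOW = timedelta(hours=48)   # probe -> large purchase gap
RUN_WINDOW = timedelta(minutes=30)    # window for an incremental run
RUN_LENGTH = 3                        # rising charges at one merchant

# Constructed sample data: (card, ISO time, merchant, amount in GBP).
SAMPLE = [
    ("card-A", "2014-01-09T10:00", "O2 TOP UP", 10.00),
    ("card-A", "2014-01-09T10:05", "O2 TOP UP", 15.00),
    ("card-A", "2014-01-09T10:11", "O2 TOP UP", 20.00),
    ("card-B", "2014-01-09T09:00", "MOBILE CO", 0.01),
    ("card-B", "2014-01-10T14:30", "WESTERN UNION", 400.00),
    ("card-C", "2014-01-09T12:00", "O2 TOP UP", 10.00),
    ("card-C", "2014-01-20T18:00", "SUPERMARKET", 54.20),
]

def detect_card_testing(transactions):
    """Return {card: [reasons]} for cards showing a card-testing pattern."""
    by_card = defaultdict(list)
    for card, ts, merchant, amount in transactions:
        by_card[card].append((datetime.fromisoformat(ts), merchant, amount))
    alerts = {}
    for card, txs in by_card.items():
        txs.sort()
        reasons = set()
        for i, (t0, m0, a0) in enumerate(txs):
            later = txs[i + 1:]
            # Rule 1: tiny probe charge followed soon by a large purchase.
            if a0 <= PROBE_MAX and any(
                a >= LARGE_MIN and t - t0 <= FOLLOW_WINDOW for t, _, a in later
            ):
                reasons.add("probe-then-spend")
            # Rule 2: rising amounts at the same merchant in a short window.
            run = [a0]
            for t, m, a in later:
                if m == m0 and t - t0 <= RUN_WINDOW and a > run[-1]:
                    run.append(a)
            if len(run) >= RUN_LENGTH:
                reasons.add("incremental-run")
        if reasons:
            alerts[card] = sorted(reasons)
    return alerts
```

A single ordinary top-up (card-C in the sample) raises nothing; only the rising run and the probe followed by a large charge are flagged.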
 
Update from Boomerang @ Reddit

An Update On behalf of Boomerang

At this moment in time, we believe there are approximately 30 people who have stated that they have had fraudulent transaction attempts against their card and either are or have been a member of our service.

It has been mentioned, that a bank has stated that we are the source of the data breach. We can confirm that at this stage no banks or card issuers have contacted us with any concerns, neither have the police, and so far there is no evidence that points to a Boomerang data breach.

As previously stated, we take payment card security very seriously and our initial investigation confirms that the card details that we store have been and continue to be encrypted. In addition, as previously stated, we do not store the 3 digit security number or the bank security code (customers are redirected to their bank's page for this part of the process).

There are potentially, other possible sources for this issue, however, as a responsible retailer, we are currently conducting a full investigation, which may take several days.

We will update this thread as the investigation progresses.

We would ask that those people who have posted their concerns, please contact us directly so that we can investigate their specific account - customersupport@boomerangrentals.co.uk

Thank you.
 
I'm with Boomerang, just checked my account and so far nothing out of the ordinary appears to be there. I'll definitely keep an eye on it though, thanks for the heads up.
 
Thanks for the heads up on this. Just checked my recent transactions and thankfully I haven't been hit. I will be keeping a close eye on things though.
 
I alerted my two friends who use Boomerang, one of whom has been taken for £400. Currently on the phone to his bank.
The other ain't checked yet.

For me, the card I had against my account expired last month, so hopefully that saves me from any issues, obviously that's if it's a case of bank details being stolen rather than just passwords.
 
I am a member, but no obvious charges against my account. It's a shame, because I find their service really good.
I don't know if this saved me, but I broke my card just before Christmas and got a replacement just before the new year. But Boomerang have taken a payment yesterday.
 
Had an account with them over a year ago to make a one-off purchase. Read this thread, checked my account and there were 7 transactions each £32 used on Amazon on the 9th Jan

Card cancelled, will get my money back.
 
It seems very suspicious that everyone's a Boomerang member who's had the money taken.

That being said, there are a lot of services that are popular with Boomerang's 'target audience', so it could just be a large coincidence.

Either way, thanks for bringing it to my attention. Who knows how long it would have been before I noticed.
 
I got hit yesterday, 5 transactions for Groupon and one for Zavvi, totalling just over £1000. Then I see this today, I'm a member of Boomerang. Coincidence?
 
I cancelled my membership or subscription back in 2012, I think. Can't remember if my card details are still on there though and I've lost access to the email I originally signed up with so I can't double check.

Oh well, guess I'll just have to keep an extra careful eye out.
 
What are the hackers even doing with mobile top ups? I don't get it? Do they have their own app with micro transactions and buying them using the top ups to safely transfer the money to themselves? Not even sure if that's possible with phone credit but I can't think of anything else.


The top ups aren't what is important, it's a common low cost transaction (for example, if you saw an O2 Top Up on your statement you may think you just went over your contract or it may just be regular money coming out) and it can also check if a card is valid and it won't bounce.
 
Mobile top ups are a way they check card numbers are valid before selling on the numbers as active accounts.

----------

Another confirmed Boomerang customer here, hit for £40 in top ups. Rang the bank and cancelled the card. Could have been worse.

I hope the company survives, it is the last decent rental company left - if they continue to claim it wasn't on their end though I will be reluctant to add new card details when I am up for renewal next month. Too many hits to be a coincidence.
 
I hope the company survives, it is the last decent rental company left - if they continue to claim it wasn't on their end though I will be reluctant to add new card details when I am up for renewal next month. Too many hits to be a coincidence.

This is what I'm thinking too.
The few years I used LoveFilm was amazing for me and the amount of games I played.
I was hoping Boomerang would take their place.

But if they just try and brush this under the carpet, I won't be so keen to sign up.
 
Yep, this happened to me today, I used to be a Boomerang customer. My bank just contacted me to alert me that my card details were used to do big online purchases from a luxury store, a sports retailer and a fashion retailer. Card canceled, refunded and fraud reported to police. Some chav will be fucked. I am early in the alphabets, so they might be simply working down the list of cards they have.
 
I currently subscribe to Boomerang and have just had 1p taken from my bank account for some mobile phone company, cancelled my card as a result. The bank said they may have been testing the card ahead of a big purchase another time.
 
Add another name to the list of those with compromised details; just had to cancel my card due to an almost £400 payment made today to Western Union which most certainly was not me...
 
Shit... I'll check now.

Fuck, can't, site is down. Canceled my sub a while back but I can't remember if I removed the card deets.
 
I would just like to say I hope this doesn't have a major negative effect on them.

Their service is fantastic and while this is concerning let's not get the pitchforks and torches out.
 