How many hundreds of thousands took out a Lyca sim through many referral sites to take advantage of a good deal promoted all over the web?
It will be typical for people to be with Lyca.
Those minority on the internet are also making assumptions, we don’t have data of people who’ve just instead had fraud attempts who haven’t been in with Lyca
Here’s my logic, there has to be something in common between the users being affected here and on ISPReview
Clearly, it is the same group of people attempting fraud against me and those users, because they are attempting to purchase at completely unheard of merchants at the same time
So what else is the common value? It’s not just Virtual Cards, a few posters have been with LBG or HSBC aswell
Since the card was only used at Lyca I assumed it was them and made the thread, during which a lot of people who were Lyca users responded showing screenshots of attempts at the same merchants. People who had deleted their card from Lyca or requested an account deletion were not affected, suggesting to me that a live copy of Lycas database had been compromised, or someone had access to MITM the script that unencrypted card details and posted them to the gateway on the subscription date - possibly meaning you wouldn’t be affected if your renewal date hadn’t come up yet
Deleted my old card in the Lyca account just for good measure and turned off auto renewal. Can’t see anywhere to close the account entirely though, do I have to contact them ?
Just to confirm, Monzo told me they presented the expiry date and CVC correctly. It’s an insanely remote possibility that they managed to randomly generate that correctly for one user, no mind 10 people that happen to be users of this forum and ISPReview…
@Carlo1460 i understand what you’re saying, but the card details didn’t come from nowhere. There was clearly a leak at some point, it wasn’t Monzo because the issue affects multiple banks, so who was it? That’s what im trying to answer here
This is called fraud. Not Lyca fraud. It’s not specific. I guess you’ve some time to put in learning of ways fraud happens, given the time you’ve spent here and ISP over this.
My starting point is what I did with the card, which is very limited
I copied it from the Monzo app on my iPhone to the LycaMobile website running in Safari. LycaMobile was hacked last year, and their website submits your card details directly to their backend… this is completely unnecessary and any company who cares about cybersecurity would never want to handle payment details and would redirect you to their gateways website or embed it in the page, where they never have to see them
So the possible breach points here are:
Monzo
My iPhone
LycaMobile
Picking the most likely one, I posted a thread and found other users affected with the exact same merchants. Searching social media for those merchants only brings up one result, somebody asking Lyca why their details are floating around on the web yesterday
Then there’s websites with poor design allowing multiple attempts as noted on the link above.
It’s only coding to generate card, ccv etc, and then another code to punch said data to whichever website they can gain data points from on how close they are.
Like I said, it’s coincidence, but not fact.
If my Monzo Grocery virtual card happens to have fraud attempts, do I go screaming at Coop for being compromised?
The only people who have made posts about these merchants trying to charge their card are Lyca users
If CoOp had been breached less than a year ago, I would imagine they would be your top suspect
On the ISPReview forums and here, nobody has replied stating they were charged who wasn’t a LycaMobile user. If someone who never used their card with Lyca had these charges, that would settle it, but everyone who has are a Lyca user.
That might be more likely on ISPReview but not so much here
@Carlo1460 While the idea of the bad actor generating cards randomly is plausible, it’s very unlikely because they are using Stripe or Stripe via Shopify to process these payments
Stripe has taken a lot of steps to prevent mass card testing, I’ve seen it in action many times. When I messed up a script on a website using stripe, my clients account was terminated after 100 payment attempts in quick succession.
I’m being generous saying the change of generating a correct random card is 1/1,000,000, but for the bad actor to be able to test this card on a single Stripe account or against a single merchant, and for even two users on this forum no mind 4 to have a payment attempt against said account… it’s just such an incredibly remote possibility.
The World Market Ecomm merchant was seem by 4 different users, if the rate of a correct card was even 1 in 100,000 it would take atleast 300,000 random card payment attempts to get the result of 4 users posting about that merchant. What’s the chance those are also Monzo forum users?
If we were seeing people saying they had the charges without using Lyca, id be assuming it wasn’t them who were breached
But everyone who’s seeing these charges on here and ISPR are/were Lyca users at some point, that’s pretty much my only point
Even outside of these platforms, the only people affected are Lyca users. The ISPR forums will be a biased source because of the nature of the user base, but the Monzo forum is a wide net and it still happens the only people who were affected on here are users of Lyca
All that’s needed is card and expiry generally. Makes it easier to generate and websites that don’t require CVV make great easy targets for checking if card details are genuine.
CVV is only an additional security process, not a requirement for payment.
Virtual cards do have CVV, I just entered mine to Xbox.
I know, I think he misspoke and meant they didn’t present it to make the payment… I was inferring above that Lyca say they don’t store the CVC and monzo say they didn’t use the CVC