Fraud will never stop

How many hundreds of thousands took out a Lyca sim through many referral sites to take advantage of a good deal promoted all over the web?

It will be typical for people to be with Lyca.

That minority on the internet are also making assumptions; we don’t have data on people who’ve just instead had fraud attempts who haven’t been in with Lyca :eyes:

Here’s my logic, there has to be something in common between the users being affected here and on ISPReview

Clearly, it is the same group of people attempting fraud against me and those users, because they are attempting to purchase at completely unheard of merchants at the same time

So what else is the common value? It’s not just Virtual Cards, a few posters have been with LBG or HSBC as well

Since the card was only used at Lyca I assumed it was them and made the thread, during which a lot of people who were Lyca users responded showing screenshots of attempts at the same merchants. People who had deleted their card from Lyca or requested an account deletion were not affected, suggesting to me that a live copy of Lyca’s database had been compromised, or someone had access to MITM the script that unencrypted card details and posted them to the gateway on the subscription date - possibly meaning you wouldn’t be affected if your renewal date hadn’t come up yet

Deleted my old card in the Lyca account just for good measure and turned off auto renewal. Can’t see anywhere to close the account entirely though, do I have to contact them?

Well, it’s a hill I’m willing to die on until I’m proven otherwise.

Just to confirm, Monzo told me they presented the expiry date and CVC correctly. It’s an insanely remote possibility that they managed to randomly generate that correctly for one user, no mind 10 people that happen to be users of this forum and ISPReview…

@Carlo1460 I understand what you’re saying, but the card details didn’t come from nowhere. There was clearly a leak at some point, it wasn’t Monzo because the issue affects multiple banks, so who was it? That’s what I’m trying to answer here

Yeah I’m sure more info will come out over the next few days giving a clearer indication. Suppose at this time it is speculation

3 Likes

This is called fraud. Not Lyca fraud. It’s not specific. I guess you’ve some time to put in learning of ways fraud happens, given the time you’ve spent here and ISP over this.

Remove Lyca from the picture and go explore.

My starting point is what I did with the card, which is very limited

I copied it from the Monzo app on my iPhone to the LycaMobile website running in Safari. LycaMobile was hacked last year, and their website submits your card details directly to their backend… this is completely unnecessary and any company who cares about cybersecurity would never want to handle payment details and would redirect you to their gateway’s website or embed it in the page, where they never have to see them

So the possible breach points here are:

  • Monzo
  • My iPhone
  • LycaMobile

Picking the most likely one, I posted a thread and found other users affected with the exact same merchants. Searching social media for those merchants only brings up one result, somebody asking Lyca why their details are floating around on the web yesterday

Is my conclusion unreasonable?

1 Like

What you need to know about distributed guessing attacks – Hotspot Shield VPN.

Then there’s websites with poor design allowing multiple attempts as noted on the link above.

It’s only coding to generate card, ccv etc, and then another code to punch said data to whichever website they can gain data points from on how close they are.

Like I said, it’s coincidence, but not fact.

If my Monzo Grocery virtual card happens to have fraud attempts, do I go screaming at Coop for being compromised? :man_shrugging:t3:

The only people who have made posts about these merchants trying to charge their card are Lyca users

If CoOp had been breached less than a year ago, I would imagine they would be your top suspect

On the ISPReview forums and here, nobody has replied stating they were charged who wasn’t a LycaMobile user. If someone who never used their card with Lyca had these charges, that would settle it, but everyone who has is a Lyca user.

That might be more likely on ISPReview but not so much here

2 Likes

@Carlo1460 While the idea of the bad actor generating cards randomly is plausible, it’s very unlikely because they are using Stripe or Stripe via Shopify to process these payments

Stripe has taken a lot of steps to prevent mass card testing, I’ve seen it in action many times. When I messed up a script on a website using Stripe, my client’s account was terminated after 100 payment attempts in quick succession.

I’m being generous saying the chance of generating a correct random card is 1/1,000,000, but for the bad actor to be able to test this card on a single Stripe account or against a single merchant, and for even two users on this forum no mind 4 to have a payment attempt against said account… it’s just such an incredibly remote possibility.

The World Market Ecomm merchant was seen by 4 different users, if the rate of a correct card was even 1 in 100,000 it would take at least 300,000 random card payment attempts to get the result of 4 users posting about that merchant. What’s the chance those are also Monzo forum users?

Used to see many things at Barclays, same merchant consecutively, over similar time periods.

Customers hadn’t all shopped the same place.

Maybe my experience lets me keep an open mind until presented with facts.

1 Like

I agree and I appreciate your perspective as well

If we were seeing people saying they had the charges without using Lyca, I’d be assuming it wasn’t them who were breached

But everyone who’s seeing these charges on here and ISPR are/were Lyca users at some point, that’s pretty much my only point

Even outside of these platforms, the only people affected are Lyca users. The ISPR forums will be a biased source because of the nature of the user base, but the Monzo forum is a wide net and it still happens the only people who were affected on here are users of Lyca

Update actually, I was wrong, Monzo support confirmed they didn’t have the CVC, only number and expiry

Lyca say publicly on their website, they only hold your encrypted full card number and expiry date

Monzo told me they only presented the number and expiry date

All that’s needed is card and expiry generally. Makes it easier to generate and websites that don’t require CVV make great easy targets for checking if card details are genuine.

CVV is only an additional security process, not a requirement for payment.

Virtual cards do have CVV, I just entered mine to Xbox.

2 Likes

I know, I think he misspoke and meant they didn’t present it to make the payment… I was inferring above that Lyca say they don’t store the CVC and Monzo say they didn’t use the CVC
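
The disagreement running through this thread is a manual common-point-of-purchase analysis: one side looks for the merchant shared by affected cards, the other objects that a popular merchant is shared by everyone and that no data exists for unaffected cards. The sketch below is an added example, not code from any poster or company named here; the card ids, merchant names and histories are all constructed. It ranks merchants by how over-represented they are among compromised cards relative to a clean control group, and shows that the ranking cannot separate candidates when only victim reports are available.

```python
# Common-point-of-purchase (CPP) ranking over constructed card histories.
# All card ids and merchant names below are made up for illustration.

HISTORIES = {
    "card01": {"supermarket_X", "telco_Y"},
    "card02": {"supermarket_X", "telco_Y", "streaming_Z"},
    "card03": {"supermarket_X", "telco_Y"},
    "card04": {"supermarket_X", "telco_Y", "streaming_Z"},
    "card05": {"supermarket_X", "streaming_Z"},
    "card06": {"supermarket_X"},
    "card07": {"supermarket_X", "telco_Y"},
    "card08": {"supermarket_X", "streaming_Z"},
    "card09": {"supermarket_X"},
    "card10": {"supermarket_X", "streaming_Z"},
}
COMPROMISED = {"card01", "card02", "card03", "card04"}


def cpp_rank(histories, compromised):
    """Return [(merchant, coverage, lift)] sorted by lift, highest first.

    coverage = share of compromised cards that used the merchant
    lift     = coverage / smoothed share of clean cards that used it
    With no clean cards the baseline is a flat 0.5 for every merchant,
    so lift carries no more information than coverage alone.
    """
    bad = [h for c, h in histories.items() if c in compromised]
    clean = [h for c, h in histories.items() if c not in compromised]
    rows = []
    for m in set().union(*histories.values()):
        a = sum(m in h for h in bad)
        b = sum(m in h for h in clean)
        coverage = a / len(bad)
        baseline = (b + 0.5) / (len(clean) + 1)  # additive smoothing
        rows.append((m, coverage, round(coverage / baseline, 2)))
    return sorted(rows, key=lambda r: (-r[2], r[0]))


if __name__ == "__main__":
    print("with control group:")
    for row in cpp_rank(HISTORIES, COMPROMISED):
        print("  ", row)
    victims_only = {c: HISTORIES[c] for c in COMPROMISED}
    print("victim reports only:")
    for row in cpp_rank(victims_only, COMPROMISED):
        print("  ", row)
```
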