Hackers broke into British Airways through its website and app and stole data from thousands of customers.
But how was it possible?
Hackers hacked into British Airways:
BA has not disclosed any technical details about the breach, but cyber-security experts have some suggestions about possible methods. The attackers stole names, e-mail addresses, and credit card details, including card numbers, expiration dates, and three-digit CVV codes.
At first glance, the firm’s statement does not give any details about the break-in, but by “reading between the lines” one can draw conclusions about possible attack routes, says cybersecurity expert Professor Alan Woodward of the University of Surrey.
Take BA's specification of the exact times and dates between which the attack took place: 22:58 BST, August 21, 2018, to 21:45 BST, September 5, 2018, inclusive.
“They very carefully worded this statement to say that anyone who made a card payment between these two dates is at risk,” says Professor Woodward.
“It looks very much as though the details were hacked at the entry point. Someone managed to get a script onto the website.”
This means that when customers entered their credit card information, a piece of malicious code on the BA website or app could covertly capture this data and send it to someone else.
Professor Woodward points out that this is a growing problem for websites that embed code from third-party vendors. This is called a supply chain attack.
Third parties may supply code to run payment authorization, display advertising, or let users log in to external services, for example.
A recent attack on Ticketmaster:
Such an attack also affected Ticketmaster recently, after the customer service was identified as a potential cause of a breach involving up to 40,000 users from the UK.
Without further details, it is impossible to know exactly whether something like this has happened to BA.
“It could easily be an insider at the company who forged the site and app code for malicious purposes,” said Professor Woodward.
Since CVV data, the three-digit security codes on credit and debit cards, were also taken during the attack, it is likely that the details were captured live, according to Robert Pritchard, a former cybersecurity researcher at GCHQ and founder of the private company The Cyber Security Expert.
This is because companies are not meant to store CVV codes, although they can process them at the time of payment.
Thinking about the BA #hack, it's unusual that they know data was accessed during a particular timeframe (definitely not historical) – perhaps a tapping into some form of data feed between website & app, but not access to databases? #BritishAirways https://t.co/1NS84bDKcL …
— Andrew Dwyer (@andrewcdwyer) September 7, 2018
“This means that it was either a direct compromise of their booking site or a compromise of a third-party provider,” he told the BBC.
Professor Woodward added that private firms that use third-party code on their websites and applications must constantly check such products to ensure that there are no security weaknesses.
“You can put the strongest lock on the front door,” he said, “but if the builders left the stairs to the window, where do you think the robbers will go?”
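One way to carry out the constant checking of third-party code that Professor Woodward describes is to audit a payment page's script tags against pinned Subresource Integrity hashes. The sketch below is an added example, not BA's or any vendor's code; the hosts, URLs, script bodies and the `audit_page` helper are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


def sri_hash(content: bytes) -> str:
    """Subresource Integrity value (sha384) for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()


class ScriptCollector(HTMLParser):
    """Collects (src, integrity) for every external <script> tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            self.scripts.append((attrs["src"], attrs.get("integrity")))


def audit_page(html: str, first_party_host: str, served: dict) -> list:
    """Flag third-party scripts that are unpinned or no longer match their pin."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        host = urlparse(src).hostname
        if host is None or host == first_party_host:
            continue  # relative or first-party URL: out of scope for this check
        if not integrity:
            findings.append((src, "no-integrity"))
        elif src in served and sri_hash(served[src]) not in integrity.split():
            findings.append((src, "hash-mismatch"))
    return findings


# Constructed sample: a payment page on the hypothetical host shop.example.
PINNED = {"https://pay.example.com/sdk.js": b"function pay(){}",
          "https://chat.example.org/widget.js": b"function chat(){}"}
PAGE = '<script src="/js/checkout.js"></script>\n' + "".join(
    f'<script src="{u}" integrity="{sri_hash(b)}" crossorigin="anonymous"></script>\n'
    for u, b in PINNED.items()
) + '<script src="https://ads.example.net/ad.js"></script>\n'
# What the vendors serve today; the chat widget changed after it was pinned.
SERVED = dict(PINNED)
SERVED["https://chat.example.org/widget.js"] += b"\n/* changed after pinning */"

if __name__ == "__main__":
    for src, problem in audit_page(PAGE, "shop.example", SERVED):
        print(problem, src)
```

This check only covers third-party scripts that change after they were pinned; it does not detect a direct compromise of the first-party site, the other possibility raised above.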