The life and times of james Hart: his family, his music, life in Luton and his occasional escapes onto the internet.

Saturday, 11 April 2009

On-line fraud - lessons learned (hopefully by Play.com, too!)

Beth received an email from Play.com on Wednesday morning to say that the order she had placed was ready for dispatch. To someone simply known as 'Mary' at an address in North London.

As one might imagine, this was extremely nerve-racking, so the first thing that Beth did was cancel the order; fortunately, it was early enough in the morning that the offices hadn't been opened, so the process couldn't get much further, and no money had been taken off the credit card.

She phoned the office as soon as it opened, and the first thing Play.com did was close her account; somewhat summary, I suppose, but the most effective means to prevent a recurrence. It was obvious, from what the customer services assistant said, that other orders had been placed with other customers' accounts to the same address.

Once again, Twitter has really impressed me; Beth kept tweets up-to-date about her experience, and a friend of ours picked up the story and passed it to Rory Cellan-Jones, who's the BBC's Technology reporter. He gave me a call, and I put him in touch with Beth, who told him the full story. Whether anything will come of it, I don't know, but it's further evidence, if any were needed, that Twitter is a really powerful channel for finding news stories.

On reflection, I have a suspicion what happened. We were a bit concerned that Beth's laptop may have had the Conficker virus, which is why I spent a couple of evenings rebuilding it just before the 1st of April 'payload day' that security experts predicted could cause havoc on the internet, were the millions of infected computers instructed to create 'denial of service' attacks on major websites.

What actually happened on the 1st of April was... very little. I was rather taken by the notion that what actually happened was that it was set as the end date for an 'auction', where the details of all the computers infected were sold off to the highest bidder, so all the information that was harvested could be used to carry out fraud just like that which happened to Beth.

There are, of course, lessons to be learned from these experiences. What was - and remains - quite concerning is that:

  • Play.com retains credit card details (in fact, it was certainly the case when Beth was the victim of the fraudulent activity that one needs to call the customer service centre to remove them!)
  • It is also possible, without any verification whatever, to change the delivery address of an order.

In my opinion, this is why Play.com was seen as a suitable host for such criminal behaviour, and I would not recommend creating or retaining an account with them until they sort this out. On this occasion I think we (and Play.com!) were lucky; I know what a hassle - and possibly even embarrassment - it is to have to call credit card companies to inform them of fraud. It's a shame, because Play.com do some very good deals on games and music, but I can't put a value on security and reassurance.

Posted by james at April 11, 2009 1:11 PM

This site is owned and operated by Image Communications, including all content and stuff.