John Lewis Credit Card

David Moon
Whilst my sister was on holiday in India (iMac off, not sleeping) someone spent £999 with Dyson using her John Lewis (MasterCard) credit card. On reporting it, JL immediately refunded the money and issued a new card but she can no longer make purchases via her Mac. I suggested she talked to JL Financial Services and this is her reply:

So! I have had a long chat with jlp security. As far as they are concerned, someone got into my computer, found all my personal details including the card no. etc and did the fraud that way. So they have put a block on my computer until I have evidence to show them that I have had the iMac professionally ‘cleaned’!!!

This is the first time I have heard of a card issuer making such a claim. My personal experience of JL Financial Services has never impressed me, e.g. their new smartphone app requires quite a complex password but will not allow copy and paste. Their efforts at security seem OTT and rather crude.

I don't even know how I would get an iMac "professionally checked" except by taking it to Apple and I suspect a pointless idea anyway. Probably best just to drop JL! Comment and advice welcome

Re: John Lewis Credit Card

Mick Burrell
That sounds total c**p to me! I assume her Mac was safe at home - no sign of a break in? Her Mac was off so hopefully not set to auto login meaning they'd need her admin password. Are her card details actually stored somewhere on her machine as plain text rather than in a password app?

I'd be grateful for answers as I use a JLP card but could change it!

Re: John Lewis Credit Card

David Moon
Will be visiting sister on Saturday and we will call Apple and get their take. I will let you know.

Re: John Lewis Credit Card

Tony Still
I think the first question is what makes JL think that the order was placed from your sister's computer? If they have evidence that that's what happened, it's time to check that she has a log-in password set etc and whether there is any sign on the machine itself of the order being placed. Do they know where the item went?

There seem to be several more-likely scenarios. I can imagine the card getting skimmed in places she doesn't usually go (airport, India) and being a useful number since whoever skimmed it knows she's not likely to be aware of the fraud until she gets home. I presume she is still physically in possession of the card.

It is tempting just to say "get a different card" but I know my other half would never part with her JL card. I will be giving her a cheque to pay for her birthday present, bought with her JL card because she wants the JL vouchers (clue: 27" Retina display).

Best of luck.

Re: John Lewis Credit Card

David Moon
Tony, someone would have had to break in to the house to use her computer. JL seem to be claiming that someone hacked her Mac and got the card details. She is not someone who leaves computer switched on all the time and it is password protected. It would appear that the fraudulent transaction used her computer ID (MAC no?) because JL have now blocked use of card on Mac but sister says it still works using iPad on same network.

Re: John Lewis Credit Card

David Moon
OK, here is an update. We had a chat with Apple, who took a similar cynical view to ours but suggested we could check the Mac by running Malwarebytes, which was already installed and gave a clean report.
Going into a bit more detail. Before going to India my sister used the card to pay £19.50 to Royal Mail to set up saving their mail for two weeks while they were away. John Lewis claim that the Dyson order was placed from the same device as that order to Post Office, hence the Mac must be the guilty party. I was surprised that they actually know what device places an order. If that detailed information is flying about then I would have thought it could have been picked up elsewhere in the system. More research to be carried out!

Re: John Lewis Credit Card

Mick Burrell
Hi David, not sure how many of these questions you can answer ;-)

1) How does the Mac connect to the router? (If wireless, is security WPA2?)
2) Are JL going by the IP address the ISP gives the router or do they also have the MAC address of the iMac?
3) Was the Royal Mail payment online or at a counter?

Re: John Lewis Credit Card

Tony Still
So who is breaching privacy by telling JL about the Royal Mail transaction?

And the same question about stealing the MAC address of the Mac. If it's the IP address then that is entirely unreliable: the Mac will be using NAT from the router and the IP address of the router is dynamically allocated by the ISP (i.e. may have been reused for someone else) - you can't read anything into that.

You could try forcing the Mac to refresh (change) its IP address from the router (DHCP refresh in Network preferences; Advanced > TCP/IP) which will change the Mac's IP address but my argument above suggests that this is useless; it might sway them in any argument though.

Re: John Lewis Credit Card

Mick Burrell
Tony - I don't think there would be any access to the home network IP address (given to the iMac by the router when using DHCP) - they shouldn't be able to see anything behind the router - but rather the IP address given by the ISP to the router. Although this could change if you restart the router, in my experience it doesn't.

If she tries to make another purchase on the JL card but from another device on the same home network, if they have blocked purchases from the router's IP address, the purchase would be blocked. However, if it does go through yet the iMac fails then they have somehow linked it to that one machine.

Re: John Lewis Credit Card

Tony Still
I've just deleted my proposed reply. On reflection, I think it's more likely that JL are using the browser's identity: that will have told them it was a Mac. Together with the router's IP address, that is more specific although it doesn't tie down which Mac in a house with several. If that's the case, I believe it's easily faked.

You can see the data you're leaking here.
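
Added example, not part of the thread and not a description of how John Lewis actually identifies devices: a sketch of the kind of "device" key discussed above, assuming it is simply a hash of the router's public IP and the browser's User-Agent header. The address, the User-Agent strings and the block lists are constructed sample data.

```python
import hashlib

def device_key(public_ip, user_agent):
    """Assumed fingerprint: hash of the router's public IP plus the
    User-Agent header. Both are all the server sees without extra scripts."""
    return hashlib.sha256(f"{public_ip}|{user_agent}".encode()).hexdigest()[:12]

def is_blocked(req, blocked_ips=(), blocked_keys=()):
    """True if a (hypothetical) issuer block list matches this request."""
    return (req["ip"] in blocked_ips
            or device_key(req["ip"], req["ua"]) in blocked_keys)

def infer_block_scope(imac_blocked, other_device_blocked):
    """The test proposed in the thread: retry from a second device
    on the same home network and compare the outcomes."""
    if imac_blocked and other_device_blocked:
        return "router IP"
    if imac_blocked:
        return "something specific to the iMac"
    return "no block seen"

# Constructed sample data. 203.0.113.7 is a documentation-only address.
HOME_IP = "203.0.113.7"
UA_MAC = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/605.1.15 "
          "(KHTML, like Gecko) Version/11.1 Safari/605.1.15")
UA_IPAD = ("Mozilla/5.0 (iPad; CPU OS 11_3 like Mac OS X) AppleWebKit/605.1.15 "
           "(KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1")

IMAC = {"ip": HOME_IP, "ua": UA_MAC}
SECOND_MAC = {"ip": HOME_IP, "ua": UA_MAC}       # another Mac behind the same NAT
IPAD = {"ip": HOME_IP, "ua": UA_IPAD}            # same network, different browser
NEXT_SUBSCRIBER = {"ip": HOME_IP, "ua": UA_MAC}  # ISP later reuses the dynamic IP

if __name__ == "__main__":
    blocked = [device_key(IMAC["ip"], IMAC["ua"])]
    for name, req in [("iMac", IMAC), ("second Mac", SECOND_MAC),
                      ("iPad", IPAD), ("next subscriber", NEXT_SUBSCRIBER)]:
        print(f"{name:16} key={device_key(req['ip'], req['ua'])} "
              f"blocked={is_blocked(req, blocked_keys=blocked)}")
    print("Block appears tied to:",
          infer_block_scope(is_blocked(IMAC, blocked_keys=blocked),
                            is_blocked(IPAD, blocked_keys=blocked)))
```

Under this assumption a second Mac in the house, or a later subscriber given the same dynamic address, produces the same key as the iMac, while the iPad on the same network does not, which matches the iPad still working while the Mac is refused.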

Re: John Lewis Credit Card

Mick Burrell
Hi Tony - that's a very useful link, thanks. I clicked the link just to see if I'm being a smart a**e :-)

It tells me I'm using Chrome 61 (I don't have Chrome installed on my machine) and I'm using Windows 10 whereas it's actually High Sierra. My IP address is one I've never heard of and certainly not the one my ISP has given me. Oh, and apparently I'm in London. On the plus side, it got the size of my monitor spot on ;-)

I'm sure you'll know how I've achieved this but do you think it's a useful (brief) topic at the next meeting?

Re: John Lewis Credit Card

Lionel Ogden
It told me I was using Safari 11.1, which I am, and that I was located in Dorchester, which I am - almost. The IP address was a mystery. Should I be concerned that this information is so easily available? Do firewalls actually work?

Re: John Lewis Credit Card

Mick Burrell
Nothing to do with your firewall Lionel - that information is being sent out not coming in. The IP address is the one Plus Net gives your router (assuming you're still with Plus Net).

I don't think you should worry unless you're ashamed of using Safari ;-)

Re: John Lewis Credit Card

Tony Still
This data has many legitimate uses and some that are less so.

Also, as I said and Mick has proved, it is easily faked. We can ask Mick to reveal all at the next meeting, we shouldn't steal his thunder here.

Re: John Lewis Credit Card

Mick Burrell
Ah, I appear to have dropped myself in it!
 