Travelex being held to ransom by hackers(bbc.co.uk)
bbc.co.uk
Travelex being held to ransom by hackers
https://www.bbc.co.uk/news/business-51017852
68 comments
This is probably a good reminder for everyone to ask how their customer data is backed up. Obvious your code is checked in to many git repos. Is your customer data on a server that automation can tamper with? If so, is a copy periodically written to a write-only destination that only a small number of people can manage, and then backed up to another location that a different group of people can manage? It probably also would not hurt to have a signed copy of a manifest that has checksums of all the files.
And a good reminder to get cash for your destination country before you get there where possible.
The hole in the wall forex place near me has wayyyyyy better rates than an airport’s currency desk.
Practically anyone does.
The hole in the wall forex place near me has wayyyyyy better rates than an airport’s currency desk.
Practically anyone does.
In the UK, the cheapest way to pay for things abroad is to get one of the travel-specific credit cards. The Halifax Clarity card is probably the best known, but I see that there are others now. These give you better rates than even the best forex places and don't charge per transaction fees. Obviously it's always wise to carry a little cash when travelling, but I can't recall the last time I had to use it, and I travel a lot for work.
My experience in France is that every little shop will have a 5-8 EUR minimum for card payments.
Of course you could buy your croissants from the Carrefour, but who would want to do that???
Of course you could buy your croissants from the Carrefour, but who would want to do that???
That would be illegal in Poland, as we have regulated transaction fees and card payment minimums have been outlawed for a few years now. You can easily pay for bread rolls by card here.
I've found that typically the easiest and very close to the cheapest way to get foreign cash is to simply withdraw it from an ATM in the destination country. Always make sure that they're charging your bank in the local currency to avoid poor exchange rates. You'll usually pay a couple bucks at the ATM and a couple more at your bank (unless you use somebody like Charles Schwab), but even with a $5 surcharge, the market rate used usually beats out the rate you can get at a money changer or from your bank before you travel.
That's been my experience as well. Using credit cards when possible and withdrawing cash from ATMs are the two best ways to get a good exchange rate.
And then there are the American banks that charge foreign transaction fees on all foreign transactions, even those in US$.
Fuck you PNC.
Fuck you PNC.
Yeah. That's pretty frustrating. I always try to make sure that I have at least one card that doesn't have foreign transaction fees and I stick to that card I'm out of the country.
And if you can find places where there’s cashback, you can also skip the ATM fees
Definitely! My credit union (BECU) actually refunds ATM fees which is an amazing perk. Before I was with them I would try to look up ATMs without fees ahead of time but that can be pretty tricky and inconsistent (especially outside of cities).
Ordering currency from your bank has pretty decent rates as well. Seems a lot of people don't realize that's an option (at least in the states / same with converting back to USD).
Probably depends on country and currency.
I get better Canadian dollar to Thai Baht rates after I land in Thailand (high demand for stable foreign currency over there), vs trying to buy THB while in Canada, as retailer desks have premiums for holding it.
I get better Canadian dollar to Thai Baht rates after I land in Thailand (high demand for stable foreign currency over there), vs trying to buy THB while in Canada, as retailer desks have premiums for holding it.
And some currencies are best held for the shortest time possible.
> Is your customer data on a server that automation can tamper with? If so, is a copy periodically written to a write-only destination?
Wait, so now we should have customer data in more locations?! I'm not disagreeing at all - except that that seems directly contrary to the "intent" of the GDPR in the first place (though you could cynically say that the real intent of the GDPR was to raise money, employ bureaucrats, and shake down mainly-U.S. companies.
Wait, so now we should have customer data in more locations?! I'm not disagreeing at all - except that that seems directly contrary to the "intent" of the GDPR in the first place (though you could cynically say that the real intent of the GDPR was to raise money, employ bureaucrats, and shake down mainly-U.S. companies.
It can be in the same country, just not the same pod/environment. It could even be a backup server with a vaulting policy that prevents backup admins from deleting things. i.e. require 2 C-levels to input something to delete anything.
Devastating for them I imagine. Website offline since 31st December, purposefully timed attack for maximum disruption I would imagine.
Looks like they had aspiration to IPO earlier in 2019, imagine this would now not be on the cards for a long time.
I wonder how much the ransom is for. It appears to be an enormously damaging attack - I wonder if paying it is the best option for their business at this stage, then follow the money.
Looks like they had aspiration to IPO earlier in 2019, imagine this would now not be on the cards for a long time.
I wonder how much the ransom is for. It appears to be an enormously damaging attack - I wonder if paying it is the best option for their business at this stage, then follow the money.
The problem with paying it is that even if it works, and all the machines decrypt in a timely fashion, you have no idea if the attackers have left anything else in the network that they could use to enter again.
You might not even find out the original entry point, and stop others following. Also it will be expensive.
You might not even find out the original entry point, and stop others following. Also it will be expensive.
You still may never find the entry point if you don't recover the machines. Saudi Aramco and Maersk fell victim to similar ransomware attacks and practically had to start from scratch buying storage devices straight from manufacturers to get back online. NotPetya was so destructive it didn't leave behind much in the way of meaningful evidence. If you don't recover the encrypted data you probably won't recover evidence that points to patient zero anyway.
Episodes 53 and 54 of https://darknetdiaries.com/episode/ are a good listen on this subject.
A bigger problem is that you've now painted a huge target on your back as a company that is known to have security problems and pay ransoms.
Finablr, Travelex's parent company IPO'd last year. Stock price is not looking too healthy today.
There is a very interesting wrinkle to this attack that I haven't heard of before, although I imagine this isn't the first attempt at it.
Unlike typical ransomware, the threat isn't "we will delete all this data," but "we will sell all this data, and you will amass crippling fines under the GDPR regulations."
Unlike typical ransomware, the threat isn't "we will delete all this data," but "we will sell all this data, and you will amass crippling fines under the GDPR regulations."
Yeah, this is a relatively recent evolution of ransomware schemes: https://krebsonsecurity.com/2019/12/ransomware-gangs-now-out...
No they are not “weaponising GDPR”, they are simply making it more obvious which companies aren’t protecting your data.
I have no sympathy for them. They've charged extortionate exchange rates to travellers for decades, so now they get themselves extorted by hackers? Karmic justice.
Most of the substantive reporting seems to point back to here: https://www.computerweekly.com/news/252476283/Cyber-gangster...
The Travelex website said it was down due to "planned maintenance". Is that not an outright lie, since it was obviously down for other reasons? Is there anything preventing a company from lying about something like this?
In previous projects I have worked on many years ago, the "down for maintenance" page was the page that was automatically served by the reverse proxy whenever we took the backend app servers down for whatever reason (emergencies, planned releases etc)
Granted this was years ago - I don't know what people do these days if all backend servers are unavailable.
I guess the alternative to "planned maintenance" is the more-accurate message of "OMG - shit's on fire dude!" but that is not appropriate for corporate PR speak ;-)
Sounds to me like someone probably got a "turn everything off while the police investigate - do not touch anything or we'll chop your fingers off/fire you" edict from management, so they wont even put up an unplanned-emergency message for fear of crossing-management/damaging evidence/screwing up while putting up a rushed message/letting hackers back in/etc
Granted this was years ago - I don't know what people do these days if all backend servers are unavailable.
I guess the alternative to "planned maintenance" is the more-accurate message of "OMG - shit's on fire dude!" but that is not appropriate for corporate PR speak ;-)
Sounds to me like someone probably got a "turn everything off while the police investigate - do not touch anything or we'll chop your fingers off/fire you" edict from management, so they wont even put up an unplanned-emergency message for fear of crossing-management/damaging evidence/screwing up while putting up a rushed message/letting hackers back in/etc
This would be ok for the first hour/day when this happenend, but after a whole week when it's been clear that extremely sensitive customer information has been breached then this is not an acceptable response and/or excuse.
They should put up a responsible message and pro-actively notify customers too. I hope they will get the highest possible fine for GDPR violations. This is an appalling response and treatment of customer data.
They should put up a responsible message and pro-actively notify customers too. I hope they will get the highest possible fine for GDPR violations. This is an appalling response and treatment of customer data.
I don't believe that, from the journalist* "Travelex has not responded to our multiple requests for response to these allegations. Not answering calls/ texts voicemails for the last couple of hours."
* https://twitter.com/joetidy/status/1214599174664138757
edit: also they gave a different (spreading virus v. third party issue) statement here earlier: https://eandt.theiet.org/content/articles/2020/01/travelex-t...
* https://twitter.com/joetidy/status/1214599174664138757
edit: also they gave a different (spreading virus v. third party issue) statement here earlier: https://eandt.theiet.org/content/articles/2020/01/travelex-t...
Travelex operates in Europe and is bound by GDPR regulations.
Travelex should have notified their supervisory authority within 72 hours of the breach, and are also required to notify end users in a timely manner.
https://gdpr-info.eu/art-34-gdpr/
According to the article, end users still have not been notified.
The lack of timely and proper notification as well as the misleading website information can be taken into account by the data protection authority in determining if the company should be fined, and the fines in question can be quite substantial.
Travelex should have notified their supervisory authority within 72 hours of the breach, and are also required to notify end users in a timely manner.
https://gdpr-info.eu/art-34-gdpr/
According to the article, end users still have not been notified.
The lack of timely and proper notification as well as the misleading website information can be taken into account by the data protection authority in determining if the company should be fined, and the fines in question can be quite substantial.
Indeed.
I'm puzzled by this:
> "Stealing data essentially gives threat actors additional bargaining chips when it comes to dealing with companies unwilling to pay the ransom. The idea is to weaponise the hefty fines associated with GDPR violations to pressure the company into paying."
I can't imagine that promises from REvil/Sodinokibi that stolen data had been deleted would reduce fines over GDPR violations.
I'm puzzled by this:
> "Stealing data essentially gives threat actors additional bargaining chips when it comes to dealing with companies unwilling to pay the ransom. The idea is to weaponise the hefty fines associated with GDPR violations to pressure the company into paying."
I can't imagine that promises from REvil/Sodinokibi that stolen data had been deleted would reduce fines over GDPR violations.
> Travelex operates in Europe and is bound by GDPR regulations.
To clarify, it's not that Travelex is located in or operates in Europe, it's that they hold data of EU residents. If they operated in Zimbabwe yet held data on EU residents, they would still be bound by GDPR.
To clarify, it's not that Travelex is located in or operates in Europe, it's that they hold data of EU residents. If they operated in Zimbabwe yet held data on EU residents, they would still be bound by GDPR.
How could they enforce that? By barring EU residents from dealing with Travelex?
Note I am not suggesting that this will happen with this particular company. I don't understand this case well enough to comment on it.
In a hypothetical situation of a non EU company significantly breaching GDPR this could be resolved by e.g. seizing all funds belonging to the company in EU banks or in extremes by finding the company's board in contempt of court and then arresting and imprisoning them if they ever travel to a country with a extradition agreement.
In a hypothetical situation of a non EU company significantly breaching GDPR this could be resolved by e.g. seizing all funds belonging to the company in EU banks or in extremes by finding the company's board in contempt of court and then arresting and imprisoning them if they ever travel to a country with a extradition agreement.
Well Travelex is a gigantic company, well-run (business-wise if not infosec-wise :P) and would comply with any imposed fines etc.
But your question is interesting. Imagine an onion service, theoretically perfectly shielded, that took Personal Data from it users and then sold it. Or even a normal Internet service, based in North Korea. GDPR would be unenforceable.
Ultimately we depend on the norms of international agreements, the desire and need to interoperate with global banking systems, etc.
But your question is interesting. Imagine an onion service, theoretically perfectly shielded, that took Personal Data from it users and then sold it. Or even a normal Internet service, based in North Korea. GDPR would be unenforceable.
Ultimately we depend on the norms of international agreements, the desire and need to interoperate with global banking systems, etc.
As far as I can tell there's still no actual mechanism in existence to enforce GDPR against an entity which has no significant operations in/financial exposure to the EU.
The GDPR text basically says "we'll ask other countries nicely and negotiate with them".
I'll be interested to see how the first real case goes against even a US-based entity that doesn't operate in the EU, much less one based in a country like North Korea.
The GDPR text basically says "we'll ask other countries nicely and negotiate with them".
I'll be interested to see how the first real case goes against even a US-based entity that doesn't operate in the EU, much less one based in a country like North Korea.
I assume they will just block the domain.
"they" being the entire EU? there's no mechanism for that.
> no mechanism for [blocking access to company X for the whole EU]
..they'll ask all the EU ISPs in each of 28 member states to block company X - nicely.
() "EU citizens" meaning potential customers of company X - the "enticement" for company X to pay the EU the fine.
..they'll ask all the EU ISPs in each of 28 member states to block company X - nicely.
() "EU citizens" meaning potential customers of company X - the "enticement" for company X to pay the EU the fine.
Maybe someone should organize a campaign to flood the European GDPR Regulators with "our data might have been compromised already or maybe in the future, and might have contained data on EU residents, that might be considered 'sensitive' We are - (or will be) - working on it, but just wanted to let you know immediately so that you can't say we didn't warn you and slap us with a ga()-illion dollar/euro fine.." () “Ga” subject to change at any moment based on ECB forecasts, or how much we don’t like you.
All kinds of companies, from all over the world (eu or not) flooding the GDPR headquarters in Brussels with "pre-emptory warnings". The purpose of course being to let them know how ridiculous (and possibly/probably arbitrary) their regulatory framework
And is anyone else annoyed that since GDPR started, every single website that even so much as stores your username now has a "this website uses cookies" thing you have to click on to get rid of it? And if you turn off cookies, you see this damn intrusive thing every single time. How is this making the web "safer"?! Can "we" (whatever that means) petition them to enact a standard where people can set a preference in their web browsers that says "I don't care unless it's financial/medical/physical-address data" It's a $#%$5# pain in the collective derriere.
I wouldn't be surprised if some websites are doing it as a matter of course, "just in case" - like the "this product contains things that are known to cause cancer cause cancer to the state of California" - applied to everything - in a catalog that sells drill bits (okay, I suppose the couple of nano-grams of drill-bit-dust coming off it). Just to be safe (pun unintended).
All kinds of companies, from all over the world (eu or not) flooding the GDPR headquarters in Brussels with "pre-emptory warnings". The purpose of course being to let them know how ridiculous (and possibly/probably arbitrary) their regulatory framework
And is anyone else annoyed that since GDPR started, every single website that even so much as stores your username now has a "this website uses cookies" thing you have to click on to get rid of it? And if you turn off cookies, you see this damn intrusive thing every single time. How is this making the web "safer"?! Can "we" (whatever that means) petition them to enact a standard where people can set a preference in their web browsers that says "I don't care unless it's financial/medical/physical-address data" It's a $#%$5# pain in the collective derriere.
I wouldn't be surprised if some websites are doing it as a matter of course, "just in case" - like the "this product contains things that are known to cause cancer cause cancer to the state of California" - applied to everything - in a catalog that sells drill bits (okay, I suppose the couple of nano-grams of drill-bit-dust coming off it). Just to be safe (pun unintended).
> And is anyone else annoyed that since GDPR started, every single website that even so much as stores your username now has a "this website uses cookies" thing you have to click on to get rid of it? And if you turn off cookies, you see this damn intrusive thing every single time.
I am indeed very annoyed that so many companies are throwing an online tantrum over the very reasonable requirements of GDPR. Most of those cookie banners aren't even GDPR-compliant because they don't let you opt-out of tracking and don't actually tell you what data they are tracking or who they are giving it to.
Just tell people what you are actually fucking doing with their data and let them opt-out of having their data collected. It's not that fucking hard.
I am indeed very annoyed that so many companies are throwing an online tantrum over the very reasonable requirements of GDPR. Most of those cookie banners aren't even GDPR-compliant because they don't let you opt-out of tracking and don't actually tell you what data they are tracking or who they are giving it to.
Just tell people what you are actually fucking doing with their data and let them opt-out of having their data collected. It's not that fucking hard.
I think the GDPR is great regulation that puts people before companies.
No, and no, because they'd just say they started planning the maintenance as soon as they recognized the problem.
Could say they put the website into maintenance, when somebody had violated and disabled their back end.
Website's "fine" - it's just waiting to be plugged into something that works.
Website's "fine" - it's just waiting to be plugged into something that works.
What are the odds that they've exposed the personal information of thousands of airport travellers who have exchanged foreign currencies with them?
Low in this case (read the CW article https://www.computerweekly.com/news/252476283/Cyber-gangster...). The "ransom note" seems generic and it implies they aren't sophisticated data thieves, just disruptors.
That said, there has been news of late that these kinds of attacks are indeed stepping up the value chain of stealing, selling, mining the data itself. But I would tend to think not, in this case, as the ransom note would have been much more severe.
That said, there has been news of late that these kinds of attacks are indeed stepping up the value chain of stealing, selling, mining the data itself. But I would tend to think not, in this case, as the ransom note would have been much more severe.
Your guess is as good as anyone's. Given the way the communication is going, I'd say more likely than not.
But the article says all computer systems are off which is clearly not the case so who knows...
But the article says all computer systems are off which is clearly not the case so who knows...
I suppose most transactions don’t require ID. Maybe some countries require them for all.
Anyone who pays the terrible airport rates for large conversions is probably laundering money.
Literally every other option is better.
Anyone who pays the terrible airport rates for large conversions is probably laundering money.
Literally every other option is better.
Mini Ask HN: assuming you were designing a similar system, how would you design to prevent this happening? What would make your system "immune" from this sort of ransom attack so you could redeploy an be up and running again quickly?
Sure there are the basic security hygiene steps etc, but what architectural steps can you take to combat this risk?
I have some thoughts (e.g. append-only logs replicated in multiple places, everything 12-factor'd and containerised and ready to re-deploy at a moment's notice etc), but curious what prevailing wisdom is?
Sure there are the basic security hygiene steps etc, but what architectural steps can you take to combat this risk?
I have some thoughts (e.g. append-only logs replicated in multiple places, everything 12-factor'd and containerised and ready to re-deploy at a moment's notice etc), but curious what prevailing wisdom is?
For Windows systems use AppLocker to prevent any unauthorized applications from executing. Thus even if a user's account is compromised they won't be able to run the malware. Of course this doesn't protect against malware that executes inside an approved application (like a web browser or MS Office) but it closes off many potential attack vectors.
https://docs.microsoft.com/en-us/windows/security/threat-pro...
https://docs.microsoft.com/en-us/windows/security/threat-pro...
It's perhaps worth discussing the possibility that append-only logs replicated to multiple places may be likely to make the mishandling and theft of private data more likely, rather than less.
The only real form of true immunity to private information theft is to have no private information. It's impossible to lose what you do not have. Everything else is layered controls and policies to detect, alarm, contain, deter, and otherwise enable you to deal with attacks as they come. That's what good defenses looks like for most companies - defense in depth.
In practice, it often looks like aggressive patching policies and administrative controls coupled with careful monitoring, limited access to production, and regular audits. Security is a whole-enterprise problem, rather than a purely technical one that can be entirely addressed by code fixes.
The only real form of true immunity to private information theft is to have no private information. It's impossible to lose what you do not have. Everything else is layered controls and policies to detect, alarm, contain, deter, and otherwise enable you to deal with attacks as they come. That's what good defenses looks like for most companies - defense in depth.
In practice, it often looks like aggressive patching policies and administrative controls coupled with careful monitoring, limited access to production, and regular audits. Security is a whole-enterprise problem, rather than a purely technical one that can be entirely addressed by code fixes.
Append-only logs replicated to multiple places is probably illegal under the GDPR. People have the right to demand all data about them is deleted, e.g. once they are no longer Travelex customers.
An interesting question is would you rather your bank leaked some personal information about you, or would you rather they lost all your information, and therefore all of your money?
An interesting question is would you rather your bank leaked some personal information about you, or would you rather they lost all your information, and therefore all of your money?
Travelex, as a financial services company, is probably obligated to retain records. GDPR defers to these obligations.
A company outside finance might definitely have these problems!
A company outside finance might definitely have these problems!
They're obligated to retain some information for a certain period of time, but certainly not all information that they have and not forever.
You're absolutely right.
In this case, it means that an append-only data store with a fixed retention time might be a perfectly reasonable way to store certain kinds of records. This means that an append-only data store is not guaranteed to run up against deletion requirements in all cases.
In my opinion, this is particularly salient and worth being aware of when the conversation centers around a financial company, data storage, GDPR, and deletion requirements. It is possibly not always likely to be as simple as "use append-only" or "append-only likely to be illegal".
In this case, it means that an append-only data store with a fixed retention time might be a perfectly reasonable way to store certain kinds of records. This means that an append-only data store is not guaranteed to run up against deletion requirements in all cases.
In my opinion, this is particularly salient and worth being aware of when the conversation centers around a financial company, data storage, GDPR, and deletion requirements. It is possibly not always likely to be as simple as "use append-only" or "append-only likely to be illegal".
> financial services company, is probably obligated to retain records. GDPR defers to these obligations.
Gee - how long until the GDPR-o-crats demand a fine from a company (possibly the "right to be forgotten" thing), and the company then uses the defense that "we would have destroyed the information, except for some other EU regulation.. You figure your own way out of that logical puzzle!"
Gee - how long until the GDPR-o-crats demand a fine from a company (possibly the "right to be forgotten" thing), and the company then uses the defense that "we would have destroyed the information, except for some other EU regulation.. You figure your own way out of that logical puzzle!"
Fortunately, GDPR explicitly spells out that it defers to other legal retention obligations.
Obviously everyone would much prefer the former. GDPR is a very bad law for many reasons, but rendering many basic IT strategies for robustness "illegal" (maybe) is one of them.
Of course GDPR defenders tend to take a stance of, anything reasonable is actually not illegal under GDPR even if it might appear to be so at first. It really is a horribly vague and useless piece of law making. I really hope the UK scraps it after Brexit, though I don't hold out much hope.
Of course GDPR defenders tend to take a stance of, anything reasonable is actually not illegal under GDPR even if it might appear to be so at first. It really is a horribly vague and useless piece of law making. I really hope the UK scraps it after Brexit, though I don't hold out much hope.
https://www.bleepingcomputer.com/news/security/sodinokibi-ra...
has information about this being specific ransomware.
One possible vector for the attack, from that article, is that apparently they had an unsecured pulse Secure VPN which has a known and quite nasty vulnerability, which is being actively exploited.
has information about this being specific ransomware.
One possible vector for the attack, from that article, is that apparently they had an unsecured pulse Secure VPN which has a known and quite nasty vulnerability, which is being actively exploited.
So the “camp out in airports and rip off naive travelers” company has bad tech? Shocking.
That's a minor portion of their business, mostly to keep the name out there. The current business is in large B2B F/X transactions - friends of mine worked at a boutique firm in the midwest and both coasts (HIGHLY profitable) that was acquired by them in the 2000s.
I find it interesting that the article makes no mention of why the hack was possible in the first place and how good or bad the security practices of Travelex were.
Don't get me wrong, the criminals who conducted this should be tracked and brought to justice, but - to use an analogy - if your bank kept your hard-earned cash in a big pile next to the entrance door, wouldn't you feel a tad unhappy with the bank if it got stolen?
And shoudldn't proper reporting paint a slightly more rounded picture of what actually happened (as in: how easy was it for the hackers to circumvent security measures at Travelex?)
Don't get me wrong, the criminals who conducted this should be tracked and brought to justice, but - to use an analogy - if your bank kept your hard-earned cash in a big pile next to the entrance door, wouldn't you feel a tad unhappy with the bank if it got stolen?
And shoudldn't proper reporting paint a slightly more rounded picture of what actually happened (as in: how easy was it for the hackers to circumvent security measures at Travelex?)
We need to make paying ransoms to hackers illegal. If that results in the victimized companies going bankrupt then that is an acceptable consequence pour encourager les autres.
I think it has to come down to insurance-mandated security requirements.
And enforce it.
Canada doesn’t let you pay hostage ransoms (per law), but has never charged anyone either.
Canada doesn’t let you pay hostage ransoms (per law), but has never charged anyone either.