Andrew Kulin Posted January 15, 2019 Share Posted January 15, 2019 My card is also compromised. By downhill skiers or snowboardersso it appears. About $1700. Thanks Canuck Gamer for posting this as it made me check my credit card statement online this morning. Link to comment Share on other sites More sharing options...
37mm Posted January 15, 2019 Share Posted January 15, 2019 I used a (Visa) Debit card to purchase CMSF2 ten days before Xmas. No issues... yet. Even if they had your card details, how would they get the "secret question" purchase confirmation answer correct? That's administered by a completely different system. Link to comment Share on other sites More sharing options...
rocketman Posted January 15, 2019 Share Posted January 15, 2019 Luckily I wasn't affected. I placed my order the same day it was announced. But I can't help but think that it might be connected to the massive forum thread spams we've had over the past six months. Forums are not the same system as the store, but someone is messing with BFC Link to comment Share on other sites More sharing options...
sburke Posted January 15, 2019 Share Posted January 15, 2019 3 hours ago, Thewood1 said: Typically, when you start getting charges from stolen info, the culprits will put a small charge through, like one to two dollars. They do this to test the card and prep it for a larger transaction. I had my cc number compromised a couple times in the last few years and got a very detailed explanation from my CFO. He convinced me to only do online transactions with PayPal, Steam, or a burner card. Never use a debit card. He said Paypal is very close to impossible to compromise unless you are in very unsecure area and using it, like in an airport wifi. The other thing he said is always run a cheap VPN. Like Paypal, its close to impossible to compromise. Nothing is foolproof, but Paypal combined with a VPN will make it difficult. I was hit through PayPal. Pretty much your only real protection is to monitor your accounts closely and have it send alerts for transactions above a self defined threshold. Link to comment Share on other sites More sharing options...
mjkerner Posted January 15, 2019 Share Posted January 15, 2019 6 minutes ago, sburke said: I was hit through PayPal. Pretty much your only real protection is to monitor your accounts closely and have it send alerts for transactions above a self defined threshold. Surprised at at that, Steve. Bummer. I have never been hit through Paypal, which I have used for over 15(?) years whenever it's an option, and I do A LOT of online purchasing of books and miniatures and stuff for my better half. My CC has been hit 3 times over that period, though. Sux big time. (I apparently have an affinity for comp servers in NJ and Oklahoma, and gas stations in Los Angeles! Link to comment Share on other sites More sharing options...
AlexUK Posted January 15, 2019 Share Posted January 15, 2019 (edited) Oh oh! A bit of a stupid question, but how can I check the method of payment I used? Edit - I checked, PayPal, I guess I am ok. Edited January 15, 2019 by AlexUK Link to comment Share on other sites More sharing options...
slysniper Posted January 15, 2019 Share Posted January 15, 2019 I also had my credit card compromised, it is the card I purchased CMF2 on and the bad activity just happened in January. I think you are correct in that BF's information on our accounts could be compromised. Link to comment Share on other sites More sharing options...
Erwin Posted January 15, 2019 Share Posted January 15, 2019 Checked with my CC co and there were no fraudulent charges subsequent to buying CMSF2 (so far). However, cos I was traveling till a couple weeks ago and only purchased the game last week. So... Link to comment Share on other sites More sharing options...
A Canadian Cat Posted January 15, 2019 Share Posted January 15, 2019 4 hours ago, PhilM said: Because of the time gap I didn't initially associate the card being compromised with the BF purchase, but it seems far too many examples to be just coincidence Clearly from early in the thread there is something that warrent's a look but don't forget for any group of people if you ask "any one have any suspicious CC activity" you will get hits because criminals are always up to no good an trying to get CC numbers to steal. So, just because we have people with suspicious charges does not mean they are *all* due to some breach of the BFC store. Just reminding everyone not to panic - got hold you favourite towel if that helps. And I am not trying to single @PhilM for some reason just keying off his comment to remind everyone... Link to comment Share on other sites More sharing options...
Battlefront.com Posted January 15, 2019 Share Posted January 15, 2019 Hi all, Thanks for starting up the thread and adding too it as this allows me the opportunity to explain how things work. Battlefront has nothing to do with the credit card transactions in any direct way. When you go to pay an encrypted pipe opens up between your browser and our credit card processing service (which is PayPal). We never, ever receive any of your credit card data, not even as a data stream. Instead, what we receive is various bits of transaction data from PayPal, such as unique transaction number, approval/rejection result, etc. From this our hosted store backend systems determine what to do with your order. If PayPal says the transaction cleared then your order is processed, otherwise it is not. I can't emphasize enough that there is no opportunity for your credit card data to come from us and go to the bad people out there. The only two possibilities I can think of are sniffers on your computer or some sort of data breach with PayPal. Both are possibilites, of course, but Battlefront is merely incidental in that case. The other possibility, of course, is that these are all coincidental and the breaches happened for some other totally unrelated reason (e.g. part of a multi-million card breach through a retailer that does retain credit card info). Now, on a personal level I had a credit card compromised a few months ago with the usual tiny transaction in a foreign country to test if the card was active. I also have my cards seemingly randomly replaced way before they are set to expire. Two years ago I had my debit card information, including my PIN, "skimmed" somewhere in the Washington DC area. Check out "skimming" information out on the web and you'll see that it's gotten VERY sophisticated in the past few years. Scary sophisticated. OK, so back to the topic here... There is absolutely no way, at all, that your credit cards were "breached" due to anything specific to Battlefront. They can't breach what we don't have. All I can do is compile a list of your credit card transaction numbers and forward them to PayPal so that they can investigate. If you recently had your card breached, please contact the Help Desk and provide your Order Number with us, the date of the fraud charge, and the amount. That should be enough information. DO NOT PROVIDE ANY CREDIT CARD INFORMATION AT ALL!!! If there isn't a special place in Hell for people who breach and use credit cards, I for one hope the policies are changed to accommodate these most deserving of people. Steve Link to comment Share on other sites More sharing options...
Battlefront.com Posted January 15, 2019 Share Posted January 15, 2019 BTW, we have always had the option (old store and new) to receive and keep credit card information. This would take the form of receiving the credit card fields in the checkout form instead of them being discarded. Some vendors store data for the convenience of the customer as the payment method is "on file". Amazon is a good example of this. But NO WAY, NO HOW do we want to have anything to do with any of that!! If multi-billion Dollar companies, with a staff of IT cyber security workers, can't protect your data then we stand no chance at all. Instead of exposing you, and by extension Battlefront, to this sort of mess we don't go anywhere near your credit card info. That's the only sane choice for us to make and we are, at the end of the day, reasonably sane people (excepting our interest in making wargames... that's nuts). Steve Link to comment Share on other sites More sharing options...
Michael Emrys Posted January 15, 2019 Share Posted January 15, 2019 (edited) I am comfortable with the thought that BFC is not directly culpable in any way. Didn't PayPal report just a couple of weeks ago that their computers had been hacked and personal information of thousands of their users compromised? I am vague on the details as I was only mildly interested in the report since I do not use PayPal. A few hours ago I contacted my bank to cancel my old card and issue me a new one. In general I won't be giving the information contained on it until I actually make a purchase. I am also going to do a survey of the cookies on my machine and clear any that look questionable or unnecessary. But I expect that any attack by a sufficiently determined thief can find a way to do mischief. Michael Edited January 15, 2019 by Michael Emrys Link to comment Share on other sites More sharing options...
Battlefront.com Posted January 15, 2019 Share Posted January 15, 2019 7 hours ago, Warts 'n' all said: I don't think that my problem stemmed from this site as I haven't bought CMSF2. So perhaps it is my punishment for buying something from S@%£&. New bank card in the post and a refund into my account, so no major harm done. The chances are that all of the reports here are purely part of the law of averages. The amount of credit card fraud out there is massive and Christmas season would be the best time to intercept/breach as that's the most active time in the entire year. Lots and lots of completely up-to-date cards to get a hold of. If you all are aware, the Marriott Hotel (parent company, lots of subsidiaries) just had a massive breach where 500,000,000 credit card numbers were stolen. I put that number out with all the zeros to emphasize the scale of that ONE breach. Here is a link that shows that 100,000,000+ breaches are not uncommon: https://en.wikipedia.org/wiki/List_of_data_breaches So here's the thing about coincidence. They don't call it coincidence for nothing Have any of you with the credit card breaches had any financial transactions (including their restaurants, bars, etc.) at any Marriott related facility during the time your breached card was active? Could be 3 years ago one time to buy one beer. That's the problem with stored credit card info, it can be stolen at any time. Now fast forward to the Marriot breach. Some criminal gets a list of several million numbers and sells them to people around the Christmas season. Guess what will happen? Lots of fraud charges appearing very quickly for a huge number of people before the cards are shut down proactively. To you it looks like there's a cause and effect because you're thinking about only RECENT charges, not that beer you bought 3 years ago or the parking garage that you put your car into that was conveniently located across from a shop you went to. Which means the process you are using to evaluate cause and effect is fundamentally flawed because there is no meaningful cause and effect relationship to focus on. Even when it is possible to narrow things down, it's impossible to get specific enough to say "this is where the crime happened". When my ATM card was stolen it was highly probable, though not certain, that it was stolen when I visited DC. Even if I was correct, I couldn't tell you where the info was skimmed because I did at least a dozen transactions at places that could have been skimmed. Steve Link to comment Share on other sites More sharing options...
Battlefront.com Posted January 15, 2019 Share Posted January 15, 2019 All that said, I'll still pass on the info we receive from you to PayPal. However, my presumption is you guys got burned by Marriott or some other massive credit card breach. Perhaps one that isn't even public yet. Sometimes they take a while to get out into the public. Steve Link to comment Share on other sites More sharing options...
PhilM Posted January 15, 2019 Share Posted January 15, 2019 1 hour ago, Battlefront.com said: Hi all, Thanks for starting up the thread and adding too it as this allows me the opportunity to explain how things work. Battlefront has nothing to do with the credit card transactions in any direct way. When you go to pay an encrypted pipe opens up between your browser and our credit card processing service (which is PayPal). We never, ever receive any of your credit card data, not even as a data stream. Instead, what we receive is various bits of transaction data from PayPal, such as unique transaction number, approval/rejection result, etc. From this our hosted store backend systems determine what to do with your order. If PayPal says the transaction cleared then your order is processed, otherwise it is not. I can't emphasize enough that there is no opportunity for your credit card data to come from us and go to the bad people out there. If there isn't a special place in Hell for people who breach and use credit cards, I for one hope the policies are changed to accommodate these most deserving of people. Steve Steve, I understand and accept that this (my bold bit of your quote above, and the rest of your post) is so: my piling in was only to increase awareness of the problem and get BF customers to check their card accounts, JUST IN CASE some of the problems are related to people's BF transactions. As you also say, the cards may well have been compromised in a completely different breach ... So, apologies if it seemed like I was holding BF to account for this; nothing further from my mind. And even if it were the BF transaction (though not BF ...) at fault ... my CMSF2 big bundle upgrade is well worth the hassle of needing a new credit card! 1 Link to comment Share on other sites More sharing options...
Combatintman Posted January 15, 2019 Share Posted January 15, 2019 1 minute ago, PhilM said: Steve, I understand and accept that this (my bold bit of your quote above, and the rest of your post) is so: my piling in was only to increase awareness of the problem and get BF customers to check their card accounts, JUST IN CASE some of the problems are related to people's BF transactions. As you also say, the cards may well have been compromised in a completely different breach ... So, apologies if it seemed like I was holding BF to account for this; nothing further from my mind. And even if it were the BF transaction (though not BF ...) at fault ... my CMSF2 big bundle upgrade is well worth the hassle of needing a new credit card! Totally agree there mate - well said all. 1 Link to comment Share on other sites More sharing options...
Erwin Posted January 15, 2019 Share Posted January 15, 2019 Thank you for the reassurance. Link to comment Share on other sites More sharing options...
Battlefront.com Posted January 15, 2019 Share Posted January 15, 2019 5 hours ago, PhilM said: So, apologies if it seemed like I was holding BF to account for this; nothing further from my mind. No need to apologize! The thread was started and added to with the best intentions. It was also noticeably polite and non-accusatory Most people don't understand the inner workings of a complex system unless they have a direct reason to know about it. I certainly am no expert on credit card security issues either. But as the guy that has set up multiple stores for us over the years I've learned a thing or two! And before my debit card was stolen I had never heard of the term "skimming", so I know a decent amount about that now. Steve Link to comment Share on other sites More sharing options...
SgtHatred Posted January 15, 2019 Share Posted January 15, 2019 6 hours ago, Battlefront.com said: Hi all, Thanks for starting up the thread and adding too it as this allows me the opportunity to explain how things work. Battlefront has nothing to do with the credit card transactions in any direct way. When you go to pay an encrypted pipe opens up between your browser and our credit card processing service (which is PayPal). We never, ever receive any of your credit card data, not even as a data stream. Instead, what we receive is various bits of transaction data from PayPal, such as unique transaction number, approval/rejection result, etc. From this our hosted store backend systems determine what to do with your order. If PayPal says the transaction cleared then your order is processed, otherwise it is not. I can't emphasize enough that there is no opportunity for your credit card data to come from us and go to the bad people out there. The only two possibilities I can think of are sniffers on your computer or some sort of data breach with PayPal. Both are possibilites, of course, but Battlefront is merely incidental in that case. The other possibility, of course, is that these are all coincidental and the breaches happened for some other totally unrelated reason (e.g. part of a multi-million card breach through a retailer that does retain credit card info). Steve You say that, but I just took a look at the checkout page. All it would take is a bad guy with access to your hosting solution (say, your admin password) and basic javascript knowledge to grab credit card information directly off the input form you generate before it is sent anywhere. Easy and common enough. OnePlus got nailed by something similar last year. The credit card I used to buy CMSF2 was breached. A first for me. It's a tap card, so it would have to be a web transaction that got me. That doesn't guarantee that Battlefront.com was breached or anything, but your explanation here is faulty. Link to comment Share on other sites More sharing options...
Wicky Posted January 15, 2019 Share Posted January 15, 2019 My tupenthworth as a webmaster - there was a mass hotmail and disposable email hack that started in Dec (tested on students then became more widespread soon after in a phishing campaign) and became more readily apparent in early January that I had to issue a warning for folk to check and change their passwords. I think from insecure passwords susceptible to brute force hacking. Possibly if hackers gained access to email accounts they could also glean banking info as a priority?? https://www.necl.co.uk/index.php/news/194-watch-out-for-dodgy-emails-appearing-to-be-from-necl-clubs Link to comment Share on other sites More sharing options...
Battlefront.com Posted January 16, 2019 Share Posted January 16, 2019 1 hour ago, SgtHatred said: You say that, but I just took a look at the checkout page. What I said is accurate. What you're talking about is not the same thing. 1 hour ago, SgtHatred said: All it would take is a bad guy with access to your hosting solution (say, your admin password) and basic javascript knowledge to grab credit card information directly off the input form you generate before it is sent anywhere. Easy and common enough. OnePlus got nailed by something similar last year. Sure, in theory. There's many different paths to those sorts of attacks, but the more likely cause is the 939,092,588 accounts that were documented to have been compromised in 2018 alone (this according to that Wiki article I linked to). 1 hour ago, SgtHatred said: The credit card I used to buy CMSF2 was breached. A first for me. It's a tap card, so it would have to be a web transaction that got me. I agree. Although tap/chip cards can be compromised as well (just more difficult), the chances are it was an online transaction of some sort. If you had only used your card for one and only one purchase and that was from our website, then we'd have a definitive answer. 1 hour ago, SgtHatred said: That doesn't guarantee that Battlefront.com was breached or anything, but your explanation here is faulty. Not really faulty, but I do agree I did leave out one possibility. It is true that if someone had control of our backend, either through us or by compromising our host, they could alter the Javascripts to transmit the credit card data back to someone (not us) instead of having it discarded as it should be. At least in theory, as I have no idea how practical that is for our given set of circumstances. As I said, we're taking this seriously even though we don't think we're involved at all. The Human mind is pre-programmed to look for patterns. We all do it. As I stated already, just because you got a fraud charge today doesn't mean it has anything to do with a recent legitimate use of your card. It's like people who get symptoms of food poisoning blaming the last thing they ate when it generally was something they ate 24-48 hours earlier. Mind you, despite not thinking this has anything to do with us we're still moving ahead with due diligence on this issue. No matter how small the chance is, it's not zero. Steve Link to comment Share on other sites More sharing options...
SgtHatred Posted January 16, 2019 Share Posted January 16, 2019 1 hour ago, Battlefront.com said: What I said is accurate. What you're talking about is not the same thing. Sure it is. It's exactly the same thing. Information being entered on your website might be intercepted by a 3rd party. A script surreptitiously installed on a website to steal data entered before it is encrypted or sent to a transaction provider is pretty common. 1 hour ago, Battlefront.com said: Sure, in theory. There's many different paths to those sorts of attacks, but the more likely cause is the 939,092,588 accounts that were documented to have been compromised in 2018 alone (this according to that Wiki article I linked to). True, I didn't even think it could be my BFC purchase until I saw this thread. I've purchased a bunch of computer parts from a Canadian retailer that recently went bankrupt, auctioning off hardware that had 17 years of complete transaction logs, unencrypted. I assumed that was the cause of my problem, and that the fraudulent purchases were made at places that didn't require the new CVV2 number. Security online sucks and you are always at the mercy of whatever provider you are dealing with. 1 hour ago, Battlefront.com said: I agree. Although tap/chip cards can be compromised as well (just more difficult), the chances are it was an online transaction of some sort. If you had only used your card for one and only one purchase and that was from our website, then we'd have a definitive answer. Nope. It's been used many places. There are only a couple of places that my recently refreshed CVV2 could have leaked from though, unless something hilarious happened like Amazon got compromised. BFC is one of those places. 1 hour ago, Battlefront.com said: Not really faulty, but I do agree I did leave out one possibility. It is true that if someone had control of our backend, either through us or by compromising our host, they could alter the Javascripts to transmit the credit card data back to someone (not us) instead of having it discarded as it should be. At least in theory, as I have no idea how practical that is for our given set of circumstances. It's not uncommon. British Airways and OnePlus are recent examples of that. If your email got compromised or your provider was compromised, or your provider was slow with a critical update, or had a disgruntled support guy, or someone guessed your password or... Once they have access it's silly easy. No encryption, no fuss, just gotta hide some javascript in the Web 2.0 hell every website has become. Easy. 1 hour ago, Battlefront.com said: As I said, we're taking this seriously even though we don't think we're involved at all. The Human mind is pre-programmed to look for patterns. We all do it. As I stated already, just because you got a fraud charge today doesn't mean it has anything to do with a recent legitimate use of your card. It's like people who get symptoms of food poisoning blaming the last thing they ate when it generally was something they ate 24-48 hours earlier. Mind you, despite not thinking this has anything to do with us we're still moving ahead with due diligence on this issue. No matter how small the chance is, it's not zero. Steve That's good. I just wanted to point out that you were mistaken when you said... 10 hours ago, Battlefront.com said: I can't emphasize enough that there is no opportunity for your credit card data to come from us and go to the bad people out there. Good luck figuring this out. It's always a pain, especially if there is nothing to find. Link to comment Share on other sites More sharing options...
Thewood1 Posted January 16, 2019 Share Posted January 16, 2019 15 hours ago, liamb said: Yeah my credit card was cancelled due to fraudulent activity over the weekend (and I'm in Australia). I bought SF2 when it launched. Interestingly the guy from the bank had a chuckle because the 'small test charge' of $1 was put through as "test only". He said they aren't normally dumb enough to name it that. Its not as dumb as it sounds. When you buy gas or stay at a hotel, they will put a test charge through if you aren't a regualr customer. It goes in and out so fast sometimes, the bank never lists it on the statement. I have seen some weird names when they do get tracked. Link to comment Share on other sites More sharing options...
Battlefront.com Posted January 16, 2019 Share Posted January 16, 2019 3 hours ago, SgtHatred said: Sure it is. It's exactly the same thing. Information being entered on your website might be intercepted by a 3rd party. A script surreptitiously installed on a website to steal data entered before it is encrypted or sent to a transaction provider is pretty common. Let me clarify. I stated that it was impossible for credit card data to have come from us because we don't store it. That's absolutely true and it is the way we avoid the #1 way credit card data is stolen. Specifically, someone hacks/phishes his/her way into a system and finds all that juicy data just sitting there. That's how 500,000,000 credit cards were stolen from Marriott, for example. Since we don't store the data this most common threat to customer data security isn't an issue for Battlefront customers. However, you pointed to a very different threat and that's not stealing the data, rather hijacking the process. For sure I didn't mention that, though I was thinking of that grouped in with the "sniffer" possibility (though admittedly that's not the same thing). In a hijack scenario the data probably never goes to our server, having the script send it directly to an external IP address. That way would be the smartest thing because then the hacker wouldn't have to worry about local defenses blocking port access or becoming suspicious about outgoing activity. So my guess is anybody smart enough to get in and rewire a script would instruct the customer's side to do the transmitting. That's certainly what I'd try to do if I were to try and do it. So that's what I mean by different. On the one hand there's stealing data that is legitimately transmitted by the customer to the vendor. On the other there's redirecting the data before (or after) it arrives. Why does this difference matter? Because if the data is there to be stolen ALL of it is there to be stolen. 500,000,000 in the case of Marriott. If the data is hijacked, then only the poor sods who interacted with the vendor after the hack was put in place are affected. Massive difference in terms of impact. Quote Security online sucks and you are always at the mercy of whatever provider you are dealing with. The only way to protect oneself from credit card fraud is to not have credit cards. That's just not feasible for most people. Quote Nope. It's been used many places. There are only a couple of places that my recently refreshed CVV2 could have leaked from though, unless something hilarious happened like Amazon got compromised. BFC is one of those places. Noted. Quote Good luck figuring this out. It's always a pain, especially if there is nothing to find. This is one of the things I hate most about the people who do this. Even when there's nothing to find it comes at a cost to everybody else. BTW, I just remembered a few weeks ago I received a brand new card for my primary credit card. It was totally out of the blue and there was no explanation for it. Obvious reason for the sudden card was that the old one was believed compromised. This was CapitalOne, so me thinks they know something we don't. Steve Link to comment Share on other sites More sharing options...
sburke Posted January 16, 2019 Share Posted January 16, 2019 (edited) 2 hours ago, Battlefront.com said: This was CapitalOne, so me thinks they know something we don't. Steve What's in your wallet?...… somebody's hand. On a side note a couple years ago we had a hacker do a presentation at a company event and he showed how you could read a credit card's data with a LOS device. Also talked about hacking hotel units to get data from folks who use the tv service for checkout. There are just way too many ways to get hit out there. That's why I drive around a truckload of chickens and do barter trade with eggs. Oh yeah I still owe you a couple dozen don't I steve? Edited January 16, 2019 by sburke 1 Link to comment Share on other sites More sharing options...
Recommended Posts