CanuckGamer

Fraudulent Credit Card Transactions

And we're fresh out of eggs, too!  Great ;)

I just got back confirmation from our tech guys at our ecommerce store.  He checked all the possible scripts that could theoretically be hacked into transmitting customer data elsewhere.  No signs of any changes, so I think we're back to the most likely cause... coincidence.  Or more specifically, a combination of seasonal timing (this is the most active time for fraud), the scale of recent data breaches, and the standard odds that out of any group of people there will be x% getting hit in any given time period.

This article references an AARP survey that found 47% of Americans have been a victim of credit card fraud charges.  That seems low to me, but whatever the real number is it demonstrates the scale of the assaults on our credit cards by criminal elements.

https://www.creditcards.com/credit-card-news/aarp-survey-consumers-at-risk.php

Out of an abundance of caution I've changed all our financially related passwords, even the ones that are automatically force changed on a regular basis.

Steve


Well, well, well.  Guess what I just discovered about one of my cards?  It got shut down by fraud protection services and, sure enough, there was a slew of fraud charges starting on January 11.  Several "fishing" charges of a few bucks, one $800 charge to a home improvement contractor way far away, and several others.  And guess what?  I've never used it to order a product from Battlefront.  Believe it or not, my job does come with a few perks, such as free games :)

This card sees hardly any use at all.  Mostly routine recurring charges and a few online store accounts from large organizations.

'tis the season!

Steve


Ha see you work for Battlefront, there is the tie in!  Well that home improvement one might be interesting.  If it is a real contractor it may be they can actually catch someone for fraud.  


Thanks to CanuckGamer for starting this thread, it would have been a couple more days before I checked my account. As it is my bank have already refunded the money I had stolen. Hopefully the rest of you blokes get your money back too ASAP.


 

1 hour ago, Warts 'n' all said:

Thanks to CanuckGamer for starting this thread, it would have been a couple more days before I checked my account. As it is my bank have already refunded the money I had stolen. Hopefully the rest of you blokes get your money back too ASAP.

Agreed all, too right mate.

1 hour ago, Warts 'n' all said:

Sadly I can't help but think that by the time BFC release a new "Barbarossa" game mankind will have forgotten that the word "too" ever existed.

Barbarossa not released yet then I assume?😏

 

Edited by Combatintman


How bizarre !  

 

For the first time ever I had someone try and take money from my CC last week for an online betting website.  After speaking with the fraud department at my bank I have now had a new card issued.  I only ever use that card for food and petrol.  However, the one time I used it online was to buy SF2!  I'm content that it is a coincidence but a spooky one at that.

 

:)


I recommend subscribing to this site

https://haveibeenpwned.com

and the companion search engine to check your passwords (you need to trust them) is good to control damage if you suspect pwnage

https://haveibeenpwned.com/Passwords

I just was alerted this morning by these guys as my email address appeared on a massive database of emails and passwords counting 700+ M entries that was being shared around.

Edited by BletchleyGeek


Supply chain attack is much more common than a malicious third party changing your javascript.  Pretty much all websites consist of a combination of bespoke coding and open source code and libraries.  The open source stuff may be getting pulled afresh into a website's codebase every time a new build of the website takes place.  Or, javascript on one's site may well be in turn calling third party scripts.  This is what happened to British Airways, whose customers were exposed to a key logger due to third party libraries having been exploited.  I've been working on extremely high volume websites for 20 years.  The attack surface has changed markedly in the last 4 or 5.
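
An added example, not part of the post above and not any site's real code: it inventories the scripts a page loads, flags third-party ones that carry no Subresource Integrity pin, and shows that a pinned script changed upstream no longer matches its pin. The hosts, script bodies and function names are constructed for illustration, and each `integrity` attribute is assumed to hold a single sha384 value.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

def sri_sha384(body: bytes) -> str:
    """Subresource Integrity value for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

class ScriptInventory(HTMLParser):
    """Collect each <script src=...> with its origin and integrity attribute."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host, self.scripts = site_host, []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag != "script" or not attr.get("src"):
            return  # inline scripts involve no remote fetch
        host = urlparse(attr["src"]).netloc or self.site_host  # relative = first party
        self.scripts.append({"src": attr["src"],
                             "third_party": host != self.site_host,
                             "integrity": attr.get("integrity")})

def unpinned_third_party(html, site_host):
    """Third-party scripts the browser would run with no integrity check."""
    inv = ScriptInventory(site_host)
    inv.feed(html)
    return [s["src"] for s in inv.scripts if s["third_party"] and not s["integrity"]]

def body_matches(body: bytes, integrity: str) -> bool:
    """True if a fetched script still hashes to the pinned value."""
    return sri_sha384(body) == integrity

# Constructed sample data (hypothetical hosts and script bodies).
LIB_V1 = b"function total(cart){return cart.reduce((a,b)=>a+b,0)}"
LIB_TAMPERED = LIB_V1 + b";/* extra code appended upstream */"
CHECKOUT_HTML = f"""
<script src="/js/cart.js"></script>
<script src="https://cdn.example.net/lib.min.js"
        integrity="{sri_sha384(LIB_V1)}" crossorigin="anonymous"></script>
<script src="https://widgets.example.org/chat.js"></script>
"""

if __name__ == "__main__":
    print(unpinned_third_party(CHECKOUT_HTML, "shop.example.com"))
    pinned = sri_sha384(LIB_V1)
    print(body_matches(LIB_V1, pinned), body_matches(LIB_TAMPERED, pinned))
```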


I was also hit two weeks ago. Thanks CG for starting the thread, and thanks Steve for the info. 

3 hours ago, Andy_101 said:

For the first time ever I had someone try and take money from my CC last week for an online betting website.  After speaking with the fraud department at my bank I have now had a new card issued.  I only ever use that card for food and petrol.  However, the one time I used it online was to buy SF2!  I'm content that it is a coincidence but a spooky one at that.

I don't like coincidences, no matter how plausible the alternative explanations are, so I'm still keeping an open mind about what's what with our side of things.  But so far I've had them scour our scripts twice and there's nothing negative to report.

Note that a very common place to get skimmed in the US is gas (petrol) stations.  Often the pumps are isolated, dimly lit, and have major blindspots for security cameras.  Customers also don't look too hard at gas pumps as they are focused on getting that part of the paying part over and done with very quickly.  ATMs are the other big one.  Here's a site that talks about it:

https://www.creditcards.com/credit-card-news/gas-pump-atm-skimmers.php

And this one with real world examples:

https://www.quora.com/How-does-credit-card-fraud-work-if-your-card-never-leaves-your-possession

The advice for any debit/bank cards is to limit their use to secure equipment (inside) at reputable locations.  Chances are there won't be any skimmers present.  If you do use your debit/bank card, use it as a credit card whenever possible.  At least in the US the banking rules might not cover fraud debit charges (varies by bank), but fraud credit charges are covered.  I was fortunate that the cash that was emptied out of my bank account with my skimmed ATM was refunded by my bank.  I'm very careful now.

The worst thing is that card skimmers are now being produced for and used by organized criminals.  That's never a good thing.

Steve

1 hour ago, Jock Tamson said:

Supply chain attack is much more common than a malicious third party changing your javascript.  Pretty much all websites consist of a combination of bespoke coding and open source code and libraries.  The open source stuff may be getting pulled afresh into a website's codebase every time a new build of the website takes place.  Or, javascript on one's site may well be in turn calling third party scripts.  This is what happened to British Airways, whose customers were exposed to a key logger due to third party libraries having been exploited.  I've been working on extremely high volume websites for 20 years.  The attack surface has changed markedly in the last 4 or 5.

Unfortunately, very true.  I'm hoping that the attacks on our data have finally gotten to the point where industries are willing to implement better systems.  The chips in our cards don't do anything for online transactions, but if we all had to have card readers on our devices that would cut out a lot of problems.  Card readers are now pretty cheap, so it's viable. Another one is to have an authentication process through a secondary device BEFORE the transaction is allowed to clear.  Notification that a transaction happened is helpful to catching fraud early, but it's already happened so it's not a real solution.  And my favorite is uniquely generated credit card numbers that are one time use by default.  Make an online payment and that number is no longer valid ever again.

Industry has been VERY lazy about this threat.  Very.  When my ATM card was hijacked I asked my bank "I couldn't be withdrawing cash with the same card 1000 miles apart within minutes, so why didn't your fraud protection algorithms flag it?".  The answer was "it happens so rarely we don't even have systems to check".  Oh, that is so not the right answer!  In my case the bank was out $3700 because I have an overdraft credit line and so when they emptied out my ready cash the bank kept extending the criminals yet more money!  This was a couple of years ago so I'm hoping they've implemented something a bit better than hoping and praying.

Steve
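
An added example, not part of the post above and not any bank's actual algorithm: the check raised in the question to the bank, flagging two card-present uses of one card that are too far apart for the time between them. The events, the 600 mph ceiling and the 1-mile floor are assumptions chosen for illustration.

```python
import math
from datetime import datetime

EARTH_RADIUS_MILES = 3958.8
MAX_PLAUSIBLE_MPH = 600.0  # assumed ceiling, roughly airliner cruising speed

def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))

def impossible_travel(events, max_mph=MAX_PLAUSIBLE_MPH, min_miles=1.0):
    """Flag consecutive card-present uses of one card that imply speed > max_mph.

    Returns a list of (previous_id, current_id, miles, mph) tuples."""
    alerts, last_seen = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        prev = last_seen.get(ev["card"])
        last_seen[ev["card"]] = ev
        if prev is None:
            continue
        miles = haversine_miles(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
        hours = (ev["time"] - prev["time"]).total_seconds() / 3600
        mph = miles / hours if hours > 0 else math.inf  # same instant, two places
        if miles >= min_miles and mph > max_mph:  # ignore terminals in the same spot
            alerts.append((prev["id"], ev["id"], round(miles), mph))
    return alerts

def _ev(id_, card, hhmm, lat, lon):
    return {"id": id_, "card": card, "lat": lat, "lon": lon,
            "time": datetime.strptime("2019-01-01 " + hhmm, "%Y-%m-%d %H:%M")}

# Constructed ATM events: card names, times and coordinates are invented.
SAMPLE_EVENTS = [
    _ev("t1", "card-A", "10:00", 43.66, -70.26),  # Portland, Maine
    _ev("t2", "card-A", "10:08", 33.75, -84.39),  # Atlanta, about 1,000 miles away
    _ev("t3", "card-B", "09:00", 42.36, -71.06),  # Boston
    _ev("t4", "card-B", "15:30", 41.88, -87.63),  # Chicago, 6.5 h later: a flight
    _ev("t5", "card-C", "12:00", 44.48, -73.21),
    _ev("t6", "card-C", "12:05", 44.49, -73.20),  # same town, minutes apart
]

if __name__ == "__main__":
    for prev_id, cur_id, miles, mph in impossible_travel(SAMPLE_EVENTS):
        print(f"{prev_id} -> {cur_id}: {miles} miles at {mph:,.0f} mph")
```

Only events with a physical terminal location fit this check; online charges need a different signal.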

8 hours ago, Battlefront.com said:

Well, well, well.  Guess what I just discovered about one of my cards?  It got shut down by fraud protection services and, sure enough, there was a slew of fraud charges starting on January 11.  Several "fishing" charges of a few bucks, one $800 charge to a home improvement contractor way far away, and several others.

I just wanted to chime in and report I too had a fraudulent charge, but only for a 28 dollar Uber bill.

My bank's fraud service caught it and froze my account.

Just a little reminder you folks might want to go get a copy of your account statements and have a look, just in case.

7 hours ago, General Jack Ripper said:

I just wanted to chime in and report I too had a fraudulent charge, but only for a 28 dollar Uber bill.

My fraudulent bill was also from Uber, but to the tune of $59.62.

Quote

Just a little reminder you folks might want to go get a copy of your account statements and have a look, just in case.

I've been getting my statements online for a few years now and am in the habit of checking them pretty regularly. That's how I was able to catch this one within a couple of days of it happening and reporting it soon after.

Michael


Coincidentally (there is that word again) I have gotten two phishing emails from the Sandton Radisson in South Africa this week at work.  My last stay there was I think in 2015.


"That's an eye opener, Mr Frodo, and no mistake."

I also had a couple of attempted small transactions, about 2 weeks ago, on the card that I used for SF2. The CC issuer caught them and cancelled/replaced the card. All I will say is that it is odd that it was a new card which I had got but not used, so BF was the first online transaction I had done with it.

I did wonder whether to contact BF but then decided it was probably paranoia - however I saw this thread, and so joined in.

I am reassured by BF's not holding CC details. From my perspective I can't see how they got it other than BF's payment merchant (not BF). Anyway no harm seems to be done. 

I hope @sburke's eggs are organic and free range.😁

 

On 1/17/2019 at 7:15 AM, BletchleyGeek said:

I recommend subscribing to this site

https://haveibeenpwned.com

and the companion search engine to check your passwords (you need to trust them) is good to control damage if you suspect pwnage

https://haveibeenpwned.com/Passwords

I just was alerted this morning by these guys as my email address appeared on a massive database of emails and passwords counting 700+ M entries that was being shared around.

Well that's the perfect recipe to fish-out identity and passwords


Interestingly, I had a phone call today.

Apparently, something tried to make several small online bets with my debit card today (a trial run?).

None of the transactions went through (as I expected the scammers couldn't get past the online purchase authentication process) & a new card has been issued. However, this is the first time I've ever had such a phone call & it not turn out to be just my bank being cautious.

An interesting "coincidence" to be sure... but my question from earlier in this thread remains.

Your bank card details, on their own, are pretty useless until you can bypass the back up authentication system.

How could that have been done?


My last purchase with Amex was to battlefront. My card was just compromised. Luckily I caught it in a $1.50 test. Waiting for new one. I love the game but will not buy anymore til they change their payment method. Can’t just blame it on paypal. If that’s the case - drop paypal there are others with more encryption nowadays that are better. Years ago I had a problem with paypal - never use it - only for battlefront as it is only option. (Most sites give you multiple options.) Was gonna buy market garden , and all the other modules for CMBN but not now.

58 minutes ago, coachjohn said:

My last purchase with Amex was to battlefront. My card was just compromised. Luckily I caught it in a $1.50 test. Waiting for new one. I love the game but will not buy anymore til they change their payment method. Can’t just blame it on paypal. If that’s the case - drop paypal there are others with more encryption nowadays that are better. Years ago I had a problem with paypal - never use it - only for battlefront as it is only option. (Most sites give you multiple options.) Was gonna buy market garden , and all the other modules for CMBN but not now.

That is just silly. (Not you - the practical implications of this action.)  I don't use paypal for CM purchases. I have made several purchases on BFs site over the past couple months and at the moment have seen no odd activity on my card.   Credit card fraud is a fact of life these days.  Watch your cards, pay attention to your account transactions, but to stop purchasing anything because you are worried about it just isn't realistic.  I don't mean this as CM specific, but in general.  Hell with all the skimmers in gas stations you could just as easily say I won't go to buy gas, or I'll only use cash.  You could do that, but in the long run is it worth it?  Just don't use a debit card that asks for a pin.  Your credit card transactions are protected.  Yeah it can be a hassle sometimes but going to the extreme of not using it in one context isn't really protecting you much.  

Online banking while sitting at Starbucks is a much more dangerous practice.  :D  


I have a low limit CC solely for online purchases. I'm surprised that one-time CC #'s have yet to be the norm. In the meantime, getting a new CC # every couple of years will need to do.

Everyone's credit information is already in the wild. It's only a matter of time until bad actors get around to using it... Thank Equifax and others for that. We've become anesthetized to 100 million plus credit detail breaches reported every 3 months by some data broker or another.

Blaming BFC may placate some because easy and immediate.

The problem is big-data and privacy. In N-A, neither is adequately regulated.

Edited by Howler


I too was hit with a fraudulent transaction a few weeks after buying CMSF2. It was only $0.75, so obviously testing the card. Caught by the bank within minutes and card was cancelled. Again, probably a coincidence. The only thing of note is that I'm in the UK and the transaction was somewhere in the US.

3 hours ago, coachjohn said:

My last purchase with Amex was to battlefront.

I'm curious to know when that transaction happened. 

As an aside, I'm surprised to learn that AMEX works on our site.  I thought we had to have separate agreements with AMEX and Discover for those cards to be accepted by PayPal. 

3 hours ago, coachjohn said:

My card was just compromised. Luckily I caught it in a $1.50 test. Waiting for new one. I love the game but will not buy anymore til they change their payment method. Can’t just blame it on paypal. If that’s the case - drop paypal there are others with more encryption nowadays that are better. Years ago I had a problem with paypal - never use it - only for battlefront as it is only option. (Most sites give you multiple options.) Was gonna buy market garden , and all the other modules for CMBN but not now.

The problem is you don't know that your credit card was compromised because of a Battlefront transaction.  You have no way of knowing if that's the case, so it's pure personal conjecture and not something based on fact.  It isn't a good idea for us to change something major based on conjecture, don't you agree?

I've had credit cards compromised before and in fact just had one compromised last week.  I've had my ATM skimmed.  I've had credit cards proactively replaced without any explanation from the card companies.  I don't do any transactions on Battlefront.com, not even to test it.

As for PayPal being a security risk worse than others, I think that's a hard case to make.  Very hard.  Not to say PayPal couldn't get hacked or compromised in some way, but as of yet I've seen no evidence to suggest it has.  If it had, I'm sure it would be front page news.  Though such news could still be pending, I suppose.

To be clear, PayPal (the corporation) handles all of our payments.  You can choose to use any type of credit card or PayPal account.  We do not force anybody to use a PayPal account.

Steve

2 hours ago, schwerpunktgrenadier said:

I too was hit with a fraudulent transaction a few weeks after buying CMSF2. It was only $0.75, so obviously testing the card. Caught by the bank within minutes and card was cancelled. Again, probably a coincidence.

Probably.  However, I'm keeping this thread open just in case.  While I'm confident that everything that's possible for us to check has checked out fine, I still don't like coincidences any more than anybody else who has to deal with security issues.

Steve

This topic is now closed to further replies.
