Fradulent Credit Card Transactions

[sburke]

22 minutes ago, Battlefront.com said:

That's another reason I'm keeping this thread open.  It is a chance to open up some eyes to the dangers out there.  As I said earlier, I've had my ATM card physically skimmed and fraud on credit cards multiple times.  Heck, remember long distance call phone cards from a couple of decades ago?  I had thousands of Dollars of charges to calls in Egypt, Kazakhstan, and other "exotic" places.  That was my first experience with fraud (someone probably watched me at Grand Central Station, IIRC).

The world out there is hostile to our privacy in general

Steve

LOL oh man that brings back memories.  They used to have folks hovering over those payphones looking for people using those and they would turn around and start selling the information immediately while you were still on your call.  Damn Steve thanks again for making me feel old. I'm gonna make sure you get the oldest eggs from the truck.

[coachjohn]

A little more history. I have two cards and an atm. I rarely use either card. My Amex was not used for they month of December except for BF sale. My credit card was used too enter a writing in a contest through paypal (I do not or will not have a permanent account.) and some house furniture. The CC was not not hacked. Both were done from the same computer. These are not coincidences. We live miles apart. Timing and tie ins connect them. Steve, I under stand you do not store info. I never allow sites to store mine (at least as far as I can be aware of.) I do not use either of these for gas or restaurants so i couldn’t be swiped.

At some time your internet connection / portal or your connection / paypal must have been compromised. Does it happen - yes! But it is obvious there is some connection here.

About fifteen years agoI had a card hijacked and items bought in Sweden, Denmark, etc. I was refunded, but I studied the situation as best I could. (I’m not a computer wiz) People who do this are smart. I was told by Amex back then they are broken in two main components. The big hackers and the smaller hackers. They are then divided into two - those using the info for themselves and those that sell the info. (This is a big big business in the black market.)

 

I was also told the smaller ones will hit a site - then run. Pull their hack up and go to a new site. These smaller one are random - they search for a vulnerability then exploit and run so as not to get caught. 

I think something happened here Steve. Just read the post. To say it’s coincidence is to be blind top the smoking gun in the killers hand with the body on the floor.

As you say “it happens” but it did happen!

 

 

 

[coachjohn]

Wow - just noticed 101 relies - maybe that’s coincidental too.

[A Canadian Cat]

8 minutes ago, coachjohn said:

I think something happened here Steve. Just read the post. To say it’s coincidence is to be blind top the smoking gun in the killers hand with the body on the floor.

Are you hard of reading? Steve has said several times he is well aware of the possibility that his own site could be hacked. That's why he had it checked. I honestly have no idea what else you expect. Steve checked the things is company has control over and reported what he knows to his other providers. That's pretty much what can be done.

[coachjohn]

Hard of reading? LOL that was a good one.

[sburke]

29 minutes ago, coachjohn said:

Wow - just noticed 101 relies - maybe that’s coincidental too.

*scratching head...*.  Coincidental to what?  Again I gotta ask.  What is it you are asking for?  Steve is checking to the extent he can.  We have maybe 25 cases now which Steve noted is a very very small percentage of activity on their site.  Still Steve isn't taking for granted that the percentage case is so ridiculously small and is still checking.  Could you be a little more concrete on what different you expect?  You are posting as if you expect Steve to do something he isn't and yet it isn't clear from your posts what that is.

[Battlefront.com]

52 minutes ago, coachjohn said:

A little more history. I have two cards and an atm. I rarely use either card. My Amex was not used for they month of December except for BF sale. My credit card was used too enter a writing in a contest through paypal (I do not or will not have a permanent account.) and some house furniture. The CC was not not hacked. Both were done from the same computer. These are not coincidences. We live miles apart. Timing and tie ins connect them.

Again, you are wrong.  One of the most hideous things about data breaches is your card is vulnerable from the first time you used it as the last.  Anybody that gains access to the card information during that time period puts your card at risk AT ANY TIME.  Meaning, your AMEX card could have been stored somewhere from a purchase you did 2 years ago (if it was active then, of course) and only now is breached.  So it's absolutely factually wrong to create a cause and effect link based on timing.

If you have read my responses (which I'm now wondering if you have) you'd see me cite the fallacy of food poisoning that so many people do.  It can be up to 48 hours after exposure before symptoms show up.  So when the last meal was at a crappy diner, they get blamed even though you in fact got sick at the 5 star restaurant from the night prior.  Or you got sick off of something in your own house that came in contaminated or was contaminated after.  Yet people insist on sticking with the factually flawed concept of causation by proximity.

The point is you've got an overly simplistic and fundamentally flawed concept of what's going on here.  That much is certain.

Quote

I think something happened here Steve. Just read the post. To say it’s coincidence is to be blind top the smoking gun in the killers hand with the body on the floor.

Sure, except in this case there is no smoking gun nor any visible hand.  That's what you're not getting so everything that follows from your flawed logic is also flawed.

Now, it could be that you are correct and that there was a data breach of some sort associated with our transactions.  I have repeatedly said I can not rule that out with 100% certainty.  However, if it turns out you are correct THAT would be a coincidence

Steve

[Jock Tamson]

1 hour ago, IanL said:

Are you hard of reading? Steve has said several times he is well aware of the possibility that his own site could be hacked. That's why he had it checked. I honestly have no idea what else you expect. Steve checked the things is company has control over and reported what he knows to his other providers. That's pretty much what can be done.

With respect, the developers have checked to see if files have changed unexpectedly.  They haven't, so that has ruled out one of many potential sources of issues.  Arguably the least likely, but definitely the most straightforward to check.  Not the same as checking if your site has a vulnerability.  Your developers are rarely the people that find vulnerabilities on the sites they build.  Most web developers I know don't truly understand what makes a website vulnerable.  They pull open source code off the web willy-nilly, they produce web sites that are vulnerable to cross site scripting almost as a matter of course.  Most would struggle to explain, definitively, how everything [DNS, etc] works to get content into a browser from initial HTTP request.

I'm not suggesting BF need to do more, merely clarifying that there is actually plenty more that can be done to give a site a reasonably clean bill of health.

[A Canadian Cat]

You are of course quite correct about the many ways to cause mischief on the web and the vulnerabilities of various libraries etc. I know you do actually have knowledge in this area. And you and Steve have pointed out that there are never guarantees in this area, heck even the best security experts are frequently behind on zero day exploits because some organizations keep them secret for their own purposes and others just have not been found yet.

My comment was directed at someone who has very unreasonable expectations about what can be done and what should be done. Heck he demands completely the wrong solution. Steve has given us a few examples of what he as done and said several times that he is aware that this is not fool proof.

So, I appreciate your respect and say - I was not talking to you by any means so please don't take offence.

[A Canadian Cat]

In light of that last exchange I had a peak at what I can see from the outside and with the tools I usually use in FF. My Cross Site scripting protection did not trigger (which is good - pretty good actually) and I gave my thoughts to Steve.

[sburke]

57 minutes ago, Jock Tamson said:

With respect, the developers have checked to see if files have changed unexpectedly.  They haven't, so that has ruled out one of many potential sources of issues.  Arguably the least likely, but definitely the most straightforward to check.  Not the same as checking if your site has a vulnerability.  Your developers are rarely the people that find vulnerabilities on the sites they build.  Most web developers I know don't truly understand what makes a website vulnerable.  They pull open source code off the web willy-nilly, they produce web sites that are vulnerable to cross site scripting almost as a matter of course.  Most would struggle to explain, definitively, how everything [DNS, etc] works to get content into a browser from initial HTTP request.

I'm not suggesting BF need to do more, merely clarifying that there is actually plenty more that can be done to give a site a reasonably clean bill of health.

The other minimal effort that can be done is to see if that same provider is getting any other complaints.  In this case you aren't having to rely on their technical skills just making sure they cross reference their issue tickets.

[luigim]

I've Just been scammed and I bought CMSF2 in december. I used this card only for Amazon and Battlefront. 

[Battlefront.com]

10 minutes ago, luigim said:

I've Just been scammed and I bought CMSF2 in december. I used this card only for Amazon and Battlefront. 

Thanks for chiming in.

My compromised card was on file with Amazon and it wasn't used to purchase anything on Battlefront.  It's possible that Amazon got hacked because they must be one of the biggest targets out there.  I would rather find out that our host was in some way compromised rather than find out Amazon was.

BTW, I asked for another sweep at our eCommerce site and they dutifully responded.  They've not found any signs of intrusion into our store or their site.  Of course that's not 100% guaranteed to mean there wasn't a problem, only that they didn't find anything even though they know (roughly) what to look for. 

Steve

[Battlefront.com]

One of the tech guys at our ecommerce site emailed me a hacker's list of personal data that's available for anybody to download.  It totals more than 87GB worth of data from more than 2800 different databases!  These are examples of the smaller breaches that happen every day without big media attention.

Scanning down the list of database names, I saw one theme over and over again.  My advice is if any of you here are into bondage/S&M stuff in the Internet, you might want to change your credit cards proactively.  Just saying...

Steve

[sid_burn]

2 minutes ago, Battlefront.com said:

My advice is if any of you here are in to bondage/S&M stuff in the Internet

Well I do enjoy combat mission.

[BletchleyGeek]

I was alerted of that on Thursday evening by the website that I linked up the thread. The story ran in The Guardian as early as Saturday morning, AEST.

[sburke]

51 minutes ago, sid_burn said:

Well I do enjoy combat mission.

That was worth this whole thread!

[luigim]

I think it's too much for a coincidence

[Battlefront.com]

3 hours ago, luigim said:

I think it's too much for a coincidence

Only a statistician can determine that with any degree of certainty.  Study after study has shown that Humans are piss-poor at evaluating this sort of stuff.  For those interested in how our brains work (I am endlessly fascinated by this subject!) here are two excellent podcasts digging into the SCIENCE of how badly our brains handle evaluating coincidences:

The Myth Of Coincidences And Why We Search For Their Meaning

https://www.npr.org/2016/09/27/495671322/the-myth-of-coincidences-and-why-we-search-for-their-meaning

Magic, Or Math? The Appeal Of Coincidences, And The Reality

https://www.npr.org/2017/05/08/527442620/magic-or-math-the-appeal-of-coincidences-and-the-reality

All that said, I also don't like coincidences of the type we're seeing here.  Which is why I'm keeping this topic open.  However, so far I've seen nothing actionable beyond the standard due diligence steps I've already taken.

Steve

[Battlefront.com]

Side note about PayPal's backend credit card processing system.  I can log into our PayPal merchant account and see only limited information pertaining to each and every transaction that comes through.  Credit card numbers, expiration dates, and CSV codes are not visible to me in any way, no matter what.  Even if someone hacked into our PayPal merchant account there's no way, at all, that they could get credit card information from any of you.

Steve

[Lethaface]

 

8 hours ago, Battlefront.com said:

Side note about PayPal's backend credit card processing system.  I can log into our PayPal merchant account and see only limited information pertaining to each and every transaction that comes through.  Credit card numbers, expiration dates, and CSV codes are not visible to me in any way, no matter what.  Even if someone hacked into our PayPal merchant account there's no way, at all, that they could get credit card information from any of you.

Steve

If it's something with the Battlefront website, I wouldn't typically expect your merchant account to be compromised but rather something wrong at the host or some standard app suite level. It's all speculation though.

The top 10 web vulnerabilities of 2017:

https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

 

[coachjohn]

On a side note, it is crazy how easily it is to get our money back from the banks. Why? They just add the loses into our cost. First time my card was compromised i read a great article on this.

More recently, last year Netflix complained their service was being abused (i.e. additional non-sanctioned users.) Their answer - not better security, but to raise fees 10%. (Although they also claim that much of this was for additional creative content.)

 

 

[Battlefront.com]

34 minutes ago, Lethaface said:

If it's something with the Battlefront website, I wouldn't typically expect your merchant account to be compromised but rather something wrong at the host or some standard app suite level. It's all speculation though.

Oh, I totally agree.  The point of me mentioning it is to help educate people about all the vulnerabilities they might think exist which, in fact, do not.  Someone hacks into our ecommerce host... no data to steal.  Someone hacks into our server... no data to steal.  Someone hacks into our merchant account... no data to steal.  It's one thing to spend the time, effort, and expense to combat a completely hypothetical data breach by making meaningful changes, it's another to blindly make major changes to things which were unlikely to be involved in a breach even if there was in fact a breach.

For sure there are ways for people to hijack (i.e. not steal existing data, but divert new data), because all systems (even the NSA) are vulnerable to some extent.  Thanks for the link to that document.  I'll see what I might have missed and determine if there's any way to check.

BTW, that "Mega Hack" that was mentioned a few posts ago... that's a perfect example of how old data never dies.  Some of the hacked databases go back many years.  If someone placed a credit card order with one of the compromised sites 2 years ago AND that card is still active, it's vulnerable today as it was 2 years ago.

This reality we live in SUCKS.

Steve

[Battlefront.com]

4 minutes ago, coachjohn said:

On a side note, it is crazy how easily it is to get our money back from the banks. Why? They just add the loses into our cost. First time my card was compromised i read a great article on this.

Correct.  That and from a business standpoint sometimes it is cheaper to take the hits than it is to dodge them.  Same reason many corporations settle fraudulent legal claims instead of fighting them.  Businesses primarily care about bottomline calculations, not what goes in/out for any one transaction.

As I said earlier about my ATM card being compromised.  Thieves took $3700 cash out of our account before we noticed (we were away on a badly timed vacation and they hit into our reserve credit, so it took a while to empty us out) and when I asked why the bank's fraud detection didn't react to an obvious breach, they said (in so many words) that people much higher up than they made a calculation that it was cheaper to reimburse us for the fraud than it was to deploy systems to protect us from it.  That was a few years ago and I'm guessing their calculations have changed as skimming has increased.

4 minutes ago, coachjohn said:

More recently, last year Netflix complained their service was being abused (i.e. additional non-sanctioned users.) Their answer - not better security, but to raise fees 10%. (Although they also claim that much of this was for additional creative content.)

That sort of fraud doesn't cost Netflix anything per se.  All it means is that there's more streaming activity on one account than there otherwise would be.  Whatever the cost is for that, it's a rounding error in their expenses.  Their rates have gone up because competition for content has gone up.  That's not a claim, that's a documented reality.

Steve

[luigim]

My next online transactions, not only Battlefront.com ( I'm waiting for Red Thunder module to buy the bundle), will be on Paypal.. I hope it's safe