
Fraudulent Credit Card Transactions


Sure got it.

Only one question left in my mind: If a series of people with at least one thing in common hit a problem that has multiple possible causes and you take the time to check all avenues of failure you can and all avenues suggested to you and they all come up as no problem found. What else would you call it besides a coincidence?

If Steve said oh there cannot possibly be anything wrong with our company it's just a coincidence then yeah I'd be upset too. But that's not what happened.


6 hours ago, IanL said:

So, since you are an expert what else should Steve be doing that he has not already done? Oh wait you admitted you were not an expert. Soooooo, what's the problem then?

The credit card payment page should really be using a hosted PayPal page, instead of POSTing via a form on the website.


This is really frustrating.  There's ABSOLUTELY NO EVIDENCE that people's compromised cards have anything to do with us.  None.  And yet some people refuse to understand this fact.  And it is a fact.  Now I have someone slandering us on another website.  I'm going to see about getting that taken down.  This is ridiculous. 

As was said before, even if EVERY SINGLE person that has responded here with a credit card compromise (including my own card) the total percentage is significantly less than 1% during the time period in question.  If someone hijacked our data stream somewhere, I'd expect there to be a lot more than that.  Wouldn't you?

Steve


On 2/5/2019 at 4:45 PM, Jock Tamson said:

The credit card payment page should really be using a hosted PayPal page, instead of POSTing via a form on the website.

I'll check with our provider to see if that's an option, but I suspect not. 

From my experience most web stores do not use hosted pages from their payment processor (PayPal or otherwise).  I expect that will change over time.

Steve


If anybody is inclined to post REAL information to threads like the one on Matrix, here's the summary of where we're at:

1.  A tiny fraction of customers who placed orders in the past 2 months have chimed in here to say their credit cards had fraudulent charges placed in the beginning of January. This includes my own card which, one would be correct to assume, was never used to purchase anything from Battlefront.com.  Which means some sort of group compromise happened AND that it includes people that have not placed an order with Battlefront.com.

2.  Battlefront never has, and never will, collect customer credit card information. Instead, credit card information goes direct from a customer's browser to our payment processor (PayPal/PayFlow).  All Battlefront gets is a report from the processor which gives the transaction a thumbs up or thumbs down along with some transaction codes.  Since someone can't steal what we don't have, there's absolutely no chance in a billion years that credit card information was taken from our server. 

3.  While it is theoretically possible to hack our website and change the order processing script to have the customer's browser hijack credit card info, this has already been checked by our webstore host and there have been no changes to our scripts.   They checked twice, in fact, because I asked them to.

4.  If anybody thinks they are immune from massive data breaches like these, think again. It must be remembered that nearly a billion online accounts were documented to have been breached in 2018.  Most of us have had a credit or bank card compromised more than once (I had an ATM card physically skimmed, including PIN).  Even those who think they haven't had a card compromised have probably received a replacement credit card out of the blue.  That means the card company thinks your card has likely been compromised and is proactively replacing it.

5.  Some think that the tiny fraction of customers who had a credit card compromised AND placed an order for CMSF2 couldn't be a coincidence.  Which is wrong on so many levels.  First, most of the people reporting in say they bought a CMSF2 product, which isn't surprising since that's the biggest selling group of products in the time period covered.  Obvious coincidence.  Second, my credit card was also hit with fraud charges at the very same time in a very similar way as the others noted here, but I've never used it to purchase items from Battlefront.com.  Obvious coincidence.  Third, timing of a specific purchase and a fraud charge inherently means nothing because a card used years ago, and stored somewhere, is just as vulnerable as a card used 5 seconds ago.  Trying to tie a specific transaction to a specific breach is, therefore, not straightforward and is prone to being coincidental.  Fact is, humans are thoroughly documented to be very poor evaluators of cause/effect and extremely prone to incorrectly finding meaning in something that has none.  Be it religion, "lucky" lottery numbers, bad things happen after a black cat crosses one's path, two people in a room of 30 having the same birthday is noteworthy, etc.

With that said, because the world is a very complex and nasty place when it comes to cyber security, I can not 100% rule out someone somehow got a hold of a tiny slice of customer payment data one time for a limited time.  Nor can I rule out winning the lottery if I pick up a discarded ticket on the sidewalk.  Which is why I will always check into the possibility of a customer breach just as I will always pick up a discarded lottery ticket. 

Steve


And with that, I'm finally closing this thread.  I've spent a lot of time on this topic already and there's nothing new to be learned from it.  Note that I did not say that I wasted a lot of time on this topic.  Making sure that your experience with our store is not putting you at financial risk is a responsibility we take very seriously.  Checking all the angles and allowing you guys time to introduce new information is the right thing to do.  But after doing all the right things, more than once, it's time to move on.

For any of you hesitant to place an order on our website, you might as well cut up your credit cards and throw them away.  Every single time you use it you're at risk of it being compromised.  That's just the way it is.

Those of you who have pointed out that a more secure way to make Internet payments is through PayPal are correct.  I have also been switching over to PayPal for my Internet purchases over the past couple of years.  It's not vulnerable in the same way as credit cards, though even that is not assured secure in other ways.  Sadly, the bad people out there have no shortage of ways to steal from us.

Steve


This topic is now closed to further replies.