Credit card fraud after buying e-cig supplies

Status
Not open for further replies.

elfstone

Ultra Member
ECF Veteran
Verified Member
Jan 15, 2012
2,601
3,018
OH
There are many reports like this one resulting in threads that then usually get closed, after aggressive replies explaining that the fraud is most likely not related to vaping purchases. Those replies are not correct. While I understand their motivations, they are simply not correct.

I will not argue with anybody, and I will not explain further, but I now know for sure that vape related web stores are leaking credit card info. It's a fact, and there's no way around it.

Use prepaid cards. If not, look into all transactions. Apart from obvious unrecognized purchases, if you notice any $1 - $6 transactions that you do not understand, or if you notice any immediately reversed small transaction, cancel your card immediately. Make sure at least you use cards for which you know the fraud protection policies. But you'd best use prepaid.
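
The statement check elfstone describes, as an added example that is not part of the original thread: it flags small charges that are reversed shortly afterwards and $1 - $6 charges from merchants the cardholder does not recognize. The statement rows, merchant names and the one-day reversal window are constructed assumptions.

```python
from datetime import datetime, timedelta
from decimal import Decimal

# Constructed statement rows (posted time, merchant, amount); a negative
# amount is a credit or reversal. None of these come from the thread.
SAMPLE_STATEMENT = [
    ("2012-02-01 09:14", "VAPE SHOP ONLINE", "42.50"),
    ("2012-02-03 02:10", "XQ*DIGITAL SVC", "1.00"),
    ("2012-02-03 02:11", "XQ*DIGITAL SVC", "-1.00"),
    ("2012-02-04 18:30", "COFFEE HOUSE", "4.25"),
    ("2012-02-05 03:47", "INTL MEDIA 8831", "5.99"),
    ("2012-02-06 12:00", "GROCERY MART", "63.10"),
]
# Merchants the cardholder recognizes (assumed input, maintained by hand).
KNOWN_MERCHANTS = {"VAPE SHOP ONLINE", "COFFEE HOUSE", "GROCERY MART"}


def flag_card_testing(rows, known_merchants, low="1.00", high="6.00",
                      reversal_window=timedelta(days=1)):
    """Return (merchant, amount, reason) for charges matching either pattern."""
    low, high = Decimal(low), Decimal(high)
    txns = [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), m, Decimal(a))
            for ts, m, a in rows]
    flags = []
    matched = set()  # indexes of reversals already paired with a charge
    for ts, merchant, amount in txns:
        if not (Decimal(0) < amount <= high):
            continue  # credits and larger charges are out of scope here
        # Look for an equal and opposite entry from the same merchant
        # posted within the window after the charge.
        reversal = next(
            (j for j, (ts2, m2, a2) in enumerate(txns)
             if j not in matched and m2 == merchant and a2 == -amount
             and timedelta(0) <= ts2 - ts <= reversal_window),
            None)
        if reversal is not None:
            matched.add(reversal)
            flags.append((merchant, amount, "small charge reversed"))
        elif amount >= low and merchant not in known_merchants:
            flags.append((merchant, amount, "small unrecognized charge"))
    return flags


if __name__ == "__main__":
    for merchant, amount, reason in flag_card_testing(SAMPLE_STATEMENT,
                                                      KNOWN_MERCHANTS):
        print(f"{merchant:20} {str(amount):>6}  {reason}")
```
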
 

j0ker

ECF Guru
Supporting Member
ECF Veteran
Verified Member
Sep 24, 2009
10,558
5,557
MS Gulf Coast
First you have to understand that most of the vendors, if not all, are using a payment processing service. In other words, the information isn't being stored by their site, it's being passed to their service provider, a payment gateway. So if it's being leaked, most likely it's the gateway. It's not out of the question but it's not likely either.

You also have to take measures into your own hands. One important thing is to make sure you have a secure connection with the host. The address should begin with "https://". This will ensure that your data is encrypted between you and the server.

There are also malicious programs that are used to capture your data that can be hidden in your PC. Windows users are more susceptible to these programs.

Just saying "I only use this card for purchasing vape supplies and it has unapproved spending on it" is not conclusive proof that it's the fault of the supplier or actually their payment processor.

If you feel you have conclusive proof that the supplier is releasing this information, feel free to send me the details and we will look into the matter.
 

Bostonsnboxers

Ultra Member
ECF Veteran
Verified Member
Nov 9, 2011
1,085
736
NW OH, US
elfstone said:
There are many reports like this one resulting in threads that then usually get closed, after aggressive replies explaining that the fraud is most likely not related to vaping purchases. Those replies are not correct. While I understand their motivations, they are simply not correct.

I will not argue with anybody, and I will not explain further, but I now know for sure that vape related web stores are leaking credit card info. It's a fact, and there's no way around it.

Use prepaid cards. If not, look into all transactions. Apart from obvious unrecognized purchases, if you notice any $1 - $6 transactions that you do not understand, or if you notice any immediately reversed small transaction, cancel your card immediately. Make sure at least you use cards for which you know the fraud protection policies. But you'd best use prepaid.

Kudos for being brave enough to step out and issue caution to the masses....really.

There are some wonderful people, and things I love about this forum, but one of them is NOT being attacked en masse when you reach out and try to spare others your experience/pain, and I've seen an awful lot of it here lately.

I've been shopping online since the possibility existed simply because I'm not physically able to do it any other way. I've also been advising people about online security/safety, building and upgrading computers, etc. for as long and never had a problem until a month or so ago. Luckily my cc co supplies security measures that I took full advantage of and it all worked out well for me, but it could have been a nightmare.

I hope it all comes out ok for you, and thanks again. I for one think it's important that we all feel we can communicate w/each other about things like this.
 

Standpoint

Senior Member
ECF Veteran
Feb 24, 2011
215
137
50
South St. Paul, MN
I've had cc fraud happen to me twice in my life; once from a bad Walmart employee, and once when making an e-cig purchase from a well known vendor. I am 100% positive the fraud happened directly after and from my e-cig purchase. I am an IT technician with a great deal of knowledge on malware and cc fraud. Was definitely not my PC or anything related to my network. I cannot say whether the fraud was due to some form of man in the middle break-in/encryption crack or from the transaction from the vendor to the cc processing agency. Due to the popularity of the vendor I will not name it; however I feel this is part of the reason why one hears less about this issue.

I feel this is a real issue that is being 'buried' due to legal fears and an unwillingness to allow for free speech on the subject. I hope more people are allowed to chime in on this topic in this thread.
 

V8P

Senior Member
Mar 20, 2009
71
32
New York
My CC was hacked just last week for over $1000 in charges and the very first thing that came to my mind was my vape related purchases. The very first thing I noticed and always had a concern with was the security of a lot of these sites that we use. Some of them look like they were made in 30 minutes in a very basic HTML web builder so one can only imagine what their security must be like.
 

Incognito™

Super Member
ECF Veteran
This happened to me as well (a few days ago)... and it wasn't due to a malicious program on my computer.

I was one of the ones who tried to share this info with others... but the powers-that-be swiftly shut me up.

This thread may actually be allowed to exist because no (vape site) names are being mentioned.

Until recently, I had no idea this forum was such a dictatorship. It always seemed fair and laid back.
It seemed to be more for vapers rather than vendors.

It seems to be the other way around now.
 

Scotay87

Super Member
ECF Veteran
Jul 20, 2011
508
285
Pacific North West
I had an incident back in Oct where an attempted transaction was made on my card... Thankfully it was denied by my cc company... When speaking to a cc rep on the phone they gave me the name of the business where the attempt was made which happened to be in the same area of a well known popular vendor clear across the country from me that I had recently used... Bit much of a coincidence if you ask me... I don't blame the business per se but more likely an employee who probably does not make much more than min wage... Regardless I have not dealt with them since and don't recommend them since I had a bad CS experience as well...
 

SCTony

Super Member
ECF Veteran
Dec 24, 2011
848
191
South Carolina
I am glad this issue was discussed. It made me more cautious about my c.c. and now I get an e-mail when any charge is made above a certain amount. I should have had that notification feature in effect earlier but I wasn't aware of it until now. I wasn't very concerned about using c.c. for internet purchases on https sites before but now I know there can still be problems and I am a little more prepared. I hope this thread doesn't get deleted too.
 

PVPuff&Stuff

Unregistered Supplier
ECF Veteran
Oct 27, 2009
1,487
693
Bishop, California, United States
j0ker said:
First you have to understand that most of the vendors, if not all, are using a payment processing service. In other words, the information isn't being stored by their site, it's being passed to their service provider, a payment gateway. So if it's being leaked, most likely it's the gateway. It's not out of the question but it's not likely either.

You also have to take measures into your own hands. One important thing is to make sure you have a secure connection with the host. The address should begin with "https://". This will ensure that your data is encrypted between you and the server.

There are also malicious programs that are used to capture your data that can be hidden in your PC. Windows users are more susceptible to these programs.

Just saying "I only use this card for purchasing vape supplies and it has unapproved spending on it" is not conclusive proof that it's the fault of the supplier or actually their payment processor.

If you feel you have conclusive proof that the supplier is releasing this information, feel free to send me the details and we will look into the matter.

Good points, but there is one thing that's being overlooked. The shopping cart software that is used by vendors is a huge target for hackers. Once they find out which cart you have, they run script kiddie downloads until they find a site that's vulnerable.

Vendors not patching and staying current on their shopping carts I think is a huge issue. It was a year or so ago...with Zen Cart users. 80% of them that I tried had an admin folder named "admin". If you don't have the slightest clue how to hide your admin folders, you probably shouldn't be handling a cart.

I seriously doubt anyone is stealing anything intentionally...like Joker said, vendors don't store credit card info. I don't even see it....except the last 4 digits. It's about the failure to keep up with security patches and known holes.

Pretty simple to put 2 and 2 together. Security holes that aren't patched are vulnerabilities....easily exploited by anyone able to find the right script.
 

kenetix

Super Member
ECF Veteran
Verified Member
Nov 17, 2009
470
137
47
Illinois
http://blog.siteground.com/oscommerce-vulnerability-fixed-on-all-siteground-servers/

Yep just because you think it is secure doesn't mean it is at all. So everyone saying I don't think it is the vendor, well you're right it isn't the vendor but doesn't mean they are secure......

I'm a Level 4 Merchant and I heard that PCI Scanning was optional, is that right?
According to the new standards, if you are a level 4 merchant that processes less than 20,000 transactions and you don't store payment card information on your server, and your shopping cart provider is PA DSS validated, then you may not need to do quarterly scans, but you will still need to fill out the annual SAQ. However, if your shopping cart provider is not PA DSS validated, then you will need to be PCI DSS Compliant and provide an annual SAQ and quarterly scans of your IP, and possibly scan your shopping cart provider's IP if the shopping cart is hosted on their server and not directly on yours.

For example, here's what Bank of America states on their website... Effective October 1, 2008: PCI Level 4 merchants using third-party software are required to either use PA-DSS-validated payment applications or meet PCI-DSS compliance requirements in order to board as a new merchant with Bank of America.

What it really boils down to is your acquirer's (your merchant bank's) specific requirements, as each acquirer's requirements are different. Your acquirer has a lot of influence on what you need to provide as far as PCI DSS compliance. If you are concerned about your liability or your responsibility as a merchant, contact your acquirer and ask them what they want from you in order for you to meet PCI DSS Compliance requirements.

Just because your vendor has PCI scanning doesn't mean much because all they have to do is get it done quarterly. Every 3 months and in web time 3 months is ages..

What is the difference between Quarterly Scanning and Daily Scanning?
Other than frequency, they're the exact same service. Quarterly scanning is just the minimum number of scans required for PCI DSS Compliance for all merchants. There are however, two very good reasons to do daily scanning. The first reason is to make sure that your server is continually checked and protected against any new vulnerabilities that come up - I like to think of it as anti-virus software for your server. The second reason is to make your customers feel more comfortable. Think of it this way... Would you rather buy something from a website that is scanned for vulnerabilities once every three months or scanned every single day? Same with your customer. Obviously daily scanning is more expensive, but the price per scan is much lower, making it more affordable.
 

ITPython

Super Member
ECF Veteran
Verified Member
Jan 24, 2012
334
288
Central Coast, CA
Cross my fingers I have not had any problems yet and I have ordered several times from many different vendors.

This thread would be much more useful if people posted the sites they are fairly confident that their info got stolen from. Just saying "It happens and it's a fact" does nothing for anybody. I realize that it still may be 'speculation' but if it gets out in the wild the vendors will need to take extra measures to secure their stuff, and if they are indeed secure, they should let us know by taking the time to address the situation on a public forum in order to clear their good name.


So while it may not be OK to post the suspicious sites, how about allowing us to post the ones we have purchased from and have not had any issue with? Heck, why not make some gigantic poll that people can vote on, and whatever site has the most "Yes, this site stole my CC info" should be looked further into. Because if 10,000 people order from X site and have no problem, while one person had their info stolen, it's a good bet that the site isn't to blame.
 

Bostonsnboxers

Ultra Member
ECF Veteran
Verified Member
Nov 9, 2011
1,085
736
NW OH, US
ITPython said:
Cross my fingers I have not had any problems yet and I have ordered several times from many different vendors.

This thread would be much more useful if people posted the sites they are fairly confident that their info got stolen from. Just saying "It happens and it's a fact" does nothing for anybody. I realize that it still may be 'speculation' but if it gets out in the wild the vendors will need to take extra measures to secure their stuff, and if they are indeed secure, they should let us know by taking the time to address the situation on a public forum in order to clear their good name.

So while it may not be OK to post the suspicious sites, how about allowing us to post the ones we have purchased from and have not had any issue with? Heck, why not make some gigantic poll that people can vote on, and whatever site has the most "Yes, this site stole my CC info" should be looked further into. Because if 10,000 people order from X site and have no problem, while one person had their info stolen, it's a good bet that the site isn't to blame.

Oh, it's been done, and as stated it's either deleted or everyone jumps on the poster and attacks them (as I stated earlier), or accuses them of being responsible (keyloggers, viruses, stupidity) or worse, a troll trying to ruin the reputation of the vendor. Do a search for a few relevant keywords...you'll see.
 

V8P

Senior Member
Mar 20, 2009
71
32
New York
SCTony said:
It made me more cautious about my c.c. and now I get an e-mail when any charge is made above a certain amount. I should have had that notification feature in effect earlier but I wasn't aware of it until now.

This is a great feature to have on your accounts. I was getting all the notifications via email and text on my phone while I was at work so I immediately took action.
 

VapoVamp

Senior Member
ECF Veteran
Dec 21, 2011
142
65
N.C.
I experienced the same thing a couple weeks ago...I posted along with others but didn't mention the site name (for obvious reasons) but they closed that thread. I haven't ordered from any e-cig vendors since then. Looking for one close enough to drive to. I've got three within an hour driving...I still order my DIY stuff but that's through a 70 year old company and have never had a prob. I believe it's the CC processing, by shady fly by night companies that come cheap for a mom & pop supplier. I would rather they take care of the CC processing themselves, but that is costly. Maybe, they'll see these threads and upgrade to a more secure site....The names that were mentioned in the closed thread haven't stated any comment that I'm aware of? See you in the Vapehaze

Bostonsnboxers said:
Oh, it's been done, and as stated it's either deleted or everyone jumps on the poster and attacks them (as I stated earlier), or accuses them of being responsible (keyloggers, viruses, stupidity) or worse, a troll trying to ruin the reputation of the vendor. Do a search for a few relevant keywords...you'll see.
 

j0ker

ECF Guru
Supporting Member
ECF Veteran
Verified Member
Sep 24, 2009
10,558
5,557
MS Gulf Coast
Incognito™ said:
This happened to me as well (a few days ago)... and it wasn't due to a malicious program on my computer.

I was one of the ones who tried to share this info with others... but the powers-that-be swiftly shut me up.

This thread may actually be allowed to exist because no (vape site) names are being mentioned.

Until recently, I had no idea this forum was such a dictatorship. It always seemed fair and laid back.
It seemed to be more for vapers rather than vendors.

It seems to be the other way around now.


I wasn't going to reply to you but I think I will because your statements are way off base. First, your threads were closed because you were cross posting, which is against the rules. One thread, that's it, posting more than one thread regarding the same issue is uncalled for and as stated, against the rules. Not to mention, you provided absolutely no proof, not valid anyway. If you plan to slander someone, it's best to have concrete proof, otherwise you become liable for your remarks. You also do damage to this person/vendor that cannot be taken back. So if anyone ever has a complaint regarding unauthorized use of your CC, we encourage you to report it to the ECF staff. Protecting our membership is our #1 priority, so we take these matters seriously, from both sides of the complaint.

Dictatorship? This is when one person controls everything, which is not the case here. We have a group of staff members that collectively manage this forum, it's not just one person, in fact the membership is also an element of the management here. We take anyone's complaints or ideas under consideration. We aren't as closed minded as some think, many things have been changed due to members' suggestions. I will say this, this is a privately owned forum, and this owner has a specific environment he wants to provide to the membership. So yeah, there are rules he (we) have established through years of experience.

I thought of a good example, someone comes to my house, I have rules in my house. Some may not like them but that's ok, it's my house, so they'll either abide by my rules or they can get out. It's just that simple. Well the forum is very similar, we are all guests here, and the owner of this house has rules established that we must follow.


Now....back on subject.

What I do to protect my funds. My bank has free checking, so I created a separate account off of my main account. This account I keep a small amount of cash and add to it as needed. This is pretty easy since internal to the bank, the accounts are linked but not so much as they can automatically pull funds from the other. I can manually transfer funds between the two accounts, which is nice in a spur of the moment purchase. So no matter what happens, only a minimal amount can be drawn from this account, AKA my "Slush" account. <---not sure where I got that name :) So this account is used only for online purchases. Even with the extent of this setup, my main debit card got scammed and it has never....ever been used for online purchases. This debit card is only used for local purchase, Walmart, gas, food, etc... So really nothing is foolproof and that's ok because most cards will recover your funds when your funds are removed without authorization. Now this won't work for everyone but some it may, so it's something to think about.

BTW...elfstone, the offer still stands. If you would like to contact me in regards to your claim, the door is always open.
 