Credit Card Fraud

[nuttyriv3r]

This is amazing. This is totally the vendor's fault! I know this is a tight knit subculture, but come on. The only way it isn't the vendor's fault is if your computer is hacked. It is 2013. An e-shop should not be in business if they cannot afford to encapsulate credit card data with bullet proof security and encryption. They need to be held accountable because they shouldn't even offer to store your CC info if they don't know how to protect it. They shouldn't even know what the actual number is. The usual process should involve a 128 bit encrypted SSL connection that hits the proccessor and either end is ignorant of what's exactly contained in that data stream. That credit card number is being transmitted and/or stored in plain text. Blaming the processor is pointless. Settling for processor blame does not coerce the vendor into researching why this happens nor does it motivate them to spend the extra money for a more reputable ecommerce platform...they're being cheap. If this happened at Walmart none of you would be saying, "It's not Walmart's fault."

Kudos to the OP for spreading awareness.

 

[RedhatPat]

CrazyIvan/Crash Moses - Vapers don't have the same options we had as smokers. If you see someone defending a vendor it is probably a result of brand loyalty. Until my ADV (all day vape) taste changes, I will jump through as many hurdles as it takes to get my "brand" because the alternative is repulsive to me.

 

[darkstorm]

If this happened at Walmart none of you would be saying, "It's not Walmart's fault."

Walmart is not forced, through the nature of its industry, to use small, high profit, high risk, credit card processors. Ecig vendors are.

 

[retired1]

This is amazing. This is totally the vendor's fault!

And you know this how? You have a magic ball that is able to pinpoint the exact cause of the card compromise?

 

[QusieQ]

Deleted, misunderstood previous post, original comment not relevant

 

[nuttyriv3r]

I posted this on another thread, and it's relevant here, too. I am not trying to be a jerk, but this is a mom and pop industry, and it's worthwhile to spread awareness and get something done about this. Are vendors following and applying this standard? PCI Compliance Guide Frequently Asked Questions

Saying card data was compromised doesn't mean anything unless the lazy or ignorant merchant does not properly encrypt the database where that information is stored. A hacker could do a dump of a database holding credit card info, but if that data is properly encrypted, they would need a cluster farm of super computers working for years to decrypt those numbers. So the blame goes on those who do not understand or utilize industry standard methodologies of protecting customer data.

Now the OP's statements are accurate, and unless you can narrow down exactly where the compromise of your CC info occurred, it's unfair to place blame. However, it appears there is a consistent trend growing here which is disconcerting. Vendors should spend the extra money to ensure they are protecting their customer's data properly. From what I've read, the merchants are going to get fee hikes and eat some of the costs of losses from the processor.

The claim that e-cig vendors are reduced to shady merchant accounts is not a good argument. They face higher fees because the e-cig market is considered high risk, so if they are using a shady merchant account, then they are being cheap. A simple Google search shows there are hundreds of processor waiting to tap into this billion dollar plus industry. They are basically banks and they have regulations and face incredible fines if they are not following guidelines. I think blaming processors for actual theft of a credit card number and maybe a CCV number is absurd.

If you are going to blame some online entity, then you have to take a look at your own personal security (browser, router, virus, trojans, malware), the merchant's security provisions, the web server they are using, and the ISP that hosts their web servers and databases. Currently Java has been compromised on many different levels and many Linux servers are being compromised, specifically Apache servers which are widely used as a cheaper alternative at web hosting companies. In some instances there is no patch available yet, and to assume servers and PC's have been properly patched is bad practice. The Java exploits were so bad, that the industry recommended uninstalling it completely until Oracle fixed the problem, which took a few weeks, and once it was patched security professionals found more exploits and holes. I've seen these e-shops and they look pretty remedial and are probably full of holes - could probably be hacked by a script kiddie that copies and pastes malware code.

Saying it's the processor is weak and highly unlikely. So putting heat on vendors should push our industry to a better standard of e-commerce security.

 

[Caridwen]

Please confine posts on this topic to one thread.

 

[jrentor]

This happened to me as well, I have only ordered from 3 places and don't know which one it came from:

myvaporstore
madvapes
electronicstix



I see the original poster said he ordered from empiremods. I took a look and noticed empiremods and myvaporstore both use volusion.com for their CMS. Maybe that is common culprit? I don't know I contacted MVS and they basically said they it nothing on their end they spend thousands of dollars on security software and said I should check my machine out. It not my machine it clean, and never had this happened ever until I started ordering from these 3 places.

I really don't know which vendor it is, but super hesitant to order from ecig online (wish I had a store in my area) and not sure what to do. I have a new credit card in the mail but won't get it until next week

 

[retired1]

It not my machine it clean, and never had this happened ever until I started ordering from these 3 places.

I don't know how many machines I've had to nuke and pave because of root kits belonging to people who said it was "clean".

 

[jrentor]

I don't know how many machines I've had to nuke and pave because of root kits belonging to people who said it was "clean".

if I supposedly had a trojan or rootkit which is extremely rare in linux if you know what you are doing, why all of a suddenly it happened to steal my credit card in the past 2 weeks of ordering? After years of ordering from major online ecommerce sites for 10+ years with this same credit card?

Also why are none of my accounts hacked? My email? or any other websites I use?


Yes it possible it happened because of something I ordered from amazon last few weeks, but chances of that is highly unlikely especially since there seems to be a rampant credit card fraud in the ecig vendors


I always find it insulting when people assume it something users are doing something wrong when you don't know their background instead of looking at what the real problem is.

 

[retired1]

Root kits are not rare in Linux. The very first root kits were written for Unix nearly 50 years ago. Linux does not make one immune to the various bugs out there.

Recently there was a spate of infections that were infecting Linux machines left and right. Machines running scripts that checked the MD5 sums of critical files were able to detect the changes to specific library files that resided on the machine. Killing the actual infection was extremely difficult, often resulting in the wiping of the infected machine (normally recommended with an infection of this type).

Do not buy into the hype that Linux is secure. It's only as secure as the person who's using it. And what's going to gain someone a more immediate gain? Attempting to break into an account? Or using an easily obtained credit card which was filched via a keylogger or rootkit?

As I stated before. You have to make sure your own machine is squeaky clean before pointing fingers elsewhere. And while it's entirely possible that some vendors aren't doing all that they can to protect a customer's information, until absolute proof is obtained that points to that vendor, unconfirmed accusations are unwarranted.

 

[jrentor]

Root kits are not rare in Linux. The very first root kits were written for Unix nearly 50 years ago. Linux does not make one immune to the various bugs out there.

Recently there was a spate of infections that were infecting Linux machines left and right. Machines running scripts that checked the MD5 sums of critical files were able to detect the changes to specific library files that resided on the machine. Killing the actual infection was extremely difficult, often resulting in the wiping of the infected machine (normally recommended with an infection of this type).

Do not buy into the hype that Linux is secure. It's only as secure as the person who's using it. And what's going to gain someone a more immediate gain? Attempting to break into an account? Or using an easily obtained credit card which was filched via a keylogger or rootkit?

As I stated before. You have to make sure your own machine is squeaky clean before pointing fingers elsewhere. And while it's entirely possible that some vendors aren't doing all that they can to protect a customer's information, until absolute proof is obtained that points to that vendor, unconfirmed accusations are unwarranted.

Yeah only if you run your session as root, Linux was built from the ground up with security in mind unlike windows. If you are not running your session as root, there is no way you are going to get a rootkit on your desktop/laptop while browsing the web, unless you purposely install some app from a repository that is not verified.



In Linux most hackers attack webservers through exploits and then install a rootkit, huge difference between a desktop running ubuntu for example.

 

[retired1]

Yeah only if you run your session as root, Linux was built from the ground up with security in mind unlike windows. If you are not running your session as root, there is no way you are going to get a rootkit on your desktop/laptop while browsing the web, unless you purposely install some app from a repository that is not verified.



In Linux most hackers attack webservers through exploits and then install a rootkit, huge difference between a desktop running ubuntu for example.

Wrong again. You can be infected via a java exploit. Which is exactly how the infections I mentioned in my last post occurred. It nailed Windows, Apple AND Linux machines.

 

[supermarket]

Well, it happened to me today

Last night I made an order from empiremods, this morning there was a authorization I did not make. While fraud protection covered me, I think I know what happened ...

For the first time ever, I saved my credit card information on my acct with empiremods for future transactions. I will NEVER do that again. I notified Empire, waiting to here back. I have never had an issue with them before, until I saved my info. I did go into my empire acct, and delete my card information!

Will I order with empiremods again --YES, but if it happens again --NEVER

Have you read the forums at ALL?

I wouldn't think anyone would be careless enough to save their CC# on a vape vendors site , after reading these forums.

Come on bud.

 

[supermarket]

Yeah. Happened to me too. I don't save my info on the vendor sites. Still a bit of hacking and some kid in California got 2 hoodies, 6 pair of creates and a poor of power stilts... And I have to wait for a new credit card to com in sometime next week or the week after. I have fraud protection, so I'm not going to get bent out of shape about it. Since the sports store and the toy store they bought from has the address the stuff was sent to, I feel a bit sorry for the kid that's gonna get in a lot of trouble. Not REAL sorry, but a bit

Sorry to inform you, but it more than likely wasn't a kid who ordered it. It was more than likely a hacking group, who sells the CC information to another fraud ring, who then purchases random stuff, from random places, and sells the stuff online.

They never get anything sent to real addresses that relate to them. Instead, they case a house out, and have something sent to a house where they know the people won'tbe home. Then they simply drive up, grab the packages, and wala, they are gone.

 

[jrentor]

Wrong again. You can be infected via a java exploit. Which is exactly how the infections I mentioned in my last post occurred. It nailed Windows, Apple AND Linux machines.

Proove it nailed any linux machines if they were not running as root? I never saw any evidence of it.

Besides who runs java anymore nowadays?


Java sucks plain and simple.


Are you saying my credit card was stolen from a supposed java exploit? Lets be real, and getting sidetrack from the real issues that most of these ecig vendors are using same CMS, and good chance there are exploits in those

 

[boshans]

Man that sucks, I feel for you. Happened to me a couple of weeks ago,tried to put through some dating site charge 6 times, 6 times! Luckily my bathough since I had to get a new card and everything then.

/rant Also, I've seen this point being made in multiple of these threads, and to me it just doesn't make sense, this isn't aimed at anyone, just in general: Everyone saying that "oh maybe your card number got stolen a while ago and it wasn't the vendor, and the hackers are just using it now." I'm sorry, but that makes no sense to me whatsoever. Someone posted that your card could get stolen and then you wouldn't see a charge for a year or two...really? You guys need to think from a hacker point of view. They are absolutely not going to hold onto that card info for long, maybe a day or two, if even. Once they get a card number that is good, and has an account with money in it, they are going to use that .... RIGHT away. They are not going to sit on a card number and not even attempt to see if it is good or not. Why? What if that person changes banks, what if that person doesn't have money in the account anymore, what if they change cards? They thief is going to want to use it immediately, to take away these variables. They get a card number, run a test charge to see if it's active and has money in it or whatnot, and then they are going to use it right away. They are not going to wait, at all. They're not just going to sit on a card and not run a test charge either, for the same reasons I stated above. So basically, if you get fraud on your card, it happened recently, very recently, from whoever you ordered from in the past few days. Not something you ordered or bought from weeks ago. /end rant

 

[jrentor]

Man that sucks, I feel for you. Happened to me a couple of weeks ago, tried to put through some dating site charge 6 times, 6 times! Luckily my bank was like, uh no, and didn't even let the charges go through, so I didn't lose anything. Still a pain though since I had to get a new card and everything then.

/rant Also, I've seen this point being made in multiple of these threads, and to me it just doesn't make sense, this isn't aimed at anyone, just in general: Everyone saying that "oh maybe your card number got stolen a while ago and it wasn't the vendor, and the hackers are just using it now." I'm sorry, but that makes no sense to me whatsoever. Someone posted that your card could get stolen and then you wouldn't see a charge for a year or two...really? You guys need to think from a hacker point of view. They are absolutely not going to hold onto that card info for long, maybe a day or two, if even. Once they get a card number that is good, and has an account with money in it, they are going to use that .... RIGHT away. They are not going to sit on a card number and not even attempt to see if it is good or not. Why? What if that person changes banks, what if that person doesn't have money in the account anymore, what if they change cards? They thief is going to want to use it immediately, to take away these variables. They get a card number, run a test charge to see if it's active and has money in it or whatnot, and then they are going to use it right away. They are not going to wait, at all. They're not just going to sit on a card and not run a test charge either, for the same reasons I stated above. So basically, if you get fraud on your card, it happened recently, very recently, from whoever you ordered from in the past day or two. Not something you ordered or bought from weeks ago. /end rant

Exactly right!

That is why I knew it had to be related to the ecig vendors that I just made purchases with since only transactions I made in past 2 weeks ecigs and one from amazon.

 

[porkchopharry]

Once these guys know that a certain type of site are working with payment processors that might be easier to exploit than others, they will make the rounds and hit them one by one. Think PRON, hard to get a processing company to work with you and when you do, they may be a bit less "stringent" and are targeted more often. Looks like this is the way a lot of payment processors view vape related sites. Like an adult site almost.

 

[Caridwen]

Any more cleanups and the thread will be closed.