Fraud Charges 2nd Time This Year. !!!! Retailers get your **** together!!!

[retrox]

Indeed, wolcen.

http://www.reddit.com/r/electronic_...aaaand_more_fraudulent_charges_this_time_not/

http://www.reddit.com/r/electronic_cigarette/comments/1dqno5/more_fraudulent_charges/

http://www.reddit.com/r/electronic_cigarette/comments/1dop0h/fraudulent_charges/

The evidence may be circumstantial, but a common denominator has clearly emerged.

 

[wolcen]

FWIW, if any of you are getting any "document contains insecure content" security messages from your browser while on ECX, so far the only thing I've found is the Free shipping and Retail location images from their site not being over https (while the rest of the page is, hence the warning). I haven't come across any "real" issues myself so far in looking at their site - what I've noticed should just be a mistake on their side [i.e. hard-coded image urls]. Of course, I can only view client-side behavior, so any evaluation I could do [that is also legal to do] is quite limited. Anyway - back to my point: if you get such a warning, particularly on the login or checkout pages for any vendor, do not continue - don't even type into anything on the page (those images are not on the checkout page, and so you should not get any security warnings for those pages).

The Norton/verisign validation stamp comes out completely legit for me. I'm not sure what that system actually checks in terms of potential weaknesses in a system, but whatever it does comes out clean, or else is reporting any failures to ECX.

Again, I'm making no claims whatsoever - just sharing my observations for whatever they are worth to the community.

ETA: The Trustwave logo also appears legit to me. If I understand it correctly, they appear to be a 3rd party PCI-DSS compliance auditor. That does not necessarily mean (and in my experience does not mean) they verify things themselves, but that they ask ECX if they do such and such procedures (use whatever encryption in transit/at rest, throw away data elements that are not allowed to be stored, have authorization required for various things, and perform auditing of certain actions, etc.) and if ECX answers everything correctly, Trustwave says OK you pass and can add our stamp. I don't mean to minimize what's involved in PCI-DSS compliance, but I don't think that's a misrepresentation of what I've seen of the process either.

ETAA: PCI-DSS = Payment Card Industry Data Security Standards (I think anyway). Basically, all the rules you must follow when dealing with CC#'s.

 

[NLDV]

Someone stole my cc# last week as well.... I got charged for $2 and some change from some place in Washington and whoever used my card reversed the charge! As soon as i saw this in my bank statement, I promptly cancelled my card and got a new one... I had recently made a few purchases online and no clue which site it got stolen or intercepted from... I used ecigexpress, and a couple other non-e-cig places...

edit: I had also used a couple other e-cig sites as well but that was a week or two before these last batch of charges

 

[jericoriver]

My bank recently changed ownership. I was issued a new card. I had changed it at popmoney and made a order from ECX. My account had a .41 debit, the next day I got a call from bank security,some one was trying to buy some $300.00 boots online. They canceled my card, the next day I had a call from an online store to see if I was actually trying to order something and to tell me my card was coming back as invalid. Popmoney and ECX were the only two places that I had used the new card at. I'm not saying it was from them .It could have been from my computer. I use the paid malwarebytes and avast on it.

 

[MDV39]

HEY ALL! im part of the freakin club got the lovely call this morning. Used my card at ECX and popmoney and had a bunch of shoes charged to my account.

 

[Uma]

We picked up a debit card at Walmart, to use for online purchases. Guess what. My money was stolen from it too just yesterday. Yep, on THE day I got the notice that I can finally pay for my goodie on a list I've been on. Go figure eh. Now I can't get my goodie. I saved for months, and someone else stole my money. That was a DEBIT card mind you. I shopped at ecigxpress last month for DIY flavors. (the first time I've used this particular card).
Same thing happened last year with a different DEBIT card, but I didn't shop at ecigxpress at that time.

 

[Bullette the Cowdog]

Check this out. Info for prepaid card users. None of us are safe!
More arrests expected in multimillion-dollar credit card fraud ring, authorities say | NJ.com

Quote from article:
The leaders of the group purchased the identities of victims from online brokers who got the information from computer hackers, officials said.

I read another article about this yesterday. I think they got $14 million from ATMs.

Edit: oops. It's $45 million. Not $14 mm. A mm here. A mm there. After awhile its real $!

 

[Bullette the Cowdog]

Here's more:

Quote from article:
In a process known as "punching," electronic account information from the cards' magnetic strips would be transferred onto counterfeit cards, which were provided to "strikers" who conducted the purchases at retailers all over the Eastern Seaboard, authorities say.

Teams of strikers purchased retail gift cards that were then used to purchase various electronic items, authorities say. Those items were then sold in bulk to fences in New York and New Jersey, authorities say. The fence would then sell the items to other people for cash payments.

Nigeria: 20 Nigerians in Multi-Million Dollars Credit Card Fraud in U.S. - allAfrica.com

 

[Tripster]

Just want to alert those who have those "Virtual Credit Card Numbers", those numbers that are generated have a specific code from the bank they were issued and if you are number/tech savvy...identifying those numbers will be a walk in the park and than could lead to gathering the account holders info.

Pre-paid Debit cards be it VISa and or Mastercard/etc also have their own security flaws, just cause it isn't attached to any bank accounts doesn't mean safe...they are still vulnerable just like those Virtual Credit Card Numbers.

FWIW

 

[aubergine]

I've read every post in this thread and understand all of the variables involved in deciding whether to name vendors whose customers have been hit. (My personal opinion is that it's a good idea, for reasons that many have put forward in other posts. Not to blame when no blame may be appropriate, but for consumer protection.)

The one conclusion that I've firmly drawn is that the vendor I'll trust is the one whose website (front and center) displays a warning when security has been breached:
"Sorry. This site has recently been compromised by credit card information theft; we are very carefully checking all of our software for any security vulnerabilities and will process no transactions until we feel certain that we've done absolutely everything that we can on our end to protect your online shopping safety."

That warning could also be accompanied by a disclaimer re any online sales being guaranteed absolutely safe, and suggestions like the ones frequently mentioned in this thread for alternate payment methods.

Transparency apparently is, but shouldn't be an issue. What all mindful consumers know is that if businesses refuse to protect their own customers, then it's the consumers' job to do so.

 

[Tepid]

The pre-paid card stuff is safe to use. Just make sure you get a new one every time and cancel it after you receive your purchase.
That article states the thieves went and bought pre-paid cards and used those for purchasing goods, much easier to deal with at merchants than trying to use a real stolen card.

I have decided that untill I can check with my bank, I bought a pre-paid visa, loaded $150 on it and purchased my goods with it.
It has about $10 left, I will go to the store and spend that, then close this card out, get a new one and start over.

The pre-paid cards are fine, they have a limit of whatever cash is on them and can't go over.

I don't want that compromised either, but, it's less hassle than using my real debit card in the long run.

The reason I do it this way is, the gift cards can only be pruchased in certain amounts (100, 50, 25, maybe 250 etc.)
With a pre-paid, you can put 120 on if you want, and don't have to deal with trying to use 3 of them at one time to make a purchase.
Such as, I can only get max $50 cards at the store I go to, this wasn't enough for me to buy what I wanted (Vamo).

Anyway, that is how I will be doing it from now on.

 

[antfuzz]

I too recently had my debit card hacked. In my opinion the only thing that will keep you safe from having money stolen out of your account is to check your bank account daily or better yet at least twice a day. I had 2 micro-charges on my account which was a dead giveaway and within a few hours an $800 charge was made but refused because of insufficient funds.

 

[Tripster]

I'd suggest checking your account/s at least 3 times a day, kinda like taking breaks from work...why 3, well within a matter of seconds fraud happens.

 

[retrox]

The one conclusion that I've firmly drawn is that the vendor I'll trust is the one whose website (front and center) displays a warning when security has been breached

Nail on the head. Ecigs are such a burgeoning business opportunity right now, it's hard for me to imagine that there aren't many people just getting into online sales who do not have the resources of an Amazon or an Ebay and lack experience with web security in general. As such, I expect there to be growing pains on that front. Hence the importance for us, as consumers, to do our part and protect our own finances online; but hackers have been exploiting online shopping sites for years and years, and they've managed to breach even the most secure systems out there. They've got a huge head start on our beloved ecig retailers.

I've implemented a one strike and you're out policy. If you're a good vendor and you let my CC info slip, it then becomes your responsibility to become a great vendor by assuring me that you've taken steps to ensure that it won't happen again. Not in an email or a PM, but out in the light of day for all to see. If a vendor cannot at least grant me that courtesy, I've got a list of others who can.

It's why I will continue to buy from and recommend AVE as a supplier, regardless of the inconvenience ordering from them caused me once upon a time. It's my responsibility to do everything in my power to shop smart online, and ordering only from vendors who can prove to me that they're serious about correcting security issues is of paramount importance to my responsible efforts.

Placing the welfare and satisfaction of the customer before company image is the best way to prove to me that they're serious.

 

[patkin]

I too recently had my debit card hacked. In my opinion the only thing that will keep you safe from having money stolen out of your account is to check your bank account daily or better yet at least twice a day. I had 2 micro-charges on my account which was a dead giveaway and within a few hours an $800 charge was made but refused because of insufficient funds.

Most banks offer email and/or cell phone alerts. I have mine set up to alert me for any hit above 50 cents for any purchase on or offline or any transfer... have to do it for each of those types individually. That way I don't have to constantly check the account.

 

[skyztheLynnit]

Just want to alert those who have those "Virtual Credit Card Numbers", those numbers that are generated have a specific code from the bank they were issued and if you are number/tech savvy...identifying those numbers will be a walk in the park and than could lead to gathering the account holders info.

Pre-paid Debit cards be it VISa and or Mastercard/etc also have their own security flaws, just cause it isn't attached to any bank accounts doesn't mean safe...they are still vulnerable just like those Virtual Credit Card Numbers.

FWIW

Does this include shopsafe? https://www.bankofamerica.com/privacy/accounts-cards/shopsafe.go


I've been using it since i read about the debacle

 

[retrox]

Can anyone tell me more about the fraud issues @ MBV?
I'm worried about placing another order.

I've placed 5 orders with MBV over the past 3 months with no issues, and will be placing another tomorrow. I have notifications and check my bank statements multiple times per day. That's all the information I can offer you.

The focus of this particular round of fraudulent activity appears to be ECX at the moment, not MBV.

 

[cags]

you might find this interesting

http://www.e-cigarette-forum.com/forum/ecigexpress/416242-ecigexpress-public-announcement-regarding-security.html

I use virtual numbers. it is the best way I can protect myself. if I get got, well, I get got

the ONLY way to be 100% safe is to use cash at a B&M. period.

 

[tmcase]

you might find this interesting

http://www.e-cigarette-forum.com/forum/ecigexpress/416230-ecigexpress-public-announcement-regarding-security.html

I use virtual numbers. it is the best way I can protect myself. if I get got, well, I get got

the ONLY way to be 100% safe is to use cash at a B&M. period.

Link doesn't work.

 

[patkin]

Can anyone tell me more about the fraud issues @ MBV?
I'm worried about placing another order.

Every time I've seen MBV crop up on a list, that list has also included either ECX or AVE so I don't think MBV is necessarily implicated. I have seen peeps say they buy from MBV regularly without a problem. During an earlier outbreak this year, MBV was one I contacted over chat at their site asking what processing center they used and they told me promptly and courteously. That, in itself, says a lot to me as a couple of others either did not answer the question at all or were rude or defensive when they did. Sorry I can't say more as I was just canvasing my usual vendors or vendors for possible future purchases but haven't ordered from them yet.