In response to a thread in the new member forum.

[hoogie76]

In response to this thread:

http://www.e-cigarette-forum.com/fo...n-fraud-immediately-after-my-first-order.html

By looking at our website, we are pci compliant. In an effect to maintain PCI compliance, our servers here and at our cart hosting company, 3dcart, have to be scanned monthly for any changes. At madvapes, WE DO NOT HAVE ANY ACCESS TO ANY CREDIT CARD INOFRMATION other than first 4 digits, last 4 digits and the billing address you provide. We can see if a card has passed an AVS (Address Verification) and if the 3 digits on the back of the card match and the expiration date matches but WE CANNOT SEE THE ACTUAL DATA, only result codes.

Even on the our credit card processor's backend system we also do not have access to any information other than first 4 and last 4 digits of the card, the amount and billing address info.

If you are a repeat customer, you already know that you have to enter your credit card info everytime at checkout as we do not store any credit card information at all. Card info is entered by you, processed securely by the card processing api then gone. All that's left is a transaction ID that references the transaction.

Suprisingly enough, I had 3 debit cards hacked last year and I never used them ANYWHERE. I always open a points visa card under my regular bank accounts and use that exclusively for any charges so nobody has direct access to my money But they still got hacked and were never used. 2 of the cards still had the activation stickers on them so go figure how that happens.

I feel for the customer that had an issue and it's easy to assume a lot of things but our reponse is the same on the few times that we have been asked about this.

hoog

 

[Sjkader]

Hoogie,
You have been doing this for awhile. Its never the end users fault. Always the business. (was that a little thick in sarcasm?)

 

[hoogie76]

Yeah.. I feel bad when this happens to people but there's nobody for us to call and no way to help in reference to a customers card being stolen. All we can do is make sure we are compliant in our processing. I did however call some of the merchants when my card got stolen so they wouldn't get porked with a chargeback, but that's just me knowing that with a chargeback, not only are you losing the merchandise if it shipped but also get whacked with up to a $60 processing fee. Most were more than happy to reverse the charges.

hoog

 

[Sjkader]

I feel bad for the guy, but in the world we live in there are so many people who are one step ahead of any security that can be put in place. Its a double edge sword anytime you use a form of electronic currency.

 

[siampumpkin]

So far there are three members including myself who have immediately been the target of credit fraud after purchasing from your company. This is too much of a coincidence for you not to reassess all connections to your system. I sent a very nice heads up message to your company and was quickly brushed off as not important. All three members live in different regions and/or countries so it being on our end is unlikely as we all purchased from you in recent weeks. You have a hole in your system somewhere and while you may not be able to access the credit card data, a skillful hacker is. Whether this hacker is a member of your staff or an outside intrusion it is your responsibility to find out and to treat your customers with respect and not disdain.

 

[Doorknob]

I am one of those that had fraudulent charges on my card within a 24 hour period of ordering. I in no way am pointing fingers at you, but this is something that needs to be looked into. It may not have originated from MadVapes directly, could be the provider you utilise for your transactions.

But the fact is there are a few that this has happened to under the exact same circumstances. Maybe only a few now, but being vigilant as we have discovered this we may be able to prevent many more from becoming victims. I again am not placing blame on anyone in particular, but what comes to light is that this isn't just some random strike, and what can we do from here to find out what happened?

 

[Bostonsnboxers]

Add me to the list...you are not the only vendor I purchased from so I won't point fingers, but within 48 hrs of placing my order (first) I had fraudulent charges on my card (i use an ipad...no virus, keylogger, etc) for the first time in my life!
It's starting to look like a little more than a coincidence that it's happened to a few others. In any case, there's enough of a pattern to warrant a second look on your part I think. Could your carrier/handler/website whatever have been hacked?

~Patti

 

[ChrispyCritter]

Add me to the list...you are not the only vendor I purchased from so I won't point fingers, but within 48 hrs of placing my order (first) I had fraudulent charges on my card (i use an ipad...no virus, keylogger, etc) for the first time in my life!
It's starting to look like a little more than a coincidence that it's happened to a few others. In any case, there's enough of a pattern to warrant a second look on your part I think. Could your carrier/handler/website whatever have been hacked?

~Patti

I think it's possible that it got hacked somewhere in the line but from reading what the OP posted it looks like it probably wasn't in his store since they don't have access to the numbers.

Don't assume that an iPad can't get malware it runs on a iPhone like operating system that uses apps and hackers have been turning their attention to Apple lately unlike the past where it wasn't cost effective for them to do so.

 

[Bostonsnboxers]

I think it's possible that it got hacked somewhere in the line but from reading what the OP posted it looks like it probably wasn't in his store since they don't have access to the numbers.

Don't assume that an iPad can't get malware it runs on a iPhone like operating system that uses apps and hackers have been turning their attention to Apple lately unlike the past where it wasn't cost effective for them to do so.

Sure, you can read my reply in the other thread where you addressed this

 

[ChrispyCritter]

Sure, you can read my reply in the other thread where you addressed this

Yeah I read it now and responded there. I'm interested in this in case MadVapes system was hacked somewhere so I can watch out. Anyone can be hacked..looking at the info the OP posted it doesn't look likely to be in there store. I was also reading around and only the one person is saying they think their info was got at MadVapes and the other couple are not sure where it happened.

 

[Bostonsnboxers]

Yep, I am not saying blame lies anywhere with Madvapes, but I did see someone (the reason for this thread) mention them directly, and another in this thread and felt I should toss my case in the hat in case they have been compromised somehow. It could happen to anyone.

Of the vendors I purchased from, all were vendors I've used before w/o issue, 2 were start ups, and then Madvapes...first time ordering from them. That was my last purchase before the fraud occurred, and just a day and a half later. Could be coincidence...

 

[Bostonsnboxers]

"..........I was also reading around and only the one person is saying they think their info was got at MadVapes and the other couple are not sure where it happened.

Just wanted to add the only reason I stepped up was that there are 2 in this thread (not counting myself) alone

 

[Loveridden]

To be honest I am a little worried, I want to use the Facebook discount next week before it expires, along with a gift certificate I earned....I am not worried that it is an employee of madvapes that is doing this, I am worried that a hacker has found a way to get this info from ppl purchasing from the madvapes site tho. Say it ain't so!!

 

[ChrispyCritter]

To be honest I am a little worried, I want to use the Facebook discount next week before it expires, along with a gift certificate I earned....I am not worried that it is an employee of madvapes that is doing this, I am worried that a hacker has found a way to get this info from ppl purchasing from the madvapes site tho. Say it ain't so!!

As long as you're using a credit card and not a debit/bank card (shouldn't use these for online purchases or in stores really) you are pretty protected..if you're worried buy the stuff and check the card. I plan on buying stuff with the discount myself and am not too worried. Credit cards have loss protection by law and the most it could cost you is $50 by law for fraudulently made charges (read Fair Credit Billing).

From what I've read though CC company's generally don't hold the card holder responsible for anything usually as long as it's reported in a timely manor. Also you have 60 days to report CC fraud from the day you receive the bill with any fraud on it. You always have to keep an eye on your CC's..MadVapes has the right security "seals" on there site so unless I read claims with 100% proof of a hack or a lot more of them I'm not worrying too much.

 

[six]

I am worried that a hacker has found a way to get this info from ppl purchasing from the madvapes site tho. Say it ain't so!!

It's good to know what PCI Compliance means.

Security Metrics has scanned madvapes as recently as December and the SSL certificate is good until June. I've never bothered to look to see who they use for their merchant account/payment processing, but there aren't that many companies doing it. Most of them handle millions of transactions for hundreds of thousands of businesses per day.

If none of that makes you feel better, maybe get a per-paid visa from your local walmart to use for your online purchases.

 

[Bostonsnboxers]

As long as you're using a credit card and not a debit/bank card (shouldn't use these for online purchases or in stores really) you are pretty protected..if you're worried buy the stuff and check the card. I plan on buying stuff with the discount myself and am not too worried. Credit cards have loss protection by law and the most it could cost you is $50 by law for fraudulently made charges (read Fair Credit Billing).

From what I've read though CC company's generally don't hold the card holder responsible for anything usually as long as it's reported in a timely manor. Also you have 60 days to report CC fraud from the day you receive the bill with any fraud on it. You always have to keep an eye on your CC's..MadVapes has the right security "seals" on there site so unless I read claims with 100% proof of a hack or a lot more of them I'm not worrying too much.

I agree...and would add monitor your activity carefully!
My little fiasco cost me nothing but some time and a bit of grief, but I thank God I stopped using my debit card awhile back and went to a credit card...with reward points

 

[5vz]

I worry every time I purchase anything online. It is as bad as smoking was, you know every time you do it that there is a danger involved.

Just went to set up alerts on an account, the actual cc company's website says it is insecure on my browser! I hope it is just the hour and they are updating or something. I will not mention the company as if a hacker reads along and everyone is going to their account and logging in, well, i.d. theft begins. Just make sure you can tell when a site is secure before logging into your account.

I don't know what is happening here, but I hope it is figured out fast.

 

[scinsc]

I use a CitiBank card that creates a "virtual account" number for each transaction. Once the number is used it can never be used again. Works great and easy to do.

 

[Shadoweb]

Working in the security field, the people who used the card fraudulently would be amateurs to use it that close to getting it. They usually sit on the card data for months so it's not so easy for you to find where they got it from.

 

[5vz]

Adding to shadoweb's:

They sit on a lot of cc info to sell too. Loads at of people's cc info once.

Sometimes it is just randomly generated, just another way.