- Status
I whole heartedly agree with you on the prepaid card! I think this is a route I will go from here on out as to protect myself, and I am in Walmart frequently enough that it would be easy to pick one up.
Alright I feel the need to chime in here. As an IT guy and someone with a bachelor's in computer sciences there is a lot of misinformation going on here. So let me straighten a few things out.
First and foremost, Madvapes didn't get hacked. They don't store credit card information. As a matter of fact, the form you fill out for payment goes straight to the company that processes the payment. Madvapes can request a report about payment information from their company but that does not give full credit card details. Beyond that, the company that processes their payments does not store full credit card information either. Beyond that again, even if they did, a company like that has servers that are so encrypted it is beyond impossible for them to be hacked.
The whole thing is an understandable concern because of the recent hacking outbreak against large companies. Let me explain something to you though. Sony's basic enterprise system does not have 1/1000000th the encryption that a bank does. If it was that easy why has no one ever hacked a bank? That's because the encryption used for internal systems that deal with money are ridiculous. Sorry guys, not going to happen. The companies that do nothing but process payment information use the same encryption a bank does. Because for all intent and purposes they are a bank.
Now for some random misinformation. Mac OS and Apple products are just as vulnerable to viruses as PCs these days. The concept of Macs being "virus-free" is very old and out dated. IF you are on a Mac, get a virus protection program. You are being targeted just as much as a PC user.
Paid virus scan software has gone down hill. The top rated antivirus program for true positives and true negatives is Avira. And guess what..... it's free. The only thing Mcafee is top rated for is false positives. But even with the best antivirus, people are still susceptible to viruses, malware, spyware, and such. Fact is folks, keep your cache clean and stay off of websites that aren't trusted and you will have no problems.
I have shopped online for the last 10 years and I have never once had a card compromised. Simply because I keep my computer clean and I don't buy from companies I don't trust. I have done business on a several times monthly basis with madvapes for like 15 months. And my cards still work perfectly.
First and foremost, Madvapes didn't get hacked. They don't store credit card information. As a matter of fact, the form you fill out for payment goes straight to the company that processes the payment. Madvapes can request a report about payment information from their company but that does not give full credit card details. Beyond that, the company that processes their payments does not store full credit card information either. Beyond that again, even if they did, a company like that has servers that are so encrypted it is beyond impossible for them to be hacked.
The whole thing is an understandable concern because of the recent hacking outbreak against large companies. Let me explain something to you though. Sony's basic enterprise system does not have 1/1000000th the encryption that a bank does. If it was that easy why has no one ever hacked a bank? That's because the encryption used for internal systems that deal with money are ridiculous. Sorry guys, not going to happen. The companies that do nothing but process payment information use the same encryption a bank does. Because for all intent and purposes they are a bank.
Now for some random misinformation. Mac OS and Apple products are just as vulnerable to viruses as PCs these days. The concept of Macs being "virus-free" is very old and out dated. IF you are on a Mac, get a virus protection program. You are being targeted just as much as a PC user.
Paid virus scan software has gone down hill. The top rated antivirus program for true positives and true negatives is Avira. And guess what..... it's free. The only thing Mcafee is top rated for is false positives. But even with the best antivirus, people are still susceptible to viruses, malware, spyware, and such. Fact is folks, keep your cache clean and stay off of websites that aren't trusted and you will have no problems.
I have shopped online for the last 10 years and I have never once had a card compromised. Simply because I keep my computer clean and I don't buy from companies I don't trust. I have done business on a several times monthly basis with madvapes for like 15 months. And my cards still work perfectly.
letsrock;
How did Amazon get hacked? Do they not use the same type of cc processing companies? (BTW, some banks have had info hacked, but that is a different story and not an online purchasing issue.)
How did Amazon get hacked? Do they not use the same type of cc processing companies? (BTW, some banks have had info hacked, but that is a different story and not an online purchasing issue.)
Well 1, Amazon wasn't hacked. Zappos was hacked. Amazon owns Zappos but they have completely different systems admins and different encryption settings.
2 No they do not use the same processing companies. As far as I know Amazon has there own processing company. Hence why they store credit card information for 1-click purchase and whatnot. Which is the issue. These companies that process themselves don't generally hire security specialists like banks do. Even the FBI recruits security specialists like crazy. Most CS majors don't go into security so they are in high demand. Huge companies like Amazon and AT&T have their own processing companies, otherwise the smaller companies like epay and ccbill would do nothing but process Amazon orders. Zappos probably didn't have the level of redudancy and firewall that Amazon does. The day Amazon.com's banking servers gets hacked is the day I eat my Roughstack.
3 No banks (at least of a decent size, there have been a few small local banks.) have been hacked other than by security companies. Security companies have super computers and privy information going in. Such as the baseline language of the server interface and the operating system version. It is basically testing to see if it's possible.
In order for joe schmoe to get into one of those servers he would need to bypass first a physical firewall. Which is nothing more than a server that has mac addresses inputted into it by a systems admin that to allow access to only those people. That by itself is a herculean task. Once past that they would need to bypass encryption. Encryption is basically a billions of digits long number that changes every few seconds. It is almost literally impossible. Especially when you take into consideration that the systems admin would be getting red flag emails that someone is trying to access their server. Lastly those servers are generally set fail safe, other than a few small tasks like running reports, where only hardwired peripherals can allow the user to see the GUI and access the full information contained in it. If it was something any hacker could do they wouldn't bother with DDOS attacks, keyloggers, and credit card fraud. This stuff is no joke. The people who set up this security have to stay aware of what hackers are learning to do. And believe me they take their job seriously, otherwise they wouldn't have a job very long.
No, more than three as another has come to light and it happened to them within the past week. Madvapes seems to want to stand behind the fact that they have "seals of security" displayed on their site that they are in fact secure, they pay for a security service and are "scanned" a few times a year and to them this is "proof" that they are invincible.
Well that is not the case. The proof is astounding that so many people under the same exact circumstances and from different areas of the world all made purchases at MV, and all have had fraudulent charges placed on their accounts within hours of the purchase. Anyone that thinks this is a local computer issue and not something tied in to MV or their credit processor is blind to the evidence.
Just because many people on a daily basis have had perfect transactions with no issues doesn't mean a REAL problem doesn't exist. MV themselves have not even lifted a finger to investigate any and all possibilities and stand behind their "paid for" security setups at their site. NO site is 100% secure no matter how much you pay for that protection. The least they could do is look into the issue that was brought up, but instead feel that there little security images posted on site is their Fort Knox seal of approval.
And Mr. IT guy the only thing that you posted that is fact is that Apple products do have viruses. A bachelors degree in CS does not beat the degree that I have in CS if labels must be used to prove information integrity. Banks have been and will be hacked. They are not just reported as often due to instilling fear in the public, it isn't something that they just figure they would let you know about on a daily basis, may be considered bad business if stuff like that got out. Are they secure? Yes more so than the local mom and pop stores, but fact is there is no 100% security. The group Anonymous is perfect proof of that, now there is a group that knows security.
The simple facts are this. At least 5 people now had the EXACT same thing happen to them under the EXACT same circumstances doing business at the EXACT same place. All these people live in different parts of the world, and none of us know one another. What is the possibility that we all purchased items using our cards at another place (same) prior to or directly after buying from MV in which we were then compromised? The chances of that happening are nil...
The chances of us all having key loggers, viruses etc at the same time serving the same purpose again nil...
The proof is there and if MV refuses to consider the slightest possibility that this is any way linked to them then so be it and I will take my business elsewhere. They won't be hurting without me. But as more people come out maybe then they will take issues such as this a little more seriously and stop relying on the fact that a service they pay for tells them they are secure.
Again I will state that I do not place blame directly at MV, but I do firmly believe that they are linked to this be it them or the credit processor company they employ and their false sense of security they so proudly display on their website.
Most of you have not and may never be compromised and I hope that remains the case. If you are I sincerely hope that it isn't the result of doing business directly or indirectly with MV, because then you would look the fool.
I also had a fraudulent charge just after a purchase from madvapes.. not trying to bash or cause arguments. Just thought that this is something that should be known
I think anybody with half a brain knows nothing is 100% secure..I don't think anybody has proved there card was compromised because of MV's site..they are PCI certified and that means they meet the credit card security standard. It doesn't mean 100% safe as I said but it's the best they can do. To be PCI it only required them to scan annually and it appears that they scan quarterly and that's more than what is required.
Also the few that have come forward have been longer than in a week. I'm not saying it's not possible that the info was gotten from there CC processors but I am not all that worried either as it's a few reports out of over 31,000 registered customers. I see a lot of e-cig vendors out there that are a lot more iffy that MadVapes.
In fact I started buying from them in part because there site seemed a lot better than most out there and comes highly recommended by a lot of people that buy from them. I also think it's possible a couple of these people posting might be being less than honest. I'll worry more when it's a widespread issue or if I saw it myself.
What the people that have had there CC data compromised need to do is to make sure to report the issue and not let it go if it's something to do with the MV site the police will figure it out because they will...
Last edited:
I read your post in negative reviews and I noticed you said you monitored your card after you bought from MV and didn't use the card anywhere else since then..but a lot of times with CC fraud someone might get your number and not use it for months and from reading a few of your post I would guess you make a lot of online purchases..so it would be hard to be sure that your card info was got from MV site unless they caught someone..not saying it wasn't but unless you only used the card at MV then you can't be sure either..if someone at MV CC processor is getting numbers and using them in a few days I'm sure it probably won't be long before they are in jail...
The internet can be a great place and sometimes not so great, there are even people who claim to have degrees that they do not have
(not to mention illegal activities, beyond hacking I prefer to not mention here)
To even claim advanced degrees then try to implicate a company (any company) for losing information they do not (and cannot)possibly possess is something I draw my own conclusions upon.
I will not talk about degrees, or experience in security- no need to , just a tiny bit of common sense is all that is needed in this particular situation IMHO
In this age of remote card readers and other things, it IS quite possible a few (of thousands) who used some certain place and got fraudulent charges are in no way related to anything other than sheer coincidence- to make the statement as fact this cannot be the case , is beyond absurd
(not to mention illegal activities, beyond hacking I prefer to not mention here)To even claim advanced degrees then try to implicate a company (any company) for losing information they do not (and cannot)possibly possess is something I draw my own conclusions upon.
I will not talk about degrees, or experience in security- no need to , just a tiny bit of common sense is all that is needed in this particular situation IMHO
In this age of remote card readers and other things, it IS quite possible a few (of thousands) who used some certain place and got fraudulent charges are in no way related to anything other than sheer coincidence- to make the statement as fact this cannot be the case , is beyond absurd
You have to understand PCI compliance and what the scan process is before you make a statement like this. We do not store card data and our cart, 3DCart does not store card data. Card data is entered through a secure webpage and transmitted directly to the card processor while being encrypted the entire time. Anyone can put an image on their website and not be secure. The image means nothing, but the process does and to get the security metrics image, which is required by our card processor, there is a scan for approximately 60k vulnerabilities as well as compliance of our network at our location. This is not a certificate you can download but has to be earned by being compliant with the requirements.
I would not call 3 out of 286,000 transactions processed as ASTOUNDING. We have requested information from everyone who has claimed that their card was compromised and have asked if they can give us details on what, where and when the charges have been placed and you know how responses we've had? -- ZERO
Gee, sorry I didn't notice you sitting at my desk watching me ignore the problem. You have no idea what I've done with this and how even 1 report of this concerns me. Where did you get the idea or info that we've done nothing on this? You have no clue whatsoever on what weve done.
Jumped from 3 to ASTOUNDING to 5.
Wheres the proof? and where in the hell did you get that information other than assuming all of this?
I'm open to suggestions if youve got any besides: requesting info from the consumers, doing additional security scans, AV scans on our secure dedicated server(there are no other websites or access to our server), having a valid ssl certificate (you can click it, it's more than just an image), port scans, contacting our card processor, viewing IIS logs, blocking blocks of ip addresses and monitoring server activity -- all in a combined effort with our card processor and cart provider. This is the NOTHING weve done so far.
hoog
Disclaimer: This certificate confirms the site shown above has been tested for common security weaknesses and no significant security vulnerabilities were found at the date shown above. this certificate does not imply the website shown above is completely invulnerable to unauthorized attacks.
Directly from SecurityMetrics linked from your site. This is why I don't put any faith in a business that use their standards as excuse. No place is 100% secure and I have already said that.
As far as asking for information, you never asked me. Matter of fact all I got from you was a ticket reply with a link to this thread as your answer. In which you began talking about how you are compliant. Any business accepting credit cards must be compliant, it isn't anything special to be so. But being compliant doesn't equal secure. It means at that specific time you were tested no SIGNIFICANT SECURITY VULNERABILITIES were found. Were there some before the scan or maybe directly after? No one knows. Which begs me to ask are there any un-significant vulnerabilities?
Could I have been hit with a virus, possible but highly unlikely, a keylogger? again possible but unlikely. The fact that more than one person had this happen under the circumstances these did is astounding, what is even more astounding is that more than two people. Even 3 out of an amazing 286,000 should be enough to concern anyone. What about those that might have had this happen we don't know about, maybe those (if there are any) who don't know of this forum to speak up? Maybe we are just 5 real unlucky people who just so happen to have something terrible happen under uncanny common circumstances....
As soon as I saw what happened I sent you a ticket, not accusing you or your company but making you aware something was not right. You did nothing besides send me a link to this very thread and assured me none of your employees had anything to do with it. You never contacted me again, saying anything or showing that you were doing anything with the info we gave you. So yes I did assume that you did nothing, why wouldn't I. Are you required to keep me posted? No. But the common courtesy would have gone far with me. It would have helped the investigation my bank is doing knowing that you to were investigating the situation on your end with the services you use to run your business. But as far as anyone knew, you stated your case here for all to see and left it be. Again an email, ticket update or even a PM would have been all that was needed, even though you are under no obligation to provide that.
In my very first reply in this thread I was wanting to raise awareness of the situation, I asked what can we do from here to find out what happened, too which nothing was said.
You can stand by your security compliance argument that is fine by me, all I want you to understand is that these thefts occurred to people doing business with your site, going through your CC processor and shopping cart, the vulnerability is somewhere in between. The possibility of that vulnerability being on our end of the link is slim to none, as we are five people from all different places in the world different days and times, but all with one thing in common.
I hope that that those affected get compensated, I luckily have, and I hope those who have not been compromised here or anywhere remain that way and be vigilant keeping an eye on all your accounts everyday and report anything odd the moment you see it. After all you are the only protection you have against crimes like these.
Directly from SecurityMetrics linked from your site. This is why I don't put any faith in a business that use their standards as excuse. No place is 100% secure and I have already said that.
As far as asking for information, you never asked me. Matter of fact all I got from you was a ticket reply with a link to this thread as your answer. In which you began talking about how you are compliant. Any business accepting credit cards must be compliant, it isn't anything special to be so. But being compliant doesn't equal secure. It means at that specific time you were tested no SIGNIFICANT SECURITY VULNERABILITIES were found. Were there some before the scan or maybe directly after? No one knows. Which begs me to ask are there any un-significant vulnerabilities?
Could I have been hit with a virus, possible but highly unlikely, a keylogger? again possible but unlikely. The fact that more than one person had this happen under the circumstances these did is astounding, what is even more astounding is that more than two people. Even 3 out of an amazing 286,000 should be enough to concern anyone. What about those that might have had this happen we don't know about, maybe those (if there are any) who don't know of this forum to speak up? Maybe we are just 5 real unlucky people who just so happen to have something terrible happen under uncanny common circumstances....
As soon as I saw what happened I sent you a ticket, not accusing you or your company but making you aware something was not right. You did nothing besides send me a link to this very thread and assured me none of your employees had anything to do with it. You never contacted me again, saying anything or showing that you were doing anything with the info we gave you. So yes I did assume that you did nothing, why wouldn't I. Are you required to keep me posted? No. But the common courtesy would have gone far with me. It would have helped the investigation my bank is doing knowing that you to were investigating the situation on your end with the services you use to run your business. But as far as anyone knew, you stated your case here for all to see and left it be. Again an email, ticket update or even a PM would have been all that was needed, even though you are under no obligation to provide that.
In my very first reply in this thread I was wanting to raise awareness of the situation, I asked what can we do from here to find out what happened, too which nothing was said.
You can stand by your security compliance argument that is fine by me, all I want you to understand is that these thefts occurred to people doing business with your site, going through your CC processor and shopping cart, the vulnerability is somewhere in between. The possibility of that vulnerability being on our end of the link is slim to none, as we are five people from all different places in the world different days and times, but all with one thing in common.
I hope that that those affected get compensated, I luckily have, and I hope those who have not been compromised here or anywhere remain that way and be vigilant keeping an eye on all your accounts everyday and report anything odd the moment you see it. After all you are the only protection you have against crimes like these.
Why do you feel like 5 out of 286k is astounding? Something like 10% of computers have a keylogger on them. Also, how do you explain the fact that someone managed to hack credit card info, but only took five?
Now I'm not saying that it's impossible for MV to get hacked, but it's highly unlikely that a hacker would steal less than 0.01% of the available credit card info. Now THAT'S astounding.
I know it seems like a coincidence to you, but I bet if you go to Amazon or iTunes or something, there would be way more than 0.01% of the people claiming their credit card got stolen because of that site's security.
It's such an astoundingly small number that it's just not probable that MV is at fault here.
Now I'm not saying that it's impossible for MV to get hacked, but it's highly unlikely that a hacker would steal less than 0.01% of the available credit card info. Now THAT'S astounding.
I know it seems like a coincidence to you, but I bet if you go to Amazon or iTunes or something, there would be way more than 0.01% of the people claiming their credit card got stolen because of that site's security.
It's such an astoundingly small number that it's just not probable that MV is at fault here.
Last edited:
And why is that? Because I repost deals in the deals & steals thread from emails that I receive? That doesn't mean I make a lot of online purchases.. The MV purchase was the first online purchase I've made in months. I make my own juice and have a large supply of all that stuff.. The only reason I purchased from MV was because I'm building a new mod and also repairing an old one.. But I'm really just mad at myself at this point cause I had my cart full at digikey I wish I would have just made my purchase there and called it a day.
Your car info could be hacked at any site and I didn't say it wasn't at MV CC processor but just that it could be somewhere else..in the new members forum is a post about it happening at other sites..another thing is if your card has an RFID chip it could be got from someone near you..also you're saying the 1st online purchase in months very easily the info could have been compromised at a store.
Also checkout this post and thread http://www.e-cigarette-forum.com/forum/new-members-forum/267085-my-credit-card-info-stolen-today-vapor-website-3.html#post5268481 the user is saying it might be a MasterCard thing and the info could have been stolen over 6 months ago..I have no idea what your card though.
I'm not sure about that but I have made over 10 purchases at MV and so far I haven't had any issues including one a week and a half ago. I do follow this issue because I like to be sure as a lot of big company's have had issues it could happen anywhere but if it did it wouldn't prevent me from buying from them unless it wasn't addressed..the best thing you can do is report it and message the vendor as I know you have.
AMEN......
I have made COUNTLESS purchases from MV, even in the last few days, and do not have ANY concern whatsoever, nor will I......
I would be way more concerned carrying my card through the mall or Wal-Mart than ordering online from a responsible vendor such as MV!! Sure, ANYTHING is possible ANYWHERE electronic payment is used, but I trust that hoog and the crew are up on their game and WOULD NOT TOLERATE even the hint of any criminal activity from someone trying to hack their servers, much less ONE OF THEIR OWN EMPLOYEES!!!
There are ALWAYS troublemakers and in my experience they are usually trying to cover their own actions......No accusations here.......but it wouldn't be the first time...
I'm a repeat customer. It would have been nice to have this portion of your response and information in your first post and without the defensiveness.
I understand that you must feel under attack, but I would recommend that you keep your customers informed and let them know that you are taking the situation seriously in a professional manner. I do understand that you have made every effort to ensure transactions are secure. I sincerely hope that where ever the problem lies will be discovered and resolved for all parties quickly.
Mine was a Visa debit card from my credit union, it doesn't have a RFID chip. My card numbers were used to charge a purchase at a store in Beijing. Which luckily for me caused the card to be immediately frozen. And everything was straightened out with my bank. But as of now haven't received a response from MV.
Thank you for linking that thread.
- Status
Similar threads
