My Freedom Smokes & Unauthorized Transactions


xint

New Member
Mar 13, 2015
4
0
Sorry for the long delay, but here's the update:

MFS responded to my email and they are aware and looking into it. Though they say that "MyFreedomSmokes employs security techniques to reduce the risk of stolen credit card information. The website's encryption technology prevents access to credit card numbers and MyFreedomSmokes does not write credit card data to its database. These two tactics should eliminate the risk of stolen credit card information."

Yes - do elaborate. Not that I'm arguing with you, just curious for the sake of root-cause analysis.

I noticed they're using the e-commerce platform that GoDaddy has recently incorporated, and also noticed that there have been vulnerabilities in it, including ones that allow attackers to redirect DNS entries to spoofed sites.

Analysis/testing of their payment form finds that:

1. They use Magento Commerce for their online store system.

2. When I submit payment information my web browser sends the complete credit card information straight to their server with no encryption outside of HTTPS.

So that means that their website does receive complete credit card information before processing it via Authorize.net. But I assume they don't actually store anything except for the last 4 digits. HTTPS will also prevent any third party that isn't your computer or MFS's server from seeing this data.

3. There are existing exploits for Magento Commerce that allow credit card numbers to be intercepted through their servers:

With all this considered, this means any interception of credit card numbers most likely came from something hidden on their server by some third party.
 

kartoffelfaust

Senior Member
ECF Veteran
Feb 1, 2015
198
130
USA
Sorry for the long delay, but here's the update:

MFS responded to my email and they are aware and looking into it. Though they say that "MyFreedomSmokes employs security techniques to reduce the risk of stolen credit card information. The website's encryption technology prevents access to credit card numbers and MyFreedomSmokes does not write credit card data to its database. These two tactics should eliminate the risk of stolen credit card information."



Analysis/testing of their payment form finds that:

1. They use Magento Commerce for their online store system.

2. When I submit payment information my web browser sends the complete credit card information straight to their server with no encryption outside of HTTPS.

So that means that their website does receive complete credit card information before processing it via Authorize.net. But I assume they don't actually store anything except for the last 4 digits. HTTPS will also prevent any third party that isn't your computer or MFS's server from seeing this data.

3. There are existing exploits for Magento Commerce that allow credit card numbers to be intercepted through their servers:

With all this considered, this means any interception of credit card numbers most likely came from something hidden on their server by some third party.

The highlighted line makes all the difference. My brief glance through their system gave me the impression of deferred processing, implying cc#s were indeed stored.
 

jseah

Vaping Master
ECF Veteran
Verified Member
Feb 16, 2015
4,112
19,429
Hudson Valley, NY, USA
Unfortunately, credit card fraud does happen. It doesn't matter whether it is from a B&M or online. My credit card info had been stolen twice over the last two years and unauthorized charges made. The first time was the Target hack (I had used that card at Target on Black Friday). They sat on the credit card info and didn't use it until almost 6 months later. The credit card company immediately suspected fraud since I used the card, and less than an hour later, my credit card number had also rung up almost $1,000 in purchases several hundred miles away. When I spoke to the customer service agent at the bank, they said that sometimes they will not use the stolen card info for several months to wait until the heat dies down and you are not as vigilant. The second time happened last year, less than a year after the first time, with the replacement card. The bank called me to verify because someone tried to use the card to purchase multiple gift cards at a drug store in NYC and the bank immediately put a freeze on the card. To this day, I still have no idea where they might have gotten the card number from.

At the end of the day, the important thing when you suspect fraudulent activity on your card is to first contact the card company to report it. You are never responsible for any of the fraudulent use, and nowadays as soon as you report it, the card company will automatically cancel the card and reissue you a new one with a new account number.
 

kartoffelfaust

Senior Member
ECF Veteran
Feb 1, 2015
198
130
USA
Which is why I would rather use payment methods that redirect through the payment processor's site. I mean like how PayPal payments are conducted through their site, and then redirect back to the vendor site after successful payment.

It's more difficult to get customers' credit card information if it's never sent to the store in the first place.

Exactly - I completely agree. Push funds to the vendors account, instead of having the vendor pull funds from yours.
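
An added example, not part of any post in this thread: a small checker for the distinction discussed above, namely whether a checkout page's card fields are posted to the store's own server or to a different origin. The page URL, form markup and field names are constructed samples, and `card_data_path` is a hypothetical helper name.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Substrings that mark an <input> as carrying a card number or security code.
CARD_HINTS = ("cc-number", "cc_number", "cardnumber", "cc-csc", "cc_cid")

class CheckoutForms(HTMLParser):
    """Record each <form>'s action and whether it contains card inputs."""
    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "", "card": False}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            probe = " ".join(a.get(k) or "" for k in ("name", "id", "autocomplete"))
            if any(h in probe.lower() for h in CARD_HINTS):
                self._open["card"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def origin(url):
    p = urlsplit(url)
    return p.scheme, p.hostname, p.port or {"http": 80, "https": 443}.get(p.scheme)

def card_data_path(page_url, html):
    """Return (resolved_action, verdict) for every form holding card fields."""
    parser = CheckoutForms()
    parser.feed(html)
    results = []
    for form in (f for f in parser.forms if f["card"]):
        target = urljoin(page_url, form["action"])  # empty action posts to the page
        if urlsplit(target).scheme != "https":
            verdict = "cleartext"
        elif origin(target) == origin(page_url):
            verdict = "merchant-server"  # card number transits the store's server
        else:
            verdict = "third-party"      # posted straight to another origin
        results.append((target, verdict))
    return results

# Constructed sample pages (not captured from any real store).
PAGE = "https://shop.example/checkout/onepage/"
DIRECT = '<form action="/checkout/onepage/saveOrder/"><input name="payment[cc_number]"></form>'
HOSTED = '<form action="https://pay.example/transact"><input autocomplete="cc-number"></form>'
```

A "third-party" verdict only describes where the form posts; the form itself is still served by the store's page, so only a full redirect to the processor keeps the card fields off the store's site entirely.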
 

Brandon Ford

New Member
Mar 19, 2015
1
0
Alright, so I just found this thread tonight because I too had my debit card information stolen after making a purchase from myfreedomsmokes and was curious if anyone else had this problem. Well, here it is.

So my story goes.... I recently got a new debit card and have only used it a handful of times. The only online purchase I made with it was from myfreedomsmokes. Just a few days ago (while trying to buy juice from a local vapor shop) my card was declined. After looking into it and contacting my bank I found that there were numerous transactions I did not make on my account.

After researching more my best conclusion was that it had to be stolen from myfreedomsmokes. I sent in a support ticket, warning them. They ignored it for 4 days. I posted on their Facebook warning others and asking them to respond to my ticket. They deleted my post. Finally I decided to just call them. They said they would look into it and later that day they responded to my ticket, with the same response given to xint. It seems like they're trying to hide all of this. I really don't appreciate it and others should be warned.
 

Jdurand

Ultra Member
ECF Veteran
Verified Member
Oct 16, 2014
1,802
2,201
Long Island, NY
Well I just went back to January, holy crap do I buy lots of vape stuff from MFS! But there are no unauthorized transactions. I may just go get that card replaced though, just for peace of mind. I don't blame MFS for these issues. It can happen to anyone. I do think MFS should jump on here though and let us all know they are aware and have taken care of the problem. This could really hurt their orders from this large of a group and they do seem to be quite popular here.
 

jimstratus

Senior Member
ECF Veteran
Verified Member
Jul 4, 2014
165
589
Calhoun,GA,USA
I do think MFS should jump on here though and let us all know they are aware and have taken care of the problem. This could really hurt their orders from this large of a group and they do seem to be quite popular here.

I am fairly certain forum suppliers can not reply to any thread outside their own supplier sub forum. Therefore by ECF rules they can not jump on here and respond. If the discussion were taken to MFS sub forum they would then have the ability to respond.

Sent from my SCH-I535 using Tapatalk 2
 
Thank you for moving this to our forum so that we could respond.

From time to time MFS, like most online businesses, receives customer service inquiries regarding potential fraudulent transactions relating to our site. These inquiries normally amount to 1/5 of one percent (0.002) in relation to our overall order volume and upon investigation, they generally turn out to be unrelated to MFS. Earlier this week we noticed an increase in this number to 4/5 of one percent (0.008) and, while still a very small number, we consider anyone getting their info stolen a serious matter and therefore began researching the issue further.

At this point our web hosts and developers have ensured us that there are currently no risks to transactions placed on our site. We are continuing to investigate whether there were any potential vulnerabilities either on our site, at our payment gateway (Authorize.net), or with our credit card processor that may have previously existed that could have put our customers’ information at risk. We are also forwarding feedback and comments posted here to our security team so that they can further investigate any potential threats mentioned.

We definitely take these issues very seriously and want people to feel safe transacting with us without fear of their information being compromised. We will post any significant updates related to this issue in this thread as we learn new info.
 

kartoffelfaust

Senior Member
ECF Veteran
Feb 1, 2015
198
130
USA
Can you answer the previous questions about credit card data retention and storage? That is, do you store, or does the e-commerce platform store on your behalf, credit card information for use at a later time, either by the customer or for subsequent batch or deferred processing?

If yes, what security policies are in place to protect the data?

In a properly implemented cryptographic system, disclosing the above will not affect the security of the data it protects.

While MFS may be an innocent bystander in this, full disclosure does help to ease the minds of customers.
 
Not a problem. I'm not an expert in this area, but I will answer your questions to the best of my understanding.

The MFS website does not store any payment info anywhere. All CC info is passed directly to Authorize.net. All payments are set to "Authorize and Capture" without any deferred processing. We request payment authorization immediately as the order is placed and then our batches are settled nightly.

We have been contemplating the introduction of a recurring billing product such as an e-liquid of the month club, which would require that the payment info be stored for the subsequent transactions each month. However, if this product is introduced, then all of the payment info would be stored and processed by Authorize.net so we would still not store any payment info on our site.

Hope this helps and please let me know if you have any more questions.
 

kartoffelfaust

Senior Member
ECF Veteran
Feb 1, 2015
198
130
USA
Not a problem. I'm not an expert in this area, but I will answer your questions to the best of my understanding.

The MFS website does not store any payment info anywhere. All CC info is passed directly to Authorize.net. All payments are set to "Authorize and Capture" without any deferred processing. We request payment authorization immediately as the order is placed and then our batches are settled nightly.

We have been contemplating the introduction of a recurring billing product such as an e-liquid of the month club, which would require that the payment info be stored for the subsequent transactions each month. However, if this product is introduced, then all of the payment info would be stored and processed by Authorize.net so we would still not store any payment info on our site.

Hope this helps and please let me know if you have any more questions.

Thank you for the clarification. The mystery further deepens.
 

gibbs

Full Member
Feb 25, 2014
18
20
Madsion Wi
Looks like I may be the 4th victim. On 3-17 I made a purchase from My Freedom Smokes, and the next day was contacted by my CC company stating there was fraudulent use of my card from someone overseas, and my account was frozen. The only use of the card was to pay an annual CC fee in early Feb, and to My Freedom Smokes. I have since cleared up any problems with my CC account, and asked for a new card to be issued. I now agree that fees to vendors should be "pushed and not pulled".
 

mattiem

ECF Guru
ECF Veteran
Verified Member
I hate to think that this is the case but I too placed an order 3/13/15 and caught a fraudulent charge on my CC 3/25/15. Fortunately I keep a close eye on my CC transactions and caught the charge while it was still pending. The charge was to VENETIAN INN in the amount of $9.44. I called my CC company and got it taken care of but in this day and time with so much already on our plates, it is frustrating to have to go through all that goes into having to get a new card and having to update your CC info. on everything, including recurring charges.

I really do hope that this was just a coincidence because MFS is my go to supplier for my Nicotine and various other vaping supplies and has been for well over 3 years.
 

AndrewH

Full Member
Verified Member
Aug 22, 2013
65
72
Kalamazoo, MI
I hate to pile on to the bandwagon but I too had this happen to me. I've been purchasing my atomizers for my Joyetech Ecom from MFS for 8-9 months now. This last time that I did so, charges started appearing on my card for stuff that I never authorized. It totaled $195.16 and the transactions match the same exact places that another member posted on here. Fortunately I was able to get most all of the money back by going to my bank and having them take it back. I won't be purchasing anything from MFS until this issue is recognized (that a mistake was made or that a breach occurred) and addressed; there are too many cases in this thread alone for it just to be a coincidence or user error. I take my personal security very seriously and always research websites before I use my card there so this is very upsetting to me as I really like MFS.

Andrew
 