Stolen Credit/Debit card info

Status
Not open for further replies.

Chiwen

Super Member
ECF Veteran
Verified Member
Apr 23, 2011
333
678
Michigan
> Do you guys realize that the vendors you're buying from online don't even have access to your CC number? When you buy online it's done through a payment gateway such as authorize.net, and a merchant processor. The online vendor simply gets notification that you've paid for your order and the charge was approved, nothing more. I know, because I run an online store. Neither I nor any of my employees could steal my customers' info if we wanted to. And no, my online store has nothing to do with ecigs, it's welding supplies.
>
> That said, there are ways they could process themselves, but I highly doubt any of the online ecig vendors are doing so. If they retain your cc number, they have all kinds of PCI compliance they have to deal with and it's expensive to do so.
>
> I also don't understand all the fuss about it. Sure, it's a bit of a hassle to have to call your cc company and tell them you didn't make the charges, but do you realize that the stores that the thieves are purchasing from ARE going to be out that money? As soon as you report the fraud on your card, their bank account gets automatically debited for the purchase and you get refunded, before they are even notified. In the meantime, the thief is off to sell their product on ebay.
>
> There is absolutely nothing they can do about it either, other than file a police report and hope their goods can be recovered and returned to them. Yea, good luck with that.

I am aware of that, yep. Which is why I said I wasn't going to name the vendor and hurt their business, because it's not directly their fault. Likely the data is being intercepted between the vendor and processor. Like you know online business, I know about protecting those businesses and their data, it's my job to know. I'm pretty well versed when it comes to how this is happening.

The fuss is easy to understand, from my point of view. This website/forum is about vaping, the people who had their information stolen were vapers, and almost every vendor that has been reported by people having their info stolen has a presence here. People feel violated, regardless of whose fault it is, and there's a natural human want/need to vent about things bothering them. Especially with others facing the same problem. Given that, this would seem to be the best place to 'fuss' about having your banking information stolen after buying vape supplies.

Not at all coming at ya either, just saying.

 

Hendry

Senior Member
ECF Veteran
Verified Member
Apr 13, 2010
224
18
Brooklyn, NY
This is why I only use credit cards for online shopping, never debit. With a credit card it's the bank's money you are risking in case of fraud, with a debit card it's your funds that are at risk. Sure, you will probably get your money back if your debit card is compromised, but do you really want to risk losing access to your funds for any length of time?
 

ScottP

Vaping Master
ECF Veteran
Verified Member
Apr 9, 2013
6,393
18,809
Houston, TX
My guess is that the people who have lost their CC info use Internet Explorer and now most likely have a keystroke logger on their system. If this is the case it wouldn't matter where you shopped online, the fact that you typed the CC number into an infected machine is more than likely what caused the loss.

My suggestion is to use multiple virus/malware scanners to make sure your machine is clean and STOP using Internet Explorer. Instead I suggest using Firefox with the NoScript add on to block most of the infection vectors to prevent this from happening.

For those that don't know what a keystroke logger is, it is a tiny piece of malicious code that can infect your computer and record every keystroke that you type and then send the information to a remote server. They are used to collect all kinds of personal information such as CC#'s, SSN, Address, Phone, passwords to your banking sites, etc. Very nasty little buggers.
 

Light Seeker

Ultra Member
ECF Veteran
Verified Member
Jan 31, 2013
1,052
1,322
Houston TX
> My guess is that the people who have lost their CC info use Internet Explorer and now most likely have a keystroke logger on their system. If this is the case it wouldn't matter where you shopped online, the fact that you typed the CC number into an infected machine is more than likely what caused the loss.
>
> My suggestion is to use multiple virus/malware scanners to make sure your machine is clean and STOP using Internet Explorer. Instead I suggest using Firefox with the NoScript add on to block most of the infection vectors to prevent this from happening.

A valid guess with equally valid suggestions, but assuming it's the end user's issue isn't always correct. In my case I have done everything you've listed, along with way more on top of this you have not itemized. I'm totally and absolutely confident that it isn't any key logger, remote control, virus, worm, kiddy script, browser security hole, unknown or unauthorized rogue process or program, open and vulnerable ports, software masquerading as drivers or other system utilities, out of date OS nor applications, or any other fault of my system, lan, firewall, router, or any user procedures. The cc was compromised either at the vendor or their cc service bureau if they don't have a merchant account. Been professionally employed in IT since 79, do know a thing or 2 about key loggers :)
 

supermarket

Ultra Member
ECF Veteran
Verified Member
Jul 2, 2010
1,401
1,852
Near Atlanta, Georgia, US of A
Coming from a computer security perspective, I would like to remind everyone here to NEVER use the same username/password combination for a forum such as HERE, and an e-cig vendor site.

This is a KNOWN scam that is being done actively at other places as we speak.

Hackers can gain access to the username/password database of forums, and cross reference them to places where the forum users might share credit card information, and use the same username/password combo.



While a poster above mentioned that the ecig vendors aren't likely the culprits, I entirely disagree. I'm not saying they ARE, I am saying the possibility lies equally with them, as it does the CC processing centers, or anyone else between YOU, your credit card information, and them.


For example, I just ordered from a vaping web-site that gives you the opportunity to save your CC# on their site. They are well known on here, so don't think it's some random no-name site I'm talking about. That information, as far as I know, isn't stored on the site processing CC payments, it is stored on the same server hosting them, unless I'm incorrect.


The fault can lie in YOU, the credit card holder, the vaping business owners and/or employees, hackers using exploits, the CC processing company, and probably a few other variables. I wouldn't exclude any of them.


I hope nobody takes offense to this, however, I have a degree in Computer Information Security and Assurance, and my red flag goes up when I see an obvious connection between multiple examples of CC fraud and users/posters in the same forum and/or ordering from the same sites.

Definitely no need to blame anyone until a culprit is found, no need to cause more damage than what is already being caused. HOWEVER, everyone's suspicions SHOULD be heightened, and the vaping e-stores should be doing EVERYTHING possible, at their expense, to make sure it isn't on their end.

I wish everyone the best!
 

supermarket

Ultra Member
ECF Veteran
Verified Member
Jul 2, 2010
1,401
1,852
Near Atlanta, Georgia, US of A
> My guess is that the people who have lost their CC info use Internet Explorer and now most likely have a keystroke logger on their system. If this is the case it wouldn't matter where you shopped online, the fact that you typed the CC number into an infected machine is more than likely what caused the loss.
>
> My suggestion is to use multiple virus/malware scanners to make sure your machine is clean and STOP using Internet Explorer. Instead I suggest using Firefox with the NoScript add on to block most of the infection vectors to prevent this from happening.
>
> For those that don't know what a keystroke logger is, it is a tiny piece of malicious code that can infect your computer and record every keystroke that you type and then send the information to a remote server. They are used to collect all kinds of personal information such as CC#'s, SSN, Address, Phone, passwords to your banking sites, etc. Very nasty little buggers.





While you are correct, keyloggers ARE a possibility, that still isn't the core issue. The CORE issue is that there seems to be an OBVIOUS connection between users/posters on this forum (who ALSO use online vaping stores) and CC fraud.

From a computer security perspective, this isn't a coincidence. As someone else mentioned, fraud happens all the time, and in higher numbers each and every year, especially electronically, however judging from my own experience this is not random.

If anything, it is possible the forum and/or certain online vaping sites are the target of hackers using exploits.
 

supermarket

Ultra Member
ECF Veteran
Verified Member
Jul 2, 2010
1,401
1,852
Near Atlanta, Georgia, US of A
> A valid guess with equally valid suggestions, but assuming it's the end user's issue isn't always correct. In my case I have done everything you've listed, along with way more on top of this you have not itemized. I'm totally and absolutely confident that it isn't any key logger, remote control, virus, worm, kiddy script, browser security hole, unknown or unauthorized rogue process or program, open and vulnerable ports, software masquerading as drivers or other system utilities, out of date OS nor applications, or any other fault of my system, lan, firewall, router, or any user procedures. The cc was compromised either at the vendor or their cc service bureau if they don't have a merchant account. Been professionally employed in IT since 79, do know a thing or 2 about key loggers :)




I'm going to agree with you on this one. That is the entire reason I posted on this thread in the first place, as someone had mentioned that it wasn't likely on the vendor's end. I would disagree, and say it is likely to be an issue either connecting with this forum itself, certain vendor sites, and/or the CC processing center. Just my two cents.
 

Light Seeker

Ultra Member
ECF Veteran
Verified Member
Jan 31, 2013
1,052
1,322
Houston TX
Forum software, often open and misconfigured, is an easy target. Purchases the jacked cc are used at are not at ecig stores though, seems there's a wide variety of bogus charges being made in many industries & etailers. What I suspect is ecig retailers, prohibited from PayPal, & too small and not enough credit for merchant accounts, are victims of questionable and perhaps shady cc payment bureaus.
 

supermarket

Ultra Member
ECF Veteran
Verified Member
Jul 2, 2010
1,401
1,852
Near Atlanta, Georgia, US of A
> Forum software, often open and misconfigured, is an easy target. Purchases the jacked cc are used at are not at ecig stores though, seems there's a wide variety of bogus charges being made in many industries & etailers. What I suspect is ecig retailers, prohibited from PayPal, & too small and not enough credit for merchant accounts, are victims of questionable and perhaps shady cc payment bureaus.


Regardless of where the exploit/culprit is, based on the random purchases being made with the stolen credit card information, I'm ASSUMING it is probably a GROUP (combined effort), and a RING (meaning they have a specific con, and a complete system for working this con).

In other words, I don't think this is one person doing it, and I also don't think it's a few people who just got the idea one day to steal info (dishonest employees). Based on the purchases, it SOUNDS like either through an exploit in the forum/vaporing online businesses, there is a crew working around the clock to steal the CC info, and then make random purchases, and re-sell the items ONLINE (probably via eBay, craigslist, or something else).


The only reason I'm connecting the dots like this, is because it all seems extremely familiar to other theft operations I've seen before, a few of them specifically involving online forums.
 

supermarket

Ultra Member
ECF Veteran
Verified Member
Jul 2, 2010
1,401
1,852
Near Atlanta, Georgia, US of A
Some steps that could be taken to assist in resolving this issue:

1) Forum owners..... make sure your forum isn't being exploited.
2) Forum posters..... change your password now, and at random intervals (once every 2 weeks or so, as an example) until this issue is resolved.
3) Forum posters..... don't use the same username/password, or email/password combination on ANY online vaping sites. If you use the same e-mail for logging into the forum, don't use the same password you use on the forum as you do for the sites you order vaping products from.

Also, everyone who sees this thread would be wise to keep a close eye on bank statements.
Anyone who is the victim of this theft, notify your BANK, the VENDORS you have ordered from, and the FORUM immediately. It will do more help to notify all THREE (including the forum) than most realize.

Vendors.....make sure you contact the CC processing services and let them know what is going on. If it IS on their end, they usually have the means to discover the culprit very quickly, provided they are told quickly enough.





I know some of you are against sharing the names of the vendors you have ordered from, if you are a victim of CC theft, however, I personally think it is the right thing to do.

ACCUSING a vendor of foul play, without evidence, is wrong. Posting the vendors you have recently ordered from, after being a victim of CC theft, is perfectly logical and acceptable (IMO).
 

MrStik

Ultra Member
ECF Veteran
Mar 6, 2013
1,003
1,638
SoCal
Varrius is very correct.

I work for a software company that engineers Business Solutions software, and that includes CRM, Accounting Solutions, and CC processing. Most smaller companies cannot afford PCI and PA-DSS compliant software. The software I support is an ERP software in the neighborhood of 10k-100k plus a % for licensing and a separate % for support. And my software has the ability to store Credit Card information that is encrypted.

But most E-Cig vendors more than likely employ a 3rd party to process all their credit card information and very likely do not store your CC information. But if you are entering in your CC information through the vendor's site, please verify that it is a secure site (https) and I would be very concerned if the vendor's site asks if you would like to save your CC for future purposes. That means that they are storing your information and hopefully encrypted.
 

Racehorse

ECF Guru
ECF Veteran
Verified Member
Jul 12, 2012
11,230
28,254
USA midwest
> it's also the vendor's responsibility to either rise to the challenge or ignore it. AVE is a wonderful example of rising to the challenge, taking their site off-line for a few days, switching CC processors, and now having new forms on their site, entirely due to not only their business ethics & concerns, but the vast number of posts on this forum singling out the coincidence between orders placed and fraud.

Hear, hear! I agree, AVE stepped up to the plate.

Are we hearing "crickets" from the other vendors?


Tell you what, I know, and my bank knows, what vendors I ordered from on my BRAND NEW CC which I got just to use online for ecig stuff. (again, it is one of their CC processors, not them, as vendors don't store CC numbers)

It got hacked. That CC has been recalled by my bank and taken out of circulation. I notified each and every vendor.


Good experiment to do? Order from exact same 4 vendors again.......with the new credit card. (vendors have been notified there is a problem.)

I get hacked again? Using same vendors. What do you think would be the proper things I would do next?

I know the answer, but nobody is going to like it very much. :)
 

ch2468

Senior Member
ECF Veteran
Verified Member
Dec 22, 2012
254
163
Ontario
> Good experiment to do? Order from exact same 4 vendors again.......with the new credit card. (vendors have been notified there is a problem.)
>
> I get hacked again? Using same vendors. What do you think would be the proper things I would do next?
>
> I know the answer, but nobody is going to like it very much. :)

4 vendors and 4 cards, and see which processors take the bait?
 

Varrius

Senior Member
ECF Veteran
Aug 17, 2012
146
111
Houston, TX
Obviously if a vendor knows they have a security risk somewhere in their cc processing, they should make all reasonable efforts to eliminate it, including changing their cc processor. The point I was trying to make was that it seemed many were pointing fingers at the vendors specifically blaming them, and they probably had no idea anything was going on.

Once they have been made aware of a problem, then yes they should do something about it. Keep in mind, however, that many of them probably have a service contract with their merchant service, and they can't simply call and cancel them without penalty. They would basically have to prove a security breach to get out of their contract. I imagine most of them would have little to no clue how to do that on their own.
 

Varrius

Senior Member
ECF Veteran
Aug 17, 2012
146
111
Houston, TX
> This is why I only use credit cards for online shopping, never debit. With a credit card it's the bank's money you are risking in case of fraud, with a debit card it's your funds that are at risk. Sure, you will probably get your money back if your debit card is compromised, but do you really want to risk losing access to your funds for any length of time?

It's actually not the bank's money at risk at all. Banks are way too proud of their money to let that happen. When a chargeback occurs (reported fraud on your account), one of two things will happen. It will be approved and you get your money back, or it won't be approved and you don't get your money back. Most of the time it will be approved and you're just fine. However, the store where the thief spent the money IS the one that loses, because they have to give the money back and their product is gone.

If your chargeback is not approved, which is unlikely because you didn't make the purchase, then your cc bank will not refund your card and you'll be responsible for whatever the thief spent. The only time I'm aware of this happening is when some of my friends spent money at an online store, and it went out of business. The banks had no way of getting money back from them, so they made the cardholder pay it. Like I said, either way the bank will not lose any money over it.

So to summarize my point, it is NOT the bank's money at risk at all, and usually not your money at risk either. It IS the merchant(s) where the thieves spent the money that get screwed. They accept a cc payment with all pertinent information, really have no way to know or verify that it isn't a stolen card other than their sixth sense, and they lose all the money.
 

supermarket

Ultra Member
ECF Veteran
Verified Member
Jul 2, 2010
1,401
1,852
Near Atlanta, Georgia, US of A
> Obviously if a vendor knows they have a security risk somewhere in their cc processing, they should make all reasonable efforts to eliminate it, including changing their cc processor. The point I was trying to make was that it seemed many were pointing fingers at the vendors specifically blaming them, and they probably had no idea anything was going on.
>
> Once they have been made aware of a problem, then yes they should do something about it. Keep in mind, however, that many of them probably have a service contract with their merchant service, and they can't simply call and cancel them without penalty. They would basically have to prove a security breach to get out of their contract. I imagine most of them would have little to no clue how to do that on their own.




Maybe you are right, as I'm new to this forum....and I haven't seen all the other threads about CC fraud going on, not until I saw this thread anyway.


However, judging from THIS thread.....I can't say I've seen even ONE person blame any vendors for the CC fraud that is going around the vape community apparently.


Moreso, the person who started this thread, and the ones who admitted to having their CC abused, simply realized that this is NOT a coincidence....and SOMEHOW....someone between THEM, and the Vendors /CC processing companies.....there is theft going on.

Several of the people already stated that the cards they used were EXCLUSIVELY used for Vaping vendors, NOTHING else. That makes it quite clear that the culprits more than likely are somehow, in SOME way, attached to the vendors.

I don't think anyone thinks any of the owners of the vending sites are committing fraud. I certainly don't. It seems more likely that someone is TARGETING the Vaping vendors, via an exploit, or the vendors are using cheaper CC processing companies because they can't afford the better ones.....and somehow that is compromising people who order through them.



Again, I don't think anyone is blaming any vendors here. I know if I was a vendor, I would want to know immediately if any of my customers are having their CC info stolen, and there's even a FRACTION of a chance it has to do with me or my site.
 

MikeA5

Super Member
ECF Veteran
Verified Member
Aug 29, 2011
403
257
Methuen, MA
I've spoken to a vendor that I suspected their CC processor may have been hacked and is where the CC fraud had originated.
The vendor told me to call their CC processor. The vendor was unwilling to investigate the problem. That herein lies the problem. Unless a vendor loses a significant amount of business, they are willing to do "business" as usual. Why? Because they are still making money without any significant loss of revenue! I've been CC fraud hacked 3 times in a little over 2 years since making online ecig purchases. So I've decided to make my ecig purchases overseas using Paypal (since Paypal commerce is allowed overseas for ecig related purchases).
Yes I'll admit shipping is more expensive and it takes longer to arrive at my door but for me it's worth it. I would much rather purchase these things here in the USA but until this CC fraud, when buying ecig related stuff gets straightened out, I'll continue to make my purchases overseas.
 