Identity Theft

[Scottastic]

If this is the wrong section forgive me, but I just wanted to give people a head-up...

I have only made 3 online purchases in the past 2 months, and all three were in the past few days. I recently recieved an email from my bank that my checking account was overdrawn, which made no sense. Looking into it, there was a charge for almost $1000 to a website call flypgs.com, based in Istanbul.

It may not be caused by one of these sites, as I have heard good feedback on all three. I feel pretty confident that it is not due to a security breach of my computer, as I am running a fresh install of a Linux distro I have used regularly in the past.

The sites are as follows:

Cigar.com -- have received package
Egars.com -- have received package
cigarhumidors-online.com -- have not received, but is not late

Do with this as you will.

[G G]

Everytime I read one of these stories it makes me that much more nervous about ordering from over the pond.

[mikeyj23]

Quote:

Originally Posted by ggainey

Everytime I read one of these stories it makes me that much more nervous about ordering from over the pond.

All three he mentioned are US companies...

[Scottastic]

Quote:

Originally Posted by ggainey

Everytime I read one of these stories it makes me that much more nervous about ordering from over the pond.

Quote:

Originally Posted by mikeyj23

All three he mentioned are US companies...

Yeah, one of the first things I do is run a WHOIS search on the site I am buying from. Then I ask friends, check forums, etc. All three checked out.

It's possible it wasn't one of these sites fault, but the math adds up.

Update: BofA will do nothing until the transaction posts. I think that's rather backwards, no? If I were a bank, I'd bend over backwards to cancel payment before it was made.

[hotreds]

Cigar.com is a legit and very big outfit. Never heard of the other two- doesn't mean anything necessarily, but I don't think the problem is/was with cigar.com

[icehog3]

Lots of trusted sites are being hacked every day, without any wrongdoing by the site owners. Welcome to 2009, I work in a mid-sized suburb (80,000) and we see a dozen of these cases every day.

[bobarian]

Sorry this has happened to you, Scott. One of the dangers of our tecnology driven world is that others may be able to gain access to our personal information. I hope things get fixed quickly for you. However, you should know that it is very dangerous to use your ATM card for making online purchases. Your agreement with your bank and ATM card are very different from Credit card agreements. As Tom said, this happens daily to the tune of billions of dollars and may or may not have been the result of an online cigar purchase.

[M1903A1]

Quote:

Originally Posted by bobarian

Sorry this has happened to you, Scott. One of the dangers of our tecnology driven world is that others may be able to gain access to our personal information. I hope things get fixed quickly for you. However, you should know that it is very dangerous to use your ATM card for making online purchases. Your agreement with your bank and ATM card are very different from Credit card agreements. As Tom said, this happens daily to the tune of billions of dollars and may or may not have been the result of an online cigar purchase.

Absolutely. This is why I use a credit card only, and with a very low (comparatively speaking) limit.

[fxpose]

Best thing to do is get rid of your debit/check card or any other type of card which is tied to your cash/checking account. Use a credit card instead for all your on-line purchases and pay the balance in full each month so no interest accrues.

Even though the bank will eventually credit your checking account, it is a huge inconvenience while your checks are bouncing left and right, drawn from that same checking account.

I've been a victim of identify theft twice in the past twenty years. The last time about a year and a half ago. Someone made a purchase from an online clothing store which appears to be targeted toward the young crowd. Made purchases of about $500. I notified the CC company and they investigated. Turns out the items were delivered to my doorstep and signed for in the afternoon when I wasn't home! (BTW, I don't have children.) And the signature was not in my name. The CC company thankfully forgave the charge....thankfully 'cause it made me look as guilty as h*ll. Since then I upped the security on my computer and home network. Have no idea what happened.

[markem]

I'm gonna drop some info here because it is convenient, not because I'm bashing anyone. I've been involved in information security since time immemorial (at least it seems that way). I used to teach graduate information security and some of my former students are in very secret places as well as very critical places for protecting the financial health of (at least) our country. I speak with them often about the state of affairs.

Credit card theft (it's not identity theft) has been going on for years and years. It is one of the reasons that the credit card companies are required by law to limit your personal liability in case of provable compromise. In the old, old days, they sort of needed to somehow get hold of your card, but not anymore - technology is your friend, you will recall.

Credit card companies calculate the costs to see if better security is worth it for their customers. Customers rarely demand better security because of a lack of personal liability and because it often makes using the card harder (e.g., no online/telephone transactions).

The universal use of the CCV (or similar, the code on the back of the card) has largely rendered this supposed security feature useless. The code is fairly easy to calculate from the card number and some other information, but it is easier to just plain steal.

People think of the vendor being at fault when charges appear on their cards. This is rare. A legit vendor wants your repeat business and can't really gain by fraud since the CC company will refuse the charges. The vendor is hurt at least as much as (if not more) than the card holder.

The card processing companies have become huge targets as have the CC issuers themselves. One of the nasty little secrets is that almost no company encrypts their backup tapes and any company of any size stores them offsite in a so-called "secure facility". Some of the largest thefts of the past 5 years have been of backup tapes going to/from secure locations.

There has been a lot of talk about devices placed on ATMs, CC swipe readers, etc. to steal card info. These work pretty well, but only manage to get a small number of cards. But since people swipe their cards frequently, they get a bunch of press.

The short of it is that a legit vendor will likely never bilk you via CC (prices, now, well, that's a different story). An unscrupulous employee might, but not the vendor. The systems that they use to process your online trasnactions are almost never owned by the vendor, but a hosting company that works with the processing company. The processing company is the big fish here.

If you are in the US, you really can't really lose if your CC is compromised except that you may have to go without for a few days while they send you another. Cards tied to bank accounts are a different matter - not a good idea at all. The onus is on the issuer and the issuer puts great pressure on the processing company. Processing companies often handle millions of transactions a day, so your little cigar vendor is a small fish in a very lucrative pond.

All this is to say that casting aspersions at the vendor is largely misplaced. You wanted something they had, you chose to use your CC online where it can be stolen easily, you (at least in the US) are almost immune to any losses, but somehow you want your pound of flesh. Not really a sane thing to do, in my opinion.

Yes, my CC has been compromised. I was issued a new one, all fraudulent charges reversed and I went about my merry way. For me, it was 2 emails and three days, but I have a very tech-savvy bank.

Finally, a word about ATM cards. Keep very little money in the account tied to the ATM card - just a couple hundred or so. This way, you can get emergency cash if you need it but also limit your inconvenience in case someone steals that card information. The ATM card offers substantially less protections in case of compromise, btw.

[fxpose]

A month ago I received an email alert from B of A asking me to immediately call them about several unusual on-line CC transactions ranging between $20-$30 each. So I immediately called their customer service to "verify" these purchases. None were mine and they immediately canceled my CC account and issued me a new CC.
These fraudulent transactions did not fit my profile and purchase pattern, therefore I was immediately alerted by my bank.
They were 'testing' the card with petty purchases before attempting to make a sizable one.

Quote:

Originally Posted by markem

I'm gonna drop some info here because it is convenient, not because I'm bashing anyone. I've been involved in information security since time immemorial (at least it seems that way). I used to teach graduate information security and some of my former students are in very secret places as well as very critical places for protecting the financial health of (at least) our country. I speak with them often about the state of affairs.

Credit card theft (it's not identity theft) has been going on for years and years. It is one of the reasons that the credit card companies are required by law to limit your personal liability in case of provable compromise. In the old, old days, they sort of needed to somehow get hold of your card, but not anymore - technology is your friend, you will recall.

Credit card companies calculate the costs to see if better security is worth it for their customers. Customers rarely demand better security because of a lack of personal liability and because it often makes using the card harder (e.g., no online/telephone transactions).

The universal use of the CCV (or similar, the code on the back of the card) has largely rendered this supposed security feature useless. The code is fairly easy to calculate from the card number and some other information, but it is easier to just plain steal.

People think of the vendor being at fault when charges appear on their cards. This is rare. A legit vendor wants your repeat business and can't really gain by fraud since the CC company will refuse the charges. The vendor is hurt at least as much as (if not more) than the card holder.

The card processing companies have become huge targets as have the CC issuers themselves. One of the nasty little secrets is that almost no company encrypts their backup tapes and any company of any size stores them offsite in a so-called "secure facility". Some of the largest thefts of the past 5 years have been of backup tapes going to/from secure locations.

There has been a lot of talk about devices placed on ATMs, CC swipe readers, etc. to steal card info. These work pretty well, but only manage to get a small number of cards. But since people swipe their cards frequently, they get a bunch of press.

The short of it is that a legit vendor will likely never bilk you via CC (prices, now, well, that's a different story). An unscrupulous employee might, but not the vendor. The systems that they use to process your online trasnactions are almost never owned by the vendor, but a hosting company that works with the processing company. The processing company is the big fish here.

If you are in the US, you really can't really lose if your CC is compromised except that you may have to go without for a few days while they send you another. Cards tied to bank accounts are a different matter - not a good idea at all. The onus is on the issuer and the issuer puts great pressure on the processing company. Processing companies often handle millions of transactions a day, so your little cigar vendor is a small fish in a very lucrative pond.

All this is to say that casting aspersions at the vendor is largely misplaced. You wanted something they had, you chose to use your CC online where it can be stolen easily, you (at least in the US) are almost immune to any losses, but somehow you want your pound of flesh. Not really a sane thing to do, in my opinion.

Yes, my CC has been compromised. I was issued a new one, all fraudulent charges reversed and I went about my merry way. For me, it was 2 emails and three days, but I have a very tech-savvy bank.

Finally, a word about ATM cards. Keep very little money in the account tied to the ATM card - just a couple hundred or so. This way, you can get emergency cash if you need it but also limit your inconvenience in case someone steals that card information. The ATM card offers substantially less protections in case of compromise, btw.

Having spent much time in the Finance World in Canada including a very large online company that dealt primarily in credit cards I can say that everything mentioned in this thread applies to Canada as well.

[GoodFella]

3000+ was done on my CC not to long ago. all the charges were done from london. The same day that this happend i use my CC online from a shop in london. i dont blame the company but makes me worry more. i know it was not there fault. every thing is almost over now that i got a new CC but i did have to sign a few things.

[G G]

Quote:

Originally Posted by mikeyj23

All three he mentioned are US companies...

Totally missed that part.

[Scottastic]

Quote:

Originally Posted by markem

I'm gonna drop some info here because it is convenient, not because I'm bashing anyone. I've been involved in information security since time immemorial (at least it seems that way). I used to teach graduate information security and some of my former students are in very secret places as well as very critical places for protecting the financial health of (at least) our country. I speak with them often about the state of affairs.

Credit card theft (it's not identity theft) has been going on for years and years. It is one of the reasons that the credit card companies are required by law to limit your personal liability in case of provable compromise. In the old, old days, they sort of needed to somehow get hold of your card, but not anymore - technology is your friend, you will recall.

Credit card companies calculate the costs to see if better security is worth it for their customers. Customers rarely demand better security because of a lack of personal liability and because it often makes using the card harder (e.g., no online/telephone transactions).

The universal use of the CCV (or similar, the code on the back of the card) has largely rendered this supposed security feature useless. The code is fairly easy to calculate from the card number and some other information, but it is easier to just plain steal.

People think of the vendor being at fault when charges appear on their cards. This is rare. A legit vendor wants your repeat business and can't really gain by fraud since the CC company will refuse the charges. The vendor is hurt at least as much as (if not more) than the card holder.

The card processing companies have become huge targets as have the CC issuers themselves. One of the nasty little secrets is that almost no company encrypts their backup tapes and any company of any size stores them offsite in a so-called "secure facility". Some of the largest thefts of the past 5 years have been of backup tapes going to/from secure locations.

There has been a lot of talk about devices placed on ATMs, CC swipe readers, etc. to steal card info. These work pretty well, but only manage to get a small number of cards. But since people swipe their cards frequently, they get a bunch of press.

The short of it is that a legit vendor will likely never bilk you via CC (prices, now, well, that's a different story). An unscrupulous employee might, but not the vendor. The systems that they use to process your online trasnactions are almost never owned by the vendor, but a hosting company that works with the processing company. The processing company is the big fish here.

If you are in the US, you really can't really lose if your CC is compromised except that you may have to go without for a few days while they send you another. Cards tied to bank accounts are a different matter - not a good idea at all. The onus is on the issuer and the issuer puts great pressure on the processing company. Processing companies often handle millions of transactions a day, so your little cigar vendor is a small fish in a very lucrative pond.

All this is to say that casting aspersions at the vendor is largely misplaced. You wanted something they had, you chose to use your CC online where it can be stolen easily, you (at least in the US) are almost immune to any losses, but somehow you want your pound of flesh. Not really a sane thing to do, in my opinion.

Yes, my CC has been compromised. I was issued a new one, all fraudulent charges reversed and I went about my merry way. For me, it was 2 emails and three days, but I have a very tech-savvy bank.

Finally, a word about ATM cards. Keep very little money in the account tied to the ATM card - just a couple hundred or so. This way, you can get emergency cash if you need it but also limit your inconvenience in case someone steals that card information. The ATM card offers substantially less protections in case of compromise, btw.

I should probably state a little clearer what I think may have happened. I don't think any of these retailers purposely compromised my card. Like I said, I've heard good things about all three of these sites. What I think may have happened is that the security of one of those sites may itself be compromised. Especially with the recent news of denial of service attacks, it wouldn't be outside the realm of possibility.

I don't mean to slander (lible?) any of these sites. I know that a (few) ticket(s) for a airline based in Istanbul would not be worth the loss of business. For all I know, it may have been completely and purely my fault (virus, spyware, etc.) but I doubt it. I'm very careful about my computer and my network. And again, I just freshly installed a Linux distro that I am very familiar with. There are viruses and spyware for Linux, but not many.

[MarkinAZ]

Quote:

Originally Posted by markem

I'm gonna drop some info here because it is convenient, not because I'm bashing anyone. I've been involved in information security since time immemorial (at least it seems that way). I used to teach graduate information security and some of my former students are in very secret places as well as very critical places for protecting the financial health of (at least) our country. I speak with them often about the state of affairs.

Thank you for your input Mark

[ucla695]

Quote:

Originally Posted by fxpose

Best thing to do is get rid of your debit/check card or any other type of card which is tied to your cash/checking account. Use a credit card instead for all your on-line purchases and pay the balance in full each month so no interest accrues.

Even though the bank will eventually credit your checking account, it is a huge inconvenience while your checks are bouncing left and right, drawn from that same checking account.

I only use 'pure' credit cards for online transactions for this very reason.