Ever have a credit card number stolen???

Well I have been following this thread for the past few days. Decided to have the wife check on my checking account. Sure enough there is a charge of $189.00 on 2/11/11. I also ordered from Austin Home Brew 1/31/11.

Not cool

 

We don't hold any credit card numbers. No credit card numbers are stored on a computer.

We are switching credit card merchant services because that might be where the problem was.

eriktlupus: This incident could not have come from AHS.

Forrest

 

Forrest: how do you handle online orders? I know you said that you ring them up manually, after they are submitted online.

 

Was just going to ask and refer Forrest to page 3. I said what he is saying now and you produced the PM about hand processing. All on page three of this thread.


http://www.homebrewtalk.com/f19/ever-have-credit-card-number-stolen-223663/index3.html#post2624103

 

I just posted about AHS on another thread and someone gave me the heads up about this thread yesterday. Last night I got the call from the bank strangely enough. Obviously coincidence is not guilt; however, there is enough commonality that the issue needs looked at.

If Austin wants to be legitimate in there business dealings they should be contacting the local police and request an investigation of potential credit card fraud surrounding their shop. The detectives have the legal capacity to investigate the matter and start tracking things down to determine a source whether internal or from their credit card vendor. If Austin is not willing to do that and maintain transparency it will completely undermine their business because there are plenty of other online homebrew shops that don't have a correlation to card theft.

 

That is NOT the information I received in an email from AHS yesterday.

 

I agree Bensiff, the more this goes on, the more it stinks.

 

I think we all need to take a step back and think about this logically. Clearly, credit card numbers from AHS were compromised somehow, however there is NO evidence that AHS is anything more than a victim in this just like we all are.

AHS is in the retail busines, using a vendor for merchant services. They didn't build their own cc processing servce (to my knowledge). What is most likely is that their vendor was compromised. We just all happen to be customers of AHS who read HBT.

For the record, I live in Austin, I walked into AHS and bought on 1/18, and USAA has notified me I've been compromised. They're reissuing me new cards, and I *havent* seen any fake charges to date.

AHS is a great company. They are patient with customers, treat you well when you walk in, and they will talk to you about your ideas. I've been shopping with them for 9 years at three different locations. I trust them, and whatever Forrest says to me (or you) is honest to the best of his knowledge.

Let's not pile on a good local business that provides good products at good prices. None of us are liable for fraudulent charges.

For the record, I'm going there in an hour to buy a new picnic faucet and a carboy brush, and I'll use my credit card.

 

Then it sounds like an account breach has been pinpointed and all cards used at a merchant/processor within a certain time frame is being flagged then if no bogus charges have shown on your card.

 

Unfortunately, they don't have to be. There are "canned" trojans organized crime use to specifically target web servers. They monitor the data stream, peel off CC numbers and pass them back out to a collection host.

 

If the info was accessible via their wifi network, it'd be a piece of cake

Or, some sort of trojan (even a simple keylogger might do the trick given their practices) found its way in

 

Im Glad I read this. I just purchased last week from them. Going to check my account daily...what a pain.

J

 

+1 I have been meaning to spread more to other suppliers. Maybe this is the push I needed.

Sent from my iPhone using HB Talk

 

That is why I said coincidence doesn't prove guilt. However, something is wrong and it would behoove AHS to start working with the local authorities to help find the culprit to clear their name, for all we know it will get bumped up to the fed and it will open up or coincide with a larger investigation. In the meantime, for AHS, not being proactive and transparent will only lend to building the perception of a lack of concern for the customers at best or implicate guilt at worst.

In the meantime everyone should always remember to have appropriate computer security (ie don't use your iPhone to buy stuff) whenever doing anything online related to financial transactions. You should always use a credit card when ordering online to protect your bank account holdings. And you should never hand someone your debit card, if a purchase requires that (ie restaurant) use your credit card.

I might also add, this thread is only going to serve to damage AHS' business. If they work with authorities and can officially clear their name I'm sure the moderators would be willing to remove this thread to protect AHS. I was really happy with my purchase from them (other than the card being compromised) so I'm hoping its not their fault and all will turn out well. They sponsor this site, so in the end the best outcome is to clear their name and remove this thread. Until then, this thread will go on and they will lose business as a result.

 

No the best outcome is to clear their name and KEEP the thread.

Why should the thread be removed?

 

I told HBT forum admin not to take down this thread. We think the issue may be from the merchant service provider. We are changing merchant service providers.

We do not store any numbers on our site. We have not been contacted by any bank about this. We are still searching for evidence of a breech on our end. We have not found one.

Just to be sure, if you purchased anything from us January,1 2011 - February, 7, 2011 check your card statements. There appears to only be a couple week window. Get a new card to be safe. All of the incidences have been very late January to the first week of February.

Our Verisign security wasn't breeched and our hosting company can not find a breech and we are having them triple check.

Please check your accounts and your bank will take care of the charges. I am profoundly sorry about this issue and we are trying are best to get to the bottom of the problem.

It seems to be isolated to the end of January to the first week of February. Check your statements, please.

Forrest

I will keep you posted. Thanks for your support.

 

Forrest thanks for the info. like I've said I purchased on jan 20th and was not compromised. I am not sure how it happened but it does seem to have some connection to Ahs some how some way. Keep you're heads up I'm going to order my next recipe from you guys.

-= Jason =-

Sent from my Droid using Home Brew Talk

 

Thanks for the update Forrest, there's no doubt I will still be ordering from you guys, and i'm just starting my Brooklyn lager clone I ordered from you a couple of weeks ago. I can't wait to taste it.

 

Forrest - FYI, my AHB purchase was on Jan. 13 (both transaction and post date were 1/13). Fraudulent charges on my card were on 2/7.

 

According to AHS/AHB they have not been able to find a breach in their technical systems. I believe without a doubt that most, if not all, of these fraudulent charges that people were/are reporting in relation to this thread, stem from an initial purchase from AHS. The problem is in that chain of custody of CC numbers with AHS.

Generally speaking, we all pay more for goods and services when thieves prevail. It is not right and good to just sit back and rely on the CC issuers to eat any associated costs due to fraud and resting easy knowing one doesn't have to foot those costs on an individual by individual basis.

More specifically, I know that I received in my shipment a receipt for my CC purchase that is one that you get from processing a CC via one of those small point of sales machines or something similar. I also was told that they, AHS, was having difficulty shipping all the orders they received and were hiring or trying to hire new employees to help fulfill the orders. I have had very good service and product from them. However, it is negligence for me to continue doing business with them until the root cause and resolution are found and implemented. If I lived near them I would purchase with cash.

 

I'll still do business with them, but if the source of the problem is not nailed down I'll be using PayPal from now on.

 

As a side note to this Forrest, I am a security guy, and can tell you this...

Certificates are great, but a certificate does not equal security. When you do not physically control the server that the certificate was requested and installed on, you are at the mercy of the security controls of the provider.

What are their practices for securing the private key? The only thing protecting the private key is a passphrase on the certificate key database (probably not under your control).

Any admin working at the provider may have knowledge of the passphrase, any one that knows the passphrase can export the certificate with the private key.

Even if they don't have physical access to your server, they may centrally manage the certificates and have them stored on a central server that an employee might have access to.

With the private key, if you can capture the network traffic to the server at any point (as it comes in to the hosting facility, a span port on any switch in front of it, or on the server itself) you can look at the traffic with wireshark and view it decrypted using the private key.

My point is, I would not discount the hosting company just because they say they don't see any problems with your server. Again, this is an issue that should be escalated to the authorities. You can not say that there for sure is no issue with your verisign cert unless you physically have controlled that, which is not happening if you are in a hosting facility, most likely.

As for discovering anything from the forensics of this issue, you need to stop and take a break here. You or the provider or even just allowing your server to continue transacting business can be destroying evidence. In order to forensically study the server, it should be unplugged (network wise - not power) and left alone until qualified persons can examine it and acquire images of memory and disk. With a provider that is most likely not going to happen unless you have a dedicated server and they are willing to work with you, buy most likely only with the involvement of authorities.

However, there are likely more easy paths to this information. I hear conflicting info here, on one hand I hear that you put in a credit card number in the web server and AHS never sees it, on the other hand I hear people saying they have ordered stuff and get a printed credit card receipt from a terminal. Which is it? What is the path that a credit card number takes through your systems? If it really only hits the web server and then out to the processor, it can only be your web server (or somewhere within the hosting co) or the processor. If you pick up the info or it is fed to you to process manually, then all bets are off.

 

Just to check my system I ran Malwarebytes and Bitdefender, both the full paid versions and I came up empty as far as malicious items. So I am confident my loss did not originate in my system.

 

Do you store them on store PC's? Or better question, DID you? until a few days ago of course.

 

All I keep hearing from AHS is that they haven't found any problems and they have switched credit card processors. Did you do this because you think that's where the breach is or because you know that's where the breach is?

If you have not been able to solidly identify the breach by this point in time, you are in over your heads. You need to (and are legally required to) contact authorities.


.

 

In AHS' defense, I can almost guarantee you that this wouldn't be investigated criminally on his end.

In NY, credit card frauds are investigated on the victims' ends (they are the complainant), which in this case, seems to be people all over the country. The Austin PD would not investigate crimes that occurred out of their jurisdiction. The victim is not AHS, but the individuals who had their account information taken/used.

As I had to mention in another thread, I know this because it is my job. We wouldn't take a report on this from Forrest if AHS was based in NYC, we would have to take the reports from the victims, and only the ones who live in our jurisdiction.

 

That is why you would report to the acquiring bank and FBI rather than local LE.

 

Texas law also requires notification to consumers: http://www.statutes.legis.state.tx.us/Docs/BC/htm/BC.521.htm#521.053

 

I think this is only required once they determine that there was a breach. I wonder if it extends to AHB if the processor determines that they were breached because then, this duty technically only requires the processor to notify AHB and their other merchants. Interestingly, my first read indicates that they are only required to notify the residents of TX whose data was compromised.

I haven't done the research, but I do wonder what the TX statutes say about how long credit card information can be stored and under what conditions.

Interesting....

 

Texas law adopted PCI DSS compliance to dictate storage and use of credit card information. PCI DSS compliance was (is) a merchant requirement, but not enforceable by law - until states started adopting the PCI standards to make them enforceable.

 

I would like to know who processes the CC's manually at AHS. Is it the owner or is it delegated to a trusted employee or is it any employee that is told to do them for the day? I think that this fraud was conducted no more sophisticatedly than making copies of the card numbers in house, by hand or photocopying. Just my opinion.

 

We seem to be getting mixed answers about that... earlier AHS said it was all run manually, now I'm seeing that the numbers "aren't stored anywhere". I can't help but think how easy it is to take cell phone pics of card numbers or as you said, simple photocopies.

 

I know for a fact that the three online orders I made with AHS were accompanied by a CC processing receipt stating "Entry Method: Manual". AHS originally stated they processed the cards manually.

 

What I've seen is that they don't store numbers on their site....not that they don't store numbers on the computers in the store.

 

PCI is such a sham though. I admire it's aspiration, but it it designed to say, despite audits to the contrary, that you were not PCI compliant at the time of the breach. It is too open to interpretation.

 

Their site accepts CC numbers and are then manually processed. So someone has access to the card numbers and addresses during that process. It may be true that the CC numbers are deleted soon there after but someone had personal access to that info at some point in order to be able to punch the numbers into the point of sale device.

 

Okay so they don't store the numbers... but they have to be "stored" in order for someone to retrieve and run them, even if it's just a temporary storage.

 

They have to be stored somehow. I placed my order with AHS and it was not processed for a few hours. This means someone ran the card hours later. They can't do that if they dont store them.

 

The point I was making is that they are just saying they don't store them on the site. They are not saying that they aren't stored somewhere else....I agree they have to be stored somewhere in order to be manually processed.

 

My freekin gawd, is this thread still alive??? The Eagles had the answer "get over it" No one is going to be out of pocket...