Ever have a credit card number stolen???

Homebrew Talk

Our Verisign security wasn't breached and our hosting company cannot find a breach and we are having them triple check.
...

Forrest

I will keep you posted. Thanks for your support.

As a side note to this Forrest, I am a security guy, and can tell you this...

Certificates are great, but a certificate does not equal security. When you do not physically control the server that the certificate was requested and installed on, you are at the mercy of the security controls of the provider.

What are their practices for securing the private key? The only thing protecting the private key is a passphrase on the certificate key database (probably not under your control).

Any admin working at the provider may have knowledge of the passphrase, any one that knows the passphrase can export the certificate with the private key.

Even if they don't have physical access to your server, they may centrally manage the certificates and have them stored on a central server that an employee might have access to.

With the private key, if you can capture the network traffic to the server at any point (as it comes in to the hosting facility, a span port on any switch in front of it, or on the server itself) you can look at the traffic with wireshark and view it decrypted using the private key.

My point is, I would not discount the hosting company just because they say they don't see any problems with your server. Again, this is an issue that should be escalated to the authorities. You cannot say that there for sure is no issue with your Verisign cert unless you physically have controlled that, which is not happening if you are in a hosting facility, most likely.

As for discovering anything from the forensics of this issue, you need to stop and take a break here. You or the provider or even just allowing your server to continue transacting business can be destroying evidence. In order to forensically study the server, it should be unplugged (network wise - not power) and left alone until qualified persons can examine it and acquire images of memory and disk. With a provider that is most likely not going to happen unless you have a dedicated server and they are willing to work with you, but most likely only with the involvement of authorities.

However, there are likely easier paths to this information. I hear conflicting info here: on one hand I hear that you put in a credit card number in the web server and AHS never sees it, on the other hand I hear people saying they have ordered stuff and get a printed credit card receipt from a terminal. Which is it? What is the path that a credit card number takes through your systems? If it really only hits the web server and then out to the processor, it can only be your web server (or somewhere within the hosting co) or the processor. If you pick up the info or it is fed to you to process manually, then all bets are off.
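As an added illustration of the point made in the post above (example code written for this page, not from the poster, AHS or any vendor): a toy model of why whoever holds the certificate's private key can decrypt a passive capture when the handshake uses RSA key exchange, and, going one step beyond the post, why an ephemeral Diffie-Hellman handshake denies the key holder that ability. All primes, exponents and premaster values are constructed for illustration and are nowhere near real strengths.

```python
import hashlib

# Constructed toy RSA server key (tiny primes, NOT secure), standing in for the
# certificate's private key that, per the post above, the hosting company holds.
P, Q = 61, 53
N, E = P * Q, 17
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, kept at the provider

def session_key(shared_secret: int) -> str:
    """Stand-in for TLS key derivation: session key = hash of the shared secret."""
    return hashlib.sha256(str(shared_secret).encode()).hexdigest()

def rsa_key_exchange(premaster: int) -> tuple:
    """TLS-RSA style handshake: the client encrypts its premaster secret to the
    server's public key. Returns (what a tap on the wire sees, real session key)."""
    assert 0 < premaster < N
    capture = {"encrypted_premaster": pow(premaster, E, N)}
    return capture, session_key(premaster)

def eavesdrop_rsa(capture: dict, private_exponent: int) -> str:
    """Whoever holds the private key decrypts the captured premaster and derives
    the same session key; this is what Wireshark does when handed the key file."""
    premaster = pow(capture["encrypted_premaster"], private_exponent, N)
    return session_key(premaster)

# Constructed toy Diffie-Hellman group (small, NOT secure): p = 2^31 - 1, g = 5.
DH_P, DH_G = 2147483647, 5

def dh_key_exchange(client_x: int, server_y: int) -> tuple:
    """Ephemeral DH handshake: only g^x and g^y cross the wire; x and y stay on
    their endpoints and are discarded afterwards. The certificate's key merely
    signs the server's value. Returns (wire capture, real session key)."""
    capture = {"client_pub": pow(DH_G, client_x, DH_P),
               "server_pub": pow(DH_G, server_y, DH_P)}
    shared = pow(capture["client_pub"], server_y, DH_P)
    return capture, session_key(shared)

def eavesdrop_dh(capture: dict, private_exponent: int) -> set:
    """Apply the long-term private key to every captured value exactly as in the
    RSA case; none yields the DH shared secret, so a key stolen later cannot
    unlock traffic recorded earlier (forward secrecy)."""
    return {session_key(pow(v, private_exponent, N)) for v in capture.values()}

if __name__ == "__main__":
    cap, key = rsa_key_exchange(1234)
    print("RSA: key holder recovers session key:", eavesdrop_rsa(cap, D) == key)
    cap, key = dh_key_exchange(123456, 654321)
    print("DH:  key holder recovers session key:", key in eavesdrop_dh(cap, D))
```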
 
Just to check my system I ran Malwarebytes and Bitdefender, both the full paid versions and I came up empty as far as malicious items. So I am confident my loss did not originate in my system.
 
I told HBT forum admin not to take down this thread. We think the issue may be from the merchant service provider. We are changing merchant service providers.

We do not store any numbers on our site. We have not been contacted by any bank about this. We are still searching for evidence of a breach on our end. We have not found one.

Just to be sure, if you purchased anything from us January 1, 2011 - February 7, 2011, check your card statements. There appears to only be a couple-week window. Get a new card to be safe. All of the incidents have been very late January to the first week of February.

Our Verisign security wasn't breached and our hosting company cannot find a breach and we are having them triple check.

Please check your accounts and your bank will take care of the charges. I am profoundly sorry about this issue and we are trying our best to get to the bottom of the problem.

It seems to be isolated to the end of January to the first week of February. Check your statements, please.

Forrest

I will keep you posted. Thanks for your support.

Do you store them on store PCs? Or better question, DID you, until a few days ago of course?
 
<snip>... Again, this is an issue that should be escalated to the authorities.

<snip> If Austin wants to be legitimate in their business dealings they should be contacting the local police and request an investigation of potential credit card fraud surrounding their shop. The detectives have the legal capacity to investigate the matter and start tracking things down to determine a source whether internal or from their credit card vendor. If Austin is not willing to do that and maintain transparency it will completely undermine their business because there are plenty of other online homebrew shops that don't have a correlation to card theft.

All I keep hearing from AHS is that they haven't found any problems and they have switched credit card processors. Did you do this because you think that's where the breach is or because you know that's where the breach is?

If you have not been able to solidly identify the breach by this point in time, you are in over your heads. You need to (and are legally required to) contact authorities.

 
In AHS' defense, I can almost guarantee you that this wouldn't be investigated criminally on his end.

In NY, credit card frauds are investigated on the victims' ends (they are the complainant), which in this case, seems to be people all over the country. The Austin PD would not investigate crimes that occurred out of their jurisdiction. The victim is not AHS, but the individuals who had their account information taken/used.

As I had to mention in another thread, I know this because it is my job. We wouldn't take a report on this from Forrest if AHS was based in NYC, we would have to take the reports from the victims, and only the ones who live in our jurisdiction.
 
In AHS' defense, I can almost guarantee you that this wouldn't be investigated criminally on his end.

In NY, credit card frauds are investigated on the victims' ends (they are the complainant), which in this case, seems to be people all over the country. The Austin PD would not investigate crimes that occurred out of their jurisdiction. The victim is not AHS, but the individuals who had their account information taken/used.

As I had to mention in another thread, I know this because it is my job. We wouldn't take a report on this from Forrest if AHS was based in NYC, we would have to take the reports from the victims, and only the ones who live in our jurisdiction.

That is why you would report to the acquiring bank and FBI rather than local LE.
 

I think this is only required once they determine that there was a breach. I wonder if it extends to AHB if the processor determines that they were breached because then, this duty technically only requires the processor to notify AHB and their other merchants. Interestingly, my first read indicates that they are only required to notify the residents of TX whose data was compromised.

I haven't done the research, but I do wonder what the TX statutes say about how long credit card information can be stored and under what conditions.

Interesting....
 
I think this is only required once they determine that there was a breach. I wonder if it extends to AHB if the processor determines that they were breached because then, this duty technically only requires the processor to notify AHB and their other merchants. Interestingly, my first read indicates that they are only required to notify the residents of TX whose data was compromised.

I haven't done the research, but I do wonder what the TX statutes say about how long credit card information can be stored and under what conditions.

Interesting....

Texas law adopted PCI DSS compliance to dictate storage and use of credit card information. PCI DSS compliance was (is) a merchant requirement, but not enforceable by law - until states started adopting the PCI standards to make them enforceable.
 
I would like to know who processes the CCs manually at AHS. Is it the owner or is it delegated to a trusted employee or is it any employee that is told to do them for the day? I think that this fraud was conducted no more sophisticatedly than making copies of the card numbers in house, by hand or photocopying. Just my opinion.
 
I would like to know who processes the CCs manually at AHS. Is it the owner or is it delegated to a trusted employee or is it any employee that is told to do them for the day? I think that this fraud was conducted no more sophisticatedly than making copies of the card numbers in house, by hand or photocopying. Just my opinion.

We seem to be getting mixed answers about that... earlier AHS said it was all run manually, now I'm seeing that the numbers "aren't stored anywhere". I can't help but think how easy it is to take cell phone pics of card numbers or as you said, simple photocopies.
 
We seem to be getting mixed answers about that... earlier AHS said it was all run manually, now I'm seeing that the numbers "aren't stored anywhere". I can't help but think how easy it is to take cell phone pics of card numbers or as you said, simple photocopies.

I know for a fact that the three online orders I made with AHS were accompanied by a CC processing receipt stating "Entry Method: Manual". AHS originally stated they processed the cards manually.
 
We seem to be getting mixed answers about that... earlier AHS said it was all run manually, now I'm seeing that the numbers "aren't stored anywhere". I can't help but think how easy it is to take cell phone pics of card numbers or as you said, simple photocopies.

What I've seen is that they don't store numbers on their site....not that they don't store numbers on the computers in the store.
 
PCI is such a sham though. I admire its aspiration, but it is designed to say, despite audits to the contrary, that you were not PCI compliant at the time of the breach. It is too open to interpretation.
 
What I've seen is that they don't store numbers on their site....not that they don't store numbers on the computers in the store.

Their site accepts CC numbers, which are then manually processed. So someone has access to the card numbers and addresses during that process. It may be true that the CC numbers are deleted soon thereafter, but someone had personal access to that info at some point in order to be able to punch the numbers into the point of sale device.
 
What I've seen is that they don't store numbers on their site....not that they don't store numbers on the computers in the store.

Okay so they don't store the numbers... but they have to be "stored" in order for someone to retrieve and run them, even if it's just a temporary storage.
 
We seem to be getting mixed answers about that... earlier AHS said it was all run manually, now I'm seeing that the numbers "aren't stored anywhere". I can't help but think how easy it is to take cell phone pics of card numbers or as you said, simple photocopies.

They have to be stored somehow. I placed my order with AHS and it was not processed for a few hours. This means someone ran the card hours later. They can't do that if they don't store them.
 
Okay so they don't store the numbers... but they have to be "stored" in order for someone to retrieve and run them, even if it's just a temporary storage.

The point I was making is that they are just saying they don't store them on the site. They are not saying that they aren't stored somewhere else....I agree they have to be stored somewhere in order to be manually processed.
 
My freekin gawd, is this thread still alive??? The Eagles had the answer "get over it" No one is going to be out of pocket...

Do you like to pay higher prices for goods and services? We all pay for thievery. Not to mention I will not purchase again from AHS until they verify the root cause and fix it. That is what I recommend to my friends as well.
 
My freekin gawd, is this thread still alive??? The Eagles had the answer "get over it" No one is going to be out of pocket...

Perhaps, but I'm NOT ordering from them until it's resolved. Many others feel the same.

They already lost my last order because of this. I don't want to be without my cc for a week.
 
My freekin gawd, is this thread still alive??? The Eagles had the answer "get over it" No one is going to be out of pocket...

Seriously? This post needs to stay alive until the point of compromise is known and posted here.

At this point, this is about consumer confidence and transparency. AHS is already starting to suffer a loss of business because people don’t want to take the risk of their card being compromised.

FYI for those waiting to place an order - there has been absolutely no report of compromised accounts for those paying via PayPal, so that should still be a viable option.
 
If "just getting over it" doesn't work, perhaps plugging our ears and going "LALALALALA" might. :fro:
 
My freekin gawd, is this thread still alive??? The Eagles had the answer "get over it" No one is going to be out of pocket...
Really? I'm out 459 dollars and change still. The bank and I are still fighting over this one last charge. As it stands right now they aren't inclined to credit my account.
Meanwhile I have bounced checks and the subsequent charges for them. So don't go spouting off no one is out any money.
(I am fighting the check charges also)
 
Really? I'm out 459 dollars and change still. The bank and I are still fighting over this one last charge. As it stands right now they aren't inclined to credit my account.
Meanwhile I have bounced checks and the subsequent charges for them. So don't go spouting off no one is out any money.
(I am fighting the check charges also)

Sh!t, Fat_Bastard, that really sucks for you. Have you considered changing banks?
 
Sh!t, Fat_Bastard, that really sucks for you. Have you considered changing banks?

I am going to as soon as I get this resolved one way or the other.
FWIW I blame no one but myself. I should have never used a debit card online.

most importantly...
F*@$ CITIBANK!
 
I am going to as soon as I get this resolved one way or the other.
FWIW I blame no one but myself. I should have never used a debit card online.

most importantly...
F*@$ CITIBANK!

True, one should not use debit cards for many purchases. But don't accept blame that belongs to thieves.
 
If I can make one recommendation for their site, the choice to pay via PayPal should be more prominent. Until this thread, I never even noticed that they offered it. Two days ago, in the midst of all of this, I placed an order. I would not have placed that order at this time (for the obvious reason) if I didn't know about the PayPal.
 