CC Fraud


potsy

Rambler
Location
My Armchair
Just been informed that my credit card was hacked in the same way as others thru CRC, a $1 transaction that my card provider declined. Just had a purchase rejected at a store and this turns out to be the reason why.
New card being sent out. Bugger :angry:
 
Deleted member 1258

Guest
Just been informed that my credit card was hacked in the same way as others thru CRC, a $1 transaction that my card provider declined. Just had a purchase rejected at a store and this turns out to be the reason why.
New card being sent out. Bugger :angry:


I'm still waiting for my account with CRC to be sorted out.
 
Deleted member 1258

Guest
Not read the whole thread, is it worth getting in touch with them then? They are my main supplier of bike related goodies.


I got in touch just after I had my card scammed, and they phoned me for a chat shortly after. When they had sorted it, I got an E-Mail telling me it had been sorted; the E-Mail contained a £30 E voucher. When I tried to spend the voucher I found out that my account was screwed and I couldn't buy anything. I had an exchange of E-Mails then phoned them with some information they asked for. They said they would E-mail when it was sorted and I haven't heard a word since, about a week. It might be too late now but it might be an idea to let them know.
 

potsy

Rambler
Location
My Armchair
Well I got an E-mail response today telling me about the fraud and that it had been taken care of now, also got the offer of £30 off my next spend, I am still waiting for my replacement card but may well be shopping there again very soon :thumbsup:
 
At least CRC had their system checked and rectified (and admitted the problem).

If you go somewhere else, what is to say that their site doesn't have the same kind of vulnerabilities but you don't know that yet?

Everywhere can be compromised, nothing is perfect - if you want to be safe don't buy online, don't use a bank etc etc... the benefits far outweigh the risks. Otherwise, use a Credit Card too, banks tend to protect you from wayward payments etc.

If you are unsure just use PayPal to pay them; that way none of your details are passed to CRC, just the money.

I always use PayPal where there is a choice with no problems and I have never had any problems from my customers paying me with PayPal either.


And no one else has ever had problems with PayPal? When in fact there are so many issues with it, for one your password is the only thing needed to make a payment... and PayPal's fraud resolution is very very poor. (not to mention some dodgy issues in-house).

Considering this was a "real time" hack, still explains how attackers can get CC details as it's captured in real-time. What this also shows is that PayPal details entered on the page could also be at risk......

I wonder how many people use the same email/password combo for paypal and other sites... not all websites store passwords in one way encryption (with salt etc etc)... http://xkcd.com/792/

To me it sounds like SQL Injection, there are way too many "developers" out there that don't sanitize data, or even test their own sites.
 

Plax

Guru
Location
Wales
Makes me glad that I either use Paypal (with a completely different password to my regularly used one for chat sites. I'm glad I had the foresight to have different passwords and email addresses for the various online suppliers I use), or a credit card that is specifically for online purchases only. That way if your card gets jacked it is easier to narrow down the culprit.

Also just out of curiosity which CC providers do people use? There seems to be an awful lot of people mentioning HSBC, but no mention of other providers.
 
Considering this was a "real time" hack, still explains how attackers can get CC details as it's captured in real-time. What this also shows is that PayPal details entered on the page could also be at risk......

I wonder how many people use the same email/password combo for paypal and other sites... not all websites store passwords in one way encryption (with salt etc etc)... http://xkcd.com/792/

To me it sounds like SQL Injection, there are way too many "developers" out there that don't sanitize data, or even test their own sites.


My colleagues and I have spent some time theorizing about this and sql injection was the first to be ruled out.
If it was, they'd have had access to the whole database, or at least a set of table columns. If only 0.1% of custom was affected, this seems unlikely.

I doubt that we'll ever know for sure, but I am leaning towards a man-in-the-middle attack as the favourite, with an unencrypted section of network being sniffed second, an xss flaw third and sql injection a distant last. We did assume that no machine on their network had been rooted though... still, no point theorizing, although it did make for an interesting conversation at work.
(if you like that kind of thing)
 
Generally the site is not in-house hosted - so you can usually assume that security is better than some in-house servers. Since there is going to have been some on-site scripting to send this data off somewhere else, I start to think it's SQL injection... since site edits can be made through this depending on the layout and content in it.

Imagine the title of an item is in the database... it's not sanitised so that title can have scripting included etc. Easy.

Man in the middle - well it probably isn't going to be PER user, but between the site host and the CC processor - although this is so unlikely imo
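
The unsanitised item title scenario from the post above, from the defending side, as an added example that is not part of the thread and not CRC's code: titles are stored with a parameterized query, encoded when rendered, and the stored rows are audited for markup. The `items` table, the function names and the sample titles are hypothetical and constructed for illustration.

```python
import html
import re
import sqlite3

# Constructed sample catalogue (not real data). Two titles carry markup,
# as in the scenario described in the post above.
SAMPLE_TITLES = [
    "Alloy Seatpost 27.2mm",
    'Brake Pads <script src="//example.invalid/x.js"></script>',
    "Tyre 700x25c <b>SALE</b>",
    "Chain & Cassette Bundle",
]

# Tags, inline event handlers or javascript: URLs inside a stored title.
MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>|\bon\w+\s*=|javascript:", re.I)


def build_db(titles):
    """Create a hypothetical in-memory catalogue table and load the titles."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT)")
    # Parameterized insert: the title is bound as data, never spliced into SQL.
    db.executemany("INSERT INTO items (title) VALUES (?)", [(t,) for t in titles])
    return db


def render_unsafe(title):
    """Weak form: the stored text goes into the page as-is."""
    return "<h2>" + title + "</h2>"


def render_safe(title):
    """Output encoding: markup in the stored title is displayed as text."""
    return "<h2>" + html.escape(title, quote=True) + "</h2>"


def audit_titles(db):
    """Detection: ids of rows whose stored title contains markup."""
    rows = db.execute("SELECT id, title FROM items ORDER BY id")
    return [item_id for item_id, title in rows if MARKUP.search(title)]


if __name__ == "__main__":
    db = build_db(SAMPLE_TITLES)
    print("rows to review:", audit_titles(db))
    for _, title in db.execute("SELECT id, title FROM items ORDER BY id"):
        print(render_safe(title))
```

Parameterized queries only keep input from changing the SQL statement; the encoding step at render time is what stops a stored title from running as script in a shopper's browser.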
 