Standard User Michael_Chare
(fountain of knowledge) Sun 05-Feb-17 13:21:00
Credit card details stolen from website.
 
I have just been told that my credit card details have been stolen from an internet site, but fortunately not used. The CC company said the police had informed them of the theft but did not say what the website was. The card will be stopped but, to my surprise, the CC company wanted my agreement to this first.

Anyone else with a similar experience?

Michael Chare
Standard User caffn8me
(knowledge is power) Sun 05-Feb-17 13:26:22
Re: Credit card details stolen from website.

[re: Michael_Chare]
 
Was this a genuine contact from your credit card company in writing?

If it was by email or phone, you have almost certainly been the target of a phishing scam, especially if you gave the person who contacted you any of your personal details.

If that's what happened, contact your card company directly using the number printed on the credit card or paper statements and explain what happened and do it fast because the scammers will already be spending your money.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs

Edited by caffn8me (Sun 05-Feb-17 13:29:31)

Standard User Michael_Chare
(fountain of knowledge) Sun 05-Feb-17 16:28:08
Re: Credit card details stolen from website.

[re: caffn8me]
 
I did wonder, somehow the message that was left on my voicemail sounded real, unlike many phishing calls and emails.

The number I was asked to ring was not listed on the CC website, so I called a number I know, and was told there was an issue, so the call was likely to be genuine. When I did call the number I was told my name and asked to confirm my month and year of birth from a choice of 4.

Michael Chare



Standard User Kenneth
(legend) Sun 05-Feb-17 16:37:05
Re: Credit card details stolen from website.

[re: Michael_Chare]
 
I have been called to confirm suspect fraudulent transactions before - once because of an attempt to withdraw cash in Australia (I think CC details were skimmed at a petrol station) and a couple of times for genuine purchases, but I could see why the bank thought them suspect (£1,000 PayPal to Japan).

Ken

Nostalgia is memory with the pain removed
Standard User Michael_Chare
(fountain of knowledge) Sun 05-Feb-17 16:44:38
Re: Credit card details stolen from website.

[re: Kenneth]
 
The Indians at our local Shell petrol station were skimming customers' cards to collect money for the rebels in Sri Lanka. I was not done, but I was very pleased when the rebels were defeated.

Michael Chare
Standard User Zadeks
(experienced) Mon 06-Feb-17 15:56:37
Re: Credit card details stolen from website.

[re: Michael_Chare]
 
I use PayPal as much as possible to avoid giving out my card details.

Edited by Zadeks (Mon 06-Feb-17 15:59:59)

Standard User Lars
(newbie) Tue 07-Feb-17 12:04:04
Re: Credit card details stolen from website.

[re: Michael_Chare]
 
I think we should be 100% sure before using cards anywhere online. We should boycott companies which are not following guidelines suggested by PCI DSS.

Basic security like SSL, Anti-Virus, Firewall, cannot be overlooked in any manner.
Standard User TrishaH
(knowledge is power) Tue 07-Feb-17 13:40:51
Re: Credit card details stolen from website.

[re: Zadeks]
 
Me too - at one time I avoided using it if there was an alternative card method, but now it's improved so much, I tend to think of it as probably being safer to use.

Anyone know how good the Kaspersky virtual keyboard is when entering such details?

Standard User bobble_bob
(knowledge is power) Tue 07-Feb-17 15:55:33
Re: Credit card details stolen from website.

[re: TrishaH]
 
Nothing is 100% safe but at the end of the day any fraud that happens in your account will be refunded by the bank so don't see a need to not use your card online as long as you're sensible about it.
Standard User TrishaH
(knowledge is power) Tue 07-Feb-17 16:32:41
Re: Credit card details stolen from website.

[re: bobble_bob]
 
True - I just prefer not to have the initial stress of knowing someone did commit fraud with my details ...it's a bit off-putting for a while :)

Standard User bobble_bob
(knowledge is power) Tue 07-Feb-17 17:18:56
Re: Credit card details stolen from website.

[re: TrishaH]
 
Agree with that. I had £400 once stolen from my account 7 or so years ago, and although I got it back quickly it affected me for many months. I would check my account every day online and get anxiety while logging in wondering if any more had been stolen. Went on for a very long time, and even now I check my account daily (minus the anxiety) which all stemmed from that.

I do buy stuff online now but just careful which sites I use.

Edited by bobble_bob (Tue 07-Feb-17 17:20:19)

Standard User TrishaH
(knowledge is power) Tue 07-Feb-17 17:43:40
Re: Credit card details stolen from website.

[re: bobble_bob]
 
Exactly how any breach affects us too. It's unpleasant to say the least.

In fact, I even hated logging into our bank accounts more than absolutely necessary ...still do keep it to a minimum, but scrutinise activity whenever I do.

We can do little more though than keep decent security software running, and be vigilant when visiting new sites ...after that, we've done just about all we can.

After all that, I need to go and pay my bank CC bill now! :)

Standard User caffn8me
(knowledge is power) Tue 07-Feb-17 17:51:55
Re: Credit card details stolen from website.

[re: Lars]
 
In reply to a post by Lars:
> I think we should be 100% sure before using cards anywhere online. We should boycott companies which are not following guidelines suggested by PCI DSS.
>
> Basic security like SSL, Anti-Virus, Firewall, cannot be overlooked in any manner.

SSL in all its iterations is already deprecated and up to date browsers will no longer connect to SSL sites. PCI-DSS now mandates a switch to TLS v1.1 or higher - the original deadline for which has already passed and been extended because businesses struggled to comply.

One problem is that it's difficult to determine whether a vendor is actually PCI-DSS compliant. Quick scans of a number of UK banks and building societies show that quite a few have online banking websites which aren't PCI-DSS 3.2 compliant [example].

I've looked at about ten sites and the only UK online banking site I've so far found that is PCI-DSS 3.2 compliant is Halifax.

But that's just websites. Even if a website is PCI-DSS compliant it doesn't mean that the rest of the business is. Do businesses print out credit card slips with the full PAN (Primary Account Number)? What happens to these printouts afterwards?

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User caffn8me
(knowledge is power) Tue 07-Feb-17 18:01:48
Re: Credit card details stolen from website.

[re: bobble_bob]
 
My feeling is that regular logins from a computer you trust to check your account activity are necessary these days to detect fraud.

There are so many ways that fraudsters can obtain credit card details that the sooner you discover a problem and report it to the bank, the better.

Even if you cancel a card (credit or debit), the fraudsters can work out what the number of the replacement card is because the card numbers follow a predictable sequence. Not all online sites require the CVV number to be entered. Amazon doesn't, for example.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User Malwaremike
(committed) Tue 07-Feb-17 18:16:26
Re: Credit card details stolen from website.

[re: caffn8me]
 
I agree it's difficult to understand bank security sometimes, like yourself we rely on common sense, checking accounts twice a week, and using up-to-date AV software. At login our banks still prompt us to download Rapport although it's already running according to its own 'dashboard'. The Firefox team says that Rapport is old software which cannot cope with today's techniques ... what more can we do?
Standard User bobble_bob
(knowledge is power) Tue 07-Feb-17 18:23:16
Re: Credit card details stolen from website.

[re: caffn8me]
 
I'm more concerned if my personal details on a particular site are stolen than bank details. Bank details can be changed and stopped. Your name, address, DOB etc can't be and fraudsters can probably do more damage with that information.

Edited by bobble_bob (Tue 07-Feb-17 18:23:26)

Standard User TLM
(legend) Tue 07-Feb-17 19:24:28
Re: Credit card details stolen from website.

[re: Michael_Chare]
 
By coincidence (or not?) I was also informed on Sunday that a suspicious transaction of over £900 with my credit card was attempted, but blocked. Usually, to my annoyance, these things are me, trying to buy something legitimately, but this one wasn't.

The implication is that the details were stolen, but they didn't (or couldn't) give any indication where they might have been stolen from, or whether it was even online. They asked if I'd left the card unattended (No!)

They told me the website where someone tried to use the card - which was a US website I'd never heard of, and now can't remember. Tops something? But of course, it does not follow that this is also where the breach occurred - and, as I couldn't recall ever having visited, let alone bought from the website, it's unlikely.

Like yours, my card has had to be stopped and reissued, but I wasn't given a choice about this - I was told, not asked.

If I'd had a choice, I might have decided to leave it, as it's inconvenient, to say the least, and the attempted fraud wasn't successful. If it had been, it would have been the cc Co's loss in any case, as I had not been negligent (left the card anywhere, or lent it to anyone). But that is one reason they wouldn't have allowed me to keep the card. If the fraudsters tried again, successfully, they, not me, would have been the loser - so obviously, they weren't going to let a situation like that prevail. The card had to be stopped, whether I liked it or not.

They apologised for the inconvenience, but made clear it wasn't negotiable.

The whole thing might be quite coincidental, but having also had my card stopped, on the same day, your post caught my eye.
Standard User TLM
(legend) Tue 07-Feb-17 19:30:35
Re: Credit card details stolen from website.

[re: Michael_Chare]
 
Very similar to my experience. The voicemail sounded genuine - I took steps to verify the number online before calling back.

Was asked some simple security questions (not from a choice, but things only I would know), and it was pretty straightforward and obvious it was really them.

Now waiting for the new card.
Standard User Michael_Chare
(fountain of knowledge) Tue 07-Feb-17 21:37:15
Re: Credit card details stolen from website.

[re: TLM]
 
My new card arrived this morning, very quick as I had called them on Sunday. Hope you have similar luck.

Michael Chare
Standard User TLM
(legend) Tue 07-Feb-17 22:20:42
Re: Credit card details stolen from website.

[re: Michael_Chare]
 
That's good - my provider told me it could take up to ten days, so I was expecting a long wait. Let's hope they were talking worst case, and it will arrive a lot quicker. I only phoned them yesterday, after picking up a voicemail from Sunday night.
Standard User wingco1
(legend) Wed 08-Feb-17 12:45:33
Re: Credit card details stolen from website.

[re: caffn8me]
 
Sarah, could you clarify something for me please, regarding PCI-DSS? Does this apply to all terminals where card details are entered, or just to the Bank etc., who process the card information?

Standard User caffn8me
(knowledge is power) Wed 08-Feb-17 14:01:22
Re: Credit card details stolen from website.

[re: wingco1]
 
PCI-DSS rules apply to anywhere and to anything that transmits, stores or processes card data. PCI-DSS applies equally to the terminals at retailers where cards are swiped, inserted or tapped, and systems at banks and retailers used to process transactions.

PCI-DSS also covers paper records such as the printouts from card machines. A lot of people don't realize that there are two different formats of printout for each card transaction from a regular card machine. The copy given to the customer doesn't contain the full card number but the merchant copy has the full account number as well as the expiry date. That's all that's needed to commit card fraud. It's easy for a waiter in a restaurant, for example, to harvest credit card numbers and expiry dates. They could also harvest CVV numbers quite easily.

Card payment terminals supplied to small businesses are increasingly using an internet connection rather than dialup modems and this means that PCI-DSS covers the retailer's internal network as well as the card terminals. Does the retailer have wifi enabled? Is this segregated from the network used to transmit card data? Are all other systems segregated from the network used by card terminals? If they're not, the system isn't compliant.

Achieving PCI-DSS compliance for a small business that uses IP connected terminals can be prohibitively expensive. It's certainly quite a few hours of work for someone who has a reasonable level of technical expertise and there are other costs too. Small businesses often staple the merchant copy of the card slip to their till copy for their records. They need to keep the card slip until the card company chargeback period has passed - which can be six months. At the end of this period they are required to destroy the card data. Do they? Are all these slips stored safely under lock and key?

I think that the banks are aware how difficult it is for small businesses to achieve proper PCI-DSS compliance and see it as a money making opportunity. Businesses which don't achieve PCI-DSS compliance are charged a monthly 'non-compliance fee' or a less favourable card processing fee. It's just another way for the banks to grab more money. As you can see from my previous post, banks' own systems aren't compliant with the latest PCI-DSS requirements.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs

Edited by caffn8me (Wed 08-Feb-17 14:10:42)
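
An added example, not part of the original post or of any PCI-DSS tooling: a Python check that finds full card numbers left in stored slip text or logs and masks them, which is the merchant-copy problem described in the post above. The slip layouts, the field names and the `4111 1111 1111 1111` test number are constructed sample data.

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run. Newlines end a candidate, so fields on
# separate lines of a slip are never joined together.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Expiry printed as MM/YY (assumed slip format for this example).
EXPIRY_RE = re.compile(r"\b(0[1-9]|1[0-2])/\d{2}\b")

# Constructed sample slips, not real card data.
MERCHANT_COPY = """MERCHANT COPY
CARD 4111 1111 1111 1111
EXP 09/19
REF 1234567890123456
AMOUNT GBP 42.50
"""
CUSTOMER_COPY = """CUSTOMER COPY
CARD **** **** **** 1111
REF 1234567890123456
AMOUNT GBP 42.50
"""


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: rejects references and order numbers that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str):
    """Return (start, end, digits) for every Luhn-valid full PAN in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append((m.start(), m.end(), digits))
    return hits


def mask_pan(digits: str) -> str:
    """Keep the last four digits only. PCI-DSS 3.2 allows at most the first
    six and last four to be displayed; this example is stricter."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(text: str) -> str:
    """Replace every full PAN in text with its masked form."""
    out, last = [], 0
    for start, end, digits in find_pans(text):
        out.append(text[last:start])
        out.append(mask_pan(digits))
        last = end
    out.append(text[last:])
    return "".join(out)


def audit_slip(text: str) -> dict:
    """Summarise what a stored record exposes."""
    pans = find_pans(text)
    expiry = bool(EXPIRY_RE.search(text))
    return {
        "full_pans": len(pans),
        "expiry_present": expiry,
        # Full PAN together with expiry is the combination the post warns about.
        "high_risk": bool(pans) and expiry,
    }


if __name__ == "__main__":
    print(audit_slip(MERCHANT_COPY))
    print(redact(MERCHANT_COPY))
    print(audit_slip(CUSTOMER_COPY))
```

The Luhn filter is what keeps the 16-digit transaction reference from being reported as a card number; run over scanned or typed-up slip archives, `audit_slip` shows which records still need masking or destruction.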

Standard User caffn8me
(knowledge is power) Wed 08-Feb-17 14:08:27
Re: Credit card details stolen from website.

[re: caffn8me]
 
Just as an example, have a look at the final post on UK Business Forums where a small business owner is trying to find a router suitable for PCI-DSS with network segregation. They've been quoted £1400 just for the router - a total ripoff. It just needs a basic router with VLAN capability.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User wingco1
(legend) Wed 08-Feb-17 14:21:17
Re: Credit card details stolen from website.

[re: caffn8me]
 
How can businesses use PayPal over the internet with no requirement by PayPal to be PCI compliant?

Standard User caffn8me
(knowledge is power) Wed 08-Feb-17 14:44:39
Re: Credit card details stolen from website.

[re: wingco1]
 
If a business uses PayPal only, they never have the customer's card number so aren't affected by PCI-DSS.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User wingco1
(legend) Wed 08-Feb-17 16:14:47
Re: Credit card details stolen from website.

[re: caffn8me]
 
Thanks for the clarification. One last question if I may. A Payments page on a website that links from that website, directly to a Merchant Account, where the details are entered on the Merchant Accounts page directly, and are not stored locally are not affected by PCI-DSS?

Standard User caffn8me
(knowledge is power) Wed 08-Feb-17 18:35:32
Re: Credit card details stolen from website.

[re: wingco1]
 
If the payment details are entered directly on the website of the vendor but relayed to the processor, even if they are not stored by the vendor, they are subject to PCI-DSS. If the vendor's page has a frame within it for entering payment details that originates wholly and directly from the processor's site, the vendor isn't subject to PCI-DSS.

With PayPal (and Sage Pay/Worldpay etc), the vendor's page typically redirects the customer to a page hosted by the processor and so the vendor has no PCI-DSS involvement.

I hope that all makes sense.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User wingco1
(legend) Wed 08-Feb-17 21:33:15
Re: Credit card details stolen from website.

[re: caffn8me]
 
Thank you very much for your patience and clarification. It is a complicated subject which you have explained very well to me. :)

Standard User TrishaH
(knowledge is power) Fri 10-Feb-17 22:02:05
Re: Credit card details stolen from website.

[re: caffn8me]
 
If a business uses PayPal only, they never have the customer's card number so aren't affected by PCI-DSS.

If a business offers card payment, or another button for Paypal payment ..do they still not get the card details?

Do you know if the Kaspersky Virtual Keyboard is a good thing for adding extra security to entering payment details?

Standard User caffn8me
(knowledge is power) Sat 11-Feb-17 00:32:05
Re: Credit card details stolen from website.

[re: TrishaH]
 
A business that takes payment through PayPal never receives the card details, they just receive the payment from PayPal and not directly from the customer. That's one reason why some people prefer to use PayPal for as many online transactions as possible.

Kaspersky is a very well respected firm so I'd imagine their Virtual Keyboard has been properly designed to add extra security to a transaction. I'll have a look at it next time I'm at a site that uses Kaspersky.

[edit] OK, I've had a look online and, yes, the Virtual Keyboard protects against certain attack vectors such as keyboard loggers. It's a good solution.

Some UK banks have a similar system requiring certain login information to be entered using the mouse on screen rather than the keyboard - for exactly the same reasons.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs

Edited by caffn8me (Sat 11-Feb-17 00:51:41)

Standard User TrishaH
(knowledge is power) Sat 11-Feb-17 00:55:48
Re: Credit card details stolen from website.

[re: caffn8me]
 
In reply to a post by caffn8me:
> A business that takes payment through PayPal never receives the card details, they just receive the payment from PayPal and not directly from the customer. That's one reason why some people prefer to use PayPal for as many online transactions as possible.

Very reassuring! I'll opt to use PP anytime I see it offered. Thanks!

> Kaspersky is a very well respected firm so I'd imagine their Virtual Keyboard has been properly designed to add extra security to a transaction. I'll have a look at it next time I'm at a site that uses Kaspersky.

I've been with Kaspersky for some years now - used to have excellent UK customer service via direct email, but that person is doing a different job now - still using it though, and currently KIS 16 - last version needed the virtual keyboard opening to use it when filling in details, but it now pops up automatically and operates in the background.
I'll buy next year's renewal through somewhere like Amazon.

I've often wondered just how effective that keyboard is.
I have had a couple of CC attempted frauds that were picked up by both Amex and my bank Visa before they got anywhere - but perhaps not necessarily caused by any online transaction, or failing by Kaspersky.

Standard User caffn8me
(knowledge is power) Sat 11-Feb-17 07:36:47
Re: Credit card details stolen from website.

[re: TrishaH]
 
The big danger is that a banking trojan will get onto your computer and start sending keystrokes entered on the physical keyboard when you visit banking websites back to the bad guys. What you enter via the virtual keyboard on screen generally can't be captured.

Kaspersky should detect trojans in the first place but there is a small chance a new one which hasn't yet been included in the virus definitions database could sneak past so the virtual keyboard provides extra protection.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User georgelnx
(member) Sat 11-Feb-17 09:14:05
Re: Credit card details stolen from website.

[re: TrishaH]
 
I know it sounds like using Paypal is the answer BUT by doing so you lose your protection under the Consumer Credit Act 1974 Section 75 that makes the credit card company jointly and equally liable with the retailer if things go wrong.

http://www.moneysavingexpert.com/shopping/section75-...

Standard User TrishaH
(knowledge is power) Sat 11-Feb-17 12:57:36
Re: Credit card details stolen from website.

[re: caffn8me]
 
In reply to a post by caffn8me:
> The big danger is that a banking trojan will get onto your computer and start sending keystrokes entered on the physical keyboard when you visit banking websites back to the bad guys. What you enter via the virtual keyboard on screen generally can't be captured.
>
> Kaspersky should detect trojans in the first place but there is a small chance a new one which hasn't yet been included in the virus definitions database could sneak past so the virtual keyboard provides extra protection.

The virtual keyboard no longer appears on the screen to use, it briefly appears to inform that it's protecting whatever details you are entering ...or at least, that's how it appears to be.
I like that it's automatic now, but think I preferred the visual actual keyboard.
Apart from that, it's good to know that extra layer of protection is present.
I do tend to check the database updates are recent.

As long as all seems well, I only visit the banking site when absolutely necessary - perhaps an average of once each week, Amex only when paying the bill.

I always run SuperAntiSpyware each night before shut down too - it seems to catch tracking cookies very nicely.

In reply to a post by georgelnx:
> I know it sounds like using Paypal is the answer BUT by doing so you lose your protection under the Consumer Credit Act 1974 Section 75 that makes the credit card company jointly and equally liable with the retailer if things go wrong.
>
> http://www.moneysavingexpert.com/shopping/section75-...

I hadn't known that - but PayPal offer some cover on things.
Mostly, PayPal is used with a debit card anyway, so cover isn't an issue. I do use a CC with it at times though, and may do so more often seeing it's more secure in many cases.

Standard User georgelnx
(member) Sat 11-Feb-17 13:13:34
Re: Credit card details stolen from website.

[re: TrishaH]
 
@Trishah
Using a CC to pay through Paypal loses the Consumer Credit Act protection due to the way the Paypal is classified by the Financial regulators. Ditto on "Amazon Market" transactions but not Amazon transactions.
Parliament has shown a marked reluctance to sort out the Consumer Credit Act to give us protection against Paypal, Amazon Market etc. Given how much money passes through just those 2 companies using CC's it is a national shame.

Standard User TrishaH
(knowledge is power) Sun 12-Feb-17 00:40:18
Re: Credit card details stolen from website.

[re: georgelnx]
 
In reply to a post by georgelnx:
> Given how much money passes through just those 2 companies using CC's it is a national shame.

I quite agree - they have sufficient business to offer better protection on items bought through their site.
