Credit card hacked when purchasing thru strobist
Showing posts 1 - 25 of 44
01/03/2013 03:21:17 PM · #1
Be careful if purchasing something through the strobist site -- my mother had her credit card info stolen.

The Lighting In Layers video was recommended, and the strobist site said that it could be downloaded for $99 instead of purchasing the DVDs for $160. My mother in law said she would purchase it for me for Christmas. We followed the link, and purchased the downloads (which look very exciting, btw).

I received an email from her this morning that the bank has shut down her card in time to block thousands of dollars of debits.

The card had not been used since the end of November, except for the one transaction for the lighting in layers DVD.

I'm posting this here to let people know to tread carefully. I'm going to notify strobist and the company that handled the transaction, but since I don't deal with that site very often, and since it looked rather complex, I started here.
01/03/2013 03:29:52 PM · #2
CC fraud is surprisingly easy, and very common.

For what it's worth, your card number isn't even needed, as:

1. Your card number is based on the Luhn algorithm, and can be easily sequenced
2. Cards are issued in sequence, meaning that the expiration date is the same for a large batch of similarly numbered cards.

Now, maybe someone did steal her card from there, or maybe someone just calc'd up the right values, did a funds-availability check, and went to town on purchases that use limited verification. (you'd be surprised at the number of retailers that require little more than the number and exp. date, ie. prepaid cell phones)

For the curious, here's a method of calculating valid CC #'s. (frankly, this is over complex, effectively just add 7 or 17 to the final digit, unless it's in the 50's place, in which case iirc, it's a +5)

Being a security professional, I can say with some authority that the number of vulnerabilities each of us is subject to is somewhat scary. Frankly, you're limited to just being diligent, and hoping for the best; of course, some common sense measures for security aren't a bad idea.

Message edited by author 2013-01-03 15:32:27.
01/03/2013 08:18:35 PM · #3
Originally posted by Cory:

...of course, some common sense measures for security aren't a bad idea.


Sadly though common sense ain't so common anymore. I have an idea as to what you probably mean as I have worked as a PI and we dealt with fraud, but might be a good idea to post what you know are good security measures, esp online.
01/03/2013 08:35:21 PM · #4
Originally posted by snaffles:

Originally posted by Cory:

...of course, some common sense measures for security aren't a bad idea.


Sadly though common sense ain't so common anymore. I have an idea as to what you probably mean as I have worked as a PI and we dealt with fraud, but might be a good idea to post what you know are good security measures, esp online.


Well, the actual rules in my mind work something like this:

If you want to be safe, don't expose yourself
If you want to do anything, you'll need to expose yourself
If you must expose yourself, a middle man like paypal is a good idea and limits risk
Even if you limit your exposure as much as possible, it's still likely that you'll get hit
So, therefore
Expect to get hit - watch for it and take appropriate action immediately, ensure that you are covered by your cardholder policy, and don't lose any sleep over it.

Sad when the best advice is "keep your head on a swivel and your finger on the trigger, 'cause the enemy is right outside the walls and should be expected at any moment"... Of course, in the end that really is the best advice....

ETA: It's possible to make no mistakes and still lose.

Message edited by author 2013-01-03 20:35:44.
01/03/2013 09:09:42 PM · #5
Note to self... Don't trust Cory with any national secrets!

eta: I forgot the :P

Message edited by author 2013-01-03 21:10:28.
01/03/2013 09:18:15 PM · #6
Cory, maybe you could write up a special thread and answer questions about the topic if you have the time? I for one am very interested in increasing my personal information security. I've googled the basic stuff, but it's not quite the same as talking to a pro.
01/03/2013 09:39:28 PM · #7
Originally posted by EL-ROI:

Note to self... Don't trust Cory with any national secrets!

eta: I forgot the :P


LOL, did ya ever think I might already be one of the good guys? ;)
01/03/2013 09:45:18 PM · #8
Originally posted by Devinder:

Cory, maybe you could write up a special thread and answer questions about the topic if you have the time? I for one am very interested in increasing my personal information security. I've googled the basic stuff, but it's not quite the same as talking to a pro.


If you've got any specific questions, feel free to ask whatever you'd like - remember that this is just one facet of my job, and as such I'm not as good as a specialist like gyaban, but I'd be glad to give advice on the topic here, or via PM.

I tend to feel like all of this stuff is really common sense and people sense, but in truth another huge factor is computer literacy.. But, to be fair, a good security policy needs to take into account every exposure, both digital and physical, and don't forget that no matter how secure you are technologically, the humans that are inevitably involved are still perfectly fallible, either through social engineering or via malicious intent.

So, post your questions here, or post a new thread (trust me I won't miss it).. Obviously it'll have to be Q&A, as the A is really more like an encyclopedia than a book, and certainly isn't well suited to a single post on a message board. I can answer questions about security questions related to: Home security, personal security/defense, computer security, and real-world information security to some degree - although I'm admittedly better with the other three.

Message edited by author 2013-01-03 21:54:00.
01/03/2013 10:02:37 PM · #9
Originally posted by vawendy:

Be careful if purchasing something through the strobist site -- my mother had her credit card info stolen.

The Lighting In Layers video was recommended, and the strobist site said that it could be downloaded for $99 instead of purchasing the DVDs for $160. My mother in law said she would purchase it for me for Christmas. We followed the link, and purchased the downloads (which look very exciting, btw).

I received an email from her this morning that the bank has shut down her card in time to block thousands of dollars of debits.

The card had not been used since the end of November, except for the one transaction for the lighting in layers DVD.

I'm posting this here to let people know to tread carefully. I'm going to notify strobist and the company that handled the transaction, but since I don't deal with that site very often, and since it looked rather complex, I started here.


Please send a tweet to @strobist. It's the best way to get in contact with him, and I know that he'd want to know about this.
01/03/2013 10:44:33 PM · #10
Originally posted by Cory:


I tend to feel like all of this stuff is really common sense and people sense, but in truth another huge factor is computer literacy.. But, to be fair, a good security policy needs to take into account every exposure, both digital and physical, and don't forget that no matter how secure you are technologically, the humans that are inevitably involved are still perfectly fallible, either through social engineering or via malicious intent.


Pretty much on the money with that one, Cory. Sad thing is (as you have already indicated) that a great deal of the security posture is left in the hands of the end users, and humans are notoriously bad in this domain.

I have spent almost 40 years in the realm of security; I have found that people are for the most part the weak link in the chain. :O)

Ray
01/04/2013 12:38:18 AM · #11
A cautionary tale...How Apple and Amazon Security Flaws Led to My Epic Hacking
01/04/2013 02:04:16 AM · #12
Originally posted by Spork99:

A cautionary tale...How Apple and Amazon Security Flaws Led to My Epic Hacking


That's HORRIBLE
01/04/2013 04:26:37 AM · #13
I used to work in IT security while at Sun Microsystems and most of the time it's the user's fault. I've been on the internet since 1993 and haven't been hacked or scammed........

the best system is 98% secure, i.e. locked in a concrete bunker underground, off-site backup etc. and not connected to anything else. It's pretty useless but it's the most secure way, so security boils down to practicality vs security; the only way it's getting compromised is an invasion of said country

everyone moans about ID theft and hacking yet they have weak passwords, they use the same password for everything, they insist on clicking on anything, example ..... click like on this photo on facebook and 1000 puppies' lives will be saved.... click..... spams all their friends etc

the problem with IT security is people. I have a different password for different sites and most of my passwords are 8-10 characters long with no standard combinations

quote: "In many ways, this was all my fault"

01/04/2013 04:33:13 AM · #14
Just do as what I do and keep all of your credit cards maxed out. The most they can try and get is about $10 before the transaction is ejected ;-)
01/04/2013 04:37:10 AM · #15
or like me.... don't have one :)
01/04/2013 05:12:09 AM · #16
Originally posted by Giles_uk:

I used to work in IT security while at Sun Microsystems and most of the time it's the user's fault. I've been on the internet since 1993 and haven't been hacked or scammed........

the best system is 98% secure, i.e. locked in a concrete bunker underground, off-site backup etc. and not connected to anything else. It's pretty useless but it's the most secure way, so security boils down to practicality vs security; the only way it's getting compromised is an invasion of said country

everyone moans about ID theft and hacking yet they have weak passwords, they use the same password for everything, they insist on clicking on anything, example ..... click like on this photo on facebook and 1000 puppies' lives will be saved.... click..... spams all their friends etc

the problem with IT security is people. I have a different password for different sites and most of my passwords are 8-10 characters long with no standard combinations

quote: "In many ways, this was all my fault"

It's *NOT* just the users......the system's flawed too, for the same reason, only different.

Last Christmas, my credit card got flagged in a store for "Unusual Activity". Okay......nice to know the watchdogs are on it. Called the 800 number, and confirmed it was in fact me, doing my Xmas shopping in Best Buy, right here in my home town. Actually gave me a little bit of a warm fuzzy.

Fast forward eight months. A normal Saturday morning......stopped at the diner on my way to work for our regular B&B (Breakfast & Bitch) session. Paid for it with the card.

Here comes the magical part.......three hours later, 1400 miles away, I made a purchase at a Victoria's Secret retail store.

I found out about it later during a normal review of my account. The amount was exactly $300, in a store where EVERYTHING is $xx.95, and this is in a place where there is supposed to be a signature on the transaction with a card present.

No call from MasterCard.

Where the heck were my watchdogs? Considering I supposedly made this Victoria's Secret purchase 1400 miles away three hours after breakfast, and I'm a guy, doesn't this qualify as unusual?????

Two different MasterCards......and must be two different ways of determining what's unusual......or someone dropped the ball. Fortunately, this card was through my local bank and they made it all good, but it's not always the user's fault. This was a random credit card number generating scheme that was going on in this town 1400 miles away from me.

I was just "Lucky".
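
Added example, not part of the original thread: a sketch of the "impossible travel" check that applies to the two card-present purchases described in the post above (about 1400 miles apart, three hours between them). The coordinates, dates, thresholds and all names are assumptions constructed for illustration; note that 1400 miles in 3 hours is under 500 mph, so a bare airliner-speed ceiling does not flag it unless ground time is accounted for.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_MILES = 3958.8
MAX_SPEED_MPH = 500.0          # assumed ceiling: roughly airliner cruise speed
GROUND_OVERHEAD_HOURS = 2.0    # assumed airport/ground time on a flight-length trip
FLIGHT_DISTANCE_MILES = 200.0  # assumed: beyond this, the trip implies a flight


@dataclass(frozen=True)
class Txn:
    when: datetime       # all timestamps in one timezone (UTC assumed)
    lat: float
    lon: float
    card_present: bool   # True when the card was swiped at a terminal


def miles_between(a, b):
    """Great-circle (haversine) distance between two terminals, in miles."""
    dlat = radians(b.lat - a.lat)
    dlon = radians(b.lon - a.lon)
    h = (sin(dlat / 2) ** 2
         + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2)
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(h))


def required_speed_mph(prev, cur, overhead_hours=0.0):
    """Speed the cardholder would need to stand at both terminals."""
    dist = miles_between(prev, cur)
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    if dist > FLIGHT_DISTANCE_MILES:
        hours -= overhead_hours          # time lost to airports, boarding, etc.
    if hours <= 0:
        return float("inf") if dist > 0 else 0.0
    return dist / hours


def is_impossible_travel(prev, cur, overhead_hours=GROUND_OVERHEAD_HOURS):
    """Flag two consecutive swipes that no single traveller could have made."""
    # Only card-present swipes pin the cardholder to a physical location.
    if not (prev.card_present and cur.card_present):
        return False
    return required_speed_mph(prev, cur, overhead_hours) > MAX_SPEED_MPH


# Constructed sample mirroring the post: a morning swipe, then a swipe
# three hours later at a terminal roughly 1400 miles away.
BREAKFAST = Txn(datetime(2012, 8, 4, 8, 0), 45.00, -90.0, True)
FAR_STORE = Txn(datetime(2012, 8, 4, 11, 0), 24.74, -90.0, True)

if __name__ == "__main__":
    print(round(required_speed_mph(BREAKFAST, FAR_STORE)), "mph with no overhead")
    print("flagged:", is_impossible_travel(BREAKFAST, FAR_STORE))
```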
01/04/2013 05:40:18 AM · #17
Originally posted by vawendy:

Be careful if purchasing something through the strobist site -- my mother had her credit card info stolen.

The Lighting In Layers video was recommended, and the strobist site said that it could be downloaded for $99 instead of purchasing the DVDs for $160. My mother in law said she would purchase it for me for Christmas. We followed the link, and purchased the downloads (which look very exciting, btw).

I received an email from her this morning that the bank has shut down her card in time to block thousands of dollars of debits.

The card had not been used since the end of November, except for the one transaction for the lighting in layers DVD.

I'm posting this here to let people know to tread carefully. I'm going to notify strobist and the company that handled the transaction, but since I don't deal with that site very often, and since it looked rather complex, I started here.


As I regularly get e-mails that claim to be from banks saying that my account is on hold (mostly from banks I don't have an account with), I'd want to be sure in this instance that your Mother hasn't fallen prey to a scam e-mail and hasn't inadvertently given away her details to a scammer.

01/04/2013 07:32:18 AM · #18
I get masses, and I do mean masses, of spam supposedly from American banks and companies that I don't deal with. They get swept out of my account unopened. My one and only credit card is through my bank, I closely review my statement every single month, and pay for purchases online only through PayPal. I'm still not complacent at all; as Cory pointed out, you can't afford to be.

One thing about my cc is that as I keep it paid down they keep raising my limit, which I DON'T want. So I'm going to call them up and tell them to knock it wayyyy down, and see if they can cap it there. One friend of mine had hers capped at $1200.
01/04/2013 08:23:30 AM · #19
Originally posted by Abra:

Just do as what I do and keep all of your credit cards maxed out. The most they can try and get is about $10 before the transaction is ejected ;-)


hehehehe, great idea. :)
01/04/2013 09:34:38 AM · #20
I have a VISA card which has allowed me to go to their website and be assigned a "temporary" number to use for online purchases. It could be set to expire after some time limit (I think one week max), or even restricted to a single merchant or purchase. The "real" account number is never given to the merchant.
01/04/2013 11:33:16 AM · #21
How can you be sure that site was to blame?
01/04/2013 11:44:33 AM · #22
I recently had to call a credit card company to authorize my purchase... One of the common triggers for fraud is a large order for computer parts, and apparently not many 50+ year old women build high end computers from parts... Ha!
01/04/2013 12:06:08 PM · #23
The sad thing is that fraud is everywhere. ATMs, restaurants, gas stations...(I saw a video about gas station attendants showing the camera how easy it was to do, but I can't find it). The little portable card swipers, meant to help clients feel safe while employees swipe the card in front of them, have also provided an opportunity for said employees to first quickly swipe that card through their own reader to steal its information.

This article highlights one of the biggest hurdles - password-based protection is obsolete, as it has to be typed, and if you have a keytracking virus, it's an exercise in futility. In addition, the two-tiered security usually requests information that you know (mother's name, first house address, where you went to school), rather than something you have (a key, thumbprint, etc.). Biometric security seems attractive, but may also lead to gruesome crimes for someone hellbent on getting access to someone's digital life.

Finally, "the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification" is, quite frankly, inexplicable and appalling.
01/04/2013 12:14:17 PM · #24
Originally posted by kenskid:

How can you be sure that site was to blame?


Seems too coincidental to be anything else:

The purchases were made within a day or so after the real purchase. She's pretty much a strictly cash person. She doesn't purchase things online unless we help her with it, so the last online purchase was a month ago to shutterfly for Christmas cards. And there had been no other transactions for a couple of weeks. Also, the purchase was made from a mac, so it probably wasn't virus or malware related.

If it was me, there would be no way of tracking down where or when it was stolen -- I use my debit card for everything. But she uses hers only to drive to church every Sunday.
01/04/2013 12:31:01 PM · #25
Originally posted by alohadave:

Originally posted by vawendy:

Be careful if purchasing something through the strobist site -- my mother had her credit card info stolen.

The Lighting In Layers video was recommended, and the strobist site said that it could be downloaded for $99 instead of purchasing the DVDs for $160. My mother in law said she would purchase it for me for Christmas. We followed the link, and purchased the downloads (which look very exciting, btw).

I received an email from her this morning that the bank has shut down her card in time to block thousands of dollars of debits.

The card had not been used since the end of November, except for the one transaction for the lighting in layers DVD.

I'm posting this here to let people know to tread carefully. I'm going to notify strobist and the company that handled the transaction, but since I don't deal with that site very often, and since it looked rather complex, I started here.


Please send a tweet to @strobist. It's the best way to get in contact with him, and I know that he'd want to know about this.


Is there a non-tweet option? I don't tweet... :(
