WARNING: TFSOURCE account billing info compromised! (May 2011)

Discussion in 'Transformers General Discussion' started by DarthMagnificus, Jan 7, 2010.

Thread Status:
Not open for further replies.
  1. lebowski

    lebowski The Dude abides

    Joined:
    May 16, 2008
    Posts:
    134
    Trophy Points:
    62
    Likes:
    +2
    Honestly, I'd personally go even one further and just outright report your card as stolen.
     
  2. frenzyrumble

    frenzyrumble Banned

    Joined:
    Jun 7, 2007
    Posts:
    8,656
    News Credits:
    50
    Trophy Points:
    176
    Likes:
    +61
    over a few bucks? no thanks. I use this same CC (debit card) for about 15 bill type auto-pays....and on a daily basis. besides, I'm "secure" to an extent with protection from my bank. If the card (God forbid) is misused, I'll report the charges and get reimbursed
     
    Last edited: Jan 7, 2010
  3. adamthered

    adamthered Reads comics. Starts shit

    Joined:
    Jul 7, 2002
    Posts:
    4,963
    News Credits:
    2
    Trophy Points:
    257
    Likes:
    +4
    I've only ordered one thing from them in the past, MP Megatron, when he was released. I just checked and I don't even have an account with them, it was so long ago. I'll keep an eye out on my CC account but I think my card has changed a couple of times since MP Megatron came out.

    Hope you all are able to take care of this without too many issues.
     
  4. payton34

    payton34 Well-Known Member

    Joined:
    Sep 15, 2007
    Posts:
    4,056
    News Credits:
    13
    Trophy Points:
    212
    Likes:
    +25
    Just to be safe, I sent an email to the guys at BBTS as well. Hopefully they'll keep a close watch on their own information.
     
  5. lebowski

    lebowski The Dude abides

    Joined:
    May 16, 2008
    Posts:
    134
    Trophy Points:
    62
    Likes:
    +2
    That few bucks is a probe. If it works, they get bolder. That's how it works.

    I guess like anything, it depends on your personal situation. If you have a $5K limit, and someone pops a charge that makes you go over that limit, and then you keep using the card, bad things can happen. A) While it's easy to get the fraud charges taken of, it can be a real bitch to get the subsequent overlimit fees and charges reversed. Sometimes if you go over your limit, finance charge rules can change as well. Even though a theft got you over the limit, it's not the CC companies fault that you don't watch your account closely. B) If you're overlimit, the CC company might start declining your "15 bill type auto-pays", and these 15 companies won't be sympathetic at all when it comes to late fees.

    That said, watch your statements closely, and you'll be fine. Just depends how diligent you are.
     
  6. DeathStorm

    DeathStorm Snoochie Boochies

    Joined:
    Jul 20, 2005
    Posts:
    2,645
    News Credits:
    1
    Trophy Points:
    201
    Likes:
    +1
    Guys, c'mon, stop blaming TFSource for this - it wasn't their fault. Security can always be bypassed by some thieving asshat, regardless of how secure a website thinks they are. There is no such thing as 100% protection.

    TFSource are good guys and I'm sure they are doing all that they can to get this stopped - assuming they are the target.


    I too have to get a new card. Luckily I'll be able to do it during my lunch at the local bank branch - shouldn't be too difficult. I've also removed my card info from Amazon. I never had it with BBTS, I use paypal with them. Damn, that reminds me, I need to remove it from Paypal as well...
     
    Last edited: Jan 7, 2010
  7. Zherbus

    Zherbus In Shogo Hasui, we trust.

    Joined:
    Oct 26, 2008
    Posts:
    2,362
    News Credits:
    3
    Trophy Points:
    151
    Likes:
    +6
    I did that too. I hadn't had any charges yet, so I'll keep my eye out just to be sure.

    It really sucks because TFSource is always way better customer service in my opinion. And who doesn't love their packaging. Unfortunately, they don't have the security verification thingy that BBTS has.
     
  8. ryan.j

    ryan.j Well-Known Member

    Joined:
    Sep 22, 2009
    Posts:
    1,859
    Trophy Points:
    126
    Likes:
    +3
    Still, it's some pretty fucking shit PR for them.

    i like them, they provide great service and stuff, but if in the back of my mind is the niggling doubt that i might have my CC details stolen using them i'll probably think twice before ordering, which is a real shame.

    It can't be compromised client accounts either because that masks the card number - the backend db itself looks to have been touched up. Plus you can't change the payment details on their system without another valid CC number to go in, which is incredibly annoying.
     
  9. Zherbus

    Zherbus In Shogo Hasui, we trust.

    Joined:
    Oct 26, 2008
    Posts:
    2,362
    News Credits:
    3
    Trophy Points:
    151
    Likes:
    +6
    Look at the top left corner of BBTS. See all that security protection?

    Find me that on TFSource. If I got hit with charges, I should feel dumb for leaving my card sitting there 'for convenience'.
     
  10. Waverider

    Waverider Supreme Dude

    Joined:
    Jan 10, 2009
    Posts:
    8,743
    News Credits:
    8
    Trophy Points:
    317
    Location:
    GTMO
    Likes:
    +454
    Ebay:
    Twitter:
    Google+:
    I checked my account and no itunes charge or anything that looks out of the ordinary. I used my card for the last 2 months at TFSource, Amazon,Robot Kingdom, BBTS, Toy Arena, Walmart and many others.
     
  11. Scantron

    Scantron Well-Known Member

    Joined:
    Oct 3, 2004
    Posts:
    8,248
    News Credits:
    3
    Trophy Points:
    211
    Likes:
    +9
    This...

    ...makes it appear they were.

    That said, I'm not pissed off at TFSource, since they're almost certainly a victim here too. However, this suggests it's not as safe to do business with them as it is with other online sites. I've been very happy with their service but, until I see evidence that they've upgraded their security, I won't be doing business with them. And, even if they do upgrade, I'll be wary about placing any future orders.
     
  12. lebowski

    lebowski The Dude abides

    Joined:
    May 16, 2008
    Posts:
    134
    Trophy Points:
    62
    Likes:
    +2
    It's a bit of a coincidence that it's happened to 5 or so of us, and that one of those 5 had a unique CC# given only to TFSource.

    1 of 3 three things happened:

    1) Someone on their staff stole it
    2) Someone not on their staff stole it from them
    3) Someone stole it from their CC processor

    In either case, it's shoddy data protection, and I don't do business with companies that handle sensitive data this way.
     
  13. frenzyrumble

    frenzyrumble Banned

    Joined:
    Jun 7, 2007
    Posts:
    8,656
    News Credits:
    50
    Trophy Points:
    176
    Likes:
    +61
    nevermind ;) 
     

    Attached Files:

    Last edited: Jan 7, 2010
  14. DeathStorm

    DeathStorm Snoochie Boochies

    Joined:
    Jul 20, 2005
    Posts:
    2,645
    News Credits:
    1
    Trophy Points:
    201
    Likes:
    +1
    So a Verisign icon is what you base website security on (the other products have nothing to do with cc protection)? Do you know what they actually do? They verify your card information against your address/personal info. They also offer Secure Socket Layer certificates. Both are low level security features and many sites use them without putting the verisign symbol on their site (Amazon, Best Buy, Walmart, are all clients - find the Verisign logo on their sites). Of course there are higher level security features that website use but, for obvious reasons, they aren't going to announce them on their site.

    You're falling into the "paranoia" trap that media has put on us and jumping to hasty conclusions. In general, card usage on the Internet is very safe, but sometimes things do happen. Nothing is perfect. It's akin to an airline crash. Very rare and all security measures are taken, but they still happen.

    Relax, take steps to cancel your card, and don't be so hasty to jump to conclusions - certainly don't blame TFSource. No online security is infallible.
     
    Last edited: Jan 7, 2010
  15. kronos

    kronos PSN = METROPLEX_84

    Joined:
    Apr 4, 2005
    Posts:
    1,826
    News Credits:
    1
    Trophy Points:
    232
    Location:
    Lavalette, West Virginia
    Likes:
    +6
    I wanna start by saying i work in the Credit Card industry, so i wanna give you all a few tips here IF YOU HAVE A CHARGE thats not authorized.

    1. File a police report. This covers your ass if anything happens down the road. The amount matters none. fraud cases are a tricky thing and the more you cover your ass the better.

    2. if you can swing it and you dont already have it, i would invest in a credit monitoring service. preferably one that offers some sort of insurance. keep it for a minimum of 6 months.

    3. if you cant do above, in 6 months pull your credit report. Depending on what info was lost, they can do more damage that just make a few charges. If someone gets a hold of your credit card, name, address, etc., they can access your credit bureau and go to town.

    99% of credit card companies wont refund the "stolen" amount if its less that $50. These are rules set up by Visa, Mastercard, and Discover. Im not sure about Amex. But if its a trivial amount, your bank may just do it.

    Monitor your old account number about 2 weeks after its closed. allot of times a credit card company will say they closed it but not really do it to give you time to change the number with subscription services.

    contact all businesses you have that card with and advise them that card is no longer valid. This is just as a convenience.

    If the rep at your bank says they will just remove the charge and issue a new card, request to speak to the fraud department. file a fraud case. Thats the only way thieves get caught.
     
  16. ryan.j

    ryan.j Well-Known Member

    Joined:
    Sep 22, 2009
    Posts:
    1,859
    Trophy Points:
    126
    Likes:
    +3
    they have an SSL certificate, they use HTTPS. technically that's a secure connection, the problem is elsewhere.
     
  17. ryan.j

    ryan.j Well-Known Member

    Joined:
    Sep 22, 2009
    Posts:
    1,859
    Trophy Points:
    126
    Likes:
    +3
    Click it, there is some unverified content. the unencrypted content is likely banners, flash or something like that and nowt to do with your creditcard details -

    There would be literally no point whatsoever having an SSL certificate and not using https for your site's CC transactions. doubly so given that is precisely what they'd have bought the SSL cert for in the first place. If there was something seriously wrong with the security on Tfsource firefox would drop a lung as soon as you hit it, rather than just flagging some content as unsigned.

    for what it's worth, the https thing basically prevents the internet equivilent of a 'wiretap' from intercepting the client's CC details before they reach the host server. it does this by encrypting traffic between the webserver and the client's browser.

    BBTS does exactly the same thing, but use Verisign to provide the cert and they encrypt everything rather than just certain traffic. One SSL cert isn't really better than another, but people so like to see 'names they trust' on sites.

    I'd bet irl money that the HTTPs thing is a big fat red herring, and the problem is unauthorised access to their Db. in the unlikely event that the database stores CC details in plaintext then we're all fucked along with the silly sod who wrote the ecommerce app, but even if they hashed the values it's not entirely foolproof - you just work it the opposite way to how you'd think - resolving generated CC numbers to hashes until you hit a match. But that's slow, processor intensive and would only mean some are compromised.

    all in all, just keep an eye on your statements. phone your bank if you're concerned. we already know they're using itunes to test the cards so that's a head start and knowing is half the.. no, wait. wrong one.
     
  18. frenzyrumble

    frenzyrumble Banned

    Joined:
    Jun 7, 2007
    Posts:
    8,656
    News Credits:
    50
    Trophy Points:
    176
    Likes:
    +61
    yep, you're right. I learned a while back it's not safe to enter any payment info on site with this icon though.
     
  19. Janitor

    Janitor Well-Known Member

    Joined:
    Apr 28, 2009
    Posts:
    3,006
    News Credits:
    2
    Trophy Points:
    262
    Likes:
    +1,135
    Good idea, just did that. I called my CC company and no recent little transactions (since I just created an account with TFSource 2 days ago). However I'll still monitor it.

    I really don't want to cancel my credit card though, had this # since 1996! Oh memories, I know this thing by heart. Ordering pizza during my school days, Xmas gifts on Amazon, and of course the many TF purchases...[cue montage featuring Lionel Richie's "Hello"]
     
  20. ILoveDinobot

    ILoveDinobot Baby ILD's #1 fan

    Joined:
    Jan 19, 2006
    Posts:
    19,322
    News Credits:
    11
    Trophy Points:
    337
    Location:
    They are not the hell your whales
    Likes:
    +4,222
    Ebay:
    Twitter:
    Instagram:
    YouTube:
    Crap, well my credit card can take a long time before it shows you what you bought so I won't know. :( 
     
Thread Status:
Not open for further replies.