PDA

View Full Version : Credit card theft via online shopping



PhilR
26-Sep-06, 11:43
On my recent computer build, I ordered several parts online from the US with my credit card (I'm in Kuwait). Most were from Amazon and one from another site I cant remember, but which was linked from Amazon. A couple of hours later, I got a call from my bank saying they had a suspicious transaction for just a few pounds-worth from a Hong Kong registered company. I said I'd check my purchases and get back to them. Nothing had been ordered of that value so I phoned and told them to cancel my card. Whilst on the phone they said another attempt had just been made for a small amount, which I told them to refuse.

I was lucky only to have lost a small amount, and I believe this is a trend where people who get your cc details can do a couple of small sample purchases to make sure the card works before hitting you with a big one.

Has anyone else had this happen to them?
How do they manage to get your details on so-called secure purchase sites?
What is the best way to counter this risk?

Phil

blueivy
26-Sep-06, 12:30
Hi PhilR,

There was a famous case in California where a company's database was hacked and credit card numbers stolen. The Californian State hite the company with a huge fine and amended the state law to attempt to stop this happening again. This is one way that your details can be stolen if the company themssleves store your credit card details.

It could have happened numerous different ways and some of the way are below (although I don't know your situation so some of them may not be applicable or possible for you).


If you store your credit card details on your PC, a hacker could get them from there. If you store your creidt card details on your PC, encrypt them.
Keyloggers are very popular just now. The new VML exploit that Microsoft has so far refused to patch until October installs a keylogger and sends back your PayPal details when you log onto that site. Keyloggers traditionally send back everything you type to a central server which stores the details and let's the thief access the details by searching through the logs. The recent keyloggers are getting a bit more sophisticated, as in the example above, where they are targetting specific details. PayPal comes up tops every month (quickly followed by eBay) as the top phishers choice.
As I said above, if the company stored your details in their database, that's the location thiefs will target.
A site that is compromised could send your details back to the thief; you enter your credit card details and the compromised site processes them but also send them off to somewhere else.
Other forms of spyware (other than keyloggers which I mentioned above) can log sites you visit and information you send.
Phishing emails or social engineering. If my bank called me to say there had been dodgy transactions on my account I wouldn't have beleived them (as my bank never calls me out of the blue). If your bank calls you or sends you an email, how many people give them their PIN, password or username? You'd think 'who'd be that stupid', but if it didn't work, they wouldn't use it so much ...
Fake websites. You buy a product from a website, they get your bank details and you never see the product (as it doesn't exist). Phishers have duplicated entire websites before (CitiBank) including information that you wouldn't normally look at.Even though the sites you visted are affiliated with Amazon, does Amazon check them out? I bet not and I bet they have that in their T's & C's too.

It's not easy to steal your card details and it's getting harder, although the thiefs are also working harder. The easiest way to get your credit card number is to simply ask you for it - if I do that and sound like asking for your details is something I do all the time (ie. I work in a call centre and sell soemthing or I work for a bank) then most people are going to feel more comfortable in handing them over. That's why social engineering is the easiest way to get your details and that's why it will always be until people become more suspicious. This is something I have a great deal of interest in - computer and onlilne security. You can never be too secure, but you can never be secure enough.

Best way to counter the risk, in my opinion:


Never give your details to anybody, including the bank, unless you have called them (if I call you I could be anybody, if you call me at the number on your statement then unless they are some very sophisticated crooks you WILL get your bank).
Get up to date anti-virus, anti-spyware (essential now as spyware is rapidly becoming a bigger problem than viruses) and a good firewall.
Make sure you only submit your bank details to ENCRYPTED sites that use SSL (the higher the better encryption).
Don't shop at store you know nothing about. Even these 'Verified by XYZ as a secure shopping site' don't mean everything. There was a recent article about this (which I can't find) that a number of these sites that were 'verified' were still dodgy.
And my tip, which is not applicable to you PhilR, is not to shop abroad unless you really have to. I just feel more secure shopping in the UK. A narrow minded and blinkered view I know, but it lets me sleep at night :) I have shopped abroad in the past but only with sites I knew were legitimate.Hope this helps, but it is only my two pence worth.

j4bberw0ck
26-Sep-06, 13:12
Another good idea (which may not be feasible in Kuwait) is to get a second credit card exclusively for internet use. Get a small credit limit on it, and choose an issuer who provides protection against internet fraud (I think Barclays offers this cover).

This in no way replaces the advice given above, but adds another layer of protection. I don't store my bank or card details on any pc, and have separate "strong" passwords for Fleabay, PayPal and internet banking which I don't let the browser "memorise".

blueivy
26-Sep-06, 14:23
Hi j4bberwock,

I suppose that's another one you mentioned - don't let the browser store passwords and credit card details!

blueivy
27-Sep-06, 21:54
See what I mean!

Hackers pillage AT&T online store ... (http://www.vnunet.com/vnunet/news/2163222/hackers-pillage-online-store)

Venture
27-Sep-06, 22:24
Hi Phil R the same thing happened to me in JUne. I was at home when my bank called and asked if I had bought anything within the last hour with my debit card. I hadnt. I had three transactions for small amounts like £1.70, 2.10 and £3.12 I immediately had my card stopped as well. I had like you recently purchased items from Amazon.

blueivy
27-Sep-06, 22:37
Hi Phil R the same thing happened to me in JUne. I was at home when my bank called and asked if I had bought anything within the last hour with my debit card. I hadnt. I had three transactions for small amounts like £1.70, 2.10 and £3.12 I immediately had my card stopped as well. I had like you recently purchased items from Amazon.

Hi Venture,

Was this through the main Amazon site or through one of the sites recommended by Amazon. I'm not sure if PhilR had the problem with external sites but what worries me is we have two real-world examples of people's details being used just after purchasing from Amazon!

And they say its the smaller retailers you should watch ....

j4bberw0ck
27-Sep-06, 23:14
And at the risk of introducing a political point, can you imagine how many hackers would be trying to crack the Government's proposed database of National Identity, if it existed?

Once they're in there they can be you and the police will arrest you for being the imposter........ they can defraud you with ease.

So if you think you have nothing to be afraid of from Identity Cards, think about some hassled, stressed out civil servant writing their password on a PostIt and sticking it to the underside of the keyboard. It's all it would take.

PhilR
28-Sep-06, 09:12
Thanks for the education everyone!

Good idea about the 2nd card just for online shopping J4berwOck.

I was happy that the bank call was genuine, as I recognized their number on my mobile, and they didnt ask for any card details, just informed me of the suspicious transaction.
Because I dont do much online shopping, I dont have my cc details stored on my pc (I dont think!). To be fair to Amazon, I cant confirm if the details were stolen from their site or the other smaller one. As an ironic aside though, 2 of the items I ordered from Amazon got lost in transit somewhere. When I emailed to point it out, they apologised, cancelled the order, refunded my money.....and the 2 items then turned up anyway!

A Kuwaiti friend of mine who works at the Ministry of Communications here recommended a software provider to me called Anonymizer (www.anonymizer.com). They have a product called TotalShield which encrypts data between your pc and whichever website you are visiting via a 'virtual tunnel'. It costs $100 per year.
It certainly seems to work, as Kuwait blocks many websites (ala China) and these come through no problem with the software switched on.

Would be very interested to hear your views and any pitfalls of this type of product.

Venture
28-Sep-06, 14:41
Hi Blueivy- Itw as from the main Amazon site. I order quite a lot of games and cds from it on a regular basis. Although my bank were on the ball when it came to detecting something was going on on my account, they havent come back to me yet with any details but they have refunded the money used.

j4bberw0ck
29-Sep-06, 18:15
A Kuwaiti friend of mine who works at the Ministry of Communications here recommended a software provider to me called Anonymizer (www.anonymizer.com) (http://www.anonymizer.com%29). They have a product called TotalShield which encrypts data between your pc and whichever website you are visiting via a 'virtual tunnel'. It costs $100 per year.

There are three pitfalls I can think of offhand:

1. The Anonymiser service knows which websites you visit (like a tracking cookie does) so you want to check the EULA about confidentiality of your surfing patterns;

2. Because eveything is routed through the anonymising servers (as I understand it) to disguise your IP address, it can slow down some sites. But if you're on the end of a gonzo broadband pipe, it should be OK.

3. It costs $100 a year!

Advantage in Kuwait is obvious - circumventing the government restrictions (when will governments learn????) but for here I'm not sure I'd use it. It can be argued that by disguising your real IP address (in fact, I think it changes your apparent address with every page throw), you're less likely to be attacked from the internet.

I suppose another obvious market is those people whose surfing interests are, shall we say, dubious, or people who want to surf from the office pc without getting canned by the IT department (who probably barred the Anonymiser IP anyway :lol: ).

Cheers!

blueivy
02-Oct-06, 11:25
I think the Anonymiser service is a good idea if you want to circumvent spying by your ISP, but has some drawbacks that I can see:

It is easily blocked from within countries, offices, anywhere the internet access is monitored. All the monitors have to do is block the IP address of the Anonymiser. I know WebSense (used in many large corporations and which I used to manage) marks them and are usually blocked by the monitors.
As j4bberwock says because everything goes through the same pipe it needs to be a big pipe. The servers will be load balanced so that's no so much an issue but the incoming and outgoing connection is.
$100.00 is a bit steep. Anonymizer (http://www.anonymizer.com) is currently having a special offer of $99.95 for 12 months which seems a better bet. I'm not advocating the site as I've never actually used it but it's one of the most popular anonymiser sites. I can't see if it will encrypt the traffic for this price though.If you're just looking to hide your IP address then a simple proxy will do this. Either check out your ISP that may provide a proxy or check out some of the free ones on the Internet. The free ones are used quite heavily and so may slow down your browsing.

Remember that when using an Anonymizer service the traffic between you and the service is encrypted, however you are not in control of the traffic once it leaves the Anonymizer service so this could still be intercepted.

I sell a product called SecurSurf that encrypts the traffic between your PC and SecurStar's servers and WILL circumvent spying by your ISP. It's currently on offer at at 80 euros for 12 months. SecurSurf has servers in a lot of countries (Germany, Netherlands, Czech Republic, Hong Kong, Malaysia, (Brazil, India, France, USA to come)) and they recommend you choose a server outside of your own country. Both do the same job, but I think SecurSurf has the edge with multi-country servers.

Remember that even though you have these products, your computer is still vulnerable to attack outisde of the tunnels that you use for surfing. To protect against this ALWAYS use a firewall!