credit cards on Hannants compromised


I had noticed £30 taken out of my account for 02 prepay network, although I do not use this network. I was alarmed at this and phoned my bank to cancel my card. I have noticed that Hannants keep your card details stored when you make a different transaction, which is naughty and not very secure, and now I know why.


My card details were stored on the site, however I was able to delete them yesterday BEFORE Hannants shut the site down. I have not placed an actual order with them since last spring, nor have I experienced any fraud as of this AM. It does seem that the fraud occurred from what I can discern about the complaints here, with people who had placed orders within the past few weeks. So I don't believe it was an actual hack of the site, but rather some sort of problem at the actual card processor(s), as Hannants has now indicated to at least one customer (see post above). This should make those of us who haven't placed an order recently, feel a bit more secure. However, as with ANYthing involving money ANYone who has placed an order with Hannants in the past, should watch their credit accounts like a hawk and report ANY suspicious activity (such as the trial charge of a dollar or two from nowhere) immediately to your bank or card issuer.

My card details were stored on the site, however I was able to delete them yesterday BEFORE Hannants shut the site down. I have not placed an actual order with them since last spring, nor have I experienced any fraud as of this AM. It does seem that the fraud occurred from what I can discern about the complaints here, with people who had placed orders within the past few weeks. So I don't believe it was an actual hack of the site, but rather some sort of problem at the actual card processor(s), as Hannants has now indicated to at least one customer (see post above). This should make those of us who haven't placed an order recently, feel a bit more secure. However, as with ANYthing involving money ANYone who has placed an order with Hannants in the past, should watch their credit accounts like a hawk and report ANY suspicious activity (such as the trial charge of a dollar or two from nowhere) immediately to your bank or card issuer.

I confirm, I made the same deduction - only people who made registration on hannants or made an order within LAST MONTH are affected. At least nobody confirmed opposite


I think as the problem has happened between the server and the clearing bank this has only happened to people who actually made an order in the past few days etc.

It looks like it was not hannants which got hacked but the people they clear the money through.

I just checked my details as I was logged in yesterday but had not actually placed an order, no charges have been made to my CC.

Julien


I don't understand this paranoia over Paypal. I've been using it for years, hundreds and hundreds of transactions, not a single problem with fraud or theft. I think the fee is a little high but still prefer PP over CC.

Edited by Sig Saur & Son

Back to the trees. Another colleague from Slovak Republic provided me with a piece of information, that there were attempts to get money from his card, which he didn't use on Hannants for 8 months and in addition the card is not valid for half a year.

I think as the problem has happened between the server and the clearing bank this has only happened to people who actually made an order in the past few days etc.

Sorry folks, but my last order with Hannants was 9 Sept and my card was hacked on Friday. From what I see, Hannants have little to do with this directly - it is a problem with a bank server in the US and a clearing bank in the UK (which Hannants just happen to use).

Not something to blame Hannants for or anything that they could do about it.

I, for one, will still be ordering from Hannants, with absolute confidence in THEIR integrity (if not in the banks).

FredT


This one's also being discussed over at Britmodeller and I'd just like to thank you all for raising this one on-line as the first I'd have known about it would have been my bank calling to tell me about it!

Card cancelled and thanks to Jen for making us aware I have not been stung.


What are the chances of a bank being hacked versus a retailer using a bespoke shopping cart/database... hmmm... from a hacker's point of view, which would you think was going to be more likely to have a security hole? If the hack was at the bank, why would Hannants close down their site?

It's pretty clear Hannants stored all your CC details, somebody has hacked their way in, lifted the entire list and is working through it one by one. Good job last time I ordered from them was so long ago that the card has expired! Whether that hack exploited a server vulnerability or a flaw in Hannants own code is immaterial - the problem stems from Hannants storing the details.

As a general bit of advice, storing your CC details with any retailer is less secure than making one-off purchases - try not to do it!

For those of you who have experienced unauthorized charges.... Have they all been large transactions? Jan Jezl mentions $900 x 2, but recently I had a small charge (less than $2) that I didn't make. My bank told me that crooks will sometimes make a tiny charge, to check the account to see if it works, while trying to stay under the radar. I've used Hannants a few times since they've implemented their new system.

I got a call on Friday from a vendor in NYC saying that someone in Vegas was trying to order an I-Phone ($250.00) online using my credit card.

I then called the Credit Card company; got the purchase removed, cancelled the account number and I should be getting my new card this week sometime.

When I was at the bank this weekend to open a new checking account for my business, they gave me a new card, I mentioned that at least I will not have to be calling in fraud on this new card for a while. She asked me why I said that, so I told her what just happened. She told me that a lot of stolen card/account numbers are taken from gas pumps. People will go to a gas pump and insert a reader into the slot and download the data....

- Matt


I almost put an order 3 days ago...but as I understood (my English is not so good, I speak Spanish as first language), the problem or the main problem is between CC emitted by USA Banks and the British clearing Co, am I right?...I'll check my CC daily then....

For this question - I've got charged 8 times. First there were small charges (0,05$ and around 2$) to check if it works, then big one.

No comments from Hannants, but number of charged people seems to be pretty large.

OK, Jan, then that's what was happening to me. I pay pretty strict attention to every penny that goes in and out of my account, so they only got me for $1.53 before I caught them.

What are the chances of a bank being hacked versus a retailer using a bespoke shopping cart/database... hmmm... from a hacker's point of view, which would you think was going to be more likely to have a security hole? If the hack was at the bank, why would Hannants close down their site?

It's pretty clear Hannants stored all your CC details, somebody has hacked their way in, lifted the entire list and is working through it one by one. Good job last time I ordered from them was so long ago that the card has expired! Whether that hack exploited a server vulnerability or a flaw in Hannants own code is immaterial - the problem stems from Hannants storing the details.

As a general bit of advice, storing your CC details with any retailer is less secure than making one-off purchases - try not to do it!

Would you like a little-used hang-man's noose with that order of yours? How about just waiting for the companies, banks and people concerned to come back to us and tell us what happened and who was responsible before jumping in as judge, jury and executioner for Hannants?

Your advice of never allowing retailers to store your CC details is good, solid advice, but it's a little unfair to decide on who is responsible for the problem and telling the world about it before the evidence is in surely?

Wayne


No fraudulent charges yesterday, today at least 8 show up this morning on my VISA. I removed the card details yesterday before Hannants closed their site. I have not ordered in the last month or two. Called and disputed, account closed, new card to be issued. I'm steamed. 2nd time in the last 6 months I've had to close a card due to this crap. By the way, VISA didn't catch this one. Thank you Jan!

Rick L.

Hey, feel free to take offence on somebody else's behalf Wayne. I have assigned no blame - just pointed out what's the more likely scenario.

It's pretty clear Hannants stored all your CC details, somebody has hacked their way in, lifted the entire list and is working through it one by one. Good job last time I ordered from them was so long ago that the card has expired! Whether that hack exploited a server vulnerability or a flaw in Hannants own code is immaterial - the problem stems from Hannants storing the details.

I'd say that's a pretty strong assignment of blame, wouldn't you?

Your scenario is possible, and maybe even likely, but your statement above doesn't say 'possible' or 'likely' to me. I am actually on your side here too just for the record. All I'm saying is let's not hang Hannants before we know they are to blame.

Wayne

Edited by Armitage
What are the chances of a bank being hacked versus a retailer using a bespoke shopping cart/database... hmmm... from a hacker's point of view, which would you think was going to be more likely to have a security hole? If the hack was at the bank, why would Hannants close down their site?

It's pretty clear Hannants stored all your CC details, somebody has hacked their way in, lifted the entire list and is working through it one by one. Good job last time I ordered from them was so long ago that the card has expired! Whether that hack exploited a server vulnerability or a flaw in Hannants own code is immaterial - the problem stems from Hannants storing the details.

As a general bit of advice, storing your CC details with any retailer is less secure than making one-off purchases - try not to do it!

Unless you're Hannant's, the bank, the credit card processor or the hacker himself you have no idea what's happened. If you're an internet security expert, such as a CLAS consultant, you may well have a very good idea of what happened but you'd still have no details. It is very clear you are none of these, so perhaps you should avoid passing judgement.

Vince


Hannant's have just asked Britmodeller to post this, on their behalf:-

Dear Customer,

We are very sorry but there is a payment card security problem on Hannants web site.

We received a few emails yesterday afternoon and today we have found that there is an actual problem.

Our initial enquiries indicate that the problem is between the company in America that maintains the server and the clearing bank in England that handles the payments and that several other companies around the world are also affected.

The website has been temporarily closed until the problem is sorted out.

The companies that manage the security side of this business are investigating.

When we know what has happened and we have accurate information we will be sending out an email to all our customers.

We are very sorry for this problem.

We will send more information as soon as we can.

Best regards

H.G.Hannant Ltd.

From that, I would say that blasting/blaming Hannant's was premature, and way over the top.

Edgar

I'd say that's a pretty strong assignment of blame, wouldn't you?

No, I'd be assigning blame if I posted "Damn Hannants and their crap bug-ridden code". But I didn't. As I said, whether the flaw that has been exploited was in the server or Hannants own software is immaterial anyway.

Vince - hey I'm just a software engineer with decades of experience in building secure systems - and circumventing them, what would I know eh. Having cleared up the mess from a few hacks, the no.1 culprit is people relying on ignorance or obscurity to protect their systems. I've lost count of the number of customers I've discovered holding CC details in unencrypted form - or "encrypted" in so simple a manner that a schoolchild could decrypt the data in minutes. People rarely plan for the worst. And then usually claim the dog ate their homework when it all goes to pot.

Vince - hey I'm just a software engineer with decades of experience in building secure systems - and circumventing them, what would I know eh....

Being a software engineer doesn't make you an expert on this particular situation. You know absolutely nothing about what has happened with Hannant's unless you're directly involved. The point is you were quick to condemn Hannant's for storing the credit card details in an un-encrypted format, but you have absolutely NO evidence that this is the case. You're just guessing, and whilst you may have guessed correctly, it's still just a guess. For all you know Hannant's could be as much of an innocent party here as the people who have had their cards tapped.

Vince

Hannant's have just asked Britmodeller to post this, on their behalf:-

From that, I would say that blasting/blaming Hannant's was premature, and way over the top.

Edgar

Nice. They give that official information for Brits and that's it??? Well, from my point of view this is significant minus for Hannants. I've exchanged 11 emails with Hannants yesterday, forced another guys with stolen credit card data to write to Hannants and THEN they started investigation and they even do not care to inform us or other people???

anyway, Edgar, thank you for posting


What are the chances of your card details being out? I placed an order around the 3rd of October, and I checked today and nothing has come through on my bill, just wondering if anyone who has used Hannants is porked, or just some very unlucky people.


Jan, Britmodeller got that statement because the owner contacted Hannant's to find out what was going on. Nothing to do with only telling the Brits I would suggest.

peebeep
