credit cards on Hannants compromised


You thought online shopping was really safe. Turns out it's not.

Nothing is 100% safe. I've always known there's a risk associated with these cards, but fortunately, the risk is small. The key is vigilance. I watch every penny that goes in and out of my account. If you report the discrepancy to the Bank ASAP, chances are the bank will cover you.

Funny thing with mine, I have been unemployed/redundant for quite a long time. Had the criminals gone for the "big money" in my account - they would have been in for a rude surprise! ;) There's never very much money in mine!

Nothing is 100% safe.
True, but I'm pleased to see that Hannants is again considering going with Paypal. It seems a much more secure method than having individual website process CC info.

QUESTION:

So many of these fraudulent transactions involve ordering products (even magazine subscriptions were mentioned).

In order to receive the products the crooks ordered they have to provide a delivery address.

Given an address wouldn't it be very easy for the authorities to catch the criminals???

;)

QUESTION:

So many of these fraudulent transactions involve ordering products (even magazine subscriptions were mentioned).

In order to receive the products the crooks ordered they have to provide a delivery address.

Given an address wouldn't it be very easy for the authorities to catch the criminals???

;)

It is my understanding that most of the individuals use either PO Boxes or other forms of "dead" drops in order to order their fraudulent goods. Those who order from Countries such as Nigeria and the like, have the goods sent to "legit" businesses and pay someone there a small fee to sign for them and then they pick them up. At least that's what I have read.

Edited by madmanrick

Well, I got hit today, too. My card issuer caught the charge and emailed and phoned me to confirm, so no harm done. It was two charges--a small $2 charge and a much larger $600+ charge with HP's web site. I closed the account and will be getting a new card. It's a bummer, too, as I still haven't gotten the items I ordered from Hannants two months ago (I blame the USPS).

Anyone owning up to being one of the 8!

Julien

Does it really matter? Some people are ticked off. I can understand that. But why ask them to come clean? That is a private matter.

At the same time though, Hannants is an online hobby retailer, NOT a Credit fraud prevention line. The speed at which this happened took them by surprise just as much as the rest of us. But they don't have a person watchdogging people's credit card numbers looking for suspicious transactions. Besides, it might have still continued for a couple more months if not for the fact that the people who got ahold of our card numbers tried to do a mass orgy of spending with them starting last weekend. And who is to say it didn't happen before Jan pulled the alarm? There could be others who got zinged who aren't on ARC, but didn't put two and two together.

If you are a retailer, you don't push the panic button until enough information gets collected to ensure it is warranted. The reason being that lost business means lost income. One or two reports of incidents could be isolated, so you ask the bank and the processor to look into it, but keep things going. More word trickles in, but you hear nothing back from the bank or the processor, so you keep going, but start checking on your end wherever you can. Finally the pieces of the puzzle begin to fall into place, so it then becomes a good idea to tell what facts you have at this time, as you now have something you can say to the public and not fuel the speculation. But you still probably won't shut down until after you look over the contingency plans of how to shut down, because you have employees processing the orders at the warehouse and shipping them. How are they going to get paid, will they have to take time off? Will the insurance cover this? As such, if this becomes a lengthy shutdown, you have to plan ahead somehow. As big as Hannants is in the hobby retail industry, they certainly aren't the size of, say, ASDA or Walmart. As such, they can't push the panic button until they have a very clear indication of a problem from more than one source, because their income stream is tied very much to their mail order side.

All things considered, given my knowledge of small business and the hobby industry, Hannants did exactly the right thing and could not have timed it any better, given the circumstances.


Just to add details for those needing a timeline. From my archived emails, Hannants announced their new website in late March and entered service in early April.

I re-registered my details and CC in the new website back then but haven't placed any orders yet. My last order was last year in their old website. The CC I use is a virtual one, but so far I haven't been hit. I called my bank anyway just in case. They told me that there have been no attempted charges or fraudulent behavior so far and there was no need to get a new CC#, just go to the net banking site and deactivate my virtual card, but they'll be on the lookout anyway.


From Hobby Search :

Dear

We are writing to let you know of a hacker or hackers that penetrated our computer system and accessed customer data including credit card information.

At the time of writing, we do not know of any of this information being available publicly. It is important to us that you, the customer, do not experience any monetary damages because of this incident, and have provided the information of all the cards that may have been involved in this incident to each of the credit card companies so that they may monitor the activity on these cards.

If you have any concerns about the security of your card, please contact the card company (via the number on the back of your credit card).

Also, although we have switched to a more secure credit card transaction system that only stores the last four digits of your card on our databases on July 7, 2010, we have disabled credit card payments indefinitely.

The credit cards involved in this incident are those used in orders prior to July 7, 2010 (a maximum of 23,526 cards), and we are notifying those affected with this email.

<The information that may have been accessed>

- Credit card numbers, expiration dates, cardholder names

We do not store personal verification passwords or security codes on our databases, so these have not been accessed.

Again, we have switched to a more secure credit transaction system on July 7 that only stored the last four digits of those cards and cannot be abused by a third party.

We are deeply sorry for any inconvenience or concern that this incident may have caused.

<A timeline of events>

October 6 - A system administrator found traces of attacks from Korea and began investigating immediately. That night, we contacted an external security firm to investigate.

October 7 - The external examiners began investigations in the morning. We shut off our systems for emergency maintenance, reinstalled all server operating systems and software, re-examined security settings, and isolated the server.

Logs indicated that customer data had been sent out from our server to the address of an institution in Korea.

We contacted that institution by phone and email about this incident and confirmed that the data had been deleted. We believe that they were used as a proxy.

October 8 - We revised program, network, firewall, and client machine security and implemented an intrusion detection system.

October 12 - We contacted the credit card transaction handler and began discussions about the course of action.

October 20 - The external investigators concluded their investigations and determined which and how much data had been accessed.

October 28 - With the results of the investigation and cooperation of credit card companies, we are ready to handle customer correspondence and have sent out email notifications to the customers that may have been affected.

The attackers took advantage of a security hole in our computer systems.

We have not determined who they are, but have found the attacks to be originating from an educational institution in Korea. We have contacted this institution and requested they determine who the attackers are and that they secure the data stolen.

We deeply regret that this incident has occurred, and are continuously examining the security of our systems. We believe that the root of this problem was the lack of security awareness among each and every employee and are making sure this should not happen again.

We will work hard to maintain your confidence in Hobby Search and hope to see your continued patronage.

Sincerely,

Toshiyuki Suzuki
President
Hobby Search

We have set up a FAQ here: http://www.1999.co.jp/info_card_qa_e.html


Well THAT is interesting. Makes me wonder if these two incidents are related. I would say all Hobby online retailers should be on the lookout for any hacks like this as if one group has done it and broadcasted their success, others might try to see if they can top this.

Well THAT is interesting. Makes me wonder if these two incidents are related. I would say all Hobby online retailers should be on the lookout for any hacks like this as if one group has done it and broadcasted their success, others might try to see if they can top this.

Just checked out the net and the Hannants site is TEMPORARILY open again; you can browse and check things out but you STILL CAN NOT place orders on it.


I just had a call from my bank asking if I'd used my debit card for a large transaction (over £400.00 GBP) in an O2 facility. Neither my wife nor I have an O2 ANYTHING!

Kudos to the bank 'cos we checked the account last night and there were no odd transactions then.

Needless to say, card stopped and we're now without the plastic fantastic until the new one arrives.

Now the thing is.....I have never used my card online....anywhere!

If I ordered from Hannants I used the phone but I know they did store my card details on their PC as they always ask for the security number off the back but never the full 16 digit number off the front, maybe the last 4 or something.

I'm gonna tell Hannants about this as they do need to know that when the new card arrives, I don't want my card details recorded on the Hannants company computer(s). I'll just read off the details as they need them.

Damn!

I thought I wuz safe there, it just shows you eh?

Gaz


I have just received a phone call from my bank and they told me that during the night somebody from the USA attempted to take 28 US cents from my credit card, so my card has been blocked by the bank.

I write this here just let you know that they are still trying to take money from the credit card numbers stolen.

cheers

Roberto

Edited by Drake64

My bank rang me today and said there was a $1.68 transaction taken from my account from somewhere in the US. I bought something from Hannants as well. The bank told me they take a small amount first to make sure the details they stole are correct, then go back for a bigger amount later on. They've frozen my account and are sending out a new card. I'm lucky I just use a Visa debit card, so I only transfer enough money onto it to cover my purchase at the time, so they wouldn't have gotten much anyway. So even New Zealand on the other side of the world isn't safe.

Cheers

Dean

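The pattern the bank described to Dean (a tiny probe charge, then a much larger one once the stolen details are known to work, as in the earlier $2-then-$600+ report) is something issuer-side monitoring can flag. The script below is an added example, not code from any bank or from Hannants; the transaction schema, merchant names, thresholds and time window are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    """One authorization as an issuer's monitoring would see it (constructed schema)."""
    card: str          # masked card reference, never the full number
    when: datetime
    amount: float      # cardholder currency
    merchant: str      # merchant identifier (placeholder names below)
    country: str       # merchant country code


# Constructed sample history. Amounts echo ones reported in the thread:
# a $2 probe followed by a $600+ charge, and lone probes of $0.28 and $1.68.
SAMPLE = [
    Txn("****4298", datetime(2010, 10, 30, 9, 0), 14.99, "hobby-shop-example", "GB"),
    Txn("****4298", datetime(2010, 11, 2, 3, 12), 2.00, "webstore-a-example", "US"),
    Txn("****4298", datetime(2010, 11, 2, 3, 40), 612.50, "webstore-a-example", "US"),
    Txn("****1234", datetime(2010, 11, 2, 4, 5), 0.28, "digital-b-example", "US"),
    Txn("****5678", datetime(2010, 10, 1, 12, 0), 40.00, "grocer-example", "NZ"),
    Txn("****5678", datetime(2010, 10, 3, 12, 0), 1.68, "grocer-example", "NZ"),
]

MICRO_LIMIT = 5.00              # anything at or below this is a candidate probe
HIT_RATIO = 50                  # follow-up must be this many times the probe
WINDOW = timedelta(days=7)      # how long after the probe to look for the hit


def card_testing_alerts(txns, micro_limit=MICRO_LIMIT, hit_ratio=HIT_RATIO, window=WINDOW):
    """Return (card, kind, detail) tuples for cards showing the probe pattern.

    kind is "test-then-hit" when a micro-charge at a merchant the card has not
    used before is followed within `window` by a charge >= hit_ratio times it,
    and "micro-charge" when such a probe stands alone (worth a cardholder
    confirmation call, as several posters in the thread received).
    """
    by_card = {}
    for t in sorted(txns, key=lambda t: t.when):
        by_card.setdefault(t.card, []).append(t)

    alerts = []
    for card, hist in by_card.items():
        seen_merchants = set()
        for i, t in enumerate(hist):
            first_time_here = t.merchant not in seen_merchants
            seen_merchants.add(t.merchant)
            if not first_time_here or t.amount > micro_limit:
                continue  # a tiny charge at a familiar merchant is normal
            probe = f"{t.amount:.2f} at {t.merchant} ({t.country}) on {t.when:%Y-%m-%d}"
            hits = [u for u in hist[i + 1:]
                    if u.when - t.when <= window and u.amount >= hit_ratio * t.amount]
            if hits:
                alerts.append((card, "test-then-hit",
                               f"probe {probe}; then {hits[0].amount:.2f} at {hits[0].merchant}"))
            else:
                alerts.append((card, "micro-charge", f"probe {probe}"))
    return alerts


if __name__ == "__main__":
    for card, kind, detail in card_testing_alerts(SAMPLE):
        print(card, kind, detail)
```

The grocer card's $1.68 charge is not flagged because that merchant already appears in its history, which is the distinction that keeps the rule from paging on every small everyday purchase.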

Just got a note from my bank. There were a few hundred $$$ worth of charges, but the bank reimbursed straight away. I have not done any business with Hannants for a few months but my CC was still compromised. I suggest that if you have ever used your CC at Hannants, cancel your card immediately.

Marcel


Score +1 - just called my credit card company and picked up the first test transaction, before the big hit arrived.

Account was clean about an hour ago.

New card arrives in 5-7 days......

Last transaction with Hannants was 6 August, so this is starting to sound like malware which has allowed the stored records on the Hannants internal network to be exfiltrated.

Howard

Now the thing is.....I have never used my card online....anywhere!

If I ordered from Hannants I used the phone but I know they did store my card details on their PC as they always ask for the security number off the back but never the full 16 digit number off the front, maybe the last 4 or something.

I'm gonna tell Hannants about this as they do need to know that when the new card arrives, I don't want my card details recorded on the Hannants company computer(s). I'll just read off the details as they need them.

It is VERY important that you tell Hannants about this. That information can be very helpful in determining exactly what system the hackers penetrated. If you remember correctly and you only ordered by phone, the web site is probably clear.

However, I don't see how you could have used the card as payment without the full 16 digits. They need those to charge your card. You didn't use any other method of payment?

And, to further complicate matters, the risk is just as big (in most cases even bigger) when you use the card in a store. You could very well have been skimmed at your local convenience store.

It is VERY important that you tell Hannants about this. That information can be very helpful in determining exactly what system the hackers penetrated. If you remember correctly and you only ordered by phone, the web site is probably clear.

However, I don't see how you could have used the card as payment without the full 16 digits. They need those to charge your card. You didn't use any other method of payment?

And, to further complicate matters, the risk is just as big (in most cases even bigger) when you use the card in a store. You could very well have been skimmed at your local convenience store.

When I make an order with Hannants (or used to.....) I would call them and give my item no. etc.... They would then ask if I wanted to use card no. ending in '4298' (for example) and then could I give the security number off the back of the card - this is an indication that the full number is in front of the guy at Hannants as I talk to him.....

I did ask them a while ago to remove any card details they had stored and I was assured that there was no risk of any kind.

- Famous last words huh?

I've spoken to Hannants and they are going to delete each card number after it's been used for the current transaction from now on.

Seems good to me and I will certainly use them again.

Gaz

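The Hobby Search notice earlier in the thread says its replacement system keeps only the last four digits, and Gaz's posts above describe Hannants keeping full numbers on file. As an added example (not code from either retailer), the scanner below audits stored records for anything that looks like a full card number, using the public Luhn check that real card numbers satisfy, and reports hits masked so the finding itself does not spread the number. The records are constructed; the card numbers in them are widely published test numbers.

```python
import re

# A run of 13 to 19 digits, optionally separated by single spaces or hyphens,
# that is not part of a longer digit run.
_DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (public algorithm)."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits, the same amount Hobby Search retains."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str):
    """Return masked card numbers found in one text record."""
    found = []
    for m in _DIGIT_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(mask(digits))
    return found


def audit_records(records):
    """records: iterable of (record_id, text). Returns [(record_id, masked_pan), ...]."""
    return [(rid, pan) for rid, text in records for pan in find_pans(text)]


# Constructed sample export. 4111... and 5500... are widely published test
# numbers; the phone number and reference are made up and fail Luhn.
SAMPLE_RECORDS = [
    ("order-1001", "customer=G. Smith card=4111 1111 1111 1111 exp=03/12"),
    ("order-1002", "customer=R. Rossi card_last4=4298 token=tok_7f3a9c"),
    ("order-1003", "phone=+44 1502 000000 ref=1234567890123"),
    ("order-1004", "card=5500-0000-0000-0004 cvv=123"),
]

if __name__ == "__main__":
    for rid, pan in audit_records(SAMPLE_RECORDS):
        print(f"{rid}: full card number stored ({pan})")
```

Record order-1002 is the shape both retailers say they are moving to (last four digits plus a processor token) and produces no finding; the Luhn check is what keeps the phone number and order reference in order-1003 from being reported as false positives.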
True, but I'm pleased to see that Hannants is again considering going with Paypal. It seems a much more secure method than having individual website process CC info.

QUESTION:

So many of these fraudulent transactions involve ordering products (even magazine subscriptions were mentioned).

In order to receive the products the crooks ordered they have to provide a delivery address.

Given an address wouldn't it be very easy for the authorities to catch the criminals???

:bandhead2:

That's how mine came to light. The crook using my card provided an address in Las Vegas and my personal address is in TX. The owner of the shop where the attempted purchase happened saw this and called me asking what's up with this order.....that's when I knew the account had been compromised.

As far as Hannants is concerned; I will not stop ordering from them. I don't believe it's their fault. I work in the computer field (Database Architect...security is something I worry about, but mostly only at the Database level, so security isn't my strongest point), but not to the level that our security group does...I have too many communications with them to realize that security is always a false sense and mostly consists of hiding the "keys".

Take the simple thing such as a password. We usually break up the password and distribute the pieces across the hard drive in various different files (one in the Registry somewhere, one part in some clear innocent looking, hard-to-find text file, and various other strange places where if the part was found it's useless). (I've seen this done to files; where the file is "shredded" and distributed across computers all over the world; so if one was hacked all they have is a useless part of some file.)

Or if using encryption; there is some key involved....and that key needs to be hidden.

Wrapping data up within "Onions" as it traverses nodes in the network is another idea.

These are all things that can be found (eventually). Nothing is ultimately secure; a lot of the theft that we fear is internal and by people in the know. Security in IT is usually in the realm of obfuscation and based on how well you can hide the "keys".

My rule is to just practice "Constant Vigilance" ... I check my accts. all the time and anything that is weird renders a call to the parties involved.

I would advise that it is not the best idea to store your cc info on some site anyways (but I don't always follow my own advice too...so I will not argue this point with anyone).

- Matt


Add me to the list...

BUT!

After Hannants redesigned the page, you had to re-register... And I haven't done so as I didn't order from them for a while.

However, I visited Hannants at Lowestoft in person in July and paid with my other card (I have two cards, one strictly for web payments and the other for everyday use); and 2 hours ago, I got a text message from my bank (I get texted for every credit card transaction), that my card was charged 2.31EUR in Palermo, USA... Of course I immediately called my bank and blocked my card.

So it appears that the problem really doesn't lie in their database, as my data wasn't stored there...

I've checked and there have been no dubious movement on my card.

I feel so unloved.

Give me your card....then I'll get you some loving

.....I take that back; I won't give you any love..... but I'll give your card some loving :whistle:

They tried, but ultimately my card didn't return their love. ;)

- Matt

When I make an order with Hannants (or used to.....) I would call them and give my item no. etc.... They would then ask if I wanted to use card no. ending in '4298' (for example) and then could I give the security number off the back of the card - this is an indication that the full number is in front of the guy at Hannants as I talk to him.....

I did ask them a while ago to remove any card details they had stored and I was assured that there was no risk of any kind.

- Famous last words huh?

I've spoken to Hannants and they are going to delete each card number after it's been used for the current transaction from now on.

Seems good to me and I will certainly use them again.

Gaz

Ah, I see, at one point you DID provide the full 16 and after that they could pull out your file, see your number and just confirm that you wanted to use that. I was mystified on that detail after your first post. Convenient for them and you, and you only needed to provide the CVV number (as they didn't store that). Convenient, but a risk. It SHOULDN'T be such a risk; I'm surprised so many transactions have been done without providing a CVV number. That should be standard everywhere by now!

Everything points to their database being compromised (with your story being a key part in that puzzle). Whether the access point was through the website or some other means is impossible for us to know. Interesting coincidence that HobbySearch was hit at roughly the same time.


Could it have happened that somebody on their staff stole the credit card numbers from the PC and sold this database to somebody else?

That is my suspicion, reading that even those who haven't used the website to order, but only the phone, have the same problems.


I did wonder about card skimming when I first read these reports. Not having bought from Hannants Lowestoft in a long time, and not by card, I haven't been affected.

A few years ago a local petrol station had a sophisticated card skimming setup where they'd inserted a 'black box' between the countertop payment machine and the outgoing phoneline. Your card was never out of your sight or reach but the details were still being stolen.

Caused me a little hassle a few weeks later up in the wilds of Scotland to find that my card was not being accepted (for fuel of all things!) because there was no way for the card firm to get in touch and tell me why!


WARNING!!!!

I just received an email from Hobby Search in Japan (the ones who have the instruction online).

They were also hacked. If you ordered before July 7, check your CC account. After that date they switched to a new system.

Thomas

This is the email:

<Contacts regarding this incident>

-----------------------------------------------------------------
Hobby Search Co, Ltd.
Telephone: 81-3-5833-3533 (International)
Fax: 81-3-5833-3534 (International)
Hours: 10AM-9PM (10AM-6PM on weekends and holidays) 10/28 - 11/07
10AM-12PM, 1PM-6PM Mon-Sat except on weeks 2 and 3 of the month, 11/8 onwards
(Hours listed are Japan time, GMT+9)
E-mail: hs-support@1999.co.jp
-----------------------------------------------------------------


Just talked to my cc company, and despite there being no dubious activity on the account they've suspended the card anyway - seems like they're now cancelling every card that was used with Hannant's regardless.

Vince
