I didn't go to Philly, but my CC has been hacked
CoinHusker
Posts: 5,033 ✭✭✭
I saw the thread about the fraudulent use of credit card numbers from people who attended the ANA show at philly but I didn't go to philly and I just got a call from my cc company saying my card was used today for fraudulent charges.
I didn't go to philly but I did use my cc for my ANA dues. Could the ANA data base been hacked into?
I didn't go to philly but I did use my cc for my ANA dues. Could the ANA data base been hacked into?
Collecting coins, medals and currency featuring "The Sower"
0
Comments
Someone bought a ticket to salt lake city Utah
mbogoman
https://pcgs.com/setregistry/collectors-showcase/classic-issues-colonials-through-1964/zambezi-collection-trade-dollars/7345Asesabi Lutho
<< <i>Did all the people that have credit card hackings perhaps also purchase things from the US mint?
Because someone tried to use one of my cards, but BofA blocked them (I've since cancelled it).
But I've NEVER done any ANA business, I have purchased from the US mint however, so there is
a possible vector, if all others have done the same. >>
I have past, but not in a couple of years.
Authorized dealer for PCGS, PCGS Currency, NGC, NCS, PMG, CAC. Member of the PNG, ANA. Member dealer of CoinPlex and CCE/FACTS as "CH5"
Because someone tried to use one of my cards, but BofA blocked them (I've since cancelled it).
But I've NEVER done any ANA business, I have purchased from the US mint however, so there is
a possible vector, if all others have done the same.
after reading several of these threads, i would estimate that someone is intercepting the wireless signals being sent
it is easily the most unprotected way of sending data and probably not that hard to capture, granted i don't know how hard that would be, just from what i've heard and read
.
Is there another way to do this without it being public?
We could set up a Yahoo! Group, make it members only, and discuss it there?
edit: A group has been made, if people want to get together to help narrow down where the leak or leaks came from.
Lance.
<< <i>.
after reading several of these threads, i would estimate that someone is intercepting the wireless signals being sent
it is easily the most unprotected way of sending data and probably not that hard to capture, granted i don't know how hard that would be, just from what i've heard and read
. >>
Anyone not using WPA-2 for their wireless security is asking for problems. WEP is highly insecure and can be cracked very quickly, and if you have no security enabled, you may as well just have a sign that reads "Rob Me" on your doorstep.
``https://ebay.us/m/KxolR5
|
|
|
|
Ok, a non-public Yahoo! Group has been made to discuss this. The purpose of which is to narrow down where the leak came from. Those interested in narrowing in down can PM me for details.
Yes, this will require joining Yahoo! but one can always use fake info for the join.
also, one will have to post here or in the other CC / Philly thread to let me know you want to join before sending me the PM
I won't be accepting new people into the group. I hope we have enough people on here with a history that it can be narrowed down using familiar names.
|
|
|
|
|
<< <i>Credit card companies and banks just say "Okay, sorry... we won't charge you".... but they're still paying for the goods and services. ?????? Go figure. >>
As more fraud occurs, their song will change. right now the business they make is a lot more than the loss to fraud.
<< <i>also, one will have to post here or in the other CC / Philly thread to let me know you want to join before sending me the PM >>
I posted earlier, but if you want a new one, here it is. I am interested, but I'm skeptical that we'll be able to narrow it down (but I'm willing to contribute!)
mbogoman
https://pcgs.com/setregistry/collectors-showcase/classic-issues-colonials-through-1964/zambezi-collection-trade-dollars/7345Asesabi Lutho
<< <i>
<< <i>also, one will have to post here or in the other CC / Philly thread to let me know you want to join before sending me the PM >>
I posted earlier, but if you want a new one, here it is. I am interested, but I'm skeptical that we'll be able to narrow it down (but I'm willing to contribute!) >>
we're in PM's now.
<< <i>
<< <i>.
after reading several of these threads, i would estimate that someone is intercepting the wireless signals being sent
it is easily the most unprotected way of sending data and probably not that hard to capture, granted i don't know how hard that would be, just from what i've heard and read
. >>
Anyone not using WPA-2 for their wireless security is asking for problems. WEP is highly insecure and can be cracked very quickly, and if you have no security enabled, you may as well just have a sign that reads "Rob Me" on your doorstep. >>
This is nonsense.
The security of the WiFi connection has nothing to do with the security of the transaction. If you use cable for your ISP, your neighbors and others on your link can snoop on your traffic.
The security of your credit card transactions comes from using SSL (a https connection) in your browser which is encrypted end to end.
<< <i>I sent out an email to those I know who are ANA members or who may have ordered something from the Mint but didn't go to the ANA Show in Philly. I'll be interested to see if any of them were hacked or not? >>
My card was compromised twice totalling about 2 grand. C'est la vie.
``https://ebay.us/m/KxolR5
<< <i>
<< <i>I sent out an email to those I know who are ANA members or who may have ordered something from the Mint but didn't go to the ANA Show in Philly. I'll be interested to see if any of them were hacked or not? >>
My card was compromised twice totalling about 2 grand. C'est la vie. >>
Well, neither of us were in philly so our cards couldn't have been "scanned". There's something going on here.
this could continue as they cycle through the card list.
this public forum is not the place to determine where cards were used in common since a lot of innocent sites will be named while trying to find the right one.
<< <i>this public forum is not the place to determine where cards were used in common since a lot of innocent sites will be named while trying to find the right one. >>
PM sent
JH
Proof Buffalo Registry Set
Capped Bust Quarters Registry Set
Proof Walking Liberty Halves Registry Set
Dead Cat Waltz Exonumia
"Coin collecting for outcasts..."
<< <i>and no web site has come out and said they were compromised.
this could continue as they cycle through the card list.
this public forum is not the place to determine where cards were used in common since a lot of innocent sites will be named while trying to find the right one. >>
Understand but please report back if you find a common source.
Luckily my credit card company caught it.
Puro's Coins and Jewelry
Rutland, VT
(802)773-3883
Link to my website www.vtcoins.com
Link to my eBay auctions
Buy, sell and trade all coins, US paper money, jewelry, diamonds and anything made of gold, silver or platinum.
"Seu cabra da peste,
"Sou Mangueira......."
<< <i>This could have nothing to do with Philly or ANA. Rather, it could be a B of A Security security breach. My Citibank card was one of something like 400,000 hacked last year. The card company goes public about this when it can't keep it quiet any longer. >>
My card was also hit and I hadn't gone to Philly or had any association with the ANA. Also Bank of America. This is the second time and I have up-to-date virus protection and don't use any shady websites to buy goods.
Successful Transactions With: JoeLewis, Mkman123, Harry779, Grote15, gdavis70, Kryptonitecomics
mbogoman
https://pcgs.com/setregistry/collectors-showcase/classic-issues-colonials-through-1964/zambezi-collection-trade-dollars/7345Asesabi Lutho
<< <i>It's not just B of A. My card is from Citi and I got the fraud warning last Wednesday. I'll give 10 to 1 that it was a merchant/business that we all use whose database was hacked... >>
exactly.
it could be a coincidence that the timing was with the ANA.
if we want to figure out who got hacked, we're going to have to start sharing info.
I have the Yahoo! Group set up and ready to go....
all we need are more than the 2 people who have already joined to take part and start comparing notes.
Verizon Wireless
Paypal
Amazon
I'll add more if I think of them.
Successful Transactions With: JoeLewis, Mkman123, Harry779, Grote15, gdavis70, Kryptonitecomics
Not even sure how that's possible, but I now need to go through my bill to make sure there are no questionable charges either.
I didn't go to the ANA show either, but there's definitely something fishy going on!!!!!!!!!!!!!!!!!!
Edited to add this was not a BofA card...
Michael Kittle Rare Coins --- 1908-S Indian Head Cent Grading Set --- No. 1 1909 Mint Set --- Kittlecoins on Facebook --- Long Beach Table 448
The Penny Lady®
<< <i>FYI, I posted on the Philly credit card thread that Coin World just contacted me, it seems they are doing a story on all the compromised credit cards. >>
Great! Not!
last thing we need is for people to know a bunch of coin collector's credit cards are floating out there. (or confirm it for them if they haven't figured it out.)
I'd rather have them do the story after the source of the leak has been identified.
Jade Rare Coin eBay Listings
<< <i>The local news reported some Redbox machines have been hacked. How many with hacked CC have used redbox lately? >>
Not I although I do also use it for Netflix. I also haven't purchased anything from the Mint since I got my new card so I don't think that's it either.
Paypal seems like a likely source.
Successful Transactions With: JoeLewis, Mkman123, Harry779, Grote15, gdavis70, Kryptonitecomics
Proposed methods of attack:
Wireless Attack
Virtually impossible. As has been pointed out, it is SSL (Secure Socket Layer) that virtually always secures your credit card transactions. That protocol rides inside any connection you use to connect to a network (wifi, ethernet, dsl, cable, whatever). While SSL isn't impregnable, successful attacks are few and far between. Additionally, as cards have been reported as breached outside the Philly show area, the proposed vector of attack is rendered impossible.
RFID or Stealth Mag Stripe Attack
Virtually impossible. With the number of reports of cards being hacked outside of the Philly show it seems highly unlikely this method was used. Additionally it has been confirmed that not all hacked cards contain an RFID chip.
Compromised website
Highly possible. In a community forum like this one, where everyone shares a common interest, many online transactions are made by the community at the same sites. Logically, if I were a competent attacker intent on getting the most bang for my buck, I would target low transaction cost website which cater to high-net-worth individuals. Sites which don't do massive amounts of revenue tend to have less stringent security practices. That said, all attackers are opportunists, so if a high transaction cost website was determined to be vulnerable... great!
Malicious code
Possible. This one hasn't been mentioned as far as I have read. Again, with communities such as this, users tend to visit similar sites over time. A website which doesn't participate in any form of e-commerce, but is regularly frequented by high-net-worth individuals makes for an appealing target to drop malicious code. This code then exploits the visitors browser/operating system in order to drop more malicious code onto the visitors machine. Over time, as the compromised visitor continues to use their PC the malicious code will transmit the desirable information (credit card form information, bank account numbers, etc...) back to the attacker.
Considerations:
False positives
Any analysis of these types of situations will reveal that form of mass hysteria can arise inside the effected community. People who have been victimized in the past, mentally imbalanced people, and people unintentionally spreading misinformation will all contribute to this hysteria. This will muddy the water and make it more difficult to accurately determine the scope and nature of the incident.
Participation & Honesty
It is common for effected parties to conceal or obfuscate their involvement. This is usually due to concerns regarding privacy and security and no one should feel compelled to participate in any sort of public investigation. It does however make community driven incident investigations all the more difficult.
Wild supposition and finger pointing are going to happen when people are violated. Moreover, those reactions will scale in direct relation to the size of the group which has been violated. But, I encourage everyone involved to attempt to refrain from pointing fingers anywhere until some hard evidence has been revealed. Should it eventually be determined that an organization knowingly withheld knowledge of a security breach then, sure, let your rage flow.
I think BofA calls their system ShopSafe. You have to log in to your bank account or credit card account to generate the new numbers and then put that in the online shopping payment, and it is a pain but it avoids being hacked later on. All they will get are some dead numbers that won't work anymore.
I also have my credit card account set up to send me daily emails on the credit card balance so I can see if anything large hits.
<< <i>I'm going to throw a little information into this thread to try to curb some speculation...
Proposed methods of attack:
Wireless Attack
Virtually impossible. As has been pointed out, it is SSL (Secure Socket Layer) that virtually always secures your credit card transactions. That protocol rides inside any connection you use to connect to a network (wifi, ethernet, dsl, cable, whatever). While SSL isn't impregnable, successful attacks are few and far between. Additionally, as cards have been reported as breached outside the Philly show area, the proposed vector of attack is rendered impossible.
RFID or Stealth Mag Stripe Attack
Virtually impossible. With the number of reports of cards being hacked outside of the Philly show it seems highly unlikely this method was used. Additionally it has been confirmed that not all hacked cards contain an RFID chip.
Compromised website
Highly possible. In a community forum like this one, where everyone shares a common interest, many online transactions are made by the community at the same sites. Logically, if I were a competent attacker intent on getting the most bang for my buck, I would target low transaction cost website which cater to high-net-worth individuals. Sites which don't do massive amounts of revenue tend to have less stringent security practices. That said, all attackers are opportunists, so if a high transaction cost website was determined to be vulnerable... great!
Malicious code
Possible. This one hasn't been mentioned as far as I have read. Again, with communities such as this, users tend to visit similar sites over time. A website which doesn't participate in any form of e-commerce, but is regularly frequented by high-net-worth individuals makes for an appealing target to drop malicious code. This code then exploits the visitors browser/operating system in order to drop more malicious code onto the visitors machine. Over time, as the compromised visitor continues to use their PC the malicious code will transmit the desirable information (credit card form information, bank account numbers, etc...) back to the attacker.
Considerations:
False positives
Any analysis of these types of situations will reveal that form of mass hysteria can arise inside the effected community. People who have been victimized in the past, mentally imbalanced people, and people unintentionally spreading misinformation will all contribute to this hysteria. This will muddy the water and make it more difficult to accurately determine the scope and nature of the incident.
Participation & Honesty
It is common for effected parties to conceal or obfuscate their involvement. This is usually due to concerns regarding privacy and security and no one should feel compelled to participate in any sort of public investigation. It does however make community driven incident investigations all the more difficult.
Wild supposition and finger pointing are going to happen when people are violated. Moreover, those reactions will scale in direct relation to the size of the group which has been violated. But, I encourage everyone involved to attempt to refrain from pointing fingers anywhere until some hard evidence has been revealed. Should it eventually be determined that an organization knowingly withheld knowledge of a security breach then, sure, let your rage flow. >>
this is why I set up the Yahoo! Group.
Fortunately, they declined the Airline charge, but the McQueen hit was just a verification with no amount which was approved, but no amounts have yet been charged. Guess I live without a debit card for the next week or so until I get a new card.
MsMorrisine PM sent.
Text
Disclosure it was done by the company Stronghold and I am not affiliated with them other than I did find them and ordered one of their wallets when this tread started.
I received the link in a email from a friend.
About 16.5k in charges nationwide+international
Not only has my card been frozen, my account has also. It may take up 2 weeks to unfreeze my acct.
Btw with only 1 acct I hahe to live on my pocket change for the next two weeks.
<< <i>For those that want to see how the RFiD is compromised here is a Youtube video showing how easy it can be done.
Text
Disclosure it was done by the company Stronghold and I am not affiliated with them other than I did find them and ordered one of their wallets when this tread started.
I received the link in a email from a friend.
I did the same and should have my wallet on Wednesday.
Interesting video...I had no idea how easy it is to get your cc info of some cards.