Credit card info stolen...

[CraigSchumacker]

Folks:

I do not want this to become a big thread or issue, but felt a head's up was in order.

This morning, I received an email from Vonage that my Chase credit card payment had been rejected for my phone line monthly charge.

Chase had seen suspicious activity, and turned off the card, already.

I called Chase, and determined the invalid charges. Attempts totalled $10,400.

This afternoon, Alpha Software sent out an email pointing out that the companiy storing the account information for Alpha's Online Store was compromised.

It may be just coincidence, but please consider calling your bank if you had credit card info in the Alpha store.

Better safe then sorry... And thank you Alpha Software for your continued loyalty to your customer.

Craig

[popellis]

Quote:

Dear Customer,

We have been informed that there has been a security breach at the Internet Service Provider where our web site is hosted. This may have resulted in your credit card information being compromised. While it is entirely possible that your credit card information has not been stolen, in the interests of caution, we recommend that you contact your credit card provider to discuss what steps, if any, they recommend.

Going forward, we no longer store credit card information on our side. This will eliminate any risk associated with placing credit card orders on our site.

We thank you for your support and look forward to helping you build your businesses and organizations with Alpha Five Version 10.

Sincerely,

Alpha Software

I did check my CC and there was a small charge made with it that I did not make, so I now have reported the card stolen. I just thought others should know.

I am not trying to start a panic or a blame game. Just thought you should know.

Mark

[Marcel Kollenaar]

Saw the mail and blocked my cc immediately.

[NoeticCC]

I'm kind of glad that the card stored in my Alpha account is no longer valid (because I screwed up the verified by visa while trying to order some books on my phone!)

[mmaisterrena]

The contractor that bought my alpha v10 lics. told me that the first deposit he made didn't work (i didn't believed him, shame on me) He might had his number stolen I already forwarded the email to him.

[aRob]

Since Alpha doesn't deny it, then it's probably not a hoax.

Would be nice to know when it happened.

[mmaisterrena]

For a reference, My contractor said he made the deposit 2 weeks ago

[Scott_S]

Wouldnt it have been nice if alphasoftware would have told you the last 4 digits of the card number that they have on file... that way you dont have to guess which card you used.

[popellis]

Quote:

Originally Posted by Scott_S

Wouldnt it have been nice if alphasoftware would have told you the last 4 digits of the card number that they have on file... that way you dont have to guess which card you used.

Yes Scott that probably would have been nice, but for me I only use 1 card for internet purchases. It has the lowest credit amount, just incase.....

[James S]

I also NEED an option to change my password.(unless I missed it)

It seems reasonable that other data may have leaked including password, customer, billing & order history.

[Scott_S]

Quote:

Originally Posted by James S

I also NEED an option to change my password.(unless I missed it)
It seems reasonable that other data may have leaked including password, customer, billing & order history.

Well apparently I don't have a online account at alpha as I asked for my login info to be sent to me and it comes back blank. So either I ordered over the phone or worse yet my account was hijacked.
If I ordered by phone I wonder if they still have to have some record of it, last time I upgraded was 05/2007.

[dlazenby]

I got that message today also. I called my credit card (AmEx) and they said that there had been no other activity on my card (i.e., suspicious transactions) since the date of my a5 v10 purchase (10/31).
Not a good feeling. I am going to have my card replaced.

[Steve Wood]

I cancelled my CC and confirmed that Alpha has indeed removed the CC information from my account. The History also does not show CC information. It shows license numbers which I would only worry about if the hacker was an Alpha Developer.

[MikeC]

Quote:

only worry about if the hacker was an Alpha Developer

Now that's a nasty thought!

[RossAllen]

The card I purchased A5 with was used to buy a boatload of domain names with hosting at numerous hosting companies. They used an address in Vietnam that one of the companies recognized right away when I called, they said this guy does it all the time and has been doing it for a long time (you would think they would set something up to catch accounts using that particular address). I assume it was done for spamming because he was purchasing hosting with the domain names. Only one company I called would give me the name of a domain purchased on the card, that domain name is not showing up as being registered.

I appreciate the fact that Alpha notified us as soon as they found out about the issue. We caught it in a few days and a reversal on it was no big deal but its nice to know where the leak was.

[Rick Sloan]

I received an e-mail today from Alpha, that my credit card info may be compromised. I cancelled my card today.

That answers the question regarding going on the web for me.

Maybe Alpha will concentrate a little more on the desk top side in the future.

The web is clearly not a safe environment to work in as of yet.

[Doug Page]

Quote:

Originally Posted by dlazenby

I got that message today also. I called my credit card (AmEx) and they said that there had been no other activity on my card (i.e., suspicious transactions) since the date of my a5 v10 purchase (10/31).
Not a good feeling. I am going to have my card replaced.

Don't forget that it is not just people who purchased recently as these are records that were kept on file from your last purchases. I have not purchased v10 yet, however my card was hijacked a week ago. So just because you have not purchased recently does not mean that your card is safe!

[dpawley]

Yep, got the email today also... I also wanted to know the last 4 digits of the cc for the last purchase. So I went to the Alpha Software contact us page and sent and email. In a few minutes I had the info. Fortunately I had used a virtual credit card, as I do for all online purchases now...so hopefully I have averted a cc hijack.

[bvandyke]

I noticed in May there were 2 small, almost not noticable, charges from vendors located in the State of Ma. that there was no way i had made on my credit card. I cancelled my credit card immediately and was issued a new one at that time.

I always wondered how that could have occurred on my Corporate Business credit card...perhaps i know why now.

[SMARTII]

Shortly after I ordered a V9 Application, a $98.00 Charge appeared on my card. I notified my bank. They investigated and it was a charge from Cabela's for a Gift card...No Address of the purchaser...
Coincidence?
They issued a new card.

[Axeman]

Also had an email,

Phoned cc company and stopped and replaced card and also confirmed that the last two products I bought were from Alpha.

As a matter of intrest, how does one stand if money goes astray from the card due to this type of activity?

Quote:

Originally Posted by dpawley

Fortunately I had used a virtual credit card

Sounds secure. How does that work, like a pay as you go type of thing?

Thanks Alpha for letting your customers know.

[MikeC]

Harry,
Most credit card companies either have only a $50 maximum liability or $0 like I have for when your credit card is lost, stolen, or as in this case, hijacked. Call and ask or read the terms of your card (yeah, how many people actually read that!! ).

[Axeman]

Quote:

Originally Posted by MikeC

read the terms of your card (yeah, how many people actually read that!! )

Trouble is Mike it seems that every time I get a statment they always include a load of paperwork in with it. Small print galore.

Open statment, have a moan, throw it in the cuboard, pay when near due.

[gmeredith17]

Well this is huge. Well done to Alpha for notifying us and taking the decision not to store the information in the future. As others have said it would have been nice to know the last four digits of the credit card used. Not sure how Alpha can tell you what it was if they are no longer storing the information but I guess we can all check our own bank statements.

Does anyone actually know when the information was taken? Was is it all at once or over a period time? I have checked my account but cannot see any unusual transactions over the last month.

[eddiejen]

My credit card company contacted me two weeks ago and told me my card had been compromised and they had put a stop on it.
I only received the email this morning but now I know where the number was stolen from.

Edgar

[Rick Sloan]

The question begs to be asked, if credit card numbers are compromised, what other information has been as well.

I would suggest to all the Alpha "family", keep a close eye on their overall finances, not just cancelling their credit cards.

[RossAllen]

Quote:

Originally Posted by Axeman

Also had an email,

As a matter of intrest, how does one stand if money goes astray from the card due to this type of activity?

I'm familiar with the procedures. When I say the charges were reversed I mean we were given a credit by the bank until they investigate further. A form is sent to us to fill out. They will then notify the companies of the charge-back by mail and online and give them the opportunity to dispute it.

This perp didn't use our address, he used his own in Vietnam so that pretty much killed it. In addition, the majority of domains he bought were registered in his name, not the name on the card. That right there shows the card was compromised during that period. I also caught it 4 days after he started using the card.

However, I do know had he ordered products shipped to the name and address on the card we could have a problem even if we returned the products. What I'm not sure of are the issues that arise when someone downloads a product.

To protect yourself:

1) If you primarily use a debit card ask your bank if you can get one on a 2nd account that you transfer money into as needed for purchases.

2) Never use a check online.

3) Check your account often and change your pin and password every 4 months.

4) Use one card per account.

5) Don't charge anything online if they ask for your driver's license, date of birth or Social Security number.

6) Optional but a good precaution if something occurs: after canceling your card call the companies where charges were made and tell them fraud was committed - this took me the better part of a day (billing departments don't have phone priority like sales). If they ask you if you have already contacted your bank and requested a charge back SAY NO. The first thing companies will ask for is your credit card number, giving them that is a last resort, ask them to search by name or last 4 digits or a combination of. One company I called had over 100 accounts using the same last 4 digits and did not retain the name on the CC so I ended up giving them the full CC, they issued an immediate credit.

As a merchant its wise to ONLY USE 3rd party payment processing for charges done over the internet (i.e.: 2Checkout and Paypal). With 2Checkout and Paypal security is their problem because all of the CC processing takes place on their site. Both of which charge higher fees then a bank, take longer for processing (especially 2Checkout which also retains a portion for charge-backs) and can be a pain in the butt but as you can imagine something like this could destroy your business IF most of your customer base is set-up for recurring charges. If you take CC's over the phone enter the info into your CC machine as they give it to you or at the very least don't retain it on a computer. Don't use an online virtual CC processing service (where you substitute using a machine in your office for a website that allows you to enter the CC numbers you receive).

[StevenMcLean]

Well thanking Alpha for the notification is Bizarre. They by law have to notify all potential clients within 48 hrs of breach. It seems from others that they knew a couple weeks ago? Humm.....

[Steve Wood]

Your last paragraph I think is key for us developers as we build e-commerce applications. I don't keep CC information on any of the apps I have built and they do use a 3rd party payment processing company where THEY store the CC information. I don't have the bandwidth or liability coverage to deal with it. Does the Alpha E-Commerce app hold CC information, I can't recall?

I take it back, I built one app for a billing company that holds bank checking account numbers. But that system is not in my control, sits behind an ISA server, uses SSL, the database is encrypted, the only screen that shows the bank info only shows the last 4 digits, and not a single page is public other than the login.a5w page. (That's what the client wanted, I didn't think up most of those security measures.)

[CraigSchumacker]

Tom:

I became aware of a problem yesterday, when Chase had closed down the card. I got the email a few hours later.

I also had a charge to Cabela's for $65.

Chase believes this started the last week in October. When did you see the Cabela's charge?

They said I'd have to self audit my account to look for more. If you say your charge was back in June, I have to go back and do a lot of research.

Another company I bought software for, trying to boost Alpha sales, says their credit card info was stolen a few months ago. It may be unrelated, but your Cabela reference leads me to believe that your problem and mine are tied together, closely.

When do you think that Cabela charge was?

Thanks,

Craig