How do you keep a credit card from getting hacked? It got stolen in December and the card company issued a new card. I used it one time with Pay-Pal. Bam, I get hit again. This is an online only card. I don’t keep passwords or card info on the ‘puter. I’ve been changing log-on names and passwords ‘till I’m dizzy. Card company keeps hinting my “kids” are using it. Repeatedly asked who had access to it. That ticked me off. I don’t have kids, just Kim and I. It’s funny, I use a different card from a different company when this one gets hacked, (Third time in a little over a year) until the new one arrives and nothing has happened to that card yet. Hopefully. Though I’ve never used that card on Pay-Pal. I’m just trying to narrow it down to what online store it is getting swiped from. Card company could care less. They are not out anything and I’m not out anything, but it ticks me off. You know the merchants that got swindled are ticked. Any ideas?

Shoot typed a whole bunch and lost it.

Ok try again. Cancel the credit card with that company completely. Don't even activate the new card. Get a new card from another credit card company. Someone or something has acessed your PC most likely or your e-bay/pay pal account. Either by following your traffic or by cracking pay-pal or ebay or both. They are doing it via e-mail also. There are webpages that look exactly like e-bay and paypal that launch malicious code and take personal information for the sole purpose of identity theft. There may be malicious code on your pc that is sending your personal info as it is entered. Wipe your computer using a program like evidence eliminator or cyberscrub to name two after every internet session.

There are ebay/paypal based malicious code that is evading contemporary antivirus software. The software may see it but might not be able to remove it. Was talking to someone on another site about it recently. Do not enter any personal info on any website without a secure link, typically shown as (HTTPS) in the url. Unsecure pages are simply the standard +http:www.whatever.com+.

If your credit card has been compromised, it is highly advisable to make sure you know how before you use another credit card on your pc again. Consider anonymous browsing with programs like tor/privoxy/mozilla/proxy switch bundle. Shortly after I joined this site, I lost every file on C:my documents. Not sure if it was a result of this site but I feel it was local. Can not prove it. But all mydoc's data folders were deleted and replaced with jibberish. It is possible this happened through irc use or torrent use. But since switching IP's and going anonymous there have been no further problems. Whomever did it was slick. Anyways, that's the inexperienced advice I will give. Check google or your prefered search service for any terms mentioned that are unclear. Think security first. Read up on IP logging. Do not enter personal info unless you are 85% confident in your security. Unfortunately on the net, you can not be 100% sure of security. I thought at one point that a simple hardware firewall with nat would be enough. Wrong. Wireless networks are a threat also.

An associate thinks I was attacked through my network but I run wpa encryption. Not impossible to crack but difficult. Either way, anyone whom is determined enough to access info can. So if you do use a card on line, use one with a low limit that you are comfortable with and be sure you understand as well as possible the threats.

Good luck. Be safe.

PS: if you are interested in any direct links for tor or computer wipe info, post back. I'll do what I can.

Tim,
Change all your passwords to all your online accounts after you get new Credit Cards. Somewhere along the line I think someone has picked up a password you use at paypal or ebay.

Shoot typed a whole bunch and lost it.

Shortly after I joined this site, I lost every file on C:my documents. Not sure if it was a result of this site but I feel it was local. Can not prove it. But all mydoc's data folders were deleted and replaced with jibberish.


That is a pretty strong accusation. I would hope you have some type of proof before you made a statement like that. Personally I wouldn't return to a site if I thought someone hacked my system.
Especially since that would be the site admin (ME) you seem to be accusing of some wrong doing for your misfortune..

Here is the story. Back in December I got E-mail from E-bay on a bid notification. Since I had gotten phishing E-mails claiming to be Alltel, I ignored them. Then I got a win notification. Curios, I went to E-bay and found out I could not log on. I then check the credit card and find several long distance phone calls. I call the card company and cancel. Now I get e-mails from the seller on e-bay demanding payment. I go to back to e-bay to see if I could change my password. Low and behold, the guy never changed my secret question. I change everything to lock him out and find a new ship to address, with a name, street address, city and state added to my account. Card company issues new card. I get that mess straightened out. Changed my passwords on E-bay, Pay-pal, online card account, etc. Change my card number on Pay-pal. January, I use the card one time with Pay-pal and three days later, another $60 long distance phone call appears on the new card. This time I didn’t find out until I used Pay-pal again and then went to pay my credit card off. So I’m going through this again. I use Firefox for the browser, Norton Systemworks, Ad Aware, Microsoft Anti-Spyware, and Zone Alarm. I can’t detect anything on my computer. Passwords are stored in the DVD burner. Is Pay-pal that vulnerable? He made a lot of long distance calls before he placed a bid on E-bay. I find out he had opened an account with the long distance service in my name using my address. In ’04 I got hacked, but nothing went through Pay-pal. Everything charged to the card to various merchants. I’m just trying to figure out where the person is getting that card number. Thanks for the info.

Did you change your secret question everywhere? Remenber that is almost the same as having your password. If you don't have the password it is the way to get it.

It's not anything on your PC based on what you are saying.

I just changed them on Pay-pal. I had only changed the password when the last card got hacked. Log-on is your E-mail address. And you get notification if someone changes it. E-bay is the only place I can verify that someone actively tried to change something. Nothing changed on Pay-pal. Several years ago, a site called Egghead.com sent me an E-mail saying they had discovered their site had been hacked. They recommended that I cancel my card, which I did. That site went under and resurrected as Newegg.com. That new credit card lasted a few years until ’04, when it got hacked. A few things got purchased. Credit card company said then a business probably got hacked and didn’t know it. Now this. But I only made one purchase through Pay-pal on the brand new, less than 2 week old card. Right now, no cards are listed with Pay-pal. I’m just trying to learn how these people can swipe these numbers.

Don't know if this helps, but you can circumvent PayPal's password if you call them and have 1) the last 4 digits of the credit card on file or the last numbers of the bank account on file and 2) the primary email account. You might need the phone number on the account as well, I don't remember.

But my point is that if the person had that information because you accidentally tried to log into a "spoofed" version of the PayPal site, and he captured your password, and then logged in and copied all of that information down, then it doesn't matter if you changed your password. All of that information that allows someone to circumvent the password is available in your account on the web site. He would only need in once and then he can call them and it doesn't matter that you changed the password.

PayPal will probably have records of who called and when. You might want to try your investigation there.

The reason I know this is because my wife keeps track of bank account numbers, credit card numbers, things like that in our house. I have no idea what my own account numbers are. Whenever I call PayPal, I need to have the web site open as I am talking to them so that I'll know what the last 4 digits of my own account is when they ask :) It's all listed in the account section.

Tim,
Change all your passwords to all your online accounts after you get new Credit Cards. Somewhere along the line I think someone has picked up a password you use at paypal or ebay.




That is a pretty strong accusation. I would hope you have some type of proof before you made a statement like that. Personally I wouldn't return to a site if I thought someone hacked my system.
Especially since that would be the site admin (ME) you seem to be accusing of some wrong doing for your misfortune..

Dear Chuck Jones,

From the way I am quoted, it might look as an accusation. Perhaps that is out of context. Or possibly the thought was composed incorrectly on my part. Regardless, the last intention was to accuse you as an adminastrator of this website or anyone else that might be able to track, with the correct knowledge and information, all the way back to my poor little hard drive of hacking my system. The proper term is cracking anyways. Hackers don't destroy files and information or use it maliciously. Hackers are more harmless and up to the challenge over anything else. As I understand it. But I have been mistaken before.

To summarize, sorry you interpreted that as an accusation on your part. That is not what I meant. Even if so, the comment to say that personally you would not return to website you were hacked at - well. I might. ;)

Allow me to clarify. What I meant when I said "Around the time I joined this website..." was to give a frame of reference in time. And a sense of perspective to tkcomer that a threat is valid from any location. There is always the possibility of the threat. Perhaps someone locally as in "Located in this geographical area.." I'm refering to online threats in this case wich is why you may have interpreted this as an accusation.

A local attack is what I suspect in my case. But of course I can not prove it. I wasn't making an accusation. Even if I was, I would not be able to prove it. Just like I wouldn't be able to prove any potential attack came from xdcc or torrent or other avenue of malicous intent. But my system is fairly stable and secure. Like I said, an associate of mine in Chicago felt I had a weakness in my Wifi. So we reconfigured. But I tried to crack it before from two different radio enabled devices and was not able to do it. Although I'm no professional either.

I think I have said it in a past post somewhere but this is an excellent site that provides an excellent service to the community. Perhaps I am perceived as a rouse to that. But that is not my intention either. To prove so, I would be willing to donate, anonymously, 50$ to go towards the operating costs of this website. The only thing I would request is that a scan of the money order be shown possibly in a post on this thread or a new one with some sort of way (if possible) to show that the fund went to the payment of the bill for this server. Of course, no potentially harmful information would need to be shown. A simple photocopy with identfying information blacked out would suffice. Send me a pm with a business address or post it here. You will receive the donation next week if you choose to accept it. I am doing this because I don't feel too good being accused of making an accusation at you if that makes any sense. I do appreciate this website.

In addition, I am going to donate 50$ to the local red cross for the hurricane relief issue in the Louisiana/Mississippi region. A family member recently sent pictures from his efforts there. Want to see some? It is still a horrible situation. A horrible situation in our own country. I would challenge anyone who reads this thread to donate however much they see fit to this cause. I happen to have a 50$ bill in front of me and that is what I feel like sending at this moment. Of course, I will be sending a money order. Feel free to spin this to a new thread if necessary. I feel while donation and voulunteering is important, it is not necessary for anyone to be recognized for it as a person, corporation or entity. Perhaps just being a human and an American is enough.

Back to the topic, I feel changing passwords is simply not enough. I don't think Newegg is compromised because my stuff hasn't been hit. Although, I wipe everything every time I enter personal info on the web wich is really the only way to be sure your information is not corrupted. I'm also failing to see why you are sure that there is still not anything embedded on tkcomer's pc('s). tkcomer, in 04 you were hacked? I assume you took measures to make that less possible in the future. You use a router with firewall? If so, you really don't need all those other programs. As long as you scan with avg or an udpating virus scanner. Trend micro offers something really nice called house call on line. A good DOD level wipe software would be good to have also. It's hard to say exactly how it is happening to you tk because I don't know exactly how it works myself. But it happens. And if it happens as soon as you use ebay and paypal - well - the only way to be safe until you do know what is going on, or at least - have a real good idea, is to not use those sites any more for personal or professional buisness transactions. I stopped using them in 2003. But it's up to you.

Like I said, good luck. Stay safe. Thanks for reading.

Explanation is ell received and excepted. No apology is needed. I thought afterward I might have read to much into it but was just unsure.

As far as a donation I can't except but really appreciate the thought. I don't want any user to feel obligate or even a need to donate to the site. I feel that once I get advertising up to speed it will be sufficient.

If you want to make a donation in behalf of the site PLEASE give to CASA at www.bfmcasa.com CASA is by far my most favorite charity.

I do agree with the advise you give to Tim but also just attempting to interject other possibilities in addition to yours.

Jeremy stated exactly what I was going to say next.

Be Safe and Stay Safe

Fair enough Chuck. I do not disagree with you or Jeremy either on the subject of security. Just felt a little put off and I can get wordy when I feel strongly about something. At the same time, I would be lying to say I never took something out of context myself. RE: the amish thread

but I'm not going to say sorry when I'm misunderstood again. If I have the time like I do this evening I might explain myself furhter in future threads. I just like to spur thought in areas that are maybe not considered by others.

Thanks.

My wife's credit card was stolen last year but I did not report it to the credit card company. I noticed that the guy who stole it was charging less on it than my wife was. I figure I am ahead.

Now I don't care who ya are....


.... That's funny right there. ;)

Yes, I have a router. I’ve used it and Zone Alarm for several years. The only thing E-bay told me to do was to down load their tool to make sure that I’m really on their site. It only works for IE, not Firefox. But that wasn’t the problem. I didn’t respond to any E-mails until after it happened. And the phone calls were the first things on my statement, leading me to believe they got the number first and then tried to use it on E-bay. They were on my statement a full two weeks before my info got changed at E-bay. But I came up with a name and street address. The same as in ’04. Neither side cared. Card company wasn’t out any money. E-bay wasn’t hurt. THAT’s what ticked me off.

I would be extremely ticked off also. I had two or three incidents with dishonest buyers/sellers and the last time pay-pal locked me. Managed to only lose 25$. 2003 that was. Shut the whole thing down. The only time I buy anything on line is new from a an established store. Sometimes I call them and make sure the transaction is secure or just purchase the product I'm looking at over the phone. But some sites want you to use the online purchasing thing. So then I watch as close as possible and wipe all data immediately after I have my receipt. The interesting thing is, you say you have tool for verifying e-bay's site? That's a new one to me. Easily verified by google search I'm sure. Maybe they do have a tool to use to verify their site. But if they don't and there is no support of this tool. There is your huckleberry. Just another guess.

Looks ebay does use some sort of tool. So back a step. Too hard to say without getting into your registy to find our if there is as keylogger or some sort of malware in there. Like you say, e-bay and the credit card company aren't going to care. That's how they are. Unless the problem starts hitting their bottom line.

Good luck. Let us know if you find more. Very interested to know.

I looked into this a little more... I hope this helps???
New EBay Scam Tricks Local Man

LAST UPDATE: 2/15/2006 8:38:42 AM

EBay users have long been the target of a number of internet scams. But some shoppers savvy to those old tricks are now falling for a new deceptive scheme that plays on their disappointment over losing an auction bid! We've warned you many times about those EBay phishing scams. That's where you get e-mail, supposedly from ebay, asking you to re-register your personal information,,, of course, it's all a big lie. Now comes a new scam-- aimed at those who bid but don't win Ebay auctions. That's what happened to Daniel Clemmons of Hamilton, who went to EBay in search of a new truck. DANIEL CLEMMONS: "I placed a bid for it on Ebay for $2300 and when I woke up it said I was out-bidded." Although he lost the bidding war, a few days later Clemmons received these e-mails with an EBay address saying he has a second chance to buy the truck, and asking if he still wants it. CLEMMONS: "I replied back and said yes. Next thing I get a security confirmation from EBay with EBay's heading saying here's all the steps to make the purchase happen. I was to take the money to Western Union." Interesting, in telling Clemmons to send the money through Western Union, the crooks tell him Western Union money transfers area designed mainly for sending cash to friends and family in need. So don't tell them that you're sending money to an EBay seller, otherwise they may prevent you from sending the money through. CLEMMONS: "DID YOU THINK TWICE ABOUT PUTTING IT THROUGH WESTERN UNION? No because he said we'd go through the official EBay rules and regulations." But, after sending the money to Chicago, the buyer stopped emailing, and Clemmons realized he had been scammed. He contacted EBay, was told the company was aware of this and other scams, but it can't get his money back. CLEMMONS: "It's a travesty. There's people like me that work everyday hard for their money and save and save to try to purchase something nice for themselves and in a matter of house its gone. Everything you worked for and tried to save its gone." E-Bay says it's doing its best to combat fraud, in fact it unveiled a program called 'My Messages'. If you ever receive an email claiming to be from ebay, just go to EBay's website, log on, and click on 'My Messages' to see any messages EBay sent--so you'll know if what you received was legit. And never, ever, wire money to someone you don't know through services like Western Union. Clearly, the second chance emails Clemmons received were bogus. He's filed complaints with the police but chances are not good that he'll get his money back.
source:www.wkrc.com

................ahhh, I avoid all this confusion. The sellers will take a good ol' fashion postal money order anyday.

At least a money order doesn't cost me any interest.............see ya mark

This credit card thing is ticking me off. New card, changed passwords and secret questions everywhere. I use this card one time at Ecost and the very next day, a long distant call went on the new card. I cannot get Citibank and Netzero Voice to contact each other on why this is happening. This is the third time I have told Netzero Voice to not allow anyone to open an account in my name. All Citibank will do is knock the charge off and issue a new card. I can’t figure out who I’m madder at. Netzero for reopening an account in my name or Citibank for not following up on the bogus charges. THIS time when I get the new card, I’ll pay off the charges and cancel the card. The other two cards have never been hit. But they are not my internet cards. Well, the Sears card is on occasion. You have to use it to get the discount when they offer it. The other card is used when the Citibank card is down.

I think in your case, tkcomer, with all the hassles you've been through, you might want to get one of those pre-paid disposable credit cards they offer now for your online purchases. Use your regular credit cards for offline things and use the pre-paid one for online things.

In my narrow mind, I keep thinking Netzero posts the charges and Citibank is adding them to the new card. Can’t prove that but I think that is what’s going on. The last two times I called Netzero, they said they posted the charges to the OLD card. The one that had been cancelled. To me, that is a mistake by Citibank if Netzero is able to do that. NetZero is not seeing the card as cancelled. But then again, I keep canceling my “account” at Netzero, and they keep firing it back up. Also, in my little mind, what is the difference between ordering online from a company at E-cost, or walking in and using the card at their store? If they get hacked, the info is in the same ‘puter.

That is why I use PayPal and have a PayPal Debit card. My number is a virtual number, so each time I charge something to it Paypal changes it. The number on "my end" stays the same, however the number they get is void after payment is cleared.

I have a Pay-Pal account to pay for things. But a lot of vendors don’t use it. I generally buy stuff that I can’t get in this town. Unless the price difference is outrageous. I’ll give an example. I bought a tiller online to go behind a tractor. $1600 delivered to the farm. Not one dealer in this area would sell me one for under $2000 that would fit my tractor. But I still think this is Citibank’s fault. How could someone charge something to a card that is supposed to be dead?

The paypal thing is a debit card, based on what you have in your paypal account. It is different than using just paypal. You can even go to the bank and withdraw funds if necessary.

I used to have one before.

My PayPal card is my primary method of payment. I haven't carried cash in years unless I had to. People around the world load it up, and I distribute the funds (or rather the wife does ;)). I even pay my car payment through it. I only keep a bank account for the checks and money orders I get.

PayPal even has the Master Card logo so I can use it anywhere they accept Master Card credit cards.
And Daphne is right, it will only use what I put in the Paypal account. And it is pretty easy to put funds on the card. PM Tkcomer and I will tell you more about it if you want more information.

I use Firefox for the browser

a couple of suggestions:

* pick up the netcraft antiphishing toolbar - http://toolbar.netcraft.com
* make your passwords stronger - dictionary or word based passwords are cracked instantly on most computers irregardless of length. - http://www.lockdown.co.uk/?pg=combi&s=articles
* change every password for every single account that requires a password and make them all unique (here is a tip, take a full sentence easily remembered and use the characters as the password, i.e. the top of this page says Maysville Kentucky BBS - Reply to Topic - Firefox Web Browser. Using this as an example, my password might be MkBr2T-FWB. - 11 characters, mixed case, alphanumeric and from the estimated time to crack is greater than 23 years ). Change all passwords for ebay, paypal, email, web site logins, msn, yahoo, irc, jabber, icq, skype, etc. If you also have the ability to change your user name, do that. You can also cancel the account and then create new ones
* dont write the passwords down or use any password safes
* use ssl whenever logging into things like webmail, web site logins, paypal, etc. Even if the site doesnt advertise ssl logins, just go to the login address and change http to https and refresh - a lot of times it will work. If it doesn't, tell the owner of the domain you will no longer use their services until they secure their login page. (SSL certificates are free these days, so there is no excuse)
* never send any passwords using clear text communication methods, such as email, icq, msn, yahoo, irc, web login, etc.
* cancel any accounts not being used. For example, if you are a once-in-a-while ebay member, cancel your account each time you make a purchase and transaction completes. If you no longer use email from some_domain.com, why even have it active?

Now, if you follow these steps....you should be much more secure.

Additional suggestions for businesses:
*Lock down your system. This requires getting rid of your spyware removers, antivirus, etc that is not needed with proper access controls in place (and most of the time you wont even need to do windows updates). Get rid of all the crap, you just solved 90% of your problems. Its all a waste of money anyways buying virus software - and to prove my point...you have the most up to date virus scanner and you are still getting infected aren't you? If you only use 15 applications, why have all the other crap installed? Setting access controls on those 15 applications and only those 15 applications will be much better and safer to begin with. Unless one of those 15 applications gets infected, no virus or spyware will be able to run.
* Dont log in as Administrator ever! Make a duplicate account with limited admin rights assigned to a normal user account. By the time you usually need full admin rights on windows to begin with, you are about to reinstall anyways.
* Lock down services by removing default usernames and passwords - MS SQL server has many!!! MS IIS needs replaced with something more secure. Dont use remote admin software that is dumb enough to send the file it takes to login via plain text - get ssh for windows - there are even free binary versions of openssh.
* those of you from 10 years ago who locked down your firewall by setting rules for specific service ports only (default allow) - throw that firewall away and get one that is set to DEFAULT DENY except specifically allowed. Make sure the firewall doesnt talk. Don't allow everyone to your web server. Dont allow everyone to your mail server. Dont allow everyone to ssh. Tighten this down by ip or region or usernames (why would someone from turkey need to read your web pages unless you are doing business in turkey??? Block the entire country by ip blocks - if you dont know what they are - have a look at your logs and Im sure you have had many hack attempts from turkey recently).
* Auditors and Pen Testers, although that is my line of business, is simply a waste of money that makes CEO's/CTO's happy. Stop wasting money try to secure something that never will be and simply follow these recommendations.....like I said, lock the systems down correctly, you just solved 90% of all current problems and future problems. To emphasize this...what is easier to manage, a system with 1,000's of executables or only 15 or so?