
Privacy nightmare at Hobby Search, credit card data stolen!!!!!


Nozomi


Hobby Search announced this today:

 

Original Source: http://www.1999.co.jp/info_card_e.html

 

Regarding a security breach and stolen customer data

 

To Hobby Search customers:

 

We are writing to let you know of a hacker or hackers that penetrated our computer system and accessed customer data including credit card information.

 

At the time of writing, we do not know of any of this information being available publicly.

It is important to us that you, the customer, do not experience any monetary damages because of this incident, and we have provided the information of all the cards that may have been involved in this incident to each of the credit card companies so that they may monitor the activity on these cards.

If you have any concerns about the security of your card, please contact the card company

(via the number on the back of your credit card).

 

Also, although we have switched to a more secure credit card transaction system that only stores the last four digits of your card on our databases on July 7, 2010, we have disabled credit card payments indefinitely.

 

The credit cards involved in this incident are those used in orders prior to July 7, 2010 (a maximum of 23,526 cards).

 

- Credit card numbers, expiration dates, cardholder names

 

We do not store personal verification passwords or security codes on our databases, so these have not been accessed.

Again, we have switched to a more secure credit transaction system on July 7 that only stored the last four digits of those cards (3,794 cards) and cannot be abused by a third party.

We are deeply sorry for any inconvenience or concern that this incident may have caused.

 

<A timeline of events>

October 6 - A system administrator found traces of attacks from Korea and began investigating immediately. That night, we contacted an external security firm to investigate.

 

October 7 - The external examiners began investigations in the morning. We shut off our systems for emergency maintenance, reinstalled all server operating systems and software, re-examined security settings, and isolated the server.

Logs indicated that customer data had been sent out from our server to the address of an institution in Korea.

We contacted that institution by phone and email about this incident and confirmed that the data had been deleted. We believe that they were used as a proxy.

 

October 8 - We revised program, network, firewall, and client machine security and implemented an intrusion detection system.

 

October 12 - We contacted the credit card transaction handler and began discussions about the course of action.

 

October 20 - The external investigators concluded their investigations and determined which and how much data had been accessed.

 

October 28 - With the results of the investigation and cooperation of credit card companies, we are ready to handle customer correspondence and have sent out email notifications to the customers that may have been affected.

 

We deeply regret that this incident has occurred, and are continuously examining the security of our systems. We believe that the root of this problem was the lack of security awareness among each and every employee and are making sure this should not happen again.

We will work hard to maintain your confidence in Hobby Search and hope to see your continued patronage.

 

 

28 October 2010

Toshiyuki Suzuki

President

Hobby Search

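The announcement says the replacement system keeps only the last four digits of a card. The following is an added example, not Hobby Search's code, of the two checks a practitioner would run to confirm such a claim: reducing a stored record to the last four digits, and scanning existing data or logs for full card numbers (Luhn-valid digit runs) that should no longer be present. The sample lines and the record are constructed; the card number in them is the well-known Visa test number, not a real card.

```python
import re

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, as the announcement describes the new system doing."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def reduce_record(record: dict) -> dict:
    """Return a copy of an order record that retains only the last four card digits.

    Expiry date and cardholder name are dropped too: together with a full PAN they
    were the fields the announcement lists as stolen.
    """
    safe = {k: v for k, v in record.items() if k not in ("card", "exp", "name")}
    safe["card_last4"] = mask_pan(record["card"])[-4:]
    return safe


def find_pans(text: str) -> list:
    """Return Luhn-valid card-number candidates (digits only) found in a line of text."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def scan_lines(lines: list) -> list:
    """Report (line index, masked PAN) for every line that still carries a full card number."""
    hits = []
    for i, line in enumerate(lines):
        for pan in find_pans(line):
            hits.append((i, mask_pan(pan)))
    return hits


# Constructed sample data. 4111 1111 1111 1111 is a public test number, not a real card.
SAMPLE_LINES = [
    "2010-07-06 order=1001 card=4111 1111 1111 1111 exp=12/12 name=T. Tanaka",
    "2010-07-08 order=1002 card=****1111 token=tok_example",
    "2010-07-09 order=1003 note=customer phone 0312345678 left a message",
]

SAMPLE_RECORD = {"order": 1001, "card": "4111 1111 1111 1111",
                 "exp": "12/12", "name": "T. Tanaka"}

if __name__ == "__main__":
    print(reduce_record(SAMPLE_RECORD))
    for idx, masked in scan_lines(SAMPLE_LINES):
        print(f"line {idx}: full card number still present ({masked})")
```

The Luhn filter keeps the scanner from flagging phone numbers and order ids that happen to be long digit runs; a Luhn-valid 13 to 19 digit run in a database dump or web server log is the signal that the old storage path is still alive somewhere.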

I received one of those emails today. The text is essentially identical to what you posted, with a couple of wording changes, including the addition of this:

 

"The attackers took advantage of a security hole in our computer systems. We have not determined who they are, but have found the attacks to be originating from an educational institution in Korea. We have contacted this institution and requested they determine who the attackers are and that they secure the data stolen."

 

which doesn't add anything to what the other text says.

 

I checked my credit card account, and did not find any suspicious charges. When I called my bank they hadn't yet been notified of any problem, but I had them retire the card number and issue a new one, just to be safe.

 

I've been using paypal with them since July anyway, but from the email it would appear that older transactions had kept the credit card info with the transaction.

Claude_Dreyfus

Again, I used to use my credit card, however switched across to Paypal a while ago. That said, I'll be checking with my bank tomorrow and sitting tight until Sunday...when my current card expires.

Mudkip Orange

They are being amazingly open about what happened! I applaud that.

 

Agreed.

 

I'm good, as my last HS order was on a now-expired CC. Look forward to when they actually start taking cards again.


I had an order in April, no email from HS, and the card is still in use; I will call the bank tomorrow and keep my fingers crossed.

CaptOblivious

Yeah, no emails from them either…hrm. Although it's been over a year since my last order, saving the one made well after 7 July…


the sky is not falling and this won't lose us any money...

 

excellent they are being open and up front about it, few companies ever are unless forced to do so. small hit to their reputation now, but bennies for being honest and upfront, and could be a big hit if they didn't and it became a problem. it looks like they brought in professionals to do this communication, important to keep their overseas customers (all of us) informed and hopefully still future customers.

 

i used two cards with HS over the last few years and neither has had any suspicious charges on it from this. i did move over to paypal when they started the half off shipping and just kept doing it. takes a tad longer for the payment request loop, but simple and no typing in the cc numbers. I got the letter twice, i guess as i used two cards with them in the past. fortunately i just happened to close one of the cards a couple of weeks ago though.

 

i'm glad i kept my clients doing little transactions using paypal. makes life simpler for the security measures and puts all the worry on them...

 

lists of names/cc numbers are stolen so often nowadays it's not that big of a deal, and at least they did not store the verification codes. you hand your card over to folks all the time that can easily grab all the info when you do pop transactions.

 

it's no problem with all the major ccs if there are any fraudulent charges. you just call them up and they are disputed and you don't pay. i have had numbers grabbed in the past and this happen and never a worry about the charges. what is bad is if it's a debit card that works like a visa/mc, then the money that's lifted from your account is not put back for a while till they sort things out (at least that's how it was when mine was stolen a few years back and a bonnie and clyde run was done on it), so that can hurt along with cleaning out that account, so i never use those type cards. who gets hurt is the guy who took the fraudulent transaction -- they won't get paid from visa/mc or have the money removed from the merchant hold back funds.

 

always best to look over your transactions each month to make sure none are frauds. if you do that and find something bad and call, then never a problem. it's if you wait and find it 6 months later you may be sol...

 

cheers

 

jeff


I forgot to mention that the cc companies are not going to be holding folks to pay for any fraudulent activities, as if they did or hassled you much on it, it would be the beginning of the end of their business. where it is hurting is that it does drive their costs up and thus the fees and interest rates you pay on the ccs, along with hurting the defrauded merchants.

 

the odd thing is that there have been some great proofs of concept of cards with small chips in them that generate a series of encrypted code keys, either just changing every 15 minutes or when you push a button. this would really truncate most of these fraud issues, but they have not materialized in the market at all for some reason. there was just a report this week in popular media about new ccs with things like buttons on them to show you balances, or let you choose if you want to pay for something from your credit or reward points, all very cheesy ideas that are just marketing ideas, but the security code key could save billions in fraud. odd... guess visa/mc does not want to have to change the whole system to incorporate a rotating security code into the existing system, and pushing the cost onto merchants for fraud is easier.

 

cheers

 

jeff


I check my account every couple of days anyway and no fraudulent transactions yet, it looks like HS were on top of things pretty quickly.


I canceled my card just to be on the safe side. Yes, I don't have to pay for fraudulent transactions, but at the same time, I don't want to be always on the lookout for these things. Took 2 minutes on the phone and the new card is on the way! Yippee!


clem,

 

i'm afraid you might have to do this once a week if you really knew how many times your card info was lifted! rarely are folks told about it! it is a good practice to just go over your statement every month due to this. takes two secs and fraudulent stuff usually stands out quickly, and calling your cc then takes care of it w/o any other hassles (unless they charged a lot of money, then they may want you to fill out some paperwork, but never been a problem).

 

i've had this happen maybe a dozen times over the last 20 years. i used cc a lot for business as well, so more exposure i guess.

 

cheers

 

jeff



I think you're right. I've had an instance in the past with half a dozen transactions on my card in Brazil that I knew nothing about, seemingly small purchases at grocery stores and the like; calling the bank and getting them wiped out was IMHO less of a hassle than getting a new card and then advising everyone I do business with of the change.

 

I'm sure this happens often enough to make you never want to use a credit card again if you knew, we just know about this instance because of Hobby Search's Japanese 'bending over backwards for the customer' way of doing business.

 

I'm also wondering if, seeing that a Japanese company was targeted, the perpetrators were mainly trawling for Japanese card info.


What scares me is that the CCs are going away slowly from magnetic stripes to RFID technology, which is much easier to data-grab. While it is a little easier to manage data securely online, it's much harder to secure data from a hand-held scanner. Here in MD, we have two RFID cards for transit, SmarTrip and CharmCard (both interchangeable in use between DC Metro and Baltimore MTA). In the winter of 2010, MTA plans to give all MARC train and MTA fare collection handlers handheld RFID readers for fare collection. It would not be all too hard for these to be acquired outside of a TA.

 

And while the TAs like to say if you have multiple RFID enabled cards in a wallet, only one can be read at a time, I learned already the hard way on Metro last week that's not true, as I had the same fare deducted off both my SmarTrip and CharmCard when I entered the system at Grosvenor and exited at Farragut North stations. (Actually it wasn't the hard way but rather an expensive experiment to see if it could read two stacked cards in a wallet at the same time, then compared the values by touching add-fare machines to see if it subtracted the same value from both cards at once, which it did.)

 

the risks with the current technologies used here in America would be the same with e-credit cards.


RFID is not as secure, but a bit more difficult to fake, but not all that hard. you also can read at a short distance, so it's easier for someone to copy your card data than swiping a mag strip.

 

two cards could get read easily if you place them near, as the way rfid works is set up to do exactly this. basically the sensor blasts a very short charging blast of radio energy, then sits and waits to receive a signal for a short period, then repeats. the energy blast is collected by a coil on the RFID chip that induces a current to run the chip, which discharges the energy back over the coil as a code over radio waves (forgive me if you already know this). the key is these systems sit there doing alternating charge/receive cycles all the time, so it will hit one card and then if a second card is there it will register it if they are interoperable systems. the only way to prevent this would be putting a pause in there where it would not read another card for say half a second, but that could be dicey when you have high flow rates. if your cards were registered to you i guess they could do a cross check that you should only be charged on one of them, but that would require the two systems to talk to each other and that may be tough. or the cross reference info would need to be encoded on your card (tough).

 

what they do do is try to make the sensor coil a certain shape to only register the cards in a very set geometric space above the reader area, to try to help keep things in your pocket, purse, bag, etc. from getting read as well. i had fun with this when working with RFID PIT tags like 20 years ago to see if we could use them to put in critters in a tank for visitors to identify with a reader. by changing the coil shape and winding materials you could get all sorts of sizes and shapes of effective sensor fields. herein also lies a security flaw, as you can create long, thin ones that would be great at pointing at someone's purse or wallet!

 

i still think the idea of just plugging in a 4 or 5 digit security key code that's created from the card at the time of purchase would solve so much of this. would not matter how the cc number was entered, as it would only get validated with the proper security key issued w/in minutes of the transaction. it would be a pain for the rapid transactions that cell phones are now doing, but that system usually has some sort of validation you do on the cell phone to say do a transaction (like buy a candy bar). the easy way to get over not having more than one card read would be if you had to press a button on the card in order for it to be read. all this would need to be is a simple spst momentary switch that when you press it connects the coil to the chip, so that when it's not depressed the coil could never charge the chip. again not as convenient for the speed charge like walking thru a metro stall...

 

cheers

 

jeff

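Jeff's "4 or 5 digit security key code that's created from the card at the time of purchase" and validated "w/in minutes of the transaction" (and the "rotating security code" in his earlier post) is, in substance, a time-based one-time code. The block below is an added example, not code from this thread or from any card network, built from the standard HOTP construction (RFC 4226, HMAC-SHA1 with dynamic truncation) driven by a time step. The card secret, the one-minute step, the five-digit length and the two-step acceptance window are assumptions chosen for the example; the timestamp is constructed.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # assumed: the code on the card changes once a minute
DIGITS = 5          # the "4 or 5 digit" code from the post
WINDOW = 2          # assumed: issuer accepts codes from two steps either side of "now"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def card_code(secret: bytes, now: int) -> str:
    """What the chip on the card shows when the button is pressed at Unix time `now`."""
    return hotp(secret, now // STEP_SECONDS)


def issuer_verify(secret: bytes, code: str, now: int, used: set) -> bool:
    """Issuer side: accept a code only inside the time window, and only once.

    `used` holds the time-step counters already redeemed for this card, so a code
    captured from one purchase cannot be replayed on a second one.
    """
    step = now // STEP_SECONDS
    for delta in range(-WINDOW, WINDOW + 1):
        candidate = step + delta
        if hmac.compare_digest(hotp(secret, candidate), code):
            if candidate in used:
                return False        # replay of an already spent code
            used.add(candidate)
            return True
    return False                    # wrong code, or too old to fall in the window


# Constructed values for a demonstration run.
CARD_SECRET = b"constructed-per-card-secret"
NOW = 1288224000                    # an arbitrary Unix timestamp, not tied to any event

if __name__ == "__main__":
    used = set()
    code = card_code(CARD_SECRET, NOW)
    print("card shows", code)
    print("issuer accepts 30 s later:", issuer_verify(CARD_SECRET, code, NOW + 30, used))
    print("issuer accepts same code again:", issuer_verify(CARD_SECRET, code, NOW + 40, used))
    stale = card_code(CARD_SECRET, NOW - 600)
    print("issuer accepts 10-minute-old code:", issuer_verify(CARD_SECRET, stale, NOW, set()))
```

The point the post makes survives in the code: a stolen card number on its own fails `issuer_verify`, because the attacker has neither the per-card secret nor a fresh code, and a code that was observed in transit is worthless after the window closes or once it has been redeemed. The window and the `used` set are the two tuning knobs; widen the window for clock drift on the card and the replay set is what keeps that from becoming a replay hole.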

My annoyance is both WMATA and MTA claim that what happened should not, and that having multiple SmarTrip cards would not be read simultaneously. I do know that in Japan, a gate will not read a PASMO and Suica card at the same gate.

 


Martijn Meerts

Any security scheme they come up with will be hacked sooner or later. Those that are hacked later are usually also the ones that are so user-unfriendly that no one uses them (and therefore are not interesting for people to hack in the first place =))

 

I'm not overly concerned with all this technology and getting hacked and what not. If it happens, it happens, I'll call the bank, block the card and have them figure out the rest. If I worry about getting my credit card stolen, I might as well never leave the house, because I could get hit by a car. Of course, if I stay inside, the house might collapse ;)


Have been in touch with the guys and Ryo Negishi confirmed my card was one of those affected; being a debit card, I have had to phone the bank and cancel it. Unfortunately this affects my eBay / PayPal accounts, also my car insurance payments and a couple of other regular payments; it is going to take me ages to sort it all out. Not a happy bunny
