Post by Rob Monfea on Oct 26, 2010 18:55:06 GMT
Dear All,
A number of users of Hannants Web mail order (myself included) have had fraudulent credit/debit card transactions over the last few days. In my case, the money was debited to a Nat West credit card account.
Hannants have issued the following statement:
"Dear Customer
We are very sorry to have to tell you that a number of customers who have used our website have had their card details stolen and used by criminals.
ALL CUSTOMERS THAT HAVE ENTERED CARD NUMBERS ON OUR NEW WEBSITE PLEASE CHECK YOUR ACCOUNTS FOR SUSPICIOUS CHARGES OR ATTEMPTED CHARGES. If you see any please contact your company that issued your card.
At the moment no one is sure how this has happened. There are several internet security firms investigating everything and we will keep you all updated as soon as we can.
There is no sign of any intrusion into the server where the card number and expiry date information that we keep is encrypted*. The CVV number is not stored.
After looking at the information we have received we think this mainly affects some customers who have sent us an order in the last 2 weeks though there are 3 from September.
We have been contacted by about 40 customers so far but are not sure how many others have had their cards compromised but have not told us yet. If you know your card has been compromised PLEASE tell us. Please send us as much information as you can as soon as you can. We need as much information as soon as possible.
Please look out for small 'insignificant' test charges of under $5.00 followed by larger charges of varying amounts. Charges have originated from different countries and in different currencies.
Until we have found out what has caused this problem and it has been fixed we have closed the website. None of the experts can find any problems with it but until the problem is resolved we prefer not to take any risks.
We have deleted ALL card numbers from the website database. We are aware that a few of you wanted access so you could delete your details but we have done this for everyone.
Paypal. We have been asked why we do not accept it. There are 2 reasons. Firstly, when we started work on the new website 4 (four) years ago we could not get it to work with the fully stock controlled warehouse that we wanted to run. We did some trials but it took too long for payments to arrive in our bank account, which would seriously have delayed the despatch of orders. Things have now improved. Secondly, it was too expensive: 3 times the cost of handling Visa and Mastercard. All our payments are now handled by Sage pay, a large British firm. Recently they have started working with Paypal and our website designers had been doing some work to incorporate it into the website. We are going to speed up the work on this and try to get it incorporated quicker.
We will re-open the website as soon as we can but will not be rushing into it.
Thank you for your help and understanding.
ALL CUSTOMERS THAT HAVE ENTERED CARD NUMBERS ON OUR NEW WEBSITE PLEASE CHECK YOUR ACCOUNTS FOR SUSPICIOUS CHARGES OR ATTEMPTED CHARGES. If you see any please contact your company that issued your card."
Hannants appear to be as much of a victim in this as the rest of us. With their website offline their business will be affected (probably the last thing they need in the current economic climate). I would encourage everyone to remain calm and be supportive to them.
If you have had a card registered on the new Hannants website, I would strongly urge you to check it ASAP and monitor for any unusual activity. If you do find anything unusual, contact your bank immediately and have the card frozen! Please also drop Hannants a line, so as to aid their investigation. The more data they have, the easier it will be to track the criminals.
My bank have been very understanding and have refunded the £545 taken in the fraudulent transaction.
I will post more as we hear it from Hannants.
Cheers,
Rob Monfea UKLO for IPMS (UK)
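A detection sketch for the pattern Hannants describe above (a small probe charge, then a larger one, from varying merchants, countries and currencies), added here as an example; it is not code from the thread, from Hannants or from Sage Pay. The transaction records, masked card references, thresholds and the exchange-rate table are constructed assumptions.

```python
# Added example, not from the thread or from Hannants/Sage Pay: flags the
# "small test charge, then a large charge" pattern the statement describes.
# The transactions, field names, thresholds and exchange rates are all
# constructed assumptions for illustration.
from datetime import datetime, timedelta
from typing import List, NamedTuple, Tuple


class Txn(NamedTuple):
    card: str           # masked card reference (assumed format: last four digits)
    when: datetime
    amount: float
    currency: str
    merchant: str
    country: str


# Assumed rates to GBP so charges in different currencies compare on one scale.
RATES_TO_GBP = {"GBP": 1.0, "USD": 0.63, "EUR": 0.87}


def to_gbp(amount: float, currency: str) -> float:
    """Normalise an amount to GBP using the assumed rate table."""
    return amount * RATES_TO_GBP[currency]


def find_test_then_large(
    txns: List[Txn],
    test_max: float = 5.0,        # "insignificant" probe: at most this much (GBP equivalent)
    large_min: float = 50.0,      # follow-up charge that actually takes the money
    window: timedelta = timedelta(days=3),
) -> List[Tuple[str, Txn, Txn]]:
    """Return (card, probe, follow-up) triples where a small charge is followed
    within `window` by a large one on the same card, regardless of merchant,
    country or currency."""
    by_card = {}
    for t in txns:
        by_card.setdefault(t.card, []).append(t)

    hits = []
    for card, items in by_card.items():
        items.sort(key=lambda t: t.when)
        for i, probe in enumerate(items):
            if to_gbp(probe.amount, probe.currency) > test_max:
                continue
            for follow in items[i + 1:]:
                if follow.when - probe.when > window:
                    break           # items are time-ordered, nothing later can qualify
                if to_gbp(follow.amount, follow.currency) >= large_min:
                    hits.append((card, probe, follow))
                    break           # one hit per probe is enough to raise the card
    return hits


def flagged_cards(txns: List[Txn], **kwargs) -> List[str]:
    """Sorted, de-duplicated list of card references that match the pattern."""
    return sorted({card for card, _, _ in find_test_then_large(txns, **kwargs)})


# Constructed sample transactions (not real data).
SAMPLE_TXNS = [
    Txn("****1234", datetime(2010, 10, 24, 9, 12), 1.01, "GBP", "mobile top-up", "GB"),
    Txn("****1234", datetime(2010, 10, 25, 14, 30), 505.00, "GBP", "mobile top-up", "GB"),
    Txn("****5678", datetime(2010, 10, 24, 3, 5), 3.50, "USD", "web store A", "US"),
    Txn("****5678", datetime(2010, 10, 26, 3, 7), 249.00, "USD", "web store B", "IE"),
    Txn("****9012", datetime(2010, 10, 20, 12, 0), 45.00, "GBP", "hobby shop", "GB"),
    Txn("****3456", datetime(2010, 10, 1, 8, 0), 2.00, "GBP", "car park", "GB"),
    Txn("****3456", datetime(2010, 10, 25, 8, 0), 400.00, "GBP", "electronics", "GB"),
]

if __name__ == "__main__":
    for card, probe, follow in find_test_then_large(SAMPLE_TXNS):
        print(f"{card}: probe {probe.amount} {probe.currency} at {probe.when:%Y-%m-%d %H:%M} "
              f"then {follow.amount} {follow.currency} at {follow.when:%Y-%m-%d %H:%M}")
```

Run as a script it lists the two sample cards that fit the pattern; the card whose small charge sits weeks before the large one is left alone because the window is deliberately short, which is the trade-off to tune: a wider window catches slower fraud at the cost of more false alarms on ordinary spending.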
Post by The Hooded Claw on Oct 26, 2010 21:13:58 GMT
If I were Sage Pay I'd be a little annoyed about that. Implies that the problem may lie with them as 'they handle all our credit card transactions'. There are many many people who use Sage pay (myself included) who have not had this problem. It appears to be an issue with how Hannants' website stores Credit Card details for back orders.
It has been brewing for years in this industry; sooner or later one of the major player mail order houses was bound to get hit. Funny how it's the biggest one first, isn't it? Someone did their homework well, it appears.
THC
Post by Radish on Oct 27, 2010 9:10:25 GMT
Yes....I've been "done" twice in the last few months on different cards. Interestingly, one was for a purchase of a Dominos Pizza in Ipswich!! If necessary, I'll visit the culprit and give him or her a big kiss.
Post by Rob Monfea on Oct 28, 2010 9:40:04 GMT
Update From Hannants:
Dear Customer,
Investigations are still on-going but so far no problem area or trace of illegal entry can be found anywhere. How the card numbers were taken is still a mystery. Two firms are still looking at everything and we hope to have their reports in soon. For now we are still not prepared to fully re-open the website.
We have PARTIALLY re-opened the website. We have done this so you can check that we are telling the truth that the card details have been removed and so that you can use all the other parts of the site. We suggest that while you are logged in you also check any items that are on back order and/or in your cart and adjust as required.
Currently you cannot enter new card details at this time or send orders to us but most other facilities are still operating as usual.
We have temporarily stopped sending out back orders just in case sending the data that goes with ordering is where the problem is. We have been told that it is encrypted everywhere and is not a problem area so now we do not think it is but we need to be certain.
TELFORD SHOW ORDERS. To send us an order for collection at the show please add a Collect from show address with your name on as usual, add what you want to buy to your cart as before BUT then email us to say it is there in your cart. We will then download it and have it ready for collection and payment at the show. You do not pay until you collect so we do not need any payment now.
MAILORDERS. WE CAN NOW ACCEPT ORDERS THIS WAY... Please put your order in the cart as normal then TELEPHONE or FAX us with your card details. We will then download your order and attach the card details to the order. We will then be able to process your order. Our email is not secure so we cannot recommend you send your card details that way.
Please be aware that the cart only 'remembers' items if they are actually saved in the cart. Items in the Quick Order only do not get saved.
We will email more information as soon as we can. Quite a few customers have told us that they are on the emailing (Hot News) list but have not received an email from us. We think this is because they are being stopped as spam. Mostly the customers are with Hotmail, Yahoo, AOL and of course BT. If you can pass our emails to any of your modelling friends please do.
Everyone at Hannants would like to say a massive 'thank you' for the emails, and phone calls of support, help and encouragement you have sent us. With the exception of about 8 people your support has been fantastic.
Congratulations should also go to the world's banking system, who seem to have spotted and stopped the majority of the charges before they got to the customer.
Best regards
Hannants.
I think Hannants should be applauded for the open way in which they are dealing with this issue.
Cheers,
Rob M.
Post by brightonrock on Oct 28, 2010 10:26:45 GMT
I am going to pay a huge tribute to my credit card issuer;
They called me to tell me that two 'fraud' looking transactions had been attempted on my card within the past two days. One was for £1-01, the other for £505; both were from O2 and tagged as mobile phone charges. My bank had rejected the charges and called to enquire if they might be genuine.
The card was immediately cancelled and a new one is being issued. This all coincided with Hannants emailing with their problems/suspicions. As my wife took the call from the bank, she did not know that I had had an email from Hannants which might link the issue.
This is how the fraud is done: the first try is a small tester to check the card is valid, then a bigger hit is done.
My bank card issuer spotted the potential problem because the security number was not present on the e-charge. Credit to them, or I would be claiming refunds.
Post by amraamrepairman on Oct 28, 2010 19:35:52 GMT
Just to echo Brightonrock's post above.
Bank spotted it at the same time Hannants did: £249 of goods ordered (not by me) from Apple International, who were also suspicious and called me. E-mails from Hannants keeping me up to date. New credit card from the bank in 3 working days.
Overall, the system works and they are all working hard to stop the nasty little s***s who are trying to steal my information and money.
Regards
Colin
Post by foxy on Oct 29, 2010 22:25:08 GMT
Not to echo anything. This will happen with all this new tech (mobiles); someone will find a way to exploit a new tech. There may be no protection on mobiles for transactions, 'hope not', but this may be the problem, 'methinks'.
Post by chadders on Oct 31, 2010 17:08:05 GMT
Well this week I've been busy in America by all accounts. On Monday I paid my mortgage on my house in Chicago, and on Thursday I bought some fishing tackle in Rosedale. One was picked up, one went through. All the money is back now though. What I would say is that the second card has never been used at Hannants, and has no link to the first card (different banks). Mark
Post by cosmosman on Oct 31, 2010 21:32:37 GMT
Seems to be all the rage this week. I had a call from Visa on Friday to ask if I had used my card in the last couple of days. Four small items had been added to my account, and I've not registered on Hannants new website. Wish I could visit the little S***s with a baseball bat.
Post by seb on Nov 1, 2010 7:42:36 GMT
Just heard from a fellow member of our local branch (Zurich), his card had been charged with a very small amount first and then a large one. Both were stopped by the card company. Interestingly he last used his card with Hannants in January 2010 - maybe the leak is in a quite different location...
Post by Rob Monfea on Nov 1, 2010 12:23:31 GMT
"Interestingly he last used his card with Hannants in January 2010 - maybe the leak is in a quite different location..." Quite possibly. Had the following over the weekend from Hannants:
Dear Customer,
Two of the investigations into our problem have come back but failed to find anything significant.
We have analysed a lot (but not all yet) of the information our customers have sent us. We can confidently say that no information was captured as orders were transmitted. This means that we should be able to re-open the website quite quickly.
However it does mean that we still do not know how the data was accessed and so have to recommend that anyone who registered their card details on the NEW website CANCEL the card with their bank. We realise this is annoying, irritating, time consuming and inconvenient but we think it is the safest thing to do under these circumstances.
PLEASE CANCEL ANY CREDIT OR DEBIT CARD THAT WAS REGISTERED ON OUR NEW WEBSITE. (registered on or after March 23rd 2010)
We will re-open as soon as possible with a new system that does not remember the card details. This will be annoying for our customers who order regularly and will not want to enter their card details each time but we think it is the best way to go at the moment.
This will mean that we will not be able to automatically send any back orders. We will NOT be cancelling any back orders and will send you all revised Back Order details as soon as we have decided on the best way to handle them. For the moment you can add any available items to your cart and then phone or fax your card details through. Then we can download the order from your cart and attach the card details. We will charge and despatch as soon as we can.
TELFORD SHOW ORDERS. To send us an order for collection at the show please add a Collect from show address with your name on as usual. Add what you want to buy to your cart as before BUT then email us to say it is there in your cart. We will then download it and have it ready for collection and payment at the show. You do not pay until you collect so we do not need any payment now. The country in the delivery address should be Collect from show NOT United Kingdom or any other country.
MAILORDERS. WE CAN NOW ACCEPT ORDERS THIS WAY. BUT ONLY THIS WAY PLEASE. Please put your order in the cart as normal then TELEPHONE or FAX us with your card details. We will then download your order and attach the card details to the order. We will then be able to process your order. Our email is not secure so we cannot recommend you send your card details that way though we know a lot of you will.
PLEASE DO NOT PHONE OR FAX OR POST YOUR ORDERS TO US AT THE MOMENT. WE ARE GRATEFUL FOR YOUR ORDERS BUT CANNOT LOAD THEM TO THE WEBSITE AS QUICKLY AS YOU CAN.
We are sending this email via 2 methods so as to try and get it delivered. We apologise if you receive it twice.
We are still receiving immense amounts of support and help and we thank you all for it.
Best regards
Hannants.
And then the following:
Following our recent credit card security issues, we can confidently say that NO information was captured as orders were transmitted. This means that orders can safely be placed at our website.
We have now RE-OPENED this website but modified the way we work. You cannot save any card details now. When you go to check out you will be asked to enter your card details. As soon as you have sent the order the card details are deleted.
Because we no longer have any card details we will not be able to automatically send any Back Orders. We HAVE NOT cancelled any Back Orders and hope to have a modified system available soon. Sagepay have recently developed a new system which is exactly what we were looking for when the new site was being created. For now please add Back Order items to your cart and send the order when you are ready. When you are logged in you can use the Watching facility to be told by email when a kit you are interested in is available.
TELFORD SHOW ORDERS. To send us an order for collection at the show please add a Collect from show address with your name on as shown in Your Account> Change Your Delivery Address Details> Add An Address. Then make this your default address. Next add the items you want to buy to your cart and then go to checkout. You will need to enter your card number to make the system accept your order but it will not be charged. It will be deleted after the order has been sent.
Continuing investigations have ruled out a compromised PC accessing the administration to harvest the card data. The server logs have failed to find any SQL injections. The investigations will continue.
Judging by the postings on some other modelling forums, a number of traders appear to be affected, so the cause may be more widespread than previously thought. The joys of the modern age, eh? Here's to spending some real £ notes at SMW in a couple of weeks' time!
Rob M.
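The Hannants update above says the server logs showed no SQL injection. What such a log sweep looks like in practice, added here as an example and not anything Hannants' investigators ran or published: it parses combined-format web server access log lines, URL-decodes the request repeatedly so double-encoded payloads are not missed, and matches a small set of injection signatures. The log lines, IP addresses, paths and the rule list are constructed for illustration.

```python
# Added example, not from the thread or from Hannants' investigators: a
# first-pass sweep of web server access logs for SQL injection attempts, the
# kind of check the statement above refers to. Log lines, IPs, paths and the
# signature list are constructed assumptions for illustration.
import re
from typing import List, NamedTuple
from urllib.parse import unquote_plus

# Apache/nginx "combined" format: client, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Signatures checked against the *decoded* request path. Deliberately narrow:
# a noisy rule set on a production log buries the real hits.
SQLI_RULES = [
    ("union-select", re.compile(r"(?i)\bunion\b.{0,40}\bselect\b")),
    ("tautology", re.compile(r"(?i)'\s*(or|and)\s*'?\d+'?\s*=\s*'?\d+")),
    ("time-based", re.compile(r"(?i)\b(sleep|benchmark)\s*\(")),
    ("schema-probe", re.compile(r"(?i)\binformation_schema\b")),
]


class Hit(NamedTuple):
    ip: str
    time: str
    path: str      # decoded request path and query string
    rule: str


def deep_decode(s: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads (%2527 -> %27 -> ')
    are seen in their final form."""
    for _ in range(rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def scan_log(lines: List[str]) -> List[Hit]:
    """Return one Hit per log line whose decoded request matches a rule.
    Only GET query strings are visible here: POST bodies are not written to
    access logs, so a clean sweep does not clear form submissions."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                 # malformed line: skip rather than guess
        path = deep_decode(m.group("path"))
        for name, rule in SQLI_RULES:
            if rule.search(path):
                hits.append(Hit(m.group("ip"), m.group("time"), path, name))
                break                # one rule per line keeps the report readable
    return hits


# Constructed sample log lines (documentation-range IPs, invented paths).
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Oct/2010:10:15:01 +0100] "GET /product.php?id=1234 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [26/Oct/2010:10:15:09 +0100] "GET /product.php?id=1234%27%20UNION%20SELECT%20card_no%2Cexpiry%20FROM%20cards-- HTTP/1.1" 200 7311',
    '198.51.100.7 - - [26/Oct/2010:10:16:02 +0100] "GET /search.php?q=spitfire%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 2200',
    '192.0.2.9 - - [26/Oct/2010:10:17:40 +0100] "POST /checkout.php HTTP/1.1" 302 -',
    '198.51.100.7 - - [26/Oct/2010:10:18:55 +0100] "GET /product.php?id=1%2527%2520AND%2520SLEEP%25285%2529 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h.ip} [{h.time}] {h.rule}: {h.path}")
```

The sample flags three requests from one client and ignores the plain product lookup and the POST to checkout. That last point is the caveat worth keeping in mind when reading "the logs show no SQL injection": an access log records the request line, not the body, so a card-entry form attacked through POST parameters leaves nothing for this sweep to find unless the application itself logs the submitted fields.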
Post by foxy on Nov 2, 2010 10:43:03 GMT
Well, I stand corrected from my last post on mobiles. I do not use a mobile unless travelling away and only to confirm I am coming home (pay as you go). But I have been hit on my card very heavily on the first of this month; luckily my bank is easy for me to contact, and I managed to see the problem before they did. I have only used my card for Hannants twice this year and Paypal for the rest???. Having a joint account with my wife not affected, so it has to be transactions from mine alone. Makes me very cautious in using my card over the INTERNET again. The cheeky *So and soes* even gave me a credit of £250, then withdrew over 1,000 from the account plus others. Seems the tactics have changed.
Post by sanguin on Nov 2, 2010 16:21:51 GMT
I was a victim of an attempted internet credit card fraud about ten-twelve years ago. I used the card for the first time in months to book two cheapo air tickets to Ireland. Five days later I got a letter at my home address advising me that my order for a very nice sound system could not be delivered to my son in London as the credit card payment had been declined. I had not ordered a new stereo and my son lived in Northern Ireland. However, the fraud failed and the criminal was probably identified (I wasn't told the final result, only that they were pleased to have a live case with a delivery address for the goods and someone presumably awaiting delivery of nigh on a thousand quid's worth of hi fi gear). This was because the attempted fraud exceeded my deliberately lowly credit limit. I have one credit card which currently has a credit limit of £250 and this is for internet use only. Historically it had a £100 limit, but over the years it has crept up.... The bank know why the limit is set and they never try to increase it. I have another 'non-internet' card with a much higher limit for routine use if needed. At present the £250 card hasn't been used by anyone but me, but it is about to be replaced as its details were on the Hannants site and one other retail site. The new card will appear with an initial £1,000 limit, but I will call the issuer and bring it back down to £250 again. It is worth having a card that you keep purely to minimise any losses and maximise the chance of catching someone out.... John
Post by Paul Senter on Nov 3, 2010 22:08:10 GMT
I have been stung for £380 - same method of operation as listed above, small amounts then one big one. Cancelled my debit card but am at a complete loss as I am away from home on a course until Friday. No way to get to a bank before I leave so hopefully I can get from Shrivenham to Chelmsford on 1/4 of a tank!
I am very annoyed and, right or wrong, sent a snot-o-gram to Hannants basically suggesting they should test their system before it is let loose on the world. I work in finance so I know the importance of personal details like accounts.
I am sure that once I have calmed and put the finishing touches to the 'Stringbag' I am building then I will be fine. Deep breath..........and...relax.
Paul
Post by alfie on Nov 3, 2010 23:23:10 GMT
My card got tested too this week. A small payment of a couple of quid to somewhere in the SW. Luckily, my provider noticed and blocked the charge. I got home tonight to a message on the answering machine requesting me to contact them immediately as a matter of urgency. The card is now cancelled. When this first kicked off, I checked my statements for irregularities and found none. I thought that I was safe, but it would seem that everyone is vulnerable - so if you've used your card at Hannants, I strongly urge you to cancel it ASAP or sooner.
Regards, Alfie