DVD Talk Forum

A&B SOUND USERS LOOK HERE. URGENT. (https://forum.dvdtalk.com/store-forum/109479-b-sound-users-look-here-urgent.html)

Paul.B 05-18-01 10:19 AM

Just read this on the dvdforums in the U.K. Doesn't look good.

Hi all,
This is an extract from my local forum page. I confirmed this myself so I hope this helps and saves you some misery
**************************************************************************
To all members that have used ABsound in the past you may want to have your credit card details blocked...

I logged onto ABsound tonite and only got a page full of symbols and numbers. But if you let it load for a period of time it starts to list credit card numbers with names and expiry dates.

I sent a 2.6meg section of this page on to Citibank as I found my details for my Citibank mastercard and in the morning will have to pass the same details on for my visacard as I also found those listed.

The person I spoke to at Citibank will keep trying to ring ABSound to let them know what is happening.
****************************************************************************


I think it is better to be safe, and have your card details changed.

marty888 05-18-01 10:40 AM

Just tried to access their site, but couldn't. I have a feeling some hackers did some nasty work on them, and they have pulled it down to give them an opportunity to correct.

ali 05-18-01 12:09 PM

My card issuer's number was really busy, but I've cancelled my card now.

ali

axolotls return 05-18-01 01:48 PM

I was on their site 24 hours ago and nothing looked different. Even signed up again for another account (lost my member id)

rtiangha 05-18-01 02:09 PM

Actually, I was there this morning and there were weird text symbols on the home page and my computer was trying to download something BIG (I stopped the transfer after 30 seconds because I was suspicious of a virus or something; I'm still on dial-up :( ).

Just what information was posted? CC number? Expiration date? Name and billing address? All of the above? I've only ever made one purchase at A&B's online store, and that was months ago.

Also what steps should be taken with my credit card company? I called mine, but the lady wasn't very helpful (and very rude. I asked her what would stop a hacker from setting up an account at another store with my billing address and other info that was gained from A&B, then using a shipping address to a PO box in another province to receive the goods, and she said that "that isn't possible" and tried to end the conversation quickly).

Obviously this is the first time that anything like this has ever happened to me, and I'm worried. What should I do? Should I panic?

Thank you.


Feneant 05-18-01 04:29 PM

It now says the site is closed for maintenance... I have to check on this as well I guess. I've made one order and later cancelled it, this was around 1 month ago... but they probably still have my info.

simonbrew 05-18-01 06:01 PM

They had, if you let the page load long enough, credit card numbers, expiry dates and names. All three cards I've used with the company were listed, dating back to early 1999. It's fair to guess that their entire database was posted to the front page of the site (apparently there was some 750MB of data).

Get onto your card companies, folks...

S

rtiangha 05-19-01 12:50 AM

Well, here's the official press release from http://www.absound.ca

------------------------------------------------------------

PRESS RELEASE

During the early morning hours of May 18, 2001, the security on the web site maintained by A&B Sound Ltd. was breached by unknown persons. A&B Sound Ltd. has reason to believe that credit card information belonging to customers who had open, unprocessed orders on the web site may have been obtained and that unauthorized use of that information may have occurred.

The web site, http://www.absound.ca, was immediately shut down by A&B Sound Ltd. pending an internal and police investigation. A&B Sound Ltd. has also retained external computer security experts to assist in the investigation.

A&B Sound Ltd. has emphasized that the security breach is limited to open, unprocessed on-line orders and that the security of credit card information belonging to its retail store customers has not been affected in any way. A&B Sound Ltd.’s on-line orders are dealt with independently of its retail operations. On-line orders represent less than 1% of A&B Sound Ltd.’s business.

A&B Sound Ltd. is in the process of notifying all customers whose credit card security may have been compromised. It is advising them to immediately report this incident to their credit card issuer as a precautionary measure.

Anyone who has placed an order from A&B Sound Ltd.’s web site and has not received the product ordered is advised to immediately notify their credit card issuer.

Customer inquiries should be forwarded to [email protected].

A&B Sound Ltd. regrets any inconvenience that this matter has caused its valued customers.

------------------------------------------------------------

So are they telling the truth when they say "that the security breach is limited to open, unprocessed on-line orders" and that those of us who made orders months ago shouldn't worry?

[Edited by rtiangha on 05-18-01 at 10:52 PM]

DVDealer 05-19-01 01:00 AM

I guess two things aren't clear to me:

1) Is an "unprocessed order" an order that hasn't been authorized yet (meaning orders the last day or so that haven't been checked yet with the cc agencies), or any order that may have already been preauthorized but not fulfilled (not have items sent yet)?

2) For those of us who do have "unprocessed orders" that have been compromised, is it just the open *orders* we have that have been compromised (the one cc used for that order), or our whole account (all cc #'s used on past orders too)? I've warned all three of my CC's that I've used in the past, but I'd like to know quickly in case I need to get a new CC quickly for *all* of them rather than just the one for the open order.

A&B Sound has been a decent site, and so has DVD Planet, etc., but I really hope that these sites realize soon that they are in effect operating a "bank" and need to have the ability to project the security of one to keep ecommerce going on the web in general. All it takes is a few screwups and it affects ecommerce for all sites. Not good, especially in tough times like we have right now! I'm going to hate to have to get 3 new CC' no's!

rtiangha 05-19-01 01:09 AM


Originally posted by DVDealer
I'm going to hate to have to get 3 new CC' no's!

No kidding. Do you think it's worth the hassle getting a replacement for a card with a measly $600 limit and then changing the CC number for all of the stores I have pending orders at? Such a pain, I think.

Say, just curious. Do events like these have any effect on your credit rating?

Tyler_Durden 05-19-01 05:11 AM

I had a few open orders at absound.ca, and I'm facing a problem. I don't own a VISA card so I use my parents'. When I started buying DVDs online, it took a while for me to convince my mom that it's really quite safe and after two years, I had finally received her trust in this matter.

Now, this thing with a&b sound has happened. I just checked the VISA details and saw no "unwanted" purchases made with the card. But since it's apparent that our CC details were made available to those scum-of-the-earth hackers who broke into the database, there's still a chance that someone might use our CC for whatever they wish.

Of course, the sensible thing to do seems to be to tell my parents about this and change the CC number before anything bad happens. HOWEVER, that would pretty much be the end of my online shopping. No Criterions, no Die Hard box set, etc. And I certainly don't want that.

So, what do you guys think? I know this sounds really gullible, but sometimes these hackers just want to show their capabilities and don't want to do anything else than "test the security". But the fact that they posted a list of all the CC information in the database on the site is alarming. Is it likely that if I don't act quickly our CC will be misused?

Your opinions will be appreciated.

lane 05-19-01 07:23 AM

Response to T.Durden.

You earned their trust in the last few years by how you handled the use of that card. It is easy to do the right thing when it is easy. To do it when you have something to lose or feel the pressure from other influences is the test. What would you want your own child to do?

whitecot 05-19-01 07:30 AM

The comments about this only affecting open orders are being questioned in the UK. Users claim it's all purchasers and that A&B are being economical with the truth. (The data dump happened in the afternoon for us so people were trying to shop.)

I was pretty relaxed having no open orders and my last purchase was at least a month ago. However my credit card company have contacted me (9:30 a.m. Saturday morning) to say that they are concerned and they have cancelled my card. They would not comment on what they are doing but from other UK postings I get the impression they are cancelling and reissuing the cards of anyone who has shopped at A&B.

rtiangha 05-19-01 09:05 AM

In response to Tyler_Durden:

Just think how much worse it would be if you didn't tell your parents about the hacking but somewhere down the line your parents found out that an unauthorized charge DID happen. That would be WAY worse than not telling them. Believe me, I've got the same kind of strict parents, but the best thing to do would be to tell them (I'd tell them anyways even if they weren't too strict). Besides, you could always get your own CC when you reach the majority (a simple one with a $500 limit that they give anyone who is in the age of majority and has some source of income). It's not hard to get one and responsible use helps you get a good credit rating which will help you when buying houses, financing a loan, etc...


Originally posted by whitecot
The comments about this only affecting open orders are being questioned in the UK. Users claim it's all purchasers and that A&B are being economical with the truth. (The data dump happened in the afternoon for us so people were trying to shop.)

Well, I just got the email of the Press Release from A&B saying that "If you are receiving this email it is because your credit card information may have been compromised" and my one and only order with them was months ago.

But here's another question. I assume that you go to your credit card company and tell them that your card was "stolen" right? What happens if you have a balance on it? I have about $230 on it, and according to the budget I set for myself, I couldn't totally pay it off until July. Would I be responsible for paying it all off before I could get a new card, or would they just issue me a new card and do a balance transfer thing?

Thanks!

whitecot 05-19-01 09:15 AM

I've not had a mail from A&B but my cc company have still cancelled my card. I expect to receive the new card and account number within 7 days and I'm pretty sure they will just update the old account with the new number.

weapon_x11 05-19-01 09:46 AM

I just canceled my card (no charges since 5/05). Thanks for the warning.

dev-null 05-19-01 10:36 AM

Just cancelled my credit card. Good thing this didn't happen back when I had 10+ outstanding orders with 7 different sites. The good thing about this: no new charges until I get my new card.

whitecot 05-19-01 11:54 AM

Oh, 6 hours after my cc company phones me to say they have cancelled my card I get a copy of the A&B email!

AliJ 05-19-01 01:09 PM

i guess this means that i'll have to tell my dad to cancel his credit card then as he ordered from them on the 17th of this month!
we've always had to enter the cc number on each order so how do they have the details on their site? any info on when the site will be back up? thanx

Abstrakt 05-19-01 06:51 PM

A&B Sound has been my preferred etailer ever since Express.com went bankrupt, but I doubt I will ever deal with them again, if they ever manage to get back on their feet. Such a thing could happen to any business, of course, but the nature of this particular crack suggests that there might be more to it than meets the eye...

[ Caution: the following is pure speculation! ]
Based on my previous experiences dealing with network security, I get the feeling that the cracker might have had access to this information for quite some time. This individual could have been blackmailing A&B, threatening to publicly post their complete database unless they complied with his demands. A&B might have ignored these demands, prompting the cracker to make good on his threats.

If that is indeed the case (again, this is pure speculation) A&B would have been aware of this breach in security long before the press release was issued. However, they might have unwisely opted to avoid notifying the authorities, and their customers, until the cracker went ahead and posted the complete database on the site's homepage. At that point, there was obviously nothing left to hide, since thousands of web surfers were greeted by a complete, >750 mb list of credit card numbers when visiting the site.
[ End of speculation. ]

Fhrx 05-20-01 10:45 PM

Well, they'll go under next I reckon...

Film_Lover 05-20-01 11:26 PM

I came extremely close to ordering from them on the night of the 17th -- it would have been my first order -- but I wanted to get Sex and the City Season 2 before Tuesday -- and I have been hoarding my money for Madonna tickets for the last several weeks -- I am so glad I ended up getting tickets to a midnight show of Shrek instead.

I seriously doubt A&B Sound will go out of business -- they have been a very successful Canadian retailer for years (I have friends up there who swear by them) -- and probably have oodles of insurance for instances like this -- but I doubt that they will be putting their e-commerce site back up -- that was only an extension of their retail business anyway -- with the Canadian to US conversion, they just happened to come out really cheap. From everything I've ever heard about them -- they seem to be a VERY reliable company -- and I think they are handling this the best way possible.

As for any speculation about how long they knew about the security risk -- my opinion is that that would be highly improbable -- they have a lot of retail stores and have been around for years -- I can't see them risking the potential credit information for many of their customers and in effect risking their own business -- but that's just my opinion.

mysteriousjimmy 05-20-01 11:48 PM

this has been added to the press release on http://www.absound.ca




MAY 20, 2001

TO ALL OUR VALUED ON-LINE CUSTOMERS:

1. OUR INVESTIGATION CONTINUES WITH THE ASSISTANCE OF EXTERNAL CYBER CRIME EXPERTS.

2. WE HAVE ATTACHED OUR ORIGINAL MAY 18 PRESS RELEASE AND THE MAY 19 VANCOUVER NEWSPAPER ARTICLE FOR THOSE WHO HAVE NOT YET SEEN THEM.

3. IN ADDITION TO INVESTIGATING THE BREACH, WE ARE INVESTIGATING THE STATUS OF INDIVIDUAL ORDERS. AS YOU CAN APPRECIATE THIS IS A VOLUMINOUS TASK. WE WILL NOT PROCESS ANY ORDERS WHICH WERE OPEN AT THE TIME OF THE SECURITY BREACH WITHOUT A CUSTOMER’S DIRECT CONFIRMATION. WE HAVE HAD A NUMBER OF E-MAILS REQUESTING US TO CONTINUE WITH AN ORDER AND WE HAVE HAD A NUMBER OF E-MAILS REQUESTING US TO CANCEL AN ORDER. WE WILL RESPECT ALL SUCH REQUESTS THAT INCLUDE CUSTOMER AND TRANSACTION IDENTIFICATION NUMBERS. WE WILL BE IN TOUCH WITH THOSE WHO HAVE MADE A REQUEST WITHOUT IDENTIFICATION NUMBERS TO CONFIRM THOSE NUMBERS. WE WILL EVENTUALLY BE IN INDIVIDUAL CONTACT WITH ALL CUSTOMERS WITH OUTSTANDING ORDERS. WHILE THIS WILL TAKE SOME TIME GIVEN THE SPECIFIC NATURE OF INDIVIDUAL ACCOUNTS, NO ORDERS WHICH WERE OPEN AT THE TIME OF THE SECURITY BREACH WILL BE PROCESSED WITHOUT THE CUSTOMER’S DIRECT CONFIRMATION. WHILE WE UNDERSTAND THAT THIS MAY BE AN INCONVENIENCE TO SOME CUSTOMERS, WE TRUST THAT IT WILL PARTLY ALLEVIATE THE ANXIETY OF MANY WHO HAVE WRITTEN TO US.

4. WE ARE ENDEAVOURING TO IDENTIFY AND CONTACT ALL AFFECTED CREDIT CARD HOLDERS. GIVEN THE TIME THIS MAY TAKE, WE RECOMMEND AS A PRECAUTIONARY MEASURE THAT ALL A&B CUSTOMERS WHO ORDERED ONLINE IN THE LAST NINE MONTHS CONTACT THEIR CREDIT CARD ISSUER AND INFORM THEM OF THIS INCIDENT.

5. WE WILL NOT BE RE-OPENING OUR WEB SITE UNTIL WE HAVE SATISFACTORILY COMPLETED OUR INVESTIGATION AND IMPLEMENTED ANY ADDED SECURITY MEASURES THAT MAY BE RECOMMENDED BY OUR CYBER CRIME EXPERTS.

6. WE SINCERELY APPRECIATE THE INCONVENIENCE AND ANXIETY THIS HAS CAUSED MANY OF OUR ON-LINE CUSTOMERS. WE UNDERSTAND THAT WE HAVE TO RE-EARN THE TRUST OF MANY OF YOU AND MAY LOSE SOME OF YOU AS CUSTOMERS BECAUSE OF THIS INCIDENT. WHILE WE ARE VIGOROUSLY PURSUING THIS INVESTIGATION, WE UNDERSTAND THAT IT IS LIKELY, DESPITE OUR BEST EFFORTS, THAT WE CAN NOT DO ENOUGH FAST ENOUGH FOR SOME OF YOU. ON THE OTHER HAND, WE SINCERELY APPRECIATE THE MANY SUPPORTIVE, SYMPATHETIC AND ENCOURAGING E-MAILS WE HAVE RECEIVED. CYBER CRIME IS NOT FUN AND GAMES. IT IS SERIOUS CRIMINAL ACTIVITY WHICH HARMS CUSTOMERS, BUSINESSES, AND THE ONE THING BUSINESSES VALUE THE MOST: THEIR RELATIONSHIP WITH THEIR CUSTOMERS.



ModoReese 05-21-01 01:35 AM


IMHO, there is no reason for etailers to store CC numbers. It may be an inconvenience to type it in every time you place an order, but I'm not sure I believe there *IS* a foolproof way to store that sort of information. There's always going to be someone very clever wanting to hack in.

For what it's worth, A&B is a pretty reputable company (I worked for them for about 4 years), but they've blown it by not being more up front about the scope of this attack.

M

Kumar J 05-21-01 02:22 AM

I agree with you on that... keep my address and my other stuff but not my credit card number! I still got a few more orders which I cannot cancel with other online dealers.


All times are GMT -5.