unicycle.com possably hacked

Mojoe · July 14, 2003, 7:01am

I ordered a Viscount seat online from unicycle.com last night. I got the usual confirmation e-mails, then I received an e-mail from a hotmail account, wanting me to confirm my name and credit card number. I called unicycle.com right away and informed them. They said, “No, he don’t work here.”. And I was like," It sure sounded fishy to me. I ain’t sending my credit card info in an unencripted e-mail". I forwarded them a copy of the e-mail too, but I thought I would just warn everyone here. The e-mail I got was like this;

-----Original Message-----
From: Mike Wilson [mailto:unicyclestore@hotmail.com]
Sent: Monday, July 14, 2003 5:32 AM
To: Mojoe’s e-mail address
Subject: Unicycle.com Order Number *****(he knew my number but I deleted it for here.)

Dear Customer,

Thank you for shopping at Unicycle Store.

Due to our experience with credit card fraud we need to verify your credit
card number, exipry date, name on card you are using with this purchase and
the last 3 digits AFTER the credit card number in the signature area of the
card.

Thank you for your co-operation in this matter.

Regards,
Mike Wilson.

Company Unicycle Sales
Export Assistant - WWW.UNICYCLE.COM

Add photos to your messages with MSN 8. Get 2 months FREE*.
http://join.msn.com/?page=features/featuredemail

</fishy e-mail>

be careful… Mojoe

system · July 14, 2003, 7:18am

Re: unicycle.com possably hacked

Mojoe wrote:
>
> I ordered a Viscount seat online from unicycle.com last night. I got the
> usual confirmation e-mails, then I received an e-mail from a hotmail
> account, wanting me to confirm my name and credit card number.

Sounds like the confirmation email was intercepted rather than unicycle.com
being hacked.

Which means, as you rightly said, you should never send confidential items
through unencrypted emails.

I used to work for an internet company on (a very good) encrypted email
product. Unfortunately the product died because most people don’t see a
need for encrypted email.

Richard

Mojoe · July 14, 2003, 7:36am

So, is the hacker sniffing unicycle.com’s outgoing e-mail packets, or my incoming ones? Unicycle.com told me that someone else reported it to them too. Maybe they should put some kind of alert notice on their web site, so people don’t reply to malicious e-mails.

watch yer back… Mojoe

paco · July 14, 2003, 9:08am

I just got this in my e-mail. Thought I should share it here.

XWonka · July 14, 2003, 9:17am

I got that same email.

Luckily i paid for my KH saddle with a money order.

perhaps anyone that has bought anything from them in the last such and such perioud of time got one of those e-mails?

jagur · July 14, 2003, 9:52am

i got the same e-mail that Paco posted,i order everything COD.

Dirtsurfer · July 14, 2003, 3:29pm

The first red flag would be “unicycle store”. The second would be a hotmail account. I think it’s so sad what people would do for money. Hope they catch him/her and string them up…

MUNIYETI · July 14, 2003, 6:47pm

Just wanted to add my “me too”…I got the same fishy e-mail only with a different name… Creeps… Maybe they should buy a uni; apparently they could use a new hobby…

bugman · July 14, 2003, 7:31pm

Thanks for the heads up. Fortunately most credit cards have fraud protection. So even if someone got ahold of your card number and ran up a large bill, you wouldn’t be out anything.

jagur · July 14, 2003, 7:43pm

true,but not those check cards.they are direct access to your bank account and not backed by anything.the Visa logo or whatever it may have on it is mearly a spot of advertising.

if someone gets your bank card number and drains your account,you are screwed.

bugman · July 14, 2003, 8:37pm

The very reason the only card associated with my bank account is an ATM card that requires a PIN code. Some banks are now backing up these cards as well, but it still can be a major PITA if you start bouncing checks!

James_Potter · July 14, 2003, 9:19pm

I got that E-mail as well. Could this security breach possibly affect the time it takes for something to be delivered? It usually takes about 1 week for something to get here, but my friend ordered a 29" uni about 3 weeks ago and it’s still not here.

Gilby · July 14, 2003, 9:41pm

The merchant is the one that gets screwed. In this case, both unicycle.com and whoever this person uses the stolen credit card numbers to make purchases for. This results in lost money for the stolen goods/services sold, a chargeback fee, higher credit card processing fees, and possibly even the loss of their merchant account (ie. basically out of business if they can’t accept credit cards).

paco · July 14, 2003, 11:19pm

It sounds from the authentic e-mail I got, that it’s okay to still use unicycle.com. The credit card numbers are secure, but someone else got ahold of the order, but not the billing information. Otherwise, why would they send an e-mail trying to confirm the number?
So please don’t let this experience keep you from using unicycle.com. Just be wary of any fraudulent e-mails after you order. Does this sound right?
Has the problem been fixed yet? When was the last fraudulent e-mail that anyone got?

bugman · July 15, 2003, 6:30am

Fortunately the person doing this scheme probably has no intention of using it at Unicycle.com. As for merchants taking the hit, since I am one I am well aware of that. I have not really had much problem with that sort of thing over 10 years of doing business. I don’t sell the kind of products that crooks tend to go on spending sprees for. I would hate to own a high end clothing store, or stereo shop etc… Obviously theft results in higher prices for everyone.

iunicycle · July 15, 2003, 8:26am

Yes! Direct access to you bank account is very very bad. Never, ever, use a debit card/check card for online purchases.

I was watching a tv program last week given by some government agency, I think the FTC. This advice is the one thing they stressed about online commerce. Internet retailers would do themselves and their customers a favor by explicitly NOT accepting such cards.

<http://www.consumer.gov/idtheft/index.html> has lots of information on this subject.

Jagur’s example of using COD might be a good idea. Maybe negotiate the cod fee from the vendor, since it saves them 2-5% from the credit card charges. There is also the added benefit of making the carrier (UPS) actually find you before they throw the package at your door and drive off. Hmm, maybe I should take this advice myself.

johnfoss · July 15, 2003, 11:27am

Very, very good advice.

The lesson here is not about Unicycle.com, but about Internet fraud and protecting yourself. I have received similar emails from companies claiming to be PayPal.

Your credit card number, especially the three extra digits, should never be sent via email. When ordering products on the Web, make sure the payment pages are using a secure connection. This is indicated the the little padlock in most browsers. Don’t pay for anything by credit card over a connection that’s not secure.

The fraudulent emails should not have any effect on the process of order completion, or shipping your product(s) to you, as they are unconnected to the company you are doing business with. They are merely another form of spam, a very evil one. Spam claiming to be someone else can be tricky.

For the most part, no company will ever ask you for credit card information in an email. In the rare case where a company may need you to verify some information, this should be done through a link to their Web site, and then over a secure connection.

But PayPal has been quick to point out, that even if this happens, make sure the Web site you are on is the one it’s supposed to be. For example, if you’re supposed to be at “paypal.com” an you are redirected to “paypal.co.com” or something similar. run away.

Beware of the ripoffs!

Sofa · July 15, 2003, 6:59pm

Luckily, credit card fraud is (so far) safe. Visa reimbursed me $15,000 worth of fraud with only a few simple phone calls, the story goes a little like this…

Visa calls me saying I’m over my limit.

[oh no…one too many bike purchases?..why couldn’t I have gotten into the cheaper sport of MUni sooner?!?]

‘Well that doesn’t sound right, I’m sure I’m still within my limits’

‘What about this $15,000 purchase last week?’

Mouth gaping, knees growing weak, thinking to myself…oh crap, how high was I last weekend ?!?

‘$15,000 ?!? that’s well beyond my limit, I think this is a case of cc fraud’

‘Well, it’s from so-so company in Ohio. (I’d replace so-so with the real name if I rememberred it)’

‘I never heard of them, what do I do now?’

‘I’ll give you the number of the guy and you can call him’

[call placed to vendor]

‘Hello, I was charged $15000 for something on my visa, and I’ve never heard of you, Visa gave me your number to start the process of cc fraud funds retraction’

‘What’s your name?’

‘Sofa’ (alright alright)

‘Yes (this is paraphrasing, due to bad memory, but the jist of the conversation is 100% true) I got an email from so and so, saying that he wanted to place an order and that you authorized him to use your card’

(?!? What ?!?)

‘I have to ask…what was ordered for $15,000?’

[a low chuckle] ‘Well, he ordered a Wooly Mammoth tusk and had it sent to Indonesia’

long story short, i got the money back, but man what a creepy few hours. I couldn’t help but think what if the guy bought a really expensive bike? Well no Visa, I never bought a bike…well, what are all these other bike purchases?..oh, well, i bought THOSE…yadda yadda yadda, I’m out 15 grand.

GILD · July 16, 2003, 2:56am

is it just me or is it only SOFA who’d be the victim of a credit card fraudster with a taste for woolly mammoth teeth?!?