MonoPrice Hacked, CC Info Compromised?

krupted

2[H]4U
Joined
Oct 23, 2006
Messages
3,244
^ Well, it seems like there's too much correlation from what people have said in this thread to *not* blame MP. They shouldn't have stored CC on their servers, or at least have secured them better. For example, you don't hear about Amazon's servers being broken into, and you'd think they'd be a much bigger and more appealing target for crackers than MP.

thats not really an argument either... but again we just dont know what actually happened and may not ever know. i guess if they send out a press release detailing what went wrong, then it likely isnt their fault... but if they cover it up like toyota inside a closet then all pointing eyes will be sqaurely on them.
 

krupted

2[H]4U
Joined
Oct 23, 2006
Messages
3,244
as noted on their support page, this cc info we give them actually gets handled by multiple 3rd parties...
Sharing
We may employ third party companies to perform various functions on our behalf. These functions may include order fulfillment, package delivery, marketing assistance, postal and e-mail delivery, customer service, data analysis, and credit processing. The third parties we contract for these purposes have limited access to your personal information and may not use it for other purposes.

Authorize.Net Corporation
915 South 500 East Suite 200
American Fork, UT 84003
1-801-492-6450
www.authorize.net

PayPal
P.O. Box 45950
Omaha, NE 68145-0950
1-402-935-7733
www.paypal.com

US Postal Service Headquarters
475 L'Enfant Plaza, SW
Washington DC
1-800-ASK-USPS
www.usps.com

California Overnight
3401 E. Harbour Drive
Phoenix, AZ 85034
1-800-334-5000
www.calover.com

UPS Corporate Headquarters
55 Glenlake Parkway, NE
Atlanta , GA 30328
United States
1-800-PICK-UPS
www.ups.com

We reserve the right to disclose your personally identifiable information as required by law and when we believe that disclosure is necessary to protect our rights and/or comply with a judicial proceeding, court order, or legal process served on our Web site.

now i doubt the shipping companies matter much, but note the first organization... i think they would be the ones that actually process our orders.
 

k1pp3r

[H]F Junkie
Joined
Jun 16, 2004
Messages
8,226
Update
3/12/2010 11:00PM PT - Our outside investigators have continued to review log files from our Internet-facing servers. They have not found evidence of any successful attempts to penetrate our computer system. Our internal IT staff found some suspicious files on one of our quarantined Web servers while they were reviewing files to build replacement servers.

We have identified the suspicious files to our outside investigators so that they can extract the files from the image of our servers that they made earlier. We asked them to let us know if the suspicious files are significant. We will post more information here about the investigation when we have it.

We are taking steps to re-launch our site early next week. We will not take credit card payments on the site initially but will take payments through PayPal Express and Google Checkout. We will let you know when the site is available. Thank you for your continued support.

Their site is now up. Does this sound like an inside job to anyone else.
 

The Donut

2[H]4U
Joined
Jan 28, 2003
Messages
3,114
^ Well, it seems like there's too much correlation from what people have said in this thread to *not* blame MP. They shouldn't have stored CC on their servers, or at least have secured them better. For example, you don't hear about Amazon's servers being broken into, and you'd think they'd be a much bigger and more appealing target for crackers than MP.

Crackers are much more likely to attack smaller sites as they likely feel there would be far less consequence should they get caught.

If somewhere like Amazon was cracked; you'd have a much bigger team of people fighting against you as opposed to a smaller store, such as MonoPrice.
 

beowulf7

[H]F Junkie
Joined
Jun 30, 2005
Messages
10,433
thats not really an argument either... but again we just dont know what actually happened and may not ever know. i guess if they send out a press release detailing what went wrong, then it likely isnt their fault... but if they cover it up like toyota inside a closet then all pointing eyes will be sqaurely on them.
True, perhaps we should give them the "innocent until proven guilty" benefit of the doubt. That's a good analogy with Toyota if MP does try to cover something up.

Update


Their site is now up. Does this sound like an inside job to anyone else.
It could be, but I'd hope there are enough checks and controls to prevent a single disgruntled employee from jeopardizing the company.

Crackers are much more likely to attack smaller sites as they likely feel there would be far less consequence should they get caught.

If somewhere like Amazon was cracked; you'd have a much bigger team of people fighting against you as opposed to a smaller store, such as MonoPrice.
I disagree; I think crackers try to attack the big boys, just like Windows is a much bigger target for malware attacks, than say, Solaris or Mac OS.
 

PurduEE

[H]ard|Gawd
Joined
Oct 9, 2000
Messages
1,761
3/12/2010 11:00PM PT - Our outside investigators have continued to review log files from our Internet-facing servers. They have not found evidence of any successful attempts to penetrate our computer system. Our internal IT staff found some suspicious files on one of our quarantined Web servers while they were reviewing files to build replacement servers.

We have identified the suspicious files to our outside investigators so that they can extract the files from the image of our servers that they made earlier. We asked them to let us know if the suspicious files are significant. We will post more information here about the investigation when we have it.

We are taking steps to re-launch our site early next week. We will not take credit card payments on the site initially but will take payments through PayPal Express and Google Checkout. We will let you know when the site is available. Thank you for your continued support.

So they are claiming that no credit card information was obtained from their servers?
 

keenan

2[H]4U
Joined
Aug 5, 2009
Messages
2,695
True, perhaps we should give them the "innocent until proven guilty" benefit of the doubt. That's a good analogy with Toyota if MP does try to cover something up.
I think in this situation they are guilty no matter what - the CC details were released. If they're going to store my CC information, they take responsibility for keeping it secure, period. Any failure of that security is their fault, whether it was indirect or not is irrelevant. Without evidence that it was a third party that caused the security problem, blame falls on MonoPrice IMO.
 

krupted

2[H]4U
Joined
Oct 23, 2006
Messages
3,244
True, perhaps we should give them the "innocent until proven guilty" benefit of the doubt. That's a good analogy with Toyota if MP does try to cover something up.

did you seriously just say we should peg them guilty until they prove their innocence? there are places like china where you would flourish in life i guess:eek:

i think the notion earlier that it might be an inside job is very plausible too. its pretty hard to stop sabotage from the inside, but again we just dont know what happened.
 

thesmokingman

Supreme [H]ardness
Joined
Nov 22, 2008
Messages
6,617
Ah, so that's where this Indian Railways charge came from. I was wondering when I planned a trip to India...
 

jandar

Limp Gawd
Joined
Dec 21, 2005
Messages
309
I wonder if the crackers/hackers saw this through correctly.

Most people who order from monoprice.com are probably techie or audiophile techie.
Most of us are comfortable shopping online and probably keep a good check on our bank account rather than a checkbook, same with our CC accounts.

One would think that we would see charges before they cleared most times and soon enough to get them quickly reversed.
 

keenan

2[H]4U
Joined
Aug 5, 2009
Messages
2,695
With CC fraud you get the goods right away and the merchant or bank is forced to eat the loss. The criminals win either way. Not sure how it works with the weird US conglomerated CC/debit card system, but it's probably similar with a higher probability of the cardholder being screwed.
 

Mr.OppressoLiber

[H]ard|Gawd
Joined
Aug 8, 2004
Messages
1,121
I'm not sure if my fraudulent charges were a result of monoprice, because I did order some cables not too long ago, but I disputed them and changed the card number.
 

beowulf7

[H]F Junkie
Joined
Jun 30, 2005
Messages
10,433
I think in this situation they are guilty no matter what - the CC details were released. If they're going to store my CC information, they take responsibility for keeping it secure, period. Any failure of that security is their fault, whether it was indirect or not is irrelevant. Without evidence that it was a third party that caused the security problem, blame falls on MonoPrice IMO.
I guess the counter argument is we don't know yet if there was a 3rd party that had a security breakdown, but I agree that MP would still be guilty by association if that were the case.

did you seriously just say we should peg them guilty until they prove their innocence? there are places like china where you would flourish in life i guess:eek:

i think the notion earlier that it might be an inside job is very plausible too. its pretty hard to stop sabotage from the inside, but again we just dont know what happened.
LOL, stone them! Or perhaps a simple tar-and-feather would suffice. :p

I saw on SD's home page that someone posted a MonoPrice deal. Let the games begin again! :eek:
 

NACZ3

Gawd
Joined
Mar 5, 2004
Messages
538
Just had a notification of a fraudulent $1 charge to Apple on my credit card that was recently used at Monoprice and nowhere else for the past few months. I had been checking my charges but my credit card company actually caught it first and notified me.

Monoprice is great company. I hope they work this out.
 

Ragenrok

Supreme [H]ardness
Joined
May 15, 2007
Messages
4,457
I wonder if the crackers/hackers saw this through correctly.

Most people who order from monoprice.com are probably techie or audiophile techie.
Most of us are comfortable shopping online and probably keep a good check on our bank account rather than a checkbook, same with our CC accounts.

One would think that we would see charges before they cleared most times and soon enough to get them quickly reversed.

not really, I see lots of people recommend monoprice to every day non tech savvy people (my grandparents for one lol). These people just would of bought a $100 cable from Best Buy if they didn't have the recommendation to go to monoprice and as such aren't very high tech.

just cause we lurk on forums full of fellow nerds doesn't mean everyone is like that, chances are were a small portion of actual online consumers, chances are these guys are getting away with alot of fruad if the credit card companies don't catch them.
 

Jarod888

2[H]4U
Joined
Dec 19, 2005
Messages
2,763
I had a BS charge on my CC after I i purchased some cables from MonoPrice. I contacted my bank and had to wait for it to hard post to my acct before they would do anything about it. I then contacted the company that the charge came from (APPLE) and they CSR told me that the amount; 1$ would not go through because they charge the full amount rather that a 1$ temp charge. The charge fell off my acct on monday, but I still have to pay 12 $ to get my card replaced. I will probably ask to speak to a supervisor, and see if they will void the charge. It really pisses me off because I really like MP. I will probably still shop there though.
 

munkle

[H]F Junkie
Joined
Jan 16, 2005
Messages
11,800
I had my card stolen from them, it was cancled when someone used it in dallas, I just ordered again yesterday from monoprice, but with paypal this time.
 

Dev1ant

Gawd
Joined
Jul 16, 2007
Messages
646
I had a BS charge on my CC after I i purchased some cables from MonoPrice. I contacted my bank and had to wait for it to hard post to my acct before they would do anything about it. I then contacted the company that the charge came from (APPLE) and they CSR told me that the amount; 1$ would not go through because they charge the full amount rather that a 1$ temp charge. The charge fell off my acct on monday, but I still have to pay 12 $ to get my card replaced. I will probably ask to speak to a supervisor, and see if they will void the charge. It really pisses me off because I really like MP. I will probably still shop there though.

The hell...what type of bank charges for a replacement card?
 

k1pp3r

[H]F Junkie
Joined
Jun 16, 2004
Messages
8,226
Well a new message was just posted on their site

Monoprice.com said:
We are unable to accept credit card payments at this time. We plan to accept credit card payment orders beginning next Tuesday, March 23, 2010, after we implement additional security measures. Truly sorry for any inconvenience it may cause you.
Thank you for your understanding and shopping at MonoPrice.com.
 

jandar

Limp Gawd
Joined
Dec 21, 2005
Messages
309
My bank reversed the 175$ charge the same day I filled out the fraud paperwork.
New card too, no charge.


Might be time to change banks if they are charging you.
 

beowulf7

[H]F Junkie
Joined
Jun 30, 2005
Messages
10,433
The hell...what type of bank charges for a replacement card?
Seriously, I was wondering the same thing. :eek:

Well a new message was just posted on their site
Well, this pretty much settles the debate on if CCs were really compromised or not. The fault squarely likes on MP's shoulders (and insecure servers). Perhaps this explains why they were able to sell parts so cheaply - b/c of shortcuts taken in security measures. :(
 

k1pp3r

[H]F Junkie
Joined
Jun 16, 2004
Messages
8,226
Well, this pretty much settles the debate on if CCs were really compromised or not. The fault squarely likes on MP's shoulders (and insecure servers). Perhaps this explains why they were able to sell parts so cheaply - b/c of shortcuts taken in security measures. :(

Well maybe the are working up a contract with a new CC processing company, I know i would just as a secondary measure.
 

bfellow

[H]ard|Gawd
Joined
Dec 20, 2007
Messages
1,082
Hmmm I was wondering why one of my backup CCs got a "suspicious charge" email. Damn you monoprice!
 

Banditfromhell

Limp Gawd
Joined
Oct 9, 2007
Messages
170
I can say I was one of the few that ordered off Monoprice right before this happened. Just recieved a ~$500 in charges overnight. Waiting to see if it goes from pre auth to posting. Then I have to do the paperwork to reclaim the funds.
 

rflcptr

Supreme [H]ardness
Joined
Mar 27, 2008
Messages
6,240
I guess I was lucky with only $45 in fraudulent charges through Dell. :confused:
 

BigD1108

Limp Gawd
Joined
Nov 6, 2008
Messages
165
I ordered from MonoPrice a week or two ago, got hit with some fraudulent charges yesterday, but only about $60 for a hotel reservation in London, and a $1 iTunes authorization. Bank was great, reversed charges and a new card is on its way.

I think I'll be switching to all-Paypal transactions online though. I will order from MonoPrice again in the future, you just can't beat their prices.
 

King of Heroes

[H]ard|Gawd
Joined
Mar 26, 2008
Messages
2,006
I just looked through all my previous orders and some of my ones from 2008 are CC, so guess I have to comb through my online statements when I get home.

I made some orders in 2008 as well. I just looked through my bank account and I did not notice anything out of the ordinary, so you're probably good too. Most of the people who seem to have been hit are people who made orders this year.
 

Met-AL

Supreme [H]ardness
Joined
Apr 9, 2002
Messages
7,889
Read! :)



Two different options. Option 1 is what I have and love - it's a security token. You press a button and it generates a random number - you use it and your normal PayPal password to log in or use your account. OR you can choose Option 2, which is less secure in my opinion since it's sending over SMS to your cell phone. The benefit of Option 2 is you already carry your cell phone with you - you don't necessarily carry your Paypal RSA token with you.

Yep, I use Option 2. My mortgage through Bank Of America has the same system for logging in. Only thing that could go wrong is if I lose access to my cell phone.
 

beowulf7

[H]F Junkie
Joined
Jun 30, 2005
Messages
10,433
Were the CVV #s in the back of the credit card also stored on their servers? Wasn't that introduced to thwart fraudulent on-line transactions? :confused:
 

Dev1ant

Gawd
Joined
Jul 16, 2007
Messages
646
Were the CVV #s in the back of the credit card also stored on their servers? Wasn't that introduced to thwart fraudulent on-line transactions? :confused:

Don't know how it's enforced..for example, one of my cell phone providers doesn't require the CVV # and still manages to charge my card whereas another cell phone provider required it.
 

exlink

Supreme [H]ardness
Joined
Dec 16, 2006
Messages
6,005
My credit card has no charges on it. Called the credit card company and told them to keep my card on watch for any large purchases and to call me the moment anything over $100 is purchased. But apparently Capital One Platinum also has fraud coverage so I'm good.
 

beowulf7

[H]F Junkie
Joined
Jun 30, 2005
Messages
10,433
Don't know how it's enforced..for example, one of my cell phone providers doesn't require the CVV # and still manages to charge my card whereas another cell phone provider required it.
Yeah, it's weird how some require it and some don't. It kind of defeats the purpose if the CVV isn't required all the time. And I suppose CVV can't be stored on a server but sent directly to the CC company for auth.? I never really looked into why CVV made purchasing more secure, so I just figured it isn't stored on an e-tailer's server like the way the CC # and exp. date is.
 
Top