# OK, which one of you stole my credit card...



## raindog308 (Nov 5, 2013)

Got a call from my bank today - one of my credit card numbers was apparently stolen and the thief ran up a bunch of charges, all of which my bank declined.

Funny thing is that the thief apparently used it mostly to sign up for VPS services.  Not with any provider here or anyone I've ever used.

Considering the size of the charges, he must have been trying to build out the next reddit on CloudSigma.com.


----------



## earl (Nov 5, 2013)

Curious, do you always use your credit card when purchasing VPS's?  I always use paypal linked to a card with a very minimal limit, only time I use the card directly is probably when purchasing domain names..


----------



## raindog308 (Nov 5, 2013)

I typically use Paypal.  I don't think my card number was stolen from a VPS provider - more likely a coincidence that the thief who took it also was into VPSes.


----------



## Aldryic C'boas (Nov 5, 2013)

Well, there have been an abnormal number of buyouts lately.  Some of the parties involved not very trustworthy to begin with, too... perhaps someone thought they could make an extra buck after selling their company by selling a backup of the DB with client info and CCs.


----------



## KuJoe (Nov 5, 2013)

Can you call your bank and ask them to allow the Dominos order? I'm hungry.


----------



## MannDude (Nov 5, 2013)

What all companies do you have servers with?


----------



## nunim (Nov 5, 2013)

Very few VPS providers around here actually accept credit cards, even fewer process the cards themselves.


----------



## perennate (Nov 5, 2013)

nunim said:


> Very few VPS providers around here actually accept credit cards, even fewer process the cards themselves.


Most accept credit cards via PayPal (without processing it themselves). Which ones don't accept credit cards at all?


----------



## rds100 (Nov 5, 2013)

He means that VPS providers are generally not receiving and processing / storing your credit card number at all. Paypal does this. The VPS provider doesn't know your credit card number so can't leak or steal it.


----------



## earl (Nov 5, 2013)

Is there a possiblitiy that you have a keylogger in one of your computers? I got the ZEUS virus once, and MBAM tracked it to an add-on I installed for for zpanel.. luckily it was only my shared hosting they hacked..


----------



## drmike (Nov 5, 2013)

Are you sure you weren't a Colocrossing/ChicagoVPS/Hudson Valley Host customer with that card?

Not many companies do the direct card acceptance because it is a HUGE liability and attack target.  That's why all these fully handled processors exist.

Now why did I bring the trio into this?  1.  CC is ongoing target for foolishness, hacks, etc.   2. ChicagoVPS has already been compromised multiple times on large scale, including recently when oh 300 accounts were perhaps compromised in WHMCS.   3. HVH does their card processing through ... ColoCrossing.... or has in the past.   They also have skids known to be associated with HackForums in the mix doing their support and other tasks.

Those are the reasons why I steer clear of a number of providers and why risk level is through the roof with them and unsure how payment processors even allow them to operate.


----------



## MannDude (Nov 5, 2013)

drmike said:


> Are you sure you weren't a Colocrossing/ChicagoVPS/Hudson Valley Host customer with that card?
> 
> Not many companies do the direct card acceptance because it is a HUGE liability and attack target.  That's why all these fully handled processors exists.
> 
> ...


This was my thinking too, which is why I asked what provider(s) he uses.

I suspect all card data would be hashed anyhow. Unsure what the process would be to transform it into anything useful.

It's very strange that his card would be compromised and be used to purchase Virtual Servers if, say, it was compromised from a more traditional method such as an ATM skimmer or something.

raindog308 please let us know what providers you used. Some of us here may use them too and need to know so we can check our statements.


----------



## raindog308 (Nov 5, 2013)

The card was used for a variety of online and offline purchases, so it could very easily be a coincidence.

The only non-paypal providers I've were AWS and Azure, and if those two were hacked it'd be in the news.  All the rest were via Paypal.


----------



## Aldryic C'boas (Nov 5, 2013)

MannDude said:


> I suspect all card data would be hashed anyhow. Unsure what the process would be to transform it into anything useful.


With WHMCS, the CC hash key is stored in configuration.php.  With all of the recent WHMCS exploits, it would've been trivial to see that file as plaintext, and use the key to reverse all of the stored CCs.


----------



## drmike (Nov 5, 2013)

MannDude said:


> It's very strange that his card would be compromised and be used to purchase Virtual Servers if, say, it was compromised from a more traditional method such as an ATM skimmer or something.


Nope, wrong    Seems like carders and associated theft rings are racking up VPS accounts with stolen accounts.

Go back and see the recent Stripe thread on here.  4 accounts, all stolen and all used to buy VPS accounts.   No idea where those folks used their cards or if they were tech-centric people.  

I am thinking it is about time to embark on pre-paid cards for online payments.  Unsure how to facilitate this with say PayPal.  Anyone?


----------



## earl (Nov 5, 2013)

raindog308 said:


> The card was used for a variety of online and offline purchases, so it could very easily be a coincidence.
> 
> The only non-paypal providers I've were AWS and Azure, and if those two were hacked it'd be in the news.  All the rest were via Paypal.


if you are using windows just try scanning your computer with malwarebytes.. I had avast installed and unfortunately it did not detect the virus at all..


----------



## Ruchirablog (Nov 5, 2013)

drmike said:


> I am thinking it is about time to embark on pre-paid cards for online payments.  Unsure how to facilitate this with say PayPal.  Anyone?


We have that here in Sri Lanka  Basically we can get a prepaid card (Visa) by paying about $20 and spend it all. No fees or anything. You can go to the bank and recharge it or if you have a bank account on the same bank the card was issued then you can attach the prepaid card to the online portal and transfer money to the prepaid card from the bank account by just few clicks


----------



## Aldryic C'boas (Nov 6, 2013)

drmike said:


> I am thinking it is about time to embark on pre-paid cards for online payments.  Unsure how to facilitate this with say PayPal.  Anyone?


I remember PayPal used to issue temporary CC numbers that would pull right from the account balance for a single transaction.  Might be worth checking to see if they still do this.


----------



## KS_Phillip (Nov 6, 2013)

Aldryic C said:


> I remember PayPal used to issue temporary CC numbers that would pull right from the account balance for a single transaction.  Might be worth checking to see if they still do this.


They cancelled that program years ago, sadly.


----------



## notFound (Nov 6, 2013)

I have used Entropay with providers which I don't totally trust and with autocharging 'cloud' stuff etc. The fees are quite high though.


----------



## mikho (Nov 6, 2013)

We have a bank here in Sweden (Swedbank) that let its customers make temporary e-cards with a payment limit and a short lifetime.


I used to use that service very often when I was a customer with that bank.


----------



## nunim (Nov 6, 2013)

Aldryic C said:


> I remember PayPal used to issue temporary CC numbers that would pull right from the account balance for a single transaction.  Might be worth checking to see if they still do this.


They don't, which is too bad because it was  an excellent program.  Many banks offering this kind of thing, I know Citibank does. Prepaid cards are a bit more tricky because if you go the regular route and buy prepaid visa's you'll end up with a stack of  cards that each have a tiny balance left that's practically useless.  If you buy a reloadable card then you run the same risk as using a regular credit card since your card number isn't going to change except if your prepaid card does get stolen the policies are probably worse then a regular CC.

It looks like Google  Wallet may offer one time use cards : https://support.google.com/wallet/answer/2740044?hl=en

Seems like Discover, CitiBank and BOA offer disposable accounts: http://itthing.com/disposable-credit-card-numbers

If anyone anyone finds something  else please let me know because I'm still trying to find something that was as good as the PayPal one.  I have Discover and Citibank but it seems to be only for CitiBank creditcards & nobody really accepts Discover, especially in Canada.


----------



## Dylan (Nov 6, 2013)

I've had a debit card number I never even used online stolen, presumably by some unscrupulous employee in a brick-and-mortar retailer. It's not fun, obviously, but disputing a charge (or charges) is stupidly easy -- and that's if the bank doesn't catch the activity before you even see it, which they usually do.

I just always use a credit card for purchases now, rather than a debit card, so there's no chance of me temporarily being out any money. I used to use temporary account numbers but it's such a non-issue with credit cards I don't even bother anymore.


----------

