Old 02/25/2015, 11:00 AM   #126
djtuzik
Registered Member
 
Join Date: Oct 2014
Posts: 279
Quote:
Originally Posted by MondoBongo View Post
just a clarification here, are you saying that BRS knew about the breach months ago, but failed to disclose? because that is an extremely serious accusation.

do you have any proof to substantiate this?

generally with these kinds of data breaches, they are silent. many times they're not discovered until a subset of people who have had their information stolen can be used to connect the dots to the point of compromise.

this isn't a brick and mortar store, so there aren't big sirens and flashing lights that go off when someone smashes a window, detecting these kinds of intrusions can be as much art as it is science.

i would caution you to refrain from assumption in this scenario, as is not productive. however if you have proof that this is the case, please do share.

6 month period for a breach is a pretty long time. And instead of sending out a cautionary email right away and posting the info all over the place, they notified via snail mail... I got fraud of 3k!


djtuzik is offline   Reply With Quote
Old 02/25/2015, 11:33 AM   #127
Jone
Registered Member
 
Join Date: Jan 2013
Posts: 519
No not at all,,, I want to rescind what I wrote prior ..It really is bad that these situations happen but is there anything the card companies can do to stop this?? It's a topic that reoccurs to card companies, people and retail vendors..Especially everyone involved that gets caught up in this aggravating mess it becomes..How does somebody get this private info,,if they're not supposed to have it and plus have balls to do illegal activity like this??
Just think of the time and trouble spent by card companies and vendors that have to do damage control in these situations or implement safety standards to these safety privacy issues on a daily business basis....


Quote:
Originally Posted by MondoBongo View Post
just a clarification here, are you saying that BRS knew about the breach months ago, but failed to disclose? because that is an extremely serious accusation.

do you have any proof to substantiate this?

generally with these kinds of data breaches, they are silent. many times they're not discovered until a subset of people who have had their information stolen can be used to connect the dots to the point of compromise.

this isn't a brick and mortar store, so there aren't big sirens and flashing lights that go off when someone smashes a window, detecting these kinds of intrusions can be as much art as it is science.

i would caution you to refrain from assumption in this scenario, as is not productive. however if you have proof that this is the case, please do share.




Last edited by Jone; 02/25/2015 at 11:41 AM.
Jone is offline   Reply With Quote
Old 02/25/2015, 11:35 AM   #128
MondoBongo
Obligate Feeder Obsessed
 
MondoBongo's Avatar
 
Join Date: Oct 2012
Location: Pittsburgh, PA
Posts: 3,957
Quote:
Originally Posted by djtuzik View Post
6 month period for a breach is a pretty long time. And instead of sending out a cautionary email right away and posting the info all over the place, they notified via snail mail... I got fraud of 3k!
you want to notify via real mail for things like this. you assume that electronic communications have been compromised and send instructions via hard copy as a security measure to help prevent future social engineering attacks.

they probably did notify as soon as they were able to. 6 months sounds like a long time for a data breach, but it's not really.

it all depends on the nature of this breach, how they got in, where they got it, what they were doing while there. this isn't the same thing as showing up to your business in the morning and seeing that the door has been forced open and the cash register is gone. it is super easy to hide these kinds of intrusions. unless you get lucky, or have a superhuman sysop watching your network, you generally only find out about them long after they've happened.

i would be willing to bet that the system you're on right now has at least half a dozen exploits that could allow an attacker invisible access to you without you ever knowing it happened.

it's scary, but also hilarious, how insecure computers and networks are.


__________________
[Citation Needed]

"You don't use science to show that you're right, you use science to become right" - xkcd

Current Tank Info: A rectangular shaped money pit.
MondoBongo is offline   Reply With Quote
Old 02/25/2015, 11:40 AM   #129
MondoBongo
Obligate Feeder Obsessed
 
MondoBongo's Avatar
 
Join Date: Oct 2012
Location: Pittsburgh, PA
Posts: 3,957
Quote:
Originally Posted by Jone View Post
No not at all but there is a time frame to the letter..I want to rescind what I wrote prior ..It really is bad that these situations happen but is there anything the card companies can do to stop this?? It's a topic that reoccurs too often with people and retail vendors..Especially everyone involved that gets caught up in this aggravating mess it becomes..
Just think of the time and trouble spent by card companies and vendors that have to do damage control in these situations or implement safety standards to these safety privacy issues on a daily business basis....
it is super frustrating. it leaves you feeling absolutely powerless too, which may be the worst part. faceless attackers made off with large portions of your online identity and now have taken over something almost sacred in your life: your money.

i myself have been compromised several times, all in different ways, all from different places. some of the breaches were clear negligence on the part of the entity holding my records, others were inadvertent compromises due to human error, software bugs, etc...

it sucks. totally sucks. no two ways about it.

user soulpatch has posted some really interesting points earlier in this thread, it sounds like there will be enhanced security standards coming to US cards soon, not soon enough, but this is always a cat and mouse game.

as long as there is money to be made, the arms race between white hats and black hats will continue.

locks only ever keep out honest people.


__________________
[Citation Needed]

"You don't use science to show that you're right, you use science to become right" - xkcd

Current Tank Info: A rectangular shaped money pit.
MondoBongo is offline   Reply With Quote
Old 02/25/2015, 02:01 PM   #130
itz frank
Gives Bad Advice.
 
Join Date: May 2006
Location: Ft Lauderdale, FL
Posts: 2,178
http://thehackernews.com/2014/02/Mag...e-User_13.html

please read before destroying BRS.


itz frank is offline   Reply With Quote
Old 02/26/2015, 12:51 PM   #131
rsundstrom
Registered Member
 
Join Date: May 2008
Posts: 2
When I received a letter from BRS explaining they were hacked, and PII (Personally Identifiable Information) was stolen, I like everyone else, was upset at the news.

I wrote a long email to BRS support outlining my concerns, posing some questions, and generally giving my professional opinion of the situation. (I work in the IT industry, and frequently deploy and maintain e-commerce solutions.) My letter was not an enraged flame, but it was in no way laudatory, and I believe I fairly delineated the consequences to businesses and consumers from such an incident, my view of a business' responsibility after such an event, and equally importantly responsibility before such an event, and some suggestions for their way forward. (I shared the message with my wife, and she gave me one of those looks and said "I would not like to receive an angry letter from you." I wasn't being angry, but I get her point.)

A few hours later, I received a call from Ryan, and we had a long conversation about the situation. I respect his initiative in addressing the damage head-on and in a personal, as well as professional and expert, manner. I believed before, and I believe now, this is a small company with integrity as a core tenet. I can't reveal all I was able to glean from the conversation, but will say that they have well and truly made every practical effort to rectify the situation in the best manner available. (Know that doing so is an extremely expensive and painful proposition for them, and as a small company with whom I like doing business, I hope their balance sheet can survive the hit. As much as we as customers may have lost potentially and in fact, BRS has lost far more.)

I empathize with everyone involved in this: myself, other customers, and BRS too. I do not sympathize, however. This sort of attack, while prevalent (anyone a Target customer?), is not unpreventable. I still maintain the best time to close the barn door, is before the horses escape. To mix metaphors, that's water under the bridge now. In talking with Ryan, I am convinced they have learned this very painful lesson. Right now, I have no doubt that one of the safest places to do business on-line is the BRS web site.

"Maybe they will make a youtube video about it....."
I complained that the time it took to communicate the issue was too long. Ryan, I could tell, was as frustrated as we all are on this. I agree with him there is no perfect way to communicate, and in balance they did as good as can really be expected. The above quote was written by another poster, in humor, but Ryan shared that was literally his first impulse and wanted to do so immediately. The IT experts they brought in shot the idea down in no uncertain terms, and were right to do so. Immediately after the discovery, there were not enough facts in evidence to craft a coherent message, let alone an effective action plan for the business or consumers. Until they knew the nature and reach of the intrusion and theft, what was the message to be? "We were hacked. Data was stolen." Painful, but better to wait and have a clear message, targeted at the affected parties rather than a vague, ominous broadside aimed at everyone. (If I, for one, want the latter, I'll watch Fox news.)

Nobody will disagree this was an unfortunate situation. Bad things happen to good people. Everyone victimized here, including BRS, are good people IMHO.

I will continue doing business with BRS. Their business model and delivered value is still attractive to me. I will, as will we all, come away sadder but wiser knowing more than we care to about the dark side of doing business on-line. The suggestion to use PayPal as a payment processor backed by a credit card as the payment instrument is a good one. Secure payment processing is not BRS' core competence, it is PayPal's raison d'être, and we all should be taking advantage of that as a prudent approach to e-commerce.


rsundstrom is offline   Reply With Quote
Old 02/26/2015, 01:08 PM   #132
d2mini
Registered Member
 
d2mini's Avatar
 
Join Date: Nov 2008
Location: Houston, TX
Posts: 10,367
Am I the only one not upset about this?
My bank has to send me a new debit card what seems like several times a year, including a few weeks ago. This is the first time this year.
This has just become normal to me. lol
I've never lost a dime, btw.


__________________
-dennis

Elos Diamond 120xl | Elos Stand | Radion G4 Pros | GHL Profilux Controller | LifeReef Skimmer | LifeReef Sump
Photos taken with a Nikon D750 or Leica M.
d2mini is offline   Reply With Quote
Old 02/26/2015, 01:13 PM   #133
TruReef
Registered Member
 
TruReef's Avatar
 
Join Date: Nov 2009
Location: Fruit Cove, FL
Posts: 654
Quote:
Originally Posted by d2mini View Post
Am I the only one not upset about this?
My bank has to send me a new debit card what seems like several times a year, including a few weeks ago. This is the first time this year.
This has just become normal to me. lol
I've never lost a dime, btw.
I'm in your boat too, S happens, get over it and live on.......& yes I was also compromised and sent a new card...


__________________
The Dude abides. I don't know about you but I take comfort in that. It's good knowin' he's out there. The Dude. Takin' 'er easy for all us sinners.

Current Tank Info: AGA 180g mixed reef, 60" Sunpower 8 bulb, SRO-3000int
TruReef is offline   Reply With Quote
Old 02/26/2015, 01:53 PM   #134
GilliganReef
Registered Member
 
GilliganReef's Avatar
 
Join Date: Nov 2013
Location: Minneapolis, MN
Posts: 379
Quote:
Originally Posted by MidwesternTexan View Post
As I sit here at work, I wonder why everyone can't just do honest work anymore?

Why so many have to 'cheat,game' the system?

What's funnier, is that it happens so often, that usually unless it's at least a 5K loss,
they don't even investigate it. Is that funny or what?
I used to work Fraud for Target. I was able to stop a lady in NY. Who used 8 different people CCs to purchase txt G/C's. Where she was in a box store trying to combine the cards onto one G/C. So Target wouldn't be able to trace her activity. I was lucky enough to start tracing 3 out of 8 being used at that time in a store. Had the other 5 cancelled and called the store to have that g/c voided. It's always fun calling a Susan or Lisa who has a really deep voice, Or catch these morons in the act. Red flags are if it is a URL from Eastern Europe or West Africa. Saddest is when you call an old lady asking her if she purchased a $150 G/C for someone she never heard of.


GilliganReef is offline   Reply With Quote
Old 02/26/2015, 02:38 PM   #135
rsundstrom
Registered Member
 
Join Date: May 2008
Posts: 2
I was behind this old guy at a Walmart ATM who was working the machine for a good 15 minutes before my curiosity and impatience got the best of me and I stepped up to look over his shoulder to see what on earth was taking so long. He had a handful of cards that he was dutifully trying, one by one, to get money from the machine - without much luck I might add.

I kindly suggested he steal higher quality plastic, or at least learn how to steal PINs as well so the process would not take so long, and the rest of us could get on with our day.


rsundstrom is offline   Reply With Quote
Old 03/06/2015, 10:39 PM   #136
Erasmus_Crowley
Registered Member
 
Join Date: Oct 2014
Posts: 2
I know this happened a while ago, but two days ago I got the first of several strange emails. Tonight I was notified via email that someone created an account at McAfee security and paid for it with my credit card. I immediately cancelled that card before any other damage could be done, but I have since tracked down several other accounts created using my personal information and credit card.

These accounts have not been used by the thief and they are all products that auto-renew each month and that are very difficult to cancel. My best guess is that someone is currently running a bot to sign up to these services with the information in the stolen BulkReefSupply data just to be a malicious jerk.

I just wanted to give a heads up to anyone else that hasn't cancelled their cards yet. Be very vigilant and cancel your CC at the first hint of anything you don't recognize.


Erasmus_Crowley is offline   Reply With Quote
Old 04/09/2015, 05:44 PM   #137
jminick2
Registered Member
 
jminick2's Avatar
 
Join Date: Jan 2015
Posts: 1,215
Just like to let everyone know, in good faith I ordered from BRS (AFTER the big incident) I received a letter today that says they have identified more small affected files that were not previously included in the scope of earlier announcement. Potentially affected customers is anyone who logged into the website between Feb 22 and March 16. Apparently this is an ongoing issue with them. I used PayPal so I'm not that worried but be warned.


jminick2 is offline   Reply With Quote
Old 04/09/2015, 06:36 PM   #138
rfgonzo
Registered Member
 
rfgonzo's Avatar
 
Join Date: Sep 2013
Location: Michigan
Posts: 1,272
Quote:
Originally Posted by jminick2 View Post
Just like to let everyone know, in good faith I ordered from BRS (AFTER the big incident) I received a letter today that says they have identified more small affected files that were not previously included in the scope of earlier announcement. Potentially affected customers is anyone who logged into the website between Feb 22 and March 16. Apparently this is an ongoing issue with them. I used PayPal so I'm not that worried but be warned.
Great, hopefully it doesn't happen again.


__________________
210 gal reef, 75 gal Refuge with 55 Gal sump mixed reef
100 gal Reef, 75 gal Refuge with 55 gal sump. SPS/LPS &
100 gal Japanese Dragon Moray eel tank with 40 gal sump
75 gal Brazilian Dragon Mor
rfgonzo is offline   Reply With Quote
Old 04/10/2015, 03:19 PM   #139
oseymour
Euphyllia Addict
 
oseymour's Avatar
 
Join Date: May 2012
Location: Brooklyn, NY
Posts: 1,514
Quote:
Originally Posted by jminick2 View Post
Just like to let everyone know, in good faith I ordered from BRS (AFTER the big incident) I received a letter today that says they have identified more small affected files that were not previously included in the scope of earlier announcement. Potentially affected customers is anyone who logged into the website between Feb 22 and March 16. Apparently this is an ongoing issue with them. I used PayPal so I'm not that worried but be warned.
I got another letter yesterday...Only it didn't have my name on it. It was my address .

I always use paypal so I'm not worried but jeeze.


__________________
Just started Red Sea Reefer 350 (75 Gallon) Build Thread - http://www.reefcentral.com/forums/showthread.php?t=2555495

Current Tank Info: Red Sea Reefer 350
oseymour is offline   Reply With Quote
Old 04/10/2015, 04:30 PM   #140
jamie1981
Registered Member
 
jamie1981's Avatar
 
Join Date: Jul 2014
Posts: 309
Quote:
Originally Posted by oseymour View Post
I got another letter yesterday...Only it didn't have my name on it. It was my address .

I always use paypal so I'm not worried but jeeze.


Got another one today with my address also, but the first and last name was not mine this time either.

I don't really understand why some people get so upset over this. It happens, thieves will always be one step ahead.


jamie1981 is offline   Reply With Quote
Old 04/10/2015, 07:05 PM   #141
shamus
Registered Member
 
shamus's Avatar
 
Join Date: Feb 2003
Location: WV
Posts: 188
I got the letter and 2 days later got a fraudulent charge on my card. I only used my card at BRS. Sucks but there is nothing you can do about it. This was the second time this has happened in 5 months.


shamus is offline   Reply With Quote
Old 04/10/2015, 07:06 PM   #142
jminick2
Registered Member
 
jminick2's Avatar
 
Join Date: Jan 2015
Posts: 1,215
Quote:
Originally Posted by jamie1981 View Post
Got another one today with my address also, but the first and last name was not mine this time either.

I don't really understand why some people get so upset over this. It happens, thieves will always be one step ahead.
Because it's their God given right, some people don't like the idea of criminals having their information. I betcha if you lost thousands of dollars like this your attitude would be different.


__________________
“Out of every one hundred men, ten shouldn't even be there, eighty are just targets, nine are the real fighters. Ah, but the one, one is a warrior, and he will bring the others back.”

Current Tank Info: 300g sps tank
jminick2 is offline   Reply With Quote
Old 04/10/2015, 07:12 PM   #143
soulpatch
Registered Member
 
soulpatch's Avatar
 
Join Date: Dec 2014
Location: Downingtown, PA
Posts: 4,084
Quote:
Originally Posted by jminick2 View Post
Because it's their God given right, some people don't like the idea of criminals having their information. I betcha if you lost thousands of dollars like this your attitude would be different.
I guess that depends on who you expect to direct the rage at. If at the hackers I am with you. If at the retailer then not with you so long as the retailer had security and such.

In this instance BRS uses Magento which a TON of other companies use as their checkout platform. They also have Verisign which again is pretty standard. Magento was what was hacked and many other companies using the Magento platform were hacked as well.


__________________
150 SC tank build: http://www.reefcentral.com/forums/showthread.php?t=2550948

Some have bar tabs. I have a coral tab at my LFS. Life goals.
soulpatch is offline   Reply With Quote
Old 04/10/2015, 07:14 PM   #144
jminick2
Registered Member
 
jminick2's Avatar
 
Join Date: Jan 2015
Posts: 1,215
I rage at the criminals.


__________________
“Out of every one hundred men, ten shouldn't even be there, eighty are just targets, nine are the real fighters. Ah, but the one, one is a warrior, and he will bring the others back.”

Current Tank Info: 300g sps tank
jminick2 is offline   Reply With Quote
Old 04/10/2015, 07:15 PM   #145
christopherjudd
Registered Member
 
Join Date: Mar 2013
Posts: 502
Quote:
Originally Posted by oseymour View Post
I got another letter yesterday...Only it didn't have my name on it. It was my address .

I always use paypal so I'm not worried but jeeze.
just got another letter with the same thing


christopherjudd is offline   Reply With Quote
Old 04/10/2015, 07:17 PM   #146
soulpatch
Registered Member
 
soulpatch's Avatar
 
Join Date: Dec 2014
Location: Downingtown, PA
Posts: 4,084
Quote:
Originally Posted by jminick2 View Post
I rage at the criminals.

Then in 100% agreement with you...


Also instances like this are why you should always use a credit card online not linked to a bank account. That way you have their fraud working for you and it is THEIR money in the wind vs your own money while you fight with the bank to get it back...


__________________
150 SC tank build: http://www.reefcentral.com/forums/showthread.php?t=2550948

Some have bar tabs. I have a coral tab at my LFS. Life goals.
soulpatch is offline   Reply With Quote
Old 04/10/2015, 09:46 PM   #147
jamie1981
Registered Member
 
jamie1981's Avatar
 
Join Date: Jul 2014
Posts: 309
Quote:
Originally Posted by soulpatch View Post
Then in 100% agreement with you...


Also instances like this are why you should always use a credit card online not linked to a bank account. That way you have their fraud working for you and it is THEIR money in the wind vs your own money while you fight with the bank to get it back...
Exactly I never use debit cards or bank accounts online unless it is the only option. Use PayPal or credit cards...much safer, it's much harder to get your money back from a checking account. Credit cards all it usually takes is a chargeback and a new card number.


jamie1981 is offline   Reply With Quote
Old 04/16/2015, 11:05 AM   #148
kissman
Registered Member
 
kissman's Avatar
 
Join Date: Jan 2005
Location: Waynesboro, Va
Posts: 3,087
Not sure if it has anything to do with BRS. I have used my card there recently over the last few weeks. Just got 2 Fraud charges from Salt Life each $705 each. Fraud Protection called me to see if I had made the charges. Looks like they denied it since it hasn't hit my account so far. But, still a pain in the *** to have to cancel the card and wait for a new one.


kissman is offline   Reply With Quote
Old 04/16/2015, 01:01 PM   #149
blrrobinson21
Registered Member
 
Join Date: Jan 2010
Location: Lake of the Ozarks
Posts: 204
I got the same thing. A letter, my address but different name.


blrrobinson21 is offline   Reply With Quote
Old 04/16/2015, 01:22 PM   #150
d2mini
Registered Member
 
d2mini's Avatar
 
Join Date: Nov 2008
Location: Houston, TX
Posts: 10,367
I had fraudulent charges back when this first came out, got a new card, and just this weekend I got more fraudulent charges to the new card from two places in the UK.
Not sure which one is related to the BRS event, but yeesh! Craziness. Not to mention a pain in the butt. Luckily my bank catches these things instantly.


__________________
-dennis

Elos Diamond 120xl | Elos Stand | Radion G4 Pros | GHL Profilux Controller | LifeReef Skimmer | LifeReef Sump
Photos taken with a Nikon D750 or Leica M.
d2mini is offline   Reply With Quote