02/19/2015, 07:53 PM | #26
#347, 19 years
Join Date: Dec 1999
Location: Biddeford, ME
Posts: 1,714
I haven't ordered from BRS since last March... guess I'm all set.
My LFS got the call the other night from BRS that they had been hacked, so at least word is spreading about it.
02/19/2015, 09:23 PM | #27
Registered Member
Join Date: Feb 2014
Posts: 55
Just deleted my cart. Changed my password. I did not see an option to completely delete my account with them. Anyone see an option to do so? I spent over $2,500 with BRS the past year. An apology is not going to cut it with me.
02/19/2015, 09:55 PM | #28
Registered Member
Join Date: Dec 2014
Location: Downingtown, PA
Posts: 4,017
No more Home Depot, Target, BRS, Boscovs, Neiman Marcus, and many more should be off your list...
__________________
150 SC tank build: http://www.reefcentral.com/forums/showthread.php?t=2550948 Some have bar tabs. I have a coral tab at my LFS. Life goals.
02/20/2015, 12:46 AM | #29
Registered Member
Join Date: Apr 2014
Location: Bergen County, NJ
Posts: 1,033
I had 3 purchases during the timeframe indicated. Luckily all were done through PayPal express. Gonna keep on checking my account regardless, and just changed my password to be safe.
__________________
Eshopps RS100 sump, Eheim 1262 return, Kessil 360WE w/controller, Avast ATO w Litermeter 3, RO Regal 170sss Skimmer, Sicce XStream-e pumps /dc controlled, Spectrapure Dual Reactor Current Tank Info: 65g mixed reef
02/20/2015, 06:42 AM | #30
Registered Member
Join Date: Oct 2007
Location: Morris IL
Posts: 518
I used PayPal so hopefully I'm safe
02/20/2015, 07:41 AM | #31
Registered Member
Join Date: Nov 2013
Location: Madison, Wisconsin
Posts: 51
In Information Security here. I do Due Diligence on companies around the country, and people would be shocked at how poorly data is protected. Companies that do PCI self attestations are a joke. At rest encryption isn't even a standard with many online retailers, and when I ask why these people think they are protected from hacks like Target, etc, I often get the response "we have a firewall in place and use SSL". I have no idea if any of this is the case with BRS, not familiar with their security. Just saying from my experience, people just don't know how to protect the data they collect, and don't understand how to take care of the customer's financial or personal information. As long as companies make it easy, breaches will continue. Again, I am not accusing BRS of being lax, as I just don't know anything about them. But never assume a company has their security act together just because they are accepting credit card numbers over a website. Yes, it frustrates me too.
02/20/2015, 07:48 AM | #32
Obligate Feeder Obsessed
Join Date: Oct 2012
Location: Pittsburgh, PA
Posts: 4,061
it's also nice to hear that they're actually putting together some laws for this. when i was working with it a few years back, it was all civil penalties and governed by nothing more than industry guidelines. i saw the talk about samsung bringing out their own pay system, but i don't know that i'm convinced those will be any better. i didn't care for apple pay when it was called google wallet. i get that using the tokens almost like a claims auth has certain value for protection, but that card information is still stored somewhere. so it seems to just shift the target to larger clearinghouses of the data. whereas today a subset of people had their information stolen from BRS, it would potentially be much more if samsung or apple were hacked. time will tell i suppose. i assume i will be getting my letter from BRS shortly. sadly my girlfriend bought me a vortech for christmas, and her card was apparently compromised. she already had to have it replaced about three weeks ago, and just got her letter from BRS last night when i had got home from work.
__________________
[Citation Needed] "You don't use science to show that you're right, you use science to become right" - xkcd Current Tank Info: A rectangular shaped money pit.
02/20/2015, 07:52 AM | #33
Obligate Feeder Obsessed
Join Date: Oct 2012
Location: Pittsburgh, PA
Posts: 4,061
they were keeping full customer data (credit card number, cvv2, social security number, address, telephone, birthdate, etc...) in a completely unencrypted database table, in a database that was directly publicly accessible via their classic ASP website, and to put the cherry on top, they had already been compromised by at least one severe SQL injection attack. when i stumbled across it, i freaked. it took me months of beating the drum loudly to get them to clear me even two weeks to do the best i could to encrypt and secure the data. management just didn't think it was important, but finally gave me that small amount of time to at least shut me up. i was able to get everything at least encrypted, and put some better authentication in place, but it was still far from perfect when i left. really, really, scary.
__________________
[Citation Needed] "You don't use science to show that you're right, you use science to become right" - xkcd Current Tank Info: A rectangular shaped money pit.
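The unencrypted table and the SQL injection described in that post share one root cause: user input spliced into SQL text. As an added example (my own, not code from the thread or from any company named in it), here is the vulnerable concatenation pattern beside the bound-parameter form, in Python against an in-memory SQLite table with constructed rows. The table also illustrates the data-minimisation point, since it holds only the last four digits of a card, never the full number.

```python
import sqlite3


def make_customer_db():
    # Constructed in-memory stand-in for a customer table; the rows are made up.
    # Only the last four digits are kept, so a leaked table yields no usable PAN.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, pan_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, pan_last4) VALUES (?, ?)",
        [("alice@example.com", "1111"), ("bob@example.com", "4444")],
    )
    conn.commit()
    return conn


def lookup_concat(conn, email):
    # Vulnerable pattern (the classic-ASP-era habit the post describes): the
    # statement is assembled by string concatenation, so any quote character in
    # the input is parsed as SQL rather than treated as data. A legitimate
    # address such as o'brien@example.com breaks the query outright, and
    # crafted input can change which rows the WHERE clause matches.
    sql = "SELECT email, pan_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, email):
    # Hardened pattern: the value is passed as a bound parameter. The driver
    # sends it separately from the statement text, so it is compared as a
    # literal string no matter which characters it contains.
    sql = "SELECT email, pan_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def lookup_safely(conn, email):
    # Defence in depth: reject implausible input before it reaches the database.
    # Validation is a second layer, not a substitute for parameter binding.
    if "@" not in email or len(email) > 254:
        raise ValueError("not a plausible e-mail address")
    return lookup_param(conn, email)


if __name__ == "__main__":
    db = make_customer_db()
    print(lookup_safely(db, "alice@example.com"))
```

Running the block shows that a single apostrophe in a legitimate address raises an error from the concatenated query, while the bound-parameter version simply returns no match; input that widens the concatenated WHERE clause to every row is, under binding, just a string that matches nothing. Binding is the fix; the validation wrapper only narrows what reaches the database.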
02/20/2015, 08:01 AM | #34
Registered Member
Join Date: May 2000
Location: Union, Ohio, USA
Posts: 6,590
I got a letter in the mail from them offering me free membership to Experian's ProtectMyID Alert.
I do know my bank has already changed my card.
__________________
I'm a SaltGeek are You? All LED since 2010. Current Tank Info: 375 Gallon Reef with siporax, all LED lighting, and Red Dragon 3 and Abyzz A200 on 2 closed loops.
02/20/2015, 08:10 AM | #35
Registered Member
Join Date: Jun 2013
Location: Manitowoc, WI
Posts: 607
I had 4 accounts breached in early January all of which were used to purchase in excess of $5000 from BRS in the prior 2 months. I figured they had to be connected but could not prove it. The last month has been hell having basically all my accounts frozen, fighting charges, and waiting for replacement cards.
Very unhappy and disappointed it was them!
__________________
220 gallon DT and 90 gallon sump, all DC powered, APEX gold with DOS, feeder, and a few extra modules, Avast Marine swabbie on Skimz Monster 258, 6 Rapid LED Onyx fixtures, BRS dosers, 4 Jaebo RW-15. Current Tank Info: 220 Gallon, 29 Gallon, 2-20L QT, and a 20 gallon tall octagon tank waiting to be set up for a seahorse tank.
02/20/2015, 08:39 AM | #36
Registered Member
Join Date: Dec 2012
Location: N.Ridgevile OH
Posts: 109
02/20/2015, 08:54 AM | #37
Registered Member
Join Date: Dec 2014
Location: Downingtown, PA
Posts: 4,017
How it works is no different than you swiping your card. You hold your phone over the reader and the reader sends the total to your phone which then pings the processor. The processor pings visa/mc to ensure it is an actual card (the card you are trying to pay with) and it pings the bank that you have balance available instantly. Everything comes back ok in a split second and the phone transmits a scrambled card number to the register and you go on your way. Apple/Samsung are just the transmitters for the data and do not store it. It was a huge concern about the storage of data with apple pay for the banking industry for the reasons you brought up. They do not which is why you see so many banks as partners. Should see the same thing when samsung's system comes out as well.
__________________
150 SC tank build: http://www.reefcentral.com/forums/showthread.php?t=2550948 Some have bar tabs. I have a coral tab at my LFS. Life goals.
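Two posts in this thread touch the same idea from different ends: the security reviewer in #31 asks why a merchant is holding card numbers at rest at all, and #37 describes the phone handing the register a "scrambled card number" instead of the real one. Both are tokenization: the party taking the payment keeps an opaque reference plus a masked number, and only a separate vault (or the card network) can map the reference back to the PAN. As an added example, not code from the thread or from Apple, Samsung or any payment processor, here is a toy vault in Python. TokenVault, merchant_card_record and the index key are assumptions of the example, 4111 1111 1111 1111 is a constructed test number that passes the Luhn check, and the in-memory dict stands in for what would be an encrypted table in a real deployment.

```python
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test: catches mistyped numbers, says nothing about fraud."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: everything but the last four digits is hidden."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Hypothetical token service: the only component that ever holds a PAN.

    The merchant keeps the token; the vault keeps the mapping. In production the
    mapping would be encrypted at rest under a key in an HSM or KMS; here it is
    a plain dict so the example runs offline.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key     # key for the blind index below
        self._pan_by_token = {}         # token -> PAN (the protected data)
        self._token_by_index = {}       # HMAC(PAN) -> token, for repeat lookups

    def _blind_index(self, pan: str) -> str:
        # A keyed hash lets the vault find an existing token for a PAN without
        # keeping a plaintext PAN index; the key never leaves the vault.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("PAN fails Luhn check")
        idx = self._blind_index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        token = "tok_" + secrets.token_hex(16)   # random; carries no card data
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        # Only the path that actually submits an authorization should call this.
        return self._pan_by_token[token]


# PCI DSS forbids storing sensitive authentication data after authorization.
FORBIDDEN_FIELDS = {"cvv", "cvv2", "cvc", "pin", "track1", "track2"}


def merchant_card_record(vault: TokenVault, card: dict) -> dict:
    """Build the only card-on-file record the merchant database may keep."""
    present = FORBIDDEN_FIELDS & set(card)
    if present:
        raise ValueError(f"refusing to store sensitive authentication data: {sorted(present)}")
    pan = card["pan"].replace(" ", "")
    return {
        "token": vault.tokenize(pan),
        "masked": mask_pan(pan),
        "expiry": card["expiry"],
    }


if __name__ == "__main__":
    vault = TokenVault(index_key=secrets.token_bytes(32))
    record = merchant_card_record(vault, {"pan": "4111 1111 1111 1111", "expiry": "12/27"})
    print(record)
```

The merchant record contains nothing that can be used to pay, which is what makes a breach of that table survivable; the blind index lets the vault return the same token for a returning customer without keeping PANs in the clear for lookup. The one thing tokenization cannot fix is CVV storage, which is why merchant_card_record refuses it outright rather than encrypting it.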
02/20/2015, 08:56 AM | #38
Registered Member
Join Date: Dec 2014
Location: Downingtown, PA
Posts: 4,017
Credit cards on the other hand are held to a higher standard and are a bit easier/faster to deal with. And please do not confuse using your debit card as a credit card as the same thing.
__________________
150 SC tank build: http://www.reefcentral.com/forums/showthread.php?t=2550948 Some have bar tabs. I have a coral tab at my LFS. Life goals.
02/20/2015, 09:04 AM | #39
Registered Member
Join Date: Jun 2004
Location: Chicago area
Posts: 1,461
02/20/2015, 09:08 AM | #40
Registered Member
Join Date: May 2011
Location: PNW
Posts: 713
I freaking thought so! We ended up with fraud on multiple cards, and the converging store was Bulk Reef Supply. It was a PAIN to get this cleared up, multiple calls to credit card companies with general ineptitude on the employees' part (is this intentional so that the customer just gives up?!?).
Someone in Australia was buying airline tickets and someone else tried to buy stuff at Victoria's Secret and someone else bought something off Hotwire (which I had never heard of) and another online store I also had never heard of. My favorite issue to clear up was a charge to T-Mobile (we have never used T-Mobile) and my credit card company told me that it was a valid charge for additional services on a pre-paid cell phone. Great! Except we never made that purchase!!!!
02/20/2015, 09:11 AM | #41
Registered Member
Join Date: Dec 2014
Location: Downingtown, PA
Posts: 4,017
The other companies did not do much else. Seriously though there is not much a company can do when a hacker wants in. Even big banks have been hacked and they spend billions on security and have some of the most complex systems in the world. In today's day and age you have to almost expect it no matter where you shop and be an informed consumer who monitors their credit cards and accounts. Chances are if you were not impacted by this or previous breaches then you will be impacted by one in the future.
__________________
150 SC tank build: http://www.reefcentral.com/forums/showthread.php?t=2550948 Some have bar tabs. I have a coral tab at my LFS. Life goals.
02/20/2015, 09:11 AM | #42
greybeard
Join Date: Jun 2007
Location: MD
Posts: 893
After having gone down this road a few times now, this - and I really hate to say it - is pretty much routine. A few hints on better ways to do business with what we have right now:
1. Talk with your financial institution about setting up a VISA debit card or somesuch that you will use *only*, and I mean *only*, for online transactions. It should be a no-charge account, with no over-draft protection, backed by VISA's fraud protection, that you will fund from a different account at the same financial institution.
2. Whenever you set up an online purchase, opt out of "saving your credit card information" - this will not eliminate the risk (it didn't in my case this time), but it will decrease the risk if the vendor doesn't store your credit (debit) card information.
3. When you go to make a purchase, get all the way to the last step before sending off your order to get the final amount, including shipping and taxes, and then transfer that amount only into the debit account. With no extra funds in the account, any attempt at fraudulent transactions will immediately be bounced.
4. For those accounts paid automatically from a credit card, change them to the debit card and have the funds automatically transferred to the debit account from your regular account.
5. Review your account statements frequently for charges you didn't make. In this instance for me, again, it was an iTunes charge to "test the card". My bank is pretty familiar with this approach and quickly addressed the charge and issued a new card.
6. When you detect (notice I didn't say "if"?) fraudulent activity on your card, notify your financial institution immediately, calmly, and walk them through why you think it's a fraudulent charge. Ask for a new card, and go through the process of letting them know what your most recent charges were to that account. As it was *only used for online purchases* it should be pretty easy to go through both of these actions.

Now to start going through the list of companies that I do auto payments to with this card...
__________________
The true sign of intelligence is not knowledge but imagination. Albert Einstein Current Tank Info: 360 degree walk around 300 DD island - 4 300W & 2 165W ViparSpectra, 4 Kessil A350W, 2 A360WE, 3 XF150, 1 XF250, 1 XF350 Gyre along with 2 PP40 and 2 IceCap 3K gyre for robust current. Basement 150 gallon RubberMaid sump, SKIMZ skimmer, DCP18000
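The six steps in that post amount to a small control: a card that is funded only for the order in front of you, so a later charge against the stolen number bounces for lack of funds, plus a periodic reconciliation of the statement against your own order confirmations, with small unknown charges singled out because that is how a stolen number is typically "tested". As an added example, not from the post's author, here is a Python model of that control; OnlineOnlyAccount and review_statement are names chosen here, and the statement lines and amounts are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class OnlineOnlyAccount:
    """Model of the 'fund it only for the order you are about to place' card."""
    balance_cents: int = 0
    posted: list = field(default_factory=list)    # (merchant, cents) that cleared
    declined: list = field(default_factory=list)  # (merchant, cents) that bounced

    def fund_exact(self, order_total_cents: int) -> None:
        # Step 3: transfer only the final checkout amount into the account.
        self.balance_cents += order_total_cents

    def charge(self, merchant: str, cents: int) -> bool:
        # No overdraft protection: anything beyond the funded amount is
        # declined, which is what bounces a later charge against the same
        # card number once the real order has drained the balance.
        if cents > self.balance_cents:
            self.declined.append((merchant, cents))
            return False
        self.balance_cents -= cents
        self.posted.append((merchant, cents))
        return True


def _key(merchant: str, cents: int):
    # Statement descriptors vary in case and spacing; normalise before matching.
    return (" ".join(merchant.upper().split()), cents)


def review_statement(expected, statement, probe_limit_cents: int = 500):
    """Step 5: flag statement lines that do not match a purchase you made.

    expected:  (merchant, cents) pairs from your own order confirmations
    statement: (merchant, cents) pairs as printed on the card statement
    Returns (unexpected, probe_charges); probe_charges are the unexpected
    lines at or under probe_limit_cents, the small 'is this card live?'
    charges worth reporting first.
    """
    remaining = [_key(m, c) for m, c in expected]
    unexpected = []
    for merchant, cents in statement:
        k = _key(merchant, cents)
        if k in remaining:
            remaining.remove(k)          # each real purchase matches exactly once
        else:
            unexpected.append((merchant, cents))
    probe_charges = [line for line in unexpected if line[1] <= probe_limit_cents]
    return unexpected, probe_charges


if __name__ == "__main__":
    acct = OnlineOnlyAccount()
    acct.fund_exact(12345)                       # checkout total was $123.45
    acct.charge("BULK REEF SUPPLY", 12345)       # the real order clears
    acct.charge("ITUNES", 99)                    # later test charge bounces
    print("declined:", acct.declined)
    # Constructed statement: one real order and two charges never made.
    stmt = [("Bulk Reef Supply", 12345), ("iTunes", 99), ("T-Mobile Prepaid", 5000)]
    print(review_statement([("bulk reef supply", 12345)], stmt))
```

The account model shows why step 3 works even when the number itself has already leaked: the decline happens at the balance, not at the fraud desk. The reconciliation is deliberately strict (exact merchant and amount, matched once), which is only practical because the card is used for a handful of online orders you have confirmations for.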
02/20/2015, 09:12 AM | #43
Gives Bad Advice.
Join Date: May 2006
Location: Ft Lauderdale, FL
Posts: 2,168
Just so that you guys are aware...
There was a huge glitch with Magento eCommerce sites that allowed an attacker to track and gather purchases. I'm not sure if this is a platform that BRS uses or not but there were tons of companies affected by this.
02/20/2015, 09:14 AM | #44
Registered Member
Join Date: Dec 2014
Location: Downingtown, PA
Posts: 4,017
__________________
150 SC tank build: http://www.reefcentral.com/forums/showthread.php?t=2550948 Some have bar tabs. I have a coral tab at my LFS. Life goals.
02/20/2015, 09:16 AM | #45
Registered Member
Join Date: Jun 2004
Location: Chicago area
Posts: 1,461
02/20/2015, 09:28 AM | #46
Registered Member
Join Date: Dec 2014
Location: Downingtown, PA
Posts: 4,017
Target is an outlier since they were the first major breach, had their CC info improperly stored, and in doing so lost the CC info for almost every customer in that time frame.
It is a cost of being the first domino to drop. No one else has offered anything to those impacted other than cheap monitoring services. I think MANY more people were impacted by the Home Depot breach for instance and they only gave monitoring. Yes this is a pain but people need to remember that the retailer is also a victim in this. Demanding that they bend over backwards with offers and such is a bit extreme unless they were negligent which I do not think BRS was. Target however was in how they stored some of their CC info. Heck they did not even mask numbers in some instances on some DBs.
__________________
150 SC tank build: http://www.reefcentral.com/forums/showthread.php?t=2550948 Some have bar tabs. I have a coral tab at my LFS. Life goals.
02/20/2015, 09:34 AM | #47
Obligate Feeder Obsessed
Join Date: Oct 2012
Location: Pittsburgh, PA
Posts: 4,061
target also wasn't very forthcoming about the breach either. they had a badly bungled response, and were slow to take any corrective action.
when these types of breaches started, i held firm that i wasn't going to do business with companies that didn't properly protect my data. then, as time moved on, i realized that meant essentially not participating in the economy on any level. and to echo what soulpatch said, many times the retailers are also victims here. you can have a reasonably secure system, take the normal precautions, and still become compromised in a variety of ways. the old adage still holds true: locks are on doors only to keep out honest people. a determined attacker will always find a way in.
__________________
[Citation Needed] "You don't use science to show that you're right, you use science to become right" - xkcd Current Tank Info: A rectangular shaped money pit.
02/20/2015, 09:49 AM | #48
Registered Member
Join Date: Jan 2006
Location: Westminster, CO
Posts: 17,289
Those of you freaking out are maybe a bit over the top. Welcome to 2015. Somehow you think reef stores are impervious to shenanigans. Give it a rest... at least they figured it out and can put an end to it. It affected me as well but I dealt with it like I dealt with it the past 10 times.
If it really is that big of a deal start using cash at your lfs and the local produce mart, I'm sure they would enjoy the business. I think you folks are overreacting and nobody actually lost money here but BRS. The consumer gets the money back. You lost some time and cool points.
__________________
Hobby Experience: 9200ish gallons, 26 skimmers, and a handful of Kent Scrapers. Current Tank: Vortech Powered 600G SPS Tank w/ 100gal frag tank & 100g Sump. RK2-RK10 Skimmer. ReefAngel. Radium 20k.
02/20/2015, 09:59 AM | #49
Reefer
Join Date: Aug 2012
Location: Iowa
Posts: 903
I ordered 3 or 4 times from them over the time period of the security breach. But I paid through PayPal. Am I safe since I went through PayPal? That's why I always use PayPal even though I pay with credit card, because I don't usually trust websites' secure checkouts.
__________________
Reefer Madness! Current Tank Info: 60x24x24 150 gallon reef, 55 gallon sump.
02/20/2015, 10:00 AM | #50
I'm an Addict.
Join Date: Mar 2008
Location: Yorkville, IL
Posts: 3,036
Credit card was stolen last night. Odd? I just ordered from brs a few weeks back.
__________________
93 Reef | 220 Reef | Basement Fish Life Support Room | Empty Savings Account