I’m writing this hoping other people will come forward with similar stories. (Don’t forget to read the important updates at the end of this post. Additionally, I’ve written out a strategy that will likely help track these scammers down faster.) On 9/16/2014, Josh, a former agent at the “customer service company” at the center of this scam responded.
Yesterday, 8/13/2014, I logged in and checked my credit card statement like I do routinely. I noticed an odd authorization for $49.95 from 888-368-0967.com. This was suspicious because I did not recently buy anything for $49.95 and had never heard of that company.
Visiting the site did not help either. It appears to be a third party site that provides the customer service and, apparently, billing for other websites online.
So I called the number and ended up speaking to two different customer service representatives, who were both very friendly. After explaining the charge appearing out of nowhere on my credit card I was asked to provide a few digits from my credit card number. I did that and my name was verified by them. Kind of weird that my real name was associated with that number in their database but whatever.
I was told that yes, a $49.95 charge was placed on that card on 8/10/2014. (It must have taken a few days to transfer over to my credit card company.) They told me that the Raspberry Ketone Strength vitamins would be arriving shortly.
Woah! Hold on there. Raspberry ketones? I even had to have the rep spell it out for me because he had a slight accent and that’s something you don’t hear in everyday conversation. What the heck are those? I have never even heard of them, let alone buy them!
I then asked him to give me the shipping address. I was planning on giving this information to the credit card fraud department to hopefully catch the criminal. Weirdly enough the agent proceeded to give me my own address! What craziness is this? Why would someone order these weight-loss “vitamins” in my name, using my credit card number, and then ship it to my actual address?
It doesn’t make any sense. If my card number was auto-generated and then used for this purchase, why would my real name and address be used? Wouldn’t the thief want the product shipped to his own address or at least a PO Box that he could secretly pick it up at? Seems like a lot of work just to pick up a 2-month supply of this stuff.
The first customer service representative I spoke with told me that he’d cancel the order. He offered no explanation of how or why this charge happened in the first place since “[they] are only a third-party.” I told him that regardless of canceling the order I still would be talking to my credit card company to dispute the charge.
Next, I did call my credit card company and reported what I described above. Their agent said that she saw the charge and noted that it was allowed to go through because the name and shipping address matched what they had on record for me. She said that my call was documented and that I could dispute the charge if the billing company did not cancel it themselves.
Then I realized that maybe the criminal used a different email address so that he could watch the shipment tracking and possibly intercept the package when it arrived at my door. I called the billing company back and spoke with a second customer service representative.
This new guy told me that they only had my name and address (and credit card number) on record but that there was no associated email address. Dang, there goes that theory! He then said that my product would be arriving in only a few days.
What? I thought the last guy canceled it! Turns out my auto-renewing account was canceled but that the product was still on the way! That was not what I wanted. The rep then told me that when I received the package and did not want it I could send it back with the RMA number he was about to give me. I was not going to do that. I told him that I’d be refusing the package and would dispute the charge with my credit card company regardless. I did not want to deal with an RMA number.
He then talked to his supervisor who did authorize a refund of the $49.95 charge. Supposedly that could take up to 5-10 business days. I also received a cancellation number. Seems fairly legit. I’ll closely be watching my credit card statement for that refund and will be updating this post with any new development.
Has anyone else experienced anything similar?
I’m at loss for an explanation. The Raspberry Ketone Strength website and terms and conditions isn’t helpful. There’s no contact information other than the number for the third party billing company. The only company name is listed as “Puerto Quellon LP.”
A quick Google search of that name does, in fact, bring up something similar. There’s a single recent mention of an entry on Ripoff Report describing a company trying to charge someone a monthly $49.95 to his bank card, which is directly connected to his checking account. (At least in my situation it goes through my credit card, which has better fraud/dispute resolution.)
This guy feels that the Puerto Quellon LP company must have gotten his details from his Amazon account.
I have bought a number of things recently from third party sellers (which were managed through Amazon). Everyone of them has good reviews and the products arrived correctly and in good condition.
The only thing that I can think of is that this Raspberry Ketone Strength company aka Puerto Quellon LP has fraudulently charged my credit card themselves. Not as many people go to the extreme that I have in tracking them down. Scamming the credit card companies out of a little money here and there might be their business model. Maybe the $49.95 charge is too small for the credit card companies to spend the time and money to pursue? This is all just entirely speculation, and it will be interesting to see how this plays out.
Update (8/17/2014): Just checked my credit card statement and the billing company I called did keep their word. The $49.95 charge has been credited back to the account. I’ll be watching my credit statement even closer for the next few months because this does still seem kind of fishy.
Update (8/28/2014): I did a Google search and found another website discussing the exact same thing.
Also, an article from none other than the Cosmopolitan UK describes how people in the UK are finding it very difficult to cancel their trial of the product once they order it. There was an email address listed at the end of the article for victims to email in order to stay apprised of any potential court proceedings. I’ll post updates here if I hear back.
Update (9/2/2014): Andrew suggested that the scheme involves setting up a fake merchant account using stolen credit card information. What happens is that the relatively small charge is cleared by your bank because the name and address are correctly provided. Then, if you happen to notice the charge and call to cancel, the money is refunded. This sounds okay, but this actually allows the scam to keep going. What should be done instead is to keep the charge on the account, dispute it and get the chargeback, allowing the bank’s fraud department to track it down. Once more people do this, then the appropriate authorities will shut them down. Thanks, Andrew!
Update (9/11/2014): Thanks to everyone that has commented so far. Hopefully this blog and comments have been helpful in clarifying this scam and, if nothing else, letting other people know that they are not alone in this. In the comments Patricia has posted a good email that she is using to alert her friends. People have also been contacting various news agencies. Paul suggested contacting the Internet Crime Complaint Center (www.ic3.gov).
I’d also like to suggest a new strategy:
Many of us have actually, believe it or not, had success in calling the 888 number (the “third party” billing company) and asking for a refund. Now that I have read through the advice of commenters who deal with this kind of stuff in their professions, I think the strategy should be to not ask for a refund. As Andrew said (see 9/2/2014 update above), this only legitimizes them and allows them to keep the scam going. Instead, we should cancel the card and dispute the charge with our credit card company or bank. That way the big banks and their fraud departments will be the ones scrambling to find these scammers. As soon as we dispute the charge the $49.95 will be deposited back into our account since we have zero liability.
Update (9/16/2014): Please see the comment by Josh. He is a former employee of this “customer service company” and describes how the scam works. Very interesting and informative comment. He sounds like a great resource! Thanks for the message, Josh!
Several of the articles I have looked at speculate that the Russian hackers were associated with the government, because of the sophistication and complexity of the operation, and were interested in causing an uproar in retaliation for sanctions rather than in getting people’s money, but that once they had the data, they sold all or part of it to normal scammers who then used it. Some people quoted caution against assuming that’s true, but it does appear, from the conversations we all had with the fraudsters’ “customer service agents” that they did not only have our card numbers, but also our names & addresses, right down to zip code.
I’ve been looking, but have not yet found any article that actually lists the other 4 banks besides Chase by name.
I would like to add that I got a call from our bank’s cc fraud dept asking if I made a charge this past Tuesday for some pills called Garciniadiet. Uh….no! So they deactivated my card and said I would have to go to the back to dispute the charges. So as I looked tonight to see if the charge cleared (as I can’t dispute until it clears) I looked back and I too noticed a $49.95 charge for an 888*** .com So I called it just now and like everyone else, got a very nice man with an accent that wanted my name, last 4 digits of my number and date of sale. I gave it to him knowing that the card had been deactivated and he told me it was for Ketonestrength Rasberry Tea supplements. I told him that I didn’t order than nor did I ever receive anything. He offered to cancel my account – never offered a refund but I told him I would be disputing the charge. He just said ok and that he was a 3rd party blah blah blah…..whatever. I just wonder if this Garciniadiet supplement thing that the fraud company caught is the same thing. I’m not as computer savy to find out where its from… but I’m glad to know that this is not just me. I mean, I hate its not, but at least maybe the bank won’t think I’m crazy when I go there tomorrow!
This just happened to me 8/29/2014, the transaction happened at 2:30am EST. I will report to fraud department first thing this morning. Bastards!!
This just happened to me this morning. I found a charge for $49.95 on my bank card. Called the number, the man asked for the first 4 and last 4 digits of my credit card, my name, and date of sale, and said it was Raspberry Ketones, which I have never ordered. He had my address. I told him to cancel the order. He said he would cancel the subscription. I told him I wanted a refund. He said he couldn’t authorize this as he was only customer service for the third part. I reminded him he was not providing me customer service and I would like to be refunded for this fraudulent charge. He told me to hold, supposedly spoke with a supervisor, came back on the line and told me he was now able to refund my charge. I had to ask for a confirmation number, which he gave. Was he making up numbers on the spot? I don’t know. I am going to closely watch my bank statements online for the next few days and the SECOND this refund goes through I am closing the card and opening a new one. If it doesn’t go through, I suppose I’ll suck it up but am still closing this card. What a pain my arse.
USA Today is continuing to report on the large cyberattack against 5 US banks stemming from Russia. The Secret Service is now involved in the investigation in addition to the FBI, and similar attacks are now being discovered against European banks, particularly in Germany and Switzerland. Again, there is nothing specifically stated that “our” bank scam is part of this, but historically, financial institutions almost never publicly reveal the details of these kinds of attacks, both because they don’t want their customers to lose confidence, and because they don’t want to confirm to the perpetrators that they have been successful.
As I mentioned yesterday, I’m at Dragoncon, and coincidentally was planning on attending a panel this morning on the “Heartbleed” security failure that many of you may have already heard of when you got emails from lots of companies telling you to change your passwords, so here is my report. First of all, this panel was meant for system administrators, data security people, etc, and I’m just an ordinary person who has walked by a computer a few times, so I’ll be honest and say that I only actually understood about half of what anyone was saying. But of what I did understand, here goes.
HIstorically, the internet was built on trust, in the sense that each website that connects to another website trusts that they are each who they say they are, and this trust comes from the content of “certificates” (which I assume are little files like cookies) that the websites exchange. The Heartbleed vulnerability exploited a software problem that enabled websites to masquerade as other websites by presenting fraudulent certificates that contain actual (stolen) data, thus enabling bad people to harvest data because the website at the other end thought the bad people were somebody else, e.g. good people. Whether our scam was caused by Heartbleed or some other data lapse seems to be immaterial, because in no case could we as individuals have fixed the problem — software upgrades needed to be done by the IT staffs of the affected websites, which world-wide were (wait for it) 500,000 of them. Yes, 500,000 affected websites. In fact, changing your own password if you suspected there was a problem would not have done any good because until the website’s administrator (at the bank or wherever) made the fix, the site was still vulnerable and you would only have to change it again. In some very large companies, the different parts of the company might have completely different systems running separately, perhaps even in different cities, and each one of those would have to be fixed individually, in such as way as to not break anything else.
There is not yet any confirmation (at least none publicly admitted to) that the Russian hackers used Heartbleed as opposed to some other method of doing their data theft.
If anyone would like to actually read the presentation, it can be found here: http://www.cc.gatech.edu/~krwatson/ which is the website of Georgia Tech University. Scroll down the list for the one entitled Heartburn about Heartbleed.
So, while this was very interesting, it didn’t really produce any enlightenment as to our own particular problem, and the insecurity we now all feel that the same thing could happen to us again, based on what some people are reporting.
Also separately, I think the reason many later posters to this thread are pro-actively getting alerts from their institutions whereas we earlier people had to discover it on our own and persuade the person in the fraud department that it really wasn’t a legitimate charge, is that this is now so widespread that the person in the fraud department hears “$49.95” and goes “here we go again!”
Just found it happened to me too. 08/29/14. UGH!
I just went through the EXACT same thing. but via an online Chat server. He wouldn’t give me a customer service number nor a copy of the transaction or order or copy of the email notification regarding the product I supposedly ordered. After fighting with him he says he ‘refunded’ the amount. Will be refunded in 7-10 business days. I continued with wanting more contact info and copies of orders etc. Suddenly my chat session started having error’s when I’d try to type. HE was doing something on the other end to end my chat session. Finally he ended it abruptly.
I just want to make sure people coming here understand that you need to cancel your card not just monitor your account. This is obviously a scam and they are saying all of us are “subscribed” meaning they claim they have the right to continue charging your card and at this rate who knows how much they will charge the next time. I would guess it’s going to be A LOT more.
We’re having the same issue, this is actually the 3rd time it happened to my wifes debt card at chase, it seems even with getting new cards each month we still get a 49.95 hit from a different phone #.com at the end of each month. we just reported a new one today. we won’t use her’s at all and see how it goes end of next month. If the charge shows up again i’m wondering if it’s not a leak at chase.
First, I’d like to add that I, too, was hit by the 888*.com $49.95 billing for Raspberry Ketone Strength, some sort of snake oil supplement.
I engaged their online chat support and was relatively impressed with the courtesy (as much as can be meant via chat). They asked for the first and last four of the card, my full name, zip, the company name that charged and that amount. I supplied it all and then rep asked for a moment to check on the record.
After a few minutes, the rep returned and said that it appeared I had, only about three hours prior, signed up for this raspberry noise and that it was good for my health blah blah blah. I asked to have the amount refunded. The rep stated that someone had signed up for this “subscription” and requested this order using the correct info referring to my account and the like. I said that as the card holder I could assure the rep it was not me. I then said, “Either we can reverse this charge, or I must contact the authorities” to which the rep quickly acted to, at least cosmetically, process a refund. I got the “7-10 business days” speech. I remained cordial and professional, as did the rep (as much as you can be while likely working in a boiler room with 140 other destitute co-worker/residents attempting to float one inch above Mumbai’s or other similar 3rd-world city’s call center of outsourced squalor) and closed off the conversation.
I will be closing the account and launching a fraud review. I have no idea how they were able to get my card details. I work as a very senior member of an information security team, do independent contracting to large firms for information security handling, and worked DIRECTLY in a PCI (payment card industry) security service provider as their incident response global coordinator. Simply put: I don’t flippantly abuse the sanctity of my card(s) or their numbers. Something else substantially more insidious than simple site-to-site/third-party free-passing of small print abuses in agreements we tend to overlook is going on here. What that is, I do not know, but as I am writing this, I am hearing of many, many reports of this tonight. Cash sounds pretty nice right about now. 🙁
As for the Heartbleed thing Matthew mentioned, it’s a bit more complex than that. It wasn’t Heartbleed that allowed the site impersonation. That certificate issue was based on one of these precious certs being issued to an unknown entity which allowed them to enter into the chain of trust that is created by the certificate holders. This chain works under a “I trust who you trust” rule and somewhere in that chain was/perhaps is a confederate. Heartbleed was a flaw in the way that sites allow users like us to maintain a secure relationship by keeping a “heartbeat” of constancy between the server and the client (user). A specially crafted type of message if sent correctly to a Heartbleed-vulnerable site would encourage that server to return a message to the sender that exposed portions of the data held in the server’s RAM, or its “short-term memory”. Sometimes this memory included huge things like usernames and passwords, and worse yet, the actual keys used to encrypt and decrypt the data they send and receive. These keys are unique to each server and client, but in this situation, the attacker could just repeatedly bomb the server with these specially formed requests and milk the RAM of lots and lots of really sensitive data. And you’re right, Matthew: there are probably 100s of thousands of machines that still today remain unpatched for the Heartbleed vulnerability. It’s really bad.
So, good luck to all of you. Make sure you get new cards. Lock ’em down tight. Stay safe. Consider $49.95 a warning. It could have been much, much worse. Still could be! 😐
Just wanted to add that I also was hit by this ‘raspberry ketone’ thing from this 888-368-0967.com site. It was a charge for $39.95 to my Chase visa. Needless to say the account is now closed and a new card is on the way.
@Bera, how odd — you’re the first to have gotten charged less than $49.95 — the scammers must be having a sale!
And thanks, @Russ, for that follow-up explanation of the Heartbleed threat. It was good to read it in the words of someone who clearly knows what they are talking about. (At least I got some of it right!)
I did get a replacement card from Chase with a new number. I’m going to refrain from using it online at all this month, except for my one automatic donation, and to as limited a degree as possible with local merchants and see if I get hit again. (And if I do, with only that limited use, it will be easier to pinpoint where the problem might lie, including, as @Mike just suggested, possibly with Chase Bank themselves.
Just wanted to throw out there, that none of the 3 times I’ve been hit have been through Chase. I bank at a Colorado bank called 1stBank.
I to just got hit again.. by the same company 888-368-0967.com twice in 6 months. Chase again is closing that card down and issuing me another. No clue how this is happening, I am very careful on which merchants I deal with.
I got hit for 49.95 over the weekend but luckily because of labor day the pending charge didn’t go through before I caught it. I got this on my statement
CHKCARD8883704037.COM PINELLAS PARKFL
I called the company and asked what the name of their company was and the person who could hardly speak English told me that the name of their company was “customer service” and refused to give me any other name unless I first gave him my information. I told him, you are scamming people, why the hell would I give you my information? Then I hung up, called Wells Fargo and now I’m researching it here on the web only to find I am not alone! My bank was very helpful and cancelled my card and denied the pending charge request.
Thanks for this blog! I hope those bastards get their sorry asses thrown in jail for life.
As a follow up to my first post, rather remarkably, they did in fact refund the full amount to my account. I’m still closing the account etc, but they did do as they’d said they would.
I did go ahead and cancel my US Bank Visa card as well. (Still no fraud activity on any of my other cards.) Unfortunately, I had a lot of auto-pays hooked up to that one…oh well, better than continually getting scammed.
Interestly, the woman in the fraud department I spoke with had not heard of this $49.95 scam yet. She said she deals with so many similar scams per day that a single type doesn’t immediately stand out to her.
I also asked her if I could get a card with the pin & chip technology in it (nearly standard in the rest of the world now); it turns out this is available for some of their travel cards but not with the Cash+ card that I’m using. I doubt pin & chip would have stopped this scam, but it would definitely make it harder to fraudulently scan the swipe-style cards.
Scott recently posted…Raspberry Ketone Strength Scam?
Well, I arrived here as I suspect the rest of you did: call the number, have the guy spell out Raspberry Ketone Strength, google it, et voila. Two charges on my card, 8/14 and 9/1 of this year. If the credit card fraud folks haven’t heard of it yet, they will be soon…seems like a rash of this in the past couple of weeks if these experiences indicate a wider trend.
I think i can explain exactly what’s going on here. I have just received same charge on my credit card, checked website and knew right away what it is.
This is not some vitamin company where some “hacker” used your credit card to buy bunch of vitamins on your behalf.
This scheme is called “Fake Merchant Account”. What they do is, they open fake internet store and start charging stolen credit card numbers. If credit card holder notices the charge and contacts them they will provide you with your own information, which will look like either you ordered it or somebody else did on your behalf. Only real reason for that is to make sure your credit card goes thru.
Bandits hope that people will not notice the charge on statements. If person notices it they will issue a refund without any inconveniences to them. This scheme might go on for a long time, until level of chargebacks increases significantly.
To shut them down quickly- ALWAYS CALL YOUR BANK AND REQUEST CHARGEBACK. DO NOT REQUEST REFUND FROM THEM AS IT WILL ONLY ALLOW THEM TO OPERATE LONGER.
@Andrew, Thanks a lot. That information is good to know. I’ll, in fact, reference it in the main post so people see it.
@Andrew, this is good to know, thanks for sharing it. Do you agree, however, that it is also a good idea to get your bank to issue a card with a new number? I’m honestly a little worried about the fact that some posters here have been hit again on their replacement card numbers, and have begun checking all my accounts at least once a day, sometimes more, depending on my level of paranoia!
@Scott, in an earlier comment, you referred to “pin and chip” technology. I agree that the type of physical card we have would not have prevented this particular scam, which appears to be using a list of stolen numbers, but what is pin and chip technology, and how is it more secure in general?
@Matthew, pin and chip it is a type of technology built into a limited number of cards in the United States but is very common throughout Europe and the rest of the world. While here we just swipe our cards, with the pin and chip system you insert your card into a special reader (which isn’t RFID and, therefore, can’t be read wirelessly) and then enter a pin # a la getting money from an ATM. Currently it is incredibly easy steal a credit card and then just swipe it at any number of retailers…some places don’t ask for a signature and even if they did, who really checks that? If you are going to Europe it is pretty much mandatary to get one. Tickets on a train, for example, might require a card with pin and chip.
I have a Bank of America card with the “pin and signature” version and a PenFed card with the true chip and pin. I’ll use the PenFed one if I ever go overseas because there is no foreign transaction fee either.
I’m not sure if pin and chip would have stopped this scam, unless it involved gathering the numbers from a secondary swipe somewhere.
Some articles are here:
Did you all see the news about the possible Home Depot breach? Says it might go back as far as March. I know I shopped at HD a bunch because we sold our house last month.
Happened to me too..so far 8/12/14 being refunded..New card being issued..transaction on 8/31/14 being investigated but we know the outcome! My story ditto to everyone preceding this. Taught me to carefully look at all my bank/credit card statements..also cash is beginning to sound like a good self security system.I am working on this with wells Fargo.
Hi! So glad I can get a little clarity! Something just happened to me the other day September 3, 2014.
Just checked my bank account and $49.95 was debited out of my account. Seems like a little but when you are unemployed it’s sad!
I recently bought a groupon for AMF bowling online.. Wondering if that was a way they got my credit card. I also pay my titithes online. One or the other! So mad!
I spoke with a rep who said they would refund my money but it would take 7-10 days! I don’t even know what that stuff is and would never order it dye to the fact that I didn’t even have that amount in my checking account! They literally took all of my money!
Calling my bank after the refund and shutting that card off!
Good luck and Blessing!!!
I was just charged 49.95 from that same phone number. The charge said it was from Ocala Florida. Thankfully for labor day weekend I caught the charge while it’s pending. I have a credit union card which I’ll be calling in the morning. I also called the number and told them to cancel the order. They said that would be ok and they would cancel it right away. The lady was very polite with an accent and tried to sell me on the ketones. We will see how it turns out tomorrow.
There must be one common thread among us that is the weak point causing us all this trouble. Unfortunately, it wouldn’t be as obvious as a single restaurant or online vendor. It might be as complicated as a breach within some payment processor or acquirer. Look at the following link to understand the complexities involved in what we take for granted as a “mundane” process. As you can see, it’s a lot:
Has anyone had anything other than a Visa card involved?
Let’s start with the top level stuff and work our way down. We have enough people to potential crack the case here.
My card was a Visa.
I’ve seen one other person mention Colorado, So I will add that I’m in Colorado also.
@Russ, Interesting link. Thanks! Mine was a Visa as well, but Ann, a few comments back, said that she had a Mastercard hit with the same thing.
The link that Russ posted was very interesting, and I think points up that if the fraudster makes every attempt to mimic the legitimate process, the weight falls on the consumer (and ultimately their financial institution) to prove that the purchase was not legitimately made. Now that so many instances of this particular fraud are being reported to the banks and c.c. companies, they are believing the people, and even in some cases proactively sending alerts — the early callers had to jump through many more hoops to establish that they did not really order these “vitamins”.
Mine was a Visa, through Chase bank.
Also, I live in Florida, and the description of the charge on my statement said Pinellas Park, FL after the 800 number, which is actually close enough to me that I might have mistaken it for a legitimate charge if I hadn’t been looking closely. Several others here also mentioned that their descriptions said Florida, but not whether they lived there.
Many of us have stated that when we called the 800 number, we gave the “customer service agent” only minimal information and they knew everything about us. e.g. I gave my last name and zip code, and the person knew my full name and street address as well as card number. That tells me that this is a result of customer data stolen from somewhere, rather than our card numbers being skimmed from someone’s credit card device.
Regarding the recent Home Depot breach, as with Target, I do not shop regularly at Home Depot because there is a Lowe’s right down the street from me. I have shopped at Home Depot in that past, possibly even with this card, but not for years, so if it’s that, why now? We are assuming that these store breaches we hear about, if they say for example that it’s been going on since April, then if we haven’t shopped there since April we’re safe, but couldn’t that also mean that the breach itself has been going on since April, but the data that was available to be stolen was all data that had ever been accumulated since that store first opened?
Just wondering, how many people have made a transaction recently through google play? I did and I was also scammed buy this .com site shortly after.
The expanse of possibilities for breach are mind-numbing. My most recent anomaly would be some show tickets I bought via the eTix.com service. I don’t know who their processor is, however. I don’t use Home Depot.
Does anyone here use MaskMe, NetSpend or Western Union?
Every credit card merchant is required to undergo a yearly review of their security. Smaller vendors, like fast food stores, usually do what’s called a Self-Assessment Questionnaire, or “SAQ”. Those are known as “Level 4 merchants”. Level 1 merchants are the super-huge operations like eBay or Amazon. At Level 1-3, they have to undergo a review called a Report On Compliance, or a “ROC”. The SAQs allow the store owner a cost-effective self-examination of their security posture and practices which they attest to being honest and that they as the store owner accept liability if their security *isn’t* sound and/or breached. The ROCs are really expensive, like $50k a year at least, and must be done by an external auditor. If a Level 4 merchant is breached, like Dairy Queen was, then the specific store location or franchise that had the breach then can no longer do their own SAQ and must hire an auditor to do a ROC for the next five years. In most cases, a single store owner of even modestly successful locations will gross maybe only 70-80k per year. The requirement to do a ROC is usually a business killer. There is no recovery for most of these businesses when this happens, even if it is as simple as an employee writing down card numbers and using them maliciously later.
As a key player in the Payment Card Industry services sector early in my security career, I can tell you in my honest professional opinion that 95% of card processors are already breached, but don’t know. The 5% that aren’t just haven’t been targeted. I now work in an extremely high-paced and technologically advanced security space focusing on Advanced Persistent Threat, or “APT”. This is the type of attack that establishes a silent, confederate foothold inside your network or systems and never lets go. These types of attack were more common in attempts to steal intellectual property, such as proprietary designs, schematics, recipes or strategic planning. Now, however, these very, very difficult-to-detect attacks are much more accessible to lower-strength “threat actors” who are using them to pull of card theft in incredibly inventive and circuitous ways. Some of these breaches may exist for years before their effectively understood and countered. It’s really bad, guys. This news and reality has been kept from the public purview with intense effort at the corporate level. Breaches are often mitigated internally, but the state of security as a general practice and skill from Fortune 500 companies down to mom-and-pop drive-thrus is vastly, vastly under-prepared or even technological capable versus the threat actors now coming into the scene. I’ve seen attacks that quite literally left my jaw hanging down. The brilliance of their attacks from the creative means of socially engineering “an in” to planting undetectable, kernel-mode hooks into victimized systems cannot be overstated. This problem is not because the companies are being sloppy in most cases, it’s because the effort to target one system or employee’s credentials inside a vast corporate network are much more effective at a 1-to-1 level than the expanse of endpoint protections that exist. Most corporate defensive systems involve multiple, non-cooperative security vendors (such as firewalls, web proxies, antivirus apps, etc). Security teams are struggling desperately to make sense of terabytes of log data every day with few experts available to tie the data together in a SIEM, or Security Information and Event Management, system. Current popular SIEMs include Splunk ES, Archer and LogVault. But these tools are only as good as their architecture. Again, very few experts that are in massive demand.
I didn’t mean to go on forever about this, but the complexity and grave nature of the reality of data breach in our corporate, private industry and healthcare information security spaces is mind-blowing. Healthcare is arguably the worst. I won’t go into that now, just know it’s a disaster at a near-universal level. Interestingly enough, VA hospitals are among the most secure at the network level.
Thanks for reading this all.
Again, anyone using MaskMe (also known as DoNotTrack Me), NetSpend or Western Union?
Russ, I am using DoNotTrackMe, which was recommended by the president of our local computer club, which means that probably dozens of people in my town are using it as a result of his recommendation. Is it good or bad? If it’s bad, please let me know so I can pass the info on to him.
I have never used either of the other two.
I was charged 9-1-14, it was visa debit from Wells Fargo. The name company Customer Support. agent name Bill Merlowette emp # y298. from Miami. I hope this helps, I don’t use any of web sites mentioned. I have shopped at Lowes.
I have had about 6 calls from a company called Tech Support, sometime a man and sometime woman, real strong accents. They try to bully me into turning on computer and make changes they talk me thru. Of course I refuse them, but they argue with me, claim they work for windows. My computer has serious error problems only they can fix. I’ve e-mailed windows, they never respond back. They wait a while and try again. I tell them I think they a frauds and block their calls, then they use a different number. Anyone else get these calls?
@Diane, the calls you’re getting about your computer from people who claim to be from Microsoft is another well-known scam, but it is unrelated to this bank scam that we’ve all experienced. No one should ever give those folks access to your computer — that will give them the ability to either plant all sorts of malware on your computer, or open a back door where they can later get in whenever they want. (Besides wasting the money they want you to pay them.) This type of call has been received by many members of my local computer club, but as far as I know, none of us have succumbed to it.
I actually never answer my landline at all anymore until the message is done and the person starts to speak to leave a message and I recognize who it is, and I don’t answer my cellphone unless the number belongs to someone I know, and then call back any legitimate callers who leave messages. Anyone of my personal acquaintance who wants to get in touch with me will leave a message.
DoNotTrackMe is actually really a great product. They also make MaskMe, which allows you to submit a fake email address that can be mailed to and it forwards the message on so that your real email address is not exposed. The also have a credit card masking service for their paid version that allows you to submit a proxy credit card in the same way. They charge off your account the amount of the purchase into a temporary card only good for that amount. Since we know these guys have our full addresses and info (the scammers, I mean), then it’s gotta be getting farmed out of a source that also has these details but also the full details of the cards as well. Honestly, we’re on the front edge of a large breach discovery. It’s only a matter of time before the Secret Service gets involved on cases this expansive. Unfortunately, it shows how vulnerable and totally disconnected from the life of our credit cards we are regardless of security appreciation or practice in our own lives. I think we’re going to have to wait this one out to learn how this really went down. The five card brands (Visa, MasterCard, Discover, Amex and Diner’s Club) all take this sort of this extremely serious.
Imagine how the world of e-commerce and revolving credit debt would change if we all started using cash simply because the future is one of boundless theft, uncertainty and empty guarantees. Almost sounds fun. 😉
I’m happy to try to answer any questions anyone has if you’re really needing something clarified. This blog has clearly brought some comfort to some people who probably felt really alone and violated until they found it, me included! 😉
I just went through the same thing and am waiting to see i the credit goes through and then cancel the card. I hope there is a way to catch this group and stop the scam!
On August 8, 2014, a Florida-based company debited $49.95 to my BB&T checking account, using my checking account check (debit) card number. Here’s the charge that appeared on my August bank statement:
8/11/2014 877-290-2004.COM 08-08 515-218-1491 FL 3809 BB&T $49.95
CHECK CARD PURCHASE
I did not authorize this transaction! When I called 1-877-290-2004 to find out the details what this was about, I was informed that I had placed an online order for “Raspberry Ketone,” a weight-loss supplement that I had never heard of. When I informed the C.S. Rep that I did not place this order, he confirmed my name and mailing address, which he said had been submitted with the order! I reiterated that I had not placed this order, informed him that this was a fraudulent transaction, and asked for an immediate refund. I also called BB&T to report the fraudulent transaction and to ask that my checking account debit card be cancelled, and that a new card be issued. Since receiving my new debit card, I have not used it for online purchases, nor do I intend to. So far, I have not experienced any more fraudulent activity with the new debit card. On August 18th, the company’s refund of $49.95 posted to my account.
Information that may be relevant or of interest regarding this is that I used my checking account debit card in conjunction with PayPal purchases and Amazon.com. I am now wondering if perhaps PayPal or Amazon’s accounts have been compromised by a hacker. Therefore, I will not use my new debit card to make any more online transactions. I no longer trust the security of the internet.
Then, on August 30, 2014, a Florida-based company debited $49.95 to my CAPITAL ONE MasterCard credit card ! The charge that appeared on my online credit card statement appeared as:
8/30/2014 888-385-2968.com 8914 $49.95
Again, I did not authorize this transaction! When I called 1-888-385-2968 to find out the details, I was informed that I had placed an online order for “Raspberry Ketone,” a weight-loss supplement—the same product that I had never heard of! When I informed the Rep that I did not place this order, he confirmed my name and mailing address, which had allegedly been submitted with the order! I reiterated that I had not placed this order, informed him that this was a fraudulent transaction, and asked for an immediate refund. I told the C.S. Rep that this was the second time this had happened to me in the span of two weeks! I also called CAPITAL ONE to report the fraudulent transaction and to ask that my credit card be cancelled, and a new card be issued. To date, I am still waiting for this refund.
Information that may be relevant or of interest is that I used my CAPITAL ONE credit card in conjunction with my Amazon.com account. Since Amazon.com has had my BB&T checking account debit card number and my CAPTAL ONE credit card number, I am beginning to wonder if Amazon’s accounts have been compromised by a hacker. When I receive CAPTAL ONE’s new credit card, I will not use it to make any more online transactions. I no longer trust the security of the internet.
I have filed fraud complaints with the following agencies: Internet Crime Complaint Center, West Virginia Attorney General’s office, and the Florida Attorney General’s office.
@Russ, thanks for the info on DoNotTrackMe, I’m glad to know it’s a good product. You said that it’s only a matter of time before the Secret Service gets involved — actually, an article I saw over Labor Day weekend in USA Today said that the Secret Service is already involved in the one involving the Russians and five banks that I previously posted about, which may or may not be related to ours.
@Patricia, I assume you complained to the West Virginia Attorney General’s office because that is where you live? I never thought about complaining to an attorney general’s office, I will look into doing that. I do want to mention though — you referred to the scammers a couple of times as a Florida-based business — my transaction also came through as Pinellas Park, Florida, which is close enough to my actual residence that I almost mistook it for a legitimate transaction because I did do some other local shopping that day, but I can assure you that this is not a Florida-based business — you can pretty much put anything you want in the description field of a credit card transaction. I am quite sure that it is not a business based anywhere except for whatever space they’ve rented for their call center, and they quite possibly have moved a dozen times since any of us spoke to them!
To everyone mentioning Amazon, I will reiterate that my card that got hacked was never used for Amazon, not even once. I have a different credit card registered with them for “one-click shopping” which is used for all my purchases, and has been for years.
But I do agree that I am now quite nervous about the security of the internet — I’m really thinking twice about anything requiring credit card payment online.
@Patricia, Wow. Sorry to hear that you were the victim twice of this scam! I’ve been diligently watching my accounts and so far it has happened to me just once. (I have since received the new card in the mail.) Let us know if you hear anything back from your attorney general’s office. This type of stuff has got to stop! I was really thinking it was something tied to my Amazon account as well…we’re still trying to figure out what ties us all together.
I agree that something needs to be done in order to improve the security of our Internet transactions. While we are technically covered from loss due to fraud, ultimately we are still the ones that will make up for that loss by paying higher costs at some point in the system. What really needs to be done sooner rather than later is a tokenization system, for which a global system was recently proposed in Oct 2013 by Visa, Mastercard, and American Express. I’m really excited about Apple’s announcement tomorrow because their is a rumor that they will use tokens in their mobile payment system.
Just had a new charge come through as:
Still in pending so no way to even call them yet.
Yes, I live in West Virginia. Interestingly, a co-worker has also been hit twice with the Raspberry Ketone Strength $49.95 charge … once through BB&T (also my bank) and once through City National Bank. Interestingly … unlike me, she has not had a good experience with the C.S. Reps when she called the numbers. Both Reps refused to talk to her and would not give her a refund. Her aggressive approach may have had something to do with it. (I’m more patient and diplomatic.) Anyway, she had to fight for her refunds through her banks, whose Reps assured her that no breach in their security had occurred. (Of course, banks will tell you anything.) By the way, she also has shopped at Amazon.com. I personally don’t think that these charges are a result of scanning devices being used at local stores where we both shop (Wal-Mart, Kroger, Lowe’s, etc.). Since the Raspberry Ketone Strength weight-loss product is allegedly available only online, it has to be related to online shopping in some way. Still, the concern of a breach in the security of several banking institutions may have something to do with what’s happening. Interestingly, the thieves don’t appear to have the ability to access my checking/savings accounts and empty those accounts. This has been my concern since they have my name and address. I’m not sure how much information they can obtain using this PII. They seem to be using stolen debit/credit card numbers. But, how are they getting the numbers of new cards that are being issued by banks to replace deactivated cards … unless they are getting them from online merchants such as Amazon, PayPal, etc.? Or, they actually have hacked into several banks. Anyway, I’m not going to use my replacement check (debit) card and replacement MasterCard credit card online anymore. This is my test to see if the “hits” against my account stop. If they continue using my new cards to hit me with this charge, then I will know they have hacked my bank (BB&T). As for my contacting the WV Attorney’s office, I have a retired State Trooper friend who has a connection in that office. Hopefully, this person can do something to expedite the investigation of this scam. I will keep everyone posted.
Here’s an update. This morning when I checked my Capital One MasterCard account online, $49.95 had been credited back to my account by the company that alleges TWICE that I placed an order for Raspberry Ketone Strength! As noted on yesterday’s post, I am not going to use my new (replacement) cards online, to see if these charges continue or stop.
Just happened to me today. $49.95 charge to my debit card for this pink milkshake diet pill. I called and got the same accent customer service third party bit. I couldn’t stand listening to them because I barely understood them so I went to my bank to file the dispute. The charge was in authorization mode so they may be able to block it before it is completed otherwise it will be disputed.
I guess if you have tons of money you won’t notice things like this
The website is there with no real number to call. I weigh 115 pounds wtf do I need this shit for. I am interested to know if anyone actually received these mysterious pills
I use amazon often so this is probably the case but the pills actually exist on amazon with good reviews wtf
Let me update my prior comment.
So the last time I did not cancel my card, and simply called them. They refunded my money, but then I got charged by the new merchant they set up this month.
The name now is Slimdown.
This basically means that if you called and they reversed the charge you are going to be stuck with another company doing the same thing the next time it runs.
So once it happens to you, your only choice will be to cancel the old card and get a new one.
This is will be my 3rd card since the 49.95 charges started 6 months ago.
OK folks. Same incidents, as in four charges to date, have occurred. All supposed because of a subscription to Raspberry Ketones Strength. Something I never got or ordered. I first caught this in June and got the charges reversed. This was the $49.95 charge and a foreign transaction fee of $1.49. I forgot to check on this again, until I saw TWO charges of $49.95 and one foreign transaction fee.in my statement I just received. One for 8/4 and another for 9/1. They were charged to two different companies but when you called went to the same call center. The call center said they handle over 100 companies and are a third party. In both cases. without much argument they agreed to refund the charges and supposedly cancel my subscription. In both cases I got a confirmation number. I called the bank which is Bank America for my Visa. She said she had a call yesterday about this same thing. We spotted another charge for this in July that I had missed. All were reversed by the bank. I have closed this card. My friends are advising me to file a report with the FTC. Is that worth doing. How can these crooks be STOPPED.
@Greg, Are you saying you will continue to get this charge even after you get new cards with new numbers? You said you are on your third card. That really bothers me.
Everyone. I think this could be related to the Target breach. I am pretty sure I use my card in Target. I may have also used it in Home Depot and they just announced a breach there. Does Target and Home Depot keep your name and address along with the credit card information?
Sue, I’m very sorry about your misfortune. Yesterday, I tried to file a complaint with the FTC online, but ran into a problem advancing beyond the 3rd or 4th page of their online complaint form because none of their choices are tailored for this kind of problem/complaint. For example, to answer their questions, you have to choose one response to several drop down box “choices,” none of which pertained to the nature of my complaint. Also, they only allow space for one phone number, whereas my account numbers were “hit” by two different phone numbers. Then, there’s the problem of not having a company name, address, email address, etc. for the “offender.” All of this information is required and since I didn’t have that information, I wasn’t allowed to advance to the next page. I finally gave up, but I have filed a complaint with the Internet Crime Complaint Center. I also filed a complaint with my state’s attorney general’s office and the Florida Attorney General’s office (because the phone number showed Florida), even though the perpetrators are probably not physically located in Florida. I’m also praying that these thieves will make a major mistake that blows their cover and that they’ll be prosecuted and punished!
Again, I disagree regarding Target or Home Depot. I have not shopped in a Target in years as there is not one near me, and I actually looked to see what card I used there way back then and it was not this one. I also never shop at Home Depot with any card as there is a Lowe’s right up the street from my house. The last time I bought anything at a Home Depot was more than 8 years ago when I lived in a different place and did not even have this card yet. The store breach would also not explain how people’s new replacement cards could have additionally gotten hacked — in some cases multiple replacement cards — since the Home Depot/Target breaches were supposedly sealed by the time they were reported in the news.
I believe that this is related to the banking breach by Russians of five banks that was reported in the press over Labor Day weekend (the breach had been happening for a while — Labor Day weekend was just when the story broke) for a particular reason — I’m pretty sure everyone here was hacked on a Mastercard or Visa, which are issued by banks. I don’t recall anyone mentioning a Discover or an Amex, which are not issued through banks and handle their own finances some other way.
Matthew recently posted…The Material Whirl: 01.01.10 — opening remarks