
Chaosium site insecure?


158 replies to this topic

#1 erickdredd

erickdredd

    Neophyte

  • Member
  • 4 posts

Posted 30 November 2010 - 02:16 AM

Ordered the new Masks of Nyarlathotep book a few weeks ago from the Chaosium site, and then opened my credit card statement today to find over $2800 in charges to GoDaddy.

Needless to say, this is being disputed and being taken care of, however the Chaosium site is the only one that I really suspect right now, as these charges started just days after placing the order, and the fact that the page where you would enter your credit card information is plain http, not https (At least as long as you access it through normal means, it looks like you can manually add the S, but even that has some issues it looks like). So, fair warning for those purchasing new Cthulhian goodies over the holidays.

Aside from disputing with the credit card company, is there any other recourse that you guys can think of? And what's the best way to contact Chaosium about this? Their website isn't exactly the most user friendly from my experience...

Edited by erickdredd, 30 November 2010 - 11:21 PM.
Title punctuation is 50% more appropriate




#2 jasonw1239

jasonw1239

    Son of Yog-Sothoth

  • Patron
  • 873 posts
  • Location: Moncton, NB Canada

Posted 30 November 2010 - 03:15 AM

You should immediately check your computer for spyware.
My first recommendation would be Spybot Search & Destroy.
You can download it at http://filehippo.com/

EDIT:
Use the Chaosium contact info page
http://www.chaosium....p?section_id=11
Either call the provided phone number or contact Charlie Krank at the email address provided.

Edited by jasonw1239, 30 November 2010 - 03:17 AM.
added additional information

Jason Williams

Author of Secrets of Tibet & scenario author in Tales of the Caribbean from GGP


#3 erickdredd

erickdredd

    Neophyte

  • Member
  • 4 posts

Posted 30 November 2010 - 03:17 AM

System has a clean bill of health, spybot and a myriad of other tools and the worst they come up with is a cookie.

#4 necronomiclown

necronomiclown

    Neophyte

  • Member
  • 3 posts

Posted 30 November 2010 - 05:05 AM

For what it's worth, the same thing happened to me. I ordered a few books a couple weeks ago, and the card was charged immediately after with a couple hundred dollars of other charges at other sites. Could be a coincidence but I don't use that card for much else. I let them know in an email but didn't get a response. But I know they are a tiny company, so I don't really expect a response especially since there was no way to prove what happened. I'm contesting the fraudulent charges of course. I love Chaosium but I'll be buying from Amazon next time I think.

#5 FunGuyfromYuggoth

FunGuyfromYuggoth

    Greater Independent

  • Old Patron
  • 5,547 posts

Posted 30 November 2010 - 06:36 AM

Thank you for putting 2+2 together. And yes, my computer is secure, and I find it a little strange that there are at least 2 other people here reporting the same problems after ordering from the Chaosium site. My case: I ordered the hardcover Masks of Nyarlathotep on the 11/23 from Chaosium. The very next day my credit card got dinged for almost $1,200 from an online site for software. The Chaosium site would have everything it needed to harvest my name, address, and credit card info (which I don't keep on their site).

I called my credit card company and had a Fraud Investigation set-up on it, but this revelation (while not conclusive) makes me very, very suspicious.

I will e-mail Chaosium now and ask that they take their store offline immediately until this issue is investigated and they can guarantee others will not be exposed to fraud. Leaving this issue to fester will just undermine confidence in their online store and force people to take their business elsewhere (Amazon.com). In the meantime...


Everybody who has ordered recently: Check your statements NOW!

Edited by FunGuyfromYuggoth, 30 November 2010 - 07:14 AM.


#6 patrick1971

patrick1971

    Knight of the Outer Void

  • Old Patron
  • 179 posts

Posted 30 November 2010 - 06:37 AM

I've bought stuff several times and never had issues, although I do tend to use PayPal whenever I can, it does give another layer of security.

#7 yockenthwaite

yockenthwaite

    Breakfast Clubber

  • Patron Premium
  • 1,309 posts
  • Location: Dundee, Scotland

Posted 30 November 2010 - 06:40 AM

I usually pay by PayPal when buying from Chaosium. But when placing my big order on 24th November I paid by credit card. And several days later that same credit card had a fraudulent transaction on it ... A very small one compared to yours, and it was picked up immediately by the card company, and blocked, and the card cancelled.

But I do wonder if it's related.

#8 yockenthwaite

yockenthwaite

    Breakfast Clubber

  • Patron Premium
  • 1,309 posts
  • Location: Dundee, Scotland

Posted 30 November 2010 - 07:12 AM

Well I've emailed Chaosium. Initially I emailed Customer Services, but I've forwarded it to Charlie too. Hope they look into it urgently.

#9 FunGuyfromYuggoth

FunGuyfromYuggoth

    Greater Independent

  • Old Patron
  • 5,547 posts

Posted 30 November 2010 - 08:27 AM

Same here. There seems to be too much of a coincidence to ignore.

#10 dereese

dereese

    Neophyte

  • Member
  • 1 posts

Posted 30 November 2010 - 11:48 AM

I got hit also. I just cancelled my third credit card. The one thing they had in common was that they had fraudulent purchases 2-5 days after a Chaosium website order, so it's a pretty clear pattern. I checked out their website. It appears they use http on the page where credit card info is entered instead of https. This means that the credit card info may get sent in the clear over the internet. I sent email to Charlie (the president).

#11 HGBlob

HGBlob

    Neophyte

  • Member
  • 3 posts
  • Location: Connecticut

Posted 30 November 2010 - 11:59 AM

I got hit as well. The worst part was that the card belonged to my wife. She bought Masks of Nyarlathotep for Christmas, and the next thing you know, $1600 in charges that were not hers. I feel bad her card number got stolen over a Christmas gift.

#12 erickdredd

erickdredd

    Neophyte

  • Member
  • 4 posts

Posted 30 November 2010 - 12:15 PM

I suppose I'm not exactly glad it wasn't just me, but then, it's at least good to know the source of the insecurity. Definitely a good lesson in credit card security, but man, it's a terrible time of year for this!

#13 Donnovan_Sunrider

Donnovan_Sunrider

    Son of Yog-Sothoth

  • Patron
  • 619 posts

Posted 30 November 2010 - 12:26 PM

My bank swapped out my card due to some kind of security risk at a vendor I used in the past, but I don't know which one. I haven't shopped at the Chaosium shop in months, so maybe there's some kind of word being passed around by banks about a possible breach.

#14 PoC

PoC

    Breakfast Clubber

  • Administrator
  • 18,405 posts
  • Location: Innsmouth House, Yorkshire Branch

Posted 30 November 2010 - 01:00 PM

Whether it's card related or site related remains unclear, but I'd definitely take FunGuy's advice and check your card statements. I tend to use PayPal for an additional layer of security.

...http on the page where credit card info is entered instead of https. This means that the credit card info may get sent in the clear over the internet.


It's always worth checking for the https:// (SSL security) and the little padlock sign. Never provide financial details without it!
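
The check several posts describe (is the card form served and submitted over https?), as an added example that is not part of the original thread: a Python sketch that audits a saved checkout page. The host `shop.example`, the field names and the card-field heuristic are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
import re

# Heuristic (assumption): input names/ids/autocomplete values that suggest card data.
CARD_HINT = re.compile(r"(card|cc[-_]?(num|number|exp|csc)|cvv|cvc)", re.I)

class FormCollector(HTMLParser):
    """Collect each <form>'s action and whether it holds card-like inputs."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "", "card": False}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            hints = " ".join(a.get(k) or "" for k in ("name", "id", "autocomplete"))
            if CARD_HINT.search(hints):
                self._open["card"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit_checkout(page_url, html):
    """Return findings for card forms that are exposed to plain HTTP."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["card"]:
            continue
        # An empty or relative action inherits the scheme of the page itself.
        target = urljoin(page_url, form["action"])
        if urlparse(target).scheme != "https":
            findings.append(("cleartext-submit", target))
        # A form delivered over http can be altered in transit even if it posts to https.
        if urlparse(page_url).scheme != "https":
            findings.append(("form-served-over-http", page_url))
    return findings

# Constructed sample page; not taken from any real site.
SAMPLE = """<form action="/checkout/pay" method="post">
  <input name="cc_number"><input name="cvv"><input type="submit">
</form>
<form action="/search"><input name="q"></form>"""
```

A clean result only covers the transport between browser and shop; it says nothing about whether the customer's machine, the shop's server or the card processor has been compromised.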

#15 red_bus

red_bus

    Son of Yog-Sothoth

  • Member
  • 672 posts

Posted 30 November 2010 - 01:20 PM

Coincidentally - my bank detected an insecure transaction on my credit card a few days after my purchase from Chaosium this month (it was the 2nd last transaction on the account, iTunes being the most recent). An unknown company in the US had attempted to deduct $1 from my account.

I am pretty sure it was a fraudulent charge. Although, I think UK card companies are a bit more sensitive on security than in the US (their fraud team called my home, mobile, and work numbers - leaving messages and also emailed me at home and at work!! full marks for contacting me). In the end I had the card reissued. I did wonder at the time whether it was the Chaosium site...

#16 StuartB

StuartB

    Lesser Servitor

  • Old Patron
  • 1,346 posts
  • Location: Shadowy Scotland

Posted 30 November 2010 - 01:22 PM

I'm sorry to hear that so many people have been affected by this.

Chaosium must be horrified.

#17 sunkzero

sunkzero

    Keeper of the Silver Gate

  • Patron
  • 81 posts

Posted 30 November 2010 - 01:32 PM

An unknown company in the US had attempted to deduct $1 from my account.


That's pretty normal with card fraud - bang through a low charge to avoid suspicion to test if the number is still valid. The banks are wise to it these days though and a low transaction from overseas will often cause a security alert.

It's of greater concern that the bank didn't know who the company was though!
"Teach a man to reason, and he'll think for a lifetime"

#18 trevlix

trevlix

    Breakfast Clubber

  • Administrator
  • 2,470 posts

Posted 30 November 2010 - 01:33 PM

It appears they use http on the page where credit card info is entered instead of https. This means that the credit card info may get sent in the clear over the internet.


Yes, but it also means that the attacker has to be sniffing the traffic somewhere between your server and Chaosium's server. In my experience with investigating computer security incidents, this is an unlikely situation. It's more likely that either your system has been compromised with malware, Chaosium's server is compromised or their credit card processor has been compromised. (I have no knowledge if any of those have been.)

I purchased something from them on the 14th and have had no fraudulent charges (*knock on wood*). I hope everyone is able to take care of this quickly - that's never a fun situation to go through.

erickdredd - Out of curiosity, do you know what was purchased on GoDaddy?

#19 StephanieMcAlea

StephanieMcAlea

    Lesser Servitor

  • Member
  • 1,440 posts

Posted 30 November 2010 - 02:20 PM

Either call the provided phone number or contact Charlie Krank at the email address provided.


I say this with the utmost respect to Charlie .... don't expect a reply from Charlie via e-mail. He is notoriously difficult to contact via e-mail IN MY OWN EXPERIENCE ;) . Try Facebook or, better yet, call Chaosium. It may be a pain and an expense for those outside the US but I've heard it's quite reliable for contact and Chaosium need to keep on top of who's been defrauded so they can claim on their business insurance.

If you have to e-mail Chaosium then try Dustin (address on Chaosium's web page). I've always found him responding swiftly.

I hope Chaosium and its customers manage to get through this relatively unscathed and a curse of a thousand retellings on those who abuse trust by stealth. :)

#20 WiseWolf

WiseWolf

    Lesser Servitor

  • Old Patron
  • 1,720 posts

Posted 30 November 2010 - 06:19 PM

Thanks for the heads-up. I used PayPal for my last week's order, but checked my account just-in-case. No mysterious charges.
"For the strength of the Pack is the Wolf, and the strength of the Wolf is the Pack"

Listen to us playing in Skype of Cthulhu