
Chaosium site insecure?


erickdredd

Ordered the new Masks of Nyarlathotep book a few weeks ago from the Chaosium site, and then opened my credit card statement today to find over $2800 in charges to GoDaddy.

Needless to say, this is being disputed and being taken care of; however, the Chaosium site is the only one that I really suspect right now, as these charges started just days after placing the order, and the fact that the page where you would enter your credit card information is plain http, not https (at least as long as you access it through normal means; it looks like you can manually add the S, but even that has some issues, it looks like). So, fair warning for those purchasing new Cthulhian goodies over the holidays.

Aside from disputing with the credit card company, is there any other recourse that you guys can think of? And what's the best way to contact Chaosium about this? Their website isn't exactly the most user friendly from my experience...

jasonw1239

You should immediately check your computer for spyware.

My first recommendation would be Spybot Search & Destroy.

You can download it at http://filehippo.com/

 

EDIT:

Use the Chaosium contact info page

http://www.chaosium.com/index.php?section_id=11

Either call the provided phone number or contact Charlie Krank at the email address provided.

erickdredd

System has a clean bill of health; Spybot and a myriad of other tools, and the worst they come up with is a cookie.

necronomiclown

For what it's worth, the same thing happened to me. I ordered a few books a couple weeks ago, and the card was charged immediately after with a couple hundred dollars of other charges at other sites. Could be a coincidence but I don't use that card for much else. I let them know in an email but didn't get a response. But I know they are a tiny company, so I don't really expect a response, especially since there was no way to prove what happened. I'm contesting the fraudulent charges of course. I love Chaosium but I'll be buying from Amazon next time I think.

FunGuyfromYuggoth

Thank you for putting 2+2 together. And yes, my computer is secure, and I find it a little strange that there are at least 2 other people here reporting the same problems after ordering from the Chaosium site. My case: I ordered the hardcover Masks of Nyarlathotep on the 11/23 from Chaosium. The very next day my credit card got dinged for almost $1,200 from an online site for software. The Chaosium site would have everything it needed to harvest my name, address, and credit card info (which I don't keep on their site).

 

I called my credit card company and had a Fraud Investigation set-up on it, but this revelation (while not conclusive) makes me very, very suspicious.

 

I will e-mail Chaosium now and ask that they take their store offline immediately until this issue is investigated and they can guarantee others will not be exposed to fraud. Leaving this issue to fester will just undermine confidence in their online store and force people to take their business elsewhere (Amazon.com). In the meantime...

 

Everybody who has ordered recently: Check your statements NOW!

patrick1971

I've bought stuff several times and never had issues, although I do tend to use PayPal whenever I can; it does give another layer of security.

yockenthwaite

I usually pay by PayPal when buying from Chaosium. But when placing my big order on 24th November I paid by credit card. And several days later that same credit card had a fraudulent transaction on it ... A very small one compared to yours, and it was picked up immediately by the card company, and blocked, and the card cancelled.

 

But I do wonder if it's related.

yockenthwaite

Well I've emailed Chaosium. Initially I emailed Customer Services, but I've forwarded it to Charlie too. Hope they look into it urgently.

FunGuyfromYuggoth

Same here. There seems to be too much of a coincidence to ignore.

dereese

I got hit also. I just cancelled my third credit card. The one thing they had in common was that they had fraudulent purchases 2-5 days after a Chaosium website order, so it's a pretty clear pattern. I checked out their website. It appears they use http on the page where credit card info is entered instead of https. This means that the credit card info may get sent in the clear over the internet. I sent email to Charlie (the president).

HGBlob

I got hit as well. The worst part was that the card belonged to my wife. She bought Masks of Nyarlathotep for Christmas, and the next thing you know, $1600 in charges that were not hers. I feel bad her card number got stolen over a Christmas gift.

erickdredd

I suppose I'm not exactly glad it wasn't just me, but then, it's at least good to know the source of the insecurity. Definitely a good lesson in credit card security, but man, it's a terrible time of year for this!

Donnovan_Sunrider

My bank swapped out my card due to some kind of security risk at a vendor I used in the past, but I don't know which one. I haven't shopped at the Chaosium shop in months, so maybe there's some kind of word being passed around by banks about a possible breach.

PoC

Whether it's card related or site related remains unclear, but I'd definitely take FunGuy's advice and check your card statements. I tend to use PayPal for an additional layer of security.

 

> ...http on the page where credit card info is entered instead of https. This means that the credit card info may get sent in the clear over the internet.

 

It's always worth checking for the https:// (SSL security) and the little padlock sign. Never provide financial details without it!

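The check several posters describe doing by eye (is the card-entry page, and the address its form submits to, https?) can be run over a saved copy of a checkout page. This is an added example, not part of any post in the thread; the host names, the sample markup, the field-name heuristic and the function name `audit_payment_forms` are all assumptions made for illustration. It goes one step beyond the thread by also flagging the mixed case where the form posts to https but the page itself arrived over http.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
import re

# Heuristic for inputs that carry card data (assumption; extend for a real audit).
CARD_FIELD = re.compile(r"(?<![a-z])(cc|card|cvv|cvc)", re.I)

class _FormCollector(HTMLParser):
    """Collects each <form>'s action and the labels of its input fields."""
    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._open)
        elif tag in ("input", "select") and self._open is not None:
            labels = (a.get("name"), a.get("id"), a.get("autocomplete"))
            self._open["fields"].append(" ".join(filter(None, labels)))

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit_payment_forms(page_url, html):
    """Return (submit_url, [problems]) for every form that has card fields."""
    collector = _FormCollector()
    collector.feed(html)
    results = []
    for form in collector.forms:
        if not any(CARD_FIELD.search(f) for f in form["fields"]):
            continue  # search boxes, newsletter sign-ups, etc.
        target = urljoin(page_url, form["action"])  # empty action posts to the page itself
        problems = []
        if urlparse(page_url).scheme != "https":
            problems.append("page delivered over plain HTTP (form can be altered in transit)")
        if urlparse(target).scheme != "https":
            problems.append("card data submitted over plain HTTP")
        results.append((target, problems))
    return results

# Constructed sample markup, not taken from any real site.
SAMPLE = '<form action="process.php"><input name="cc_number"><input name="cvv"></form>'

if __name__ == "__main__":
    for target, problems in audit_payment_forms("http://shop.example.test/checkout.php", SAMPLE):
        print(target, problems or "ok")
```

A clean result only says the browser-to-server hop is encrypted; it says nothing about whether the shop's server or its card processor has been compromised.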
red_bus

Coincidentally - my bank detected an insecure transaction on my credit card a few days after my purchase from Chaosium this month (it was the 2nd last transaction on the account, iTunes being the most recent). An unknown company in the US had attempted to deduct $1 from my account.

 

I am pretty sure it was a fraudulent charge. Although, I think UK card companies are a bit more sensitive on security than in the US (their fraud team called my home, mobile, and work numbers - leaving messages and also emailed me at home and at work!! full marks for contacting me). In the end I had the card reissued. I did wonder at the time whether it was the Chaosium site...

StuartB

I'm sorry to hear that so many people have been affected by this.

 

Chaosium must be horrified.

sunkzero
> An unknown company in the US had attempted to deduct $1 from my account.

 

That's pretty normal with card fraud - bang through a low charge to avoid suspicion to test if the number is still valid. The banks are wise to it these days though and a low transaction from overseas will often cause a security alert.

 

It's of greater concern that the bank didn't know who the company was though!

trevlix
> It appears they use http on the page where credit card info is entered instead of https. This means that the credit card info may get sent in the clear over the internet.

Yes, but it also means that the attacker has to be sniffing the traffic somewhere between your server and Chaosium's server. In my experience with investigating computer security incidents, this is an unlikely situation. It's more likely that either your system has been compromised with malware, Chaosium's server is compromised or their credit card processor has been compromised. (I have no knowledge if any of those have been.)

I purchased something from them on the 14th and have had no fraudulent charges (*knock on wood*). I hope everyone is able to take care of this quickly - that's never a fun situation to go through.

 

erickdredd - Out of curiosity, do you know what was purchased on GoDaddy?

StephanieMcAlea
> Either call the provided phone number or contact Charlie Krank at the email address provided.

 

I say this with the utmost respect to Charlie .... don't expect a reply from Charlie via e-mail. He is notoriously difficult to contact via e-mail IN MY OWN EXPERIENCE ;) . Try Facebook or, better yet, call Chaosium. It may be a pain and an expense for those outside the US but I've heard it's quite reliable for contact and Chaosium need to keep on top of who's been defrauded so they can claim on their business insurance.

 

If you have to e-mail Chaosium then try Dustin (address on Chaosium's web page). I've always found him responding swiftly.

 

I hope Chaosium and its customers manage to get through this relatively unscathed and a curse of a thousand retellings on those who abuse trust by stealth. :)

WiseWolf

Thanks for the heads-up. I used PayPal for my last week's order, but checked my account just in case. No mysterious charges.

WiseWolf
> I'm sorry to hear that so many people have been affected by this.
>
> Chaosium must be horrified.

They should, with Xmas around the corner, not good to have a security breach. Worst of all, I bet their core buyers are all reading this thread, meaning the yoggies.

AJKM

I bought quite a few things from Chaosium in the sale over the weekend. Although no illegal charges have occurred, I have cancelled my card anyway and am getting a new one issued. It's a wee bit of a pain, but not a huge drama. Just means I'll be without one for a few days.

 

It sucks for Chaosium though. It means even I, who wasn't stung, will think twice before ordering in the future. And it may add to the delivery time as well.

Fallorn

I ordered stuff for my Secret Shoggoth victim this last Sunday. No fraudulent charges are appearing as of yet (*fingers crossed*), but I'll definitely be checking it out periodically to make sure.

neorxnawang

Strangely, this happened to me as well and I am now on a new card. Same pattern, but thankfully the card company blocked everything. I didn't even consider that it might be Chaosium's site. This sort of thing never happens to me so it was a bit of an unpleasant novelty.

Kagemusha

Same here. I ordered MoN HB when announced and next thing I know is letter from CC co saying they have some suspicious transactions. TFL congestion charge. Not very expensive. Card cancelled and reissued.

 

I did wonder at the time. I guess I was right. It's a shame for Chaosium.
