Chris Catignani, posted December 17, 2021

41 minutes ago, Team9nine said:
> While not much is known about the attack, a law firm representing the four websites stated that personal information and credit card information, including full CVV, were stolen on October 1st, 2021.

Visa MasterCard regulation specifically states you must encrypt the credit card number...and most certainly NEVER store the CVV code.
GReb, posted December 17, 2021

I’m not an expert by any means but several years ago at a conference we had an Executive from Visa speak to us. He said credit cards are federally protected and debit cards are not. Meaning that as a user you are 100% protected against fraudulent activity when using a credit card but a debit card is at the discretion of the bank. I’ve never heard of anyone having issues with a bank covering fraud though.

Either way it’s a good idea to only keep a small amount in your checking account.
MickD (Super User), posted December 17, 2021

Too bad this string got titled "Tackle Warehouse scam" since there is no evidence of any misbehavior by Tackle Warehouse.
thediscochef, posted December 17, 2021

I wonder if this has anything to do with the log4j vulnerability thing? I don't know nearly enough about TW's internal ops nor log4j to positively relate the two. Literally just speculation based on timing and the compromise of encrypted information (log4j vulnerability works with http or https and allows total control of a site's server).
thediscochef, posted December 17, 2021

22 minutes ago, thediscochef said:
> I wonder if this has anything to do with the log4j vulnerability thing? I don't know nearly enough about TW's internal ops nor log4j to positively relate the two. Literally just speculation based on timing and the compromise of encrypted information (log4j vulnerability works with http or https and allows total control of a site's server).

If TW uses Java in any of its customer apps, I'd be willing to bet this is actually the cause after reading more about l4j. It would make the most sense in my eyes given the lack of info from TW and Co. Naturally it would be hard to acknowledge the issue without knowing what the cause is. All you have to do with L4J is log into any Java app and the vulnerability can command TW's server to send your connected data to a different location. Would be a stupidly simple way to nab a ton of card info.
TnRiver46 (Global Moderator), posted December 17, 2021

I been telling y’all for years to go into tackle stores...

Just messing, I’m sure you can get hacked about anywhere in this day and age.
fin, posted December 17, 2021

1 hour ago, thediscochef said:
> I wonder if this has anything to do with the log4j vulnerability thing?

Pretty sure this predates log4j. The article says info was stolen in October. Log4j was first exploited like a couple weeks ago, if I recall correctly.

Also, regarding phone calls from banks or card companies, the safest policy is to hang up, look up their phone number and call them back. The scammers are incredibly skilled and have fooled some of the brightest security people. https://krebsonsecurity.com/2020/04/when-in-doubt-hang-up-look-up-call-back/
pauldconyers, posted December 18, 2021

6 hours ago, Bassjam2000 said:
> Anyone know where to get a Dobyns Champion for the same price ($190ish) as the current TW sale? Staying away from TW until their fraud problem is gone.

Fraud problem?
MN Fisher (Super User), posted December 18, 2021

Just now, pauldconyers said:
> Fraud problem?

There was a data breach and a lot of TW's customers have had their credit/debit card info 'stolen'. If you've bought from them...check your bank/credit card transactions for anything 'hokey'.
PhishLI (Super User), posted December 18, 2021

My bud is a TW addict, but not a forum guy, so he was unaware of the situation. Gave him a heads up and sure enough he had to cancel his debit card recently, but didn't know exactly what was going on. He's checking his records again.
padlin, posted December 18, 2021

This is the 1st time for me. As stated above I keep all my credit bureau accounts locked, but I guess I'll call Visa in the am and see about changing cards, bummer.
ironbjorn, posted December 18, 2021

4 hours ago, MickD said:
> Too bad this string got titled "Tackle Warehouse scam" since there is no evidence of any misbehavior by Tackle Warehouse.

Knowing about it since the middle of October and not warning anyone is wrong. It just recently came to light for the whole public. And it continues to happen. They aren't the scammers by any means but they aren't innocent either.
thediscochef, posted December 18, 2021

1 hour ago, fin said:
> Pretty sure this predates log4j. The article says info was stolen in October. Log4j was first exploited like a couple weeks ago, if I recall correctly.
>
> Also, regarding phone calls from banks or card companies, the safest policy is to hang up, look up their phone number and call them back. The scammers are incredibly skilled and have fooled some of the brightest security people. https://krebsonsecurity.com/2020/04/when-in-doubt-hang-up-look-up-call-back/

So the first report of log4shell being used I believe has been tracked to December 1, but that specific vulnerability has been open and present since 2013, so it's entirely possible that it's been used here and there long before now. I'm no expert as I stated above and I may be totally wrong. The thing that gets me though is how long it seemed to take for them to figure it out - and how the direct information was compromised despite PCI encryption standards. Again I may be wrong (certs have been expired a while now) but that's just kinda what prompts me to suspect that.
K1500, posted December 18, 2021

11 hours ago, gimruis said:
> My debit card has the same fraud protections that my credit card does. It actually has the same VISA logo on the card too. I know this because when I experience fraud on it, the result is the same: not liable. So tell me why I shouldn't be using a debit card again please.

That's awesome and good for you. The reason has already been stated. Instead of draining your bank account with a debit card (even temporarily) they are accruing charges on a credit card. The difference is draining your bank account can cause all sorts of other issues, such as bounced or declined payments, while racking up a temporary charge on a credit card costs you nothing. You can read more here if you wish, but it sounds like your mind is made up.

https://www.nerdwallet.com/article/credit-cards/credit-card-vs-debit-card-safer-online-purchases
newapti5, posted December 18, 2021

3 hours ago, MN Fisher said:
> There was a data breach and a lot of TW's customers have had their credit/debit card info 'stolen'. If you've bought from them...check your bank/credit card transactions for anything 'hokey'.

So that's what happened! I was wondering who stole/sold my card information. Fortunately, the fraudulent charges didn't go through, but I had to go through the hassle of filing a claim and waiting for a new card.
NorthernBasser (Super User), posted December 18, 2021

1 minute ago, newapti5 said:
> So that's what happened! I was wondering who stole/sold my card information. Fortunately, the fraudulent charges didn't go through, but I had to go through the hassle of filing a claim and waiting for a new card.

Yup. Same here.
adrenalnjunky, posted December 18, 2021

Check your card services online. I know my Citi card has a feature where you can generate a one-time-use card number for online purchases. It ties back to your card, but insulates you from future issues like that.
newapti5, posted December 18, 2021

3 hours ago, ironbjorn said:
> Knowing about it since the middle of October and not warning anyone is wrong. It just recently came to light for the whole public. And it continues to happen. They aren't the scammers by any means but they aren't innocent either.

Yes, I couldn't agree more. I got hit on Wednesday, but luckily, my bank detected the fraudulent charges and bounced them back. Without the fraud detection, I'd be hit hard as I don't check my card balance very often. I didn't know what the cause was until now, and a little warning from TW beforehand would've certainly helped. I understand they don't want to scare off the biggest sale of the year, but letting customers know in this way will have a far worse impact on their business in the long term. Since they don't care much about losing a small customer like me, I think I'd go somewhere else in the future. Sure they have the largest selection of tackles, but I'll get by with other vendors.
newapti5, posted December 18, 2021

I just checked my email account that is associated with my TW account. There're several DOZENS of unsuccessful attempts to log in all around the world! Dating all the way back to Nov. 19! Japan, Korea, Victoria Island, Netherlands, Poland, and several US cities... Luckily, my email password is different from the TW account password.

Check your email account activities and change the password!
islandbass (Super User), posted December 18, 2021

10 hours ago, Chris Catignani said:
> Visa MasterCard regulation specifically states you must encrypt the credit card number...and most certainly NEVER store the CVV code.

How does one encrypt a credit card? Serious question and sounds like a wise thing to do. Thanks.
newapti5, posted December 18, 2021

3 hours ago, adrenalnjunky said:
> Check your card services online. I know my Citi card has a feature where you can generate a one-time-use card number for online purchases. It ties back to your card, but insulates you from future issues like that.

That's a great idea, but this TW leak also includes my account associated email address, as well as my TW account password. I just checked my email activities; there're at least dozens of unsuccessful attempts to log in to my email, dated all the way back to Nov. 19 from all over the world. Thanks to the Lord my email password is different from my TW account password, but just to be sure, I still spent the last two hours changing every online password, including the password of this forum.

Now, the things I can't do anything about are my name, phone number, and address, which I am sure were leaked as well.
schplurg, posted December 18, 2021

1 hour ago, islandbass said:
> How does one encrypt a credit card? Serious question and sounds like a wise thing to do. Thanks.

He is referring to actions that the companies and stores that have your credit info on file should do, not you. They (Amazon, TW...) need to encrypt your information on their servers.

8 hours ago, fin said:
> Pretty sure this predates log4j. The article says info was stolen in October. Log4j was first exploited like a couple weeks ago, if I recall correctly.
>
> Also, regarding phone calls from banks or card companies, the safest policy is to hang up, look up their phone number and call them back. The scammers are incredibly skilled and have fooled some of the brightest security people. https://krebsonsecurity.com/2020/04/when-in-doubt-hang-up-look-up-call-back/

Similar thing happened with my health care provider. I received a text saying to "call a number if my address had changed in the past two years", which it had.

I called the number and first thing they asked for was "please say or type your social security number." The phone number seemed familiar to me.

I hung up, looked up the phone number for the place (had a different prefix) and called them myself. It was not a scam. I even asked the woman for the previous address on file and a few other things before I trusted her. She had no problem with that.

Good advice.

Got a call from "Amazon" a few days ago. Recording: "Your recent order has a problem..." and I hung up. Amazon has never ever ever ever called me, and I have no current orders.

Sad thing is people fall for this all the time or they wouldn't try.

Oh by the way guys, your auto warranty is about to expire!
Chris Catignani, posted December 18, 2021

6 hours ago, islandbass said:
> How does one encrypt a credit card? Serious question and sounds like a wise thing to do. Thanks.

This is what you do when you store credit card information. You have the credit card number; you also have a fabricated key. You pass the credit card number and key into an encryption function, and it returns some long undecipherable string. You then store this string in the database. Now when someone hacks your database, they can't read the number (unless they also have the key). If the company needs to access your card number, they will need to unencrypt it to see it. Like I said earlier...this is a Visa MasterCard regulation. Now...there are other ways to hack to obtain data. Someone could, theoretically, hack into the place where they store source code and possibly get the encryption key. They could hack the original source files from the original credit card processor (this is not encrypted but is received over encrypted lines). And sometimes (and easier than a hack) someone may have gotten access to an email account where people would send data via email.

A good rule to follow is to never send PII data and financial data over an email. If you have to...then encrypt it with something like protonmail.
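The storage scheme described in the post above, as an added Go example that is not part of the original thread and not any merchant's actual code: the card number is sealed with AES-256-GCM under a key held outside the database, only the last four digits stay readable, and the stored record has no CVV field. The `StoredCard` schema, the function names, the choice of AES-GCM, the demo key and the test card number are all assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type StoredCard struct { // hypothetical database row; no CVV field on purpose
	Last4     string // safe to display on receipts
	SealedPAN []byte // nonce || AES-256-GCM ciphertext and tag
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealCard encrypts the card number under a key that lives outside the database.
func SealCard(key []byte, pan string) (StoredCard, error) {
	gcm, err := newGCM(key)
	if err != nil || len(pan) < 13 || len(pan) > 19 {
		return StoredCard{}, fmt.Errorf("bad key or card number length")
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return StoredCard{}, err
	}
	return StoredCard{pan[len(pan)-4:], gcm.Seal(nonce, nonce, []byte(pan), nil)}, nil
}

// OpenCard decrypts a row; a wrong key or an altered row returns an error.
func OpenCard(key []byte, c StoredCard) (string, error) {
	gcm, err := newGCM(key)
	if err != nil || len(c.SealedPAN) < gcm.NonceSize() {
		return "", fmt.Errorf("bad key or stored value")
	}
	pan, err := gcm.Open(nil, c.SealedPAN[:gcm.NonceSize()], c.SealedPAN[gcm.NonceSize():], nil)
	return string(pan), err
}

func main() {
	c, _ := SealCard([]byte("0123456789abcdef0123456789abcdef"), "4111111111111111") // constructed key and test number
	fmt.Printf("stored row: last4=%s sealed=%x\n", c.Last4, c.SealedPAN)
}
```

A copy of the database alone yields only `Last4` and an opaque blob; the caveat in the post still applies, since anyone who also obtains the key can call `OpenCard`.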
islandbass (Super User), posted December 18, 2021

3 hours ago, Chris Catignani said:
> This is what you do when you store credit card information. You have the credit card number; you also have a fabricated key. You pass the credit card number and key into an encryption function, and it returns some long undecipherable string. You then store this string in the database. Now when someone hacks your database, they can't read the number (unless they also have the key). If the company needs to access your card number, they will need to unencrypt it to see it. Like I said earlier...this is a Visa MasterCard regulation. Now...there are other ways to hack to obtain data. Someone could, theoretically, hack into the place where they store source code and possibly get the encryption key. They could hack the original source files from the original credit card processor (this is not encrypted but is received over encrypted lines). And sometimes (and easier than a hack) someone may have gotten access to an email account where people would send data via email.
>
> A good rule to follow is to never send PII data and financial data over an email. If you have to...then encrypt it with something like protonmail.

Thanks!
MickD (Super User), posted December 18, 2021

Everyone seems to be assuming it takes sophisticated technology to get scammed. What about handing your card to a waiter/waitress to pay for a meal? It goes out of sight and the info on it can be copied and used.

There are a bazillion ways to get scammed, some high tech and some not high tech. And TW is not scamming and has not scammed anyone.