Fun Publications / TFCC Security Update

Fun Publications / TFCC Security Update

Tuesday, March 27th, 2012 7:16pm CDT

Category: Collector's Club News
Posted by: El Duque   Views: 19,793

Topic Options: View Discussion · Sign in or Join to reply

Fun Publications/TFCC have issued the following update regarding their recent security issues.

Image


Here is the latest update on the credit card security investigation.

The firm we have hired to analyze our former ecommerce server and software has preliminarily determined that we did incur a SQL injection code attack sometime before Christmas. Our ISP did have a commercial product installed that was supposed to defeat these types of attacks, but apparently it failed.

This allowed the hackers access to our order information. While it is still unknown exactly what data they were able to harvest (investigation continues) we need to assume that they were able to extract all of our order information. The security firm thinks that this attack has allowed the hackers to come back periodically and harvest more information. However, once the old server was taken out of service (around February 21st) there was nothing left for them to access.

Once this information was stolen, (no matter if it was back before Christmas) there is no time frame as to when the thieves may sell or try to use the information to purport credit card theft.

What does this mean to me?

We are asking again that anyone who has used a credit card in our old online systems in the past year (NOT THE NEW STORE) to get your card replaced immediately. If you have done this already, there is no action required on your part.

We apologize for the inconvenience, we know this whole thing is a pain, but it is better to replace the cards than have to deal with any issues that may result from this theft of data. Even though the amount of fraud has greatly declined, we are still receiving a customer report every few days of someone else (who hasn’t replaced their cards) getting hit. We strongly encourage you to take this step immediately if you have not done so already. Again, this DOES NOT pertain to any cards that have been used in the new store.

What is the plan?

We are still working on all of the issues and are several weeks away from a final resolution. Our new store is currently offline while we complete the entries and audit the data from the renewals we received last week. Just to reiterate, this new store is a totally different piece of software, at a totally different hosting site. There are hundreds of other retailers using this same software as it is hosted by the software creators.

We hope to have the store online and registration system back online sometime next week. When the store comes back online, we will be adding products slowly so it will take some time to have everything back in the store.

Thank you for your patience and support during this trying issue.

Brian

Credit(s): TFCC


This article was last modified on Tuesday, March 27th, 2012 7:22pm CDT

News Search

Got Transformers News? Let us know here!

Re: Fun Publications / TFCC Security Update (1362974)
Posted by ubertenorman on March 27th, 2012 @ 7:44pm CDT
This is the kind of correspondance that should have happened a month ago.
Re: Fun Publications / TFCC Security Update (1362981)
Posted by triKlops on March 27th, 2012 @ 7:54pm CDT
agreed
Re: Fun Publications / TFCC Security Update (1363010)
Posted by Emperor Galvatron on March 27th, 2012 @ 8:28pm CDT
El Duque wrote:Fun Publications/TFCC have issued the following update regarding their recent security issues.

Image


Here is the latest update on the credit card security investigation.

The firm we have hired to analyze our former ecommerce server and software has preliminarily determined that we did incur a SQL injection code attack sometime before Christmas. Our ISP did have a commercial product installed that was supposed to defeat these types of attacks, but apparently it failed.

This allowed the hackers access to our order information. While it is still unknown exactly what data they were able to harvest (investigation continues) we need to assume that they were able to extract all of our order information. The security firm thinks that this attack has allowed the hackers to come back periodically and harvest more information. However, once the old server was taken out of service (around February 21st) there was nothing left for them to access.

Once this information was stolen, (no matter if it was back before Christmas) there is no time frame as to when the thieves may sell or try to use the information to purport credit card theft.

What does this mean to me?

We are asking again that anyone who has used a credit card in our old online systems in the past year (NOT THE NEW STORE) to get your card replaced immediately. If you have done this already, there is no action required on your part.

We apologize for the inconvenience, we know this whole thing is a pain, but it is better to replace the cards than have to deal with any issues that may result from this theft of data. Even though the amount of fraud has greatly declined, we are still receiving a customer report every few days of someone else (who hasn’t replaced their cards) getting hit. We strongly encourage you to take this step immediately if you have not done so already. Again, this DOES NOT pertain to any cards that have been used in the new store.

What is the plan?

We are still working on all of the issues and are several weeks away from a final resolution. Our new store is currently offline while we complete the entries and audit the data from the renewals we received last week. Just to reiterate, this new store is a totally different piece of software, at a totally different hosting site. There are hundreds of other retailers using this same software as it is hosted by the software creators.

We hope to have the store online and registration system back online sometime next week. When the store comes back online, we will be adding products slowly so it will take some time to have everything back in the store.

Thank you for your patience and support during this trying issue.

Brian


So if they have all of our order information, they also have our names, ages, addresses, etc that was stored on their site.

Well, that's just peachy.

Hey, cancel your credit cards, never mind the identity theft potential. Disregard the man behind the curtain. :HEADHURTS:
Re: Fun Publications / TFCC Security Update (1363014)
Posted by autobot_goldbug on March 27th, 2012 @ 8:32pm CDT
There was also this bizarre occurrence...
http://www.tfw2005.com/boards/transform ... ost7449720
Re: Fun Publications / TFCC Security Update (1363023)
Posted by Stormrider on March 27th, 2012 @ 8:49pm CDT
I am not happy for several reasons. How could their security fail and no one noticed it for several months? I still think they are still down playing the threat. The thieves may have had access to our addresses and DOB. They really should be telling people watch your credit reports like a hawk. Fraudulent charges on your credit card are easy to spot. Identity theft and new credit cards that get opened fraudulently in your name using your stolen DOB is not so easy to spot.
Re: Fun Publications / TFCC Security Update (1363025)
Posted by datguy86 on March 27th, 2012 @ 8:53pm CDT
You can add me to the growing list of people who've been hit. Card's canceled, all items are not my fault - but all signs point to FunPub.
Re: Fun Publications / TFCC Security Update (1363029)
Posted by Rated X on March 27th, 2012 @ 8:58pm CDT
Emperor Galvatron wrote:
El Duque wrote:Fun Publications/TFCC have issued the following update regarding their recent security issues.

Image


Here is the latest update on the credit card security investigation.

The firm we have hired to analyze our former ecommerce server and software has preliminarily determined that we did incur a SQL injection code attack sometime before Christmas. Our ISP did have a commercial product installed that was supposed to defeat these types of attacks, but apparently it failed.

This allowed the hackers access to our order information. While it is still unknown exactly what data they were able to harvest (investigation continues) we need to assume that they were able to extract all of our order information. The security firm thinks that this attack has allowed the hackers to come back periodically and harvest more information. However, once the old server was taken out of service (around February 21st) there was nothing left for them to access.

Once this information was stolen, (no matter if it was back before Christmas) there is no time frame as to when the thieves may sell or try to use the information to purport credit card theft.

What does this mean to me?

We are asking again that anyone who has used a credit card in our old online systems in the past year (NOT THE NEW STORE) to get your card replaced immediately. If you have done this already, there is no action required on your part.

We apologize for the inconvenience, we know this whole thing is a pain, but it is better to replace the cards than have to deal with any issues that may result from this theft of data. Even though the amount of fraud has greatly declined, we are still receiving a customer report every few days of someone else (who hasn’t replaced their cards) getting hit. We strongly encourage you to take this step immediately if you have not done so already. Again, this DOES NOT pertain to any cards that have been used in the new store.

What is the plan?

We are still working on all of the issues and are several weeks away from a final resolution. Our new store is currently offline while we complete the entries and audit the data from the renewals we received last week. Just to reiterate, this new store is a totally different piece of software, at a totally different hosting site. There are hundreds of other retailers using this same software as it is hosted by the software creators.

We hope to have the store online and registration system back online sometime next week. When the store comes back online, we will be adding products slowly so it will take some time to have everything back in the store.

Thank you for your patience and support during this trying issue.

Brian


So if they have all of our order information, they also have our names, ages, addresses, etc that was stored on their site.

Well, that's just peachy.

Hey, cancel your credit cards, never mind the identity theft potential. Disregard the man behind the curtain. :HEADHURTS:



I would think someone would need your social security number to do any real damage in identity theft. That’s how illegal immigrants get legit jobs.
Re: Fun Publications / TFCC Security Update (1363035)
Posted by Stormrider on March 27th, 2012 @ 9:06pm CDT
You are 100% right. A social security # is needed for most identity theft. But acquiring the SS# is not as difficult as most think. The numbers that make it up represent the year and region that you were born in. The remaining numbers can often be deduced.

It's not too difficult to figure out the place you were born, if I know your DOB and full name.

When my identity was stolen. Initially, the thieves opened several small accounts using my name and DOB. They did not use my SS#. (My theory is that they didn't have it at that time). Three months later, they figured it out and the flood gates were opened.


Ryan, or others that deal with website design - isn't mandatory for companies nowadays to properly store credit card numbers? Have some laws been broken on FunPub's part?
Re: Fun Publications / TFCC Security Update (1363036)
Posted by Anonymous on March 27th, 2012 @ 9:08pm CDT
=;
I thought it was going to be something about how they're going to make it up to their members.
Surprised to read them attempting to garner sympathy... again. The fans should come first.

We know their security failed; even they do. What do they expect from this press release, a pat on the shoulder? No, a trust has been broken. How about doing something small like calling up their artists and requesting an emergency 2-page comic based on the Run Bros - and sending the comic to its members via PDF? You know, something...

It's about the effort put into things (based on the hobby) that show you care more about your consumer base than to send out pointless emails that attempt to quell legal action. Report on the issue when the issue is resolved.

Until then, make me feel the membership is more than just a $60 toy and its $40 "freebie" companion - cuz right now, that's the reality.
Re: Fun Publications / TFCC Security Update (1363046)
Posted by GetRightRobot on March 27th, 2012 @ 9:34pm CDT
All well and good guys. Goodluck to you in the future. Personally, I will be shopping from scalpers. Less risk, more cost....and...I can live with that. :D
Re: Fun Publications / TFCC Security Update (1363102)
Posted by Seibertron on March 28th, 2012 @ 12:24am CDT
Stormrider wrote:I am not happy for several reasons. How could their security fail and no one noticed it for several months? I still think they are still down playing the threat. The thieves may have had access to our addresses and DOB. They really should be telling people watch your credit reports like a hawk. Fraudulent charges on your credit card are easy to spot. Identity theft and new credit cards that get opened fraudulently in your name using your stolen DOB is not so easy to spot.


Just offering my opinion from someone who's got a lot of experience with this ...

Imagine SQL injections are similar to a computer virus of some sort ... you usually don't know if your computer has a virus, you usually don't know that someone is taking advantages of SQL injections until after something bad happens. In one scenario, someone finds a weakness in the site's code by manipulating the URL where variables are being passed (such as a transaction ID, a user ID, a store order ID, etc.). They are able to insert a malicious command into the code because the programmer didn't verify that the variable was an integer or didn't include various characters that shouldn't be passed to the query. I know how to prevent it in my code, but I might not be able to best explain in layman's terms.

Wikipedia has a great explanation / summary ...

(I've always said "see-kwell" for SQL, but it is often pronounced by it's letters S-Q-L)

An SQL injection is often used to attack the security of a website by inputting SQL statements in a web form to get a poorly designed website to perform operations on the database (often to dump the database content to the attacker) other than the usual operations as intended by the designer. SQL injection is a code injection technique that exploits a security vulnerability in a website's software. The vulnerability happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL commands are thus injected from the web form into the database of an application (like queries) to change the database content or dump the database information like credit card or passwords to the attacker. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.


Wikipedia's article can be found at http://en.wikipedia.org/wiki/Sql_injection
Re: Fun Publications / TFCC Security Update (1363126)
Posted by Seibertron on March 28th, 2012 @ 2:27am CDT
Stormrider wrote:Ryan, or others that deal with website design - isn't mandatory for companies nowadays to properly store credit card numbers?


Not at all. It's best practice for companies not to store credit card information such as the card number and CID, but there's nothing to mandate that. Just best practices. Kind of like it's best practice to look both ways before crossing the street but there isn't a law per se about it, not at least to my knowledge.
Re: Fun Publications / TFCC Security Update (1363239)
Posted by zodconvoy on March 28th, 2012 @ 11:10am CDT
Seibertron wrote:
Stormrider wrote:Ryan, or others that deal with website design - isn't mandatory for companies nowadays to properly store credit card numbers?


Not at all. It's best practice for companies not to store credit card information such as the card number and CID, but there's nothing to mandate that. Just best practices. Kind of like it's best practice to look both ways before crossing the street but there isn't a law per se about it, not at least to my knowledge.


Looking both ways is not a law. The best way to tell is that every person hit by a car isn't counter sued for damage to the vehicle due to pedestrian negligence. Someone getting hit by a car also would not be covered by most insurance (auto or medical) until a legal determination of guilt has been given.

My grandfather and uncle were/are lawyers and it was explained to me this way: "if people aren't sued, ticketed, or arrested for it everyday, it's not against the law."

And my mom worked for Blue Cross (higher than midway up the corporate ladder) so common table talk was how insurance companies screw you and I know from experience that when you get hit by a car, you're covered! :lol:
Re: Fun Publications / TFCC Security Update (1363264)
Posted by Firebird on March 28th, 2012 @ 12:15pm CDT
Thanks for posting the email message!

I haven't been a club member since 2008. I got both of my credit cards that I used previously with the club (for botcon registration and buying club toys from their website) hit with fraud charges last month. If it wasn't for you guys posting the news and the site members that I follow on twitter, I wouldn't have ever known why I had the fraud charges.

It's too bad Fun Pub isn't sending these emails to their previous members too...
Re: Fun Publications / TFCC Security Update (1363278)
Posted by GetRightRobot on March 28th, 2012 @ 12:43pm CDT
Firebird wrote:Thanks for posting the email message!

I haven't been a club member since 2008. I got both of my credit cards that I used previously with the club (for botcon registration and buying club toys from their website) hit with fraud charges last month. If it wasn't for you guys posting the news and the site members that I follow on twitter, I wouldn't have ever known why I had the fraud charges.

It's too bad Fun Pub isn't sending these emails to their previous members too...


Don't feel bad, I am a member and hardly get their emails. You make a valid point though, regarding previous members.
Re: Fun Publications / TFCC Security Update (1363502)
Posted by Rated X on March 28th, 2012 @ 11:45pm CDT
Funny s**t my one of my cards got hit today. So I had the charge removed and cancelled both of my cards. I get e-mail alerts from my bank for possible fraud charges so I got this dealt with real quick. Im gonna have a new card in the mail by Friday, it's all good life goes on. I dont blame TFCC, s**t happens. Just dont let it happen again. >:oP
Re: Fun Publications / TFCC Security Update (1363868)
Posted by joevill on March 30th, 2012 @ 12:25am CDT
Seibertron wrote:
Stormrider wrote:I am not happy for several reasons. How could their security fail and no one noticed it for several months? I still think they are still down playing the threat. The thieves may have had access to our addresses and DOB. They really should be telling people watch your credit reports like a hawk. Fraudulent charges on your credit card are easy to spot. Identity theft and new credit cards that get opened fraudulently in your name using your stolen DOB is not so easy to spot.


Just offering my opinion from someone who's got a lot of experience with this ...

Imagine SQL injections are similar to a computer virus of some sort ... you usually don't know if your computer has a virus, you usually don't know that someone is taking advantages of SQL injections until after something bad happens. In one scenario, someone finds a weakness in the site's code by manipulating the URL where variables are being passed (such as a transaction ID, a user ID, a store order ID, etc.). They are able to insert a malicious command into the code because the programmer didn't verify that the variable was an integer or didn't include various characters that shouldn't be passed to the query. I know how to prevent it in my code, but I might not be able to best explain in layman's terms.

Wikipedia has a great explanation / summary ...

(I've always said "see-kwell" for SQL, but it is often pronounced by it's letters S-Q-L)

An SQL injection is often used to attack the security of a website by inputting SQL statements in a web form to get a poorly designed website to perform operations on the database (often to dump the database content to the attacker) other than the usual operations as intended by the designer. SQL injection is a code injection technique that exploits a security vulnerability in a website's software. The vulnerability happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL commands are thus injected from the web form into the database of an application (like queries) to change the database content or dump the database information like credit card or passwords to the attacker. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.


Wikipedia's article can be found at http://en.wikipedia.org/wiki/Sql_injection


The key word in that poorly designed Wikipedia article is a poorly designed website.
Re: Fun Publications / TFCC Security Update (1364854)
Posted by El Duque on April 1st, 2012 @ 9:03pm CDT
Image


Hello all!

This is coming from our new store software to all active members. We have been transferring and cleaning up data in order to use our new system. We want to have one more set of eyes to look at your addresses, and that's you!

Please go to this link and log in using the email address this email came to, and your old club password (unless you have changed it in the new store).

As we continue to bring up new systems and software, this will remain your membership log in and password. You may change either at anytime by logging in. However, each membership you have must have a unique email address as that will be your log in from here forward. If you don't know your password, use the retrieval link and then log in and change it.

After you log in, please check all of the tabs and make sure your information is accurate. You will have until Tuesday at 5 pm central time to make any changes to your address(es). After that time we will lock the files and create the mailing lists for this year's membership figure and your April issue. Your April issue will run about 2 weeks late. Next month, we should be back on our regular schedule.

We have limited the access in this first implementation of the club store. There are still some issues we have to work out this week before we put product in. We want to make sure all of the data is correct before we move forward.

If you have more than one membership and have trouble getting into your second account or if you have accounts in both clubs, please contact customer service and we will assist you. It is more efficient for you to email us. Don't reply to this email, use the links on the bottom of all of our pages.

In addition, approximately 150 of you will expire this next week (check your Bill Date in your profile). The new system automatically renews you on your billing anniversary provided you have a valid credit card on file. If you don't want to leave it on file, you can come back after it is billed (you can see the charge in your account) and delete it.

Thanks for your support and help!

Brian
Re: Fun Publications / TFCC Security Update (1364864)
Posted by VinKlem on April 1st, 2012 @ 9:35pm CDT
someone please help!!!!!!!! i'm about to sanp out :-x sooo i just logged into the "new club" and my purchase history shows my club registration but no "over-run" WTF!!!!!!!! I clearly ordered him have my email conformation and order number, just waiting on him. i'f i get fucked out of this i'll march right up to hasbro or fanspub or both if i have to and raise hell untill i get my battle chargers :CON:
Re: Fun Publications / TFCC Security Update (1364867)
Posted by Mkall on April 1st, 2012 @ 9:40pm CDT
VinKlem wrote:someone please help!!!!!!!! i'm about to sanp out :-x sooo i just logged into the "new club" and my purchase history shows my club registration but no "over-run" WTF!!!!!!!! I clearly ordered him have my email conformation and order number, just waiting on him. i'f i get **** out of this i'll march right up to hasbro or fanspub or both if i have to and raise hell untill i get my battle chargers :CON:

It showed the same for me, and I got my Over-Run and SG Drift, so I suspect you'll be ok. You can always call them and confirm though.

Featured Products on Amazon.com

Buy "Transformers Titans Return Arcee Action Figure Set" on AMAZON
Buy "Transformers Authentics Bumblebee" on AMAZON
Buy "Transformers: Bumblebee Movie Toys, Energon Igniters Nitro Bumblebee Action Figure - Included Core Powers Driving Action - Toys for Kids 6 and Up, 7-inch" on AMAZON
Buy "Transformers Studio Series 10 Deluxe Class Movie 1 Autobot Jazz" on AMAZON
Buy "Transformers Studio Series 11 Deluxe Class Movie 4 Lockdown" on AMAZON
Buy "Transformers Generations Power of The Primes Deluxe Terrorcon Rippersnapper" on AMAZON
Buy "Transformers: Generations Power of The Primes Quintus Prime Prime Master" on AMAZON
Buy "Transformers Generations Titans Return Deluxe Twin Twist and Flameout" on AMAZON
Buy "Transformers Generations Combiner Wars Deluxe Class Firefly Figure" on AMAZON
Buy "Hasbro Transformers: The Last Knight Premier Edition Deluxe Cogman" on AMAZON
Buy "Transformers Generations Titans Return Darkmoon and Astrotrain" on AMAZON
Buy "Transformers Generations Titans Return Legends Class Autobot Rewind" on AMAZON
Transformers Podcast: Twincast / Podcast #278 - The Return of Rodimus Prime
Twincast / Podcast #278:
"The Return of Rodimus Prime"
MP3 · iTunes · RSS · View · Discuss · Ask
Posted: Sunday, June 13th, 2021

New Items on eBay

Buy "Takara Tomy TRANSFORMERS LEGENDS Head Master BRAINSTORM Action Figure MIB" on EBAY
Buy "Transformers Legends LG39 Brainstorm Takara Tomy Japan" on EBAY
Buy "Transformers Legends LG10 Arcee Takara Tomy Japan" on EBAY
Buy "Transformers Angry Birds Gray Silver Rare Energon Lockdown Pig Telepods Works" on EBAY
Buy "Transformers Collectors Club Botcon TFCC 2016 Membership Figure Ramjet" on EBAY
Buy "transformers power of the primes elita-1" on EBAY
Buy "Transformers Kingdom: War For Cybertron Trilogy - Megatron (Beast) WFC-K10" on EBAY
Buy "Transformers Legends series LG10 Arcee Figure Japan Import" on EBAY