Toyota GR86, 86, FR-S and Subaru BRZ Forum & Owners Community - FT86CLUB


lamune 01-12-2016 07:15 PM

Security breach at ft86speedfactory.com
 
Saw this on the ft86 and subaru subreddits today and thought I'd pass the info here as well:

http://i.imgur.com/6XzUT14.jpg

https://www.reddit.com/r/ft86/commen...eedfactorycom/

https://www.reddit.com/r/subaru/comm..._bank_account/

Quite a few folks saying they saw some fraudulent charges on their card... Personally, I've used paypal when I purchased from them and have not seen anything suspicious..


Mods, sorry if this isn't in the right section and please move it :)

KR-S 01-12-2016 07:18 PM

Well, isn't that just dandy.

go_a_way1 01-12-2016 07:23 PM

hahahaha!! well I was attacked and they took like 2 grand from my debit (got it all back, everything is good now) so this explains a lot!! Sh*t happens so I am not mad at them!

MisterSheep 01-12-2016 07:32 PM

please explain this..... This means if anyone ordered from ft86speedfactory or subiespeed?? or anyone on THIS FORUM

ryoma 01-12-2016 07:34 PM

I usually use paypal for everything and don't put CC info when buying. glad I did.

Quote:

Originally Posted by MisterSheep (Post 2507002)
please explain this..... This means if anyone ordered from ft86speedfactory or subiespeed?? or anyone on THIS FORUM

anyone who ordered from those sites in that time frame. this forum doesn't have a place to enter your CC info so you're good

spdfreak 01-12-2016 07:42 PM

Got this in the mail today. Explains how my card got nabbed a couple months ago.

PandaSPUR 01-12-2016 07:47 PM

ooh damn.

justatroll 01-12-2016 07:47 PM

This is exactly why I:
ONLY use paypal.
Have paypal attached to a spare debit card that only has very little money in it at any given time.
I transfer funds when I feel like buying something.

My son will enter his CC info into every online vendor he feels like buying from.
THIS is exactly why I tell him to stop that.

PandaSPUR 01-12-2016 07:59 PM

Quote:

Originally Posted by justatroll (Post 2507028)
This is exactly why I:
ONLY use paypal.
Have paypal attached to a spare debit card that only has very little money in it at any given time.
I transfer funds when I feel like buying something.

My son will enter his CC info into every online vendor he feels like buying from.
THIS is exactly why I tell him to stop that.

Using a debit card is actually a worse idea. It's harder to make fraud claims and get your money back.

I actually prefer using my CC over PayPal for online purchases because PayPal's dispute process is longer than any of my credit cards'.

It's hard to steal someone's identity without DOB and SSN information as well anyway. And no online retailer should be asking for those things.

Finally, your card info can be easily stolen in real life: evil waiters, evil cab drivers, infected card terminals.

Vladimir Tutin 01-12-2016 09:27 PM

Has ft86speedfactory/subispeed come out and said anything about this? It's not looking that way from the local FB group I found this in, or either post on reddit. If this is the case, they've lost me as a customer. That's completely unacceptable. I personally didn't get hit, but it seems like a bunch of people did. Making their customers aware of what happened early on could have given them time to cancel their CCs and not have to deal with disputing fraudulent charges.

Lonewolf 01-12-2016 09:35 PM

Seems like no vendor or store is immune from this crap anymore...

Why use a debit card when you can use a credit card with zero fraud liability and the chance to earn cash back, miles, or points?

ryoma 01-12-2016 09:35 PM

Quote:

Originally Posted by Vladimir Tutin (Post 2507139)
Has ft86speedfactory/subispeed come out and said anything about this? It's not looking that way from the local FB group I found this in, or either post on reddit. If this is the case, they've lost me as a customer. That's completely unacceptable. I personally didn't get hit, but it seems like a bunch of people did. Making their customers aware of what happened early on could have given them time to cancel their CCs and not have to deal with disputing fraudulent charges.


I believe they sent out actual letters to people who have used their site during that timeframe. though, I think it would have made more sense to send out an email about it so that everyone receives it ASAP.

Ashikabi 01-12-2016 09:38 PM

Quote:

Originally Posted by Vladimir Tutin (Post 2507139)
Has ft86speedfactory/subispeed come out and said anything about this? It's not looking that way from the local FB group I found this in, or either post on reddit. If this is the case, they've lost me as a customer. That's completely unacceptable. I personally didn't get hit, but it seems like a bunch of people did. Making their customers aware of what happened early on could have given them time to cancel their CCs and not have to deal with disputing fraudulent charges.

Ft86 speed factory probably didn't know until the claims started rolling in

LOLS2K 01-12-2016 09:47 PM

Thanks for the info. I just informed my buddy who ordered some parts recently. Most of the time a merchant does not know that they are part of a security breach. Hackers/fraudsters are savage. Nobody is safe!

PandaSPUR 01-12-2016 09:51 PM

Quote:

Originally Posted by Ashikabi (Post 2507154)
Ft86 speed factory probably didn't know until the claims started rolling in

This. A lot of breaches go unnoticed until one of the credit reporting agencies, or the credit card companies notice that a bunch of people making fraudulent charge claims have made purchases at one common retailer.

At that point, the retailer gets notified and has a certain amount of time to investigate and remediate (usually hiring a third party consulting firm) as per PCI standards. They have to identify all affected customers, and then notify them AFTER they're confident they have all the names. At that point they also get fined based on how many card numbers were compromised.

Usually they're not allowed to, or are advised against, sending mass notifications that their site is breached immediately since that tips off the attackers as well and makes investigations harder.

ScoobsMcGee 01-12-2016 10:08 PM

Quote:

Originally Posted by PandaSPUR (Post 2507172)
This. A lot of breaches go unnoticed until one of the credit reporting agencies, or the credit card companies notice that a bunch of people making fraudulent charge claims have made purchases at one common retailer.

At that point, the retailer gets notified and has a certain amount of time to investigate and remediate (usually hiring a third party consulting firm) as per PCI standards. They have to identify all affected customers, and then notify them AFTER they're confident they have all the names. At that point they also get fined based on how many card numbers were compromised.

Usually they're not allowed to, or are advised against, sending mass notifications that their site is breached immediately since that tips off the attackers as well and makes investigations harder.

Sums up most of what I wanted to say. It is possible that they'll still respond to a post or two now that the word is out, but there are legal obligations to sending notification to the affected customers first. As for snail mail versus email, in addition to possibly compromising any investigation, street addresses are generally more reliable. Fake email addresses and junk mail filters can get in the way. The credit card companies have a valid mailing address or PO box.

N1rve 01-12-2016 10:12 PM

Good thing I use a proxy card :lol:

Teseo 01-12-2016 10:18 PM

Call me old school but I still use money order for that kind of crap

KR-S 01-12-2016 11:13 PM

I just now got my letter. Good thing I already have a new card.

soulreapersteve 01-12-2016 11:45 PM

Received the letter yesterday and went to the CU to request for a new card right after reading it.

That explains the weird call I received a few months back that there was suspicious activity originating from France (even though these guys had a Russian IP address) regarding my first card - after 5 years of green pastures.

Will I stop buying from them? Things may have changed since I initially was looking into cyber security but the mantra goes: "places are more secure after an attack than before".

However, I'm done with major purchases for the car besides consumables.

N1rve 01-13-2016 12:48 AM

Quote:

Originally Posted by soulreapersteve (Post 2507296)
Received the letter yesterday and went to the CU to request for a new card right after reading it.

That explains the weird call I received a few months back that there was suspicious activity originating from France (even though these guys had a Russian IP address) regarding my first card - after 5 years of green pastures.

Will I stop buying from them? Things may have changed since I initially was looking into cyber security but the mantra goes: "places are more secure after an attack than before".

However, I'm done with major purchases for the car besides consumables.

I think that's the illusion that places are more secure after an attack. If you look at Lockheed Martin's Cyber Kill Chain, the first step is reconnaissance. We don't know how much information that the cracker (Black Hat) collected. There could be even more attack vectors that they are unaware of and unexploited until later. Same goes for Chase, Target, Home Depot, Sony, etc.

Most cyber attacks are because of human error. That means opening E-mail attachments or clicking links. You can even be hacked by being sent a picture.

Besides, for a company like ft86speedfactory, they don't own their webserver which means they don't own the security of their site. Their web hosting is provided by 1and1.

Domain Name: FT86SPEEDFACTORY.COM
Registrar: 1 & 1 INTERNET AG
Sponsoring Registrar IANA ID: 83
Whois Server: whois.1and1.com
Referral URL: http://1and1.com
Name Server: NS-US.1AND1-DNS.COM
Name Server: NS-US.1AND1-DNS.DE
Name Server: NS-US.1AND1-DNS.ORG
Name Server: NS-US.1AND1-DNS.US
Status: ok http://www.icann.org/epp#OK
Updated Date: 21-mar-2015
Creation Date: 21-mar-2012
Expiration Date: 21-mar-2016

And I hope your password to this forum is different from your bank accounts. When you log in, it's using HTTP and NOT HTTPS, which means your password is NOT ENCRYPTED and can be viewed PLAIN TEXT.

whataboutbob 01-13-2016 12:51 AM

"And I hope your password to this forum is different from your bank accounts. When you log in, it's using HTTP and NOT HTTPS, which means your password is NOT ENCRYPTED and can be viewed PLAIN TEXT."

^this.

KR-S 01-13-2016 12:59 AM

Quote:

Originally Posted by whataboutbob (Post 2507344)
"And I hope your password to this forum is different from your bank accounts. When you log in, it's using HTTP and NOT HTTPS, which means your password is NOT ENCRYPTED and can be viewed PLAIN TEXT."

^this.

The question is, why are the passwords not encrypted in the first place? Is this a vBulletin issue?

And regarding the issue that FT86SF and possibly its sister site Subispeed don't own their own security, does that apply to their checkout page as well? If that's the case, then there probably wasn't much if at all that they could have done on their end to prevent this.

Ultramaroon 01-13-2016 01:09 AM

Quote:

Originally Posted by N1rve (Post 2507341)
your password is NOT ENCRYPTED.

How did you get my password?! Damn!

PandaSPUR 01-13-2016 01:15 AM

lol alright.. calm down guys.

It is weird that passwords aren't sent over HTTPS. Doesn't mean that they're not encrypted when stored in the forum's database though. Transferring data over HTTP makes it interceptable if you're on an unsecured network like public wifi hotspots. It is recommended to use separate passwords for your more sensitive accounts though. (i.e. some rando miles away cannot just intercept your password that was sent over HTTP)

And just because the webserver itself is hosted by another company, doesn't mean that FT86SpeedFactory doesn't have any control over the security. More often than not, the security vulnerabilities come from unpatched software being used.

1and1 provides all kinds of web hosting services ranging from turn-key pre-built websites to "here's a server with port 443 and 80 open, deploy whatever you want". I'm assuming a site like FT86SpeedFactory would go with the latter option, meaning they would have full control over their security posture. Even if they did not, I'm sure whatever third-party service they hired to fix this breach would have recommended it.

Shit like this isn't 100% preventable, which is why credit cards have such good fraud protection and you can usually dispute and drop a charge instantly with a phone call. The company will likely get fined for whatever mistakes they made and be required to fix it. Nothing else we can do.

N1rve 01-13-2016 01:17 AM

Quote:

Originally Posted by KR-S 86 (Post 2507349)
The question is, why are the passwords not encrypted in the first place? Is this a vBulletin issue?

And regarding the issue that FT86SF and possibly its sister site Subispeed don't own their own security, does that apply to their checkout page as well? If that's the case, then there probably wasn't much if at all that they could have done on their end to prevent this.

I'm not sure how exactly vBulletin works, but it's most likely because they don't own a SSL certificate.

Also, their sister site is hosted by GoDaddy.

Domain Name: SUBIESPEED.COM
Registrar: GODADDY.COM, LLC
Sponsoring Registrar IANA ID: 146
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS1.MEDIATEMPLE.NET
Name Server: NS2.MEDIATEMPLE.NET
Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited
Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Updated Date: 17-sep-2015
Creation Date: 09-oct-2011
Expiration Date: 09-oct-2016

Quote:

Originally Posted by Ultramaroon (Post 2507358)
How did you get my password?! Damn!

It wasn't me!! :bellyroll:

PandaSPUR 01-13-2016 01:24 AM

Quote:

Originally Posted by N1rve (Post 2507361)
I'm not sure how exactly vBulletin works, but it's most likely because they don't own a SSL certificate.

Also, their sister site is hosted by GoDaddy.

Domain Name: SUBIESPEED.COM
Registrar: GODADDY.COM, LLC
Sponsoring Registrar IANA ID: 146
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS1.MEDIATEMPLE.NET
Name Server: NS2.MEDIATEMPLE.NET
Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited
Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Updated Date: 17-sep-2015
Creation Date: 09-oct-2011
Expiration Date: 09-oct-2016



It wasn't me!! :bellyroll:

I just looked at both sites. The WHOIS information is taken from DNS registrars. Looks like they're just using 1and1 and godaddy for the domain name. The servers are hosted by singlehop, which is an IaaS provider. So FT86SF has full control over their servers.

EDIT:

Example for those who care:
Info for ft86speedfactory.com: http://www.tcpiputils.com/browse/dom...eedfactory.com
DNS info points to 1and1, IP is 65.60.44.147

Info for 65.60.44.147: http://www.tcpiputils.com/browse/ip-...s/65.60.44.147
ISP is SingleHop, Inc., WHOIS info for the IP itself points to SingleHop. The IP is also part of a whole block assigned to SingleHop. That page also states that "server2.subispeed.com" also resolves to this IP.

Blah blah blah light recon stuff.

wtfrs 01-13-2016 02:08 AM

I was literally about to order some parts from them :/

justatroll 01-13-2016 02:11 AM

Quote:

Originally Posted by PandaSPUR (Post 2507044)
Using a debit card is actually a worse idea. It's harder to make fraud claims and get your money back..

Quote:

Originally Posted by Lonewolf (Post 2507147)
Why use a debit card when you can use a credit card with zero fraud liability and the chance to earn cash back, miles, or points?

At least for my bank account it is considered a debit card if it is only good for up to the balance on that account (checking #1)

My other accounts (checking #2, #3, etc) have credit cards attached and will automatically extend a line of credit if you overdraft (overdraft protection)

With the checking #1 card the only money that it is possible to steal is whatever measly amount I have in the account.
With the other accounts, they could withdraw thousands even if the account was empty.

Of course I don't need to worry about it either way because they are all protected. Even the "Debit card" is issued by MasterCard.

Toyarzee 01-13-2016 02:23 AM

LOL. I got the letter, and I did have a credit card compromised. I understand why you guys use alternatives and such, like paypal, but honestly I already have fraud protection with my Visa anyways. And yes, after I got the letter, I logged back in and bought some wheels from them. Go @ft86SpeedFactory ! (true story)

I had $60/day being charged by a senior couples meeting/dating site, another one for farmers and international students. New card next day, all purchases reversed, my day goes about unharmed.

P.S. the guys above are right about taking care with passwords, noticing the httpS, and not using your direct bank account for which you rely on like a cowboy his horse when making online purchases.

:word:

x1UP 01-13-2016 02:37 AM

Well, this is unfortunate.

Jfheisenberg 01-13-2016 09:58 AM

Thanks for the heads up, I bought from them in April 2015, which does not fall in that time frame, but I will still have my Chase credit card replaced just in case.

ScoobsMcGee 01-13-2016 10:18 AM

Quote:

Originally Posted by justatroll (Post 2507400)
At least for my bank account it is considered a debit card if it is only good for up to the balance on that account (checking #1)

My other accounts (checking #2, #3, etc) have credit cards attached and will automatically extend a line of credit if you overdraft (overdraft protection)

With the checking #1 card the only money that it is possible to steal is whatever measly amount I have in the account.
With the other accounts, they could withdraw thousands even if the account was empty.

Of course I don't need to worry about it either way because they are all protected. Even the "Debit card" is issued by MasterCard.

What they're trying to say is that if you have a credit card with fraud protection, they won't get any money. The charges will be cancelled, and you won't be liable for anything. That and you don't need to worry about maintaining a separate account for online purchases. Just use a CC with fraud protection on it. That doesn't mean you shouldn't be smart about where you enter payment information, though.

justatroll 01-13-2016 12:12 PM

Quote:

Originally Posted by ScoobsMcGee (Post 2507656)
What they're trying to say is that if you have a credit card with fraud protection, they won't get any money. The charges will be cancelled, and you won't be liable for anything. That and you don't need to worry about maintaining a separate account for online purchases. Just use a CC with fraud protection on it. That doesn't mean you shouldn't be smart about where you enter payment information, though.

And what I'm trying to say is that I have fraud protection regardless of which card I use.


It is just there is more potential $$ for them to steal if they get the information for the CC than if I use the Debit card.
It is also less likely that they will steal ANY money if they can see that I have a near zero balance on the card that they just stole my information for....
So it is LESS risky for me to use the debit card.
We can question WHO is at risk, but I am confident that my financial institution appreciates me NOT using the cards that have overdraft protection for internet purchases.


And just because I have fraud protection does NOT mean that they will not get any money.
They will still get the $$ (at least the FIRST time they try it) the fraud protection just means I won't be responsible. It is still a loss for the financial institution.

PandaSPUR 01-13-2016 12:59 PM

Quote:

Originally Posted by justatroll (Post 2507789)
And what I'm trying to say is that I have fraud protection regardless of which card I use.


It is just there is more potential $$ for them to steal if they get the information for the CC than if I use the Debit card.
It is also less likely that they will steal ANY money if they can see that I have a near zero balance on the card that they just stole my information for....
So it is LESS risky for me to use the debit card.
We can question WHO is at risk, but I am confident that my financial institution appreciates me NOT using the cards that have overdraft protection for internet purchases.


And just because I have fraud protection does NOT mean that they will not get any money.
They will still get the $$ (at least the FIRST time they try it) the fraud protection just means I won't be responsible. It is still a loss for the financial institution.

Not sure about your bank, but my Citibank debit card will happily let itself get overdrawn even without any line of credit linked to it. Attackers also have no way to check your debit card balance without a pin, not that they can even tell it's a debit card by just the card number anyway.

Benefit still goes to using a CC since I'm not actually down any money at any time. With my debit card, I could end up with 0 dollars for a while until it's refunded, and then I might also need to deal with getting overdraft fees reversed.

My CCs (one from citi/mastercard and one from AMEX) have both caught and denied fraudulent charges multiple times though. I think it's happened to me on 3 or 4 separate occasions so far, attackers never got any money out of it.

DAEMANO 01-13-2016 01:00 PM

1st they get tha moneee...

then they get tha poowaaa...

then they get the...

aw forget it.

GeorgeJFrick 01-13-2016 01:05 PM

This is strange to read because I hate PayPal. Why would I worry about putting in a CC, it's protected anyways. I trust my CC company over PayPal.

I'm not worried about the break in, smaller companies don't have the IT resources beyond some automated pen-testing. Please at least take some basic steps though.

Tcoat 01-13-2016 01:21 PM

As long as there has been money people figured out a way to steal it. The electronic age has not done away with this and never will. People can be as careful as they want and the thieves will just find a new work around. Use whatever methods make you feel better but remember no matter what you do somebody has or will find a way to take your cash.


If you found this post useful please insert your credit card number, expiry date and three digit security code here:____________________________

PandaSPUR 01-13-2016 01:26 PM

Quote:

Originally Posted by Tcoat (Post 2507920)
As long as there has been money people figured out a way to steal it. The electronic age has not done away with this and never will. People can be as careful as they want and the thieves will just find a new work around. Use whatever methods make you feel better but remember no matter what you do somebody has or will find a way to take your cash.


If you found this post useful please insert your credit card number, expiry date and three digit security code here:____________________________

+1

And that right there is what keeps me employed. :happyanim:

Tcoat 01-13-2016 01:28 PM

Quote:

Originally Posted by PandaSPUR (Post 2507928)
+1

And that right there is what keeps me employed. :happyanim:

Ummmmm on which side?


All times are GMT -4.