Author Topic: Online Stores - Preferences, Feedback  (Read 476 times)

Offline Nicklab

  • Jedi Sentinel
  • *
  • Posts: 13810
  • I saw we fight!
Online Stores - Preferences, Feedback
« on: September 4, 2022, 09:12 AM »
I thought it would be generally interesting to get people's feedback about the online stores that they prefer.  What are some of the positives and/or negatives associated with some of them, etc.  Are there ones you swear by?  Concerns with another?  Does one have great service except for their shipping policies?  Etc...
My first bit of feedback?

Big Bad Toy Store

I was going through my keychain on my iPhone and noticed that there was a security risk associated with Big Bad Toy Store.  Evidently BBTS has been the subject of a security breach.  I also got a notification this morning of an unauthorized charge on a card that I have not used in a while.  When I checked my spreadsheet of TVC orders I saw that the last time I had used that card was with BBTS on their exclusive Gaming Greats ARC Trooper.  You might want to check your cards as well.

Personally, I am really disappointed that I didn't receive a notification from BBTS about the data breach.

"Call up a Hammerhead Corvette.  I have an idea."


Online Jeff

  • Administrator
  • Jedi Elder
  • *
  • Posts: 26321
  • Leave me where I lie
    • www.JediDefender.com
Re: Online Stores - Preferences, Feedback
« Reply #1 on: September 6, 2022, 03:39 PM »
> Personally, I am really disappointed that I didn't receive a notification from BBTS about the data breach.

I've had cases where I didn't get a notice on a breach until 3-4 months after my bank alerted me to a CC fraud attempt.  I wonder if they are still in the assessment phase trying to figure out who/what was compromised?  I'll have to keep an eye on the last card I used at BBTS...
Editor-in-Chief  - www.JediDefender.com
On Twitter?  Follow JediDefender -> @jedidefender

Offline Dave

  • Jedi Master
  • *
  • Posts: 6216
  • Never Trust a Big Butt and a Smile - BBD
Re: Online Stores - Preferences, Feedback
« Reply #2 on: September 6, 2022, 04:06 PM »
> Personally, I am really disappointed that I didn't receive a notification from BBTS about the data breach.
>
> I've had cases where I didn't get a notice on a breach until 3-4 months after my bank alerted me to a CC fraud attempt.  I wonder if they are still in the assessment phase trying to figure out who/what was compromised?  I'll have to keep an eye on the last card I used at BBTS...

Same.

I think only the super big companies are proactive and reach out.  BBTS is a small, small company.

Offline Ryan

  • Retired Staff Member
  • Jedi Master
  • *
  • Posts: 5871
  • Destiny is all
Re: Online Stores - Preferences, Feedback
« Reply #3 on: September 7, 2022, 01:19 AM »
> Personally, I am really disappointed that I didn't receive a notification from BBTS about the data breach.
>
> I've had cases where I didn't get a notice on a breach until 3-4 months after my bank alerted me to a CC fraud attempt.  I wonder if they are still in the assessment phase trying to figure out who/what was compromised?  I'll have to keep an eye on the last card I used at BBTS...
>
> Same.
>
> I think only the super big companies are proactive and reach out.  BBTS is a small, small company.

It mostly depends on who their CC processor is. BBTS likely isn't handling the vaulting of any cards and should never have access to full card numbers -- unless they are doing something very wrong and are using the payment processor's APIs incorrectly/insecurely -- so the breach is likely out of their hands.  I can't tell from their site who that processor would be; they leave it pretty generic. Since BBTS has been around for a while, it could also mean that they are using a much older payment processor that was breached. While it says on the BBTS website that their payment processor is PCI DSS compliant, they don't have links to any certificates or anything on their website to verify that. BBTS themselves also don't make any claims of being PCI DSS compliant as a merchant, so it is definitely possible that they could have some insecurities in their system.

In theory, if everything is set up correctly on BBTS's end, were a hacker to gain access to a bunch of BBTS user credentials like you mentioned, Nick, they wouldn't likely have access to any full CC numbers. Those cards should all be vaulted directly with the payment processor, and BBTS should only ever be given a secure tokenized value to store cards on file. That tokenized value would only be good at BBTS. This would leave the hackers with two realistic options: 1) change some addresses to a random P.O. box and attempt to order BBTS merchandise, and then resell it later (this is risky and is easier for authorities to trace, so it is unlikely that they will try it), or 2) using the usernames, passwords, addresses, etc. available in your BBTS account, they can try to reuse the credentials on other accounts, hoping the users use the same PW elsewhere. Oftentimes they are able to gain access to an email account, and then from there they can figure out your exact bank, CC companies, etc., and try their luck there. (PSA to use unique passwords, change them often, and use some sort of a PW manager to keep it all straight.)

All that is to say, if BBTS or their processor were breached I wouldn't expect a message any time soon, especially from such small companies. It would likely have to start with the payments processor investigating any possible breaches on their end first, and then work backward to BBTS.

It's definitely a pain dealing with this kind of stuff. I've had to do it twice this year and never knew where it came from. Neither of my cases was related to cards I used at BBTS, but I'll keep an eye out too. Thanks for the heads-up Nick.

(I worked in online CC processing for the last 6 years so I'm pretty familiar with all of this.)
"This is the way."
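The vaulting arrangement Ryan describes above, where the processor holds the card number and the store keeps only a token that is good at that one merchant, as an added worked example. This is not code from the thread or from BBTS or any real processor; the `Processor` and `Merchant` classes, the merchant ids, the customer address and the test card number are all constructed for illustration. The last function is the defender-side check a store operator would want: a Luhn-based scan of a database dump that confirms no full card number was ever stored.

```python
"""Toy model of card vaulting with a merchant-scoped token, plus a check that a
merchant database dump carries no full card numbers (PANs).  Constructed example."""
import json
import re
import secrets
import string

TOKEN_ALPHABET = string.ascii_letters + string.digits


class Processor:
    """Hypothetical payment processor: it alone holds full card numbers."""

    def __init__(self):
        # token -> (merchant_id, pan); this vault is never shared with merchants
        self._vault = {}

    def tokenize(self, merchant_id, pan):
        """Vault the PAN and return a token that is only honoured for this merchant."""
        token = "tok_" + "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(24))
        self._vault[token] = (merchant_id, pan)
        return token

    def charge(self, merchant_id, token, amount_cents):
        """Accept a charge only if the token exists and was issued to this merchant."""
        entry = self._vault.get(token)
        if entry is None or entry[0] != merchant_id or amount_cents <= 0:
            return False
        return True


class Merchant:
    """Hypothetical online store: stores the token and last 4 digits, never the PAN."""

    def __init__(self, merchant_id, processor):
        self.merchant_id = merchant_id
        self.processor = processor
        self.customers = {}  # this dict is what a merchant-side breach would expose

    def add_card_on_file(self, customer_email, pan):
        token = self.processor.tokenize(self.merchant_id, pan)
        # Only the token and a display hint are kept; the PAN goes out of scope here.
        self.customers[customer_email] = {"card_token": token, "last4": pan[-4:]}
        return token

    def dump(self):
        """What an attacker holding the merchant's database would actually see."""
        return json.dumps(self.customers)


def luhn_valid(digits):
    """Luhn check digit validation, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return Luhn-valid 13-19 digit runs found in text: a simple DLP-style check
    that a data store, log or export never carries full card numbers."""
    return [m for m in re.findall(r"(?<!\d)\d{13,19}(?!\d)", text) if luhn_valid(m)]


def demo():
    processor = Processor()
    store = Merchant("example-store", processor)
    # 4111111111111111 is a well-known Luhn-valid test number, not a real card.
    token = store.add_card_on_file("customer@example.com", "4111111111111111")
    return {
        "leaked_pans": find_pans(store.dump()),
        "charge_at_issuing_merchant": processor.charge("example-store", token, 2999),
        "charge_at_other_merchant": processor.charge("other-store", token, 2999),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two properties the post relies on: the store's database dump contains no PAN even though a card is on file, and the stolen token is refused when presented by a different merchant. The `find_pans` scan is the kind of check worth running against real database exports and application logs, since a merchant that logs raw card fields by mistake is exactly the "using the processor's APIs insecurely" case mentioned above.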