Smartphone Experts Store Advisory (Incident Notification)

Just a clarification on the CVV issue. CVV was always purged after billing, as per processing requirements. However, because the hackers may have been able to access some data from orders in pre-authorization stage it was prudent to include that in the notification.

So you're saying if our accounts were not in pre-authorization, let's say our transaction was complete, then the CVV code for the "completed" transaction was purged and didn't pass on?
 
See here is the problem with this statement you keep spouting - it can't be true.

My order was months ago so it could not have been in pre-authorization and yet somehow these hackers still got my info because my card was used at another online vendor that would have required the supposedly purged CVV code. So, either you are honestly mistaken about how your systems work, you are being lied to by your IT staff because they know they should have purged it and want to keep their jobs, or possibly it was an inside job with the hackers getting some help, or possibly a little bit of all of these.

Really, so far nothing I have read here I can believe except for the part about you being hacked.

-frank

Sent from my Nexus 10 using Tapatalk 2
 
Yeah, I did not see that a thread was already started about this or I would not have posted another one. As far as I know I have not had any issues, but I did get a letter in the mail just letting me know that their system had been compromised, so I was just letting people know about the incident was all.
 
I also received the letter but have had no fraudulent transactions appear on my statement to date.

Granted, I ordered over a year ago now and maybe the hacker/s did not obtain older data.

I called the number on the letter and the woman who answered was extremely nice and did say it appears to have affected newer orders in general rather than those that had been placed a while back.

Dan

PS. While it is very aggravating it can happen to any company and while a coupon or some token of compensation would be nice, I guess they feel as much of a victim as we do.
 
Just a clarification on the CVV issue. CVV was always purged after billing, as per processing requirements. However, because the hackers may have been able to access some data from orders in pre-authorization stage it was prudent to include that in the notification.

Thank you for ensuring that important distinction.

I was a lead designer for a major international ERP vendor and was responsible for the credit card management and authorization portions of the software. When the statement specifically mentioned that CVV data had been compromised flashlights went off in my head. In 2006 all of the major credit brands instituted a policy that CVV data should NEVER be stored beyond the point that the transaction is authorized (if the charge was to immediately process) or pre-authorized (prior to final authorization on shipment). In most cases this means that the CVV data is stored for at most minutes until the transaction is either approved or declined. Some (very few) systems perform daily batch authorizations of an entire group of transactions, but in those cases they should not be collecting CVV data at all. Immediate processing is encouraged by reducing the vendor fee when CVV is provided. Additional discounts are offered when the AVS system (Address Verification System) is also used. (Those out of the loop will recognize AVS by sites that require your ZIP code to process a transaction).

But even based upon your response about "orders in pre-authorization": if the pre-auth is handled real-time when the customer places the transaction, there is no longer a need to store the CVV data. The final authorization is processed using the card number and pre-auth code returned by the processing agent. There is no need to re-send CVV data. It should be "get it and forget it".

These are questions that come to mind only because I'm sort of an insider-geek on this topic. The Store team has done the right thing in being forthright with customers about the breach. Publicly exposing the breach makes it less likely that the perpetrators will be able to successfully use the data. Whether or not you get a letter like this from a good vendor like Smartphone Experts, there are dozens of other online businesses that wouldn't bother to admit this happened. That is why its good to be vigilant in monitoring your credit data on a regular basis.
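The flow the post above describes (authorize with the CVV in the request, capture later on shipment with the authorization code, never persist the CVV), as an added example that is not part of the original thread and not Smartphone Experts' or any processor's code. The processor is a stub, the record field names are assumptions, and the card number is constructed test data. The audit function at the end is the kind of check a reviewer would run over the order store to confirm no prohibited field ever reached disk.

```javascript
// Added example (not Smartphone Experts' or any processor's code): a minimal
// authorize-then-capture flow in which the CVV lives only in the in-flight
// authorization request and is never written to the merchant's order store.
// The processor is a stub; field names and card data below are assumptions / constructed test data.

// Field names that must never appear in a retained record (CVV/CVC/CID, track data, PIN).
const PROHIBITED = /cvv|cvc|cid|security.?code|track|pin/i;

// Stub processor: approves when the CVV is 3-4 digits and the amount is positive,
// and returns an authorization code the merchant uses for later capture.
const processor = {
  authorizations: new Map(),
  nextCode: 1000,
  authorize({ pan, expiry, cvv, amount }) {
    if (!/^\d{3,4}$/.test(cvv) || amount <= 0) return { approved: false };
    const authCode = String(this.nextCode++);
    this.authorizations.set(authCode, { pan, expiry, amount, captured: false });
    return { approved: true, authCode };
  },
  capture({ authCode, amount }) {
    const auth = this.authorizations.get(authCode);
    if (!auth || auth.captured || amount > auth.amount) return { captured: false };
    auth.captured = true;
    return { captured: true };
  },
};

// Keep only first six / last four of the PAN in the order record.
function maskPan(pan) {
  return pan.slice(0, 6) + '*'.repeat(pan.length - 10) + pan.slice(-4);
}

// Correct: build the order record only from fields that may be retained.
function placeOrder(store, orderId, card, amount) {
  const result = processor.authorize({ ...card, amount });
  if (!result.approved) return null;
  const record = {
    orderId,
    panMasked: maskPan(card.pan), // never the full PAN in the order table
    expiry: card.expiry,
    authCode: result.authCode,    // what a later capture actually needs
    amount,
    status: 'authorized',
  };
  store.set(orderId, record);
  return record;
}

// Wrong: persisting the whole authorization request keeps the CVV on disk.
function placeOrderBad(store, orderId, card, amount) {
  const result = processor.authorize({ ...card, amount });
  if (!result.approved) return null;
  const record = { orderId, ...card, authCode: result.authCode, amount, status: 'authorized' };
  store.set(orderId, record);
  return record;
}

// Capture on shipment needs only the authorization code and amount, no CVV.
function captureOrder(store, orderId) {
  const record = store.get(orderId);
  const result = processor.capture({ authCode: record.authCode, amount: record.amount });
  if (result.captured) record.status = 'captured';
  return record.status;
}

// Audit: list the prohibited field names present in any stored record.
function findProhibitedFields(store) {
  const found = new Set();
  for (const record of store.values()) {
    for (const key of Object.keys(record)) if (PROHIBITED.test(key)) found.add(key);
  }
  return [...found].sort();
}

// Constructed test card (not a real account).
const testCard = { pan: '4111111111111111', expiry: '12/27', cvv: '123' };
const goodStore = new Map();
const badStore = new Map();
placeOrder(goodStore, 'A1', testCard, 49.99);
placeOrderBad(badStore, 'B1', testCard, 49.99);
console.log('good store prohibited fields:', findProhibitedFields(goodStore)); // []
console.log('bad store prohibited fields:', findProhibitedFields(badStore));   // [ 'cvv' ]
console.log('capture A1:', captureOrder(goodStore, 'A1'));                     // captured
```

Note that `placeOrder` and `placeOrderBad` send exactly the same authorization request; the difference is only what is written to the store afterwards, which is why a schema-level audit like `findProhibitedFields` catches this class of mistake even when the checkout code looks correct.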
 
But even based upon your response about "orders in pre-authorization": if the pre-auth is handled real-time when the customer places the transaction, there is no longer a need to store the CVV data. The final authorization is processed using the card number and pre-auth code returned by the processing agent. There is no need to re-send CVV data. It should be "get it and forget it".

Just wanted to add a follow-up to this part of my comment. I just got off the phone with the great folks in operations. It's not necessary to go into details, but I now understand how the CVV data may have been compromised and everyone should be assured that they are doing everything by the book. If CVV data has been captured (and this would be the case for only a very, very small number of customers) there is really nothing Smartphone Experts is doing that is out of the norm for any e-commerce transaction. It's a very unfortunate incident that this occurred, and even giant companies (remember last summer's PlayStation fiasco) are not immune to very sophisticated attacks.

I'd actually like to personally thank the folks over there for taking the time to talk with me about this and showing genuine concern for my questions and my relationship with the company as a customer.
 
I was wondering why I had fraudulent charges on my credit card. Now I know. I'm not angry, stuff happens. That's the risk you take using your cc online.

Back off a little guys, this isn't the first time a company has been hacked.
 
I received the same letter. Not having a credit card, I use a debit card. Fortunately, I didn't see any fraudulent charges. But to be safe, I went and got a new card today. Pain in the ****, though, because I have recurring charges on it. Had to call each company today and update.

Posted via Android Central App
 
I received the email notification, only sort of paying attention to it, as it seemed like it could just as easily be a scam as a warning (though it didn't ask for anything, and just advised to be careful, so that was a hint it was legit). I didn't receive a "letter". Nonetheless, I appreciate Smartphone Experts coming clean about the breach, and notifying affected users.

That said, I still don't understand how this happened. I still don't understand how CVV info was scooped. And the explanations I've seen thus far just don't pass the smell test.

Add to that, last night I got the phone call from Visa that I hoped wouldn't come.

Through my BlackBerry years, and up to now, I've placed a number of orders with Smartphone Experts through this site (or through Crackberry). That all ends with my last order. There's no more confidence.
 
Post-authorization card data was retained for a period of time to facilitate order changes, returns and exchanges, which are fairly common occurrences.
I'm not trying to "pile on" when something like this happens, because in the end the person or persons who stole the information are the ones guilty of a crime, but it was irresponsible of Smartphone Experts to keep such information much, much, much longer than they should have.

I purchased an extended battery for my old Palm Pre nearly 2 years ago and my personal info is still stored by this company? (yes I got the letter which is why I know this time frame is too long)

Claiming that my info was still on record from nearly 2 years ago to help "facilitate order changes, returns and exchanges" is completely unacceptable.
 
I've now spoken with the good folks at Visa... seems somebody's been having a good time on my card. But travelling Greyhound? Really? I would've thought they'd (I'd?) spring for air travel, or at least the train.
 
I got the letter in the mail -- and then the company that issued one of my cards called to check on some suspicious activity. There was over $1000 in fraudulent charges on my card at that point. Thankfully, the credit card company cancelled those charges and re-issued the card. What a pain though. I definitely think the company should offer free credit monitoring. The perpetrators may not immediately use the info to steal an identity and a one-time check on your credit report may not reveal anything.
 
I notice that there has been no more response from smartphone experts here to all of us who have been victimized by their incompetence.

This is particularly interesting given the fact that through this thread it has gone from maybe the hackers got our info, to only when the transactions were in pre-authorization, to finally stating that they kept the information for "some time" to facilitate returns. Just how long is "some time" exactly?

Also, I would appreciate instructions on exactly how to remove my account and all information from Smartphone Experts without clearing my Android Central account. I just want to make sure my info is not accessed by the next group of hackers that break in.

-frank

Sent from my Nexus 4 using Tapatalk 2
 
This is particularly interesting given the fact that through this thread it has gone from maybe the hackers got our info, to only when the transactions were in pre-authorization, to finally stating that they kept the information for "some time" to facilitate returns. Just how long is "some time" exactly?

Sorry for the confusion - the statement regarding pre-authorization was specific to CVV. "CVV was always purged after billing, as per processing requirements. However, because the hackers may have been able to access some data from orders in pre-authorization stage it was prudent to include that in the notification." The post-authorization stored PAN, which was generally kept for 90 days (although some records were kept longer in an archive table), appears to have made up the majority of the compromised data.

Also, I would appreciate instructions on exactly how to remove my account and all information from Smartphone Experts without clearing my Android Central account. I just want to make sure my info is not accessed by the next group of hackers that break in.

All credit card related information has been purged from the database; we can also purge your shipping address and email (it is not tied to your Android Central account).

While we believe the store is now secure, we also realize that we will be under constant attack from hackers and are better off outsourcing the handling of credit cards. In the next few days we plan to roll out a new checkout solution powered by Braintree. What is neat about their solution is that the credit card information is encrypted in your browser before submitting - and we don't have the capability to decrypt it - only Braintree does.
 
I received this letter last week. Literally the next day my bank's security department called me saying that Mastercard had stopped several fraudulent charges on my debit card totaling an attempted $3000.00+. Five transactions still went through to my account and I lost $250 right off the bat. I'm currently disputing these transactions in an effort to get this resolved. One of them was a "test" transaction of a small amount related to some software company's trial membership. Because they did this test first with the small transaction strategy, my bank thinks this is some trial membership I signed up for and just neglected to cancel. So my bank's investigation department is going back and forth with me on giving me credit. I may or may not see this money back at all. I realize Smartphone Experts did the right thing by sending out the letter and they have no control over my bank's lackluster security department, but this has caused a number of issues in my life. I am really unhappy about this situation. All this for a cell phone case I bought a while back.... Definitely first and last purchase.
 
One of them was a "test" transaction of a small amount related to some software company's trial membership. Because they did this test first with the small transaction strategy, my bank thinks this is some trial membership I signed up for and just neglected to cancel. So my bank's investigation department is going back and forth with me on giving me credit. I may or may not see this money back at all.

We are sorry that you were affected by this breach. Please let us know if the bank does not reverse all fraudulent charges on your account.
 
Well, it looks like this group of hackers were able to rapidly distribute the card numbers. I, too, had fraudulent charges show up on my card and caught it quickly because I only use one card for online purchasing. It's not unusual for companies like Smartphone Experts to store credit card data. It's probably in the terms of service, and if you have it save your card for future transactions it's definitely going to be there. I'm sure, based upon my conversations, that the company was storing the data properly and the hack was sophisticated enough to generate the decryption key. It's hard to say how they got hold of that, but it looks like they're doing everything to address issues. Completely changing the checkout system as the company is doing is not an insignificant task, and the fact that the company is going this far shows their concern for account security. This isn't the first time my credit has been compromised, and I'm sure it won't be the last. The thing that matters most, at least to me, is how the companies affected react when it happens, and Smartphone Experts is actually an example of how to do it right.
 
Well, it looks like you can add me to the list. My card received $364.50 in fraudulent charges from places ranging from Massachusetts to Estonia, so the information obviously made the rounds after it was obtained. My financial institution is being somewhat difficult, making me do all the leg work before they'll file any fraud claims, so if nothing else this has prompted me to reevaluate my choice in banks.
 
My financial institution is being somewhat difficult, making me do all the leg work before they'll file any fraud claims, so if nothing else this has prompted me to reevaluate my choice in banks.

We are sorry that you were affected by this breach. If we can assist in any way please call 888 599 8998 or email support@shopandroid.com.

As promised above the Braintree powered checkout solution is now live on ShopAndroid. That means our servers never see raw credit card information, only encrypted data which we don't have the capability to decrypt (only Braintree does). You can read more about their client-side encryption here: https://www.braintreepayments.com/braintrust/braintree-js
 
