
Been e-shopping at Paddock recently?


Lars L


Lots of Norwegian landroverists have been hit with extra withdrawals from their account and now it was my turn. Obviously, the Paddock webshop has been hacked and the geezers are now testbuying using various card numbers. I had the neat sum of SEK 25,21 drawn three times today, £2 or something.

Go check your account!


Just had my card stopped by the bank because of some funny withdrawal. This is the 2nd time it's happened this year; both times I had used Paddocks and it was £2 something. Been wondering where they keep picking me up, I'm very careful otherwise (shred statements etc.)

Dave.


I had the same problem earlier on this week. Luckily I've had a replacement card last month so the bank picked the fraud straight away. They tried to buy over a grand's worth of stuff over the internet. I have bought loads from Paddocks in the last few months. At least it is being detected, let's hope they sort out their security.


I had £600 stolen from my account last year, and that was after I had purchased some stuff from Paddocks. It wasn't via the internet, though, it was a phone transaction and it showed up on my account as "Avon Shop".

The bank did refund the money after I'd reported it to the police and got a crime number.

Now very careful, and I use PayPal wherever possible.

geoff


Never mind telling Paddocks, make sure the CC companies know the source. If Paddocks aren't PCI DSS compliant they can get hit with a hefty fine and possible withdrawal of their CC facility, which might encourage them to sort their security out. After all, what do they lose if someone gets access to your card details?

There is also a very good statistical chance (about 80%) that the fraud is being perpetrated by one of their staff.


"Never mind telling Paddocks, make sure the CC companies know the source."

The point here, as I see it from the thread comments, is that we don't know the source.

Your comments imply you believe them to be at fault. What proof have you?

"After all, what do they lose if someone gets access to your card details ?".

I'd say they stand to lose a lot, because it's not just going to happen once.

It's because of that 'lose a lot' that it's dangerous to IMPLY they are at fault if they are not.

What is wrong with speaking to the perceived source?

If they are bad uns it makes no difference.

If they are good uns it gives them an opportunity to act sooner rather than later.

The forum management doesn't like people writing that any particular supplier is selling bad parts (I'm not commenting on that policy, merely using it as a comparison).

In my view saying a particular retailer carries an inevitable fraud risk is just as risky. "Inevitable fraud risk" is what this thread implies, and your comments indicate you have accepted that implication.

If it was your business being accused of shoddy practice (in any sphere of operation), would you be upset at the potential loss of business? Especially if no-one had the balls or courtesy to say something directly to you before bad mouthing you on a Forum with a large readership.

I suspect your reaction would be even stronger if it turned out your operation was squeaky clean.

I had better add that although I live close to Paddocks I only know them as a Customer. I don't know any Paddock people at a personal level.

Regards,


My bank called me today to say some fraud around.... :o

I called the bank back just in case it was a fraud fraud call if you see what I mean... :ph34r:

Card now cancelled.....new one in post.... :angry:

At least bank is on the ball... :)

Has someone called Paddock yet?? :blink:


Yes. Here is a quote from their reply to a Norwegian customer.

It has been brought to our attention that at some point in the last 2 weeks the security on our secure servers may have been compromised. Several of our customers have contacted us to say that their cards have been used fraudulently after placing an order on our website. These incidents appear to be from customers based in Norway, Sweden or Germany.

We take security and credit card fraud extremely seriously at Paddock Spares. As a result we have immediately suspended the use of our previous payment gateway. We have now integrated with PayPal. This will enable you to pay from your existing PayPal account or, if you do not have a PayPal account, you can enter your credit card details through PayPal's secure payment gateway.

If you have placed an order through our website within the last 2 weeks we recommend you check your statement.

If you have any further questions or wish to speak to someone about this please do not hesitate to contact us. We apologise for any inconvenience that may have been caused and wish to reiterate that security will always take priority at Paddock Spares.


  • 4 months later...

The situation is fairly bad at the moment - X-Eng's web site has come under sustained attack from Russian IP addresses. Mostly attempting fairly simple SQL Insertion/Injection techniques (that is the most likely way that criminals access card details). Although, if you are aware of it, it's pretty easy to prevent - there are a remarkable number of vulnerable sites!

Fortunately, I have some experience of this kind of thing (mis-spent youth!). Knowing that no system is completely secure - I opted for not storing any card details at all! Address details are stored using public key cryptography - and the site has been penetration tested.

I do worry about sites that store card details permanently - it only takes a minor slip-up to make the data vulnerable.

Although people get very worried about card usage on the web, there is probably more leakage of data from in-house systems than from web sites. Companies often put in good web security and forget about doing the same in house - unencrypted card details stored on a server in an un-secured equipment room for example?

I wouldn't get too paranoid about web companies in particular - they just tend to get more attention when it goes wrong. I tend to be a bit careful of using my card everywhere!

Si
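
An added example, not part of the post above and not X-Eng's code: the SQL injection weakness the post mentions, shown as a string-built query beside its parameterised fix. The table, the function names and the sample rows are hypothetical and constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data: a tiny in-memory customer table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (email TEXT, address TEXT)")
    db.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice@example.com", "1 Mill Lane"),
         ("pat.o'neil@example.com", "7 High Street")],
    )
    return db

def lookup_concatenated(db, email):
    # Vulnerable pattern: the input becomes part of the SQL text, so any
    # quote character in it changes how the statement is parsed.
    sql = "SELECT address FROM customers WHERE email = '" + email + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_parameterised(db, email):
    # Hardened pattern: the statement text is fixed and the input is bound
    # as a value, so it is only ever compared with the column, never parsed.
    sql = "SELECT address FROM customers WHERE email = ?"
    return [row[0] for row in db.execute(sql, (email,))]

# Constructed input of the kind an injection probe sends.
PROBE = "nobody@example.com' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("concatenated :", lookup_concatenated(db, PROBE))   # every row comes back
    print("parameterised:", lookup_parameterised(db, PROBE))  # no row matches
    # A legitimate address containing an apostrophe also works once bound.
    print("apostrophe   :", lookup_parameterised(db, "pat.o'neil@example.com"))
```

The concatenated version also fails on the legitimate apostrophe address with a syntax error, which is often the first sign in application logs that a query is being built from raw input.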


So as I use PayPal does this mean I am safe as there are no Credit Card details on record?

How PCI DSS will affect Paddocks I am not sure, for some major web based companies PCI compliance can cost around £20M to implement in each country applicable. How much of PCI Paddocks have to implement for compliance would be interesting.

Marc.


This is sounding more and more like an inside job as to all the symptoms. If my bank suspects any sort of card fraud, which they have done a few times when I've been travelling, they stop my card and either phone me or drop me a text message to get in touch with them by using the phone number on the back of the card - I'm bloody glad they do as it could've cost me a small fortune if they hadn't been as good to stop my card in the event of someone else trying to use it.

E.g.: I was in the Maldives on a job when I tried to draw money out of the HSBC cash machine - it said no, so I borrowed some cash off a mate, but within half an hour the bank rang me and asked if I'd tried to draw money out of a cash machine in Sri Lanka. I told them where I was and they reinstated my card. That to me means that the bank are on the ball - well, at least the anti-fraud dept is anyway.

John


The previous replies from August suggest that Paddocks ditched their old card processing system and have switched to using a PayPal checkout.

If that's still the case, Paddocks themselves do not have your card details at any point of the transaction, and therefore there is nothing for them to leak. If the thefts WERE related to Paddock sales, and they're using a PayPal checkout, then the issue would lie at PayPal's door, and if that's the case it's a MUCH bigger issue than one compromised online shop.

We use Sage Pay (previously Protx) at work for our payment gateway, and again, at NO point during the transaction do we see the card details. Our web site hands the customer off to Sage Pay, with an encrypted form submission containing the transaction description and value; Sage Pay do all the secure card stuff, and then they send back a reply saying successful or failed, and return the customer to our website for the "thank you for your purchase" screen.

I've had my credit card "defrauded" recently. I don't use the card very often, and the bank caught it before I did, but I have no idea where they got the details. The fact the bank caught it themselves would suggest to me that something about the transactions didn't add up, i.e. the wrong address/name etc., and would follow the theory of the fraudsters using card number generators.

The numbers used on the cards are pretty easy to calculate, as the formula that generates them is in the public domain. My card was used to register with some catalog and then with Carphone Warehouse. Obviously the bank adds extra checks to the card number, such as the CSC (3 digits on the rear), your address details (they use the digits from your address and postcode to produce an address id) and your name, but a lot of these checks can be optional on behalf of the vendor, although if you don't do them, you're putting yourself at greater risk for chargebacks etc.
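
An added example, not part of the post above: the public check-digit formula (the Luhn algorithm) only catches mistyped numbers, so a vendor that skips the optional CSC and address checks passes anything that is merely well-formed. The function names, the sample address and the simplified decision logic are assumptions; the address id follows the post's description, and 4111 1111 1111 1111 is a widely published test number, not a real card.

```python
import re

def luhn_valid(pan: str) -> bool:
    """Check-digit test only: says the number is well-formed, not that the
    account exists or that the customer is the cardholder."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def address_id(address: str, postcode: str) -> str:
    """Digits of the address and of the postcode, as described in the post."""
    return "".join(re.findall(r"\d", address)) + "|" + "".join(re.findall(r"\d", postcode))

def vendor_decision(pan, csc_matches, entered_id, id_on_file, enforce_checks):
    """Simplified vendor-side policy (assumption: in practice the CSC and
    address results come back from the card issuer with the authorisation)."""
    if not luhn_valid(pan):
        return "reject: mistyped number"
    if enforce_checks and not csc_matches:
        return "reject: CSC mismatch"
    if enforce_checks and entered_id != id_on_file:
        return "reject: address mismatch"
    return "send for authorisation"

if __name__ == "__main__":
    on_file = address_id("12 Oak Road", "AB1 2CD")        # constructed sample
    entered = address_id("99 Elm Street", "ZZ9 9ZZ")      # constructed sample
    pan = "4111 1111 1111 1111"
    print(vendor_decision(pan, False, entered, on_file, enforce_checks=False))
    print(vendor_decision(pan, False, entered, on_file, enforce_checks=True))
```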
