TheRPGSite

Pen & Paper Roleplaying Central => Pen and Paper Roleplaying Games (RPGs) Discussion => Topic started by: RPGPundit on January 05, 2007, 05:47:40 PM

Title: RPGnow hacked
Post by: RPGPundit on January 05, 2007, 05:47:40 PM
By now most of you should have heard, but RPGnow/RPGshop has been hacked, and hundreds of credit card numbers were stolen.

This after RPGnow's recent and controversial merger, this is not going to be good...

RPGPundit
Title: RPGnow hacked
Post by: GRIM on January 05, 2007, 05:50:24 PM
Part of the reason I've been diversifying outlets and will be adding my own store to my website methinks, but I think this'll blow over reasonably quickly. It's just a bad combination of events.
Title: RPGnow hacked
Post by: Mcrow on January 05, 2007, 05:51:26 PM
Yup, not good.

However, it is a good idea to buy online with PayPal; then such bad things won't happen. Unless PayPal is hacked.
Title: RPGnow hacked
Post by: Spike on January 05, 2007, 06:07:52 PM
From what I read yesterday, they weren't even hacked, they just didn't defend their data at all. I believe the entire cache of credit card data, completely unencrypted, was simply searchable by Google.

This is why I hate the increased dependence upon electronic money.  Other than credsticks that is...:D
Title: RPGnow hacked
Post by: blakkie on January 05, 2007, 06:15:04 PM
Quote from: Spike
From what I read yesterday, they weren't even hacked, they just didn't defend their data at all. I believe the entire cache of credit card data, completely unencrypted, was simply searchable by Google.
Oops!  :duh: :roofle:

P.S. I think by my hearty laughter it should be quite obvious that I haven't bought or sold anything through them. Sorry to those in a different situation. :(
Title: RPGnow hacked
Post by: Mcrow on January 05, 2007, 06:16:26 PM
Quote from: GRIM
Part of the reason I've been diversifying outlets and will be adding my own store to my website methinks, but I think this'll blow over reasonably quickly. It's just a bad combination of events.

Are you planning on signing on with yourgamesnow.com?
Title: RPGnow hacked
Post by: Dr Rotwang! on January 05, 2007, 06:22:54 PM
Quote from: Spike
From what I read yesterday, they weren't even hacked, they just didn't defend their data at all. I believe the entire cache of credit card data, completely unencrypted, was simply searchable by Google.

This is why I hate the increased dependence upon electronic money.  Other than credsticks that is...:D
And I bought stuff from 'em earlier this year.

Crap.
Title: RPGnow hacked
Post by: HinterWelt on January 05, 2007, 07:04:54 PM
Quote from: Dr Rotwang!
And I bought stuff from 'em earlier this year.

Crap.
The date you need to be most worried about is before August of 2006. This is the suspected date that the DB was hacked. As I have been told, it was approx. 3000 cc# and associated info some portion of which included expired cards.

This only applies to people who used the "Store my CC#" on RPGNow or RPGShop. DTRPG and ENGs were not involved. Folks, never store your CC# on a site. Not a good design on the part of the site TA and not a good idea for the customer.

In addition, RPGNow sent out emails to those affected accounts last night. If you had your email changed, spam filter on or email discontinued then you can contact James at RPGNow.

This is a bad thing for the pdf industry as a whole. Shakes customer confidence in an otherwise useful shopping experience.

Bill
Title: RPGnow hacked
Post by: KenHR on January 05, 2007, 07:49:23 PM
Wow...I sell credit card processing (among other business-related services) for a living, and the current V/MC guidelines prohibit unencrypted electronic storage of any CC information.  This could get their privilege to accept cards pulled if the damage is bad enough; doubt it will, but they'll probably end up having to pay a hefty fine to V/MC if this was what they were doing.
Title: RPGnow hacked
Post by: GRIM on January 05, 2007, 07:56:08 PM
Quote from: Mcrow
Are you planning on signing on with yourgamesnow.com?

My membership there is under discussion for approval at the moment I believe.
It's just a pain in the arse uploading files to all these places. I need a filthy assistant or an Igor.

I'm on E23 if you don't want to go via RPGnow/Drivethru but their selection isn't quite as up to date as they don't have a self-upload function.

I'm not sure where else is worth using, DBB never got back to me really, despite me providing them with some free adventures and Paizo doesn't seem quite the right place for my stuff.
Title: RPGnow hacked
Post by: GRIM on January 05, 2007, 07:57:23 PM
Quote from: Spike
From what I read yesterday, they weren't even hacked, they just didn't defend their data at all. I believe the entire cache of credit card data, completely unencrypted, was simply searchable by Google.

This is why I hate the increased dependence upon electronic money.  Other than credsticks that is...:D

That's not quite what happened.
I believe it was discovered when the hacked information was found on a Brazilian wares site through Google.

Let's not kick 'em for things they haven't done, eh?
Title: RPGnow hacked
Post by: James McMurray on January 05, 2007, 07:58:41 PM
Quote from: Spike
From what I read yesterday, they weren't even hacked, they just didn't defend their data at all.

Link?

If that's true then I hope people file charges for criminal negligence.
Title: RPGnow hacked
Post by: RPGPundit on January 05, 2007, 08:20:58 PM
Quote from: GRIM
Part of the reason I've been diversifying outlets and will be adding my own store to my website methinks, but I think this'll blow over reasonably quickly. It's just a bad combination of events.

Well, anyone who signed up for one of their "exclusivity" agreements, where they can ONLY sell through RPGnow, is pretty fucked by this turn of events.

RPGPundit
Title: RPGnow hacked
Post by: Spike on January 05, 2007, 08:37:21 PM
All I know can be found in the first 30 or so posts of the RPG.net thread in open gaming and what's been posted here. So I'm hardly the expert, sadly.

What was said was that googling credit card numbers revealed an entire open cache of RPGNow or whatever card numbers. Obviously some people here have more in-depth knowledge.
Title: RPGnow hacked
Post by: Blackleaf on January 05, 2007, 09:27:59 PM
Logan and I were crazy emphatic about the importance of security when we set up comiXpress (http://www.comixpress.com/). We weren't going to store credit card data unless we could be 100% sure of the security -- so we decided to work through PayPal for all transactions including credit cards.

I'm pretty surprised at how sloppy and amateurish leaving Credit Card data unencrypted and searchable by Google is.

Almost makes me want to set up an alternative online business. :eek:

But first... I finish the game. :)
Title: RPGnow hacked
Post by: HinterWelt on January 05, 2007, 09:34:14 PM
Quote from: Stuart
Logan and I were crazy emphatic about the importance of security when we set up comiXpress (http://www.comixpress.com/). We weren't going to store credit card data unless we could be 100% sure of the security -- so we decided to work through PayPal for all transactions including credit cards.

I'm pretty surprised at how sloppy and amateurish leaving Credit Card data unencrypted and searchable by Google is.

Almost makes me want to set up an alternative online business. :eek:

But first... I finish the game. :)
Actually, it was an exploit in OSCommerce that did it. The CC# were on a Brazilian hacker's site (presumably the one who did it).

And yes, Your Games Now is set up the same way. We leave the security to the experts. I am setting my own site up on the same principles.

Bill
Title: RPGnow hacked
Post by: Blackleaf on January 05, 2007, 09:41:13 PM
Quote from: HinterWelt
Actually, it was an exploit in OSCommerce that did it. The CC# were on a Brazilian hacker's site (presumably the one who did it).

We used OSCommerce as well (we used another program for another project, but OSC is much easier to work with) and while it does have the option to store CC info locally, we thought that was just asking for trouble... especially if you don't aggressively keep on top of patches.
Title: RPGnow hacked
Post by: HinterWelt on January 05, 2007, 10:07:31 PM
Quote from: Stuart
We used OSCommerce as well (we used another program for another project, but OSC is much easier to work with) and while it does have the option to store CC info locally, we thought that was just asking for trouble... especially if you don't aggressively keep on top of patches.
Definitely. I normally work in the merchant e-commerce solutions and with data management and I don't think I have heard of any design that stored cc# on site except in the "We absolutely must but we don't like it" category.

Just way too much liability there.

Bill
Title: RPGnow hacked
Post by: Dr Rotwang! on January 05, 2007, 10:28:23 PM
Quote from: HinterWelt
The date you need to be most worried about is before August of 2006.
That's me.

Quote
This only applies to people who used the "Store my CC#" on RPGNow or RPGShop.
That's not me.
Title: RPGnow hacked
Post by: Wil on January 05, 2007, 11:39:35 PM
They were using an open source ecommerce solution? That's bright...

I'm assuming it was some kind of SQL injection vulnerability, which are a lot more common than they really should be.
Title: RPGnow hacked
Post by: Hastur T. Fannon on January 07, 2007, 07:02:01 AM
Quote from: Wil
They were using an open source ecommerce solution? That's bright...

It is if (and it's a big if) you keep on top of the patches. More eyeballs on the code and all that.
Title: RPGnow hacked
Post by: Tyberious Funk on January 07, 2007, 10:35:06 PM
I've purchased from RPGNow in the past.  Using a credit card, too.

My ex-girlfriend's credit card.

Mwah hah hah hah :D

I shouldn't laugh.  I really, really shouldn't.
Title: RPGnow hacked
Post by: Lawbag on January 08, 2007, 05:55:19 AM
This will either blow over quickly, or be something much bigger.

http://gmskarka.livejournal.com/251567.html?nc=9