
Credit Cards Hacked - ECS Tuning

fender177

Ready to race!
Just a heads up - I was at a local tuner yesterday and they informed me that ECS was hacked recently. And, they were not PCI compliant - i.e. credit card numbers were not encrypted.

Apparently, a few people have received letters in the mail (yup, snail mail). I personally haven't received one, so it may be that only people who store their CC info with ECS are victim to this attack. But, you might want to keep a close eye on your accounts.
 

A_Bowers

Moderator
Been there. Had 2500 charged on my credit card.

 

danielj1

Go Kart Champion
The letter says they are PCI compliant, if they're not tsk tsk. Those who are not should be incurring ongoing fines.

I never store cc info with online vendors.
 

fender177

Ready to race!
The letter says they are PCI compliant, if they're not tsk tsk. Those who are not should be incurring ongoing fines.

I never store cc info with online vendors.

Read it closely... It says something along the lines of - in addition to being PCI compliant, we've also done x,y,z. They get tricky with their wording.
 

Muskie

Go Kart Champion
This worries me, and I've had nothing but problems with ECS lately. ECS also was supposed to issue a refund for a warrantied item for me. That was a month ago. According to them it was refunded but I still have not shown it on my statement. They are unable to help at all even after forwarding communication from my bank saying there is no record of any refund attempt on any of my accounts.

Sent from my Galaxy Nexus using Tapatalk 2
 

fender177

Ready to race!
AFAIK, for PCI compliance, the credit card info does not need to be encrypted while "at rest" -- only while in transit on the network.
https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
So if you hack the database (say, sql injection), you get the numbers in plain text.

I would disagree with that statement. The PDF you linked to says:
Requirement 3.4 Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:
- One-way hashes based on strong cryptography (hash must be of the entire PAN)
- Truncation (hashing cannot be used to replace the truncated segment of PAN)
- Index tokens and pads (pads must be securely stored)
- Strong cryptography with associated key-management processes and procedures

It just wouldn't make sense to allow people to store such information in plaintext. Regardless - it sucks that people are so careless with sensitive information these days.

Although, I don't know this for a fact - I would recommend changing your ECS password and if you happen to share that password with other accounts, change those passwords too.
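
An added illustration of the Requirement 3.4 text quoted in the post above (not code from the thread, from ECS, or from the PCI documents): it finds Luhn-valid card numbers in stored log lines and replaces them with a truncated form, and shows a hash of the entire PAN. Keeping the first six and last four digits, keying the hash with HMAC-SHA256, and the sample log lines are all assumptions of this example.

```python
import hashlib
import hmac
import re

# 13-19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# Constructed sample log lines; 4111111111111111 is a well-known test number.
SAMPLE_LOG = [
    "POST /checkout card=4111-1111-1111-1111 status=declined",
    "GET /orders order_id=1234567890123456 status=ok",
]

def luhn_valid(digits):
    """Luhn checksum: filters out long numbers that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def truncate_pan(pan):
    """Truncation: keep the first six and last four digits (assumed limit)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def keyed_hash(pan, key):
    """Hash of the entire PAN; the HMAC key is this example's addition so the
    small space of valid card numbers cannot simply be enumerated."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

def scrub_line(line):
    """Return (line with each Luhn-valid PAN truncated, count of PANs found)."""
    found = 0
    def repl(match):
        nonlocal found
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)  # not a card number, leave untouched
        found += 1
        return truncate_pan(digits)
    return PAN_CANDIDATE.sub(repl, line), found

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(scrub_line(entry))
```

A non-zero count from `scrub_line` on existing logs or database exports means a full card number was stored in the clear somewhere it should not have been.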
 

maskari_gti1

Go Kart Champion
Same things happened to me. My credit card was charged $1400!
I made two purchases, one from ECS and the other from KefferVW.
 

Shini

Go Kart Champion
That really stinks. Hopefully ECS was doing "all they could" to keep the info safe...No one is infallible though. Such is the risk of using our convenient little buddies the credit/debit card!

Why yes ECSTuning...I did not buy that k04...Oh? I never got it...Must have gotten lost in the mail :lol:
 

grambles423

Automotive Engineer
Sucks because ECS will probably lose A LOT of service over this. Especially now seeing that the letter shows the same attitude that their customer service shows. They've gone downhill lately.
 

slush.puppie

Ready to race!
i got that letter in the mail a couple days ago. super psyched about that. i already monitor my credit card activity regularly, but i don't want to have to hassle with disputes, etc.
 

Niebeendend

Ready to race!
While credit card fraud is certainly a pain to deal with, I think it's important to remember that you have NO liability if your credit card or debit card number is stolen and you retain the physical card. The bigger issue is if your physical card is stolen - there is little liability for credit cards but up to unlimited liability for debit cards depending on when you report the loss.

Credit Card Loss or Fraudulent Charges (FCBA). Your maximum liability under federal law for unauthorized use of your credit card is $50. If you report the loss before your credit cards are used, the FCBA says the card issuer cannot hold you responsible for any unauthorized charges. If a thief uses your cards before you report them missing, the most you will owe for unauthorized charges is $50 per card. Also, if the loss involves your credit card number, but not the card itself, you have no liability for unauthorized use.

http://www.ftc.gov/bcp/edu/pubs/consumer/credit/cre04.shtm
 

TurtleJames

Go Kart Champion
Sucks because ECS will probably lose A LOT of service over this. Especially now seeing that the letter shows the same attitude that their customer service shows. They've gone downhill lately.

Couldn't agree more. That letter would just piss me off more. They have a pretty slick website, and lots of items (when in stock), but their customer service and pricing is ridiculous. When you can get parts at a dealer for cheaper and faster, then there's a problem....
 