First of all, thanks for your understanding with the user account registration requirement. I know it’s an inconvenience. I’m hoping it’s only temporary. It’s necessary to stop our site being spammed by the bad guys.
We had a scripted attempt to use our website as a passthrough – not a data breach or data theft or any of the other awful things you’d have undoubtedly seen on the news. No user information was accessed, and they weren’t even trying to.
What they do is find websites that allow credit card use and then they use that as a way to batch check credit card numbers to see if any of them work. They’re not looking to access any of our data, they’re simply using us as a pathway. Doing this against 100s of websites at a time allow them to test thousands and thousands of stolen numbers in a short time and get around bank API limits and all sorts of other technical jargon.
What do I need to do?
None of your data was accessed. Your credit card/paypal information never touches our servers – not even temporarily. So even if someone did gain full backend access to our systems your credit card and paypal info simply isn’t written here anywhere. All of that is handled during the checkout process by the banks and paypal’s sites.
Site changes for security?
I’ve always kept the website up to date with security patches, site hardening, certificates, etc. There’s only so much you can do at the end of the day without making it difficult for real people to use it. Hacker style groups will always find a new gap, and it’s a constant back and forth security dance between site owners and the “bad actors” as they’re often called.
I’ve changed the order process so that you’re required to have a user account before your order will go through. You can setup an account as part of the ordering process. It may mean you’ll have to click an email and confirm your registration, etc. What this does is put a small lock on the door these script groups are using. I appreciate that it’s also an inconvenience for everyone who’s using our website for its actual purpose!
The only data this will keep about you that isn’t already kept, will be a username and a securely hashed (encrypted) password. With that in mind, don’t use the same password on multiple sites. None of your banking details will touch our servers in this new setup – as always that redirects to secure banking sites.
If you have any problems of course, don’t hesitate to tell me [email protected]
Thanks for your patience and help with this