[mysterick]

I just sent a 40mm lens to Precision in CT on 3/24. I used my credit card to expedite the order. My bank called today and said that my card has been compromised . Not having used my card for anything lately and looking at their website's address, it looks like it is not encrypted. Just wondering if this has happened to anyone else? I contacted Precision, but we all know that works(?)!

[Adam]

I just looked, and the repair service form is not secure. Anyone on your local network, at the same coffee shop, or on Precision's network could have intercepted your submission in the clear, not to mention ISPs, security companies, and so on. If you don't have a password on your home network, anyone nearby can connect and track your traffic.

Never submit any credit card or personal information unless you see "https" and a green lock in the address bar.

[a5m]

Wow....

About a month ago my Amazon Visa was compromised. For the life of me I couldn't figure out how it could have happened since I rarely use it. I figured someone scanned it or something through my wallet when I was out and about. Now I'm pretty sure it was through Precision Camera's website. I've only sent gear to Precision for repair under warranty and I always used that card. But it never got charged so there wasn't any trail for me to link it to Precision.

Thank you for this post. It solved what had become a mystery to me. I'm almost 100% sure it was Precision's website. But Precision has stepped up ther game lately. Bringing this security issue to their attention might actually get it resolved.

I hope everything gets sorted on your end. Credit card companies are pretty good nowadays with fraud protection.

[Adam]

I am forwarding this to Ricoh's corporate office...

Adam
PentaxForums.com Webmaster (Site Usage Guide | Site Help | My Photography)



PentaxForums.com server and development costs are user-supported. You can help cover these costs by donating or purchasing one of our Pentax eBooks. Or, buy your photo gear from our affiliates, Adorama, B&H Photo, KEH, or Topaz Labs, and get FREE Marketplace access - click here to see how! Trusted Pentax retailers:

[geomez]

Wow! I'm following this thread. Too big an issue to not stay updated. I'm sorry to hear of those who's cards were compromised.

[ripper2860]

HTTPS only encrypts over-the-wire as it is transmitted. Other questions come to mind ...

Do they retain CC info on their server? If so, is it encrypted or stored as clear text?

The server may be compromised and if not encrypted, CC information could be harvested and sent to who knows where. If they take security seriously, they'll thoroughly assess their server for a breach. If they didn't think enough to secure their form site, odds are their server security is lacking.

[lightbox]

Excellent advice posted. The enforcement of HTTPS that browsers are starting to push these days is a very good thing for consumer safety. Some more common sense tips:

- Always confirm the address is as you expect. No typos in the address bar.
- Don't follow links. Always type the address manually.
- Check the site's certificate to ensure that a) the domain is correct and b) it's signed by a well-known issuer (i.e., DigiCert). The green lock icon is a visual indication of authenticity.
- If you must use public or unsecured WiFi, look into a VPN service to secure your private traffic from snoops and eavesdroppers.
- Don't ever use any public or untrusted computer / browser to transmit sensitive information.
- Keep a dedicated CC for online use and find one that has very good fraud protection and refunds you in case of unauthorized charges.
- Don't use the same password on all of your accounts, especially financial ones or sites storing sensitive information about you. Change them often, and make them unique and strong passwords. Possibly use a credential management system like LastPass or KeePass.

[GuitarGuru76]

This solved a recent issue I had recently, my card info was compromised and someone made 2 purchases thru Expedia recently. My only recent use of that card was with Precision, for my K-01 repair. It was never charged for the repair, (Ricoh covered the repair).
What a sad situation. Ricoh's corporate office should be notified.

[UncleVanya]

I fully expect those of you with compromised cards are right - but do understand the card can get stolen over 12 months ago and only surface now. The aggregators of this data sell in chunks and stolen card numbers are often quite disconnected in time from the time the theft attempts are made.

[clackers]

I just looked, and the repair service form is not secure.

Amateur hour!

These guys presumably have a contract to deliver an enterprise standard service.

[GuitarGuru76]

I fully expect those of you with compromised cards are right - but do understand the card can get stolen over 12 months ago and only surface now. The aggregators of this data sell in chunks and stolen card numbers are often quite disconnected in time from the time the theft attempts are made.

Yes, this would have been October of last year for me.

[Adam]

Amateur hour!

These guys presumably have a contract to deliver an enterprise standard service.

They're living in the 90's still, it seems.

[SpecialK]

Some years ago, my former and now-defunct employer was required by the bank to change the whole credit card processing procedure. Encrypting, shredding anything showing the CC # (once the transaction was finished), not being able to see the entire number when the order was looked up, putting the server in a locked room, etc. It was a hassle for the IT people I'm sure, and a major inconvenience in my job (processing orders and refunds, and looking for fraud).

[wissink]

Is it possible the CC company says its compromised simply because Precision does not meet security requirements?

[UncleVanya]

PCI compliance requires better than this.