Let's guess which one of these websites (Which I purchased game related things) stole my CC.

So 2 weeks ago or so, I used a CC that I basically *Never* use online to make 3 purchases. And today I find out that card somehow got compromised, with someone at least 3 hours away (As the purchases showed from being from tomorrow on my account) purchasing a 72$ E-Harmony subscription and attempting to buy an 800$ plane ticket. Luckily Capital One's fraud system is pretty good at catching stuff.

So let's figure out what those 3 purchases were.

They were as follows.

Aliexpress.com I purchased a repro(bootleg) copy of Dracula X for the SNES with the intention to reshell and relabel the game as a fun project. (Because i'd really like to have a copy of this game that doesn't cost 2-400$ on real hardware with a nice looking cart).
https://www.aliexpress.com/item/Cas...ge-16-bit-46-pin-USA-Version/32809405096.html

I paid the extra 50c for slightly faster shipping. Still nothing in the mail yet. Not a huge deal.
It's been 13 days or so. It's coming from China, I expect longish transit.

retrogamecases.com I purchased two SNES shells from for this project.
https://www.retrogamecases.com/shop/products/replacement-parts/snes-replacement-parts/
I purchased Black and Translucent Red. Both came super quick within a week.
I was originally going to purchase the labels here too, but I was slightly worried about the quality. The quality of the carts is great. The back labels they came with, are OK. The color is inaccurate, skewing too red. But it's decent.

gamereproductions.com Same day I found this site and they offered holographic labels and higher priced "premium" labels. So I placed an order for 3 labels.
https://abload.de/img/draculaxx8-1copyfjsga.png
https://abload.de/img/draculax1-1copyhasyx.png
https://abload.de/img/draculax7-1edsl9.png (Feel free to use any if you want)
In the order confirmation it says there is a 30-45 day lead time or whatever. Which struck me as odd, then I looked around and found out people have a lot of bad experiences with this guy. Super slow, no communication. I was hopeful if I just waited the month things would be fine.



So which of these 3 looks the most suspicious eh?

gamereproductions.com shows up on my CC statement as gizzygames.com located in Kentucky.
Something that doesn't make sense, and i've never heard of this site before.
Here's the Whois for gg http://whois.domaintools.com/gizzygames.com
And GR http://whois.domaintools.com/gamereproductions.com Some place in Germany?

The other two look accurate and RGC even includes the order number in the statement.


I have zero viruses on my PC or Phone, I use a different PW for every website, both my credit cards are through the same company and I haven't had any issues with my main card I use online.


Think it's coincidence, am I over thinking or did one of these places screw me over. I'm leaning Gamereproductions..

 

This might be a bit of a stretch but I have has a personal experience with this.
At one time a gas station had it's pumps compromised and anyone using it had their information taken. Granted they were caught but they made devices and somehow hooked them into the machines. Those caught had made clones of the cards themselves which was interesting.
If you're only using the CC for these transactions (and i stress those only) then I feel your assumption is correct. HOWEVER, if you do use it other places I would like to have you look into any other transactions.

Others might have more input than I do, but believe me, that can be compromised anywhere, any way.

Those who stole our info were caught trying to sell gas to a competing gas station. They bought like 1500 in gas too. Perhaps not the brightest bunch out there.

 

Take into account the sites themselves may be hacked and depending how vulnerable the site is and how they store your CC information, any old script kiddy can obtain your data without the site owners knowing anything about it.

 

I'd bet on gamereproductions.com.
Just look at the about page : «Wèiyú zhōngguó -Zhang».

On Aliexpress, the seller never gets the money until you get the package.

 

I have bought from retrogamecases before, and deal a lot with ali. So far, never had any (CC-related) issues. Therefore, +1 for gamerepros.

 

I wouldn't suspect Ali, it would be a PR nightmare for them if CC data was stolen by sellers. However the same applied for Sony's PSN......

 

Gee, an about page that just says "Located in China - Zhang". Sounds totally professional and legit to me! (^_^);

 

That's an interesting story. I buy gas maybe once a month, last was at a Costco less than 2 miles from my house using this card. And given we are in OR, we aren't allowed to do it ourselves. Totally plausible. They only take Visa so I had to use this card there.

But yeah, these are the only online purchases I have made with this card and then it gets compromised. I've used my other card at some of the same physical locations and no issues with that one.

I flagged the GR purchase as fraudulent (I didn't see their about page before. That makes it even more suspect) so hopefully they undo that. And I'll just order my labels through RGC.

I received my bootleg in the mail today also. The PCB seems good quality but the shell is poor, one of those Piko snap together shells with some extra metal screws. Way poorer in quality compared to the RGC shells I ordered.

 

I'd also go with GR.com, but as Pixel said you can get your card compromised in physical stores too. There was a big batch of cards that got compromised here, mine included, where everyone that was affected shopped at both the same pharmacy and gas station.
No matter how you shop, you can get hit. Just gotta keep an eye on your CC statements, or keep a low limit so if someone gets your card it will reach the limit and get denied quickly. You'll quickly know somethings up when you get denied

 

We're talking about EMV cards right? Those cards were made to be difficult to copy, so only magstripe cards (or if you swiped your EMV card) can be easily copied.
Over here where I live, the magstripe fallback is disabled to prevent this security risk from existing.

 

The specific part about this was that law officials stated that some device they made had some technique if messing with the cards but only if you printed a receipt. Incidentally that was the only time in 15 years my family printed a receipt at a gas station.

I don't remember the details, but I do remember that it had something to do with receipts that made their thing work.

Costco I wouldn't worry about.

 

My brothers card got cloned via an instore PC world purchase. I wouldnt be so fast to jump to conclusions.

There was an article not long ago about card readers all around the world being shipped to the stores with cloning tech in them. This wasnt put in while the stores had it - it was done at some point in the supply chain. Just because its a big name, doesnt mean it cant happen.

 

You have a brother!?

 

sister too, why is this so strange?

 

I mostly paywave, and even that takes like 2s to copy data. Just be sure whatever bank you're with has a good policy on card fraud.

 

Yes it's an EMV card, most places don't let you swipe it if you have a chip. And some don't let you swipe if the chip doesnt' work either.

This is true. If I had heard about anyone else around here having that happen, It would make sense as well.
I generally shop at the same few places here. I did use the card when I went on a trip back to CA about a month ago at a few chain places. Could've happened there too I guess.

Luckily my bank is super easy to deal with this. They are already sending me a new card and have locked the old one. And they even let me charge back the GR purchase. So no issues there. Very nice.

 

Could you be referring to the man in the middle attack when a purchase is made with a signature? We did a case study on it, during the short security module that I took a few years ago.
It's only possible, if you let somebody tamper with your card (i.e. you lost it) and if that said individual is allowed to hook a computer to it while the card is inserted into the POS terminal.

 

Went to a gas station
Swiped card (chips were not even in early adopters at the time for here in the US)
Got our gas and leave
Somehow a physical copy of it was made with all relevant information. (authorities told us a device was hooked into the machine by a third party; the ones with cloned cards)
Purchases were made with cloned card

The way they explained it was that they had managed to open the pump kiosk with it's special key and lock nonsense (really neat lock personally) and implant a device to log any card info that was inputted.

Point being - fuck magstripe. Just use the damn chip

 

Forgive my ignorance but are you making a Terminator 2 joke or is this something that really exists?

 

I'm pretty sure at this point magstripes are only on cards worldwide to maintain compatibility with the US - everyone else has moved on