Lone Wolf Development Forums  

Framses
Junior Member
 
Join Date: Jan 2012
Posts: 1

January 11th, 2012, 02:08 PM
I am writing to inform you of a severe security flaw in your software Herolab and the Lonewolf website.

On January 9 I made a purchase in the amount of U.S. $ 29.99 using my license of Herolab HPGCUQ5ERQUY???.

As you know, it is necessary to provide credit card data for the payment to be collected. Here is the security flaw, because my data was used to make three purchases of high value in foreign stores just after I made payment on the website of Lonewolf.

Here are the purchases and their values:
SPORT IMPORTS STOURBRIDGE U K U $ 607.38
The Sports U $ 322,778
Crucial.com U $ 476,467

Unfortunately, I am led to believe that someone in your organization with access to these data made the purchases, because my computer went through a thorough check and is not infected by any virus, and I did not make purchases on another site earlier in the day.

I contacted the companies named to identify the author of the orders.

My credibility in Lonewolf is severely shaken by this incident and I ask that you try to clarify what has happened and, if possible, inform me if you discover something.

Sincerely,
Francis Almeida
rob
Senior Member
Lone Wolf Staff
 
Join Date: May 2005
Posts: 8,232

January 11th, 2012, 03:03 PM
Well, I don't think it's actually *possible* for someone to steal sufficient credit card information from us to make an online purchase anywhere. The reason is that the charge is processed automatically by the server and critical information like the security code and expiration date are immediately thrown away. They are *never* saved on our server anywhere. So even if someone could hack into the server (or an unscrupulous employee looked at the saved data), the security code and expiration date wouldn't exist anywhere.

Since I've never seen an online website accept a credit card without at least an expiration date, let alone the security code, it doesn't seem possible that the information could have come from us.

We take the above steps as a security precaution. If the data is never stored on our server, then our customers' data cannot be compromised. We *do* save the credit card number, since that's required for us to be able to process refunds. However, the card number is heavily encrypted, so access to it would require a complete breach of our server security *and* the ability to decrypt the card number.

The only way someone could get the expiration date and security code would be to directly intercept the information during the time it's transmitted from your browser to our server or from our server to the credit card processing service we utilize. In both cases, the transactions employ SSL, so the likelihood of someone being able to intercept the data is extremely remote. And if someone had that capability, they'd gain significantly more by intercepting charges on Amazon or eBay.

You may want to check who had access to your computer after you placed your order. Depending on how you have them configured, some browsers will retain all the information in their cache. So if someone else accessed your computer and returned to the online ordering process, it's quite possible that the values you entered were remembered by your browser and displayed to someone else.

In addition to the precautions outlined above, we have numerous other safeguards in place to first prevent and, failing that, automatically detect any attempt to access our server by unauthorized individuals. I can go into those details directly with you via email if you wish, but the first thing you need to verify is whether the fraudulent orders were placed with an expiration date and/or security code. If so, that data could not have come from us, since that data is never stored on our server.

I'd be happy to investigate this further for you and to provide you with any information that might assist you in identifying the culprit. Please contact me directly via email to continue this discussion. You can reach me at rob at wolflair dot com. Alternately, you can call the office here at 408-927-9880.