Was marketplace hacked? My credit card info was stolen.

I got a new credit card. I used it at 4 places online (and nowhere else, ever – I’ve had it less than a month):

  • Amazon (Several times, starting mid November, including Dec 1st)
  • A furniture store online, November 16th
  • Unreal Marketplace, Dec 1st
  • Apple (Dec 8th)

On Dec 1st fraudulent activity started. On Dec 10th the credit card company noticed the fraudulent activity, and we got the fraud sorted out from the real purchases and a new card issued.

So now I’m waiting for my new credit card to arrive, but I’m wondering…

Was it Unreal Marketplace that lost my credit card info??? Has it been hacked? If it was Amazon or Apple, I would have expected it to hit the news already. It could have been the furniture store, but that was about 2 weeks before the fraud started happening. The fraud started happening on the same day as my marketplace purchase, shortly after the purchase. It leaves a bad taste in my mouth… :frowning:

Credit card information can be obtained without you ever even using it. I can walk by you and steal your information with a device smaller than a quarter and you’d never know.

Also, if fraudulent activity started on the same day of a purchase, its probably not the service that was hacked but rather your interface with the service, i.e. the pc on your end was/is probably infected with malicious software.

I have (ironically, you might say) spent the last 15 years working in the PCI (Payment Card Industry) security sector for my day job (the UE4 stuff is new for me), so I’m quite aware of the attack vectors. I can rule out some speculations.

  • The card was not RFID equipped, so your RFID reader attack isn’t going to work, no matter the proximity. There was no wireless component to this card.
  • I never used the card at a physical store, so there was no possibility of skimming by a waitress, etc.
  • Never having brought the card out into public also negates the possibility of shoulder surfing or other optical compromises (unless it was at my house).
  • If my computer (a Mac, by the way) had been infected by malware, then I would have expected other compromises with the other cards I use much more often online (I do purchases for my night job, my day job, as well as lots of Christmas shopping online). It seems unlikely that my least-used card would have been my only problem if I had been compromised locally. Not impossible, just unlikely. It’s also unlikely that I have malware at all given my non-risky habits (being boring pays off security-wise), my platform (OS X), and the fact that I’m the guy that helps other people secure their networks, servers, workstations, and devices. It would certainly be a fun twist if it turned out to be local malware, though. Never say never.

I don’t disagree that it’s still likely that the card was compromised from some other attack vector other than a back-end hack of the Unreal Marketplace store. It could have been the furniture store, a disgruntled relative snooping at my home, a compromise at Amazon (small-scale compromises by privileged employees are always possible…), or something else I haven’t even thought of.

BUT, as one of the only 3 places I used the card before it was compromised (the purchase at Apple was after the compromise), I really want to bring this to Unreal’s attention. If other Marketplace patrons also experienced compromises after purchases around the same date, then Unreal will want to take quick action. If it’s just me, then it probably isn’t anything that the Unreal folks need to worry about.

Oh, and of course I’m alerting the furniture place as well. Same thing goes for them. If a whole bunch of their customers have the same problem, well…

I don’t know what I would do to alert Amazon. That seems a lot like trying to find the doorbell on the death star…

I may never find out just how it happened. We’ll have to see.

@SaxonRah: By the way, what’s a “Victory Contributor”?

Ehh, my Google account detected and stopped a login attempt from someone half way around the country using a different browser than I, who had my password yesterday, so I know what you mean. Luckily all of my financial stuff has a much more secure password. Question is, how did they find out my other password? I don’t think my case has anything to do with the marketplace, just thought I’d mention something similar happened to me yesterday.

Edit: Victory contributor means that he contributed code to the Victory Plugin by Rama.

I know! It feels horrible, doesn’t it!

Thanks for filling me in about the Victory Plugin. Looks interesting.

Sorry to hear you’re going through this. I’ve had a run in with stolen information in the past, one of the things I noticed was that it was a couple of weeks after purchasing from the specific place. The chances the information was stolen and then used on the same day are slim, at least in my experience. Is it a reputable online furniture store? I’d certainly like to hope it isn’t Amazon given that I use them as well. If it were them or Apple, I wouldn’t expect to hear much about it until a great many cases are found.

Got hit before too, almost identical scenario: Amazon (online), airline (online), PC retailer (in-store), reputable furniture store (online).

Two-weeks later: bang!!!

I always expect this to happen when travelling around Asia & South America, but so far so good, go figure!

It seems like one to me, but all I really know is that my workplace (day job) has been purchasing desks and equipment from them for a year without incident.

Irrelevant, but I just got an Updesk, 'tis legit.

Good to know. I’ll feel a bit more comfortable when my desk actually arrives…

Thanks for doing the reviews for the Jams, by the way. The MegaJam was the first jam I participated in. “Solid prototype,” you said. :wink: I considered that high praise, considering it’s my second UE4 project ever, and first jam submission. Epic MegaJam Submission Thread! - Events - Unreal Engine Forums

i don’t use my bank card online anymore. i use paypal with my phone setup as a security device where i have to put in a code that is sent to me for every purchase. it’s a pain but i was at work one day and i started getting emails about paypal purchases i hadn’t done. they had emptied my bank account and with each transaction failing would be followed by another attempt at half the amount until they got as much as they could. luckily i called paypal and they dealt with it for me. the money was never really lost it was just in transit to paypal so i got it all back 3 days later. paypal is excellent to deal with when it comes to fraud, i cant speak highly enough of them. i had a regular payment due in those 3 days and paypal paid that themselves for me. paypal gives you a buffer to be able to stop the fraud from completing.

Paypal??? Yikes! They have a god awful reputation in many jurisdictions.
Ideally you should never use a bank card unless its a credit card anyway.
With Visa etc the protections are internationally recognized and much stronger than what Paypal offers…

my bank card is mastercard debit card, it works the same as a credit card but without the debt and interest :slight_smile:

paypal has always been smooth and easy for me.

I’m pretty sure we got more complaints if Marketplace was compromised so I think you should check your other purchases

Hey CleanCut,

Sorry to hear about you are experiencing this issue. We have not seen anything wrong on our end that would leak any information from your account, but we will keep a lookout for anything suspicious.

You should be aware that debit cards generally have no fraud protections at all. So if they’re compromised, your money is usually just flat out stolen, nothing you can do about it. With credit cards they’ll often cover all the fraud costs, though sometimes there’ll be a small charge ($50 or $75 or something). PayPal…does sorta whatever it wants, as far as I can tell. As a seller on PayPal they once siezed a couple hundred bucks straight out of my checking account due to a fraudulent claim by a buyer. Lucky for me I was able to prove delivery via tracking, and they returned the funds after a FEW WEEKS, but I didn’t appreciate being forced to issue them an interest-free loan right out of my checking account for the duration of the dispute.

Okay. Thanks for the official response! That’s what the furniture place says as well, so I guess the actual source of the problem will remain mysterious. Can’t say that I’m surprised, unfortunately.

Ouch! The US seems to have the worst Paypal customer support…

Could have been a payment processing ‘entity’ that consumers don’t know about and aren’t aware is part of the chain of the transaction.
… [Numerous Heartland & RBS ‘massive data breaches’ come to mind etc]…

CleanCut, my bank (BCI/TBANC Chile) block my account when i buy any item in marketplace. But my transaction was not realized and blocked my card (MasterCard). I called to bank and they told me that epicgames was a fraudulent trade. They authorized me per one day to buy in epicgames and unblocked my card D:!

Interesting. I wonder why a Chilean bank would categorize EpicGames that way.

Probably because it was out of the country. My US bank does that when I try to buy games. I end up just using Paypal.