Public service announcement.

I have a card for Internet transactions. The only site it was loaded against was Paypal and Turbine. I do not think Paypal has been compromised so that leaves Turbine.

It only had a small limit and the thieves ran it up to that limit.

The day I heard that DDO was compromised I requested my card was removed from my account (no small task in it's own right). But it would seem that the horse had already bolted.

The lack of info from Turbine on the hacks and what they got was of concern. Now that my card has been stolen I am greatly concerned.

Turbine. You should send emails to all your customers directly stating what actually was compromised, what you have done to resolve it and a general apology. The waffly post about forums only being compromised seems to not be the case. Man up and tell the truth. Tell us exactly what and how you were compromised and how you have fixed that. You ain't ever going to see a dime more from me unless you correct this properly and professionally.

Over to you all how you take this but thought I would share.

I'm not saying it *wasn't* Turbine, but...
You have entirely too much faith in Paypal.

Back in 2004, I was stationed overseas in Korea - had to live off of $300.00 for a month while my new credit card got shipped to me, all because Paypal had a breach that affected hundreds of thousands of their users.

but that was 2004 ... they learned a lot since then plus being hacked is big news and there is no news on paypal being hacked recently. Also I have a second card on paypal so if my account was compromised then likely that card would have had transactions on it as well and it doesn't.

What we do know is DDO was hacked ....... Turbine has not been very forthcoming on what actually occurred and my credit card for the first time in 20 years has been stolen.

There could also be a problem on your end. A virus/keylogger could easily be to blame. And with the sheer volume of paypal phishing scams, are you absolutely certain Turbine's to blame?

This is why I use a pre-paid credit card (https://www.greendot.com/greendot/getacardnow/qualify?offer=C101&utm_source=Google&utm_medium=cpc&utm_campaign=Green-Dot-Brand-Search&utm_content=C101&utm_term=adtext) for DDO, one that only has the amount of money I put on it. You can buy the refill cards at many locations. At least I've never had a problem doing so. And it works just fine with DDO, Steam, Sony Online, and a few others I've tried.


The advantage is, for me, that I know exactly where the money is going and how much. And if the CC number gets nabbed by internet hooligans - the most they'll be able to charge is the spare change that might be on the card after I make whatever game purchase I wanted to make.

I did put highly likely in the thread title.

I run Linux and do all my account management/browsing from there. My only windows PC is for games only and the only game on there was DDO. I do not browse from my games machine except to the ddo forums.

As I put I have 2 cards on paypal and the second card has not been stolen. IF Paypal was compromised (or my account etc) then why would they not take and use both cards? Highly unlikely but possible hence why I have stated highly likely in the thread title.

There are other threads on people believing they have had there cards taken recently. We know for a fact Turbine was compromised.

Hey I don't care now I am sorted. Believe what you will. Trust the hacked company by all means, over to you.

How to get your CC info from a forum account:

1. if your forum name/password are the same as your DDO/turbine account name/password.
2. if you PM'd your DDO/turbine account name to a mod when you applied for Mournlands and saved your PM history, and use the same password as your forum account.
3. probably more that I have not immediately thought of

This is why I use a pre-paid credit card (https://www.greendot.com/greendot/getacardnow/qualify?offer=C101&utm_source=Google&utm_medium=cpc&utm_campaign=Green-Dot-Brand-Search&utm_content=C101&utm_term=adtext) for DDO, one that only has the amount of money I put on it. You can buy the refill cards at many locations. At least I've never had a problem doing so. And it works just fine with DDO, Steam, Sony Online, and a few others I've tried.


The advantage is, for me, that I know exactly where the money is going and how much. And if the CC number gets nabbed by internet hooligans - the most they'll be able to charge is the spare change that might be on the card after I make whatever game purchase I wanted to make.

yup sorting out a debit card now .... my Internet used CC is 20+ years old and had a $1K limit for this reason so they only got $700 and that will be reversed. When I set this CC up for international/Internet use debit cards did not exist and I am very careful so it's never been an issue. I made an exception with Turbine and I've been bitten so my fault. Time to adapt :)

They don't sell refill cards in my country.

They don't sell refill cards in my country.
Ah, that sucks. :(
On all points... sucks that your card # was stolen, regardless of from what source - and that you have had to undergo the hassle of a change.


I hope they didn't get much and that this is the last time it happens to you.

How to get your CC info from a forum account:

1. if your forum name/password are the same as your DDO/turbine account name/password.
2. if you PM'd your DDO/turbine account name to a mod when you applied for Mournlands and saved your PM history, and use the same password as your forum account.
3. probably more that I have not immediately thought of

my turbine account name has always been different to my forum account name. I won't be surprised if they are linked and or recorded in the forum database though.

Turbines lack of transparency on this serious breach of trust is of most concern. We all sit here guessing and it is impossible to ever trust them again unless they come completely clean. Sony made that mistake and look at how much that cost them.

Ah, that sucks. :(
On all points... sucks that your card # was stolen, regardless of from what source - and that you have had to undergo the hassle of a change.


I hope they didn't get much and that this is the last time it happens to you.

Thanks for the kind words. They got $700 which will be reversed. Card is canceled (one phone call) and I don't use it for anything but DDO and the odd Internet purchase via paypal so its no big deal. The only hassle is I have to go to the bank to sign up for a Debit Card as they can't do it over the phone. Going for a walk in the sun can't be that bad for an ex DDO addict :)

Turbines lack of transparency on this serious breach of trust is of most concern. We all sit here guessing and it is impossible to ever trust them again unless they come completely clean. Sony made that mistake and look at how much that cost them.

If there is evidence that financial data was compromised, they are required by law to notify people. Since we haven't heard about that, either Turbine's player account records weren't the target of the hacking or Turbine found out about the security flaw before there was a hacking attempt or Turbine are a bunch of criminals. You, apparently, believe the latter. I don't.

It is monstrously easy to get credit card information, so its not "highly likely" that the theft occurred via Turbine's databases. Its simply "possible" since you don't have any idea what happened to your card. Or to Turbine's forums, for that matter.

Far more likely to be a problem at your end, or at Paypal, than at Turbine's end...

but that was 2004 ... they learned a lot since then plus being hacked is big news and there is no news on paypal being hacked recently. Also I have a second card on paypal so if my account was compromised then likely that card would have had transactions on it as well and it doesn't.


I got shafted in that hack. Paypal balked on the whole thing, and in the end I lost about a thousand bucks- because I'd linked my bank account and my bank refused to waive the massive overcharges. I'm not saying it's paypal; it could just likely be turbine, or your card could have gone through a third party somewhere that you wouldn't even know about.

My point is the best bet is not to gamble on anyone else's security. Get a prepay card.

Sorry to hear that you have had false credit card charge problems. Also, I and probably many others appreciate you putting forward a well argued case that there may have been security issues here. In cases like this where there is a very limited number of possibilities, I think that at the least it makes us all more likely to keep a close track of our charges, which is only a good thing really...

Sorry to hear about the theft. This is one of the reasons I buy Turbine Point cards when I want to get more quests. They're safe from any and all forms of hacking.

Thanks to those that get it. This thread is purely to inform and encourage people to think and check how they operate.

For those talking about Paypal. My Paypal account was not compromised, nothing has come out or been processed through Paypal. I have another card lodged with Paypal and it has not been compromised.

Also ... within Paypal you cant see the credit card number under your own account ... just the last 4 digits. So it cant be a key logger and then someone accessing my Paypal account. It would have to be Paypal's database being hacked and cards stolen.

We know Turbine was hacked and had been for quite some time before they fixed it. We know they never came clean and reported exactly what happened to its customers. It took threats of someone going public with proof before they finally reacted. We have heard nothing about Paypal being hacked recently.

Does this prove it was Turbine ... absolutely not .... but use your brains, decide for yourself and react accordingly.

There is well document procedures/advice for companies that get hacked. What to do and how to handle the situation etc. Turbine has not come close to following this methodology and that is what is worrying. I never thought about it until I have been compromised. And again, for the record, the day I heard Turbine was hacked I started the process to get my card removed from their records. Only the gods know if they deleted it permanently from all their records.

I had a debit card linked to pay pal and lucky for me I only load it when I am ready to do a transaction on ebay they only got 50 bucks I no longer trust or use pay pal

Your point about having two cards on PayPal is null in void alot of time when information is stolen it is in blocks. Your data may or may not have been in the same batch as the other one. You have zero proof against turbine. I am sorry you got hacked you may have been doing your own data management for awhile but just saying most security breaches are human based error.

You have zero proof against turbine.

Fact - Turbine was hacked.
Fact - They took DDO forums down for more than a week.
Fact - The forums returned in a different format
Fact - Logging in and staying logged into the DDO forums is different than before they took them down
Fact - they have not fully disclosed what, how and how wide spread it was.
Fact - they have not disclosed what they did to rectify it.
Fact - they did not notify all individuals who were effected.
Fact - they have not apologised for their incompetence.

Coincidence - my credit card that is only ever used for online transactions and was only ever loaded with Turbine and Paypal was stolen.

I have never stated categorically it was turbine.
I stand by my "highly likely" statement.

When people were talking on the boards about they can hack turbines accounts ... many people made statements like yours about how unlikely it was. Well who was right on that one.

Keep your head in the sand by all means. I don't care at all about my card being stolen, it's canceled, the charges are reversed, I have lost nothing other than a 10 minute phone conversation to get it sorted.

This is not about me .... This is about Turbine security or lack of it and their lack of full disclosure.

Thanks for the neg rep.

Thanks for the neg rep.

Wow, must have been a Turbine employee, the person who hacked your account, or someone who thinks that there is no way that they can ever be hacked.

I'm sorry your information was compromised and I hope that Turbine better holds to its end of the bargain, as far as our security, in the future.

Fact - Turbine was hacked.
Fact - They took DDO forums down for more than a week.
Fact - The forums returned in a different format
Fact - Logging in and staying logged into the DDO forums is different than before they took them down
Fact - they have not fully disclosed what, how and how wide spread it was.
Fact - they have not disclosed what they did to rectify it.
Fact - they did not notify all individuals who were effected.
Fact - they have not apologised for their incompetence.

Coincidence - my credit card that is only ever used for online transactions and was only ever loaded with Turbine and Paypal was stolen.

I have never stated categorically it was turbine.
I stand by my "highly likely" statement.

When people were talking on the boards about they can hack turbines accounts ... many people made statements like yours about how unlikely it was. Well who was right on that one.

Keep your head in the sand by all means. I don't care at all about my card being stolen, it's canceled, the charges are reversed, I have lost nothing other than a 10 minute phone conversation to get it sorted.

This is not about me .... This is about Turbine security or lack of it and their lack of full disclosure.

Sorry to hear that you had fraudulent charges. I can't agree with your logic about the cause though. I could use your same process of elimination logic and say because there are not slews of other posts about people getting hacked, then it is highly likely that the problem is on your end. Or do you think the thieves found that it worked on you but decided $700.00 was enough and didn't repeat it on anyone else? Or that people on these forums don't complain when they think something is Turbine's fault? ;)

If I were to post a PSA, it would be to follow Turbine's advice after the forums came back up and change your password as a precaution.

Public service announcement.

I have a card for Internet transactions. The only site it was loaded against was Paypal and Turbine. I do not think Paypal has been compromised so that leaves Turbine.
Hypothetically the compromise could also have been to your own computer.

Greetings,

Please understand that I am in NO WAY a Turbine representative.

The information you are about to receive is based on how gaming companies generally work.

If you feel your account has been compromised in any way, contact them directly. Don't take your story to the forums. The only thing us chumps can do for you is just comment on your story.

Your story seems fishy to me. As stated by other folks, security issues are often human error related.

Such things as credit card numbers of customers is very sensitive information. ANY gaming company (or any other kind of company) must obey certain laws in the US regarding the protection of sensitive data.

When you use a "real" credit card, you are insured anyways for this type of fraud. With a debit credit card, I am thinking you don't have that protection.

Anyways, if you have a security issue, take it up to Turbine directly. Talking to us about it is just trying to attract the cube...

Have Fun ! (tm)

Darkmotion
Security Board Devil

Fact - Turbine was hacked. So are many other forums and bussniess on any given day
Fact - They took DDO forums down for more than a week. Yep good thing there are other social sites forums to use
Fact - The forums returned in a different format things change thats life
Fact - Logging in and staying logged into the DDO forums is different than before they took them down Login busted, same as the lotro forums has been for over a year
Fact - they have not fully disclosed what, how and how wide spread it was. They don't have to and shouldn't release that info.
Fact - they have not disclosed what they did to rectify it. Yes lets tell the criminals the new security measures to make it easier for them next time
Fact - they did not notify all individuals who were effected. Maybe they were not effected by what happen. or had a old/false/sent to spam email address
Fact - they have not apologised for their incompetence. They don't have to, apologizing is bad, admits guilt and lawsuit which lawyers tell their clients to avoid doing.

Coincidence - my credit card that is only ever used for online transactions and was only ever loaded with Turbine and Paypal was stolen.

I have never stated categorically it was turbine.
I stand by my "highly likely" statement.

When people were talking on the boards about they can hack turbines accounts ... many people made statements like yours about how unlikely it was. Well who was right on that one.

Keep your head in the sand by all means. I don't care at all about my card being stolen, it's canceled, the charges are reversed, I have lost nothing other than a 10 minute phone conversation to get it sorted.

This is not about me .... This is about Turbine security or lack of it and their lack of full disclosure.

I like how people think its a straight path between Customer and Merchant when using a credit card.

There are are about dozens of banks and interchanges which credit card information has to go thru. Your card card info could been compromised at the bank turbines uses, the credit card issuers bank, one of probably dozens of networks between the banks.

Bash,

I have not been online much over the last few days, nor have I heard of your plight. I will be checking my credit card info, bank accounts, and reviewing things in general. Thanks for the update of a potential risk involving Turbine.

As for all of you nay-sayers and negative nancies out there. What about could have possibly been do you not understand? He was trying to do all of us a service by bringing this forward. Do you think he didn't contact turbine? Do you think that he is doing this to slander DDO? What would that possibly accomplish?

Yes, I am a guild mate and fellow officer in the same guild, so before you guys spew your vitriol about us being friends, guildies, or whatever; you need to check your negativity. For those that know me, know that I am diplomatic in all things. Right is right blah blah blah. Bash, is a good guy, has a good heart, and was trying to help others. Why can't you see that?

I agree that there are several ways for things like this to happen, but through the process of elimination he seems to be narrowing in on the culprit. Yes, there are people out there that are more proficient with computers, programming, keyloggers, and so on than Bash; however, he is very accomplished in computing technology.

Why can't people say things like: Thanks for the update or Hey, man it could be Turbine, but have you checked blah blah blah? Why such vitriol? Are your lives so bad that to feel better you have to be so outrageously negative?

uhh... the part I don't understand is the part where he "knows" it was Turbine.

Turbine already made an announcement about forum security and password updating. So that's not news.

The suggestion that his credit card was stolen from Turbine's database and they are illegally concealing this fact (since concealing it is against the law in the US) is just nonsense.

There are many ways his card could have been compromised that don't lead to Turbine. Turbine is merely a possibility and not even the most likely one.

The "logic" he uses to prove his point is a straightforward fallacy asserting coincidence as causation. He's not doing anyone any favors by spreading it.

If there is evidence that financial data was compromised, they are required by law to notify people. Since we haven't heard about that, either Turbine's player account records weren't the target of the hacking or Turbine found out about the security flaw before there was a hacking attempt or Turbine are a bunch of criminals. You, apparently, believe the latter. I don't.

It is monstrously easy to get credit card information, so its not "highly likely" that the theft occurred via Turbine's databases. Its simply "possible" since you don't have any idea what happened to your card. Or to Turbine's forums, for that matter.

Some people can be really gullible... do you honestly think that every time a company gets hacked and gets personal information compromised that they go out and publish that? They almost always try to play it out as a small thing; their goal is to recover with the smallest impact financially and try to avoid an embarassment, see how the stock holders like it when news gets out on the media that their company got some of their costumers personal information compromised.

Also I don't know how this didn't happen sooner(well maybe we just didn't hear some of the cases), but by not letting us being able to remove credit card info from the game withouth closing the account(really what the ****?) they are kind of screwing their customers and its just a dissater waiting to happen, and with Turbines track record of gross incompetence I would be really worried if I had thousands of dollars on my account, I'm just glad that you can purchase time cards for this game.

I had a BoA card that was replaced due to whatever vendor a store (b&m) used being compromised a couple ofyears back. There are probably more links between the card and the retailer than you think.

If nothing else, remember that in this situation the company/bank you hold the card with should be an advocate for you. They should be able to track down the trail and at least discover the point at which the account was accessed. Contesting the charges should go without saying.

Also, in case you didn't know, Paypal is as sketchy as they come. I really wouldn't be surprised if your problem stemmed from them. If it was good luck in trying to recover what was lost.

uhh... the part I don't understand is the part where he "knows" it was Turbine.



I said many times ... I think it is "highly likely" ... it's even in the thread title.

Most naysayers on this thread have not read or are using selective reading.

One of my many cards being stolen is not the issue and not why I posted this. What it did though was highlight for me how serious the Hack that happened within Turbine from a "how they handled it" point of view. Whether my card was or was not stolen because of that Hack is also irrelevant.

What is relevant is that it made me look more closely at what happened to Turbine, how long it took them to discover it after it was reported, their denial that it even was an issue and their shutdown and public statements, or lack of, that followed.

Google "security breaches, advice for corporation" or what ever similar search you fancy .... here's one at random I quickly read http://greatermd.bbb.org/SitePage.aspx?site=41&id=5f6576d6-3867-4037-8d3b-09364dfa1a61

It's Turbine's choice to act however they choose. If you agree with their keep it quiet and sweep it under the carpet methodology then that's cool. I personally don't. I will be dealing with Turbine in a very different way going forward with my financial transactions with them. My choice.

Do you use steam as well?

http://arstechnica.com/gaming/news/2011/11/valve-confirms-steam-hack-credit-cards-personal-info-may-be-stolen.ars

Garth