Anyone having trouble with checkout security at GlobalSugarArt?

Decorating By vcheddar Updated 5 Dec 2012 , 2:18am by costumeczar

Marianna46 Posted 26 Nov 2012 , 10:42pm
post #61 of 110

Well, I'm sorry to say that I'm among those whose cc has been compromised and it certainly could have been from ordering things from GSA. I only order from GSA, Designer Stencils and Amazon, and while it could have happened with any one of them, this thread makes me think it might have been GSA. As much as it pains me to say this - because I'm a big fan of GSA and order lots of stuff from them - I won't be ordering again until the PayPal option is working properly. My bank actually caught the fraudulent transaction and blocked it, but I had to cancel my card. If it were just a question of getting the card replaced, I wouldn't mind so much, but I have to fly from Cancún to Mexico City to pick the card up (my bank doesn't have branches in Cancún - yeah, I know, I'm applying for a local card as we speak, but I don't have one as of now).

julzs71 Posted 27 Nov 2012 , 12:26am
post #62 of 110

I am pretty sure if Alan is redoing his website and credit card information, it is probably a random number generator, which is encrypted.   These are a lot harder to break into.  You really can't blame him for dirt-bags that broke into his website.   Yes, you can blame him for not notifying everyone a little quicker.  Setting up new websites isn't super quick, either.  Before you let thieves ruin a business, let him try to get his new system running.   With an updated secure website system, your information should be secure. 

I also have no affiliation with GSA.  I have been there one time while visiting my in laws.  They are very nice. 

jason_kraft Posted 27 Nov 2012 , 12:51am
post #63 of 110


Original message sent by julzs71

You really can't blame him for dirt-bags that broke into his website.   Yes, you can blame him for not notifying everyone a little quicker.  Setting up new websites isn't super quick, either.  Before you let thieves ruin a business, let him try to get his new system running. 

It is unfortunate that GSA was hacked (especially with a time-delayed attack) but as soon as you realize that all credit card numbers submitted through your online checkout system will be compromised, you need to immediately take the checkout system offline and rely on phone-in orders only until the issue has been resolved. Full stop.

vcheddar Posted 27 Nov 2012 , 4:27am
post #64 of 110

Happy to see that Alan came on board and offered a rather detailed explanation and apology. Thank you.

I agree with the comments made about not alerting customers of the security breach. Being proactive goes a long way towards building trust and good Customer Service.  Glad to see that it's fixed now. Let's hope it doesn't happen again.

SweetTzippy Posted 27 Nov 2012 , 5:01pm
post #65 of 110


Original message sent by AlanT

To all our GSA customers.  I assure you we are working very diligently on this issue and realize the disruption it causes all of us. Alan

Thank you very much Alan for addressing this forum. I am confident that you are taking measures to resolve this problem and I agree that even banks get hacked and we are all exposed to this type of corruption.

GSA is a great company that offers good products at competitive prices and I am happy to know that it is expanding. I sincerely hope that the new website platform will be 100% secure and we will be able to leave this bitter experience behind us. Good luck!

tracyaem Posted 27 Nov 2012 , 6:36pm
post #66 of 110

While I'm glad steps have been made to make the site secure again, I agree with others that it was not handled appropriately. 

 

Having a breach in security is regrettable, but understandable. But the company obviously knew this was an issue and continued to accept online payments. That is not acceptable and shows poor judgement and awful customer service. There is no guarantee that a site can't ever be hacked, but there should be a guarantee that the site owner will take the necessary steps to protect their customers.

 

This has been an issue for months which, in my opinion, no longer makes it a case of thieves ruining the business - it's a case of a business owner knowingly putting their customers at risk every time they accept an online payment.

 

Ok, so the new system is secure. For how long? What happens if things go wrong again? Will the site continue accepting payments and not notify customers? 

 

Fool me once, shame on you....fool me twice, shame on me.

 

Sorry, but I'll take my business elsewhere. 

Missy227 Posted 28 Nov 2012 , 2:39am
post #67 of 110

As I was following this thread, I kept wondering how concerned I needed to be since I am a GSA customer.  It sure didn’t take long for me to find out, because I got a call from my cc company about fraudulent charges tonight.  Kudos to my cc company for their vigilance when it comes to fraudulent charges, but two thumbs down for GSA failing to notify their customers ASAP when they knew the safety of their server had been compromised.  That is not acceptable.

virago Posted 28 Nov 2012 , 3:44pm
post #68 of 110
Quote:
Originally Posted by Missy227 

As I was following this thread, I kept wondering how concerned I needed to be since I am a GSA customer.  It sure didn’t take long for me to find out, because I got a call from my cc company about fraudulent charges tonight.  Kudos to my cc company for their vigilance when it comes to fraudulent charges, but two thumbs down for GSA failing to notify their customers ASAP when they knew the safety of their server had been compromised.  That is not acceptable.

was this breach before or after GSA owner AlanT stated website security had been fixed (ref post #59 of this thread)???

 

would really like to know since GSA's login/registration pages are still unsecure (http vs https)...

jason_kraft Posted 28 Nov 2012 , 3:58pm
post #69 of 110


Original message sent by virago

would really like to know since GSA's login/registration pages are still unsecure (http vs https)...

If the server itself is compromised the page is not safe even if it is https, since the secure http protocol is only meant to protect data while in transit between your computer and the server.

lyndsayscott Posted 28 Nov 2012 , 4:05pm
post #70 of 110

Me too!  Three separate times!  I really love their range of products, but my goodness, I can't constantly get new cards.  :(

 

I will look into the disposable credit card number.  Very cool!

pinky73 Posted 28 Nov 2012 , 4:27pm
post #71 of 110

Holy Cow!! I am so glad that I saw this thread! A month or so ago, I purchased some fondant cutters from GSA, using my debit card linked to my checking account. Imagine my surprise when a week or so after that, I tried to use my debit card for a very small purchase locally and it was declined. I called my bank, who informed me that they had deactivated my card because of suspicious transactions on my account from the day before. Apparently someone in Australia and someone in Spain, at the same time, were trying to make purchases using my card number. My bank refused the purchases, my money is safe, but they immediately flagged the account and closed my card. I was thankful for my bank recognizing this situation. The only other purchase I had made recently, using that card, was from GSA and I wondered if that may have been the problem. I'm glad GSA is getting the problem fixed as best as they can because I do like their offerings and want to make purchases from them in the future.

virago Posted 28 Nov 2012 , 5:34pm
post #72 of 110
Quote:
Originally Posted by AlanT 

To all our GSA customers.  Firstly, please accept my apologies for any inconvenience you have suffered.  You always have the ability to place internet orders using "Phone Order" as the payment type and calling in your credit card that will be manually processed and NOT placed in any software program.  You can also use Paypal which is very safe as well.

 

We are aware of the issue and have addressed it on a few forums already. Sharon alerted me of this forum thread two days ago.   We have hired a large NY city firm to work with us to rid the site of the hackers (http://www.lloydgroup.com/critical-business-services).  Unfortunately, it has been extremely difficult and we have had to have our entire website software re-written on a new platform and will have to move it to a new and more secure server.  We currently rent server space in a server farm in California called InMotion Hosting.  Last year the entire server farm was hit by a major virus - see story link. http://thehackernews.com/2011/09/inmotion-hosting-server-and-trinity-fm.html Our website was not immediately affected so we thought we were secure.  However,  the hackers were able to make entry into our website and deposit code that could move confidential information out to credit card thieves.  It was not activated until recently.    We first became aware of this about 60 days ago and have made numerous changes to secure the site.  Unfortunately, their technology is very sophisticated so we need to rebuild the site from the ground up to ensure it is totally secure.

 

I literally have a team of coders here at Global Sugar Art that are working 10-12 hours a day to re-write the software.  We hope the site will be completely secure within the next 24 hours.  Once the site is secure and all the software is re-written, the website will be moved to a new server.

 

Once again, I apologize for this terrible inconvenience.  Even large world-wide banks get hacked.  We are all very vulnerable in this age of computer theft.  Please do remember that we can securely process your order if you call in your credit card number or use PayPal until the site is secure within the next two days.

 

I assure you we are working very diligently on this issue and realize the disruption it causes all of us.

 

Alan

 

Are you stating the TiGER-M@TE hack was/is more than just a prank "defacement" of multiple websites...that this hack was/is actually a "time-bomb" style breach?

pummy Posted 28 Nov 2012 , 6:21pm
post #73 of 110

Wow my cc was compromised too. I purchased twice from GSA in the last two months. Now I know how they got my info.  I had almost $500 charged on my cc this month.  GSA could have sent out an email to their customers stating that there was a security issue.  BUT they can send out emails stating a product is back in stock!  SHAME!

Missy227 Posted 28 Nov 2012 , 6:22pm
post #74 of 110
Quote:
Originally Posted by virago 

was this breach before or after GSA owner AlanT stated website security had been fixed (ref post #59 of this thread)???

 

would really like to know since GSA's login/registration pages are still unsecure (http vs https)...

virago, the fraudulent charges appear on my cc prior to post #59 by Alan T.  Even if the site is secure now, all the cc account numbers that have been stolen are still out there.  As much as I appreciate the sincerity behind Alan T’s apology, I feel it is too little, too late.  I believe GSA left their customers vulnerable to fraud for months without any warnings, to protect their own financial standing.  Although I have always enjoyed dealing with GSA in the past, I find their lack of business ethics in this particular situation inexcusable.  Therefore, as others have stated, I will no longer patronize GSA with any future purchases. 

IHeartCupcakes Posted 29 Nov 2012 , 7:02pm
post #75 of 110

Yikes, I ordered from them on Monday and I called my bank today to cancel my bank card.  I'm not taking any chances!  They do have great products, but their shipping is extremely high - and I only live 5 hours away.

HeyWife Posted 29 Nov 2012 , 7:53pm
post #76 of 110

My card was first compromised back in June and it happened two more times since then so that's how long I'm aware it's been going on. I had to start ordering elsewhere because I belong to a small bank so if I don't have an ATM/Debit card and I need access to my money when the bank is closed, I'm SOL.

Janes Posted 30 Nov 2012 , 9:29pm
post #77 of 110

When a fire is burning for 4 or more months, and you know it but don't do anything to stop it for 4 months, the structure is gone, you can't save it. Same with Alan: he should have sent an e-mail out as soon as the company he uses had a hacker; it would have been better to tell people than to assume your company was safe. Alan was more worried about losing business than saving yours. All it would have taken was an e-mail to his customers asking them to please phone or fax their orders in, and I am sure people would have done that. But no, he compromised our safety for his own benefit. That is unacceptable. There are other companies out there. Give the other companies a chance; GSA got too big to care about the smaller business.

Janes Posted 30 Nov 2012 , 9:34pm
post #78 of 110

Yes, the statement below that Alan made is true, but the bank notifies you or stops any transaction on your card.

Alan, the problem is not that we got our numbers stolen, the problem is YOU did not notify your customers

 

Once again, I apologize for this terrible inconvenience.  Even large world-wide banks get hacked.  We are all very vulnerable in this age of computer theft.  Please do remember that we can securely process your order if you call in your credit card number or use PayPal until the site is secure within the next two days.

 

nanny4 Posted 30 Nov 2012 , 9:45pm
post #79 of 110

My cc was also hacked this past summer too and I was so shocked! My cc of course notified me but by then there had been 7 fraudulent charges made on my account! I had to close it & reopen another one.

Now I know where it all came from too!!

justpracticecakes Posted 30 Nov 2012 , 11:48pm
post #80 of 110

Placed two orders with Global Sugar Art and the next week someone used my card to order diet pills. Thank you for this post; we could not figure out how this happened. Now I know.

Sweet Creations Posted 2 Dec 2012 , 2:25am
post #81 of 110

My debit card was compromised 2 weeks ago, I canceled it and the new card was compromised yesterday. The only purchase I had made with the new card was to Global Sugar Art last week. They have either been hacked or it's internal - either way they have lost my business.

deuceofcakes Posted 2 Dec 2012 , 6:32am
post #82 of 110

My card was also stolen recently and used for a computer software purchase. I was notified by the bank, which then issued me a new card within the past week and a half.  I placed an order from GSA just after I got the new card, not knowing about this thread, and when I went to check out, I got an error message on my browser (Chrome) saying the certificate for GSA was suspicious and I should not proceed as there was a risk someone was trying to steal my data.  I ended up placing an order by phone for that reason. I really wish they had let consumers know about this breach.  That's irresponsible to continue to take web orders under those circumstances.  I'm not sure other browsers would have picked up the certificate issue, and I'm glad mine did.  I just hope my new card isn't stolen too. 

LoriMc Posted 3 Dec 2012 , 5:25pm
post #83 of 110

Placed an order with GSA 11/26 and what do you know....credit card compromised as of yesterday.  This is deja vu and I'm sick of it! 

megg5 Posted 3 Dec 2012 , 7:54pm
post #84 of 110

I AM DISGUSTED AT THIS POINT!! WHY ARE WE STILL ALLOWED TO MAKE PURCHASES ONLINE???? I have now been hacked twice?!

ApplegumPam Posted 3 Dec 2012 , 8:18pm
post #85 of 110

You need to make them LISTEN by....... NOT purchasing from them

Sorry-  but when people continue to trust them and give them 'chance after chance' - and STILL the problem persists...... I'm thinking their team of 'IT whizz kids' that are supposed to be correcting the problem/issue  are on a permanent teabreak.....   and to be honest - it really ISN'T impacting on their business - because people continue to purchase.  Compromised cards don't really cause them any grief - they don't have to spend time replacing them - they don't have to go through all the drama with the bank when charges appear on their account.   LUCKY most banks these days are aware of this and make it as painless as possible but sheesh.....  IF everybody that had been stung by GSA was able to poke Alan with a stick - he'd be looking pretty damn black & blue by now

 

The ONLY thing they will listen to is when THEIR bank account is EMPTY!!

megg5 Posted 3 Dec 2012 , 8:34pm
post #86 of 110

Had I known of this issue I would not have purchased from them! And trust me I will no longer purchase from them!

sobanion Posted 3 Dec 2012 , 8:46pm
post #87 of 110

I have to add my name to the list of victims of cc (debit card) fraud after ordering from GSA. After 8 weeks I have finally found the common thread of my NUMEROUS card hackings. Each time I changed my card, and a few days later...fraudulent charges would appear on my account. I agree with everyone else GSA should have let their customers know that there had been a security breach when it happened and not waited for us to painfully discover that it was their website. After contacting them, they assured me that ordering over the phone or through paypal was a secure way to buy from them, but honestly I AM NOT convinced that it is. If they have yet to stop the problem, then they obviously don't know where it is coming from, whether it be internal or outside. I wish I had found this thread 2 months ago..It sure would have saved me A LOT of time, money and hassle. I will be letting my customers know to not order from them as well.

megg5 Posted 3 Dec 2012 , 9:14pm
post #88 of 110

if you read through this thread, someone said they ordered by phone and still got hacked!!! just a heads up!

jason_kraft Posted 3 Dec 2012 , 9:24pm
post #89 of 110

The attack involved the servers used to process credit card payments, so anyone who gave their credit card number to GSA over the phone before last week was compromised. The owner of GSA has stated that they are no longer using those servers to process credit card payments so phone orders should be safe.

Of course, the GSA site does not mention any of this, so it's difficult to say how secure they are. It's an egregious breach of trust to not include this information on the site, or at the very least contact customers who are at risk.

It's especially ironic that the GSA FAQ page says this:

Q:Is my credit card secure on your website?

A: ABSOLUTELY! We use secure encryption to ensure your credit card and personal information are secure. Most people don't realize that sending a credit card number on a secure web site is safer than giving it over the telephone. Telephone conversations are much easier to tap into, especially portable and cell phones. You can always choose "Phone Ordering" or "Fax Ordering" for your payment type. Simply submit your order online and call or fax us with your credit card details.

AlanT Posted 4 Dec 2012 , 2:49pm
post #90 of 110

To all GSA customers,

 

In an additional effort to assure our patrons that we are doing everything in our power to secure your personal information we have moved all of our processing to PAYPAL including credit cards for both domestic and international orders. If you choose to use a credit card to make a purchase from our website you will be prompted to give your credentials through the PAYPAL credit card server which is 100% secured by PAYPAL.  You do not need a PayPal account to use your credit card.  We will remain on the PAYPAL server until such time that we have completely rebuilt a new administrative website that is positively secure.  Over the past two months, we have been promised by three different firms that our site is secure only to find out that hackers are still able to get in.

 

I am deeply saddened by all the issues caused to any of our patrons as I realize that our community relies on our business in so many ways and I have personally spent the last 10 years working hard to earn your trust. I know many of my customers personally as I have met you at various events around the world. We have worked tirelessly to create an environment, which we feel offers the very best in both customer service and available product to make your experience with us as pleasurable as possible and want our patrons to know I have always had their best interest at heart.

 

Although we have been assured by various security firms that our servers were secured over the last few months, I want to make an additional point that we will no longer be processing any orders on or through Global Sugar Art servers at this time in the name of their security. In an effort to understand how we can best work with our customers going forward and help repair any damage we have caused, please feel free to email me at alan@globalsugarart.com or my associate Daniel Pfeffer at daniel@globalsugarart.com and one of us will schedule a time to speak with any customer personally, at their convenience, that was affected by this recent unfortunate situation.
