Play.com Fraud - warning
Comments
-
This really is crap guys, it is happening to so many people & no-one gives a toss. The police told me (as in a previous post) they can't do anything unless the bank call them, Play don't seem to care, apart from "noticing" the unusual actions & suspending the account. Play refunded me directly no probs, so how all of a sudden they can't? I agree about the watchdog idea, because this is getting silly, the phrase !!!! from elbow springs to mind. It is my guess that e-mails are coming through about incorrect account numbers as someone is trying to order more stuff from your accounts, otherwise why do Play care if you change your bank details. I haven't had any e-mails since I put in a wrong account number. I'm pretty gutted about this all, 1 because I've been done over (got £ back via Play) & 2 because I've used Play for years & always found them great. I felt & still do to an extent feel violated (no offense meant to anyone). If Play are sending reset password e-mails, why are we not getting e-mails about them then? We are getting e-mails for dodgy orders & the like. AAARRRGGGHHHHH!
the bar stewards
-
Hi folks,
I've just noticed my account has been hacked too. Somebody called "Tim" at "21 Perth Road, Ilford, Essex, IG2 6BX, United Kingdom" ordered nearly £200 worth of Sony memory sticks and the Godfather II on my account at 3am this morning.
Interestingly it seems they also requested a password reminder (I had an email for that too - which Play obligingly sent unencrypted). I wonder if that's part of the hack.
Unfortunately it was just after 8pm when I checked my email tonight and Play.com's phone lines close at 8pm sharp. I'll be phoning them first thing tomorrow, but I've emailed them* in the meantime in the hope they can stop the orders before they go out and cancel their request for payment.
For me, the transactions haven't gone through yet. On my account settings in Play I can see the items in my "outstanding orders" list, but they're all marked as "packing" so I can't cancel them directly. They were ordered at 3am this morning, so if I'd checked my email (or my account) earlier, I could have cancelled them. Unfortunately I wasn't expecting to be hacked today.
I appreciate that it's a Play.com issue, but my initial reaction was to cancel my debit card all the same just in case. (Better to be safe than sorry.)
When I called my bank (HSBC), they said they could see the pending transactions but didn't know whether or not they'd go through to my account. The money hasn't been taken yet but they couldn't guarantee that it wouldn't be. They've told me that IF the transaction goes through, I need to call their telephone banking hotline straight away so they can register the fraud.
I like Play and have used them for many years since they first launched without any such issue. But this has made me question if I should.
As a precaution, I've changed my Play.com password but can't change or remove my (now disabled) card details. I'll flag that with them tomorrow when I can get through on the phone.
______________________________________
* Incidentally, Play.com no longer have their email addresses on their site, so finding them is a bit of a chore. The info@play.com address won't receive emails (it's an unchecked box and only used to send order confirmations). Thankfully Google came to the rescue. If you need to email them, any of the below addresses should work (I only emailed them a matter of minutes ago, so I'm not expecting a reply yet): terms@play.com, customercare@play.com, privacy@play.com
-
Use the phone number I listed above and ask to speak to the fraud team first thing tomorrow. I would also report it to the police, even if they won't do anything, you'll have to be issued with a crime reference number.
Out of curiosity, you don't happen to have a Sky email address do you? I ask as the Play rep mentioned to me tonight that apparently Sky email addresses aren't very secure. That's all she said about it during the conversation. Not sure if that's any help or not??
-
I host my own email, so no, I don't use Sky. Having read through the rest of the posts and about half a dozen others elsewhere on the net (some dating back to c.2006, but with effectively identical issues), I feel more confident that this is a Play.com issue rather than something more broadly sinister.
It's the password reminder email I received that caught my interest. The unencrypted password was sent to my email address, but that's not to say it hadn't already been read before it got there.
As a further precaution I've changed passwords for various other online resources and stores that I use, but I do not believe that the risk goes further than Play.com for the moment.
-
To all those who have been affected, have you checked your anti-virus software? I'd still like to know how the OP's card was used when the CV2 number wasn't filled in, as I thought the order wouldn't go through if the CV2 was missing. I am sorry it's happened to those of you who have been affected, can't be nice
-
Play.com store everything that is needed for a transaction to be processed. This includes the CV2 number. If you have a card registered with them, you literally need only an email address and password to order as much or as little as you want. Since the hackers have obtained both of these, there's nothing to stop them doing just that.
My recommendation to Play.com would be to remove the CV2 numbers they store and request that a customer completes this at point of order.
-
Taken directly from Play: "Your card’s CV2 number is the rightmost three digits printed on the signature strip. We do not store your CV2 number, but use it to perform a security check when you change your credit/debit card details in any way"
I'm confused.
I am a full time Benefit and Money Adviser for a leading non profit charity and I LOVE my job
Comments posted on this forum do not reflect the views of my employer
Please note forum police I suffer from dyslexia so my spelling and grammar can be dreadful - sorry but I can't help it!
-
In which case, they're doing something slightly different. When you purchase something from Play.com (which, until now, I did quite a lot) you do not have to enter a CV2 number. You log in, you enter your password and you confirm your order against a card you have stored with them.
If they're genuinely not storing the CV2 number, this would indicate something even more lax in that they're simply validating the card once when you first enter the details and then assuming that this is okay for every purchase. For convenience when purchasing, this is great. But once your account is compromised, the one number that prevents you losing your money simply isn't being asked for.
Incidentally, Play.com aren't the only online store that operate like this. It just seems that it's the one big name store that's being hacked most often. I've been doing some research to find evidence of other stores suffering a similar fate, but while I can find suggestions of the likes of Amazon being hacked, similar frauds don't seem to be commonplace (I couldn't find evidence of them).
I strongly suspect it's something to do with the way Play.com handle password reminders. You simply need an email address (which you type into the username box), then use the 'forgotten password' link to get them to send the full details out to you unencrypted. Hypothetically, our would-be hacker simply needs to set up some software, such as a packet sniffer, to monitor the ports on Play.com's outbound mail server (SMTP port 25) and intercept the email as it passes.
In this way, the 'hacker' isn't actually "hacking" Play.com as such, since they're just using a valid username and password to process an order. The order system and storage mechanism for Play.com's sensitive data may be as secure as Fort Knox, but if their password reminder service is acting as I expect it is, it's all wasted.
They even have a nice big "send me my password" button on their log in page. Just pick an email address and switch on your packet sniffer!
They should at least have a security question (i.e. what is your mother's maiden name / favourite pet's name / etc.) like most other sites.
-
This scam has been going on a while if you look at some of the other forums so it's obvious Play.con don't give a t**s!
I've emailed Watchdog this am - let's hope they decide to have a look.
Despite telling Play.con to take my debit card details off their server they still haven't so after a chat with my bank, the card's gone through the shredder.
Inconvenient and time consuming at the very least. At least it's made me look at all my other accounts such as Amazon, PayPal etc and double check the antivirus and spyware on the home PCs
This discussion has been closed.