Vanguard records compromised

[Pylon]

I have considered using one of those "load me up" credit cards for such transactions.  In anycase, I will likely never use a credit card for it, so long as they accept mail in orders.

I don't know what "load me up" credit card means, but my Mastercard allows me to generate "Virtual Account Numbers".  Every time I shop online, I can have a brand new, one-time-use, disposable credit card number.  Stops potential fraud from database hacks and lost data pretty easily - if they got the credit card number I used, it wouldn't be working any longer.

[Major Carrales]

I have considered using one of those "load me up" credit cards for such transactions.  In anycase, I will likely never use a credit card for it, so long as they accept mail in orders.

I don't know what "load me up" credit card means, but my Mastercard allows me to generate "Virtual Account Numbers".  Every time I shop online, I can have a brand new, one-time-use, disposable credit card number.  Stops potential fraud from database hacks and lost data pretty easily - if they got the credit card number I used, it wouldn't be working any longer.

A "load me up" credit card is the type that are ussually sold at gas stations or grocery stores that allow a person to have the benefits of a credit/debit card but not the account.  You "load up the card" when you use it.  If it gets "jacked" no one is harmed and you only lose the monry you put in.  It seems alot like what you described.

I guess we have a regional dialect difference in what it is called.

[desertengineer1]

The current HTML page as of 8 PM CST for login is nolinkhttps://toad.he.net/~vgaurd/store/index.php. (DO NOT GO TO HIS LINK!!!)

A reverse lookup of this DNS gives an IP of 66.160.205.2, which is registered to Hurricane electric in Fremont, CA?  Not sure what's going on there., but it does look like it's still dangerously spoofed.  DO NOT USE THE LOGIN LINK UNTIL IT IS SAFE TO DO SO.

I would ask that Vanguard release a statement to CAP members IMMEDIATELY.   

I don't care if their poor IT guy accidentally fell asleep and their database got hacked.  It is THEIR responsibility to protect sensitive customer data.  Freaking insane....

FYI the Vanguard website is STILL hacked...go to www.vanguardmil.com and hover your mouse (DO NOT CLICK!!!!) over the Log In link in the upper right corner.  When you do so, you'll see that the link points to another website.  The rep I spoke with found this to be very interesting and said that he would pass the info along to their IT department as well as the FBI.

From what I can tell (and I may be wrong here, but I think I'm pretty close), the hacker got into the Vanguard server and changed any Log In links to point to his site, processed the orders while copying our info, and passed the orders along to the real Vanguard server for fulfillment and billing.

[PHall]

Maybe now Vanguard will let people use Pay Pal for their orders.
No credit card numbers to be stolen.

[SAR-EMT1]

Has paypal ever been jacked ?

[NC Hokie]

FYI the Vanguard website is STILL hacked...go to www.vanguardmil.com and hover your mouse (DO NOT CLICK!!!!) over the Log In link in the upper right corner.  When you do so, you'll see that the link points to another website.

In the interest of fairness, I should point out that others have indicated that this redirect may be "business as usual" at Vanguard.  Although that alleviates some of my fear that the site is still jacked, I must admit that this is (IMHO) yet another indicator of the unprofessional image Vanguard seems to have gone out of their way to cultivate.

[NC Hokie]

Maybe now Vanguard will let people use Pay Pal for their orders.
No credit card numbers to be stolen.

That's why I have a PayPal debit card for my online purchases.

[desertengineer1]

I certainly hope so, but toad.he.net link on the login button, in addition to the warning to verify that you are vanguardmil.com is extremely suspicious.  I sent an email to our members to be cautious and call instead of using the link - at least until something comes from Vanguard that everything is OK.

I sure as heck wouldn't trust it.

FYI the Vanguard website is STILL hacked...go to www.vanguardmil.com and hover your mouse (DO NOT CLICK!!!!) over the Log In link in the upper right corner.  When you do so, you'll see that the link points to another website.

In the interest of fairness, I should point out that others have indicated that this redirect may be "business as usual" at Vanguard.  Although that alleviates some of my fear that the site is still jacked, I must admit that this is (IMHO) yet another indicator of the unprofessional image Vanguard seems to have gone out of their way to cultivate.

[Eclipse]

Hurricane Electric is a Colocation Provider (i.e. an ISP), it's likely that's where the VG stores are hosted.

As to PayPal - I would suggest you look into the dispute process with PayPal before you sing their praises, you will find that they are draconian compared to a regular credit card, I have a PayPal account for eBay use, and never pay out of my checking account - I always use a credit card, which they hate because it incurs fees for them. It also then gives you the full dispute process of your charge card, instead of PayPal's ability to seize money from your checking account, withhold funds, etc.

Since we don't actually know what the nature of the compromise really was, its hard to say who's to blame.  I am currently working on credit card security for a major hospitality chain (implementing PCI-DSS), and frankly if most people knew how vulnerable their identity, credit and related information really is to compromise, they would cut up their cards, invest in gold, and bury it in the backyard.

This is the basis of what any business accepting charge cards is supposed to be doing as of today (the spec changes in September): http://en.wikipedia.org/wiki/PCI_DSS

With that said, and knowing what I know, I still use my cards as I always have, because that is simply the nature of the universe today, and the pros and convenience far outweigh the risks.

[mikeylikey]

MY Chase AF Club and Army Club credit cards (O-Club card) has excellent protection.  Like the time the bartender charged me twice for the same 7 drinks I had.  Chase actually contacted me and told me that they noticed the second charge, and would remove it and contact the club for me.  Plus I get 2 reward points if I shop on Base/ Post and one reward point for everything else I buy off post.  Needless to say, the more you drink on base the more free drinks come your way.        

[desertengineer1]

The kicker for me is Vanguard's statement to verify you are on nothing other than vanguardmil.com, but then you see the toad.he.net link.  I think some kind of guidance or assurance is the least they can do.

Hurricane Electric is a Colocation Provider (i.e. an ISP), it's likely that's where the VG stores are hosted.

As to PayPal - I would suggest you look into the dispute process with PayPal before you sing their praises, you will find that they are draconian compared to a regular credit card, I have a PayPal account for eBay use, and never pay out of my checking account - I always use a credit card, which they hate because it incurs fees for them. It also then gives you the full dispute process of your charge card, instead of PayPal's ability to seize money from your checking account, withhold funds, etc.

Since we don't actually know what the nature of the compromise really was, its hard to say who's to blame.  I am currently working on credit card security for a major hospitality chain (implementing PCI-DSS), and frankly if most people knew how vulnerable their identity, credit and related information really is to compromise, they would cut up their cards, invest in gold, and bury it in the backyard.

This is the basis of what any business accepting charge cards is supposed to be doing as of today (the spec changes in September): http://en.wikipedia.org/wiki/PCI_DSS

With that said, and knowing what I know, I still use my cards as I always have, because that is simply the nature of the universe today, and the pros and convenience far outweigh the risks.

[Dragoon]

Man, if we had to privatize the Bookstore (and I'm still not convinced that was the case), I sure wish we'd have gone with a company that had some internet retail experience, not a manufacturer trying to learn retail on our dime.  These "growing pains" would have killed any business that didn't have a monopoly on the market.

[Hawk200]

Maybe now Vanguard will let people use Pay Pal for their orders.
No credit card numbers to be stolen.

I just got  the PayPal plugin. Allows me to create virtual Visa card numbers, complete with expiration dates and CVV codes. Used it a few times. Once the items are paid for, close out the card, and done.

[TankerT]

Just as a related note, members in my wing have reported for the last few months some "suspicious" charges on some cards.  The common thread was Vanguard.  (Some members had only used the card for CAP purchases...)

[cnitas]

I just put in an order about 2 weeks ago.  This makes me glad that I shop exclusively at the Hock. 

[desertengineer1]

Just as a related note, members in my wing have reported for the last few months some "suspicious" charges on some cards.  The common thread was Vanguard.  (Some members had only used the card for CAP purchases...)

Interesting.  Just contested one of those $9 and some change POS transactions a month ago (EASYTEMPLATESRPO.COM).   And yes, I use this card for Vanguard.

[dhon27]

NJWG was forwarded an email yesterday from NER/CC and NJ/CC referencing the Vanguard situation and also referencing recent alleged improprieties by a CAP member in applying for credit cards using CAP members' names, DOB and SSN's taken from MSA's.  From the email, it is not clear if the credit card matter is related to the Vanguard situation.  The email further references the Vanguard matter as relating to CTWG. 

[dhon27]

Text of email:
_____________________

To all Members,

   

    Please note the following advisory regarding attempted credit card fraud by a CAP member.



Col Robert J. McCabe, CAP

Commander, NJ Wing

--------------------------------------------------------------------------------

Commanders,

I would like to take this opportunity to alert you about an incident with one of our CAP members.  This individual was caught allegedly applying for multiple credit cards. The victims names, date of birth, and social security numbers were taken from different MSA's.

The attachment pertains to an incident in CT Wing regarding Vanguard.

Please share this information with your staff and members.


Col Robert Diduch
NER/CC







--------------------------------------------------------------------------------

Gas prices getting you down? Search AOL Autos for fuel-efficient used cars.
Official Announcement of Activities, Events and Policies of
New Jersey Wing, Civil Air Patrol
United States Air Force Auxiliary
_______________________________________________
NJCAP mailing list
NJCAP@njwg.cap.gov
http://njwg.cap.gov/mailman/listinfo/njcap

To National HQ, Northeast Region HQ and CTWG Officers As a follow-up, the CTWG member contacted Vanguard, and ascertained the following: ///////////////////////// Begin Text //////////////////////////// I spoke to the real Vanguard and they explained to me that the only info that the fake could get was the credit or debit card number. They could not get the expiration date or the security code on the back of the card. It should be safe to purchase from Vanguard. here is the Vanguard contact info.
Dear Valued Customer, You are receiving this message as a courtesy notice because you placed an order with Vanguard Industries East, Inc. (Civil Air Patrol) either on or after July 4th.  We would like to advise you that Vanguard will never contact you requesting personal information after your order has been placed.  Please contact us at 1-800-221-1264 if you have recently received such a request. Thank you, Melissa AlarconInternet SalesVanguard Industries West, Inc.Ph# 1-800-433-1334 ext. 165email:malarcon@vanguardmil.com
/////////////////////////////////////////// End Text //////////////////////////////////////////////

On 7/7/08, Peter Jensen wrote:
For National HQ, Northeast Region HQ, and all CTWG Officers I received the following email from a CTWG member today about the Vanguard website. This website may have been "hijacked," possibly by those seeking to commit identity theft.   Pete Jensen, Col, CAPCommanderConnecticut Wing

---------- Forwarded message ----------
From:
Date: Jul 7, 2008 2:39 PM
Subject: Hijacked vanguardmil website
To: Peter Jensen

It has come to my attention that the website for vanguardmil.com military clothing has been hijacked. If an order is placed you might get a response from vanguardmil.net asking for additional information like photo id such as drivers license, bank statement, etc. Here is what I received from the fake vanguard email. Please disseminate the info to all interested parties.  Hi David, Thank you for your recent Order #070408-163812-1039 at Vanguard Industries, Inc.We regret to inform you that we need further information to verify the status of the transaction that you made through your credit card number XXXXXXXXXXXXXXPlease understand that this also helps to reduce the risk that any other person misuses your credit card. Anybody, who has your credit card number and expiry date, can you use your credit card on the Internet for making payment. For us, it is important to protect our customers and ourselves from fraudulent transactions.To continue processing your order, please provide us following documents:

Front and backside of credit card that you placed this order with.
Photo-ID card (such as driver's license, passport) showing the same name & signature as the credit card.
One recent bank statement or utility bill (optional)
You can send the verification documents by replying or writing a new email to: order@vanguardmil.net
You will notice the .net not .com.

[Redacted various email addresses]

[Eclipse]

The current HTML page as of 8 PM CST for login is nolinkhttps://toad.he.net/~vgaurd/store/index.php. (DO NOT GO TO HIS LINK!!!)

Well that's just great, I though you meant not to not go to the link!
I now have a temporal anomaly in the middle of my living room asking me for my mother's maiden name! 

Thanks a lot!   

[mikeylikey]

Shame on that CAP member for stealing other members identities.  For each offense, 5 years in FEDERAL Prison should do nicely. 

Perhaps that is why we shouldn't be using our Social Security Numbers in CAP. PERIOD!