Is CRPA selling its email list to spammers?

  • ke6guj
    Moderator
    CGN Contributor - Lifetime
    • Nov 2003
    • 23725

    Is CRPA selling its email list to spammers?

    I received a SPAM email from buydraciaproducts.com today sent to an email address I created specifically for CRPA. Actually the email address got the beginning of it cut off, and it ended up in my catch-all address, but the CRPA portion was still there.

    It had all my contact info included for an order I supposedly placed. Funny that it listed a munged version of my CRPA address that I haven't typed since I joined a couple months ago.
    Jack



    Do you want an AOW or C&R SBS/SBR in CA?

    No posts of mine are to be construed as legal advice, which can only be given by a lawyer.
  • #2
    NotSoFast
    Member
    • May 2008
    • 380

    Call CRPA and report it. Let them know what happened and that you are dissatisfied.


    • #3
      Mezcalfud
      Senior Member
      • Dec 2007
      • 1495

      Could also be your email host. Yahoo somehow knows what I buy on Amazon? Adelphia and now Time Warner spam(ed) too.
      Oh, and somehow my misspelled name that my CC company can never fix is on spam also, and they do not have my email address? How?
      Last edited by Mezcalfud; 05-12-2009, 7:27 PM.


      • #4
        ke6guj
        Moderator
        CGN Contributor - Lifetime
        • Nov 2003
        • 23725

        Oh, it gets better. I got a call from my CC's fraud dept today and it appears someone went on a shopping spree with my CC, including trying to get airline tickets to Switzerland. One CC charge was to the website I mentioned above.

        It appears that either CRPA or their CC merchant got compromised and my CC info, email address, and contact info was snagged, or my computer was compromised on my end. I doubt it was my computer. I routinely scan for spyware, and just did scans with HijackThis, Ad-Aware, and Malwarebytes. No issues on my end.
        Jack




        • #5
          Californio
          CGN/CGSSA Contributor - Lifetime
          CGN Contributor - Lifetime
          • Dec 2006
          • 4169

          I got a new credit card out of the blue a month ago, issuer claimed one of the transaction companies got hacked and they were canceling all cards and issuing new ones. There was a big hack of the transaction system.
          "The California matrix of gun control laws is among the harshest in the nation and are filled with criminal law traps for people of common intelligence who desire to obey the law." - U.S. District Judge Roger T. Benitez


          • #6
            rweller
            Junior Member
            • Feb 2009
            • 83

            Originally posted by ke6guj
            I received a SPAM email from buydraciaproducts.com today sent to an email address I created specifically for CRPA. Actually the email address got the beginning of it cut off, and it ended up in my catch-all address, but the CRPA portion was still there.

            It had all my contact info included for an order I supposedly placed. Funny that it listed a munged version of my CRPA address that I haven't typed since I joined a couple months ago.
            CRPA does not sell information to spammers. Our membership info is highly classified, not unlike NRA and is never made public, sold, sent to anyone, including NRA for any reason.

            Secondly, our site is beyond secure. I've been around a lot of company level systems, but CRPA's network security is frankly so complex and secure, it's ridiculous. It is very tightly controlled. The website provider is very secure as well.

            I suspect the problem might be your email provider, or a harvester that picked up your email automatically. It happens all the time. There is no such thing as a hidden email, unless you use a third party service to make your email anonymous, which is popular in Europe and becoming more popular in the U.S.

            Ralph
            CRPA Board Member


            • #7
              rweller
              Junior Member
              • Feb 2009
              • 83

              Originally posted by ke6guj
              Oh, it gets better. I got a call from my CC's fraud dept today and it appears someone went on a shopping spree with my CC, including trying to get airline tickets to Switzerland. One CC charge was to the website I mentioned above.

              It appears that either CRPA or their CC merchant got compromised and my CC info, email address, and contact info was snagged, or my computer was compromised on my end. I doubt it was my computer. I routinely scan for spyware, and just did scans with HijackThis, Ad-Aware, and Malwarebytes. No issues on my end.
              A little more on this. I've operated a commercial site for a number of years now and have some experience in CC processing online.

              Credit card companies are very concerned about CC fraud for obvious reasons, but they acknowledge through various studies over the past few years that CC fraud is far more likely to occur as a result of an over-the-counter transaction in a restaurant than online. What ends up happening is that, once they have the number, they use it online, hence the idea that it must have been stolen online, which is almost always not the case. It got lifted when you handed it to a waiter or waitress, or handed it to a store clerk, and it was very quickly electronically hijacked. It's an industry and it's not uncommon for more than one person in a brick and mortar business to be involved in the scam. Within 24 hours the card number is out and distributed to another location in the country, or even overseas. It's a big business. Credit card companies acknowledge that online transactions are very secure. Online sites are required to maintain certain security measures or lose their ability to process CC transactions online.

              I can't speak for all commercial sites, but I do know the CRPA's URL and shopping cart service well enough to know that their site is very very secure.

              As for the other comment made by someone else, yes, a card processor back east had its system compromised, which is a prime target for hackers. But that affects everyone, including brick and mortar stores that use their service to process cards. As I understand it, they weren't intercepting transactions, but hacked into their main system and pulled data out, which can be a result of anything from lousy security, which is unlikely, to an inside job, which I believe is more likely. These things don't generally happen with one person wearing pajamas in his bedroom hacking into a secure system. There's always more to the story.

              I really wish restaurants would employ secure 'at-the-table' transactions instead of handing my card to someone. I really don't like the idea of my CC walking away for several minutes. It can easily be scanned and I'm screwed. This is the number one reason for card number thefts and it's a growing problem.

              If CRPA's system was compromised, we would have heard by now of a problem, either through the credit card system or other members. We've heard nothing, so I have to assume your card was compromised somewhere else. I know that doesn't help your situation. I've been there and it is a pain in the you know what to fix. But, if you persist, you might get the answer you need from your CC card company as to how it was compromised, if they know. Sometimes they won't talk about it and they know what the problem is. They don't like the bad press so they make consumers believe it was a random hi-jacking when in fact they had a major compromise in their system or the system of a major CC processor.

              I've had my checking account compromised as well, which is even a bigger pain to deal with. Trying to close down a checking account with checks outstanding creates bounced checks all over the place, and you can well imagine how that goes over with various companies you paid with a check.

              Ralph
              Last edited by rweller; 05-17-2009, 8:07 AM.


              • #8
                ke6guj
                Moderator
                CGN Contributor - Lifetime
                • Nov 2003
                • 23725

                Originally posted by rweller
                Credit card companies are very concerned about CC fraud for obvious reasons, but they acknowledge through various studies over the past few years that CC fraud is far more likely to occur as a result of an over-the-counter transaction in a restaurant than online. What ends up happening is that, once they have the number, they use it online, hence the idea that it must have been stolen online, which is almost always not the case. It got lifted when you handed it to a waiter or waitress, or handed it to a store clerk, and it was very quickly electronically hijacked. It's an industry and it's not uncommon for more than one person in a brick and mortar business to be involved in the scam. Within 24 hours the card number is out and distributed to another location in the country, or even overseas. It's a big business. Credit card companies acknowledge that online transactions are very secure. Online sites are required to maintain certain security measures or lose their ability to process CC transactions online.

                I can't speak for all commercial sites, but I do know the CRPA's URL and shopping cart service well enough to know that their site is very very secure.

                Ralph
                I would agree with you on the bolded part except that one of the on-line orders was placed with a munged up version of my CRPA address, and there is no way that someone could randomly match up my email address, name and billing address, and CC number from an over-the-counter swipe and place an on-line order. All that info had to be captured at the same time. So, it either had to be compromised on my computer (possible, but no trace of any spyware, spamware, or viruses can be found), or somewhere on CRPA's end. If nobody else reports any problems with their email/credit cards after a CRPA transaction, then I'd assume that somehow it happened on my end.
                Jack




                • #9
                  rweller
                  Junior Member
                  • Feb 2009
                  • 83

                  Originally posted by ke6guj
                  I would agree with you on the bolded part except that one of the on-line orders was placed with a munged up version of my CRPA address, and there is no way that someone could randomly match up my email address, name and billing address, and CC number from an over-the-counter swipe and place an on-line order. All that info had to be captured at the same time. So, it either had to be compromised on my computer (possible, but no trace of any spyware, spamware, or viruses can be found), or somewhere on CRPA's end. If nobody else reports any problems with their email/credit cards after a CRPA transaction, then I'd assume that somehow it happened on my end.
                  Jack,

                  I can't say about your email address hi-jack, but as I recall from your original posts, those were two separate events, though they could be linked.

                  As for your billing address, who needs it? You don't need a billing address to place an order online. If the system is set up to reject non-matching addresses then the order will not go through, but if the online vendor allows non-matched addresses, it will go through online. They also don't need your name either. Any name will do. There is no name match done when credit cards are processed online.

                  In essence, some online vendors only require a CC number and expiration date. If they have those two pieces, a lot of places will accept an order.

                  RW


                  • #10
                    ke6guj
                    Moderator
                    CGN Contributor - Lifetime
                    • Nov 2003
                    • 23725

                    ok, I'll try to completely lay out the time line.

                    On Sunday 5/10, I received an email from buydracaiproducts showing I placed an order with them. It had my name and billing/shipping address correct. The email address used for that order was 6guj.crpa@xxxxxxxxxxxxx.com, while the email address I used for my CRPA membership was ke6guj.crpa@xxxxxxxxxxxxx.com. Notice the similarities in the email addresses that I doubt someone could make up.

                    I then posted this thread in an attempt to see if anyone else had issues with spam from a crpa-used email address. I did not know about any CC fraud at that point.

                    Then on Monday, I got a call from the CC inquiring about possible fraud on my CC. They read me off the charges, which included $1 charges to iTunes and PayPal (to test the card), airline tickets, and a charge to buydracaiproducts. That is when I figured out that the "spam" from buydracai that had my CRPA address and the CC fraud were related.

                    It has to be related to my purchase of a CRPA membership. There is no way someone could randomly use that email address along with my address and CC info. Somewhere along the line of that transaction, someone had to be snooping, possibly in my computer, or somewhere on your end, to be able to put all that info together.

                    If you don't think the problem was on your end, no problem, my CC company is taking care of the fraud, so it won't directly harm me any more than the hassle.
                    Jack




                    • #11
                      rweller
                      Junior Member
                      • Feb 2009
                      • 83

                      Originally posted by ke6guj
                      ok, I'll try to completely lay out the time line.

                      On Sunday 5/10, I received an email from buydracaiproducts showing I placed an order with them. It had my name and billing/shipping address correct. The email address used for that order was 6guj.crpa@xxxxxxxxxxxxx.com, while the email address I used for my CRPA membership was ke6guj.crpa@xxxxxxxxxxxxx.com. Notice the similarities in the email addresses that I doubt someone could make up.

                      I then posted this thread in an attempt to see if anyone else had issues with spam from a crpa-used email address. I did not know about any CC fraud at that point.

                      Then on Monday, I got a call from the CC inquiring about possible fraud on my CC. They read me off the charges, which included $1 charges to iTunes and PayPal (to test the card), airline tickets, and a charge to buydracaiproducts. That is when I figured out that the "spam" from buydracai that had my CRPA address and the CC fraud were related.

                      It has to be related to my purchase of a CRPA membership. There is no way someone could randomly use that email address along with my address and CC info. Somewhere along the line of that transaction, someone had to be snooping, possibly in my computer, or somewhere on your end, to be able to put all that info together.

                      If you don't think the problem was on your end, no problem, my CC company is taking care of the fraud, so it won't directly harm me any more than the hassle.
                      Jack,

                      I understand your concern. I will check, but I just don't know how it could have happened at CRPA's end. The system they use for online orders is housed, URL and all, at a commercial site that I have looked into for their security. It really looks like someone intercepted the information somewhere.

                      I'll look into it on our end and see if I can see anything that might be a problem.

                      Ralph


                      • #12
                        Ground Loop
                        Member
                        • Aug 2006
                        • 177

                        Like KE6GUJ, I use a different email address for *every* contact. Easy when you run your own domains.

                        I have busted so many web stores and agencies, it's not funny.

                        For a while, Ameritrade (a stock broker!) was 'leaking' my email address. They denied it vehemently, of course. And again, and again.. after the fourth time, finally using a random jumble of letters for my private email address and getting spam on it, I refused to accept that it was a coincidence. Months later, they admitted they had a rogue employee selling lists..

                        I run my own mail server, so unless there's a man-in-the-middle or their end is compromised, I don't see a lot of reasonable explanations.
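
The per-contact address technique from post #12, applied to the truncated address from post #10, as an added example that is not part of the original thread. It goes slightly beyond the thread by also issuing unguessable tagged addresses; the domain `example.com`, the key, the sender domains and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # assumption: private key kept on your mail server
DOMAIN = "example.com"             # placeholder for your catch-all domain
USER = "ke6guj"                    # local-part prefix, as in the thread's address


def issue_address(vendor, registry, tagged=True):
    """Create and record the one address that is given to `vendor` only."""
    local = f"{USER}.{vendor}"
    if tagged:
        # Unguessable suffix: mail to it cannot come from guessing the pattern.
        tag = hmac.new(SECRET, vendor.encode(), hashlib.sha256).hexdigest()[:8]
        local = f"{local}.{tag}"
    registry[local] = vendor
    return f"{local}@{DOMAIN}"


def attribute(rcpt, registry, min_len=6):
    """Map a recipient seen by the catch-all back to the vendor it was issued to."""
    local, _, domain = rcpt.lower().rpartition("@")
    if domain != DOMAIN:
        return None
    if local in registry:
        return registry[local], "exact"
    # Front of the local part cut off (the munged address from the thread).
    hits = {v for issued, v in registry.items()
            if len(local) >= min_len and issued.endswith(local)}
    return (hits.pop(), "truncated") if len(hits) == 1 else None


def leak_report(inbound, registry, expected_senders):
    """List senders that used a vendor-specific address but are not that vendor."""
    report = {}
    for rcpt, sender_domain in inbound:
        hit = attribute(rcpt, registry)
        if hit is None:
            continue
        vendor, how = hit
        if sender_domain not in expected_senders.get(vendor, set()):
            report.setdefault(vendor, []).append((sender_domain, how))
    return report


def demo():
    registry = {}
    issue_address("crpa", registry, tagged=False)       # ke6guj.crpa@example.com
    broker = issue_address("broker", registry)          # tagged form
    expected = {"crpa": {"crpa.example"}, "broker": {"broker.example"}}
    inbound = [                                         # constructed sample mail
        ("ke6guj.crpa@example.com", "crpa.example"),    # legitimate vendor mail
        ("6guj.crpa@example.com", "shop.example"),      # truncated, third party
        (broker, "lists.example"),                      # exact, third party
        ("ke6guj.broker@example.com", "guess.example"), # guessed, never issued
    ]
    return leak_report(inbound, registry, expected)


if __name__ == "__main__":
    for vendor, hits in demo().items():
        print(vendor, hits)
```

A hit in the report shows only that the address issued to that vendor reached a third party; it does not say whether the exposure was at the vendor, its payment processor, or in transit.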


                        • #13
                          obeygiant
                          CGN/CGSSA Contributor
                          CGN Contributor
                          • Oct 2007
                          • 4167

                          Originally posted by rweller
                          Jack,

                          I understand your concern. I will check, but I just don't know how it could have happened at CRPA's end. The system they use for online orders is housed, URL and all, at a commercial site that I have looked into for their security. It really looks like someone intercepted the information somewhere.

                          I'll look into it on our end and see if I can see anything that might be a problem.

                          Ralph
                          If your credit card processor happens to go through Heartland Payment Systems, then that is most likely the culprit.
                          Information Week Article
                          Original Press Release
                          Heartland's response
                          Member, CRPA Board of Directors
                          "No one could make a greater mistake than he who did nothing because he could do only a little." - Edmund Burke


                          • #14
                            chrisdesoup
                            Senior Member
                            • Jul 2008
                            • 632

                            This is odd!

                            I sign up with my C/C and the same day the $22 charge for the CRPA posts, 6 other Visa charges post (not my charges): 5 for Xbox Live and 1 from a gas station in North Dakota... CRPA is only the 3rd charge I have made with this Visa after 1 charge with PayPal (last week) and a 6 pack and tortilla chips at Safeway (last month).

                            The fraudulent charges all posted 8/4 along with the CRPA.

                            My bank was great about cxl'ing the cards and giving me my money back (it is a Visa debit) but somebody somewhere has a leak... might be time to go back to writing checks and sending things snail mail or just paying with cash.


                            • #15
                              sorensen440
                              Calguns Addict
                              • Mar 2007
                              • 8611

                              I have not yet gotten any unsolicited emails from the account I used to sign up for the CRPA.
                              "I would rather be exposed to the inconveniences attending too much liberty than to those attending too small a degree of it." - Thomas Jefferson
