Fun Publications security breach / credit card fraud


Nautilator
2012-02-10, 03:06 AM
Mods: if this is in the wrong area/ not allowed please move/delete/merge as appropriate. I couldn't find any threads about this.

Just a heads up to fellow TF collectors. Some of the other TF websites have members that have had their credit/debit card info compromised after purchasing items, renewing memberships, or ordering Botcon registration packages from the Transformers Collectors Club.
While it is still premature to point fingers yet, TFCC is getting some heat for a lack of notifying those who may be affected.

So if you have purchased from the TFCC club within the past couple of months, be sure to keep an eye on your bank account and credit cards for fraudulent activity.


Info:
TFCC (http://www.transformersclub.com/)

TFCC statement (pdf) (http://www.transformersclub.com/CCstatement.pdf)


Threads from other TF websites:
tfw2005.com (http://www.tfw2005.com/boards/transformers-general-discussion/543525-fandom-card-issues-2-2012-a.html)

seibertron.com (http://www.seibertron.com/energonpub/viewtopic.php?t=84092)

allspark.com (http://www.allspark.com/forums/index.php?showtopic=85011&st=0&p=2006411&#entry2006411)

Cliffjumper
2012-02-27, 09:41 PM
Not sure if I'm the only one here lucky enough to deal with these ****ers, but
http://www.hisstank.com/forum/g-i-joe-news-rumors/202849-possible-credit-card-fraud-100.html
is worth a read. And it doesn't seem to be limited to anyone who's used FP recently, there are people in that thread getting strange charges on cards they used 2, 3 years ago. Short version is that the hackers seem to be running low-value transactions for $0, $1 etc. as a test then going back for a bigger amount. This doesn't seem to be only affecting people who paid for stuff from Fun Pub recently, in short.

I'm 99% sure I'm covered through HSBC's internet fraud protection stuff, but I'm basically going to be monitoring my account until tomorrow morning, then grabbing some cash after work tomorrow, cancel the card and get a replacement sent (which'll be a pain as it's a month old and I've only just finished updating various accounts after that).

EDIT: Editing topic title to make it a bit more eye-grabbing...
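
Added example (not part of the thread or any poster's words): the "small test charge, then a bigger one" pattern described in the post above is something a bank or a cardholder can look for in a transaction history. The thresholds, field layout and sample records below are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from decimal import Decimal

# Assumed thresholds; tune them against real account history.
PROBE_MAX = Decimal("1.00")        # "test" charges of $0-$1, as described in the post
FOLLOW_UP_MIN = Decimal("50.00")   # what counts as "a bigger amount" (assumption)
WINDOW = timedelta(days=7)         # how long after a probe to keep watching (assumption)

# Constructed sample records: (card_id, timestamp, merchant, amount)
SAMPLE = [
    ("A", datetime(2012, 2, 20, 18, 5), "GROCER", "42.10"),
    ("A", datetime(2012, 2, 25, 3, 14), "UNKNOWN-WEB-1", "0.00"),
    ("A", datetime(2012, 2, 25, 3, 15), "UNKNOWN-WEB-1", "1.00"),
    ("A", datetime(2012, 2, 27, 4, 2), "UNKNOWN-ELECTRONICS", "389.99"),
    ("B", datetime(2012, 2, 26, 2, 40), "UNKNOWN-WEB-2", "1.00"),
    ("C", datetime(2012, 2, 21, 8, 30), "COFFEE", "0.95"),
    ("C", datetime(2012, 2, 22, 13, 0), "FURNITURE", "600.00"),
]

# Merchants each cardholder has used before (constructed).
KNOWN = {"A": {"GROCER"}, "B": set(), "C": {"COFFEE"}}


def find_card_testing(transactions, known_merchants):
    """Flag cards showing a tiny charge at an unfamiliar merchant.

    'probe_then_charge': the probe was followed within WINDOW by a large
    charge at an unfamiliar merchant.
    'probe_only': only the probe has been seen so far, which is the moment
    to replace the card before the larger charge arrives.
    """
    by_card = defaultdict(list)
    for card, ts, merchant, amount in transactions:
        by_card[card].append((ts, merchant, Decimal(amount)))

    alerts = []
    for card, txs in by_card.items():
        txs.sort()                               # chronological order
        familiar = known_merchants.get(card, set())
        probes, escalated = [], False
        for ts, merchant, amount in txs:
            if merchant in familiar:
                continue                         # small charge at a usual shop is normal
            if amount <= PROBE_MAX:
                probes.append((ts, merchant))
            elif amount >= FOLLOW_UP_MIN:
                recent = [p for p in probes if ts - p[0] <= WINDOW]
                if recent:
                    escalated = True
                    alerts.append({
                        "card": card, "kind": "probe_then_charge",
                        "probe_merchant": recent[0][1],
                        "charge_merchant": merchant,
                        "amount": amount, "at": ts,
                    })
        if probes and not escalated:
            alerts.append({
                "card": card, "kind": "probe_only",
                "probe_merchant": probes[0][1], "at": probes[0][0],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_card_testing(SAMPLE, KNOWN):
        print(alert)
```

Card C shows why the probe matters to the rule: a large one-off purchase with no preceding test charge is not flagged.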

Thunderwave
2012-02-27, 10:18 PM
I'm 99% sure I'm covered through HSBC's internet fraud protection stuff, but I'm basically going to be monitoring my account until tomorrow morning, then grabbing some cash after work tomorrow, cancel the card and get a replacement sent (which'll be a pain as it's a month old and I've only just finished updating various accounts after that).

You should be. I asked about this situation not so terribly long ago. Shit, they locked my account when I bought things locally that was "out of the norm", namely a couch and a new TV, and I had to call them the first year I went down to Pennsylvania for paintball when they locked my card then too.

Cliffjumper
2012-02-27, 10:22 PM
Yeh, HSBC are pretty good about it, I could just do without the hassle of it happening in the first place - especially as we're off to France/Holland in June for a honeymoon, so having my card cancelled or blocked mid-holiday would not be fun.

Denyer
2012-02-28, 12:39 AM
Tell them about it in advance, several times, and take multiple cards and plenty of emergency cash. I've been screwed over by them in the past, as have people I know.

Shit, they locked my account when I bought things locally that was "out of the norm", namely a couch and a new TV
HSBC are also complete ****ers insofar as they seem to consider buying things online in non-English-speaking countries grounds to block a card. I mean, it's 201x, we have this thing called the internet now, and France is only over the bloody channel.

This is actually an advantage to using PayPal -- the bank just sees moderate amounts going out regularly to one institution, rather than everywhere across the globe.

Cliffjumper
2012-02-28, 03:51 PM
They do have a holiday planner on the internet banking which is very good for that, actually - I'll be filling it out when I have an exact itinerary. I meant it more as an example of the card getting blocked at an inconvenient time.

Talking of which I cancelled the thing now - can't see the point in waiting for a problem to hit and reacting when I can just get a fresh one instead.

The question a lot of people (at the Joe board; not checked any TF threads, it'll be interesting to see TF fans caught between wanting to suck up to semi-official bods and their precious money... the Joe club members are more toy than fic orientated) are asking is whether FP will survive this without losing the licences.

I'm really torn - it sounds likely that poor security helped the hackers, and their response has been very ****y (taking a long time to admit to a problem - during which lapse many were defrauded; generally trying to point wash their hands and emotionally blackmail the club members; being slow and inflexible with setting up alternate payment methods despite it looking like the security problems aren't actually sorted) too. However, I want/need the FSS figures (https://www.gijoeclub.com/FSSexclusives.cfm). I'm thinking disposable credit card, though, assuming they still actually happen.

What's the biggest relief, though, is that I actually asked a few US members here to join on my behalf to save on the preposterous international shipping charges; for various reasons they couldn't, and I am so ****ing glad they couldn't as otherwise they would have been dragged into this shitstorm.

Thunderwave
2012-02-28, 05:30 PM
The only reason I renewed my TFCC was for Runamuck. I'd already ordered Runabout (and he should be here today), and I'll be Gods damned if I'm going to have only one Runabro until I can scrape up the cash for whatever retarded amount the other will be going for on the secondary market.

Denyer
2012-02-28, 07:16 PM
Re: planner, will bear that in mind for future, but this was all some years back. The most annoying thing HSBC have done recently is have their entire card-handling system fold like a cheap hooker for a few hours during a busy shopping period.

are asking is whether FP will survive this without losing the licences
Was I dreaming, or has it already been an issue in the past and there hasn't been a question of them losing the licenses? Are a large number of people going for blood this time?

Fixed sum cards are more a thing in the US, but it's worth asking over here. And PayPal may do them IIRC.

edit:

Impression from TFW is certainly that a fair number of people (some who only ever used the cards to deal with Fun Publications) have been hit.

Cliffjumper
2012-02-28, 07:44 PM
Mmm, the Joe club seems to be smaller but I've still counted something like 20-30 (seemingly unique) complaints on various boards from them alone - banks seem to be catching a lot of it, but people are pretty pissed. Them having some sort of problem before rings a bell, but how much of it is my brain running 3H's downfall in with that I don't know. Hasbro won't like it one bit, though, that's for sure. I'd say it'll come down to whether anyone else particularly wants to sort the thing, though.

Problem with this sort of thing is how people react... I mean, I'm annoyed at the whole thing, but I want my Footloose, and I want to be in a position to get the girls and Big Boa too. So I'm likely to stay on board as I haven't lost any money and will weigh my options before spending any more (I'd probably get a HSBC credit card that I'd use to buy the figs, pay off and then destroy or cancel/renew, but there was a sense the subscription figs were in trouble anyway). How much of the people reacting feel the same is difficult to tell. And of course TF fans are even worse for this sort of thing (cf. recent apologism for factory conditions).

Am I mis-remembering or did Hasbro opt to not renew the license with Dreamwave for being a general disgrace shortly before they properly folded? Or were unpaid bills the main reason?

tahukanuva
2012-02-28, 08:37 PM
Hurm. It's taken forever for them to finally get around to owning up to it. I remember initially the official TFCC Twitter (which is remarkably unprofessional anyway) initially tried to blame BigBadToyStore for the whole thing. Which, with the overlap in customer base made a pretty effective cover except that no BBTS customers not in the club were hit.

Denyer
2012-02-28, 08:40 PM
IIRC Dreamwave deferred payments to creditors (including Hasbro) for considerable time until the point of no return, taking money out of the company as well as trying to expand operations -- despite diminishing interest in 80s properties and weak original titles.

Since people I've seen are being forced to cancel multiple and family cards and are being put to great inconvenience, I wouldn't be surprised if there were a lynch mob intent on dragging the club to Hasbro's door for reappraisal, and some of those people will know how to get noticed.

Frankly, anyone storing card details needs Amazon-level competence and security. Everyone else should be using reputable payment processors that allow for setting up subscriptions.

edit:
initially tried to blame BigBadToyStore for the whole thing
That's pretty damn scummy right there.

As noted above, the problem is in storing that kind of data in the first place, and doing so is an indicator of poor security practices.

It's like you should always be extremely wary about sites that can send you your password rather than having a reset procedure. Passwords should similarly never be stored by sites.

Cliffjumper
2012-02-28, 08:47 PM
What in retrospect amazes me is that as an overseas buyer I was apparently meant to send them a fax of both sides of my card so they could verify it. I'm not a complete idiot, so I didn't, and they took payment and everything anyway - the idea that I'd sent what's basically a scan of my card to anyone was amazing. **** knows what they'd have done with the thing.

Surely about the only reason they don't use Paypal is to avoid the fees? Sure, Paypal is far from perfect, but at least no weirdos get my card details.

And what could be a big problem for them with Hasbro, thinking about it, is that all the arse-lickers are probably in the TF version. Hell, considering the design team seems to have been colonised by nerds, it's possible some Hasbro employees are.

Cliffjumper
2012-03-01, 07:25 PM
As we continue to work on our systems, you will see some of our services go offline and then come back, so please be patient as we preserve data and clone servers and websites.

We are also taking this opportunity to remove all non-essential services from our ecomerce server. So in the short term in the next day or so, the club forums will be discontinued. It will be several days until we are ready to bring them back under an entierly new piece of software. I know alot of you have been asking for this so, we have decided to replace several of our systems with new packages. This means that you will not have access to the forum for a while at all. We do plan to make the old forum viewable (no posts) in the future. Since we do not know exactly what data was taken, we are recommending that if your have used common logins or passwords with our system and any other system that your change your passwords in those systems immidiately (especially any financial sysstems)! We will be resetting all of the passwords in our system very soon. Please don't delay in changing your passwords in other locations.

In addition, we have found a few recent aticles concerning security issues with other vendors. If you use these services, these issues could possibly impact you. Please read the attached links:
http://www.huffingtonpost.com/2012/02/10/itunes-hack-unauthorized-charges-apple_n_1268593.html?
http://www.greenpois0n.co/itunes-accounts-being-hacked-to-steal-money-from-store-credit.html

Thanks for your support in this difficult time. We will continue to work with our vendors to correct the issues and we apologize for any inconvenience this has caused any of our members.
Brian Savage




I do love those links to iTunes stories - it's a very thinly-veiled way of going "Hey, even Apple get hacked, don't blame it on us", which has been the basic gist of the near-daily emails Savage has been banging out for the past week - though it's worth noting that early messages downplayed the breach and some people were hit by fraudulent charges in the meantime before FP hit the panic button.



Other gems are when they randomly recommended some credit monitoring site that goes paid after 3 months, despite some charges coming off cards years after they were used for FP, and when they asked anyone hit with charges to keep them in the loop and provide a list of details so they could work out what happened - because if you'd just been CC-frauded thanks to FP, you'd want them to have as many details about you as possible.

Denyer
2012-03-01, 07:41 PM
We are also taking this opportunity to remove all non-essential services from our ecomerce server. So in the short term in the next day or so, the club forums will be discontinued.
What software were they using, do you know?

Again, it's obvious -- you keep payment processing stuff (code, databases) away from other apps, or (better) you outsource it to competent third parties. It's usually much easier to exploit holes in a blog or forum as a backdoor than to break a cart system.

TBH, that alone demonstrates that they have no business running an online store.

In addition, we have found a few recent aticles concerning security issues with other vendors.
Not even slightly ****ing subtle...

As far as I know most claimed "hacks" against user accounts for iTunes relate to people brute-forcing weak passwords -- i.e. given a known or worked-out list of user accounts, there'll be a proportion of idiots whose password is "apple", "music" or similar.

Cliffjumper
2012-03-01, 08:19 PM
Mmm, as far as I can see (and I did fiddle with it on a very basic level) Paypal's cart system seems to be pretty much idiot-proof in terms of set-up, and surely should be the choice if they're not going to fork out for experts. Most people seem to be saying they just don't want to pay the fees. Overheads on both Clubs are probably pretty tight, but that's no excuse when you're risking people's personal details. I would suspect they'd actually get a lot more impulse buys from the stores if there was a Paypal option as well; Paypal's not only generally trusted, but a lot of net-nerd types use it as a handy disposable balance from ebay sales and the like.

Nothing I've seen on what they do use, though.

Denyer
2012-03-01, 09:24 PM
The forum software, not the cart.

Some software actually suffers from over-development (bolting on new features quickly, holes introduced in the process) so newer isn't always better unless you update equally quickly and the developers keep on top of things. I doubt that's been FP's problem, though, given the attachment to fax machines.

PP would probably cause them no end of trouble -- the company has a habit of suspending accounts even on fairly large groups when enough people complain. That's trouble for the club, mind.

edit: Also, PP would have to mainly be for things they had in stock, as IIRC there's a limit set on how far ahead pre-orders can be taken.

Cliffjumper
2012-03-01, 09:31 PM
Oh. PoweredForums 2.2, if I'm reading things right (still at http://www.mastercollector.com/pforums/index.cfm at the time of writing). Pretty primitive-looking at least and fairly low traffic - from my quick browse people only really use it to recommend/badger about possible exclusives.

Denyer
2012-03-01, 09:43 PM
What I've found in the last few minutes suggests the authors are/were DKanos LLC, that they may have been a web hosting firm at one point, and www.dkanos.com is now CHEAP BULGARIAN PROPERTIES and REAL ESTATE.

Maybe a host the club had at one point that provided ready-rolled scripts?

http://www.cfcustomtags.com/boards/printdiscussion.cfm?threadparentid=8&boardid=2

This mentions version 2 of the software appearing in 2002, which was before anyone really started taking web security the slightest bit seriously. We're talking UBB era.

edit:

Yeah, can't seem to find a working download that doesn't involve non-archive executables despite a few sites still claiming to sell it.

http://www.consciousone.com/community/help.cfm

Very reminiscent of UBB, in fact.

edit2:

The web host;
http://web.archive.org/web/20020329161108/http://dkanos.com/

Don't be fooled by claims that 2.2 dates to around 2010-2011;
http://web.archive.org/web/20040404160502/http://cfm-powered.com/pforums.cfm

The, er, CafePress t-shirt site, presumably from after the web hosting and apps development concern folded and someone else acquired the domain;
http://web.archive.org/web/20070607174647/http://www.dkanos.com/

Cliffjumper
2012-03-01, 10:31 PM
Jesus, I know basically nothing about this sort of thing but that's terrifying

Denyer
2012-03-01, 11:46 PM
Sounds like they knew about it, too, and edited out a reference to dkanos.com in a template:

http://www.tfw2005.com/boards/transformers-news-rumors/543525-fandom-card-issues-2-2012-a-229.html#post7361856
Please FP. Please do not remove the hidden link to the "Find Your Property in Bulgaria" website in the club forum. It adds charm to the site.

And then there's this from the email...
Since we do not know exactly what data was taken, we are recommending that if your have used common logins or passwords with our system and any other system that your change your passwords in those systems immidiately
Anyone else, you might think they were just using unsalted hashes on the passwords using an old algorithm that'd make them easy pickings for a table lookup, but odds are they've been storing passwords in plaintext.
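
Added example (not part of the thread or any poster's words): this illustrates the two storage points made in the posts above, that unsalted hashes from an old algorithm fall to a table lookup, and that a site should offer a reset procedure rather than be able to send a password back. MD5 stands in for "an old algorithm", and the wordlist, user names and iteration count are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Constructed wordlist; "apple" and "music" are the weak passwords named in the thread.
COMMON = ["apple", "music", "password", "123456"]


def legacy_hash(password):
    """Weak 'before' form: unsalted, fast hash (MD5 used as the stand-in)."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(words):
    """Computed once, reusable against every unsalted dump using the same hash."""
    return {legacy_hash(w): w for w in words}


def recover_from_dump(dump, table):
    """dump maps user -> digest; returns the users a table lookup exposes."""
    return {user: table[d] for user, d in dump.items() if d in table}


def store_password(password, iterations=600_000):
    """Hardened form: per-user random salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": derived}


def verify_password(record, candidate):
    derived = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(derived, record["hash"])


def issue_reset_token():
    """Reset procedure: mail the token, keep only its digest server-side.
    A real deployment also expires the token and makes it single-use."""
    token = secrets.token_urlsafe(32)
    return token, hashlib.sha256(token.encode()).hexdigest()


def redeem_reset_token(stored_digest, presented):
    digest = hashlib.sha256(presented.encode()).hexdigest()
    return hmac.compare_digest(stored_digest, digest)


def demo():
    # Constructed "stolen table": two users share a weak password.
    dump = {
        "alice": legacy_hash("apple"),
        "bob": legacy_hash("apple"),
        "carol": legacy_hash("k7#Vq-long-unique-phrase"),
    }
    exposed = recover_from_dump(dump, build_lookup_table(COMMON))
    # Same password stored twice with salts: the records differ, so one
    # precomputed table no longer covers every account at once. A weak
    # password is still weak; salting only forces slow per-user guessing.
    first, second = store_password("apple"), store_password("apple")
    return (exposed, first["hash"] != second["hash"],
            verify_password(first, "apple"), verify_password(first, "music"))


if __name__ == "__main__":
    print(demo())
```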

Cliffjumper
2012-03-02, 12:34 AM
The amount of spelling errors in the emails are worrying too - talk about slapdash. My typing's terrible, but I don't have people's credit card numbers on file.

EDIT: Have emailed Hasbro's customer services, and will snail-mail the UK and US departments on Monday if I haven't heard anything back by the end of the weekend.

inflatable dalek
2012-03-02, 03:39 PM
I'm assuming if it does go to court FP's defence will be to show the jury a picture of Shattered Glass Soundwave as Exhibit A in "Why anyone who'd want this crap pretty much had all the bad stuff in their life coming to them".

I'm guessing Hasbro will officially stick by them till after Botcon, the whole thing collapsing now will just piss off more people, and publicly announcing an end to the relationship after the con before it would sort of put a damper on it, and not give them a huge amount of incentive to make much of a go of it.

Jaynz
2012-03-02, 08:53 PM
I'm assuming if it does go to court FP's defence will be to show the jury a picture of Shattered Glass Soundwave as Exhibit A in "Why anyone who'd want this crap pretty much had all the bad stuff in their life coming to them".

Well, Pete on TFW2005 already did the "You had it coming, since you were wearing that red dress on a Saturday night, baby," defense a couple of times. We're seeing a bit of that from "the usual boot-lickers" in the past couple of days as well. It's as if Glen Hallit has returned...

I'm guessing Hasbro will officially stick by them till after Botcon, the whole thing collapsing now will just piss off more people, and publicly announcing an end to the relationship after the con before it would sort of put a damper on it, and not give them a huge amount of incentive to make much of a go of it.

It would be unprofessional of Hasbro to say much that they're not liable for at this point. I honestly don't know how this will go out, since it's not like there's a big line of people beating down the door to replace FunPub now, but I can't imagine that Hasbro is remotely happy about any of this, either - particularly since there's now libel and other issues going on.

I'm glad I stopped worrying about this stuff, honestly. The exclusives just were never worth the money, much less the money and the drama.

Cliffjumper
2012-03-02, 09:02 PM
Yeh, I think FP may get away with a bollocking just because of the lack of anyone else being that interested in things, as long as they can convince Hasbro things are now safer. Without wanting to exonerate their amateurism, it's clearly a bit of a poisoned chalice - I can't see that Savage or anyone else is making a huge amount of money from the clubs. Their biggest problem is going to be how much damage has been done to buyer faith - when you've only got a thousand or whatever customers and something like this happens things aren't going to go well.

Jaynz
2012-03-02, 09:37 PM
Their biggest problem is going to be how much damage has been done to buyer faith - when you've only got a thousand or whatever customers and something like this happens things aren't going to go well.

Well, I figure that there's probably a 'maximum count' of 5000 people for FunPub's customer base, realistically. There seems to be at least 300 public (from the various forums) complaints of fraud in accounts linked to FunPub from the past four months. That's a staggering hit of 6 percent of your entire customer base being hit! (And this is just a rough count of who actually posted on major forums that they were hit.) Most companies would never, ever, survive such a thing.

Really, though, FunPub's just damn lucky that BBTS are who they are. The effective libel that Pete threw at them early on in their effort to shift blame is easily actionable and not the sort of thing that a professional would do.

inflatable dalek
2012-03-03, 07:34 AM
Surely just taking the conventions in house would be the simple solution for Hasbro? Hire the handful of extra people needed to admin it into the PR department, with taking some extra on during the busy time of the convention itself. There's probably enough Hasbro properties with fanbases to justify having a dedicated group of people on staff to deal with them. Plus, by cutting out the middle man they don't have to split whatever small profits are made by the things.

Denyer
2012-03-03, 11:59 AM
And it isn't as if Hasbro don't have fans of their own brands working for them.

As things stand the organisation will be signing off on everything anyway. The only plus of having the club arms-length is probably that they take the flak for what figures are and aren't produced as exclusives.

Agree that it's got to be a significant percentage in overall terms of people affected by this, if not actually having to get fraudulent transactions cancelled off then having to stop cards that will in many cases be linked to family bill routines and finances.

Handing over enough information for someone's identity to be stolen as a result of weak server security and saying sorry doesn't cut it. It can take years to deal with the fallout. (edit: And most of the TF customer base in this instance are at the "young family" stage and/or first-time home ownership.)

Cliffjumper
2012-03-03, 12:32 PM
As things stand the organisation will be signing off on everything anyway. The only plus of having the club arms-length is probably that they take the flak for what figures are and aren't produced as exclusives.

But that could be a problem... FP releasing Runabout or Footloose or whatever as a limited exclusive is a canny use of the resources available to them to deliver a figure Hasbro probably weren't going to make otherwise. Hasbro doing similar would be Hasbro deciding they were going to only make a ridiculously small quantity of one toy - especially if they charged much over equivalent retail prices.

If no-one comes in for it (agree that FP are dead men walking the more I think about it) I can't see Hasbro being that bothered, TBH. A bit like the comics licence, fan club/con fees probably aren't a vital part of their overall strategy. Sure, if someone's willing to stump up $##k or whatever to run it for them they'll take it, but they aren't going to spend an inordinate amount of time either trying to interest others in the licences or sorting it out in-house.

Random thought on FP - the GI Joe subscription figures surely aren't going to happen now. But the prototypes used for photography are surely in FP's hands, meaning that if/when they fold, whoever swipes them is going to have some seriously desirable items to auction on ebay. Considering the amount last year's exclusive fig (Dial-Tone, ~$300) fetches the money's clearly there from the collectors - a one-off Cover Girl especially could fetch four figures. How's that for justice?

Denyer
2012-03-03, 12:57 PM
The MOTU approach actually seems to be doing quite well -- short runs, but figures get follow-up production if popular. The secondary market prices for the handful I've acquired are reasonable for non-store products.

Comics, no, but toys are a main product for companies like Hasbro and Mattel. It's not much of a stretch to handle that aspect of merchandising and PR to the older part of the customer base without having to deal with people who'll tar the organisation and brands with security leaks, which are bigger in public perception since Sony and Wikileaks.

inflatable dalek
2012-03-04, 07:43 PM
Yeah, I really can't see running the fanclub itself would be that much time or trouble for Hasbro directly.

Do FP actually do anything but work on Hasbro properties? Because if not, I can't see people viewing them as anything but an extension of Hasbro anyway.

Cliffjumper
2012-03-06, 02:16 PM
If it's any time or trouble for them they won't bother. And define 'people' - I think anyone who's heard of FP, let alone deals with them, are in the know enough to be aware of where they end and Hasbro begins. They aren't anything to do with the casual fans that go and see the films and don't buy the IDW comics however crass they make them, they're fans and nerdy fans at that. Which probably means they've been carpet-bombed with boring, pedantic discussions on licensing, trademarks and all the other shit we've had here.



To the G.I. Joe and Transformers fan communities and Fun Publications customers,


Thank you for bringing your concern to our attention and for giving Hasbro the opportunity to respond to a matter that impacts its G.I. Joe and Transformers brands. Please know we take all consumer concerns very seriously and are in regular contact with Fun Publications (our licensee) about the possibility of a breach in security to their online purchasing system for the G.I. Joe and Transformers Collector’s Clubs. Fun Publications is also taking this matter very seriously and is diligently working at identifying any problems, the number of customers affected and ways to ensure it does not happen to any more customers. Hasbro wants consumers to have a positive experience at all touch points for its brands, including transactions with its licensees. As such, we are confident that Fun Publications has detailed instructions and pertinent information available for those consumers who believe they may have been targeted by credit theft via their portals.

Based on our extensive conversations with the Fun Publications team Hasbro wants to convey the following to the fan communities:


Fun Publications has assured us that they are taking necessary measures to curb additional issues, and they are working with third party experts to identify the problem. They anticipate knowing and communicating the cause of the breach as soon as possible to those affected.
They believe that the number of customers affected is low relative to the volume of sales transactions made.
However, if you believe fraudulent charges have been made to your credit card after making a purchase with any portals for the G.I. Joe or Transformers Collector's Clubs, we urge you to contact Fun Publications immediately and provide them with the information requested at https://www.transformersclub.com/tccccinfo.cfm or http://gijoeclub.com/ccinfo.cfm by using the "Contact Us" link at the bottom of these pages.
Fun Publications can also be reached at the following number for additional consumer affairs inquiries relating to the G.I. Joe and Transformers Collectors Clubs at (817) 448-9863 during regular business hours.
As more information becomes available, they will be contacting all affected customers who have notified them about the issue. Thank you again to all of the fans of our Transformers and G.I. Joe brands for their continued support and for the opportunity to respond to this matter.

tl;dr Hasbro aren't giving much away.

Jaynz
2012-03-06, 02:23 PM
I don't know why this would surprise anyone. Hasbro was never going to say "Yeah, FunPro really sucks and that Brian is a total douchebag. Don't do business with our own licensor!"

What's far more likely to happen is that the license would very QUIETLY not be renewed once BotCon is over.

tahukanuva
2012-03-20, 12:14 AM
Presented without comment. (http://t.co/ZFAmKx3L) Mainly because my only comment is astounded swearing.

Denyer
2012-03-20, 01:08 AM
The way people are talking now, I can't see how the panel can end without the police being called
Mmm. Have only very lightly skimmed the rest of the TFW thread, as it's doubled in size since I last saw it.

Other e-commerce sites do hold payment details, but it wouldn't surprise me if there are specific security requirements that have to be audited or connected legislation that covers this. Not familiar with US law. IIRC there's something fairly restrictive in the UK... if I remember and have chance, will skim relevant policies at work tomorrow... it's probably this; http://www.cornishwebservices.co.uk/articles/technology/what-is-pci-and-pci-compliance.html

edit: Am I seriously reading that right that full card details were printed out and sent packed in with orders?

Jaynz
2012-03-20, 03:09 AM
Presented without comment. (http://t.co/ZFAmKx3L) Mainly because my only comment is astounded swearing.

Whatever you referenced, it's been deleted. What was up?

edit: Am I seriously reading that right that full card details were printed out and sent packed in with orders?

Yes. Yes they were. And, remember, this is all with the current system.

FunPro can definitely be held liable in civil court, there's really no question about that. I'm not sure what their criminal liability extends beyond their rather willful negligence in informing their customers of the breach. That's actually a criminal offense in Texas.

tahukanuva
2012-03-20, 03:22 AM
Whatever you referenced, it's been deleted. What was up?

A Facebook conversation. Someone posted a status about this being the last Botcon they go to if FunPub doesn't shape up. Karl Hartman told him not to bother coming. The guy replied with some of the credit card stuff Denyer mentioned, and how FunPub could be in quite some trouble. Hartman told him to cancel his plane ticket.

Karl Hartman, for those that don't know. (http://tfwiki.net/wiki/Karl_Hartman)

Jaynz
2012-03-20, 03:35 AM
A Facebook conversation. Someone posted a status about this being the last Botcon they go to if FunPub doesn't shape up. Karl Hartman told him not to bother coming. The guy replied with some of the credit card stuff Denyer mentioned, and how FunPub could be in quite some trouble. Hartman told him to cancel his plane ticket.

Karl Hartman, for those that don't know. (http://tfwiki.net/wiki/Karl_Hartman)

I'm not sure which way to take this. Did Karl Hartman actually pretty much say that FunPub wouldn't bother changing so the guy shouldn't waste his time, or did he just tell a customer (since he's a member of FunPub, technically) to **** off?

tahukanuva
2012-03-20, 04:41 AM
From his very first reply, Hartman started with the "don't come to Botcon" stuff, and stayed with it the whole conversation, so it definitely felt like the latter.

Jaynz
2012-03-20, 04:44 AM
From his very first reply, Hartman started with the "don't come to Botcon" stuff, and stayed with it the whole conversation, so it definitely felt like the latter.

Truth be told, I can't imagine Karl doing that. I know he's gotten more jaded since the whole issue with Glenn, but this is a really big leap... I hate to see it. :(

Skyquake87
2012-03-20, 08:07 AM
Mmm. Have only very lightly skimmed the rest of the TFW thread, as it's doubled in size since I last saw it.

Other e-commerce sites do hold payment details, but it wouldn't surprise me if there are specific security requirements that have to be audited or connected legislation that covers this. Not familiar with US law. IIRC there's something fairly restrictive in the UK... if I remember and have chance, will skim relevant policies at work tomorrow... it's probably this; http://www.cornishwebservices.co.uk/articles/technology/what-is-pci-and-pci-compliance.html

edit: Am I seriously reading that right that full card details were printed out and sent packed in with orders?

I know at my place of work (I work for a water company) no credit / debit card details are retained at all. Once a payment is made the details are deleted, which oddly annoys quite a lot of customers as regular payers actually expect this information to be retained - they don't seem to realise it's for their own (and our) protection.

Cliffjumper
2012-03-20, 03:44 PM
Same here at a convenience store (receipts have most of the numbers asterisked out; leafing through the wallet this seems standard for just about everything here).

Incidentally, got this the other day (the first email I've received from FP for a good fortnight): -


Hello, It seems when it rains it pours. We just found out this morning that our printer has failed to mail you the March issue. This will be going out by Friday so they are incredibly late. If you don't get yours by the end of the month, please let us know. We apoligize for the delay.
Brian

Same shit spelling, same "woe is us" tone, same blame-shifting. It's tempting to go to BotCon and brave the crowds of sex offenders and sweat factories just to call him a c*nt to his face. I could make it my stag night.

Jaynz
2012-03-20, 03:53 PM
Same shit spelling, same "woe is us" tone, same blame-shifting. It's tempting to go to BotCon and brave the crowds of sex offenders and sweat factories just to call him a c*nt to his face. I could make it my stag night.

I've never had a printer mail directly to customers... I don't think that's how things work. (You get the print run, then you distribute to your customers.) I suppose it's possible, but I didn't realize it was the responsibility of the printer to mail out the magazine as well...

inflatable dalek
2012-03-20, 04:24 PM
Though in the unlikely event that the printer is posting the magazines, that's another third party with information on the members.

But as TFV says, that's not a very usual set up.

And the spelling on that is atrocious. True, so's my spelling but I'm not taking your money and delivering crap service for the privilege am I?

And yeah, in the UK anything other people might actually be able to see never has the full card details on it, even my private emails from Amazon or wherever only have the four numbers followed by asterisks.

Denyer
2012-03-20, 05:57 PM
Whatever you referenced, it's been deleted.

http://i41.tinypic.com/mme6wp.jpg

Zero time today to look into things, unfortunately.

Jaynz
2012-03-20, 06:09 PM
http://i41.tinypic.com/mme6wp.jpg

Zero time today to look into things, unfortunately.

Yeah... having read that now.. it really does look like Karl's effectively saying "shut up and quit complaining" with his responses. Even his "was it ILLEGAL?!" seemed to be a weak justification for unethical and outright stupid business practices.

Skyquake87
2012-03-20, 11:17 PM
Having read the thread, Karl's responses really aren't helping.

If FunPub are really that ignorant of such matters, it doesn't reflect well on them. It's now having a knock on effect with BotCon ... I think Vanguard is right and we could see a quiet dropping of FunPub as a licensee after BC.

They don't seem to be doing much to clear up their mess (and if they are it's happening far too slowly), and worse they don't even seem to be acknowledging that they've done much wrong, which is staggering.

Denyer
2012-03-20, 11:52 PM
It's been suggested that since people are still being defrauded on cards that haven't yet been cancelled (not necessarily because they've been blasé about it -- some didn't remember that they'd used a different card a few years back with the store) that there's an unfortunate likelihood that a few convention attendees are going to get stuck with frozen accounts whilst travelling away from home.

The packing slip mistake confirms that full card details were in freer circulation than they should be (or are permitted under the terms of the card issuing industry, if not laws) and it doesn't matter if it's one instance or several; the processes they had in place allowed for it to happen.

Coming at it from a (fairly large organisation) UK local government perspective, in the handful of cases I'm aware that card details have been recorded on paper forms in similar institutions, the best the hopefully well-meaning staff holding those records can hope for is an audit presence standing over them to verify destruction. The legal and reputational risks are huge.

Cliffjumper
2012-03-21, 10:54 AM
They don't seem to be doing much to clear up their mess (and if they are it's happening far too slowly), and worse they don't even seem to be acknowledging that they've done much wrong, which is staggering.

Mmm - there's a weird mix of asking for pity and patience, blaming others and at the same time being surprisingly reticent to admit something's actually happened. As I said up-thread, some seem to have suffered fraudulent charges (or attempts at such) after FP were initially aware of the problem because they were so slow notifying members just how serious it was.

Looks like Cover Girl's going to be keeping her weird coat (http://counter-x.net/gi_joe/figures/joes/cover_girl.html) for a while yet :( No, I'm not going to get the Rise of Cobra one.

inflatable dalek
2012-03-21, 11:04 AM
Hmm, I do think people would be more forgiving if there was just a bit more honesty and obvious attempts to deal with the problem sensibly. FP seem hell bent on trying to lose the licence which, if they don't do anything other than Hasbro work (the Wiki doesn't mention anything but it can be myopic) that's basically suicide.

Jaynz
2012-03-21, 12:38 PM
Hmm, I do think people would be more forgiving if there was just a bit more honesty and obvious attempts to deal with the problem sensibly. FP seem hell bent on trying to lose the licence which, if they don't do anything other than Hasbro work (the Wiki doesn't mention anything but it can be myopic) that's basically suicide.

FunPub is pretty much just GI Joe and Transformers... so, losing the licenses would indeed be suicide for them. I'm not going to say that it's inevitable that it'll happen at this point, though, since, as I said, no one else is really beating down the door to counter their offer. But, if I were in Hasbro's position, I would quietly drop the license completely rather than have my brands associated with this mess.

Cliffjumper
2012-03-21, 01:56 PM
Well, the thing with 'suicide' is that I really don't think FP are making a mint from the various clubs; this isn't a manufacturer imploding or something. Obviously without condoning or excusing what's happened I would say the margins certainly require more than a simple desire to make money; it looks like they're crumbling from a situation that's completely beyond a semi-amateur fan-driven organisation to cope with. As said, I can't see a great many people really wanting to run the thing; licence fees alone must be high, let alone that the clubs are based on catering for a membership that is largely made up of demanding, blinkered people with no sense of perspective. I agree that when FP lose the licence it's quite likely the whole thing will either just lapse or drop back to being a convention without a club.

Don't get me wrong, if they hadn't been complacent and lazy with details the whole thing would never have happened, and I don't feel sympathetic. I just don't think that having the licences for the Club is commercial gold, and at this stage FP can see the writing on the wall and are just shattering under the pressure.

Jaynz
2012-03-21, 08:07 PM
Well, the ever-fun train-wreck of a thread at TW2005 has finally been locked. To be honest, though, I'm very glad that that thread was allowed to go on as long as it did, since it basically served as the hub (ahem) in revealing FunPub's issues to the public. I am really distressed to see FunPub put on the full Nixon when people's mortgage payments were bouncing.

Well, the thing with 'suicide' is that I really don't think FP are making a mint from the various clubs; this isn't a manufacturer imploding or something.

I actually can't help but feel that FunPub saw themselves as a 'collector's toy dealer' more than anything else. Maybe they thought they would be making a lot more money? I'm not sure.. but I never felt that there was an effort to make the club inclusive for Transformers fans. It seemed to be more of an 'elitist' thing, when the most expensive 'rare' toys being made for bragging rights rather than for fun for the fans.

In other words, it's really starting to feel like 2003 again. At least, this time, I'm not actually involved in it, and it's not like the "Powers that Be" would listen to me any more this time than last. Besides, they've got the usual suck-ups firmly attached to their buttocks again... and, yes, the exact same suck-ups as in 2003.

Don't get me wrong, if they hadn't been complacent and lazy with details the whole thing would never have happened, and I don't feel sympathetic. I just don't think that having the licences for the Club is commercial gold, and at this stage FP can see the writing on the wall and are just shattering under the pressure.

Being 'official' didn't seem to add much more than adding more toys (BotCon got exclusives LONG before they were an official licensor, after all) and a whole new slew of rules and legalese to deal with. It seems like a lot of the 'smaller con' events are more fun, with trading in having a lot more freedom over multi-hundred-dollar boxsets.

Cliffjumper
2012-03-21, 09:07 PM
Yeh, I think someone, somewhere overestimated the number of people who'd be up for buying exclusive repaints and the like. The rise of kitbashing and general customising (as well as 3rd party material) means that something like, say, the G2 Sideswipe can be got another way. There's also the general amount of 'fan' figures around with stuff like Classics - a lot of the fuss around older exclusives came from them being relatively rare in that aspect - the RiD Prowl as Sunstreaker and Sideswipe, for example, was rare as a modern homage to G1 characters. Now there's a retail line explicitly doing that, meaning we either get obvious rubbish like SG, or made-up characters no different from some random main-line recolour.

There's also just a Hell of a lot more product out there than there was ten years ago. Late 1990s/early 2000s fans could buy up the whole year's releases and have plenty of change to sink into exclusives. Nowadays completists have been basically rendered extinct by the sheer number of new figures a year - all-up there must be about a hundred TFs coming out a year now.

Jaynz
2012-03-21, 09:35 PM
Yeh, I think someone, somewhere overestimated the number of people who'd be up for buying exclusive repaints and the like.

I think it's more that there's been very limited inspiration from FunPro about exclusives, with just a couple of years' being the exceptions. Animated Stunticons, while not a perfect set, was a nice theme. Classics 'jet filler' was largely solidly received, even if only for the 'missing' seekers. (The other guys, somewhat less so.)

Four years of Shattered Glass? Not so much. The half-ass G2 'redux'? Again, not so much. Why not a set of the Axelerators, or Skyscorchers rather than oddball 'throw ins'? Why these oddball choices all the time that REQUIRES a fan-fic comic to explain? This take seems awfully familiar, doesn't it? Like, say, the Glen Hallit run?

And, you're right, there's a lot of Transformers product out there now (even if 90 percent of it is Bumblebee). Fan Club stuff needs to be special to separate it out from the regular-run product, and character repaints to match a fan-fic that no one outside of #wigii even gives a rat's ass about isn't going to do it.

Jaynz
2012-04-04, 02:57 PM
Speaking of the Hallit run, I can't help but be constantly reminded of the fall of his convention with all the shenanigans going on with BotCon now. The 'artists alley' is now forbidden to sell artwork, and there's threats of confiscation of third-party product, etc. And everyone assumes these are edicts from Hasbro.

Yet, Hasbro hasn't said a word about any of these things. We didn't get a press release from Hasbro stating their position, we just got Brian Savage's word about all of it. While this is getting a bit tin-foil hat here, and I openly admit that it is, is it possible that it's FunPro that sees 3rd party toys and Fan Art as competition to their offerings, and not Hasbro?

Or, is it also possible that, like Glen did nearly 10 years ago, FunPro wants to lay the blame for the 'failure' of the convention squarely at Hasbro's doorstep? Are they already losing the convention and this is FunPro's way of burning the bridge?

Yeah, all tin-hat stuff, but I'm just so insanely reminded of 2003 with all this that I can't help but picture it. It doesn't remotely help, other than the owner, nearly all the players are the same...

Cliffjumper
2012-04-17, 12:40 PM
I got Footloose. He's pretty cool, actually. I so have no principles or sense of priority.

inflatable dalek
2012-04-17, 06:44 PM
Does he look like Kevin Bacon?