Hackers vs. the D&D Community

Slowly but surely, those of you who read these columns
are probably getting to know me. You can probably
start to predict what I'm going to write about
before I even write about it. You're not at
all surprised to learn that I'm writing about
computer hackers this week.

That's right. It looks like some hacker might have
grabbed some credit card numbers from people
ordering The Book of Eldritch Might
via Instabill, the company we use to process
orders. Before you panic, however, if you
haven't noticed phony charges on your card
yet, you almost certainly won't. It already
happened a few weeks ago. We just didn't know
about it until now.

But that's where the story gets interesting.

See, everyone who's had a credit card has probably
seen a charge they didn't recognize show up
on their card. When this happens, you call
the credit card company and they get rid of
it. It's simple, and we don't hardly think
about it. I imagine that hackers who steal
credit card numbers rely on that fact.

But this time, the fact that the online D&D
community is so wired together worked against
the thief. A few days ago, a customer who
ordered The Book of Eldritch Might
noticed a big charge on his card that he didn't
recognize. He had the credit card company
take care of it. The thing is, he hadn't used
that card in a year before his purchase from
Malhavoc Press. He figured it must be linked
to The Book of Eldritch Might and mentioned
it on the DND mailing list. Suddenly, other
people said, "Hey, me too."

See, that's the thing. Those people, for the most
part, also had noticed incongruous charges
and had their credit card companies take care
of them. Separately, they had no way to figure
out how it happened. Nor did they have any
incentive to. I don't blame them one bit --
it's just what I did when this happened to
me recently. But suddenly, here was a link.
And although as of right now we still don't
know for sure that there was a hack, or that
it was on the Instabill site, it looks like
it -- the phony charges were all similar.

So, of course I got involved. I don't want to
see anyone hurt because of my product. I need
to know what I can do to keep this from happening
again. I contacted Instabill, who was completely
unaware that anything had happened. But of
course they were -- how could they have known?
This kind of thing could happen every now
and again to companies who accept credit cards,
and there's no way to know, because the customer
(who sees the charges on his bill) never talks
to the vendor (in this case, Instabill and
me), he talks to his credit card company.
And credit card companies don't contact the
vendors, because it's easier for them to eat
the cost of the fraud than do big investigations.
It's a system that breaks down because of
a lack of communication.

Except in this case, it didn't. Because D&D fans
talk to each other, and because I'm not just
a vendor in this case, but also a D&D
fan, I heard about it. I wish I could tell
you that it led to the creep's capture, but
I can tell you this: It led to an FBI/Secret
Service investigation. That's right. The feds
are involved now. That's pretty cool.

So where do we stand now? Well, even though they
can find no evidence of a hacker break-in,
Instabill has really beefed up their security,
and they alerted the FBI and Secret Service.
No customers are being held responsible for
the fraudulent charges, and in the words of
one of the people affected, "No harm,
no foul." I've resumed selling
my product, confident that this was a
one-time thing, not an ongoing problem, and
that Instabill's new security features will
keep it from happening again.

Unfortunately, my reputation among gamers is probably a little
tarnished, and some customers likely are leery
of buying my next product, or any online download
for that matter. That's a real shame, and
obviously, I'm bummed. Oh well. It hasn't
changed my opinion of online charging. There's
a lot more credit card fraud going on with
off-line use than online. But that's a topic
for another day.

In the worst-case scenario -- from my perspective
-- if the thief did get the credit card numbers
from Instabill, he may have known when to
do it because he came to my website. He could
very well be reading this right now. It's
a sad reminder that, as much as I'd like it
to be otherwise, we're not necessarily all
friends here.

That's the saddest part of all.