-
All For Sale threads must have a pic showing the knife being sold with written date listed, your username & Bladeforums or BFC to prevent photo harvesting from elsewhere - scammers hate this one trick! The rules for The Exchange can be found here. Please read and follow them. Stop using Paypal Friends & Family and follow our best practices to prevent getting ripped off or having a bad deal.
-
The BladeForums.com 2024 Traditional Knife is ready to order! See this thread for details: https://www.bladeforums.com/threads/bladeforums-2024-traditional-knife.2003187/
Price is$300$250 ea (shipped within CONUS). If you live outside the US, I will contact you after your order for extra shipping charges.
Order here: https://www.bladeforums.com/help/2024-traditional/ - Order as many as you like, we have plenty.
Possible credit card scam
- Thread starter Franciscomv
- Start date
- Joined
- Feb 7, 2005
- Messages
- 2,892
I received a reply from the nice folks at Knifeworks. They explained that this is a new policy for international orders and also told me why the e-mail address wasn't one of their regular xxxx@knifeworks.com but rather a Gmail account.
I hadn't checked the info on their website concerning international orders because this isn't the first time I've bought from them and I didn't think anything had changed. My bad.
I hadn't checked the info on their website concerning international orders because this isn't the first time I've bought from them and I didn't think anything had changed. My bad.
It is a PCI compliance issue, and it could lead to serious problems for them. All transmissions of customer data must be encrypted across open, public networks. It's also questionable whether such a level of physical access to employees (having small image files with cardholder information stored in a gmail address) is an issue itself. That's why I strongly suggest Knifeworks revises that policy ASAP. Even if it wasn't an issue with card processing, it's public record now; a hacker that found this policy couldn't help but try infiltrating it - a Gmail address with a bunch of foreign Credit Card information stored in it?? #IdentityThiefDreams
I don't like seeing small business facing more obstacles than they have to, but security is a requisite of online retail. I wouldn't ever be subjected (domestic customer) to this specific policy, but the low standards bother me and shrugging it off as an acceptable risk leads me to question their ability to create and maintain a secure data flow for cardholder information. Also, a lot of people do not question vendor practices - they would just send the photo. If Franciscomv shrugs it off as an acceptable risk and Knifeworks doesn't feel pressured to develop safer practices or question their policies proactively, those protections fail for the customers that are unaware or uneducated about the risk. Everyone will do what they want (or what they think they can get away with), but right now would be a good time to address a potentially unsafe practice. Everything will work fine until it doesn't.
PCI is designed as a security theater, and does little to actually protect information. Just like most compliances are. Educate the user is the biggest myth ever invented by the security industry. But that's another story for another day.
As of today I am perfectly happy sending my CC image to knife works via gmail.
As I said earlier you should stop using credit card physically at merchants - who knows some malicious merchant may steal all that information and use it for his gains. ;-)
It isn't a bit more (or less) secure either way. And those statistics of breaches only serve the security vendors who thrive on FUD.
I am perfectly happy sending my CC data as image to knife works, given the state of art is equally (in)secure. Compliances are feel good factors and have questionable impact in improving it.
- Joined
- May 14, 2010
- Messages
- 806
Things that are NOT PCI Compliant:
Never send or request credit card information over email.
Never request credit card information over chat.
Do not use web forms on your web site to collect credit card information.
Web sites hosted on shared web servers will never be PCI compliant
Web sites hosted on virtual private servers, and cloud servers will also NOT be PCI compliant unless the underlying host servers are also PCI compliant (and dedicated to you).
Dedicated physical servers will not be PCI compliant unless many additional factors are met.
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
Section 4.2 I believe
Never send or request credit card information over email.
Never request credit card information over chat.
Do not use web forms on your web site to collect credit card information.
Web sites hosted on shared web servers will never be PCI compliant
Web sites hosted on virtual private servers, and cloud servers will also NOT be PCI compliant unless the underlying host servers are also PCI compliant (and dedicated to you).
Dedicated physical servers will not be PCI compliant unless many additional factors are met.
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
Section 4.2 I believe
- Joined
- Mar 25, 2012
- Messages
- 9,286
I would just find somewhere else to buy my knives. They are out of their minds if they think I would send my CC info, picture or other wise, in a email to a Gmail account. Where is the crack smoking emoticon ?
I doubt if pci compliance is applicable for knifeworks - they do not handle CC data but use a 3rd party payment gateway for this.
But the pci standards org are nuts - they will extort fines from anyone whom they can, it's organized extortion syndicate in the name of security.
I almost think you don't have the slightest clue what any of this means. You're doing a dis service to everyone that purchases from Knife Works by entertaining the notion (absurd as it is) that sending your CC info through e-mail is as secure as using your card physically at a merchant. Troll much?
Knifeworks doesn't handle CC Data? WTF do you call it when someone e-mails them a credit card number? They have in effect expanded their Cardholder data environment to Un Encrypted Gmail messages.
Is Knifeworks subject to PCI Compliance?
Sending an e-mail with your credit card information is paying the merchant directly, it doesn't matter how they process it. Card companies are in charge of handing out fines or revoking card processing priveleges, and it doesn't matter how many layers of processing companies is between you and Visa, they can reach out and touch you and all those companies are more than willing to give up every piece of data they have . You're defending a notion that doesn't have the slightest bit of truth to it. If you want to complain about PCI, send them an e-mail. It is a fact that Knifework's policy is un secure though, and any reputable security professional can verify that. It almost seems like you have a vested interest in degrading the security of merchants in this industry.
- Joined
- May 14, 2010
- Messages
- 806
I feel like, if they do have to go through PCI compliance, that they are skirting the PCI compliance by using a gmail address to have the cc numbers emailed to, in case their email server gets scanned as part of the compliance audit?
By emailing it via gmail, you make 10 copies enroute, including gmail datacenters. How different it is than handing over your CC in a restaurant to the server, who makes 4 stops enroute (where he has ample opportunity to copy your card data), before handing it over to the counter to be swiped (where it can be copied again)? Absurd ideas have lead to the tiny security improvements we see today, fixated minds don't help much. Let's not get started with the troll bit.
I have a vested interest in letting people know things aren't (in)secure as they think they are. PCI happens to be the case in point here. Being on one side of PCI-compliance, I probably have more stories than you (unless you happen to be on either side), but let's save them for another day.
- Joined
- May 14, 2010
- Messages
- 806
Really?
There is a gmail account sitting out there with a bunch of copies of peoples credit card numbers sitting in it and everyone knows what it is?
Seems like a pretty bad idea to me.
I am pretty sure that no card issuer or bank would approve of that. That is specifically what PIC compliance is meant to protect from.
Also, yes, someone could skim your card number (a waiter or waitress), but someone can't kidnap the person and get all of the credit card numbers that they have ever handled. Thanks for contributing your crap answer to the thread.
There is a gmail account sitting out there with a bunch of copies of peoples credit card numbers sitting in it and everyone knows what it is?
Seems like a pretty bad idea to me.
I am pretty sure that no card issuer or bank would approve of that. That is specifically what PIC compliance is meant to protect from.
Also, yes, someone could skim your card number (a waiter or waitress), but someone can't kidnap the person and get all of the credit card numbers that they have ever handled. Thanks for contributing your crap answer to the thread.
By emailing it via gmail, you make 10 copies enroute, including gmail datacenters. How different it is than handing over your CC in a restaurant to the server, who makes 4 stops enroute (where he has ample opportunity to copy your card data), before handing it over to the counter to be swiped (where it can be copied again)? Absurd ideas have lead to the tiny security improvements we see today, fixated minds don't help much. Let's not get started with the troll bit.
I have a vested interest in letting people know things aren't (in)secure as they think they are. PCI happens to be the case in point here. Being on one side of PCI-compliance, I probably have more stories than you (unless you happen to be on either side), but let's save them for another day.
Maybe KW is well aware of this, and promptly deletes the CC image?
I am not against PCI compliance (if that is the idea you had all along). However, I have seen how overly abstract and confusing the wording of PCI standards is, how PCI controls are implemented, how the compliance is assessed, their changing definition of "in scope" and "out of scope" systems, and how confused the auditors are. It gives me not an ounce of hope after seeing the complexity in PCI. Pray tell me, even with PCI compliance, why do we see security breaches with huge financial institutions day in and out? (today's news has JPMC, yesterday it was a bank in Europe, and the day before an Asian bank, and the list just goes on). I am sure all of them had PCI-compliant systems, but when the exceptions are the norm, things ain't right the way they seem. How many security breaches did KW have (assuming they are not PCI-compliant and request CC images?). Maybe we don't know, but it will be hazardous to guess either way, and cry wolf.
No actually, the restaurant owner maintains this CC data in a diary which is kept in an (un)locked drawer. As I said earlier, sending CC image over gmail is perfectly (in)secure as much as having PCI-compliant systems. As a CC holder you are surely free to decide whom to trust, and make reasonably secure choices that safeguard your financial data. As for me I am perfectly fine sending CC image to KW if they demand it, and worry less about PCI-compliance. Actually in my opinion, "compliance" is for mediocre people who would rather hide behind it, than worry about the actual security of data. No, we shouldn't abandon PCI-compliance, but I feel a blind faith in it should be avoided as well.
Thanks for contributing your answer to the thread. :thumbup:
Last edited: