Forum: MarketPlace Customers


Subject: Low security at Renderosity?

l.croft opened this issue on Apr 11, 2017 · 83 posts


nujazz posted Tue, 18 April 2017 at 3:08 PM

hornet3d posted at 2:59PM Tue, 18 April 2017 - #4302803

Well, I have now set up a prepaid debit card and charged it with a small amount of money, but now I have done this I am not sure I want to use even that here. I am not pointing at any individual, more at the corporate structure, but it appears they are unwilling or incapable of improving the security here.

There is more than one thread here where customers have stated that they are very concerned about buying from the marketplace here and yet there appears to be little being done to address their concerns. Not everyone who placed an order in the time frame admitted by Rendo got any email and many had to find out from other customers adding the email details to the forum. Yes, they have said that actions have been taken to improve the security, but that was said last time and clearly the measures were not enough.

In this digital age we have to accept that credit card fraud is a fact of life but you also expect the companies to do their best to protect you and inform you when things go wrong. The fact that a breach has happened twice (that they admit to, I believe there were others) in a relatively short period is not acceptable and their response is, in my opinion, not good enough.

I will continue to visit the forums to see if there is a change of heart but I have decided not to reward a company for their apparent lack of understanding of how this affects their customers. Despite the fact I have a prepaid card set up I do not intend to even look inside the market place here until I see some indication that Rendo, as a company, has a better grip on this situation.

The two incidents were this past March and sometime two years ago.

I was not here for the one two years ago, but I know one of the things they did was to completely offload credit card processing. We no longer store credit card information. This defeated any attack that tried to get account information from past purchases.

The only thing they could do is eavesdrop on purchases as they happen. That happened this past March. We have closed that vulnerability. We have also found a few ways to protect against other attacks that have not even been attempted yet.

From previous posts:

After learning of the attack we immediately removed the attacker's work, changed all internal passwords (including admin user accounts), and implemented various protective measures. In the interest of maintaining security I cannot disclose all of the details, but we have added very restrictive filtering on all file uploads and user input as well as new monitoring tools and improvements to existing tools. We stopped all new feature development. We spent 3 weeks intensively reviewing and revising our systems at every level. We were able to trace the attack route, and we closed the vulnerability. We also found a couple other vulnerabilities that the attacker never found. We are continuing to use our new and improved tools to monitor our systems for any suspicious activity.

Since plugging the holes we have seen the attacker come back, but all of his attempts have failed.