EA/BF3/Origin/Getsatisfaction.com hacked?

May 21, 2012 8:45:17 AM

Through mobile alerts, I saw two $1 charges against my credit card account for 'Get Satisfaction, Inc., San Francisco CA' this weekend.

I called the bank to see if I could get more info about the pending transactions. They didn't have any. I contemplated canceling my card and asking for them to issue a new one immediately, but Get Satisfaction sounded vaguely familiar.

After I got off the phone with the bank, I got on the PC and began to type getsatisfaction.com. History provided immediately getsatisfaction.com/battlefield3. I then realized this is the company that provides the 'Feedback...' service for battlefield 3 and that's where I had some familiarity with this company. I started up a chat with the chat facility through BF3 and they told me they have nothing to do with getsatisfaction, they are EA support and I need to call getsatisfaction to resolve this issue. So I proceeded to the getsatisfaction.com website and found they had an 877 number, so I called to see what was going on.

When I pressed the option for billing, they had a 'special message' and asked for people to 'please listen...' and proceeded to say that if you have charges on your credit or debit account in the amount of $1 in the name of Get Satisfaction, they are fraudulent and they suggest you cancel your card immediately.

Needless to say, I called the issuing bank immediately and canceled the card.

My only relationship, as far as I know, to the company 'Get Satisfaction, Inc.' is through the black hole that is BF3 support forum through the 'Feedback...' graphic you click on the side of the page. The common link here is Origin. How was someone able to get my credit card info and make a fraudulent charge in the name of this BF3 3rd-party service if the EA/Origin database hadn't been hacked? How would they know to make a charge appear as if it were with regard to the related support service at getsatisfaction.com? Why would Get Satisfaction have a 'special message' recorded under their billing information at their 877 number regarding this issue if it wasn't a known issue? It's obvious this is a widespread issue.

Why haven't Origin/BF3 users been notified? How does someone know to fraudulently charge my card using the Get Satisfaction, Inc. name as it is related to a game that I play? How many people is this affecting?

Why aren't the masses being notified of such a breach? If there's a special announcement on the getsatisfaction.com call service, I know I'm not the only one affected. This is where I think the government needs to step in and force companies to send out notifications and make things public so consumers can take action. If they don't, the government should impose large fines on companies not directly disclosing this type of breach.

Thought this might be a news-worthy story worth looking into for the Tom's community as I know many of us play BF3.
May 21, 2012 3:32:25 PM



Maybe US banks should do what mine does here in the UK.

If anyone makes a charge of £1 the bank stops your card automatically on the grounds that it's the usual way of a thief or hacker proving the card works. It happened to me when I made a donation of £1 through PayPal while paying for an e-Bay item. I was pretty annoyed with the bank but can't flaw their logic in thinking they're protecting us.


May 21, 2012 3:51:14 PM

Saga Lout said:


Maybe US banks should do what mine does here in the UK.

If anyone makes a charge of £1 the bank stops your card automatically on the grounds that it's the usual way of a thief or hacker proving the card works. It happened to me when I made a donation of £1 through PayPal while paying for an e-Bay item. I was pretty annoyed with the bank but can't flaw their logic in thinking they're protecting us.


In the States, most of our gas stations and restaurants put a hold of $1 against the account for whatever reason before they submit the final purchase amount a day or two later. I can see why the restaurant wouldn't know your final amount since you haven't added a tip until after they run the card, but a gas station???

So, it would be kind of hard to differentiate based on the $1 transaction.
May 24, 2012 9:41:23 PM

My name is Jeff Nolan and I am responsible for the monthly subscription business (for customers who pay us with credit cards) at Get Satisfaction.

Let me start by providing some background. Approximately 1 month ago we started getting calls from people who were seeing $1 charges on their debit and credit card statements. A search of our account and transaction databases revealed no records with names, email, or other identifying information and no $1 transactions through our credit card gateway (the part of the network that actually processes credit card transactions to the major cc networks).

On top of that, the people who were calling in had no idea who we were.

We talked with each person that called us about a transaction and pieced together more information, and determined that a criminal had set up a merchant account (what you store credit card information in) and was manually processing debit cards for $1 authorizations and then reversing the charges. The reversed charges show up 24-48 hours after the initial transaction so people who monitor their cards closely were seeing the transactions, while the criminal was using the $1 charges to validate cards for future use.

I want to focus on a specific piece of the above information. Whoever is doing this is using a merchant account named "Get Satisfaction, Inc." to process the transactions, they are NOT using our merchant account or credit card gateway. In this regard we are as much a victim as people seeing the $1 charges, instead of a financial loss we are suffering loss of reputation as someone has been using our company name to conduct an illegal activity... they are not using our systems.

We have taken great expense in recent years to build secure systems and part of that effort was becoming PCI compliant, a critical first step being that not one of our systems actually holds credit card information. Our own merchant account sits inside a credit card processor and has what is called a "vault" to secure user financial information, so the only part of a customer's credit card we ever see is the last 4 digits of a credit card number.

Another interesting piece of information that we pieced together is that the majority of people calling us in those few weeks were located in the Santa Cruz area. I contacted the Santa Cruz PD and learned that an active investigation was already underway as a result of a debit card skimming operation that was broken up.

Calls kept coming in and people located in different states were identified as well as credit cards, not just debit cards. The FBI told us that organized credit card fraud rings will buy and sell merchant accounts as well as credit card lists and it wasn't surprising that we were seeing this expand.

The Secret Service got involved and they told me today that they have located the rogue merchant account and are in the process of shutting it down.

To recap:
- this is fraud, you should contact your bank and reissue the card as well as report the fraud.
- our systems were not hacked and point in fact the credit cards that have had fraud reported on them are not people who have a relationship with us (and our customers never integrate with us in a manner that would expose them).
- We have been working with 3 law enforcement agencies and have shared our compiled list of people affected with them, as well as working through bank fraud departments.
- We have been the victim of identity theft and I have personally invested a significant amount of time to get this resolved, as has our entire customer care team. It's not easy getting the attention of law enforcement when you are talking about $1 charges but I am appreciative of the Secret Service for investigating this and sticking with it.


May 25, 2012 11:28:02 AM

Wow. I would never have expected this response and if you are representative of other employees at getsatisfaction.com, I'm pretty damn impressed.

The thing that worries me is how coincidental is it that the person or people who have committed the crime have done so (in my case) to a person who's a big BF3 player and whose cc info is probably stored somewhere at EA or Origin (knowing that the BF3 support is provided by getsatisfaction.com)? The common link here is EA or Origin wherever the cc information is stored. I'm hoping at some point, we'll find out where the information was stolen from and hopefully the company will send its customers notification of this.
May 25, 2012 1:34:55 PM

Thanks, we are trying to provide as much information as we can because that is what I would want to get if it were my credit or debit card. It's been stressful because, ironically, none of our systems were involved... all the information we have has been pieced together from people calling us.

Like you, I am suspicious of coincidence. It is possible, though, considering that EA has tens of millions of user profiles, we serve 40 million unique people per month, and the scale of this criminal credit card fraud is significant in the thousands of reported incidents. The odds of overlap get meaningful (for example, we talked with someone who looked at using Get Satisfaction for their business but decided not to and never signed up for a trial with his credit card).

I will post updates here as I have them but for anyone else finding a $1 charge on their debit or credit card statement:
1) call your bank and report it as fraud, reissue the card
2) closely monitor your statements (the criminal has been buying Experian credit reports after the cards auth successfully)
3) report the incident to your local police and contact the duty agent at your regional Secret Service office (they have jurisdiction on credit card fraud at this level)
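
Added example, not part of any post in this thread: a sketch of how an issuer-side check could separate the $1 authorize-then-reverse pattern described above from the ordinary $1 gas station and restaurant holds raised earlier in the thread. The ledger, the event names, the thresholds and every merchant name other than the one quoted in the thread are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PROBE_MAX_CENTS = 100                  # assumption: a "small" auth is $1.00 or less
REVERSAL_WINDOW = timedelta(hours=48)  # the thread reports reversals after 24-48 hours

# Constructed sample ledger: (card, merchant descriptor, event, cents, ISO time).
LEDGER = [
    ("card-A", "Get Satisfaction, Inc.", "auth", 100, "2012-05-19T10:00"),
    ("card-A", "Get Satisfaction, Inc.", "reversal", 100, "2012-05-20T16:00"),
    ("card-B", "Get Satisfaction, Inc.", "auth", 100, "2012-05-19T10:05"),
    ("card-B", "Get Satisfaction, Inc.", "reversal", 100, "2012-05-21T09:00"),
    ("card-A", "EXAMPLE GAS 0042", "auth", 100, "2012-05-18T08:00"),
    ("card-A", "EXAMPLE GAS 0042", "capture", 4310, "2012-05-19T08:00"),
    ("card-C", "EXAMPLE DINER", "auth", 100, "2012-05-18T19:00"),
    ("card-C", "EXAMPLE DINER", "capture", 2750, "2012-05-20T02:00"),
    # A single cancelled order: reversed, but only ever seen on one card.
    ("card-D", "EXAMPLE BOOKS", "auth", 100, "2012-05-18T12:00"),
    ("card-D", "EXAMPLE BOOKS", "reversal", 100, "2012-05-18T15:00"),
]


def group_events(ledger):
    """Group events per (card, merchant) pair, ordered by time."""
    pairs = defaultdict(list)
    for card, merchant, event, cents, ts in ledger:
        pairs[(card, merchant)].append((datetime.fromisoformat(ts), event, cents))
    for events in pairs.values():
        events.sort()
    return pairs


def classify_small_auths(ledger):
    """Label each small authorization by what followed it on the same card/merchant."""
    results = []
    for (card, merchant), events in group_events(ledger).items():
        for i, (when, event, cents) in enumerate(events):
            if event != "auth" or cents > PROBE_MAX_CENTS:
                continue
            label = "unresolved"
            for later_when, later_event, _ in events[i + 1:]:
                if later_when - when > REVERSAL_WINDOW:
                    break
                if later_event == "capture":
                    label = "hold"    # pre-authorization followed by a real sale
                    break
                if later_event == "reversal":
                    label = "probe"   # authorized, then released with no sale
                    break
            results.append((card, merchant, label))
    return results


def suspicious_merchants(ledger, min_cards=2):
    """Merchants whose small auths were reversed on several cards and never captured."""
    probed, sold = defaultdict(set), set()
    for card, merchant, label in classify_small_auths(ledger):
        if label == "probe":
            probed[merchant].add(card)
        elif label == "hold":
            sold.add(merchant)
    return sorted(m for m, cards in probed.items()
                  if len(cards) >= min_cards and m not in sold)


if __name__ == "__main__":
    for row in classify_small_auths(LEDGER):
        print(row)
    print("review:", suspicious_merchants(LEDGER))
```

Keying on what follows the $1 authorization, and on how many distinct cards show the same pattern at one merchant, is what keeps the gas station and the single cancelled order out of the result.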

May 26, 2012 11:28:19 PM

@ getsatisfaction--Thank you so much for the information. I check all of my accounts every day and noticed a $1 charge holding on my debit card just about an hour ago (I am in North Carolina). I had never heard of your company and so I knew that there was something fishy about this right away. After a bit of poking around on the internet I discovered that this was happening to other people as well. I called my bank right away and cancelled the card and once the charge hard posts (if it ever does), then I will be disputing the charge through my bank. I had read where some people are actually suspecting that these criminals might be getting the card info from iTunes accounts and I do have an iTunes account, so it would make sense.

I appreciate your information, especially the bit stating the status of the case (as that is what I was wanting to know---how close are the police and investigators to catching the criminals). So it sounds like they have a pretty good handle on the perps, which is good to know. I am wondering if I should contact the offices of the investigating agencies, or if it is not necessary at this point, since they are close to shutting them down.


May 26, 2012 11:37:26 PM

@ubercake- This same thing happened to me and I am in North Carolina and have never done any business with Get Satisfaction or any related company. So, it would seem that they are getting the credit and debit card data from somewhere else, as if they had hacked Get Satisfaction Inc. then they surely would not have found my data within that system. I have read where other people are suspecting a breach on the iTunes database, but I couldn't say how accurate that suspicion is. I do have an iTunes account though, so I would say it is possible.

I also called my bank and cancelled the card and will just have to wait until the charge hard posts in order to dispute it. I am just so irritated with this kind of thing! This is not the first time I have had to deal with something like this and it is getting old very quickly!

Hopefully people will keep updating the status of the case, as I would like to know when the criminals involved with this situation are shut down!


May 27, 2012 12:24:23 PM

I'm in Michigan and I have an iTunes account as well. Hmmmm?
June 3, 2012 2:25:25 AM

Just an update. The $1.00 charge holding on my debit card from the fraudulent merchant account set up under the name Get Satisfaction, finally dropped off on 5/31/2012. I also reported what happened to me to the Secret Service and the FBI Cybercrimes Division and I was told that the fraudulent merchant account had been successfully shut down. I do not know if the criminals were actually caught, so I would still advise to anyone affected by this, that they cancel the credit or debit card and get a new one issued, as just because the operation was shut down, if the criminals running it were not apprehended, then they can take all of the stolen debit and credit card info that they obtained and start it up somewhere else down the line. Based on a lot of the other comments and info that I have come across on the internet regarding this situation, I am still very suspicious of the breach occurring on the iTunes database and moving forward I am not linking my debit or credit card to iTunes. I am just going to use the prepaid cards instead.
June 3, 2012 11:14:10 AM

toxlabrat said:
Just an update. The $1.00 charge holding on my debit card from the fraudulent merchant account set up under the name Get Satisfaction, finally dropped off on 5/31/2012. I also reported what happened to me to the Secret Service and the FBI Cybercrimes Division and I was told that the fraudulent merchant account had been successfully shut down. I do not know if the criminals were actually caught, so I would still advise to anyone affected by this, that they cancel the credit or debit card and get a new one issued, as just because the operation was shut down, if the criminals running it were not apprehended, then they can take all of the stolen debit and credit card info that they obtained and start it up somewhere else down the line. Based on a lot of the other comments and info that I have come across on the internet regarding this situation, I am still very suspicious of the breach occurring on the iTunes database and moving forward I am not linking my debit or credit card to iTunes. I am just going to use the prepaid cards instead.

Good idea. It really seems like the U.S. government almost censors any negative Apple stories or "quiets" them almost immediately.