Don't know if this has been talked about here yet, but there are reports on SOCREF-L from just about every state in the country that credit cards used to purchase items from Official Sports have been hacked and had fraudulent charges made against them. One report of someone who paid by check having their checking account hacked. Please check your accounts and protect yourself. Happened to one of my referees, and she just discovered it after I put this message out on FB. Unfortunately, it seems like the common denominator is OSI. If you are finding that this has happened in your nexk of the woods, please spread the word so that our colleagues can protect themselves.
In fact this is exactly what happened to me. I had to replace my and my wife's CCs this past week. A lot of dating site charges, Dell computers, domain sites, etc. Most didn't go through, thankfully, and we challenged a few more, but it was inconvenient. I didn't realize the starting point was OSI. Thanks for the heads up!
I don't want to say for sure that it is them, because if I'm wrong, I don't want to negatively affect their business with a false report. From EVERYTHING that I have read and seen on this so far, the overwhelming common factor is buying merchandise from OSI sometime in the last 12-18 months. I don't usually believe in coincidences.
THANK YOU VERY MUCH FOR THIS INFORMATION. As soon as I saw your thread title, before I even clicked into the thread I had a feeling you were going to mention something about OSI and lo and behold...I was able to make the link in my head because MY CREDIT CARD WAS HACKED LAST WEEK. I've been trying to figure out where I was insecure about my transactions and it just so happens that the last purchase I made on the card was from OSI online for some new college season gear just a week ago. I tried to make a purchase at a retail store this past Saturday and the transaction would not go through. The CC company put a hold on the account and I was forced to call and inquire. They said that the Monday before there were suspicious charges made that they wanted to verify came from me. I gave a hearty "hell no" to the inquirys about: girlsdateforfree.com and benaughty.com. WOMEN'S DATING SITES. FOR $130. CHARGED TO MY ACCOUNT. Had to cancel the card and start an investigation and for the time being I don't have a credit card. And now it is confirmed OSI is the culprit. I think I'll be calling soon and having more than a few words. F*ck this I want some new warm ups and uniforms. Again THANK YOU VERY MUCH FOR SETTLING MY CONCERN WITH THIS INFORMATION.
Sure as hell, just checked mine and there is a pending charge. I am guessing the bastards are testing to see if the card works.
Unbelievable. They got me, too. Through a debit card tied to a bank that I leave a tiny amount of money in... so I'm massively overdrawn. And the last time I used that card was in the early summer, for... OSI. I have two somewhat large disbursements to "RADIO SYSTEMS CORP" and two to iTunes (which I have a different bank account tied to). This just happened on 8/31 and 9/1, too.
Just got off the phone with my bank. I had those 4 transactions posted on 8/31 and 9/1... apparently there were 13 more pending from 9/2 through today (they put a hold on the card, thankfully) so this is happening now.
I've been part of the conversation on SOCREF-L, but thought I'd contribute my information here, too: I was recently contacted by Bank of America on August 27th about suspcious activity on my BofA Visa. They said it was a series of $1 charges for "Napster". They canceled the card and I've received a replacement already. This is not a credit card I use that often. I went back and checked my Microsoft Money data and, in the last year, I've used that card several times online at OSI, twice in person at my dentist of 30+ years, once at the optometrist my family's been going to for more than 5 years, and once to buy Vegas show tickets at MGM Grand. This card was also replaced another time within this last year due to other fraudulent activity so these would be the only charges against the replacement card. I also received an email from a website "HealthBuy.com" where the stolen CC# was used to order a "Dermology Anti Aging Kit". The card was declined since the order was placed on August 29th, two days after the CC was canceled by BofA. Interestingly, this order was set to ship to my own address.. that would've been a weird surprise.. In the e-mail, the billing and shipping addresses were both mine but the phone # looked international with the country code for Romania.
Same thing hapenned to my dad the other day. He had a few purchases from iTunes of over $100 each. Now I know why since we used his card last time to purchase some gear
The mentions of iTunes just reminded me of a ref I know that's on Facebook and mentioned back on Aug 31st that she had two mysterious $50 iTunes charges. I've let her know, also, that it could be from using her card at OSI.
Since I'm not party to the SOCREF-L discussions, I want to ask: has anyone reached out to OSI to see if they are aware of the situation? I imagine they wouldn't admit any culpability right off the bat, but this thread has been going for under 3 hours and the circumstantial evidence seems pretty damning. If they are, indeed, the source of all this, they probably want to identify where security went wrong for their own purposes. And they probably want to gear up for the complaints coming, because we are just a small sample size... the damage to their business could be pretty widespread in the future.
That's exactly what I had. Two $50 charges to iTunes on 8/31. The Radio Systems Corp stuff followed the next day, for ~$165 and $175, respectively.
There have been over 20 in my state who've been affected, myself included. And I may be the one reported check, as I just had my check cashed to OSI recently for my NISOA starter kit, and a week later had fraudulent charges to Napster and a romance novel book club, both of which were caught and cancelled by my bank. My SRA has contacted OSI and are waiting to hear back. Keep an eye out people.
There was a SOCREF-L post saying that someone had tried to contact OSI, but that they were closed for the long weekend.
I forwarded the info to the assignors of the two associations to which I belong in case they want to notify the other referees. Seems like getting the word out to check your credit cards is the best thing to do at this point..
Last week received call from my credit card company regarding suspicious activity and sure enough there were charges not initiated by me. My last OSI purchase on this card was January 2011 (purchase on line on their web site). Not sure if this was too long ago to be related but sounds like it may be.
Our SRA sent out a blast email to all of the referees (after I posted this information on the SRC facebook page) warning all of the referees to check their accounts. Already, the reports have been pouring in about fraudulent charges. This is a really bad time of year for this to happen, and pretty lucrative for the scammers. NISOA and NFHS referees, new and returning, are going to be affected as well, since we are at the beginning of the season and many people have just purchased new uniforms for the season. If you have contacts with your local NFHS or NISOA chapters, spread the work to them as well. EDIT: Massref, if you have any contact information for Rachel Woo, I am pretty sure that she works for OSI. If we can get the word to her, she might be able to get the ball rolling on this. This might be something that we want to get to a particular employee immediately, so that OSI can be notified ASAP rather than leaving a message and waiting for Tuesday. If they find out about this now, they might have some people come in on the holiday to get this taken care of.
I would just like to thank all of you for allowing me to complete my selection of jerseys in all of the colors, short and long sleeves. I bought a few extra shorts, socks, two polo shirts and the fleece jackets. I now have three watches to wear when I do games and 5 whistles on the lanyard in case any of them don't work. On a serious note, contact the security departments for your credit cards and banks if you use a debit card. Let them know that you know of others who were affected through this scam with OSI. Their web site has nothing about this situation.
They got me too, luckily my bank caught on to it and prevented the charges from going through. Still highly inconvenient...
I have had to replace 2 credit cards in the past week because they had fraudulent charges on them. Both had been used at OSI in the past 12 months. $1 charge to Google, a dating/sex site, billing.com. All were done electronically on line. Sounds like I have been gotten to as well. I went in and changed all of my passwords on my accounts today as well. It has been a pain.
Mine was in May, so I don't think it is necessarily too long. Obviously we're engaging in some speculation here, but it would seem that either an OSI employee stole/sold stored credit card information or someone hacked in from the outside. So I wouldn't assume any amount of time is "safe" to have passed. Haven't been in Mass. for a bit, so I'm not in touch with her. That said, I'm not sure what OSI can do to rectify or take care of anything, honestly. Once the information is stolen, you can't un-ring the bell. This is something that individual referees are going to have to deal with their banks to solve, as someone else said. OSI's issues are going to be identifying the source of the problem so that they can be more secure in the future and figuring how to handle angry customers going forward. If this is as widespread as it seems, I would not want to be customer service at OSI starting tomorrow.
Here's another thing I'm also concerned about with regards to the OSI website: If you login to OSI's webpage, and go to My Account and then to Account Information, they show you your account password, in plain text. This means they are storing your password in their database in plain text. This is NEVER a good idea and, as a computer programmer, in my opinion it is something that should NEVER be done. Instead, a one-way hash algorithm (like MD5 or SHA1) should be used and the resulting hash value stored and compared to the calculated hash value of your login information. This is how most online authentication is done, including most web forums like phpBB, vBulletin and probably this forum as well. A person's actual password should NEVER be stored, unencrypted, in a database. What this means is that after all the credit card information which appears to have been stolen from OSI has been exhausted, whoever stole this information could now also have access to a list of email address/password combinations which they could use elsewhere on the internet to gain access to other resources. Since people tend to use the same passwords across multiple sites, how many people's PayPal accounts or online banking accounts could now be violated? In my opinion, once OSI realizes what has happened and secures their website, everyone should probably change their account password as well.
Addendum: In addition to changing your OSI account password, more importantly, you should change your password on any other websites where you've used the same password in conjunction with the same email address.
May not be from OSI but someone who is skimming data. Where I am we have, so far, tracked 80 referees who have been able to trace the issue to the OSI site and purchases they have made using a CC. This is only in the past 2-weeks. Each of them have reported a $1.00 charge of some type happening before the card gets used for a purchase of a significant amount. Probably a test to see if they have the correct information. To date, one referee has had to deal with a bogus charge of $900.00 on one transaction. Serious matter; all need to pay close attention.