A growing number of subscribers to the Boomerang Games rental service are reporting fraudulent activity on their credit and debit cards. Many are reporting a couple of small transactions of a pound or so, normally a top-up for a mobile phone, before their accounts are hit with larger transactions.
This Reddit thread is full of people who have had unauthorised payments to their cards, and rather worryingly some of them are no longer subscribers to the service. The Boomerang Facebook page also has pages of people claiming their cards have been misused.
“I signed up for a free trial [for Boomerang] last month. Got a text through from my bank asking for an authorization for a £30 top up for O2, so obviously I declined and cancelled that card. This explains it though!” posted one Reddit user.
To their credit, Boomerang are taking things seriously and have taken their entire site offline for a few days to investigate, but at present they say there is no evidence of a leak of credit card details or any hack.
To date we have still not identified any evidence of a breach of our systems. We are continuing to investigate and take this issue very seriously.
Although there is no concrete proof of a link between Boomerang and the fraud, our own Dom has been the victim of fraud on a card which he only uses for two things – Amazon and Boomerang.
“There were two payments of £1 taken and then refunded before they then started trying to take big payments. Luckily my bank caught it as they tried to put the second and third through so they only got £110,” explained Dom. “I doubt it was Amazon that lost my details,” he added.
I should also mention that I am a subscriber to Boomerang and I do not seem to be affected by any fraudulent transactions. However, I am cancelling my bank cards and getting new ones, just as a precaution.
If you are a Boomerang subscriber then we suggest you keep a keen eye on your bank account and, if you want to be 100% sure, cancel your cards and get replacements.
Below is the full press release from Boomerang Games, dated 13th January:
On Friday we were contacted by a customer who was concerned that a fraudulent charge had been attempted on his credit card, and he was worried that our system had been compromised. He quoted another person who had made a comment on Twitter of a similar issue.
What we did
We began an investigation as soon as additional concerns were raised. Credit card data is stored in a strongly encrypted format and not viewable to any internal staff, however, at that stage, we felt we should take the concerns seriously. Over the weekend, we noticed other people online reporting similar issues and we became increasingly concerned. So, based on the information available at the time and conscious of the concern, we made the decision on Sunday afternoon to take the site off line while we continued our investigations.
Where we are
By Monday morning, we had been contacted directly by a small number of additional customers. We contacted the fraud department of our merchant bank, but they knew of no issue. We also contacted our payment gateway provider and they also had no concerns. They are assisting us in a consultative capacity.
By this time we could see lots of people talking about this online, but only a few people had contacted us directly. To date we have not found any evidence of a breach of our systems. We are continuing to investigate and continue to take this issue very seriously. We have also made the decision to very quickly move over to a token method of payment which obviates the need to have encrypted data on our servers, to give our customers further reassurance.
We would not ever wish to be the source of customer card information being compromised, so are making this change urgently. This work will take about a week, and we have removed the card details in their encrypted form, from our online system, and are removing the facility to update or provide card details until the work is complete.
Subscriptions will be processed daily each weekday morning under further supervised controls. Once the new system is in place, we will be able to collect payments through the token system. We will also investigate the possibility of introducing PayPal as a form of payment as well, to offer our customers further