ADI Resets Passwords After "Very Limited Number Of Suspicious Online Orders"
On Feb 14th, ADI sent out an "Important Account Notice", excerpt below:
ADI responded to IPVM's request for comment explaining:
After identifying a very limited number of suspicious online orders, in an abundance of caution, ADI decided to proactively require a password reset, even though there is no evidence that our internal systems were compromised, nor any evidence of a data breach or loss of customer data. We continue to work to provide an exceptional digital experience for our customers, and part of these efforts includes the implementation of enhanced security measures. The password reset was initiated as a precaution against threats. [emphasis added]
They clarified that they "requested password resets from all users with purchasing ability."
It is hard to know what exactly happened but one common is users reusing passwords (i.e., a person's password for site X is leaked, they use the same password at ADI, and someone can then log in to their ADI account). This was an issue for Ring recently.
One way to mitigate such attacks is 2 factor authentication (even if someone found your reused password, they'd still need to get through the second factor). ADI responded, "We are always looking at further security enhancement, including 2 factor and MFA, but no decision yet. "
For example, IPVM supports 2FA though very few members actually use it.
02/19/20 08:50pm
I was also asked recently to reset mine as well. Wonder if they had a breach or something?
They say no evidence of a breach. If it was, eventually, others would find evidence as that data would typically be shared.
I am curious who submitted fake orders. How would you benefit / make money off of it? Ship yourself products and resell them on Amazon? Anyone have any theories of how to profit from fake ADI orders?
I know a local tri-ed branch that had issues a few years ago with fraudulent orders being placed. Someone would place a large order, bill it to an unknowing company and ship to a new address. The individual could then re-sell the items, the company that was billed would probably dispute the charges and tri-ed would need to pick up the bill.
I'm sure ADI has similar issues. I had to go out of my way to set up a shortlist of people who can purchase on our ADI account. Not sure why the default is that anyone can walk in say the company name and be able to bill it to that company.
Interesting.
Someone would place a large order, bill it to an unknowing company and ship to a new address
But couldn't the defrauded seller figure out who the fraudster was by checking out that address? That's the part I am trying to understand. How do you physically receive goods without leaving a trace to who you are?
| 02/20/20 04:45am
You have a third party receive the goods and forward it to you. Or have it delivered to a vacant property. Or steal it off a neighbors porch that you have it delivered to. Lots of options I guess.
You have a third party receive the goods and forward it to you.
That person than would be identifiable and an accomplice to the crime. I guess they could do it but strikes me as quite risky.
Or have it delivered to a vacant property.
Maybe, I don't know. I read a couple of articles on the topic and I still don't get it.
One idea I saw was using stolen credit cards for gift cards, which because they are virtual are easier to move. Not as sure about guys ordering a pallet of security devices. Curious to understand.
| 02/20/20 05:05am
I’ve read where the man in the middle is an unknowing accomplice. They are duped into helping the criminal in some way.
ADI at one point stated users had to have the account number when walking in and placing an order.
We have guys that stop in at ADI or Anixter and buy stuff with no verification from the counter person to our office. Maybe because they all wear company shirts?
So far all the purchases have been legit, and its convenient for us to tell a tech go by ADI and get a lock, etc. Just wonder who is going to hold the bag if it goes bad one day?
Probably need to sort that out.
I suspect every ADI branch may be a bit different, but you can enforce the need for a P.O. issued from the office. My old company had that. No tech could just stop by and pick something up, a purchase order had to come from the office.
My current employer doesn't seem to care, as long as it gets paid. I happen to have my own account anyway, but if I wanted to I could buy stuff under their account as long as I charge it to my own personal credit card.
If your local branch isn't enforcing that rule, if you have it in place, you may want to consider talking to the district manager, or head office.
I can't speak for Anixter, as I have rarely ever dealt with them.
Newest Discussions
| Discussion | Posts | Latest |
|---|---|---|
|
Started by
Undisclosed End User #1
|
5
|
less than a minute by Undisclosed Integrator #2 |
|
Started by
John Honovich
|
4
|
about 2 hours by Undisclosed Manufacturer #1 |
|
Started by
Dwayne Cooney
|
7
|
about 4 hours by John Honovich |
|
Started by
John Honovich
|
13
|
less than a minute by John Honovich |
|
Started by
Jermaine Wilson
|
3
|
about 1 hour by Ryan King |
