canklecat

Security certificate problems are often transient and can occur with almost any site. I've seen the same thing happen with bike forums. A year or so ago a Google browser update caused security certificate glitches with many sites.

On the rare occasions I've encountered that glitch on a retail site I'll usually wait a few hours or a day to see if it clears up.

Yup, it's usually safest to avoid clicking through any email, even from trusted sources. I receive a lot of email notifications of discounts from trusted retailers, but usually I'll navigate to the site via the browser rather than clicking through the emails.

But when in doubt most computer based email clients allow inspecting the headers to determine whether the sender is authentic or spoofed. Unfortunately that's difficult or impossible with some mobile device email apps.

cudak888 

Someone over there needs to standardize PayPal in the first place (or require all non-PP purchases to be call-ins).

This procedure looks and sounds so much like phishing that it can only hurt their reputation and sales.

-Kurt

Drillium Dude 

Yup. Misspellings and incorrect punctuation (which both reside in the OP's example) are big red flags to those in the know. Annual cybersecurity training while in the USN taught me never to respond to this stuff and instead report it immediately.

DD

Salamandrine 

Yeah, that was the first thing I noticed. Incorrect punctuation and misspellings combined with a request for ID information makes this outwardly appear to be a phishing email. On closer examination however, it appears that it may well be legitimate. I would never send my ID regardless. The risk is too high.

CC card company policies do make it easy to defraud small businesses. It's a real problem. Unscrupulous people reverse charges after 29 days and keep the stuff.

I think the solution from the customer side is to either phone them or use paypal. I've bought wheels from Velomine before and had no problems at all. The company is completely legit.

madpogue 

^^^^^ +1; the wording of the message is far too informal for such a potentially serious cybersecurity threat. Yes, it may be legit, but if so, it sounds like they themselves are a bit flummoxed by the situation. Neither possibility sounds good, so +1 above, I would stick to either PayPal or in-person. Or wait 'til "the dust settles". If indeed they need to improve / threat-proof their process, you don't want to be part of that transition.

And I suppose it goes without saying, but.... keep a daily watch on your credit card transactions for a while.

dweenk

You can never know if an email is from a legitimate source unless you have much more knowledge than the average person. I have received email asking for verification of my bank account and personal information from what looked like PayPal - the scammer had all of the right graphics and logos and included a link that appeared dodgy. I contacted PayPal directly and they confirmed the scam.

Pompiere

I get annual cyber-security training at work, too. Three red flags are:
1. from an address you don't recognize
2. a tone of urgency
3. tells you to click on a link in the email
So every year I get an email from an outside vendor, telling me I must complete the training by the end of the month, and I must click the link to go to the training web site.

ThermionicScott 

The sad thing is, I'm seeing more and more misspellings, bad grammar, incorrect usage ("your" for "you're"), etc in legit communications.

nomadmax 

Let me be clear, I am not saying that the vendor isn't a great guy or the veritable salt of the earth type. I wouldn't make a copy of my drivers license and credit card for my mother or the pastor at church. Once you do something like that you open yourself up to identity theft. I've been down that road and you don't want to travel it; it's a cancer that never really goes away and is a huge PITA. If it happens to you, be prepared to work at it like a job making the calls, emails and contacts to clear it up; for free. I was lucky, I don't have any debt or loans and never will for the remainder of my life. That said, even then it's a stressful, royal PITA.

Having worked credit card fraud cases I can tell you this. If you make a copy of your ID/Credit Card, then give it to someone and a breach happens, I'll give you three guesses who's going to pay for it. Here's a hint, don't waste one of your guesses on the credit card company eating it. Obviously I feel strongly about this practice and that's what I'm on about here, not the vendor. Based on what I've read here I'm near certain he's a great guy and honest to a fault. But, who here can vouch for every employee or how it will be secured at the place where your ID/CC copies will reside?

squirtdad

velomine is legit, but any business,especially small ones ,can get hacked.

noglider 

Ben Cole is the owner of Velomine. It's not hard to reach him by phone, and he's a good guy. I trust him.

Reynolds 531 

Read this article, to walk a kilometer in their shoes.

https://betanews.com/2019/12/05/onli...il-fraud-2019/

mhespenheide 

I can only say that I tried to order a pair of tires from them a few years ago. Basic Continental SuperSports, I think. They called me the next day and said that their system had goofed and they didn't have them in stock, and asked if I'd accept the next level up of tires from Continental instead, no upcharge.

So there's one instance of great customer service right there.

But yeah, I might call them.

KonAaron Snake 

I've bought from Velomine - they were honest, forthright, and fair.

I'm not saying this is a request you should comply with, but I would trust Velomine in general, and they do have integrity. I do think that's a tough request to comply with.

riva

Yep yep, just make it your standard operating procedure to manually type in web links. If you get an email, from paypal, ebay, velomine, whoever.. just note it, then open your browser, then get to the site without any relying on email links.

Email, like caller ID, is inherently insecure by design. There *is* no way to verify if the sender is who they say they are.

Lately paypal, amazon, banks and others use multiple domain names so much so that its difficult to tell based on URL alone if a site is legit these days.

himespau 

Right, I've gotten a great deal on a good wheelset from them in the past, but I'm not sure I'd trust this e-mail.

riva

From what I've seen in the news small businesses are the only ones who have any chance of NOT getting hacked. With the huge ones its just a matter of time.

madpogue 

^^^^^^^ They're all targets. For small businesses, cybersecurity can be expensive, therefore many remain unprotected. For the big guys, small-time fraud may go ignored, simply because they can't justify pouring resources into investigating "minor" losses.

riva

Agree they are all targets, but who is worth spending time and resources infiltrating, the little guy with 1000 card numbers or the guy with 1,000,000 card numbers.

riva

I also do agree the ID and all that requested in the OP's orginal post is too much. I would have just called by phone and figured something out. Paypal or whatever else.

Personally only ever had a problem with nashbar, never any of the dozens of smaller suppliers I've gotten parts through. My cards usually expire out before I get new ones and I support plenty of small businesses in various non bike industries with them. Small business IMO tends to be SAFER than the big guys.

canklecat

While I tend to nitpick spelling and grammar (as a former journalist old habits die hard), I'm less picky nowadays. For one thing, I commit more typos than I used to. Partly age and failing eyesight. Partly auto-miscorrect changing perfectly spelled words into something bizarre. I need to edit my mobile device dictionaries to eliminate the cusswords I've manually entered for my own amusement -- but it ain't funny when shot or shut is auto-miscorrected into something worse in messages to my more prudish friends.

My worst errors usually come from using my phone on breaks during bike rides because my bifocal safety glasses have a 1.5 diopter and I really need a 2 or better to see my phone clearly. And I commit more typos now with my right hand since a right-side shoulder and neck injury last year. I'm a touch typist and often now my hand-eye-brain coordination is way off.

But I learned long ago from working as a tech writer than even people who are highly educated in specialty fields like engineering aren't necessarily good writers.

Also, scam and phishing emails from outside the US tend to have peculiar syntax and wording choices that aren't typical even for barely literate English speaking Americans. Quirks such as "Dear loved one" in the greeting tend to be a clue that the email from Amazon, PayPal or AT&T might be scammy.

But it's easy enough to pick up the phone and call to confirm.

Bill in VA

If they were 'so worried' about fraud, why did they actually charge your card so it would even need a refund if they needed additional info. They should have said they will not process the order and charge the card UNLESS you provide the info, and that SHOULD be clearly stated on their website and ordering instructions and visible BEFORE you press the order button. Not after the fact by some scam-bait email that at minimum has harvested you card number and potentially your mailing and residential address and other identifying info.

With the charging your card BEFORE notifying you, they in essence, got you to give them a potential loan of your charge amount until they decide to 'process' the refund. I would contact the BBB in their location and notify your bank about their amateur 'anti-fraud' operation.

TheLizard

Credit card transactions are easy to reverse. Happens all the time. If you have a payment processor (like all small businesses have to use for ecommerce), they're going to charge the card right away. It's just the way they work.

But, you're right that the business should have known they are going to do this for all transactions from "new" customers, so they need to be up front about it. I encountered something similar ordering some medical equipment, which it turned out required a prescription (WHY? The equipment is NO GOOD without a prescription for the medication!?!?). They charged my card, then sent an email asking for the prescription, or else they would have to refund my charge and cancel the order.

The ONLY organization getting a "loan" of the money is the banks. That's the way it works, because it was the banks that set it up. When they say "The credit will be applied in 7-10 business days," that's the bank holding the money, not the business.

bikestands

Yes, they are right, check the email. Better yet, check the contacts on their website and call them and talk to a real customer service. Better safe than sorry, it maybe a phishing email.

tkamd73 

I’ve ordered from Velomine many times, no issues, but always used PayPal.
Tim