Cross-Selling Online Scams and Security Issues
An anonymous reader writes "The site 12 Angry Men recently published a discussion of a widely used but little-known online scam called 'cross-selling'. Essentially, after-sale shops cut deals with shady online retailers in an attempt to make a quick buck off of you after you've already bought something. 'What actually happens is that instead of linking to the site as a separate session, they link internally as another page in the same session. Why is this important? When you do a credit card transaction, any reputable company will attempt to protect your credit card data. They do this by establishing an SSL session to encrypt sensitive data on-line.' What makes everything even more interesting is that now the company has responded, with the usual whitewashing and meaningless statements."
The company gets criticized for monitoring the blogosphere and responding to complaints in the comment right after its response.
"Why would a legitimate company providing quality service have concerns about the blogosphere great enough to monitor it?"
In fact come to think of it, most of those we have seen who practice this and post comments like this are scam artists slightly worse than used car dealers.
Actually, I've seen "respectable" companies do this. When I posted a rant about the stupid ways people bid on projects (or try to bid without bidding) on Rent-A-Coder, there was a response from Rent-A-Coder on my blog within a day.
Monitoring and responding to complaints is a positive, IMO.
Start a happiness pandemic
It's true I tell you, feller at work's next door neighbour read it in the paper.
This is just a Shopsafe AD.
Technical details in the article are slim and misleading.
"If you received a charge to your credit card for us, it is for services that we provided and it is not a fraudulent charge."
Now, I never have purchased anything from this company, and even though the total charges were less than $3, I reported it to my credit card company. Some of these fraudulent companies can be very deceptive.
...Anyone notice that the website that this article is on prevents you from navigating away via the browser back button? I was always suspicious about sites that employed Javascript to prevent people from navigating away. An article about shifty behavior on a site that tries to manage your attempts to leave. Classy!
HA! I just wasted some of your bandwidth with a frivolous sig!
I really hate those things. Many times, when you're filling out some poorly designed form that has information that has to be entered, I usually miss something or enter it the "wrong" way and I end up having to go back and correct my data. Upon going back, guess what, the check-box that "opts-in" (usually to get spammed by the company) is checked again. Technically, it's "opt-in", but the check box is automatically checked and will be checked again if the page is visited again for any reason. And sometimes, I swear to God, I think it's ignored anyway.
I'm getting to the point where unless it's a really reputable company that's been around for a while, an online retailer has a snowball's chance of getting business from me.
I prefer Flambe as opposed to flamebait.
[As an aside, organ donors in Europe have to opt-out to NOT become an organ donor, i.e., uncheck the box. In the United States, drivers have to opt-in to become an organ donor. The relative rate of donors in Europe is over 80% versus 20% in the United States. This is the power of opt-out and why marketeers fight for it so hard.]
The Meaning of Life: Part Five: Live Organ Transplants.
Hello. Uhh, can we have your liver?
"A nation that forgets its past is doomed to repeat it." - Churchill
Card data are usually stored in cookies encrypted under the SSL symmetric key.
I've worked in the web for 8.5 years now, and have worked on a lot of ecommerce sites in that time. I have never seen any, not one, that stores anything at all in a cookie other than a session id. There is absolutely no reason whatsoever to be storing credit card details in them - in fact I would go so far as to recommend avoiding any online store that did this, SSL-encryption or no. It's just begging to be exploited.
Also:
As an aside, organ donors in Europe have to opt-out to NOT become an organ donor, i.e., uncheck the box.
Sorry, but I have a card in my wallet that proves this wrong. I'm in the UK and you have to specifically register to be an organ donor. You don't have to carry the card they send you, but you do have to be in the database of registered donors.
With these two errors, I'd have to say I'm suspicious of the rest of the article; how much more have they got wrong?
It's official. Most of you are morons.
Webloyalty.com protects its reputation and monitors the blogosphere to insure information posted on our company is truthful and accurate.
That's ensure. It's quite simple:
ensure: make certain
insure: arrange a financial instrument so that in event of some loss occurring you will be compensated for it
Idiots.
I've never seen a shop store the CC number in a cookie, as that makes no sense at all. The proper way to do it (IF you're doing the credit card handling yourself, the company I work for uses a third party to handle this), is to store the credit card in the database as soon as it's sent, and just keep it there (and delete it when you don't need it any more). You can use a regular session id if you ever need it again. There's no reason to send it back to the client.
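The two comments above (cookies should carry nothing but a session id; card data belongs server-side from the moment it is posted and is never sent back to the client) and the earlier description of a "Continue" button that hands data to a partner without an explicit opt-in, as an added example. This is illustrative code written for this page, not any shop's, processor's or Webloyalty's code; the class names, the `CardVault` reference scheme and the cross-sell consent flow are assumptions.

```python
"""Checkout session model: the cookie carries only a random session id, card
data lives server-side, and nothing reaches a cross-sell partner without an
explicit, unchecked-by-default opt-in. Names and flows are assumptions for
illustration, not any real shop's or payment processor's code."""
import secrets
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed sample checkout submission (a well-known test card number, not a real account).
SAMPLE_CHECKOUT = {"card_number": "4111111111111111", "expiry": "12/29", "amount_cents": 1999}


class CardVault:
    """Server-side store for card data, keyed by an opaque reference.
    Other server code only ever handles the reference; the full number
    leaves this object only as its last four digits."""

    def __init__(self):
        self._cards = {}

    def store(self, card_number, expiry):
        ref = "card_" + secrets.token_urlsafe(16)
        self._cards[ref] = (card_number, expiry)
        return ref

    def last4(self, ref):
        return self._cards[ref][0][-4:]

    def delete(self, ref):
        """Drop the card once the order no longer needs it."""
        self._cards.pop(ref, None)

    def __len__(self):
        return len(self._cards)


@dataclass
class CheckoutSession:
    vault: CardVault
    session_id: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    card_ref: Optional[str] = None
    order_id: Optional[str] = None
    partner_consents: Set[str] = field(default_factory=set)

    def cookie_header(self):
        # Only the random id goes to the browser. HttpOnly keeps page scripts,
        # including any partner content served from the same origin, from reading it.
        return f"sid={self.session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"

    def submit_payment(self, form):
        """Accept the posted card data and keep it server-side immediately."""
        self.card_ref = self.vault.store(form["card_number"], form["expiry"])
        self.order_id = "order_" + secrets.token_hex(6)
        return self.order_id

    def confirmation_page(self):
        """What the receipt page may show: the order id and a masked card only."""
        return f"Order {self.order_id} paid with card ending in {self.vault.last4(self.card_ref)}"

    def offer_partner_enrolment(self, partner, opted_in=False):
        """Cross-sell offer. The box is unchecked by default (opted_in=False);
        only an explicit True records consent and hands the partner anything.
        A form value like 'on' from a pre-checked box is deliberately not enough."""
        if opted_in is not True:
            return None
        self.partner_consents.add(partner)
        # The partner receives an opaque order reference, never the card data.
        return {"partner": partner, "order_ref": self.order_id}


if __name__ == "__main__":
    vault = CardVault()
    session = CheckoutSession(vault)
    session.submit_payment(SAMPLE_CHECKOUT)
    print(session.cookie_header())
    print(session.confirmation_page())
    print("declined offer ->", session.offer_partner_enrolment("rewards-club"))
    print("explicit opt-in ->", session.offer_partner_enrolment("rewards-club", opted_in=True))
    vault.delete(session.card_ref)
```

The design point is that the card number has exactly one resting place, the server-side vault, and every other component (cookie, receipt page, partner hand-off) works from references or a masked form of it, so a partner page that shares the session cannot pick the number up along the way.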
Even firms that should know better, such as banks, promote such practices. I recently logged into my highly secure bank account, and instead of being greeted with my bank information was greeted with a survey. This is such a fundamental breach of security I wonder why I bank with them. Oh, I know. Because every other bank is selling out customer security to make a buck. It is nothing new. I used to receive many offers on my bank's letterhead. When I called to see if they were responsible, the agent said they have nothing to do with it. Well, I would reply, it is on your letterhead, should I call my AG and state that someone is representing themselves as you? Nothing was said after that.
In any case, as long as people are trying to squeeze every dime out of every customer, we are going to have these security issues. I guess the only thing to do is to not conduct business with the worst of the worst, no matter how tempting it is.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
I've noticed that CNN does a dirty little trick to trip up the 'back' button - they typically put three instances of the current page on the history buffer. Found that out after using the down-arrow next to the 'back' button, and that allows me to go back to the previous page.
They almost got me twice with a fake "Continue" button on the order confirmation page.
After you type in your credit card info, and authorize the purchase you intended to make, the website pops up a receipt/confirmation page (just as you'd expect). At the bottom of that screen, is a "Continue" button. Below that button, in very small type, almost the same color as the page background, perhaps even below the bottom of the screen, so you'd need to scroll down to see it, is a disclaimer that tells you that by clicking the above button, you're authorizing the transfer of your data to WLI.
The next page you see asks you for a second confirmation (perhaps your email address), and in a way that does not make clear that you are not providing it to WLI...and at NO time are you told that your credit card information has been sent to WLI. You are not explicitly asked to authorize the charge.
The places I caught doing this were unaware of it, and angry about it. The WLI link comes pre-packaged in the "storefront" or "ecommerce solution" that the merchant obtains from their hosting service. My suspicion is that this is a deal between WLI and the storefront software provider, not the merchant.
It's definitely for real and a continuing problem...my experience was several years ago, and at the time, I bookmarked this site, which is still active:
http://adam.rosi-kessel.org/weblog/the_man/webloyalty_aka_wli_reservations_is_a_scam.html/
The other way they get you to click is to offer you a "credit on your next order"...
They say accounts are in the black when they are good, and in the red when they are bad. Obviously white folk don't even deal with money, only those dirty black people and red people, and just as obviously, red people are dirtier than black people. I suppose they don't include yellow people because this all started before they knew about them.
Infuriate left and right
Boffoonery - downloadable Comedy Benefit for Bletchley Park
Not knowing the finer points of crazy English spelling doesn't make somebody an idiot.
Are you adequate?
EVERYBODY in the organ donor chain makes a lot of money off the organs that pass through their hands - except for the estate of the person who they came from. That is why I will never allow my organs to be harvested. Suck on that.
nt
This is possibly the worst summary ever written in Slashdot history. It doesn't make an ounce of sense!!! What page links to what inside of what session? It sounds like they're saying they have to pay per SSL connection while they re-route you to the original manufacturer's page like a click fraud scam but then that somehow charges you extra and then they're somehow making money off not protecting your credit card number...so like they're passing your card number to the product maker? And then they say "the company" suggesting that only one company is behind this and yet it's a widely used scam? Seriously, WTF is this article even trying to say is happening. It's like a bunch of random garbage thrown together into a story.
Here's a little suggestion to the summary writer. It might be a good idea to say who's doing what to who and how for a story about a scam. I'm no more educated now than before I read it.
Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
I know reservation rewards well! I used to get tons of free food using them through delivery.com (a fast food delivery website). Here's how it would work:
1. Order food online through delivery.com.
2. An "opt-out" cross-sell appears offering you a $10.00 coupon if you don't uncheck enroll box. First 30 days are free.
3. Agree to "free trial" and get $10.00 coupon code. Then call immediately and cancel service you just enrolled for.
4. Use free $10.00 coupon (still good) next time you want to order food through delivery.com.
5. At end of order, an "opt-out" cross sell appears offering you a $10.00 coupon if you don't uncheck the enroll box...
Just over a year ago I probably got $300 in free food delivery that way over a several month stretch before moving to an area where there is no delivery.com service. Too bad.
My card was never charged by these people. All you have to do is be diligent and pay attention and call the 1-800 number to cancel.
STOP . AMERICA . NOW
I've skimmed the summary, article and comments, and sadly it seems not so many people are clued in on how cross sells actually work.
There's no 'inside session passing' or rubbish. Simply, a cross-sell is a product offered by a company that uses the same billing company as the site.
For example, CCBill - huge CC processing company.
You sign up for a product or a site, X. That webmaster has made a deal w/ another webmaster that has a product / site, Y, processing with CCBill.
When you sign up, there's a box for product Y. If Y is selected, CCBill charges you for X, and Y.
No credit card data is swapped, stolen, shared or anything of that nature.
It's really that simple.
Webloyalty Named In Class Action Lawsuit
By Melissa Campanelli
September 18th, 2006
Customers of several popular online retailers, including Fandango.com, Priceline.com and Staples.com, were victims of an alleged Internet scheme in which their credit cards were charged a monthly fee for a "discount club" membership they had never requested, according to a class action lawsuit filed last week in US District Court in Massachusetts.
The lawsuit accuses Webloyalty.com, an online marketing services company based in Norwalk, CT, of engaging in a "coupon click fraud" scam in which credit card information was automatically transferred to Webloyalty by its dozens of online business partners -- such as Movietickets.com, Petco.com, and FTD.com -- without consumers' knowledge or consent. The lawsuit seeks an injunction on the claims, compensation for consumers and other remedies.
In a statement published last week, Webloyalty.com announced that the lawsuit is without merit. "The lawsuit is frivolous," said Rick Fernandes, CEO and co-founder of Webloyalty.com. "It completely misrepresents the manner in which Webloyalty.com conducts its business. We intend to vigorously defend ourselves and expect to prevail."
Webloyalty supplies more than one million subscribers with reward, discount and protection programs. Webloyalty clients, which include more than 120 e-commerce and travel businesses, benefit from increased revenue and repeat purchases. Consumers benefit from high value subscription services that match their needs and interests.
The lawsuit said when customers bought from one of Webloyalty's partners such as Fandango and clicked on a pop-up window offering a $10 coupon on their next purchase, their credit card information was automatically transferred to Webloyalty and they were unwittingly enrolled in its "Reservation Rewards" loyalty program.
The complaint says that once enrolled in the program, which promises rewards such as movie tickets and shopping discounts, consumers' credit cards are billed up to $10 each month.
"Hundreds, if not thousands, of consumers have complained to Webloyalty and local, state and federal consumer protection agencies about the deceptive nature of its sales of its 'Reservation Rewards' discount club product and its unauthorized access to their credit card information," the complaint said.
The plaintiff named in the lawsuit, Joe Kuefler, bought movie tickets from Fandango and was unknowingly enrolled in Webloyalty's rewards program.
The lawsuit also claims that Webloyalty and Los Angeles-based Fandango, a codefendant in the case, violated consumers' privacy rights by disclosing and using their credit card information and are engaging in deliberately deceptive business practices, illegally netting the company substantial sums of money from the consuming public.
The lawsuit filed by law firms Lerach Coughlin Stoia Geller Rudman & Robbins LLP, Lee & Amtzis, P.L., and Phillips & Garcia, LLP, alleges violations of the Electronic Communications Privacy Act, unfair and deceptive acts and practices, unjust enrichment, invasion of privacy, money received and civil theft.
This has been going on for a long time and people are still falling for it and they are still in business. You should complain to your Congress Critters.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
The gist of the story is that the security boundaries of the merchant's server are inherently compromised by hosting 3rd-party content from the same server or domain. Wherever the user's information is stored, it becomes a possibility that the 3rd party now has direct access to it. And of course, the author is correct in pointing out "cookie" headers are the most common way to establish a website session. This is just another facet of the overall problem. The Internet itself was designed a long time ago with a certain security model: "Nobody has access to the Internet, and that makes it secure." Sooner or later that will have to change.
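The comment above makes two points a defender can check for: third-party content served from the merchant's own origin sees the same cookies as the merchant's pages, and cookies are where the session lives. As an added example (not from the article or any of the commenters), here is a small audit of `Set-Cookie` headers that flags cookies page scripts can read (no `HttpOnly`), cookies sent in the clear (no `Secure`), and cookie values that look like they carry a card number, using a Luhn check. The sample headers are constructed for the example.

```python
"""Audit Set-Cookie headers for the two weaknesses the thread discusses:
session cookies readable by page scripts, and card data placed in cookies.
The headers below are constructed sample input, not from any real site."""
import re
from typing import Dict, List

SAMPLE_HEADERS = [
    "sid=8f3a9c1d2e4b7a6f5c3d1e2f; Path=/; Secure; HttpOnly; SameSite=Lax",
    "cart=item42; Path=/",
    "ccinfo=4111111111111111|12/29; Path=/; Secure",
]

# Runs of 13 to 19 digits are the length range of payment card numbers.
_DIGIT_RUN = re.compile(r"\d{13,19}")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum: True when the digit string is a plausible card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def audit_set_cookie(header: str) -> List[str]:
    """Return a list of findings for one Set-Cookie header value (empty means no issue)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")  # readable by any script on the origin
    if "secure" not in attrs:
        findings.append("missing Secure")  # may be sent over plain HTTP
    if "samesite" not in attrs:
        findings.append("missing SameSite")
    for run in _DIGIT_RUN.findall(value):
        if luhn_ok(run):
            findings.append(f"value contains a Luhn-valid card-like number ending in {run[-4:]}")
    return findings


def audit_all(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to its findings."""
    result = {}
    for header in headers:
        name = header.split(";", 1)[0].split("=", 1)[0].strip()
        result[name] = audit_set_cookie(header)
    return result


if __name__ == "__main__":
    for cookie, findings in audit_all(SAMPLE_HEADERS).items():
        print(cookie, "->", findings or "ok")
```

Only the `sid` cookie passes: it holds an opaque id and is marked `HttpOnly`, so scripts from a cross-sell partner embedded in the same origin cannot read it. The `ccinfo` cookie is the pattern the earlier commenters object to, and the audit reports it regardless of how the cookie is otherwise flagged, because card data has no business in a cookie at all.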
I just read over 70 comments and I noticed that no one stated the obvious answer to the problem. Just dispute the charges on your credit cards. Sure it takes longer than bitching about it, but it usually does work. You might have to fill out some paperwork and mail some letter, but the results are usually far more satisfying. You get your money back, and the company that you are bitch'n about, if they get enough charge backs, will have their credit card account yanked.
I'm not sure any more, but if the merchant didn't have a signed form that stated they were authorized to charge your account and you disputed the charges, the credit card companies would usually side with the card owner. I don't know how it works any more, but it's worth a shot.
Supporting World Peace Through Nuclear Pacification
In marketing, cross-selling refers to the practice of trying to sell customers additional related items in the wake of a purchase they've already made. (Buying a new laptop? How about a shoulder bag to carry it in, a compact mouse, a CAT-5 cable and an extended service plan?) It's easier to sell to someone who is already in buying mode. Contrast this with up-selling, where the seller tries to convert a sale to the higher-priced alternative. (Buying a 42" plasma TV? You could step up to the 50" one for just a few bucks more...)
What the article describes as cross-selling really isn't.
Even reputable places do this. Last year, I bought a lot of tickets through Ticketmaster.com, and each and every time they tried to get me to sign up for a free trial of the Rolling Stone.
Well, all of a sudden I started getting FREE copies of the Rolling Stone, so I knew that something fishy was going on. I kept throwing them in the trash for one year, until I got a notice that they were going to charge my credit card. I called them to cancel, but I really should have alerted my credit card that someone was about to fraudulently charge me for something that I never agreed to purchase.
No, I will not work for your startup