Cross-Selling Online Scams and Security Issues
An anonymous reader writes "The site 12 Angry Men recently published a discussion of a widely used but little-known online scam called 'cross-selling'. Essentially, after-sale shops cut deals with shady online retailers in an attempt to make a quick buck off of you after you've already bought something. 'What actually happens is that instead of linking to the site as a separate session, they link internally as another page in the same session. Why is this important? When you do a credit card transaction, any reputable company will attempt to protect your credit card data. They do this by establishing an SSL session to encrypt sensitive data on-line.' What makes everything even more interesting is that now the company has responded, with the usual whitewashing and meaningless statements."
The company gets criticized for monitoring the blogosphere and responding to complaints in the comment right after its response.
"Why would a legitimate company providing quality service have concerns about the blogosphere great enough to monitor it?"
In fact, come to think of it, most of those we have seen who practice this and post comments like this are scam artists slightly worse than used car dealers.
Actually, I've seen "respectable" companies do this. When I posted a rant about the stupid ways people bid on projects (or try to bid without bidding) on Rent-A-Coder, there was a response from Rent-A-Coder on my blog within a day.
Monitoring and responding to complaints is a positive, IMO.
Start a happiness pandemic
This is just a Shopsafe AD.
Technical details in the article are slim and misleading.
Card data are usually stored in cookies encrypted under the SSL symmetric key.
I've worked in the web for 8.5 years now, and have worked on a lot of ecommerce sites in that time. I have never seen any, not one, that stores anything at all in a cookie other than a session id. There is absolutely no reason whatsoever to be storing credit card details in them - in fact I would go so far as to recommend avoiding any online store that did this, SSL-encryption or no. It's just begging to be exploited.
Also:
As an aside, organ donors in Europe have to opt-out to NOT become an organ donor, i.e., uncheck the box.
Sorry, but I have a card in my wallet that proves this wrong. I'm in the UK and you have to specifically register to be an organ donor. You don't have to carry the card they send you, but you do have to be in the database of registered donors.
With these two errors, I'd have to say I'm suspicious of the rest of the article; how much more have they got wrong?
It's official. Most of you are morons.
They almost got me twice with a fake "Continue" button on the order confirmation page.
After you type in your credit card info and authorize the purchase you intended to make, the website pops up a receipt/confirmation page (just as you'd expect). At the bottom of that screen is a "Continue" button. Below that button, in very small type, almost the same color as the page background, perhaps even below the bottom of the screen, so you'd need to scroll down to see it, is a disclaimer that tells you that by clicking the above button, you're authorizing the transfer of your data to WLI.
The next page you see asks you for a second confirmation (perhaps your email address), and in a way that does not make clear that you are not providing it to WLI...and at NO time are you told that your credit card information has been sent to WLI. You are not explicitly asked to authorize the charge.
The places I caught doing this were unaware of it, and angry about it. The WLI link comes pre-packaged in the "storefront" or "ecommerce solution" that the merchant obtains from their hosting service. My suspicion is that this is a deal between WLI and the storefront software provider, not the merchant.
It's definitely for real and a continuing problem...my experience was several years ago, and at the time, I bookmarked this site, which is still active:
http://adam.rosi-kessel.org/weblog/the_man/webloyalty_aka_wli_reservations_is_a_scam.html/
The other way they get you to click is to offer you a "credit on your next order"...
A small charge may be someone verifying that the card is still valid - do a small instant transaction which has a good chance of escaping detection and then use the known-good card for a larger fraudulent purchase.
If this was the case, Jazz Inc would be an unwitting third party - your bank might have noticed a pattern of a small charge with them followed by a large fraud attempt.
This sig all sigs devours
Webloyalty Named In Class Action Lawsuit
By Melissa Campanelli
September 18th, 2006
Customers of several popular online retailers, including Fandango.com, Priceline.com and Staples.com were victims of an alleged Internet scheme in which their credit cards were charged a monthly fee for a "discount club" membership they had never requested, according to a class action lawsuit filed last week in US District Court in Massachusetts.
The lawsuit accuses Webloyalty.com, an online marketing services company based in Norwalk, CT, of engaging in a "coupon click fraud" scam in which credit card information was automatically transferred to Webloyalty by its dozens of online business partners -- such as Movietickets.com, Petco.com, and FTD.com -- without consumers' knowledge or consent. The lawsuit seeks an injunction on the claims, compensation for consumers and other remedies.
In a statement published last week, Webloyalty.com announced that the lawsuit is without merit. "The lawsuit is frivolous," said Rick Fernandes, CEO and co-founder of Webloyalty.com. "It completely misrepresents the manner in which Webloyalty.com conducts its business. We intend to vigorously defend ourselves and expect to prevail."
Webloyalty supplies more than one million subscribers with reward, discount and protection programs. Webloyalty clients, which include more than 120 e-commerce and travel businesses, benefit from increased revenue and repeat purchases. Consumers benefit from high value subscription services that match their needs and interests.
The lawsuit said when customers bought from one of Webloyalty's partners such as Fandango and clicked on a pop-up window offering a $10 coupon on their next purchase, their credit card information was automatically transferred to Webloyalty and they were unwittingly enrolled in its "Reservation Rewards" loyalty program.
The complaint says that once enrolled in the program, which promises rewards such as movie tickets and shopping discounts, consumers' credit cards are billed up to $10 each month.
"Hundreds, if not thousands, of consumers have complained to Webloyalty and local, state and federal consumer protection agencies about the deceptive nature of its sales of its 'Reservation Rewards' discount club product and its unauthorized access to their credit card information," the complaint said.
The plaintiff named in the lawsuit, Joe Kuefler, bought movie tickets from Fandango and was unknowingly enrolled in Webloyalty's rewards program.
The lawsuit also claims that Webloyalty and Los Angeles-based Fandango, a codefendant in the case, violated consumers' privacy rights by disclosing and using their credit card information and are engaging in deliberately deceptive business practices, illegally netting the company substantial sums of money from the consuming public.
The lawsuit, filed by law firms Lerach Coughlin Stoia Geller Rudman & Robbins LLP, Lee & Amtzis, P.L., and Phillips & Garcia, LLP, alleges violations of the Electronic Communications Privacy Act, unfair and deceptive acts and practices, unjust enrichment, invasion of privacy, money received and civil theft.
"I have, and I am frightened by the fact that they did not contradict even one word of what I said. Not one."
I have (ER docs), and they did contradict every word of what you said. Every one.