Slashdot Mirror


Cross-Selling Online Scams and Security Issues

An anonymous reader writes "The site 12 Angry Men recently published a discussion of a widely used but little-known online scam called 'cross-selling'. Essentially, after-sale shops cut deals with shady online retailers in an attempt to make a quick buck off of you after you've already bought something. 'What actually happens is that instead of linking to the site as a separate session, they link internally as another page in the same session. Why is this important? When you do a credit card transaction, any reputable company will attempt to protect your credit card data. They do this by establishing an SSL session to encrypt sensitive data on-line.' What makes everything even more interesting is that now the company has responded, with the usual white washing and meaningless statements."

7 of 101 comments

  1. At least they responded by gbulmash · Score: 3, Informative

    The company gets criticized for monitoring the blogosphere and responding to complaints in the comment right after its response.

    "Why would a legitimate company providing quality service have concerns about the blogosphere great enough to monitor it?"

    In fact, come to think of it, most of those we have seen who practice this and post comments like this are scam artists slightly worse than used car dealers.

    Actually, I've seen "respectable" companies do this. When I posted a rant about the stupid ways people bid on projects (or try to bid without bidding) on Rent-A-Coder, there was a response from Rent-A-Coder on my blog within a day.

    Monitoring and responding to complaints is a positive, IMO.

    1. Re:At least they responded by gbulmash · Score: 2, Informative

      Most HR people care about this because holes in your resume, long periods of time with no discernible activity, are worrisome. It's just SOP to put everything in your resume for whatever period you are covering.

      This is a piecework RFP he's responding to. I'm not offering him employment, I'm asking him to bid on a contract. A personal CV isn't appropriate here. Just show me you can do this work.

      Also you seem to think you will get good people by asking them to give you a free estimate. Perhaps that is normal on the sites you mention but how much time are people supposed to spend giving out free estimates to every person who may be a potential client?

      I'm not demanding a free estimate. The way Rent-A-Coder works is that you bid on a project. It cannot be awarded to you until you bid on it. And when you bid on it, you must specify a price... not a range, not an hourly fee, but a price. The more complicated the project and the more work it will be to estimate the time, the more it's going to pay (the greater the risk, the greater the reward). But any sort of marketplace where vendors bid on jobs poses the risk that you'll spend time developing a bid for a job you don't get.

      When it's an open bid... you either bid or go f*** yourself. There is no such thing as getting paid for an estimate. Bid the contract, win the contract, and do a good job. Do that, and the next time I have need of talents like yours, I contact you personally and we have a different process where you might get paid for an estimate. But in an open marketplace, at risk of being repetitive... you either bid or go f*** yourself.

      I'm not contacting you and asking you for an estimate. I'm listing the job in a marketplace. You want it, you tell me how long it will take you, how much you want, and why I should give it to you instead of someone else bidding the same price or lower. Brochures, CVs, form letter introductions, link lists as long as my arm... waste of time. How much, how long, and why are you the best? That's it. In a marketplace like that, that's how you win contracts.

  2. Shopsafe ad by WPIDalamar · Score: 2, Informative

    This is just a Shopsafe ad.

    Technical details in the article are slim and misleading.

  3. Explanation seems off to me by Tim+C · Score: 5, Informative

    Card data are usually stored in cookies encrypted under the SSL symmetric key.

    I've worked on the web for 8.5 years now, and have worked on a lot of ecommerce sites in that time. I have never seen any, not one, that stores anything at all in a cookie other than a session id. There is absolutely no reason whatsoever to be storing credit card details in them - in fact I would go so far as to recommend avoiding any online store that did this, SSL-encryption or no. It's just begging to be exploited.

    Also:

    As an aside, organ donors in Europe have to opt-out to NOT become an organ donor, i.e., uncheck the box.

    Sorry, but I have a card in my wallet that proves this wrong. I'm in the UK and you have to specifically register to be an organ donor. You don't have to carry the card they send you, but you do have to be in the database of registered donors.

    With these two errors, I'd have to say I'm suspicious of the rest of the article; how much more have they got wrong?
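The point raised in this comment (a cookie should carry nothing but an opaque session id, never card data) is easy to turn into an audit. The following is an added example, not code from the thread or from any commenter: it parses `Set-Cookie` headers, flags any cookie value containing a Luhn-valid 13-19 digit run (the shape of a primary account number), and also flags cookies set without `Secure` or `HttpOnly`, since the SSL protection discussed in the summary is moot for a cookie the browser will also send in the clear. The headers in `SAMPLE_HEADERS` are constructed, and the function names (`audit_cookie`, `find_pan_like`, `new_session_cookie`) are this example's own.

```python
"""Audit Set-Cookie headers for card-number-like values and weak attributes.

Added example for the discussion above; not from the Slashdot thread.
All sample headers below are constructed for illustration.
"""
import re
import secrets

# A candidate PAN: 13-19 digits, optionally separated by single spaces or
# hyphens, and not embedded in a longer digit run (so a 20-digit numeric
# order id is not reported).
DIGIT_RUN = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pan_like(text: str) -> list[str]:
    """Return the digit-only form of every Luhn-valid card-like run in text."""
    hits = []
    for m in DIGIT_RUN.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str]]:
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str] = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()   # attribute names are case-insensitive
    return name.strip(), value.strip(), attrs


def audit_cookie(header: str) -> list[str]:
    """Return a list of finding codes for one Set-Cookie header (empty if clean)."""
    _, value, attrs = parse_set_cookie(header)
    findings = []
    if find_pan_like(value):
        findings.append("pan_in_value")      # card data must never live in a cookie
    if "secure" not in attrs:
        findings.append("missing_secure")    # cookie would also travel over plain HTTP
    if "httponly" not in attrs:
        findings.append("missing_httponly")  # cookie readable by page scripts
    return findings


def new_session_cookie(name: str = "sid") -> str:
    """The good pattern: an opaque random session id with protective attributes."""
    return f"{name}={secrets.token_urlsafe(32)}; Secure; HttpOnly; SameSite=Lax"


# Constructed sample headers: two bad ones and one sane session cookie.
SAMPLE_HEADERS = [
    "cc=4111111111111111; Path=/",
    "billing=4111 1111 1111 1111|12/27; Secure",
    "sid=2b6f0cc904d137be2e1730235f5664094b831186; Secure; HttpOnly",
]


def audit_all(headers: list[str]) -> dict[str, list[str]]:
    """Map each cookie name to its findings."""
    return {parse_set_cookie(h)[0]: audit_cookie(h) for h in headers}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_HEADERS).items():
        print(f"{name}: {findings or 'ok'}")
    print("example of a sane cookie:", new_session_cookie())
```

Run it against the constructed headers and the two card-bearing cookies are reported, while the opaque session id passes. The Luhn filter keeps ordinary numeric identifiers from being flagged most of the time, but it is a heuristic: a numeric id that happens to pass Luhn will also be reported, which is the right failure direction for an audit.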

  4. WLI truly a problem by Peter+Simpson · Score: 5, Informative

    They almost got me twice with a fake "Continue" button on the order confirmation page.

    After you type in your credit card info, and authorize the purchase you intended to make, the website pops up a receipt/confirmation page (just as you'd expect). At the bottom of that screen is a "Continue" button. Below that button, in very small type, almost the same color as the page background, perhaps even below the bottom of the screen, so you'd need to scroll down to see it, is a disclaimer that tells you that by clicking the above button, you're authorizing the transfer of your data to WLI.

    The next page you see asks you for a second confirmation (perhaps your email address), and in a way that does not make clear that you are not providing it to WLI...and at NO time are you told that your credit card information has been sent to WLI. You are not explicitly asked to authorize the charge.

    The places I caught doing this were unaware of it, and angry about it. The WLI link comes pre-packaged in the "storefront" or "ecommerce solution" that the merchant obtains from their hosting service. My suspicion is that this is a deal between WLI and the storefront software provider, not the merchant.

    It's definitely for real and a continuing problem...my experience was several years ago, and at the time, I bookmarked this site, which is still active:

    http://adam.rosi-kessel.org/weblog/the_man/webloyalty_aka_wli_reservations_is_a_scam.html/

    The other way they get you to click is to offer you a "credit on your next order"...

  5. Re:Rampant Fraud by mike2R · Score: 2, Informative

    A small charge may be someone verifying that the card is still valid - do a small instant transaction which has a good chance of escaping detection and then use the known-good card for a larger fraudulent purchase.

    If this was the case Jazz Inc would be an unwitting third party - your bank might have noticed a pattern of a small charge with them followed by a large fraud attempt.

    --
    This sig all sigs devours

  6. Re:12 Angry men by adavidw · Score: 2, Informative

    [blockquote]I have, and I am frightened by the fact that they did not contradict even one word of what I said. Not one.[/blockquote]

    I have (ER docs), and they did contradict every word of what you said. Every one.