Slashdot Mirror


Cross-Selling Online Scams and Security Issues

An anonymous reader writes "The site 12 Angry Men recently published a discussion of a widely used but little-known online scam called 'cross-selling'. Essentially, after-sale shops cut deals with shady online retailers in an attempt to make a quick buck off of you after you've already bought something. 'What actually happens is that instead of linking to the site as a separate session, they link internally as another page in the same session. Why is this important? When you do a credit card transaction, any reputable company will attempt to protect your credit card data. They do this by establishing an SSL session to encrypt sensitive data on-line.' What makes everything even more interesting is that now the company has responded, with the usual white washing and meaningless statements."

17 of 101 comments

  1. At least they responded by gbulmash · · Score: 3, Informative

    The company gets criticized for monitoring the blogosphere and responding to complaints in the comment right after its response.

    "Why would a legitimate company providing quality service have concerns about the blogosphere great enough to monitor it?"

    In fact come to think of it, most of those we have seen who practice this and post comments like this are scam artists slightly worse than used car dealers.


    Actually, I've seen "respectable" companies do this. When I posted a rant about the stupid ways people bid on projects (or try to bid without bidding) on Rent-A-Coder, there was a response from Rent-A-Coder on my blog within a day.

    Monitoring and responding to complaints is a positive, IMO.

    1. Re:At least they responded by VGPowerlord · · Score: 2, Insightful

      I thought it was more because white is generally considered by western civilization to represent purity, while black is the opposite of white.

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    2. Re:At least they responded by Mister+Transistor · · Score: 3, Insightful

      OK, I'll bite.

      Whitewash was a kind of paint used in the old days for fence and barn painting. It was called that (gasp) - because it was white! Think Tom Sawyer... Anyway, the term "whitewashing" means to cover up (as in with white paint).

      Blacklisting comes from (also) old times, in Hollywood movie studios, if you were allowed on premises, you were on a list the security guards were given. If you pissed off the director or some studio exec, you got a line drawn through your name with a (you guessed it) - black - pencil - and were denied access from then on.

      That's it, no racist overtones or conspiracies - except, perhaps in your mind!

      --
      -- You are in a maze of little, twisty passages, all different... --
    3. Re:At least they responded by gbulmash · · Score: 2, Informative

      Most HR people care about this because holes in your resume, long periods of time with no discernible activity, are worrisome. It's just SOP to put everything in your resume for whatever period you are covering.

      This is a piecework RFP he's responding to. I'm not offering him employment, I'm asking him to bid on a contract. A personal CV isn't appropriate here. Just show me you can do this work.

      Also you seem to think you will get good people by asking them to give you a free estimate. Perhaps that is normal on the sites you mention but how much time are people supposed to spend giving out free estimates to every person who may be a potential client?

      I'm not demanding a free estimate. The way Rent-A-Coder works is that you bid on a project. It cannot be awarded to you until you bid on it. And when you bid on it, you must specify a price... not a range, not an hourly fee, but a price. The more complicated the project and the more work it will be to estimate the time, the more it's going to pay (the greater the risk, the greater the reward). But any sort of marketplace where vendors bid on jobs poses the risk that you'll spend time developing a bid for a job you don't get.

      When it's an open bid... you either bid or go f*** yourself. There is no such thing as getting paid for an estimate. Bid the contract, win the contract, and do a good job. Do that, and the next time I have need of talents like yours, I contact you personally and we have a different process where you might get paid for an estimate. But in an open market place, at risk of being repetitive... you either bid or go f*** yourself.

      I'm not contacting you and asking you for an estimate. I'm listing the job in marketplace. You want it, you tell me how long it will take you, how much you want, and why I should give it to you instead of someone else bidding the same price or lower. Brochures, CVs, form letter introductions, link lists as long as my arm... waste of time. How much, how long, and why are you the best? That's it. In a marketplace like that, that's how you win contracts.

  2. 12 Angry men by Bloke+down+the+pub · · Score: 4, Insightful
    From the linked article:

    As an aside, organ donors in Europe have to opt-out to NOT become an organ donor
    Not so much angry as ill informed. That's certainly not the case in the UK or Italy which, last time I checked, are part of Europe. I doubt the authors could point to either on a map.
    --
    It's true I tell you, feller at work's next door neighbour read it in the paper.
    1. Re:12 Angry men by Pedersen · · Score: 4, Interesting

      It's not as clear cut as that. You see, in the case of severe trauma, there are two basic treatment paths to take: Keep the body warm, or keep the body cold. The colder the body is, the better the chance the victim comes out alive and intact. So, the body should always be kept cold, right?

      Well, if the victim dies anyway, then it's time to harvest. Oh, but the body being kept cold has put the organs closer to death. This reduces the amount of time they can be out of the body before they become useless to a new body.

      So, we need to keep the body warm. But if we do that, then the victim has a much greater chance of suffering severe, disabling injuries out of the accident. Which means it's more likely he dies.

      Think about it. Would you prefer to live, or to die? Oh, and let's not get started on the medical personnel who have a very important job: If there is any chance the person could be an organ donor, pressure the (still in shock) family to allow organ donation.

      As for me, I choose to live. I do not wish to be an organ donor, and have said so to my family.

      --

      GPL made simple: What was my stuff is now our stuff. If you improve our stuff, please keep it our stuff.
    2. Re:12 Angry men by adavidw · · Score: 2, Informative

      "I have, and I am frightened by the fact that they did not contradict even one word of what I said. Not one."

      I have (ER docs), and they did contradict every word of what you said. Every one.

  3. Shopsafe ad by WPIDalamar · · Score: 2, Informative

    This is just a Shopsafe AD.

    Technical details in the article are slim and misleading.

  4. Rampant Fraud by Yahma · · Score: 4, Insightful
    I used to get $1.00 charges on my credit card that would go unnoticed for a few months. When I checked the company, they had a website that stated something to the effect:

    "If you received a charge to your credit card for us, it is for services that we provided and it is not a fraudulent charge."

    Now, I never have purchased anything from this company, and even though the total charges were less than $3, I reported it to my credit card company. Some of these fraudulent companies can be very deceptive.

    1. Re:Rampant Fraud by Night+Goat · · Score: 4, Funny

      That was a very moving poem. I particularly enjoyed the vivid description of the twenty dollars.

    2. Re:Rampant Fraud by mike2R · · Score: 2, Informative

      A small charge may be someone verifying that the card is still valid - do a small instant transaction which has a good chance of escaping detection and then use the known-good card for a larger fraudulent purchase.

      If this was the case Jazz Inc would be an unwitting third party - your bank might have noticed a pattern of a small charge with them followed by a large fraud attempt.

      --
      This sig all sigs devours
  5. Funny Aside by TiggertheMad · · Score: 4, Interesting

    ...Anyone notice that the website that this article is on prevents you from navigating away via the browser back button? I was always suspicious about sites that employed Javascript to prevent people from navigating away. An article about shifty behavior on a site that tries to manage your attempts to leave. Classy!

    --

    HA! I just wasted some of your bandwidth with a frivolous sig!
  6. Explanation seems off to me by Tim+C · · Score: 5, Informative

    Card data are usually stored in cookies encrypted under the SSL symmetric key.

    I've worked in the web for 8.5 years now, and have worked on a lot of ecommerce sites in that time. I have never seen any, not one, that stores anything at all in a cookie other than a session id. There is absolutely no reason whatsoever to be storing credit card details in them - in fact I would go so far as to recommend avoiding any online store that did this, SSL-encryption or no. It's just begging to be exploited.

    Also:

    As an aside, organ donors in Europe have to opt-out to NOT become an organ donor, i.e., uncheck the box.

    Sorry, but I have a card in my wallet that proves this wrong. I'm in the UK and you have to specifically register to be an organ donor. You don't have to carry the card they send you, but you do have to be in the database of registered donors.

    With these two errors, I'd have to say I'm suspicious of the rest of the article; how much more have they got wrong?
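An added example, not part of the comment above or of the linked article: a small audit that applies the "session id only" rule to `Set-Cookie` headers by flagging any cookie whose value, raw, URL-encoded or base64-encoded, contains a Luhn-valid card-like number, and any cookie missing `Secure` or `HttpOnly`. The cookie names and headers are constructed, `4111111111111111` is a widely used test number, and an encrypted value would not be caught by this check.

```python
import base64
import re
from http.cookies import SimpleCookie
from urllib.parse import unquote

# 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def candidate_texts(value: str):
    """Yield the URL-decoded value and, if it is valid base64 text, its decoding."""
    decoded = unquote(value)
    yield decoded
    try:
        yield base64.b64decode(decoded, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        pass

def audit_set_cookie(header: str) -> list[str]:
    """Return findings for one Set-Cookie header value."""
    findings = []
    jar = SimpleCookie()
    jar.load(header)
    for name, morsel in jar.items():
        for text in candidate_texts(morsel.value):
            for m in PAN_RE.finditer(text):
                if luhn_ok(re.sub(r"\D", "", m.group())):
                    findings.append(f"{name}: value contains a Luhn-valid card-like number")
        for flag, label in (("secure", "Secure"), ("httponly", "HttpOnly")):
            if not morsel[flag]:
                findings.append(f"{name}: missing {label}")
    return findings

# Constructed sample headers (hypothetical cookie names).
GOOD = "SESSIONID=9f2c7a1e5b0d4c3a; Path=/; Secure; HttpOnly"
BAD = "cart=" + base64.b64encode(b"card=4111111111111111").decode() + "; Path=/"

if __name__ == "__main__":
    for header in (GOOD, BAD):
        print(header, "->", audit_set_cookie(header) or "ok")
```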

  7. bad habits by fermion · · Score: 4, Insightful
    I wish that security was not so often sacrificed for selling opportunities. When one is going through an online transaction, which is still a risky process due to man-in-the-middle attacks, one should not create an expectation of the user to see things characteristic of such attacks. There is no reason to have ads on such pages. There is no reason to set third party cookies to ad sites, or direct to other offers between the time that user checks out and the time the order is complete. If attacks such as these are successful, it is the fault of the companies that design the faulty web pages, and such companies should compensate the consumer.

    Even firms that should know better, such as banks, promote such practices. I recently logged into my highly secure bank account, and instead of being greeted with my bank information was greeted with a survey. This is such a fundamental breach of security I wonder why I bank with them. Oh, I know. Because every other bank is selling out customer security to make a buck. It is nothing new. I used to receive many offers on my bank's letterhead. When I called to see if they were responsible, the agent said they have nothing to do with it. Well, I would reply, it is on your letterhead, should I call my AG and state that someone is representing themselves as you? Nothing was said after that.

    In any case, as long as people are trying to squeeze every dime out of every customer, we are going to have these security issues. I guess the only thing to do is to not conduct business with the worst of the worst, no matter how tempting it is.

    --
    "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
  8. WLI truly a problem by Peter+Simpson · · Score: 5, Informative

    They almost got me twice with a fake "Continue" button on the order confirmation page.

    After you type in your credit card info, and authorize the purchase you intended to make, the website pops up a receipt/confirmation page (just as you'd expect). At the bottom of that screen, is a "Continue" button. Below that button, in very small type, almost the same color as the page background, perhaps even below the bottom of the screen, so you'd need to scroll down to see it, is a disclaimer that tells you that by clicking the above button, you're authorizing the transfer of your data to WLI.

    The next page you see asks you for a second confirmation (perhaps your email address), and in a way that does not make clear that you are not providing it to WLI...and at NO time are you told that your credit card information has been sent to WLI. You are not explicitly asked to authorize the charge.

    The places I caught doing this were unaware of it, and angry about it. The WLI link comes pre-packaged in the "storefront" or "ecommerce solution" that the merchant obtains from their hosting service. My suspicion is that this is a deal between WLI and the storefront software provider, not the merchant.

    It's definitely for real and a continuing problem...my experience was several years ago, and at the time, I bookmarked this site, which is still active:

    http://adam.rosi-kessel.org/weblog/the_man/webloyalty_aka_wli_reservations_is_a_scam.html/

    The other way they get you to click is to offer you a "credit on your next order"...

  9. The upside: Free food! by aussersterne · · Score: 2, Interesting

    I know reservation rewards well! I used to get tons of free food using them through delivery.com (a fast food delivery website). Here's how it would work:

    1. Order food online through delivery.com.

    2. An "opt-out" cross-sell appears offering you a $10.00 coupon if you don't uncheck enroll box. First 30 days are free.

    3. Agree to "free trial" and get $10.00 coupon code. Then call immediately and cancel service you just enrolled for.

    4. Use free $10.00 coupon (still good) next time you want to order food through delivery.com.

    5. At end of order, an "opt-out" cross sell appears offering you a $10.00 coupon if you don't uncheck the enroll box...

    Just over a year ago I probably got $300 in free food delivery that way over a several month stretch before moving to an area where there is no delivery.com service. Too bad.

    My card was never charged by these people. All you have to do is be diligent and pay attention and call the 1-800 number to cancel.

    --
    STOP . AMERICA . NOW
  10. Going on for 5 years by flyingfsck · · Score: 2, Interesting

    This has been going on for a long time and people are still falling for it and they are still in business. You should complain to your Congress Critters.

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!