Cross-Selling Online Scams and Security Issues

← Back to Stories (view on slashdot.org)

Cross-Selling Online Scams and Security Issues

Posted by Zonk on Saturday November 3, 2007 @07:41AM from the keep-it-secret-keep-it-safe dept.

An anonymous reader writes "The site 12 Angry Men recently published a discussion of a widely used but little-known online scam called 'cross-selling'. Essentially, after-sale shops cut deals with shady online retailers in an attempt to make a quick buck off of you after you've already bought something. 'What actually happens is that instead of linking to the site as a separate session, they link internally as another page in the same session. Why is this important? When you do a credit card transaction, any reputable company will attempt to protect your credit card data. They do this by establishing an SSL session to encrypt sensitive data on-line.' What makes everything even more interesting is that now the company has responded, with the usual white washing and meaningless statements."

2 of 101 comments (clear)

Min score:

Reason:

Sort:

Explanation seems off to me by Tim+C · 2007-11-03 09:02 · Score: 5, Informative

Card data are usually stored in cookies encrypted under the SSL symmetric key.

I've worked in the web for 8.5 years now, and have worked on a lot of ecommerce sites in that time. I have never seen any, not one, that stores anything at all in a cookie other than a session id. There is absolutely no reason whatsoever to be storing credit card details in them - in fact I would go so far as to recommend avoiding any online store that did this, SSL-encryption or no. It's just begging to be exploited.

Also:

As an aside, organ donors in Europe have to opt-out to NOT become an organ donor, i.e., uncheck the box.

Sorry, but I have a card in my wallet that proves this wrong. I'm in the UK and you have to specifically register to be an organ donor. You don't have to carry the card they send you, but you do have to be in the database of registered donors.

With these two errors, I'd have to say I'm suspicious of the rest of the article; how much more have they got wrong?

--
It's official. Most of you are morons.
WLI truly a problem by Peter+Simpson · 2007-11-03 09:13 · Score: 5, Informative

They almost got me twice with a fake "Continue" button on the order confirmation page.

After you type in your credit card info, and authorize the purchase you intended to make, the website pops up a receipt/confirmation page (just as you'd expect). At the bottom of that screen, is a "Continue" button. Below that button, in very small type, almost the same color as the page background, perhaps even below the bottom of the screen, so you'd need to scroll down to see it, is a disclaimer that tells you that by clicking the above button, you're authorizing the transfer of your data to WLI.

The next page you see asks you for a second confirmation (perhaps your email address), and in a way that does not make clear that you are not providing it to WLI...and at NO time are you told that your credit card information has been sent to WLI. You are not explicitly asked to authorize the charge.

The places I caught doing this were unaware of it, and angry about it. The WLI link comes pre-packaged in the "storefront" or "ecommerce solution" that the merchant obtains from their hosting service. My suspicion is that this is a deal between WLI and the storefront software provider, not the merchant.

It's definitely for real and a continuing problem...my experience was several years ago, and at the time, I bookmarked this site, which is still active:

http://adam.rosi-kessel.org/weblog/the_man/webloyalty_aka_wli_reservations_is_a_scam.html/

The other way they get you to click is to offer you a "credit on your next order"...