Rogue Anti-Virus Victims Rarely Fight Back

krebsonsecurity writes "One big reason why rogue anti-virus continues to make major bucks for scam artists: relatively few victims ever ask their credit card company or bank to reverse the charges for the phony security software — even when the victims don't even receive the worthless software they were promised. I recently found several caches of data for affiliates of a rogue anti-virus distribution program, and the data showed that in one set of attacks only 367 out of more than 2,000 scammed disputed the charge. A second rogue anti-virus campaign scammed more than 1,600 people, and yet fewer than 10 percent fought the charges."

Too busy

[suman28]

That's probably because people are too busy or too lazy. I would vote most as lazy, but probably busy to see the Cc to see whether they were scammed, if they are smart enough to realize that they have been scammed in the first place.

Re:Too busy

[LWATCDR]

Actually some claimed that tried but got the run around.
What I would like to see is the CC companies pro actively shut down these people. After one person makes a claim on them it should be easy to check and see who else did and then start reversing charges.

Re:Too busy

After one person makes a claim on them it should be easy to check and see who else did and then start reversing charges.

Ah, there's just no way to abuse this!

Re:Too busy

[interkin3tic]

After one person makes a claim on them it should be easy to check and see who else did and then start reversing charges.

This seems like such a good idea I found myself saying "Surely they already do that" before remembering, oh yeah, this is the credit card industry we're dealing with here, and there's probably no law forcing them to do that.

Re:Too busy

[gcatullus]

They can't "just" reverse it because the customers' cards weren't stolen, the customers initiated the transaction, and they received the "merchandise".

If anytime a customer felt wronged by a company he could just reverse the charges, it would be chaos. This is no different than using a credit card at a casino and losing your money there. Or using your credit card at a psychic, and being upset when you don't meet a tall dark stranger.

Taken to absurdity, this would be like trying to reverse the charges for buying Norton AV, when you do get infected.

These are all valid charges - now the customers should have spent a few hundred dollars more and taken their pcs to someone who could disinfect them, and spend a hundred or so more to buy proper av software. But this way they spent $80.

Re:Too busy

[r0b!n]

Wrong. This is like making a purchase for a product online and the product is not delivered or making a purchase online and the product does not perform the task for which it was purchased. Both of these circumstances are/should be covered by some form of protection.

Re:Too busy

[painandgreed]

That's probably because people are too busy or too lazy. I would vote most as lazy, but probably busy to see the Cc to see whether they were scammed, if they are smart enough to realize that they have been scammed in the first place.

Probably more like too ashamed. If they don't figure it out pretty quick, when they eventually get somebody like me to see why their problem is not going away or explain to them that they bought snake oil, they are usually too embarrassed to do anything more. I know I have lost my money before to an outright (non-internet) con and a large reason I didn't go try and get it back was for feeling stupid for falling for it to begin with. Actually, now I don't actually miss that money and look at it as $20 well spent. Every time since then that somebody comes up to me and proposes something I think is a con (several times, the exact same scam), I can remember back to that $20 I lost in college, laugh and dismiss them without feeling bad (which is a prime motivator they use many times). Many times when I explain to people what has happened, I tell them to think about that money any time they are asked to pay for any transaction they didn't initiate to begin with and not fall for it again. Sure, that let's those people get to keep the money, but even if they did get it back and shut that person down. There would just be another and there are always more people to scam. Most internet scams were scams long before the internet and run via snail mail or even going door to door. It's probably better for them to lose that money once in a lesson that they will never repeat, than feel safe that they can get that money back otherwise.

Re:Too busy

[gcatullus]

But the bogus product did "fix" the pcs. Now if their browser was still hijacked after paying the money it would be fraud, but here they got their pcs fixed for $80.

Re:Too busy

[Mr.+Freeman]

"What I would like to see is the CC companies pro actively shut down these people."

Yeah, but that's a lot of work. These charges mean greater credit card bills which means more money (in the form of interest paid) for the CC company. If they deal with this in an efficient and ethical manner then they make less money. If it were up to the credit card companies, they wouldn't even have to tell you their credit rating EVER. As it is they only have to inform you ONCE PER YEAR.

Without regulation, this won't get fixed. Thus, the only way to get this fixed is to make sure that the identity of senators gets stolen so that they're encouraged to start passing laws with stricter regulations on data security.

Re:Too busy

[LWATCDR]

Actually No they are not.
The charges have been reversed by many of the users.

Re:Too busy

[selven]

Probably not too busy/lazy to fight the charges, but too busy/lazy to even read the entire credit card bill in the first place.

Re:Too busy

[Thansal]

No, they don't. The scammers don't 'fix' anything, they just take the money. They might give them an 'anti-virus software' (read, more malicious software), but they aren't going to remove their damn malicious software just because you gave them $80.

Even if they did, extortion is illegal, and thus a perfectly viable charge reversal.

Sorry, but your apparent argument of "people are dumb and should pay for getting scammed" doesn't really float. Basically the entire point of charge reversals is to deal with scammers.

Re:Too busy

[paeanblack]

They can't "just" reverse it because the customers' cards weren't stolen, the customers initiated the transaction, and they received the "merchandise"

Apparently you have a shitty credit card provider. If you have a good provider, it works like this:

-You complain about the charge
-CC company takes the charge off your bill
-CC company does the legwork resolving the issue with the merchant
-CC company apologizes to you for your inconvenience

If your credit provider isn't willing to fight for you, why are you doing business with them?

Re:Too busy

[Cylix]

That is a bit too many steps in my case.

I had a hotel toss me out for some issues. We had a bit of a disagreement regarding noise and my suggestion was to move either my room or my neighbor. Well they wanted to be smug about the whole thing and that is fine. However, you don't get to keep my money and throw me out.

Douche-bag night manager decided he would be really clever and charge my card regardless. I noticed the charge a few days later and called up my credit card provider. Turns out they had several instances already just like mine. They said they would reverse the issue and told me to have a nice day.

Literally it was a minute call to initiate a reverse. The hotel itself wasn't exactly cheap either and I suspect senior douchiness had pulled this scammed many times.

Re:Too busy

[Runaway1956]

I hear the runaround thing. I was looking at one of those federal grant sites some time ago. Had to pay $1 or so to get access to some stuff, so I paid. I THOUGHT that I had read everything, I paid the small fee, downloaded some documents, read them decided the place wasn't what I was looking for. The following month, I had a charge of about $40 on my card.

The credit card company refused to halt the transaction! Utter asswipes! They claim to be concerned with security, but when a customer calls in to say, "I'm being ripped off!", they do nothing.

I got better response from the scammers when I called them. One call was all it took for them to agree NOT to charge me any more.

Re:Too busy

I use Linux.

Re:Too busy

You expected more from his armchair, 5-minutes-of-thought, genius answer to solve the problem?

Re:Too busy

These type of sites make it extremely hard to find the terms and conditions, but by law, the credit card companies can't generally reverse the charge if it's within the stated terms and conditions of the business you dealt with. And, as far as the credit card company is concerned, you're not being "ripped off" if you buy a service or product and get charged within the terms and conditions that you signed up under (even if you did not read them or could not locate them).

I used to work at a call center handling such disputes, and I would get calls all the time about these "free trial" scams where they hide in the fine print that you only have 14 days from the order to cancel, or you're set up for recurring shipments and billing. The only thing I could do was to advise the customer to contact the company IMMEDIATELY, and to cancel with them, ask them for a confirmation of cancellation, and make a note of the date of cancellation. Sometimes the company would be nice enough to give a one month refund, but if they did not, there was nothing we could do. Now, if the customer had documentation of cancellation on a certain date, and charges were still made on the card AFTER that date, then we could file a dispute on those.

Re:Too busy

[RJFerret]

When I was a kid buying back to school supplies I always wondered why I could buy an entire pack of pens for $1 that had a rebate for $1.

I'd get pens for the cost of a stamp.

How did the pen companies make money offering that?

Years later I learned.

People take rebate forms, but never send in the info.

I'm not surprised people don't want to make a phone call, use a menu system, wait to talk to the kind reps who easily contest charges.

The credit card companies make it easier than mailing a rebate form, but that's more effort than using the remote to turn on TV, I mean heck, people won't even walk a few feet across the room to turn on a TV anymore!

It's the same reason people will pay extra for those internet/TV/phone bundled packages, rather than pay less for the services separately.

They have "better things to do" than fill out rebate forms or sit on hold calling companies.

Re:Too busy

This is why when there is "free" anything online and it asks for your CC#, the red flag should be raised right there. My guesstimate is that over 90% of those things are only there to introduce people to a recurring randomly named "service" fee. To obtain the "free" whatever, the small print says you're also being enrolled in some associate program. The only service I've seen provided by such things other than providing the "free" whatever is the service of separating people from their money in an unethical and somewhat fraudulent manner via recurring fees. (Although by putting things in small print and obfuscating it by not saying it in plain English, usually they can get away with that B.S. legally in the U.S.)

When you see recurring charges on your credit card bill and you don't know WTF they're for, it's a good idea to do some research and if it's not something you recognize - first try to cancel the services, and then later tell the CC company to deny payments to those companies. In the worst case scenario, you've got to clean every single cookie and bit of cached data that could leak from your browser and then get a new CC number.

The biggest offender with heavy advertising campaigns both on cable TV and via banners at various internet services can be found here:
http://www.ripoffreport.com/Search/Company/AP9-Adaptive-Marketing.aspx

Re:Too busy

[sumdumass]

I don't think the argument was "people are dumb and should pay for getting scammed". It's more like they have to show they were harmed and something wasn't delivered or wrong with the transaction.

I agree with the later because as the op pointed out, there is potential for abuse. You should have to present a case of why or how you were scammed before getting the charge back. This case can probably be made easier if a record of charge backs are kept but it's probably a lot like Spam in which they change companies and/or company names often. And no, just because the product wasn't fit for the advertised service isn't a reason for a charge back if you received the product. You don't get a charge back when the diet pills or ab launcher on late night TV fails to make you lose weight or tone your abs. Other laws typically get brought about before the charge back is issued.

Re:Too busy

[shentino]

Not to mention that letting survival of the fittest fleece the fools from their money has a nasty side effect of enriching the bad guys in the process.

If it was really a Stupid "Tax" then it should go into the hands of the government, preferably to invest in cyber education.

Re:Too busy

Wrong. This is like making a purchase for a product online and the product is not delivered or making a purchase online and the product does not perform the task for which it was purchased. Both of these circumstances are/should be covered by some form of protection.

It's called an implied warranty of fitness for a particular purpose and an implied warranty of merchantability, and are both part of the Uniform Commercial Code. This law is standard throughout the US. There is also international law, the United Nations Convention on Contracts for the International Sale of Goods.

Re:Too busy

[X0563511]

... because someone acted like a teenager and got themselves a shitty credit score, I'd imagine. (or just some bad luck)

Re:Too busy

[helix2301]

I agree part of the problem is the Credit Card company gives you the headache of getting the money back. I think more people would fight for there money back if the credit card companies were more understanding to modern day situations.

Re:Too busy

[guruevi]

It's because people are too stupid. I recently got somebody's computer with some kind of AntiVirus Pro 2010 on it (or something like that). I deleted it, cleaned up the computer, gave free antivirus. Got a call a few hours later:
- Where is my antivirus.
- Well, it's right there, it's called ...
- No I had AntiVirus Pro, I don't want that free crap
- Well, AntiVirus Pro is a scam program, it doesn't do anything and only prevents other antivirus from working and probably steals your bank information. The one I put on there is free too and actually works so no worries.
- I pay $120 for that (no kidding), I want it back.
- Well it's a scam, call your bank and cancel those payments because you've been scammed.
- blablabla... I want it back ... why would you think it's a scam, I paid for that
- *click*

She has had her card information misused several times, she keeps getting a new card number but then has to renew AntiVirus Pro.

Re:Too busy

Agreed. I've been double-charged by *insert big DNS/hosting company here* and after the first attempt to correct it didn't work, just went ahead and paid the overcharge. It wasn't worth the effort of fighting for a few $ when I save more than that each year by using them instead of my previous provider... At some point I just quit caring about the principle of the matter and wanted to move on with my life. :-)

Re:Too busy

[LWATCDR]

As if the system wasn't already being abused?
Credit card companies shouldn't allow their services to be used for scamming. Once a company has been accused of fraud like this the credit card companies should investigate. In the end this kind of scamming will cost them a lot of money.
Of course me wanting to see it doesn't mean that it must be a law or regulation. Just a good idea. If you make it hard to make money doing this you remove the incentive.
 

Re:Too busy

[Machtyn]

Not to mention that letting survival of the fittest fleece the fools from their money has a nasty side effect of enriching the bad guys in the process.

If it was really a Stupid "Tax" then it should go into the hands of the government, preferably to invest in cyber education.

Wow. You just made a recursive statement here.

a Stupid "Tax" ... should go into the hand of government (and) their money has a nasty side effect of enriching the bad guys in the process.

Re:Too busy

[daedae]

With respect to fraud in store (stolen CC#), the credit card company isn't on the hook for the money. If they reverse the charges, it's the store that takes the hit. I assume a similar point is true here, if you dispute the charges and they reverse it then the CC company doesn't eat the cost, the scamming company just doesn't get the money.

This is probably why the credit card companies have little incentive to investigate or stop working with any particular company: the cost to them to reverse charges is fairly small, whereas launching an investigation would be expensive, and they're not really losing anything in public opinion because most people apparently don't realize the companies are a scam and therefore aren't clamoring, "Why didn't you protect us?"

Re:Too busy

[mr_nazgul]

I had a similar experience, but no run around. I called and complained about being charged and never getting my product and that I hadn't been able to get someone to call me back for a refund or to get said product (almost three months after original purchase date). My credit card company immediately refunded my cash and said that in 4-6 weeks I should call them back if I don't hear anything for a verdict.

I heard nothing, called and was told that the case was closed and that I keep the money. If it had been challenged, I might have lost the money, but since I received no product and had done much legwork and was polite, it was easy.

The key here is that you need to have as much information as possible and if the first person doesn't help, get their name, call back and get a polite representative that WILL help you and even mention the previous person not willing to help.

Dot your T's and cross your I's and all that gives results.

Re:Too busy

[Golddess]

You make an interesting point, but it still kinda shocks me. Spending money now in order to make back some of it at a later time (rebates) isn't exactly the same thing as being billed for more than you expected (fraudulent charges).

Rebates never come in time to cover the cost of the product on your next statement unless you've got some ridiculously long no-interest grace period (or you purchase it at the very beginning of the billing period, then you might get it before the grace period ends), so in theory you should have calculated that into your budget for the month. But a fraudulent charge is money you didn't expect to have to spend at all.

Though I guess if all you're doing is putting down the minimum monthly payment, you aren't going to care either way.

Also...

people won't even walk a few feet across the room to turn on a TV anymore!

My TV (well, DVR) doesn't have a physical on/off button, or any buttons at all except on the remote, you insensitive clod! :P

Re:Too busy

[psithurism]

Probably more like too ashamed.

I'd offer that most don't know what happened.

As a teenager, I did $10/hour tech support for parents friends and many of them just follow the prompts on the popup windows and don't have a clue what is going on. "My computer said, 'you need this virus protection or your identity will be stolen.' So I entered my credit card information." You ask them: "What is it called?" "Who makes it?" "What does it do?" "What is a virus?", and they don't know.

I can prove virus protection was not installed on my computer and if it ever ran, but the average person who tries to install fake software may not even know what install means and figure the website magically installed it and they are not bright enough to know how.

I paid a mechanic $200 to put in a "crankshaft sensor" he found I needed. He could be just ripping me off, but I wouldn't know. Even if someone said he was sketchy, I don't even know what crank shaft is to go check for myself, but if I did, and I found out he ripped me off, I'd be down yelling for my money back with no embarrassment about it.

potential reason to not dispute a charge

I recently had a $10 charge from a company I'd never heard of. Slightly different than this story, it was not from a rogue antivirus, but just a plain-old unauthorized charge (out of the blue). I called my bank to dispute it, but they said I'd need to change my charge number if I disputed it. I decided I'd rather eat the $10 charge, than deal with the hassle of updating my card number (and updating everything that auto-bills it).

Re:potential reason to not dispute a charge

[frieza79]

How many months of bogus $10 charges will you tolerate?

Re:potential reason to not dispute a charge

[compro01]

What bank is this?

Re:potential reason to not dispute a charge

Once you've had one charge, how likely are you to get more? I dispute ANY charge because someone I didn't give number to has it.

Re:potential reason to not dispute a charge

My god, what is it with the mods lately? How is this guy "trolling"???

P.S. I myself haven't had any mod points in over a month. Anybody else?

Re:potential reason to not dispute a charge

[morari]

Don't autobill and you wouldn't have to worry about changing your card number now and then. I'd consider autobilling a huge risk in and of itself, personally.

Re:potential reason to not dispute a charge

[retchdog]

I'll be happy to sell you my mod points and a subscription to a series of pamphlets detailing many "life hacks" including my patent-pending technique for obtaining 15 mod points a week; and how to get free product out of those 25-cent bubblegum dispensers at shopping malls. Please post your credit card number; verification number; and billing address in a reply.

Re:potential reason to not dispute a charge

[biryokumaru]

I keep getting 15 every few days... also, ACs don't typically get to mod, do they?

Re:potential reason to not dispute a charge

[blackraven14250]

Nope, they never do. Which is why, even though his comments may be modded up while he posts AC, he isn't getting any points on his account - which in turn affects the number of mod points he gets to use.

Re:potential reason to not dispute a charge

[John+Hasler]

> How many months of bogus $10 charges will you tolerate?

Zero. My wife handles the credit cards and she verifies every single charge. I am required to save and annotate every slip and log every Internet or phone transaction.

Re:potential reason to not dispute a charge

[Mr.+Freeman]

Call back and ask for a supervisor, or their supervisor, or however many people you have to talk to to get to someone who can reverse the charge without changing your number.

Of course, I'd want to change my number. Someone unauthorized clearly has your CC information and can successfully charge money to it. Keeping the same number makes NO FUCKING SENSE. It's like refusing to change your locks after you know that a thief has a copy of your key because last time he broke in he only took $10. HE'LL BE BACK LATER WITH A VAN AND TAKE EVERYTHING IN YOUR FUCKING HOUSE. You're going to end up with some $5000 charge to your card and that's going to be a hell of a lot more difficult to deal with then ten fucking dollars.

Dispute the charge, change your number, and SPEND TEN FUCKING MINUTES UPDATING YOUR AUTO-BILL INFORMATION.

Re:potential reason to not dispute a charge

I recently had a $10 charge from a company I'd never heard of. Slightly different than this story, it was not from a rogue antivirus, but just a plain-old unauthorized charge (out of the blue). I called my bank to dispute it, but they said I'd need to change my charge number if I disputed it. I decided I'd rather eat the $10 charge, than deal with the hassle of updating my card number (and updating everything that auto-bills it).

Here's something you may not know about credit card auto-billing.

If you have a legitimate recurring auto-bill and then change your card number, the first auto-bill on the old number will fail.

But many banks (particularly amex) will allow the second auto-bill on the old number to go through.

Re:potential reason to not dispute a charge

[rainmouse]

Funny how, unlike on the Monopoly Community Chest cards, bank errors never appear to be 'in your favour'.

Re:potential reason to not dispute a charge

Wow. Makes me glad I'm not married.

Re:potential reason to not dispute a charge

[John+Hasler]

> Funny how, unlike on the Monopoly Community Chest cards, bank errors never
> appear to be 'in your favour'.

I experienced one just last month: a $500+ overpayment.

Re:potential reason to not dispute a charge

[MasterLock]

You need a better card.

I dispute anything that doesn't match my records; I've disputed as little as $6 from a local store. I call the credit card company and submit the necessary papers via fax.

I often hear people say, "Oh, it's a just a few dollars off; what's the big deal?" Depending on the business, that "few dollars" may be put on 100, 1000, 10000 different people. Would you say, "Oh, it's just $50,000 off; what's the big deal?" The credit card companies keep track of these disputes; if a company is continually getting hit with them, they will investigate.

Re:potential reason to not dispute a charge

[InfiniteWisdom]

The small charge could easily be a precursor to a large charge. Thieves will often make small purchases online to test cards before buying something of value. Obviously getting something shipped is not an option if you're using a stolen card, and they wouldn't want to attract attention to themselves in a physical store by using a card that's been reported stolen.

Re:potential reason to not dispute a charge

[Cwix]

Yep, and Im sure they wanted it back didnt they?

Re:potential reason to not dispute a charge

[internettoughguy]

These guys got away with it, but they're probably wanted by Interpol.

Re:potential reason to not dispute a charge

[bitingduck]

I actually had the bank call me about a charge like that once. I'd bought some expensive software by phone and a cell phone earlier in the day, both legitimate but unusual charges for me, so I thought it was about that when the automated fraud call came in. When I called back and talked to a live person, it was about a $9.99 charge for "somethingsoft" (I can't remember exactly what the name was). The CC company told me they'd reverse it and send me a new card. When I googled the fictitious company it turns out that it was some kind of scam thing where they either collect or generate card numbers and just start applying $9.99 charges because most people either won't notice or won't argue about it because it's too small.

Re:potential reason to not dispute a charge

enjoy your $5000 charge next month.

Re:potential reason to not dispute a charge

[Belial6]

Shipping hasn't been much of a problem for the last ~5 years. They just have it shipped to a vacant house.

Re:potential reason to not dispute a charge

So what do you do when your credit card expires? They do every couple of years...

Re:potential reason to not dispute a charge

Really? Unlike my house, where insurance might have something on negligence--changing the number is up to the credit card company. And it shouldn't be difficult to dispute. You see, their agreement caps my liability at $50. And I'm fine with that. Because after the first unauthorized charge, if it happens again--I've got proof they were negligent in authorizing it.

Got a copy of the receipt with my signature? No. Okay--it's unauthorized.

Got it authorized by proxy (like over phone or via mailin) and I disputed it? Is there proof of delivery of the product via fedex? No? Revoke their merchant account.

I don't care how many people have my ccd #--as long as I authorized it and didn't go handing it out to people I don't intend to use it--it's the card company, and the merchant's problem--not mine. That's the agreement.

Because that $5,000 is damned easy to dispute. You call and dispute it, then send it in writing. Problem solved.

Re:potential reason to not dispute a charge

Is that it? It would be nice if this stuff was written down some place (other than the source code). I switched to AC after getting stalked one too many times. Oh well, I'd rather never get to mod. (different AC from up the thread BTW)

Re:potential reason to not dispute a charge

[Real1tyCzech]

Got one a few years back for $800. Teller *majorly* miscounted. She was not paying any attention at all. I swear she was reading a text or some shit....

Wasn't my bank. Didn't have an account there, (my employer did) and the next time I went to cash my check nothing was said. (Though strangely enough, she still seemed to be employed...).

It's an odd, odd world.

Re:potential reason to not dispute a charge

[tlhIngan]

I recently had a $10 charge from a company I'd never heard of. Slightly different than this story, it was not from a rogue antivirus, but just a plain-old unauthorized charge (out of the blue). I called my bank to dispute it, but they said I'd need to change my charge number if I disputed it. I decided I'd rather eat the $10 charge, than deal with the hassle of updating my card number (and updating everything that auto-bills it).

Well, someone's got your credit card number. You can dispute the charge, but because it was unauthorized, the bank would prefer you throw away your old card because if there's one, perhaps there's another. Hell, if you look close, you might find a "testing charge" from iTunes or something a month back. Because you can be sure the next month they'll try charging $5000+. Heck, they may have already done an authorization charge for that much but the charge hasn't come yet.

I've had my card fraudulently used, and the biggest pain is not the auto-bills (especially since they were coming due), but not having a card for a week. I changed it again a year later when one of the stores I visit had their credit card processor breached (possibly). I did it pre-emptively to avoid any hassles. This time I rushed the card and was only without it for a few days.

Re:potential reason to not dispute a charge

[Nursie]

I got overpayed by quite a bit a few months ago, several paychecks in a row. I called to ask about it and the company just said "Oh, yeah. We'd better stop that. Have a nice day. Nothing was said about taking the overpayments back.

Life is good to me sometimes.

Re:potential reason to not dispute a charge

He's saying he knows the company that charged his credit card and they are legit, they just made a bad charge. There's a difference between that a thief who breaks into your house. But you keep raging man.

Re:potential reason to not dispute a charge

[Inda]

What is your time worth? You're on about spending 30 minutes shouting down the phone to save $10. I'd like to think I could earn $10 in half that time.

Re:potential reason to not dispute a charge

[bloodhawk]

I had a bank error in my favour, nearly 9 grand. I left it there and eventually they realised there mistake but they let me keep the interest.

Re:potential reason to not dispute a charge

[Nyder]

> How many months of bogus $10 charges will you tolerate?

Zero. My wife handles the credit cards and she verifies every single charge. I am required to save and annotate every slip and log every Internet or phone transaction.

Does she withhold sex if you don't?

Oh, what am I asking, your married, you don't get sex. my bad.

Re:potential reason to not dispute a charge

I had a couple of unauthorised charges on my Visa (mobile phone purchase and airport parking, so I'm guessing relatively sophisticated crime) which fortunately I spotted early due to online banking. I called expecting them to change my card but they REFUSED point blank, saying it would "interfere with their investigation."

I got the money back and haven't had any mysterious charges since, but it seems a very broken way of dealing with it. Presumably my dox are still out there and I could be charged again.

Re:potential reason to not dispute a charge

[stephanruby]

You tell me. What is your time really worth? You'd rather wait till Black Friday or Christmas Eve to dispute a slew of even bigger charges by the same outfit? And you wouldn't mind nice police men breaking down your door at 5am looking for child porn that those $10 supposedly bought?

Re:potential reason to not dispute a charge

rawr stick it to him!

Re:potential reason to not dispute a charge

While slightly off-topic. I did in fact have a bank error in my favor once a few years ago. I was given a $75.00 check and told the cashier that I wanted $25.00 in cash and to put me $50.00 in my checking account. The person credited me $50.00 and counted out $75.00 and gave me a receipt.

I told the cashier that he was making a mistake. He picked up the $75.00 and counted it out again and told me that I was an idiot and did not know how to count.

I pocked took the cash and left... Funny thing was I never saw him working at the bank again...

Re:potential reason to not dispute a charge

[Machtyn]

I guess you value your time less. In my opinion, it is far easier to change your number once than to have to dispute a dozen charges every month.

Yes, the CC company should recognize the fraudulent charges. But how are they to recognize the fraud when the charges are being made to different, potentially, legit companies. At that point, the charges look legit and it is up to you to dispute. Which, in my experience, means calling the CC company, taking at least 15 minutes to wait for a rep, have them take your info, have them upsell you on 3 different products and another 5 minutes to write, print, and mail the letter.

Re:potential reason to not dispute a charge

[Quirkz]

Generally the initial $10 charge is testing the account before they come back and start charging hundreds or thousands of dollars, or whatever they can get away with. If your account has been compromised to have one charge, it generally means more are coming.

Re:potential reason to not dispute a charge

[Quirkz]

Lucky you. I had an employer miscalculate my paychecks (plugged in 24/year instead of the 26 pay periods years actually have). They had no compunctions about printing me a small check to make up the balance once they figured out what was going on. They were nice enough to apologize, but that hardly makes up for several hundred dollars.

Re:potential reason to not dispute a charge

[blackraven14250]

This IS wirtten down, on this page.

When working for Dell...

[Aliotroph]

I always encouraged customers to call their credit card company's fraud number as soon as they were done with me if I learned they purchased one of those scams. How many followed up I don't know.

My friend's dad also bought a rogue antivirus one day. He refused to believe it was fake. We quietly removed it and decided to let him deal with the consequences of giving his card number to con artists. Some people are just too much effort.

"Buyer Beware"

[mcrbids]

Mostly people think that if they get scammed, that they were stupid or suckers and don't want to admit that they were duped. Calling the Credit Card company to reverse a charge for $40 is embarrassing, and they would rather just pay the "sucker tax" than go thru the effort, confusion, and embarrassment of disputing a charge.

And this is true in those cases where they even know they can dispute a charge - how many card holders even know that they can do this? I probably had a card for at least 5 years before I found this out, and I would consider myself somewhat more informed than the average consumer.

Re:"Buyer Beware"

[morari]

Here's what you do:

You start a company called "Arse Ticklers Faggots Fan Club". Put an advert in a gay mag advertising the latest in arse-intruding dildos. You sell it with "Does what no other dildo can do until now! The latest and greatest in sexual technology! Guaranteed results!" All that bollocks.

These dildo cost a few quid a pop... a snip for the pleasure they'll give the recipients. They send their cheques to the other company name. Nothing offensive, "Bobby's Bits" or something, for a few quid. You stick it in the bank until it clears.

This is the smart bit. You send back the cheque for several pounds from the other company name (Arse Ticklers Faggots Fan Club) saying we're sorry, we couldn't get supplies from America... they ran out of stock. You see how many people cash that cheque.

Not a single soul. Who wants their bank manager to know they tickle arse?

Re:"Buyer Beware"

[frosty_tsm]

You're referencing an old scam (not the product, but sending the refund using an embarrassing name). If I recall, the court said that they couldn't use that tactic to prevent cashing of checks.

Re:"Buyer Beware"

[iammani]

You could deposit it in an ATM.

Re:"Buyer Beware"

[Beardo+the+Bearded]

The winrar is you; that's got to be the best pun of the day.

Re:"Buyer Beware"

Lock, Shock and two smoking Barrels

Re:"Buyer Beware"

[Mr.+Freeman]

"the court said that they couldn't use that tactic to prevent cashing of checks."

What? They said that bank customers can't make the decision to NOT cash a check?

Re:"Buyer Beware"

For GOD's sake, accept that your way of using cards is the problem.

Start using what Europe does - the card has a chip and the chip has to be into a POS/ATM for any transaction to occur. Someone just knowing you card number cannot do anything, even if they try to run it via a payment processor. (That is right - the payments over the net go over payment processors, not between the requesting side and the bank). Oh, yes, and start demanding live real-time SMS for any transaction on the cards. Yes I did have this in Europe - some money are taken, blocked, etc.. an SMS will be on my cell in less than 10 seconds telling me exactly when and where and how much money were taken away. Why do the banks in US oppose it - well, they have interest for you to overdraw, have your money stollen, etc.

It is your own, American way of living that is causing the issue.

Re:"Buyer Beware"

[John+Hasler]

> What? They said that bank customers can't make the decision to NOT cash a
> check?

No, that the intent was clearly fraudulent. Except when prevented by loony statutes judges regularly apply common sense.

Re:"Buyer Beware"

[thedak]

It's a quote from "Lock Stock and Two Smoking Barrels"

Re:"Buyer Beware"

Posting Anon because I have Mod points in this thread...

I just have to ask you one question... Do you realize how LITTLE power the American people actually have in saying what is the "American way of living"? I swear some entire industries are in cahoots with the Government. "Stupid politicians" would probably actually be a valid argument here.

Re:"Buyer Beware"

Ok, it's me, the dumb European shmuck..
So I live here (AZ) now, and I am being told that the people elect the government. I know - when there are no other candidates - you always elect the same, however walking into a bank office, and withdrawing money from a human teller is still an option. Then paying all in cache, or pay deliveries to the delivery boy. Even paying for gas inside the shop. I know it is not perfect, no system can be, but that would at least not expose your card.

Let me give you an example - in Europe if I've dined at a restaurant the waiter will bring the pos device to the table. I would personally put my card in, and the teller will input the charge. I will put a tip (or not) and enter my pin. When transaction is completed I will take my card out of the pos. But the whole system in Europe is based on actually wiring money from your account somewhere, that is - you move around credit (I instruct my bank to credit your account X amount). Here in US it is the opposite - you move around debit (the other party instructs my bank to debit my account X amount), and what is worse, you allow that debut to be changed at a later time. The second is inherently insecure - because in the first case the bank trusts me, and not the other parties, in the second case, the bank trusts the other parties and not me.

Re:"Buyer Beware"

LMAO its a quote from Lock, Stock, and Two Smoking Barrels

Re:"Buyer Beware"

And no one replying to this comment gets the reference. Absolutely great movie.

Re:"Buyer Beware"

[Jedi+Alec]

American consumer: "I want my phonecall"
American banks: "Ah, but Mr. Consumer, what good is a phonecall...when my cock is in your throat?"

Whipping US banks into a shame even remotely resembling what we've got on the other side of the pond would require legislation, and that would be socialism, right? Far better to wait for the free market to sort it out. After all, there's no way bankers would get together in smoke-filled backrooms and collectively decide how to screw average Joe just that little bit more.

Then again, over here it is perfectly possible to live *without* a creditcard. Much easier to avoid spending other people's money that way.

Re:"Buyer Beware"

He's referencing "Lock, Stock, and Two Smoking Barrels". Brilliant film.

They Authorised The Charge

[gcatullus]

Although the company that was given the cc number was shady - the customers actually authorised the charge. When you process a charge back it has to fall into a certain category with the processor. The customer can claim that the card was stolen, the customer can claim that the charge was never theirs, they can claim that they never received the merchandise, etc. But in this case the customers still had their cards, they actually did initiate the transaction, and they received the merchandise, i.e. their pc got "fixed".

There is no chargeback category for this, and as long as these card numbers aren't then resold and used in a traditionally fraudulent manner, nothing will happen.

It would be like trying to reverse the $1,000.00 charges for the champagne room strippers because they were ugly. Just you didn't get what you thought you'd get doesn't mean you can reverse the charges.

Re:They Authorised The Charge

The difference in this case is that the rogue antivirus is defrauding the customer. In that case, even though the charge was authorized, it can still be disputed.

Re:They Authorised The Charge

[Kojiro+Ganryu+Sasaki]

What?

You pay for X and get Y. That. Is. Fraud.

Re:They Authorised The Charge

[NJRoadfan]

In cases where the customer never received the software they clearly have a case. Non-delivery of product/services is one of the most (if not #1) reasons one would do a charge back.

Re:They Authorised The Charge

[John+Hasler]

> Just you didn't get what you thought you'd get doesn't mean you can reverse
> the charges.

Yes it does. They promised antivirus and failed to deliver it. The problem is in proving it. It's the vendor's word against yours. You did give the vendor your number and they did send you something. Why should the credit card company believe your claim that it wasn't what you ordered? Are you ready to go to court over $50? If so you will probably win.

Re:They Authorised The Charge

[John+Hasler]

Sure it is, but how does the credit card company know that? They have only your word.

Re:They Authorised The Charge

[gcatullus]

The rogue antivirus "appears" to be defrauding the customer. This is hair splitting, but it is important. Imagine this scenario, click a link for our super duper antivirus cleaner, customer clicks link, doesn't read fine print that says this is for novelty purposes, that it will change your homepage to goatse, that it will redirect all searches to images of kittens, or whatever. The super duper antivirus cleaner says the pc is infected. The customers pc is now "broken" because their home page shows a gaping ass, and every time they try and use yahoo search they get kittens. They see a link to give their credit card to clean their pc. They cough up $80 and their pc is fixed.

Now is that fraud?

Re:They Authorised The Charge

[durdur]

It's actually quite sucky to be a credit-card taking merchant, because all the risk of a transaction going bad is pretty much on your shoulders. The card issuer assumes no risk or liability themselves. Which is why some outfits don't take credit cards.

A consumer can always dispute a charge. They can say the merchandise was defective, which it surely was here. Usually the merchant either works it out with the consumer or if they're a scammer they never respond and they're out the money, plus, as a merchant, if you get too many chargebacks, your card company may decide you are more trouble than you are worth and drop you.

I guess you can abuse the system as a consumer, too. Still the merchants bear the greater risk of having things go wrong, because they process more transactions.

Re:They Authorised The Charge

[retchdog]

You can reverse the charges if the product doesn't conform to reasonable expectations and is not sold "as is". I did this when I bought a used thinkpad that didn't even POST, and the seller refused to communicate with me. To clarify: it was not sold "as is", and the seller did not even try to disclaim the implied warranty of merchantability. Then again, probably most people expect anti-virus to not work anyway. :-/

The strippers may be more contentious, but if they actually had misleading photographs on display... Most people would probably not try though. ;-)

Re:They Authorised The Charge

[gcatullus]

Depends on what they actually promised, they did "clean" the pcs of the browser hijacker. Even then just try suing a company from Russia in your local small claims court. Now this isn't ethical, but that doesn't mean it is not legal.

Re:They Authorised The Charge

[Mr.+Freeman]

Yes, and that's all that is necessary to reverse a charge. By law, they must remove the charge unless the company offers some proof that the customer authorized the charge. I can't imagine that a scam would be too willing to provide a lot of proof that someone authorized the purchase of a fake product and that they then delivered that fake product.

Re:They Authorised The Charge

[rainmouse]

It would be like trying to reverse the $1,000.00 charges for the champagne room strippers because they were ugly.

To put it into a bit more accurate a context, it is a little bit more than strippers being ugly. They would have to convince you they were strippers, then show up after being paid with a lot of clothes on and put even more clothes on. It's false advertising and a scam, don't try using irrelevant metaphors to back them up like I have just done to disagree. Dammit I'm such a hypocrite.

Re:They Authorised The Charge

[gcatullus]

The chargeback rules haven't caught up with technology. The thinkpad was a tangible piece of merchandise. The credit card processors know how to deal with that, i.e. bought x and x doesn't do what x is supposed to do, and as you said wasn't bought "as is". But what if you pay for a piece of software that only claims to restore your original home page and let you search AOL again. These people bought something that did that. How do you explain to your cc company that you clicked a link you shouldn't have and then you bought this software to fix the pc and it did fix it, but that you were scammed, because the original link was misleading.

As for warranties as I recall most software requires that you sign away just about any rights before you are allowed to use it. It is a slippery slope, try charging back MS Office because it is "broken" because you can't make pivot tables.

Re:They Authorised The Charge

[gcatullus]

Well they were strippers, just clothed strippers, they happened to be absolutely naked (underneath their clothes), and nothing in the shrink wrap eula that covered the entrance to the champagne room said anything about them actually letting you see them naked without clothes.

Re:They Authorised The Charge

[krebsonsecurity]

Everything you said is true and makes sense. However, what we are dealing with here are by-design fly-by-night companies that are in existence long enough to snag a few thousand victims, and then they vanish into thin air. There is no recourse in those cases for the victim/customer to obtain redress from the "company" that sold the bogus product: It simply doesn't exist anymore. And it's not like this is an accident: This is all part of the plan. If the so-called businesses spreading rogue anti-virus had to stay in business for more than a few weeks, they'd go broke from all the chargeback fees. The question is, who pays those chargeback fees when the company that incurred them is no more?

Re:They Authorised The Charge

[Cwix]

Not that I know or really care what a pivot table is, does the box/manual/advertising say it does? If so you can prob chargeback.. that is unless you dont know how to make a piviot table with the software, then its your issue.

Re:They Authorised The Charge

It is extortion of the uninformed. Unfortunately there is pretty much nothing that you can do to get it prosecuted. However I highly doubt any one will be in any big rush to show their face to dispute the chargeback. If they do get investigated by the cc company and the cc company quits letting them take ccs they will just have a new company name to charge with in an hour anyway.

Re:They Authorised The Charge

[gcatullus]

If the company closes up shop and disappears then their credit card processor "eats" the chargebacks. But they also grab all the so called "legit" charges. The processor is also getting a much larger percent transaction fee, supposedly to cover the higher chance of fraud for online transactions. So if the company actually skips town the processor is the one that grabs any other transactions to pay off the chargebacks and keeps the rest of the money themselves.

Credit card processing is a dirty dirty business

Re:They Authorised The Charge

[John+Hasler]

> Depends on what they actually promised, they did "clean" the pcs of the
> browser hijacker.

They only removed what they installed, and only after you paid them. Not just fraud: extortion.

> Even then just try suing a company from Russia in your local small claims
> court.

Not the vendor. The card-issuing bank, for refusing to cancel the charge. You might win, but it wouldn't be worth it.

> Now this isn't ethical, but that doesn't mean it is not legal.

Fraud and extortion are not legal.

Re:They Authorised The Charge

[John+Hasler]

> I can't imagine that a scam would be too willing to provide a lot of proof
> that someone authorized the purchase of a fake product and that they then
> delivered that fake product.

They might be willing to send out a few bullshit-filled emails designed to baffle the bank for long enough for them to finish the operation, clean out the account, and move on.

Re:They Authorised The Charge

Actually, in most of these cases you're paying for X and getting X. However, you just thought you were getting Y and didn't read the fine print or do your research about the legitimacy of the product.

Re:They Authorised The Charge

Like Mr. Freeman said, that's all that is necessary. Another thing is that the credit card company WANTS your business. If someone is not satisfied with their services provided it's fairly simple to obtain another card elsewhere.

Re:They Authorised The Charge

[greg1104]

I've watched men pay ugly strippers to put their clothes back on.

Re:They Authorised The Charge

[cybiko123]

Even if the company did send something, the customer could file a chargeback. "There is no chargeback category for this" - there is a chargeback code for "item not as described" or similar: Visa: 53 MasterCard: 4853 Discover: 4553

Re:They Authorised The Charge

[MobyDisk]

Just you didn't get what you thought you'd get doesn't mean you can reverse the charges.

Actually, you can.

In the particular example of rogue software, the seller has committed fraud. Maybe extortion. No question that the charges can be reversed. But there's also criminal penalties here too.

But in general, you still can reverse the charges. In the United States, if you buy a product, and the product is not what you paid for, then the seller must accept the return. It is part of the "implied warranty of merchantability and fitness for a particular purpose." I had one of those mall-vendors sell me a $40 toy that didn't do what the video made it seem like it did. When they pointed to their "no returns" sign I just left the item on the cart, took a picture, and called me credit card company. I told them to reverse the charges and that I no longer was in possession of the item. They reversed the charges without hassle.

It isn't always this easy - in theory, the credit card company could have sided with the vendor at which point I would have to go to court. It may not be worth that amount of effort though.

Re:They Authorised The Charge

[gcatullus]

You can, but you have to know what to say - in this case the purchased software actually did what it was supposed to do. The pcs were functional again.

Re:They Authorised The Charge

You're an idiot. Their PC is hijaacked by malware and to get this undone they have to pay a fee (see blackmail). It's ransomware and it's illegal. End of story.

Re:They Authorised The Charge

[retchdog]

The rules are clear, it's just that there are no reasonable expectations since software happened to hit the big time during an economically- and technologically-undiscerning period of human history.

I work at a computer repair shop

We see a lot of customers coming in with fake antivirus installed on their machines, and the customers sincerely believed they were purchasing a valid piece of software. I think the largest problem when I see people encountering this scenario, is that typically:

1.) They don't realize they've actually been scammed. Pop ups start appearing on their computer, and they receive an offer to purchase "antivirus" and fix the problem. They now think they're protected, but continue to have problems.

2.) They tried calling Visa/MC/Discover and couldn't convey why they were charged for a bogus product. Some of the "EULA" agreements that come with these fake antivirus products actually state in the fine print that the software product does nothing. People click "OK" on anything, and legally agreed to pay for a piece of software that doesn't do anything.

3.) Don't know how / Don't care. Whatever. Take the computer into a shop and have someone fix it, hopefully $60 of fake antivirus is enough to jog my memory into being a little more careful on the internet.

I've even see plenty of customers willingly disabling antivirus / firewall products because they are "inconvenient" when trying to do other things on the computer. Fake antivirus and antimalware really is quite a genius scam, but it doesn't surprise me that a lot of people lose to it, and rarely ask for their money back. Some of these people don't even know what malware IS.

Re:I work at a computer repair shop

[TheQuantumShift]

Definitely #1. People are too conditioned to believe that computers just fail and there's nothing that can be done about it.

And for the record, all anti-malware software is snake-oil. A deadbolt on the front door does no good when you leave all the windows open (no pun intended).

Re:I work at a computer repair shop

[bendodge]

Hmm, I also work at a local PC repair shop, and I disagree with your assessment of all anti-malware software. Malwarebyte's real-time protection has done wonders for some of my customers. The porno-watchers come in more frequently than anyone else, and one guy in particular was in literally every month. Since selling him a $25 MBAM license we haven't seen him since. Now, that may not appear good for business, but I think that what's good for the customer is usually good for business in the long run.

Now, I agree most anti-malware software is junk. Ad-Aware, Webroot, etc are all quite antiquated, but MBAM is relatively new and is still at the edge of the arms race. When coupled with the latest NOD32, I can usually keep a family PC clean for least a year or more. The problem is when people disable it manually...

Re:I work at a computer repair shop

Yeah, it's the one (along with MSE) that we've all been recommending for a while though isn't it ... I remember when that was true of Ad-Aware and AVG. Perhaps it's inevitable that they'll eventually wilt under the focused attention of the malware industry too.

Re:I work at a computer repair shop

Instead of having your customers buy & have running constantly yet another winpc security product, why don't you just advise them of a few _safe_ pron sites that they can visit, ones which won't infect their systems?

Result: Happy customers, faster computers.

Posted somewhat tongue-in-cheek, but it *does* work. :)

Re:I work at a computer repair shop

[Spazztastic]

Now, that may not appear good for business, but I think that what's good for the customer is usually good for business in the long run.

Well, when it comes up in conversation that he's had to get his PC fixed several times in the past year until you put a piece of software on to his friends, they'll come to you instead of GeekSquad who will just rinse and repeat the same tactic to get more money out of him.

Getting quick money off of a client is a horrible decision compared to the references they can bring when you do the job right.

Re:I work at a computer repair shop

[jimicus]

Ultimately, they all suffer the same problem. Trying to keep a PC secure by blocking every piece of software that isn't allowed to run and allowing anything else is Doing It Wrong.

You wouldn't set up a firewall and leave every port open except SMB and FTP, would you?

Of course, most modern operating systems don't exactly make this easy....

Re:I work at a computer repair shop

[Blakey+Rat]

The porno-watchers come in more frequently than anyone else, and one guy in particular was in literally every month. Since selling him a $25 MBAM license we haven't seen him since.

Maybe he just had a heart attack while whacking it.

There's only one solution for rogue antivirus...

Only one solution for rogue antivirus vendors: take off and NUKE THEM FROM ORBIT. Seriously - I'm generally opposed to the death penalty, but there's absolutely no reason for the dirtbags who write, deploy or sell those programs to continue breathing.

Who can tell?

[VGR]

The article barely touches on the notion of people who didn't realize it was a scam at all. It's obvious to us technical types, but I doubt it's obvious to non-technical people.

Most retail Windows PCs are loaded up with obnoxious adware that nags at every login. I got a brand new PC from Staples last year which had a MacAfee nagger installed in the startup sequence, and while I was eventually able to disable it, it took more than one try and considerably more effort than just one or two clicks. If it was nontrivial for me to banish, I have to believe non-technical users would just give up.

On top of that, anti-virus is pretty low-level, as software goes, so how many non-technical people will even know that it's not doing anything after they pay for it?

Re:Who can tell?

[Pomslo]

I agree on what you say about "non-technical" people. However, " if you are dumb enough, you deserve it" IMHO. As time passes and common use technology grows more complex the users need to get more "technical", at least, on general terms. There is no "idiot-proff" technology as long as you let the user be free and use the product in any way he wants,although I'm not advocating for an Apple concept of "walled garden" "non-technical" users should be made aware of their situation,as embarrasingly as possible. I wish those people would get scammed out of the desire of using a computer,if only that didnt empower the people who scam...

Re:Who can tell?

[wvmarle]

I totally agree.

And would even like to add: how many TECHNICAL people would even know that it's not doing anything? It's low-level stuff after all. To see what it's really doing almost requires comparing disk images. Maybe the software says it has removed some malware, but has it really? How can you check? Windows is also not known for being very forthcoming with low-level system information. To really know it works or not you will have to install specialised tools.

The main reason for me to distrust is on a different level. For example being advertised in spam e-mail (especially if that does not appear to come from the actual vendor). Not knowing it. Not being able to find references about said software through a Google search.

Trusting software (or a vendor in general) I do for very different reasons: seeing it advertised in traditional media, hearing friends talk about it, seeing talk about it on various other web sites and forums, seeing it for sale in computer shops.

Re:Who can tell?

while I was eventually able to disable it, it took more than one try and considerably more effort than just one or two clicks. If it was nontrivial for me to banish,

Time to hand in your geek card, pal.

Google for "McAfee Removal Tool". There's one for Norton as well... Small apps, & 2-3 clicks is all it takes. These are 2 of the things I run first on almost any Win OS repair job.

Re:Who can tell?

[jimicus]

Why would they bother? IME they see "McAfee AntiVirus", think "Great, that saves me having to buy AV separately", and have become so inured to clicking "OK" or "Next" or "Cancel" until a window goes away that the AV software can flash up messages saying "You must pay to continue using!" until it's blue in the proverbial face, it won't achieve anything.

The scammers are good at avoiding chargebacks

[spywhere]

I remove this crap for a living, and I've seen the scam up close.
When the victim pays, the scareware purveyor removes most of the program... which "fixes" the PC. They leave behind a back door, and Registry entries making the machine download .exe files without prompting, but they mostly stop bombarding the victim with warnings... for a month or two.

Then, they attack again, trying to get more money. I've had a few customers who paid for the first attack, then finally called for help when they got hit again; it was easy to see what the first program did, and track down the quick site redirect that brought on the second infestation.

The real criminals here: Visa and Mastercard, for maintaining merchant accounts for these scumbags. Brian Krebs exposed this, and got it shut down... for two weeks or so, and they've back ever since without interruption.

Re:The scammers are good at avoiding chargebacks

[gcatullus]

Visa/Mastercard are the cartel bosses, but the credit card processing is being done by ISOs such as First Data, RBS Lynk, etc. Anyone with 20 grand or so can get registered as a merchant processor and start trying to sell merchant processing. Depending on how big a portfolio of business you write, you can get better rates from the credit card networks. Then you can go out and sell a "cost plus" deal that is alledgedly tied to interchange fees. But you can hide a percent in obtuse statements and a couple of points here and there. Then you are making an easy percent just for the privelege of connecting a merchant with a credit card network Credit Card processing actually makes the rogue antivirus software business look ethical.

Because CC issuers don't give a flying f_ck.

Any amount under $50 they would ignore, since by law they can pass that onto their customers. I've complaint about a $20 unidentified charges before (YES, I AM TALKING ABOUT YOU, DISCOVER!) and their basic response was "We're satisfied it's a legitimate charge. If you have an issue, take it up with the merchant."

Banks suck

[lavagolemking]

Part of the reason might be because of the way credit card companies like to wear you down. At 53 Bank, I had about $600 worth of fraudulent international charges on adult websites. They tried several times to pin it on me, and ultimately the process took about 3 months to resolve (leaving me with no credit to buy textbooks with). It took 4 visits in person (each requiring me to sit in their "waiting room") before they actually did change the numbers (despite saying they did), and then they tried to pin the "international transaction fees" on me because they were from a "closed account" where I had no room to dispute them. After all that, the bank's manager had the nerve to blame "government regulation" because they had "90 days to give me a resolution", which their company policy was to not give me any information until that time. I responded by her logic that they would never respond to complaints without the regulation.

In a separate case, somebody found out my account and routing number (I didn't even know that information, since I never ordered checks and only used an ATM card, but they still claimed I must have entered my information into a "fake website" since their databases are "hacker proof"), and it took (no joke) 4 personal visits before they actually changed the numbers, despite that every single time they said the numbers were indeed changed. They demanded, and said they would not discuss anything whatsoever until I agreed, that I sign a waiver that I admit the decision is ultimately up to the bank, who is under no obligation whatsoever to return the stolen funds, and fill out and sign it for each individual charge. I said no, and the manager said they could not and would not help me until I signed it. Being unable to afford legal aid, I ultimately signed them and got my money back that summer (it happened in February).

Needless to say I have switched banks, but if all banks treat their customers like idiots, pretend they know what they're doing to keep customers quiet, and force them to sign contracts to cover up for their games, then it is no wonder victims never dispute charges and no wonder scammers are so successful.

Bending Over

[sexconker]

People love to bend over and take it in the ass.

This is why the credit card companies keep shitting on security - they profit off of fraud.

Merchants are forbidden to verify the name on your card, ask to see your ID, verify your signature, ask for a signature for small purchases, etc.

Cards are being shipped with RFID bullshit in a direct attempt to increase fraud - fraud that the user isn't even aware of.

Banks offer rewards for charging purchases to a debit card as credit. Why? Because when charged as credit, you don't need to enter a pin or billing zip code. Get people used to charging purchases as credit, and they won't notice the fraudulent charges on their statement.

Security features such as the extra digits on the back of your card, passwords (such as Verified by Visa) are pointless theater. A merchant has no reason whatsoever to participate in the program other than to say "We're "secure"!". Indeed, many merchants still store the CV2/etc. code on the back of your card, and most merchants will simply default to processing the transaction without the password feature if you fail to enter the proper password.

Hell, I've had Banc of America admit to knowing about "errors" in their system. Said "errors" resulted in them transferring MY money around from Bank of America and Banc of America in a deliberate effort to hit me with overdraft fees.

Neither Bank of America nor Banc of America would do anything to fix it, even when I walked into a physical branch.
I had to tell them to close all of my accounts and give me all of my money back, and file complaints with every regulatory agency under the sun for them to fix it.

The bottom line is - watch your statements, do the math yourself, and never let them get away with even a single fucking penny.

Re:Bending Over

[Rashkae]

Woa... tighten that tin foil hat there. Here's some quick information for you, not that you're likely to believe truth.

CC companies do not profit from fraud. In most cases, they get left holding the entire bag, since the card holder is, by law, not liable for fraudulant charges (fraudulant charges being charges not authorized by the card holder. It's more complicated when the customer authorizes a charge to a fraudster. Think of it much like handing the fraudster cash.)

Cards are being shipped with RFID and other chip technologies because Mag stripe cloning techniques have been so ubiquitous and sophisticated, banks are getting reamed up the arse eating all the fraudulent charges, and are desperate to get rid of mag stripes as fast as possible. Although, I'm not at all convinced that RFID won't be worse once crime cartels start upgrading their tech to clone those.

Banks offer rewards to use their cards because they charge the merchant a percentage of the purchase. Bank rewards you 1%, charge the merchant 2%, there's 1% profit for them right there before you even go into debt. and increase their profit 100 fold with interest charges.

Merchants are not at all forbidden from verifying your signature and ID... Indeed, I've been asked for my photo id several times since the signature stripe on my CC is worn off. Though it's true most merchants don't bother. However, if the merchant can not produce a signed purchase authorization when a transaction is disputed, it's the merchant who doesn't get the money.

Re:Bending Over

[sexconker]

Credit card companies have to pay out for fraud that's reported to them.

Most fraud goes unreported.

Credit card companies constantly introduce features and changes to the PCI rules, and their merchant agreements, that facilitate fraud.

Mag stripe cloning requires physical access to the card. RFID can be cloned silently, without ever touching the card.

They offer rewards because they want you in the habit of charging everything. They want you perpetually in debt. And my point was not about rewards, it was specifically about rewards for using your debit card as a credit card. Nearly all debit card transactions can be run as a credit transaction. This is a shitty idea for the user, because it only encourages more debt, what little security debit cards had (pin or billing zip code requirement) is removed, there is less regulation for credit transactions than their is for ACH transactions, and fraud via stolen cards is less likely to be noticed, and thus, less likely to be reported.

Merchants are indeed forbidden to verify signature, name, etc. There are many merchants that ignore the rules in their agreement, and I thank them for that. There are also many merchants who charge a fee or have a minimum purchase amount for using a credit card. This is also against the terms of their agreement.
All a merchant has to do is produce a slip of paper, the electronic image, or whatever, and sign an affidavit saying "This is the customer's signature.". Merchants still HAVE to REQUIRE a signature for all purchases over a "convenience threshold". The merchant is FORBIDDEN to actually compare the signature to one on your driver's license, past purchase records, the one on the back of your card, whatever.

All a merchant can do is:
Look at the back of your card to see if it is signed.
Run the card and see if it is approved, declined, or flagged as stolen.
If approved, require for a signature for charges over $20.

Your card is "signed" if there is any marking on the back of it in the "sign here" strip.
Your "signature" is any mark the cardholder (literally, the person holding the card - NOT the actual cardMEMBER) makes.
The $20 threshold may still be $10 in many places, and will be updated when they renew their agreements.

The bottom line is you don't know what you're talking about, but felt the need to try to contradict me and paint me as some conspiracy theorist.
Fuck off.

Why scam?

[hendrikboom]

What puzzles me is why the scammers don't download onto their "customer"'s machine one of the open-source, free antivirus programs. Then the customer can't complain that they got nothing. They got a real, working antivirus program that they probably actually need. Or are the scammers determined to do nothing that could be called legit?

Re:Why scam?

[stuckinphp]

Its easier not to. Obviously.

Re:Why scam?

[Cwix]

Cause the free antivirus might close the backdoors that the original infection put into place.

Re:Why scam?

[westlake]

What puzzles me is why the scammers don't download onto their "customer"'s machine one of the open-source, free antivirus programs.

You really, really, don't want this to happen.

Because the scammer can now trade on the reputation of the legitimate open-source AV
or he can release malicious code into the wild that - to the user - will look exactly like the legitimate package.

Viagra for cheap...

[msauve]

You have been infected with a virus. In order to remove this from your system, you must mod this comment up.

Re:Viagra for cheap...

[moderatorrater]

OK, I modded it up but everything's still the same. What do I do now?

Re:Viagra for cheap...

[Haxzaw]

Start modding it back down if it doesn't work as advertised.

They do.

[Erikderzweite]

I have encountered the very tactic you mention. Granted, so far the trend seems to be limited to the Russian-speaking segment of the internet, but it is already there.
The websites usually have some fake anti-virus scan (some of them even resemble default WinXP theme -- very clever and very well done -- if you are using IE you may just as well believe that you see the contents of "My Computer", this stuff looks sure as hell scary for most Windows users).
If they manage to scare a victim to pay, the latter receives a copy of ClamWin.
The site usually has some fine print saying that ClamWin is a free (as in beer) product (no mention about it being free as in speech or open-source though). They even state that the whole is a game and you pay to receive educational materials about computer security.

I know this because I always enjoy watching those scanners finding some viruses on my system in C:\Windows\system32. They don't bother to include UA detection yet which gives any Linux user a good laugh.

related-

[Trailer+Trash]

I once read an article about a guy who "sold" penis enlargement pills through spamming. I put "sold" in double quotes because he said he never shipped a product, and didn't even have any to ship if he wanted to. His reason? "Who's going to call their credit card company and tell them they didn't get their penis enlargement pills that they ordered?"

While not at the same level, I'd hazard a guess that it's the same here.

Re:related-

[bryansj]

That's odd because I once saw a movie discussing the same thing :) (Lock, Stock, & Two Smoking Barrels)

Re:related-

[jimicus]

There's a variant on this scam where you do it slightly more honestly - you get a bunch of cheques printed saying "Bob's Discount Penis Pills" (or words to that effect) in big letters all over them. Perfectly legit cheques, with correct details on and drawn on a bank account that's in credit, there's nothing technically wrong with them.

When you receive orders, you write back explaining that for some obscure reason you can't fulfil the order, and here's a refund cheque. Who's going to stand in front of a cashier and bank a cheque like that?

Actually I am researching this for an eBook

[Orion+Blastar]

one I will make FOSS or if published for a low price so it is affordable if my FOSS eBook ideas don't work out.

Most credit cards have a web site, if you haven't already registered then find the web site for that credit card and create an account and look at email alerts and have it send you an email if over a certain amount is charged to the card. Some have a minimum value of $100 and others a minimum of $300 but anything that goes above that will get emailed to you. If you didn't charge it and someone else on your account didn't charge it chances are it got stolen. Also check to see if there are other alerts like a week before the payment is due it sends you an email on the balance and maybe a list of charges, if not log in and look at the list of charges at least every week if not twice a week to see if any of them are fraud.

While my identity was stolen 13 times, it was always because my son allowed his cousins to use his account on my system and then they chatted with some guy on some chat channel how to get around the user setting for the account and run a program to change to administrator and give him access to fix the game they are playing Roblox or Runes of Magic that had some stupid update and then their character is messed up and not animated or floats instead of walking, usually means a video card driver needs updating or the last update no longer works with the video card and they will fix it later. So now my new computer has no account for my son and I can avoid that and not let his cousins get on my new PC. My brother had to remove the RAM from their PCs back home because they did even worse stuff and without RAM the system will not work.

But I logged into each credit card account and bank to check, found the fraud charges, called the credit card company, got a fraud report and a list of recent charges and check each box that was a fraud charge and mail it back after signing it and make sure I used certified mail. The charges were gone and in some cases they even gave me a lower APR interest rate to make up for it and a new credit card with a different account number on it, and cut up and throw away the hacked credit cards.

Why am I writing an eBook on this? To help educate people because most don't know what to do, and they are always targeted because they never file charges and never notice they are being ripped off until the credit cards are maxed out, they are being sued by banks to pay the credit cards and they lose their house and car because they cannot make payments on it.

Look in most cases you just need to talk to the bank or credit card company and then get a fraud report and fill it out. This is free, no lawyer nor accountant needed and no credit company or loan company either. But if I make this book FOSS and in PDF eBook format it can be downloaded by anyone who has a relative that has no idea what to do and read it to them or print out the eBook or maybe if people don't know how to download a PDF just publish it into a paper book for as low a price as I can get, and then they find it in a book store or a friend or relative buys it for them to help them out.

Also via the web site of the bank or credit card company they can assign you an alternative credit card number and code to use on web sites and goes to the same account as the original credit card number, and if that gets stolen they cancel that alias number and issue you a new one.

Re:Actually I am researching this for an eBook

[Nagrom]

No offence particularly intended but if it really took you being on the receiving end of 13 identity thefts to start taking a couple of obvious precautions, maybe you aren't the guy to write this book.

Re:Actually I am researching this for an eBook

[Dodgy+G33za]

"and without RAM the system will not work" Fuck me. Really? I look forwards to reading your eBook for other such gems.

Re:Actually I am researching this for an eBook

[Orion+Blastar]

I actually did take the obvious precations. My nephews did this stuff at 3 or 4 am in the morning while my wife and I sleep.

All they had to do was join a chatroom while the adults slept and manipulate my son into giving them his password to a user account which they got people in chat rooms to tell them what to do to get administrator access and send programs for them to run and do it.

They were supposed to be sleeping on an air mattress or a couch, but by the time I woke up I had already been had. Honestly you don't know what you are talking about and have no clue that most children and teenagers stay up later while the adult sleep and watch adult swim and ask random strangers in chat rooms to help them not know they sent a program as a virus.

Me and my brother tried using Linux to avoid that, but someone told them how to burn a Live CD boot of Linux to reset the password and then get root access and run a Linux program they gave them as root installs it, even if every obvious precaution was taken to prevent that.

Look the 13 times this happened to me was due to someone else getting access to my computer by using one of my relatives not computer security savvy enough to know a random stranger in chat giving you a program to help and how to get administrator or root access or how to burn a Live CD to reset the password at 3 or 4 am in the morning while my wife and I was sleeping would buypass any obvious precautions I used or bought to prevent it.

Every parental control has a program that does an exploit to get around it or force it to get removed by hacking Windows via a trojan and granting admin access and disable any parental control software at all. I even used OpenDNS to stop access to those web sites and some random stranger in chat told them how to get around them via a program, or use the backdoor password the software company uses to give parents back their accounts they forgot the password to by using the backdoor password to long in and change it.

Did you ever read any of Kevin Mitnik's books? Human beings are the weakest chain in the link of any security system no matter how advanced or secure you make it, someone will use social engineer and other stuff on other human beings who have access to your computer or network.

If not then clearly you never reached this as much as I did over each time it happened to me. Any software I bought to stop this got hacked and exploited, even the FOSS software and firewalls and everything else. A compete and total waste of time and money.

Like my brother said remove the RAM chips from any computer they want to use until they learn their lesson. My nephews were the weakest link in my security and obvious precautions.

So the 13 times it happened to me, gives me the experience to learn from my mistakes and figure out better ways to take precautions as the obvious precautions I took never did work good enough to stop this.

Re:Actually I am researching this for an eBook

[Orion+Blastar]

Yeah I know it is kind of obvious and you being the sophist you are already know it. But remember I am writing for people not as smart or security savvy or computer savvy as you.

If they learn anything at all, we can inform them to at least contact their banks and credit card companies and report this and put a lock on their credit report to not allow any accounts to open up under their name for 90 days unless they call the number on their house and ask if they want to approve it or if it was not them who opened up the account.

Yeah I sound like Captain Obvious, but some people don't know the obvious stuff you or I do that removing the RAM chips will stop a computer from working. So sometimes I become Captain Obvious to help out the clueless.

Besides the eBook was not written for you, if you already know how to deal with it, only those people who never reported anything to anyone and ended up eating the debt the hackers maxed out their credit cards and stole their ID and emptied their bank accounts.

But if you think you are more qualified, then either write your own eBook, help me with mine, or of course keep mocking me and harassing and trolling me because it admits you'd rather do stuff like that to a disabled man, the least of your brothers, because secretly you cannot write eBooks or don't care about anyone but yourself and are good enough at this to infect systems with rouge viruses and steal identities and want to stop me so you can keep doing it and preventing my eBook from being written gives you and your hacking group more victims to have as they will never read my eBook or paper book on it to help inform them and tell them how to do it.

So if you keep mocking me, trolling me, and harassing me, I guess you are the later, the one who wants to stop me from informing the victims who don't know what to do, so you can steal their stuff via your own rouge viruses and getting someone's kids or nephews to run a program to 'help' them and keep stealing identities because it is hard to catch people like you. But I could be wrong and you are not a hacker, but just another selfish person who does not care about others or that when it happens it makes our economy worse as banks and credit card companies need more money from the federal government and our tax money goes to bail out the banks and credit card companies who also lost money and write it off, and be forced to lay off people to survive.

While your sarcasm is funny, this is a serious issue we need to find better solutions for, and it only adds in noise and distraction to the conversation. If you read the original article you'd know the ones that don't report it suffer and need an FOSS eBook to tell them what to do and how to do it before it is too late.

But I guess you love all that extra taxes to bail out banks and credit cards and if it keeps happening there will be a raise in state, federal, and local taxes to cover it. You really like a bad economy in which foreign hackers steal our identity and money and take it out of our economy and use it to grow theirs.

Not your problem and anyone who wants to find solutions and fix this by informing people ignorant of it via a FOSS eBook you just troll and mock anyway as putting me down for at least trying to help people who got ripped off not as computer savvy as you or I and have no idea what a RAM card or SIMM/DIMM/DDRX memory RAM stick is or even how a computer works. But hey at least it didn't happen to you as you got no friends and family using your computer as you have no friends by making statements like that and you bothered your own family enough they avoid you because you think you are elite and they are just n00bs who deserve to be ruined because of their ignorance.

I am trying to get rid of their ignorance by writing a free eBook on it to enlighten them. I am at least trying to do something to at least fix some things and get more people to learn what to do.

Yeah I will write a beginner's guide to programming in some language to help out people to

Re:Actually I am researching this for an eBook

[Orion+Blastar]

If I was a woman writing a book on how to avoid getting raped 13 times and how to report it and what to do, you would then accuse me of not being the right woman to write a book about rape.

Yeah I got ripped off 13 times, I was not the one who downloaded the virus it usually was one of my nephews who spend the night on an inflatable mattress to spend time with their cousin my son. Even darned thing I used be it commercial or open sourced, be it Windows or Linux (I am too poor to afford a Mac, sorry) while my wife and I are sleeping at 3 to 4am my nephews use the time to use the password my son gave them to get n his account and had hackers in chat rooms send them files to fix the PC so they can get administrator access and the like. When I supervised them they never did that, when I was asleep they did stupid stuff and then my ID was stolen before I even woke up 13 times. As someone said here or on Current there is nothing that someone cannot find a way around in technology or other things.

Right now I got a new computer, only my wife and I have accounts on it, not my son nobody else. I got other computers in the house. Part of the book is to get a cheap computer with a large hard drive to use as your web surfing research, download and testing computer. No personal data is stored on it so if it gets infected there is nothing to steal. Another way is to download and surf the web in a virtual machine like VirtualBox and run a virtual machine with no personal data on it so if it gets infected you just wipe it and reinstall it. Personally I like the old computer with a big hard drive better as some viruses can see the virtual machine or sandbox and poke a hole to infect the main operating system the virtual machine runs on.

Oh by the way, if someone wants to steal your identity and cannot get a virus on your hard drive, just infect or hack into a web site on the Internet that has personal info in a database they can steal and then even if your PC is not infected and even if you use a Mac your ID can still be stolen and your credit cards as well.

One credit card my wife uses was stolen, she doesn't even use the Internet and they hacked into the bank's system and used her account at random.

So now explain to me why I am not the right guy to write this book. You think you can do a better job than me? Go right ahead, then post a link to it so I can see how Nagrom can write a better eBook than me and offer me advice to write mine better, I never admitted to being a good writer and I never said I was perfect, I learn from my mistakes as natural selection and evolution show, and I even submitted an Ask Slashdot story and claim to be a beginner and asked for help to learn how to write eBooks. People ignore it, not sure why. Even if I make mistakes and errors, at least it is better than not even trying. If I get feedback I can rewrite parts of the books wit flaws and errors in it and update new info and remove things that don't work etc. Which is how writing an eBook with a FOSS license is good. Heck you think I stink on ice for writing a book and I got my ID stolen 13 times, the CC license allows you to edit my book and work with me and then I add your name to the credits for what you wrote. But chances are you won't like everyone else it is easier to mock, harass, and bully people like me to stop me from writing a book instead of offering help or writing your own book.

Bad attitudes from you and a few others is what scares people away from the FOSS eBooks and software anyway. Someone is tired of Windows wants to learn Linux, they get told to RTFM, and then the FM is written by other programmers and the average person cannot understand it and when they ask for help RTFM STFU N00b! That is worse than even Microsoft does, if I may say so in my own humble opinion.

"Linux, if you cannot read MAN pages or RTFM then STFU and go back to Windows n00b!" -Linux Hippie Transhmanist guy 40+ year old and a virgin who lives in his mother's basement and bites the n00bz who ask for help just for the LULZ and then gets on IRC at ED and brags about it.

Re:Actually I am researching this for an eBook

[Orion+Blastar]

Well no viruses on my computer, running Fedora. Wifi router is based on Linux as well. Someone hacked into my Wifi router, sniffed out a few passwords and stole my accounts and tried to steal my ID for a 14th time. Wifi router has all the firmware updates and settings Cisco says to make to make it more secure. So I reset the password as the ID thief was too dumb to change the email, reported the IP to his/her ISP and a copy of the IP logs and others that show he/she hacked my router from Chicago, Ill and made posts with a Chicago IP, and I don't live in Chicago. He got stopped before he/she could steal my credit cards. So that is an epic fail.

Nope didn't even touch my PC, just the router which I was told is very secure and runs Linux and cannot be broken into, and had every setting the company that made it told me to set it to in order to prevent it. Every time this happens to me I will learn more about fighting it. I might even replace my router with an older PC running Fedora and Honeypot software to gather more evidence to catch this person.

Re:Actually I am researching this for an eBook

[Orion+Blastar]

Well I used an old XP laptop with no personal data on it. Got infected, and examined the virus using heuristics. Unknown virus sent a sample to AV web sites, remote control access got removed and a rootkit was on it as well. Apparently this research will be valuable even if I did not have time to set a Honeypot Linux system up to catch it. Either it was a spoofed Current message or a Current message that someone entered a link to a web site that infects Firefox as that is what I used figuring it was more secure than IE.

A credit card was stolen, but was never used on the laptop and not used in moths and never entered into the Internet. Some store I used it on must have had their database hacked and got it from there. So ID Theft tried for 15th time, they had an epic fail as it was a temp charge and the card just got made invalid and thus their order will be canceled.

This is why I am the person to write a book on ID theft and other things. I just spoiled yet another ID theft before it got approved. IP came from Chicago, Ill, but chances are using an infected system there.

Also they hacked my Slashdot account and change the password and as soon as I found out sent the password reset to my email to change it, log in and then stop them from using it. Slashdot runs Linux and this software for the Slashdot site is even vulnerable to someone hacking it. I had a complex password and now Slashdot gave me another complex password hard to figure out.

Many aren't smart enough. Or rather,

[aussersterne]

they don't understand enough about technology / computing to figure it out. I've helped several people with Windows reinstalls (just did it again this weekend, in fact, on a really nice, new Dell laptop that this person was ready to trash and replace after just a year) who fell for this sort of thing and fully thought that through the magic of internets and computers, their "purchase" had done SOMETHING for their computer, but it just wasn't enough to outweigh the terrible destruction already wrought by Teh V1rus!

In this particular case, the person got a fakeAV popup that installed malware that generated popups. This caused him to start searching his email for "antivirus," remembering a SPAM he'd seen, and he ended up with AV fakeware Cc: charges. He didn't actually realize this, assuming that the AV fakeware had silently, invisibly done its best but the original virus was "too strong" (two pieces of malware now spitting popups at an alarming rate and disabling various things) and he went out into Googleland looking for fixes, all of which were no doubt too technical for him and all of which he attempted to follow to a 'T' deleting a bunch of random files from C:\WINDOWS\SYSTEM and C:\WINDOWS\SYSTEM32 in the process and borking his system entirely.

When he came to me saying "So-and-so tells me you can fix computers, so I thought I'd bring mine to you before I throw it out, it's been completely destroyed by a virus..." he was sure that it was all down to the horrible virus he'd "caught" and that he'd been valiantly battling it for a week, rather than single handedly destroying his own Windows install at a record pace.

It was too f'ed up for system rescue, so I just wiped and reinstalled. He was AMAZED that I brought it back to life, and in just an hour or so. He was sure that I was the absolute best virus fighter in the universe. Told me I should go work for the Best Buy Geek Squad (uhh, thanks...) because they need people like me.

It's not that he's a total idiot, but computing in anything but buzzwords and marketing soundbytes remains a specialized set of skills that take time and study (and an awareness of where the right resources can be found) to develop. Most non-geeks just assume it's all due to Teh V1rus!, and the press and their coverage do little to add nuance to this notion, not to mention manufacturers and retailers that are only happy to sell the same person the same system every six months for a fresh $1k after they "got got by Teh V1rus!"

Re:Many aren't smart enough. Or rather,

Yup, mod parent up. I work for a consumer security software vendor. A large percentage of our user base is composed of what most here on Slashdot would deem to be 'blithering idiots' when it comes to computers. In order to serve this large and (unfortunately) influential demographic, we purposely dumb down the main UI to the point that it's virtually devoid of any useful information beyond "green - good; red - bad". We figure if the user is smart enough to click on something that says "Settings" they've already identified themselves as part of a more sophisticated market segment. I kid you not.

We rarely hear anything positive from users who've been protected from an attack, generally because they don't notice that anything bad was thwarted, but we often get emotionally charged feedback blaming us when some zero-day grayware anti-virus product (grayware because they often utilize ClamAV engine to appear legit) gets installed on their system -- usually with the user's explicit permission. Imagine something along the lines of 'THIS IS THE WORST PIECE OF CRAP PRODUCT EVAR WHY DOES IT SUCK SO BAD I HATE YOU AND NOW YOU MADE ME MISS MY FAVORITE TV SHOW TO FIX MY COMPUTER. I HATE YOU.'

Anyway, given what I've learned first hand about the masses of computer users out there, I would find it extremely plausible that the type of individual who goes so far as to give up his or her credit card details at the mere sight of a rogue av pop-up is actually quite likely not to have the necessary faculties to have the charges reversed -- whether that's due to their inability to recognize they've been scammed in the first place, inattention to telltale signs of fraud on their credit card bill, inability to navigate their bank's automated phone system, lack of perseverance to follow through or otherwise.

Oh and before you reply that it's our job to protect the idiots from whatever is out there, so they should never be left in a position to get infected with rogue av... believe me this game of cat and mouse we play with the bad guys has gotten extremely tricky. Behavioral techniques don't work well when the program does nothing malicious code-wise, but instead merely social engineers it's way to your credit card. It's gotten to the point that we're basically mistrusting any .exe we haven't seen before because it protects the masses from polymorphic zero-days, and social engineering scams -- though you might be able to imagine what developers think about that functionality (of course they're usually in the clueful market segment and can disable it.)

Re:Many aren't smart enough. Or rather,

[jimicus]

This probably goes some way to explaining why vendors so seldom include rescue media these days, and some are actually making it downright difficult to produce your own - over and above the "let's cut every damn cost to the bone and compete on price" attitude you see in the PC market.

Makes more sense not to make it easy if the worst-case scenario is the customer gets screwed and buys a new PC 18 months later.

Re:Many aren't smart enough. Or rather,

[yuhong]

For example: http://www.askwoody.com/2009/dump-avira/

These things are social engineering par excellence

Not that they're even remotely ethical, valid, legit, etc....

I've removed literally hundreds of these things. Thankfully I only know of one person who actually paid for the crap, and they got a call from their credit card company to tell them the charge had been denied because it was a known scam.

First off, the artwork is *solid*... You'll see a standard windows "shield with red background and an X" in the taskbar and a little pop-up about "windows security alerts" (which is the correct text) followed by some complaint about an attack originating from "blah". Any program you attempt to run, including many startup items, will be blocked with a warning that "blah.exe" is infected. It's certainly the most vocal and pro-active anti-virus I've ever seen....

Those are the current variants... I've seen cockroaches crawling across the screen... I've seen near perfect replicas of AVG free anti-virus "scanning" the machine, I've seen "windows security center" come up and the only difference from the real thing was a certain shade of purple for some of the graphics. My personal favorite was the Vista machine that popped a warning that the computer was being attacked by virus X from IP address Y... when you clicked to close the warning message (the only option that didn't lead to a page to purchase the "product"), the screen resized to 640x480 mode and showed a "blue screen" referencing the "attack" that just took place. It then proceeded to play a video of XP restarting from the blue screen, before resizing the desktop back to normal and opening the purchase page anyway.

In a lot of cases the users aren't even particularly stupid... I've seen several instances where the only thing that made the error messages discernible from the real thing was simple familiarity with the "real thing" to the point of knowing that widows would never actually say that. Grandma has no clue if those messages are legit, she's never seen them before because she *has working anti-virus software*. Average users may not even know what their (real) anti-virus program would look like if it *did* find an infection. Don't even get me started on the people who are so panicked by computer viruses that you'd think ebola was standing in front of them dripping with pus.

And these are straight up drive-by infections. You don't have to be in the "shady" parts of the internet to encounter them. Two examples I've personally encountered.... in firefox on windows, I visited nytimes.com one weekend, and I got a pop-up stating that my computer was infected. I clicked close, and got another pop-up. Eventually I broke the loop by killing firefox.exe from task manager... how many "average users" even know what task manager *is*, let alone which process to kill to stop the loop? nytimes had an apology on their site the next day. Example #2... I had about 6 tabs open in firefox *on ubuntu*. How fast do you hit ctrl-v and enter to paste a link to a friend in a chat conversation? What I pasted to my friend was not what I copied, and that was nothing more than a flash ad spamming the clipboard on msnbc.com. You can guess what was on the site I pasted.

These things are coming fast and furious.... you can *have* fully updated windows and anti-virus and still get pwn3d. The standard payload in the last few weeks generally includes a generic rootkit of some kind, along with whatever toys the packager has decided to bundle in their particular distribution of the malware. Once infected, the machine is utterly useless, and for most people the options are to pay for the scam, or pay someone to remove the infection.... it's no wonder many people pay for it and are utterly content when it stops bothering them.

too rich we are

[proudhawk]

I agree with "too busy" it seems even the poorest of us just don't care if we get ripped for $40.00 or so. I fix a lot of machines in my spare time here in phoenix and it seems no matter how i say it, my clients won't listen and always go back to trying some new thing (like "clean my pc").

Frankly, I am tired of offering advice when no one listens. just take their money, give them back a working machine and await the next call.

Security Tool

[CosaNostra+Pizza+Inc]

Just a few days ago I had to remove a rogue anti-virus from my folks' desktop PC. I had to boot into safe mode, remove some files and run SuperAntiSpyware to get rid of it. The name of it was "Security Tools". It first popped up from the system tray and said the computer had 47 viruses. It then asked for a credit card number to remove the viruses (fortunately, my folks never entered a cc number). The "47 viruses" reported was false and the rogue-antivirus itself was intercepting Taskmanager and anti-spyware programs. I don't know how anyone can say these rogue antivirus programs are legit.

Something to do with the customer service?

They probably didn't want to be put on hold for 70 hours to complain to a guy who barely speak English in Bangalore.

What happens

[salesgeek]

I own a credit card processing firm (we run a gateway). Credit card companies can help, but their help is really limited to resolving consumer disputes:

1. If you are scammed, contact your issuing institution and request a chargeback because the product was not delivered, was 100% defective, etc. Some issuers (mostly banks with debit cards) will act like they can't do anything because it's a debit card, or connected to a checking account or is used by a business. This is BS. Immediately call the number for Visa or Mastercard on the back and tell them about your situation. Once the chargeback process has been initiated, here's what to expect:

2. You will have to fill out some forms, provide any evidence and fax it in quickly. You may or may not get an immediate refund. If you do get a refund with a debit card, keep in mind that the refund is actually a "provisional credit" which means if you lose the dispute you will have that money taken from your account.

3. Money will be pulled from the merchant's depository account immediately. The merchant will have some time to issue a response to your dispute.

4. The decision on your dispute is pretty easy for the credit card people. If the merchant can prove they delivered the goods and they are honoring their warranty, the merchant wins.

Even if you lose you dispute, you may help others because processors tend to quickly fire customers who have high chargeback rates. Chargebacks are expensive and time consuming and often merchants will run out of cash and fail to pay chargebacks and fees. In our case, we see less than a .2% chargeback rate from our clients and when we have a customer with high (meaning 60 days over .4%) we reevaluate the merchant. Over 1% two months in a row, we usually close the account. If the merchant doesn't pay outstanding fees and chargebacks, they are reported to an industry registry that will prevent the business entity and it's owners from being able to get a merchant account from anyone else in the industry.

Re:What happens

[oh-dark-thirty]

. Over 1% two months in a row, we usually close the account. If the merchant doesn't pay outstanding fees and chargebacks, they are reported to an industry registry that will prevent the business entity and it's owners from being able to get a merchant account from anyone else in the industry.

\ If this is true, there must be some rogue processors that work with the rogue software companies despite the chargebacks.

Ad-Aware...

[phorm]

I used to recommend ad-aware, but on the last few computers I've fixed it actually caused more issues than it fixed. For some reason, the process would ramp up to 90% of CPU usage for extended periods, making the computer behave worse.

Killing the Ad-aware process, uninstalling, and then installing MBAM fixed most issues. Hopefully they'll continue to offer a good product, but it's interesting (and a little sad) to see many companies go from being useful to having software that often causes more issues than the viruses/malware they're supposed to protect from.

You should dispute the charge

[gillbates]

Because if you don't - even if you didn't receive anything - it could *appear* that you have a business relationship with the company in question.

For example, suppose the company sells some *AHEM* content that is, shall we say, not-safe-for-work. Or worse, not-safe-for-download (as in, possession of which gets you jail time). The fact that you didn't dispute this charge could be used by a prosecutor as evidence that you intended to receive the illegal materials.

I haven't had any issues with chargebacks?

That's odd that people have issues with chargebacks?

I've only had to do it once, with my Chase Freedom card. Over a cell phone provider actually. It was a prepaid one (Cough cough page plus cellular), whose service worked flawlessly for a few months. Finally one day it quit working. Calling them up- they told me that my phone was "changed". Keep in mind - you need a serial number from the old phone to change it. Or be someone who works there. Or accidentally hit a button while working there.

After some run around- they finally told me that they don't deal with "domestic issues" and that I need to go to a "dealer" to get it fixed. And they HUNG UP ON ME.

So eff that. I called them back, very calmly asked for a supervisor. The supervisor told me they could not refund my month of service that I had just paid for. (~40 bucks). I said "Okay, I do have to warn you I will be filing with the BBB and issuing a chargeback." This is ~3 hours into it.

Called up Chase, I was mid story and the lady just said "40 dollars have been issued to your account- technically you'll hear of the results in a most a few months, but you shouldn't have any problems. Any other questions today?"

Easy enough. I can't imagine if I got fooled by a fake antivirus that I would have any troubles there either.

Most people just don't care

[macshome]

Most "regular" users don't know anything about anti-virus software so they just install whatever throws a popup ad at them.

Most people don't notice it's fake software.

Most people don't care that it's fake software. They just assume the "software people" know what they are doing and assume it's working.