Slashdot Mirror


Online Retailers Cruising Tor To Hunt For Fraudsters

Daniel_Stuckey writes "This week, the verification company Service Objects announced a new tool to help websites detect 'suspicious' visitors using Tor and other anonymous proxies. Its updated DOTS IP Address Validation product identifies 'suspicious' discrepancies between the user's home location and the location of the IP address the order's coming from. It joins a handful of other tools on the market promising Tor-detection for retailers. It's a logical strategy: If you're trying to buy something with a stolen credit card, you're obviously going to want to block your real identity and location while doing it. But it also raises the question of whether targeting anonymity services to hunt out fraudsters could have chilling effects for harmless Tor users trying to protect their privacy online—particularly this year in light of the NSA-spying scandal."

188 comments

  1. LOL wut? by Anonymous Coward · · Score: 3, Interesting

    "But it also raises the question of whether targeting anonymity services to hunt out fraudsters could have chilling effects for harmless Tor users trying to protect their privacy online"

    Umm.. the user is ordering something using their name, credit card, and address. They are not going to use Tor to protect their anonymity.

    1. Re:LOL wut? by petteyg359 · · Score: 2

      Why are they only allowed to attempt anonymity in relation to the store? Perhaps they just want to remain untracked by their ISP, and foul up any GeoIP-based advertising.

    2. Re:LOL wut? by tattood · · Score: 2, Insightful

      > "But it also raises the question of whether targeting anonymity services to hunt out fraudsters could have chilling effects for harmless Tor users trying to protect their privacy online"
      >
      > Umm.. the user is ordering something using their name, credit card, and address. They are not going to use Tor to protect their anonymity.

      That statement was not about normal people using TOR for online purchases. It was about people using TOR to hide their identity when doing things like posting to a controversial website, or whistleblowing. If this software catches on, and websites start using it to block TOR users, then it would make TOR less useful for posting anonymously.

      --
      WTB [sig], PST!!!
    3. Re:LOL wut? by fluffy99 · · Score: 2

      > "But it also raises the question of whether targeting anonymity services to hunt out fraudsters could have chilling effects for harmless Tor users trying to protect their privacy online"
      >
      > Umm.. the user is ordering something using their name, credit card, and address. They are not going to use Tor to protect their anonymity.

      But you certainly have a crowd that likes the idea of tor and has their browser always configured to use it. I don't think that raising the risk level associated with a transaction based on the client using tor is unreasonable. If this were a brick and mortar store, they'd probably be a little bit wary of doing a credit card sale to someone wearing a disguise that covered their face.

      Also realize that this would only be one of many sanity checks employed. Is the shipping address to the address listed on the cc for example. The credit card company also checks where the card was used, for things like buying gas at 1pm and then buying it again at 2pm 100 miles away. They also consider the type of merchandise as online purchase of electronics is rife with fraud, but very few people use a stolen card to buy socks.
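
The layered scoring described in the comment above (Tor use as one risk signal next to address match, purchase velocity and merchandise type, plus the home-location versus IP-location check from the summary), as an added example that is not part of the thread or of any vendor's product. The exit list, weights, thresholds, addresses and field names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Tuple

LatLon = Tuple[float, float]

# Constructed sample data: documentation-range IPs, not real exit nodes.
# A deployment would refresh this set from the Tor Project's published exit list.
TOR_EXITS = {ip_address("203.0.113.7"), ip_address("198.51.100.23")}

# Assumed weights and thresholds; a real model is fitted to chargeback history.
WEIGHTS = {"tor_exit": 25, "geo_mismatch": 20, "ship_ne_billing": 20,
           "impossible_travel": 35, "high_risk_goods": 15}
HIGH_RISK_CATEGORIES = {"electronics"}
GEO_MISMATCH_KM = 500.0
MAX_SPEED_KMH = 900.0          # faster than an airliner between two card uses
REVIEW_AT, DECLINE_AT = 40, 70


@dataclass
class Order:
    ip: str
    ip_geo: LatLon              # GeoIP result for `ip` (lookup assumed done upstream)
    billing_geo: LatLon         # geocoded billing address
    billing_addr: str
    shipping_addr: str
    category: str
    when: datetime
    prev_geo: Optional[LatLon] = None       # where the card was last used
    prev_when: Optional[datetime] = None    # when the card was last used


def haversine_km(a: LatLon, b: LatLon) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def _norm(addr: str) -> str:
    """Case- and punctuation-insensitive form of an address for comparison."""
    return " ".join(addr.casefold().replace(",", " ").split())


def signals(o: Order) -> List[str]:
    """Return the names of the risk signals this order triggers."""
    fired = []
    if ip_address(o.ip) in TOR_EXITS:
        fired.append("tor_exit")
    else:
        # An exit node's location says nothing about the buyer, so the
        # location-based checks run only for non-Tor addresses. This also
        # keeps a Tor user from being penalised twice for the same fact.
        if haversine_km(o.ip_geo, o.billing_geo) > GEO_MISMATCH_KM:
            fired.append("geo_mismatch")
        if o.prev_geo is not None and o.prev_when is not None:
            hours = max((o.when - o.prev_when).total_seconds(), 1.0) / 3600.0
            if haversine_km(o.prev_geo, o.ip_geo) / hours > MAX_SPEED_KMH:
                fired.append("impossible_travel")
    if _norm(o.shipping_addr) != _norm(o.billing_addr):
        fired.append("ship_ne_billing")
    if o.category in HIGH_RISK_CATEGORIES:
        fired.append("high_risk_goods")
    return fired


def decide(o: Order) -> Tuple[int, str, List[str]]:
    """Sum the weights of the fired signals and map the score to an action."""
    fired = signals(o)
    score = sum(WEIGHTS[s] for s in fired)
    if score >= DECLINE_AT:
        action = "decline"
    elif score >= REVIEW_AT:
        action = "review"
    else:
        action = "approve"
    return score, action, fired


# Constructed sample orders.
MIAMI, TORONTO = (25.76, -80.19), (43.65, -79.38)
HOME = "1 Example St, Miami, FL"
OTHER = "9 Other Rd, Reno, NV"
NOW = datetime(2013, 11, 1, 14, 0)


def sample_orders():
    return {
        "home_socks": Order("192.0.2.10", MIAMI, MIAMI, HOME, HOME, "socks", NOW),
        "tor_socks": Order("203.0.113.7", TORONTO, MIAMI, HOME, HOME, "socks", NOW),
        "vacation": Order("192.0.2.44", TORONTO, MIAMI, HOME, HOME, "electronics", NOW),
        "tor_reship": Order("203.0.113.7", TORONTO, MIAMI, HOME, OTHER, "electronics", NOW),
        "card_reused": Order("192.0.2.44", TORONTO, MIAMI, HOME, OTHER, "electronics", NOW,
                             prev_geo=MIAMI, prev_when=NOW - timedelta(hours=1)),
    }


if __name__ == "__main__":
    for name, order in sample_orders().items():
        print(name, decide(order))
```

With these assumed weights a Tor connection alone never reaches the review threshold, and the Florida-cardholder-in-Toronto order is approved; only combinations of signals trigger review or decline.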

    4. Re:LOL wut? by lxs · · Score: 2, Insightful

      So they trust nobody and in turn expect stores to trust them? I don't think so. You can't have it both ways. Either behave like a normal customer and be treated as such or behave in an erratic paranoid manner and expect to receive the same treatment from your retailer. Just for fun, walk into a department store wearing a balaclava and look around three or four times before you pick up something. See how long it takes before security takes an interest in you.

    5. Re:LOL wut? by myowntrueself · · Score: 4, Funny

      > "But it also raises the question of whether targeting anonymity services to hunt out fraudsters could have chilling effects for harmless Tor users trying to protect their privacy online"
      >
      > Umm.. the user is ordering something using their name, credit card, and address. They are not going to use Tor to protect their anonymity.
      >
      > But you certainly have a crowd that likes the idea of tor and has their browser always configured to use it. I don't think that raising the risk level associated with a transaction based on the client using tor is unreasonable. If this were a brick and mortar store, they'd probably be a little bit wary of doing a credit card sale to someone wearing a disguise that covered their face.
      >
      > Also realize that this would only be one of many sanity checks employed. Is the shipping address to the address listed on the cc for example. The credit card company also checks where the card was used, for things like buying gas at 1pm and then buying it again at 2pm 100 miles away. They also consider the type of merchandise as online purchase of electronics is rife with fraud, but very few people use a stolen card to buy socks.

      Making a credit card purchase online via TOR is like going into a shop to buy something using a credit card WITH A STOCKING OVER YOUR FACE.

      --
      In the free world the media isn't government run; the government is media run.
    6. Re:LOL wut? by 93 Escort Wagon · · Score: 1

      > If this software catches on, and websites start using it to block TOR users, then it would make TOR less useful for posting anonymously.

      If people are trying to stay anonymous, yet at the same time they're entering their mailing address into web forms, Tor probably isn't going to do much for them.

      --
      #DeleteChrome
    7. Re:LOL wut? by crutchy · · Score: 0

      > it would make TOR less useful for posting anonymously

      or it would make controversial websites less popular, and whistleblowers would find some other means

      if (when) tor is broken, something else will have already taken over as alternative... it's always the way

    8. Re:LOL wut? by Z00L00K · · Score: 1

      I agree - no need to hide who you are when you go shopping. But you may want to hide your identity when you are writing something controversial as an AC.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    9. Re:LOL wut? by Z00L00K · · Score: 2

      Just use AdBlock for that. Then they can do GeoIP all they want - I don't see their crap anyway.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    10. Re:LOL wut? by TapeCutter · · Score: 2
      --
      And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
    11. Re:LOL wut? by Anonymous Coward · · Score: 0

      Some people have figured out how to use multiple email accounts on the Internets.
      Set one up using Tor and never ever visit the account outside of Tor.

    12. Re:LOL wut? by Anonymous Coward · · Score: 0

      Why is it not like going to the shop and paying with cash?

      So instead of blocking TOR they should offer things like Bitcoin?

    13. Re:LOL wut? by Anonymous Coward · · Score: 0

      How is protecting your privacy acting erratic and paranoid? It's not paranoia to want to defend civil liberties. I question the motives of anyone who says otherwise.

      I also find your analogy of acting suspicious in a department store inane. With the exception that goods and services are exchanged for currency, shopping online is nothing like shopping in a physical store.

    14. Re:LOL wut? by Anonymous Coward · · Score: 0

      > Making a credit card purchase online via TOR is like going into a shop to buy something using a credit card WITH A STOCKING OVER YOUR FACE.

      No it isn't, stop being overly dramatic. It's similar to giving your friend some cash and asking them to pop into the store for you.

    15. Re:LOL wut? by Anonymous Coward · · Score: 0

      > Umm.. the user is ordering something using their name, credit card, and address. They are not going to use Tor to protect their anonymity.

      Well, this is a problem actually. Think about it. Apart from esoteric but valid scenarios where you're traveling or for some weird reason restricted in your network access and having to use some proxy or other or any of a host of other scenarios--because this sort of arbitrary restriction will make it harder for the casual user but the fraudster will have a strong enough incentive to cook up yet another fix to bypass the restriction.

      You don't strictly need to give all that information to show you're good for the money as by itself it doesn't say anything except that it is how the system is set up and thus you have to. And the system doesn't really deliver, because it is easy to defraud. And so fraudsters do that a lot. And so retailers are getting sick of having to essentially pony up for the broken credit card system through chargebacks and penalties and so on. And so they look for ways to be more sure that won't happen. And so they end up looking for ever more information that by itself doesn't guarantee anything, but might possibly indicate something maybe, they hope. Hoping they do a lot because the system doesn't actually guarantee them much of anything except costs and chargebacks. And so the legitimate user ends up under much more scrutiny than would be necessary if the system was any good. That gathering of data itself then becomes a liability, see for example the recent Experian flap.

      Thus, this is the wrong fix and we need a better online payment system. One where you don't have to give enough information to the merchant to expose you to abuse should someone filch that information. Note that credit cards have had these problems for years, but at least offline usually the card is present and that cuts down on the most blatant of abuses. But also note that the system having been broken since it existed is no excuse to forego thinking of better systems.

    16. Re:LOL wut? by mlk · · Score: 1

      Not if you are using your CC to buy the goods or using your home address to have the goods delivered.

      --
      Wow, I should not post when knackered.
    17. Re:LOL wut? by fatphil · · Score: 2

      "This video contains content from Chaser Broadcasting Pty Ltd and The Australian Broadcasting Corporation, one or more of whom have blocked it in your country on copyright grounds. "

      Can someone in a country that is trusted please make an illegal copy and upload it elsewhere? I promise I won't make any further copies, as I'm a good law-abiding citizen.

      --
      Also FatPhil on SoylentNews, id 863
    18. Re:LOL wut? by Anonymous Coward · · Score: 0

      > So they trust nobody and in turn expect stores to trust them?

      That is a good question but misses the GP's point: Maybe he doesn't mind trusting the store, but does mind trusting all the parties shipping traffic between him and the store. Maybe he's traveling and a public wifi of uncertain provenance is all that's available.

      But now that you mentioned it, well, that is the problem, isn't it? If I go there and pay in cash all they need to be sure of is that the cash isn't counterfeited. Easy check. No need to leave a massive paper trail.

      When paying by credit card they trust the credit card company who in turn expects the money back from you. That's "convenient" because now you don't have to carry cash -- but exposes you to risk of overspending and such.

      But because it "needs" much more customer data to be retained, over and beyond some incontrovertible proof of credit --not identity!-- it also exposes you to lots of risk of defrauding, something the credit card companies have the retailers suck up, who then want to protect themselves any which way. They can't afford to trust you, and by the same token (TJX, Heartland, shockingly many more if you think about it) you can't afford to trust them.

      And the reason? The payment system is broken and apparently the only fixes they can come up with is to look at still more data to "detect" fraud somehow. You don't hear about it in a big way but it also causes a lot of false positives and blocked legitimate transactions as a result. And at the end of the day, no matter how good their approaches, they're sloppy handwavy fixes for a fundamentally broken system.

    19. Re:LOL wut? by fatphil · · Score: 1

      It depends if you trust the shopkeeper. If you do, then there can be a benefit from having your identity only known to yourself and him. If you don't trust him, then you must presume that as soon as he knows who you are he announces it to the world, and indeed, any secrecy you maintained on the way to the shop was futile.

      Believe it or not, it is possible for two parties who trust each other to trade.

      --
      Also FatPhil on SoylentNews, id 863
    20. Re:LOL wut? by Anonymous Coward · · Score: 0

      However, I could well order something while abroad, which would also cause my IP to be far away from home. OTOH, if IP location checking becomes commonplace, the fraudsters will certainly have no problem to find an exit node close to the real address of the victim (whose address they know, after all). Indeed, if they got the data through a trojan running on the victim's computer, they may even use that trojan to place that order from the very same computer the victim uses.

    21. Re:LOL wut? by myowntrueself · · Score: 1

      > Making a credit card purchase online via TOR is like going into a shop to buy something using a credit card WITH A STOCKING OVER YOUR FACE.
      >
      > No it isn't, stop being overly dramatic. It's similar to giving your friend some cash and asking them to pop into the store for you.

      Rubbish. If you buy with cash you don't have to give your name and address and, oh yes, credit card number.

      If you buy with a credit card that assumes a level of non-anonymity.

      If you want to buy with credit card *and* you don't want your identity associated with the credit card's identity then I assume that something dodgy is going on.

      It's like here on Slashdot you are posting as anonymous coward; I don't care about that, I have no reason to trust you so you can be anonymous and I don't give a flying FUCK. But if you came to me as an anonymous coward and want to buy something with a credit card then I'm suspicious, I care because it makes a difference to me.

      What? Do you think that merchants lose NOTHING if you pay with a stolen credit card?? This is a BIG problem. If I can prevent stolen credit cards being used to pay for my services I will; if I can stop them before they even make a transaction that's a big win.

      If turning away customers who use TOR reduces the number of stolen credit cards used to pay for services then that's what will happen.

      --
      In the free world the media isn't government run; the government is media run.
    22. Re:LOL wut? by myowntrueself · · Score: 2

      > I agree - no need to hide who you are when you go shopping. But you may want to hide your identity when you are writing something controversial as an AC.

      Or anonymously use a stolen credit card in an online store.

      --
      In the free world the media isn't government run; the government is media run.
    23. Re:LOL wut? by myowntrueself · · Score: 1

      > It depends if you trust the shopkeeper. If you do, then there can be a benefit from having your identity only known to yourself and him. If you don't trust him, then you must presume that as soon as he knows who you are he announces it to the world, and indeed, any secrecy you maintained on the way to the shop was futile.
      >
      > Believe it or not, it is possible for two parties who trust each other to trade.

      If you don't trust the shopkeeper, it's not a good idea to use a credit card at all (they can save the details and use them to continue to make transactions on your account).

      If the shopkeeper doesn't trust you, it's a good idea for them not to accept your credit card (dealing with transactions from stolen credit cards isn't free for the shopkeeper).

      If you don't trust the shopkeeper and want to use a credit card anonymously then the shopkeeper now has good reason not to trust you either. So it's cash only, please. And don't ask for credit as refusal often offends.

      --
      In the free world the media isn't government run; the government is media run.
    24. Re:LOL wut? by basecastula+ · · Score: 1

      Indeed, all trade is ultimately built on trust.

      ha ha ha, this is what YouTube said. This video contains content from Chaser Broadcasting Pty Ltd and The Australian Broadcasting Corporation, one or more of whom have blocked it in your country on copyright grounds. I am in the east SF Bay Area. lol

    25. Re:LOL wut? by Anonymous Coward · · Score: 0

      Again with the dramatics.

      "If you buy with a credit card that assumes a level of non-anonymity."

      No actually, it doesn't. Pre-paid credit cards are nicely anonymous.

      The stolen credit card is not a problem of Tor, and should not be combated by violating people's privacy. Credit Card verification needs a better method.

    26. Re:LOL wut? by myowntrueself · · Score: 1

      You can be an anonymous coward on /. and say whatever you want, it doesn't affect me so I don't care. If you want to be an anonymous coward and use a CC via TOR you can get lost at the merchant's discretion.

      It's none of their business why you are going to their shop through TOR and it's none of your business why they decline you.

      --
      In the free world the media isn't government run; the government is media run.
    27. Re:LOL wut? by nospam007 · · Score: 1

      "Umm.. the user is ordering something using their name, credit card, and address. They are not going to use Tor to protect their anonymity."

      If this tech catches on the crooks just use Tor to get stolen credit card numbers, then go to Starbucks WIFI to buy stuff without Tor with that stolen credit card.
      So just privacy-conscious real customers get driven out by moronic shop owners because they use Tor or use a VPN at Starbucks as everybody should.

    28. Re:LOL wut? by Anonymous Coward · · Score: 0

      Except I'm not trying to hide from the people I'm buying from. I live in a communist country where all traffic is logged, and I don't think it's any of the government's concern that I want a subscription to this or that perfectly legal website. The company I'm buying from can store as much of my information as they want.

    29. Re:LOL wut? by myowntrueself · · Score: 1

      > Except I'm not trying to hide from the people I'm buying from. I live in a communist country where all traffic is logged, and I don't think it's any of the government's concern that I want a subscription to this or that perfectly legal website. The company I'm buying from can store as much of my information as they want.

      You don't have to use TOR for that.

      TOR is specifically an anonymising service. Its purpose is more to hide your origin from the site you are visiting more than your local ISP or government.

      If I wanted to use a stolen credit card I'd use TOR, hoping the merchant sites were stupid enough to allow it. I wouldn't use a VPN service.

      --
      In the free world the media isn't government run; the government is media run.
    30. Re:LOL wut? by surmak · · Score: 1

      > Why is it not like going to the shop and paying with cash?
      >
      > So instead of blocking TOR they should offer things like Bitcoin?

      Exactly, the problem (from the seller's POV) with credit cards is that the transaction can be reversed if the buyer complains. If you have a physical delivery address, and you send the cops there to investigate. If your goods are delivered electronically, then there is no recourse. A scammer could give the billing/shipping address associated with the card, receive the stolen goods, and everything would look kosher until the card owner receives their monthly bill and complains. At this point, the store would get a chargeback, and be screwed over.

      With Bitcoin (or other cash-like on-line services) there is no possibility to reverse the transaction, no fraud protection, so once the store completes the transaction, they have their money, and it cannot be taken away.

    31. Re:LOL wut? by coinreturn · · Score: 1

      > I agree - no need to hide who you are when you go shopping. But you may want to hide your identity when you are writing something controversial as an AC.
      >
      > Or anonymously use a stolen credit card in an online store.

      But if you're having the goods shipped to you, doesn't that reveal at least WHERE you are?

    32. Re:LOL wut? by Anonymous Coward · · Score: 0

      > Why are they only allowed to attempt anonymity in relation to the store? Perhaps they just want to remain untracked by their ISP, and foul up any GeoIP-based advertising.

      Close, it's greed. They need a way to "catch" those fraudsters which are trying to cheat them by paying the cheap US price instead of the 2x European price or the 4x Australian price. After all, everyone knows it takes four times as much to manufacture bits and ship them to Australia over the Internet during a software download.

    33. Re:LOL wut? by smooth wombat · · Score: 1

      > But if you're having the goods shipped to you, doesn't that reveal at least WHERE you are?

      Not necessarily. I guess you've never heard of fraudsters using the address of someone else, tracking the shipment then picking it up at the other address. It's quite common.

      With the amount of abandoned houses in the country, it is quite easy to find a drop house to use.

      --
      We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    34. Re:LOL wut? by Anonymous Coward · · Score: 0

      It never takes more than 10 posts for someone to come up with a totally nonsensical "walk into a store and try this" parable.

      If I hand over my credit card to a store clerk to pay, I'm never asked for a driver's license or passport, nor does the clerk ask me to which stores I went before I walked into theirs, what I bought there, and what I asked the clerks at the other stores. There, that's an actual correct analogue of what online stores (can) do if I don't anonymize myself.

      If I give them my credit card info, that's enough, that's all the trust they legally need. If they fish for anything more, they are invading my privacy, likely breaking several laws in more sensible nation states, and just being general asshats.

    35. Re:LOL wut? by devman · · Score: 1

      Mailing address as in a physical address that people send things to like things you bought online.

    36. Re:LOL wut? by pla · · Score: 1

      > So they trust nobody and in turn expect stores to trust them?

      They haven't asked the store to trust them. They have offered a valid form of payment in exchange for goods or services. Whether or not the buyer has the right to use that particular form of payment has no bearing on the validity of the transaction as a whole.

      More to the point - If I pay for delivery of a physical product with a credit card and have it sent to the card's billing address - Explain where the possibility of fraud comes into play there? I mean, okay, I suppose someone who really hates me could sign me up for a subscription to "dildos of the animal kingdom" or something stupid like that, but realistically people card for personal gain, not to play expensive practical jokes on strangers.

    37. Re:LOL wut? by Anonymous Coward · · Score: 0

      > Making a credit card purchase online via TOR is like going into a shop to buy something using a credit card WITH A STOCKING OVER YOUR FACE.

      You mean like wearing a hijab, chador, or burqa?

    38. Re:LOL wut? by Anonymous Coward · · Score: 0

      omg... you're a genius. free socks for life, nobody will ever find out!!

    39. Re:LOL wut? by Anonymous Coward · · Score: 0

      Or they just don't want anyone besides the site, the credit card company and the shipping company to know about it.

      For instance let's just say that a church going person living with their parents (or perhaps they are in a convent) and they don't want anyone else there to know about it... nor do they want their isp to know about it... wants to make a large purchase of adult toys...
      Tor would be warranted in that situation and other situations like that.

      Let's go with a more realistic example... you are buying something for your tech savvy spouse that monitors all traffic to keep your kids safe... tor will let you surprise them... if you can keep the cc statement away from them long enough.

      There are all kinds of times when it is a legit purchase.

      Common sense people.... get some.

    40. Re:LOL wut? by Anonymous Coward · · Score: 0

      The trick is to find a way to have an anonymous account with a VPN service. Then you use Tor, but the exit node then routes the traffic through the VPN.

      Result: A semi-trusted outgoing IP (VPNs get on blacklists, but not as quickly as TOR exit nodes.) Other than someone connecting the VPN account with a real identity, the VPN provider only can reveal the TOR exit node as where traffic came from.

    41. Re:LOL wut? by Anonymous Coward · · Score: 0

      If you want to stay anonymous using a credit card, buy one of the fucking prepaid cards that carries the Visa/MasterCard Logo and uses their system. Pay cash and you don't have a problem. Furthermore, these cards do not have the charge reverse feature of a standard card, thus the merchant shouldn't give a fuck what's bought with it or where it's shipped as they've got their money (same as cash).

      Are they useful? depends on the country. In the U.S. they're limited to $500 for the cards I've seen - Anti-Terrorism requirement. Keep in mind that the U.S. wants everyone to pay by plastic (why do you think the disability system and food stamps system now use a EBT card - plastic).

    42. Re:LOL wut? by fast turtle · · Score: 1

      if you want to keep something away from a tech savvy spouse, then use a god damn VPN - your connection is routed through the VPN and they don't know what in hell the traffic is. If they're so paranoid that they block VPN access, then they'd go as far as blocking TOR to boot and that's a spouse that you need a club and spade for as the two hearts didn't work.

      --
      Mod me up/Mod me down: I wont frown as I've no crown
    43. Re:LOL wut? by TheCarp · · Score: 2

      > So they trust nobody and in turn expect stores to trust them? I don't think so

      They trust nobody is a pretty wild assumption to make. I use tor, I trust lots of people with lots of things. Why would you assume I trust nobody just because I don't blankly trust my ISP, their ISP, and everyone else down the chain that I don't even know to know everyone I talk to and do business with?

      --
      "I opened my eyes, and everything went dark again"
    44. Re:LOL wut? by Anonymous Coward · · Score: 0

      I live in Texas, and went to college in Mississippi. Once, while traveling home, I got stuck at a gas station in Louisiana because somewhere along the line of banks involved, something flagged the transaction as suspicious. I had no cash, and it took half an hour on the phone with my card's bank's support, and then another half hour waiting for their manual approval to go through before I could turn on the damn pump. The gas purchase was at the same gas station I stopped at twice a year (once going home, once going to school) for the past three years. That same card (through two different numbers) has mysteriously been used for purchases I had nothing to do with three times, in areas I've never been to. Anti-fraud systems don't seem to work very well.

    45. Re:LOL wut? by Anonymous Coward · · Score: 0

      If the only way a business will conduct transactions is to enforce that individuals release their human rights (e.g. 4th amendment right in the US) then that is very much everyone's business. Refusing to conduct business with someone based on them protecting their privacy is a civil rights violation (Tor, VPN, etc), and lawyers will very much indeed get involved.

    46. Re:LOL wut? by Anonymous Coward · · Score: 0

      > Also realize that this would only be one of many sanity checks employed. Is the shipping address to the address listed on the cc for example. The credit card company also checks where the card was used, for things like buying gas at 1pm and then buying it again at 2pm 100 miles away. They also consider the type of merchandise as online purchase of electronics is rife with fraud, but very few people use a stolen card to buy socks.

      It is more about "local price gouging" than about fraud. Stores do not like proxies because they never know which price you should see on their web page.
      Try to use an outside-US web/VPN proxy and access US online stores with a foreign IP address. You may try with Steam, Amazon, Sears.
      Fortunately in my job I got access to whole multinational company network and it is nice to use different exit points when I try to purchase electronics, dvd, ebooks ... together with company offices in different countries shopping is much nicer experience. :-)

    47. Re:LOL wut? by oreiasecaman · · Score: 1

      Can't watch this in Brazil, blocked because of copyright

      --
      This is a UDP joke, I don't care if you get it or not...
    48. Re:LOL wut? by gregor-e · · Score: 1

      It's all about money. There are a number of variables that can reliably predict the probability that a particular transaction is fraudulent. Connecting by an anonymized path is one of them. Probably a damn good predictor, at that. I'm sure they can show you on powerpoint slides exactly how many millions of dollars their predictive model that uses that variable is saving the company. If a sufficient volume of legitimate shoppers connect using anonymized path, the predictive value of that variable will decline, and only then will businesses stop using it.

    49. Re:LOL wut? by Anonymous Coward · · Score: 0

      Internet shopping is nothing compared to normal shopping in store - internet shopping is similar in going to shop and loudly, so everybody involved or just someone happened to be nearby(like mining data for advertisement), could write down your name, address, mobile number, credit card number, probably also your IP, OS, browser, language you use on system and browser and lots of additional information and also what you are buying - this is really sensitive information and as it is not enough your banks are already selling packages of clients information to advertisement companies - including your buying habits as well. So, there is nothing that can protect you from Google(except if you use some Adblocks) or some other information gathering scripts - the best way not to worry there is to use tor, as even ISP can't tell what and where you have bought something, that is going to your address anyway and also your shop can't tell anything about your system, that they actually do not need to know.

    50. Re:LOL wut? by myowntrueself · · Score: 1

      > Making a credit card purchase online via TOR is like going into a shop to buy something using a credit card WITH A STOCKING OVER YOUR FACE.
      >
      > You mean like wearing a hijab, chador, or burqa?

      yeah in those cases I'd want to see some photo ID as well thanks

      --
      In the free world the media isn't government run; the government is media run.
    51. Re:LOL wut? by myowntrueself · · Score: 1

      If you want to stay anonymous using a credit card, buy one of the fucking prepaid cards that carries the Visa/MasterCard Logo and uses their system. Pay cash and you don't have a problem. Furthermore, these cards do not have the charge reverse feature of a standard card, thus the merchant shouldn't give a fuck what's bought with it or where it's shipped as they've got their money (same as cash).

      Are they useful? depends on the country. In the U.S. they're limited to $500 for the cards I've seen - Anti-Terrorism requirement. Keep in mind that the U.S. wants everyone to pay by plastic (why do you think the disability system and food stamps system now use a EBT card - plastic).

      Only a terrorist would need to spend more than $500

      --
      In the free world the media isn't government run; the government is media run.
  2. Don't Go On Vacation Then by Jane+Q.+Public · · Score: 3, Insightful

    So... it's going to see my address is Florida but I'm making an online purchase from Toronto? And disallow it?

    That's probably the last time I'd do business with that company.

    1. Re:Don't Go On Vacation Then by Anonymous Coward · · Score: 1

      Or, you have an SSH service in Toronto, live in Florida and are going on holiday with your relatives in Bermuda and want the stuff shipped there. This type of short-sighted security is very annoying to millions of expats all over the world.

    2. Re:Don't Go On Vacation Then by Anonymous Coward · · Score: 0

      Just use a Florida-based Tor end-node. Problem solved.

    3. Re:Don't Go On Vacation Then by Z00L00K · · Score: 1

      Depends on your source address in Toronto, also on the delivery address. It's more suspicious if you use a TOR node in Toronto than a more normal address.

      But it's to some extent also the fault of credit card companies that don't offer the best possible verification and resort to the stupid CVV.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    4. Re:Don't Go On Vacation Then by sociocapitalist · · Score: 1

      So... it's going to see my address is Florida but I'm making an online purchase from Toronto? And disallow it?

      That's probably the last time I'd do business with that company.

      There are services (Netflix comes to mind) that just plain don't allow streaming/downloading/purchasing outside the US or charge a whole lot more depending on where you're buying from. Buying a game online in the EU can cost twice as much as buying the same thing online in the US.

      --
      blindly antisocialist = antisocial
    5. Re:Don't Go On Vacation Then by Anonymous Coward · · Score: 1

      As an expat that has not lived at home for over 10 years I have to agree with you. There is so much stupidity that makes life hard for no real gain, I do not get this. I feel it is just some company trying to create a market for something that they have got and want to sell. So many people are going to find out how hard it can be to use their credit card in another country. I have often fallen foul of the problems that can be created when you visit 3 countries in one day... In a foreign country with your passport etc. (good ID) but your cards are frozen... OTP passwords do not work because the mobile hardly ever works as roaming is never as good as claimed so I can never log into my online banking to sort anything out... and now they are going to blacklist people for being routed through somewhere they may not know about.

    6. Re: Don't Go On Vacation Then by Anonymous Coward · · Score: 0

      Banks, and services like PayPal, already do this. If you make a payment from PayPal while logged in from a node listed on torexit.dan.me.uk DNSBL it is very, VERY likely to be flagged for fraudulent activity review and held for an extended period of time. Same with payments from some banks to overseas retailers.

      This is a little half-assed in implementation however. What they need is out-of-band authentication. Text a registered phone number with an authentication code/notification, perhaps?

    7. Re:Don't Go On Vacation Then by RobHostetter · · Score: 5, Informative

      I am an online retailer. I lost $8,000 in one season from credit card fraud. When the cards are stolen, the frauders use it at a store. The cardholder then does a chargeback. The bank will refund the cardholder and take it from the retailer, so the retailer assumes all risk. Many online sales have 15% margins from which you have to pay advertising and labor costs. A single fraudulent sale can take 10-20 legitimate sales just to break even! Most of the frauders are from countries like Vietnam, China etc. They will ship often to a US address and the cardholder is a US address as well. The only thing us retailers have to go by is the location of the IP address. If that's from a country other than the cardholder's that's a very strong signal that it's a fraudulent order. Size of order, fake phone number are also good signals. If you don't want an order flagged, then don't look like a frauder! Place your order from your actual IP address.

    8. Re:Don't Go On Vacation Then by coinreturn · · Score: 2

      I am an online retailer. I lost $8,000 in one season from credit card fraud. When the cards are stolen, the frauders use it at a store. The cardholder then does a chargeback. The bank will refund the cardholder and take it from the retailer, so the retailer assumes all risk. Many online sales have 15% margins from which you have to pay advertising and labor costs. A single fraudulent sale can take 10-20 legitimate sales just to break even! Most of the frauders are from countries like Vietnam, China etc. They will ship often to a US address and the cardholder is a US address as well. The only thing us retailers have to go by is the location of the IP address. If that's from a country other than the cardholder's that's a very strong signal that it's a fraudulent order. Size of order, fake phone number are also good signals. If you don't want an order flagged, then don't look like a frauder! Place your order from your actual IP address.

      Would you like to block my purchase under these conditions?

      1) My Internet IP address at work is about 1500 miles from my actual location at work. This is some sort of side-effect of how my employer (a very large corporation) has its connections to the Internet.

      2) When I'm on vacation, perhaps 3000 miles from home, I play a game with friends and love it. I go online to buy it and have it shipped home so I can play after vacation.

    9. Re:Don't Go On Vacation Then by digitaltraveller · · Score: 1

      Did you know your name is an Aptronym? Especially for this post.

    10. Re:Don't Go On Vacation Then by Anonymous Coward · · Score: 0

      This happened to me. I'm from NY, but my friend living in Chicago had me in his wedding. So I'm in Illinois, I take my card out to pay for my tux, and boom fucking denied. Thankfully my other card worked, but I really didn't want to use it.

    11. Re:Don't Go On Vacation Then by intermodal · · Score: 2

      If you don't want an order flagged, then don't look like a frauder! Place your order from your actual IP address.

      You seem to think users of privacy software care whether they get flagged on online orders. Generally speaking, these are users who do not stop and realize that they are reducing rather than increasing their privacy in this case. If they even realize at that moment that they are still using Tor. Most of them have probably not made the connection to the fact that they aren't protecting their privacy by using an anonymizing service to send you their order information that would have been sent via SSL anyway. All they do is make their order stand out more.

      If you really want to increase your privacy by using Tor, use it for stuff you aren't attaching personal information to, and don't use it where you're already completely exposing yourself.

      --
      In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
    12. Re:Don't Go On Vacation Then by Jane+Q.+Public · · Score: 1

      "The cardholder then does a chargeback. The bank will refund the cardholder and take it from the retailer, so the retailer assumes all risk."

      I understand all this. But when you refuse a huge percentage of purchases because a small percentage of them are fraud, you hurt your business.

      Repeat: I won't do business with you. If you don't like that, find some other way to change your business model.

    13. Re:Don't Go On Vacation Then by Anonymous Coward · · Score: 0

      Speaking as a frequent Tor user myself, I'd seriously doubt it if Tor users comprised a "huge percentage" of legitimate purchases to any retailer. Realistically, the number of legitimate purchases coming from Tor users probably is in the realm of a fraction of a percent. If that is indeed the case, losing your potential couple hundred dollars of business is well worth it to prevent $8000 worth of loss.

      OTOH to those that say you lose all of Tor's inherent anonymity by shopping online with it, so why use it- That's completely false. You deanonymize yourself to the store of course (assuming it's a legitimate transaction and you're providing legit info), but you still remain anonymous to all those between you and the store- your internet provider, the store's internet provider, any routers in between, your DNS provider, etc.

      Back to the question though- I suppose one way of dealing with the fraud problem would be to only allow non-chargeback-able transactions from Tor users- BitCoin for example

    14. Re:Don't Go On Vacation Then by Jane+Q.+Public · · Score: 1

      "Speaking as a frequent Tor user myself, I'd seriously doubt it if Tor users comprised a "huge percentage" of legitimate purchases to any retailer."

      I was replying to GP. I was not referring specifically to TOR.

      "Back to the question though- I suppose one way of dealing with the fraud problem would be to only allow non-chargeback-able transactions from Tor users- BitCoin for example"

      Fraud is a risk you take when you do retail business. I understand that, and I sympathize. BUT... if you make doing business with you inconvenient, you lose business. That's just the way it works. I didn't invent the free market system.

    15. Re:Don't Go On Vacation Then by peawormsworth · · Score: 1

      I am an online retailer. I lost $8,000 in one season from credit card fraud.

      Credit cards are insecure. They have weak fraud prevention built into them. This is by design, because the credit card company never pays for the cost of fraud.

      Here is the order in which fraud is paid for: 1) the customer doesn't notice and pays for fraudulent charges on their card. 2) the customer complains, but the card company accuses them of not following their agreement to secure the card and the customer pays for it. 3) the merchant is accused of accepting a card without properly verifying the integrity of the purchase and the merchant pays.

      Notice that in all cases the card company pays nothing for fraud. This is the reason that credit cards are insecure. The card companies always make money from fraud.

      The final reason that card companies like fraud is because they use fraud as a marketing tool. First they make an insecure system that allows fraud to take place, and then they tell the customer that they will secure them against it by refunding them. But as you can see above, they never pay for it, the merchant does, and subsequently the customer does by paying for higher margins built in by the merchant to cover the percentage of fraud orders.

      You see, the card companies want you to believe that online purchasing is insecure by nature. This is not the case. Instead, it is designed into the credit card payment system, because there are no competing options for customers to pay for goods online AND the card companies make more money when fraud occurs. IMO: this is a huge mistake, and the card companies are setting themselves up for a secure payment system to take away their total online business (like: bitcoin)

  3. Come on... by Mr+Krinkle · · Score: 4, Insightful

    ". But it also raises the question of whether targeting anonymity services to hunt out fraudsters could have chilling effects for harmless Tor users trying to protect their privacy online—particularly this year in light of the NSA-spying scandal."

    Seriously?

    Why would you ever need to "protect your privacy" via Tor etc, from an ONLINE SHOPPING SITE that you are GIVING YOUR CREDIT CARD AND SHIPPING INFORMATION TO?

    I mean, I'm as much anti NSA crap as the next guy, but come on. That said, cool tech. It would make sense that retailers would do this. I see this is a good thing, not a reason to slam the lizards running our government.

    --
    I am 31337 or something.
    1. Re:Come on... by Hangtime · · Score: 0

      I was thinking the same thing. Kudos sir.

    2. Re:Come on... by Anonymous Coward · · Score: 1

      The idea when spending stolen credit cards is to ship it to someone else's house, like an abandoned crack den or a little old lady who only checks the mail on Friday. Then they swoop in on a Thursday, take the parcel, and make off with their illicit gains.

    3. Re:Come on... by Anonymous Coward · · Score: 0, Interesting

      What credit card and shipping info?

      - My corp card amex that gets things shipped to a local PO BOX?
      - My single use randomly generated number on another card?
      - The reshipping address I used to have in another state? (yes, that costs cash...)

      Look shithead, just because you work without privacy doesn't mean the rest of the world does. Some of us really can't risk having extensive profiles built up.

      That includes where our connections originate from, our user name, our date of birth, our shipping address, zip codes, and even phone numbers.

      Hell, I have three phone numbers all associated with different area codes -- only one of which correlates with the appropriate zip code.

      No, there's no drugs or porno or hitmen going on. Yes, there's still a reason. No, what the reason is is none of your fucking business.

      So no, zero kudos are due. GP's observation is shallow and nearly devoid of merit.

    4. Re:Come on... by Bite+The+Pillow · · Score: 2

      Because cracking the onion has to be harder than https?

      I'm sure buying piles of fertilizer would set off alarms, but what if I want a variety of inflatable barnyard friends, rubber sheets, that 55 gallon drum of lube, and a celebrity masturbator(male)? I don't want to get that dossier started.

    5. Re:Come on... by Anonymous Coward · · Score: 0

      Congratulations, you personified Slashdot group think.
      Fools seldom differ...

    6. Re:Come on... by Anonymous Coward · · Score: 0

      Yep. I know some guy who thought his daughter was a maiden before she Germanicised her name.

    7. Re:Come on... by mfwitten · · Score: 1

      You really didn't think this one through, did you...

      What do credit card and shipping information have to do with your IP address?

      Perhaps you do other, legitimate things with your IP address that you'd like to keep dissociated from that very information.

    8. Re:Come on... by Z00L00K · · Score: 1

      Not if you live in the boondocks of Montana. :p

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    9. Re:Come on... by Anonymous Coward · · Score: 0

      Furries do all that and worse. There hasn't been a government crackdown on furries even though the rest of the internet wishes it would happen. You've got nothing to worry about.

    10. Re:Come on... by umghhh · · Score: 1

      Come to think of it we have technological progress in almost any branch of human activity yet the inflatables are still inflatables. I think it is the time that scientists, engineers and geeks spend some time on those so that they can become an actual subject of passion not an object of a (usually drunk) male student stunt. There seems to be a genuine need. I mean anime is OK but one would like to fetch a real stuff but without all these flowers, courtship and other nonsense that otherwise emancipated ladies require (after they verified your financial status of course). I mean seriously: the use of steam machines and electricity to fight female hysteria back at the beginning of last century (and following development of less hassle vibrators that ladies of today can use) shows that society in general but inventors too care very much for needs of a lonely female. What about a lonely geek in his mama's cellar?

    11. Re:Come on... by Anonymous Coward · · Score: 0

      Because the store HAS NO RIGHT to know where you are. Not at your friend's house, your work, your school, the coffee shop, the park downtown, or in your mom's basement buying another jar of vaseline.
      And because all those places AND their ISPs HAVE NO RIGHT to know what sites you are visiting.

    12. Re:Come on... by sociocapitalist · · Score: 1

      ". But it also raises the question of whether targeting anonymity services to hunt out fraudsters could have chilling effects for harmless Tor users trying to protect their privacy online—particularly this year in light of the NSA-spying scandal."

      Seriously?

      Why would you ever need to "protect your privacy" via Tor etc, from an ONLINE SHOPPING SITE that you are GIVING YOUR CREDIT CARD AND SHIPPING INFORMATION TO?

      I mean, I'm as much anti NSA crap as the next guy, but come on. That said, cool tech. It would make sense that retailers would do this. I see this is a good thing, not a reason to slam the lizards running our government.

      Today it's the credit card transactions, then it's the cash transactions, then it's the bitcoin transactions. It's a step against privacy regardless.

      --
      blindly antisocialist = antisocial
    13. Re:Come on... by pspahn · · Score: 1

      No, what the reason is is none of your fucking business.

      And to be quite honest, it is none of your fucking business if a retailer chooses not to sell to a certain sub-set of customers because they represent a high-risk for fraud.

      There are plenty of retailers that choose not to ship to PO boxes, sometimes it's because of the associated risk of fraud, and sometimes it's because they sell chocolate and don't want to ship to a PO box in Phoenix in July. Which one is it in the case of the retailer you're buying from today? You got it... none of your fucking business.

      If you want to extend this to those who use Tor, well that again is the retailer's prerogative. There are no laws that say a retailer is obligated to serve customers when those customers can't be identified.

      (This is not even going into scenarios where the retailer's CC processor refuses a transaction because of too many red flags.)

      --
      Someone flopped a steamer in the gene pool.
    14. Re:Come on... by Anonymous Coward · · Score: 0

      Who said you were giving your shipping information? I'm buying an e-book about successful gay people because I'm a 14 year old LGBT living in the rust belt, and want to have some hope that I can grow up and have a happy life. If my Mom finds out I have anything to do with LGBT and she's been drinking....

      I bought the ebook with a pre-paid debit card, and used Tor to make sure my parents don't find out.

      NOTE: this was entirely hypothetical. I'm neither 14, nor LGBT, nor would my mom care if I was. Please start thinking of the bigger world view. Privacy is VERY important to some people, for perfectly good and legal reasons. Just because YOU don't have to be private, doesn't mean everyone has the same luxury.

    15. Re:Come on... by fatphil · · Score: 2

      Bollocks.

      I travel for work. There's precisely *no* reason why an online retailer should expect to have the right to know the locations of my clients. They can know my home address whither things should be delivered, but their need to know anything else about location ends right there.

      --
      Also FatPhil on SoylentNews, id 863
    16. Re:Come on... by Anonymous Coward · · Score: 0

      because you don't want your static IP to get associated to your CREDIT CARD NUMBER and ADDRESS?

    17. Re:Come on... by Anonymous Coward · · Score: 0

      The real point is Tor being identifiable then Tor users might easily be blocked from any corporate or non-corporate and forced to use their real address, hence becoming traceable, and only *then* locate them. The real point is Tor being blockable. Not in the context of online shopping, which makes no sense as you hinted but in a more general context with the inevitable abuses we might expect.

    18. Re:Come on... by coinreturn · · Score: 1

      And to be quite honest, it is none of your fucking business if a retailer chooses not to sell to a certain sub-set of customers because they represent a high-risk for fraud.

      That's exactly the reason I give when them darkies come into my store. Gawd damn civil rights bullsheeeet.

      But seriously, I think that excluding customers because they are taking actions to protect their fourth amendment rights of privacy might be grounds for a civil rights action.

      You're going to have to find a better way to verify the credit card.

      Wrong. Denying service because of race is against the law. Denying service because the buyer is anon is not.

    19. Re:Come on... by masmullin · · Score: 1

      Wrong. Denying service because of race is against the law. Denying service because the buyer is anon is not.

      It's not as black and white as that (no pun intended). Denying service is based on class of people. While the wording of the act certainly lends itself to denying service based on race (or other similar visible discrimination), the legal definition has been argued with a much wider interpretation. A good lawyer could argue that people wanting to protect their 4th amendment right are a class of people and should therefore not be discriminated against.

      Do I think it would win? Not really. But I certainly think there is an argument to be made.

      This 'stolen credit card' problem is not the fault of people wanting to protect their privacy, and doing this TOR blocking is simply a lazy and error-prone protection method. A real solution should not involve forcing people to give up their human rights in order to shop.

  4. Open wifi routers by Anonymous Coward · · Score: 0

    So thieves will quickly find an open wifi router near the delivery point, and normal people who happen to be using Tor or a VPN will run into problems. But at least this company has a product to sell that PHBs won't be able to think of any problem with.

  5. vpn use triggers the 'cancel the order' logic by TheGratefulNet · · Score: 3, Informative

    I was trying to buy something from an online merchant. I happened to have been using my vpn at the time but I paid using my paypal account and the merchant accepted my order.

    an hour later they canceled it. gave no reason. I emailed them and they asked 'are you on vacation?'. no. they still canceled it.

    this has happened more than once.

    it's annoying as hell. the world is slowly becoming vpn-unfriendly.

    --
    "It is now safe to switch off your computer."
    1. Re:vpn use triggers the 'cancel the order' logic by Anonymous Coward · · Score: 2, Informative

      This is extremely old. Pretty much every CC processor does a location lookup on the IP. If it's not within a certain distance of the card address, it brings the risk number up. Too high, and they deny it. Your fault really for using VPN anyways when it's shipping to your home with your name attached. Zero anonymity there genius.

    2. Re:vpn use triggers the 'cancel the order' logic by Anonymous Coward · · Score: 0

      I have had numerous problems while doing ecommerce transactions on VPNs due to this type of correlation. My VPN software allows for numerous exit nodes, so I select an exit node close to home to ensure a transaction goes through.

    3. Re:vpn use triggers the 'cancel the order' logic by Anonymous Coward · · Score: 2, Informative

      I've experienced exactly this. I'll even name names. NewEgg not only canceled my order but locked out my account when I placed an order while using an overseas VPN.

      I've also experienced the exact opposite of this. A few years ago when I was overseas in a third world country, the only way I was able to log in to my bank's webpage without instantly having my account locked was to use a U.S. based VPN.

    4. Re:vpn use triggers the 'cancel the order' logic by Anonymous Coward · · Score: 0

      if newegg and other stores keep having orders blocked due to vpn use maybe they will place a notice about vpn use.

      newegg does not ship internationally anyway, why would they bother having a globally accessible website (unless they like ddos)

    5. Re:vpn use triggers the 'cancel the order' logic by Jah-Wren+Ryel · · Score: 2

      vpn use triggers the 'cancel the order' logic

      That's one of the main reasons I use a VPN. Since I have to give the merchant my shipping address and name I don't want them selling that info to the profilers like BlueKai or DoubleClick in conjunction with my real IP address because any traffic that leaks out via my real IP address would then be easy to cross-reference.

      If a merchant is going to require that I give up the privacy of my internet usage just to do business with them, I will just spend my money elsewhere.

      --
      When information is power, privacy is freedom.
    6. Re:vpn use triggers the 'cancel the order' logic by Anonymous Coward · · Score: 0

      I was on vacation in Mexico a few years back during the Steam Holiday sale and I couldn't SAVE SO MUCH MONEY unless I used a U.S.-based VPN. Why not just check if my card's info or my last gazillion communications to Valve's servers indicated that I was a U.S. user?

      I did end up saving all that money though. :D

    7. Re:vpn use triggers the 'cancel the order' logic by Anonymous Coward · · Score: 1

      Probably using a work VPN and forgot to disconnect.

      He may also not trust the network he is on (think about it, we travel, vacation, etc).

      I always use my SSH server to protect myself from untrusted networks. While SSL/TLS is already doing that not everything I do has it (partly my own fault). Anyway. SSH protects me in those situations and when I set it up it is annoying to disconnect or easy to forget. Usually I would just forget. It's not hard to use a different browser. Even that though won't fix the problem because if I'm in Boston and shipping to NJ and the filters are in excess.... but I think usually it isn't a problem due to the fact the address being shipped to is the billing so it would go through anyway.

      Long story short if the transaction is minor ($50) and the margins are high (I'm talking 4x or more our cost for something) we ship anyway. If it's low margin high ticket items (things fraudsters go after, and consumers notice on the bill) we kill the deal. It's a big risk and more often than not it is fraud. We have even talked to the fraudsters. Now we do get legit orders. There are ways to tell from our orders usually when a customer is shipping to a different address than the billing that it is probably legit. In some instances we will let the order slip (even high margin). However most merchants don't have the luxury of being able to test based on a particular niche question that your typical fraudsters wouldn't know the answer to. Some of our customers don't either, but it's a red flag if that gets combined with IP geo-location differences, billing/shipping differences, and more. One thing fraudsters always do is get overnight shipping. Insanely expensive and very infrequently done except for business purchases. Those get sent to business addresses though and we usually get a phone call anyway about it in advance because the customer has questions. You don't see that from most fraudsters. However you never want to assume because a customer has called that it is legitimate either.

      Basically- use your head and you won't get f'd. In 5 years we have only lost one high ticket item. We shipped one other out too once but managed to pull it back. There were no signs at first of fraud. Then we realized he logged in from systems all over the place. So he was very careful at first and then not-at-all careful once it shipped.
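
The combination of signals described in this comment and in the earlier "location lookup on the IP" reply, worked through as an added example (not code from any commenter or from a real card processor). The weights, thresholds, cut-offs and sample orders are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

# Weights and thresholds are assumptions for illustration; a real deployment
# would fit them to its own chargeback history.
MAX_DISTANCE_KM = 500                  # "within a certain distance of the card address"
REVIEW_AT, DENY_AT = 40, 70            # approve < 40 <= review < 70 <= deny
SMALL_ORDER, HIGH_MARKUP = 50.0, 4.0   # "minor ($50)" and "4x or more our cost"
HIGH_TICKET, LOW_MARKUP = 500.0, 1.25  # assumed cut-offs for "low margin high ticket"


@dataclass
class Order:
    amount: float            # order total in dollars
    markup: float            # sale price divided by merchant cost
    billing_country: str
    billing_latlon: tuple    # (lat, lon) of the card's billing address
    ip_country: str
    ip_latlon: tuple         # (lat, lon) from an IP geolocation lookup
    ip_is_anonymizer: bool   # e.g. the address is on a Tor-exit or VPN list
    ship_to_billing: bool
    overnight: bool


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def score(order):
    """Return (risk score, list of the signals that fired)."""
    total, fired = 0, []

    def add(points, reason):
        nonlocal total
        total += points
        fired.append(reason)

    if order.ip_is_anonymizer:
        add(25, "anonymizing exit")
    # Country mismatch and in-country distance are alternatives, so a
    # traveller is not penalised twice for the same fact.
    if order.ip_country != order.billing_country:
        add(30, "IP country differs from cardholder country")
    elif haversine_km(order.ip_latlon, order.billing_latlon) > MAX_DISTANCE_KM:
        add(15, "IP far from billing address")
    if not order.ship_to_billing:
        add(15, "shipping differs from billing")
    if order.overnight:
        add(15, "overnight shipping")
    if order.amount >= HIGH_TICKET and order.markup <= LOW_MARKUP:
        add(20, "high-ticket, low-margin item")
    return total, fired


def decide(order):
    """Map the score to approve / review / deny."""
    total, _ = score(order)
    # Small, high-margin orders ship regardless of the score: the possible
    # loss is smaller than the cost of turning away or reviewing the order.
    if order.amount <= SMALL_ORDER and order.markup >= HIGH_MARKUP:
        return "approve"
    if total >= DENY_AT:
        return "deny"
    return "review" if total >= REVIEW_AT else "approve"


# Constructed sample orders; coordinates are approximate city centres.
MIAMI, TORONTO, CHICAGO, FRANKFURT = (25.76, -80.19), (43.65, -79.38), (41.88, -87.63), (50.11, 8.68)
SAMPLES = {
    "vacation_purchase": Order(60, 1.3, "US", MIAMI, "CA", TORONTO, False, True, False),
    "corporate_egress": Order(60, 1.3, "US", MIAMI, "US", CHICAGO, False, True, False),
    "tor_ship_home": Order(120, 1.3, "US", MIAMI, "DE", FRANKFURT, True, True, False),
    "stacked_red_flags": Order(900, 1.15, "US", MIAMI, "DE", FRANKFURT, False, False, True),
    "small_high_margin": Order(45, 4.5, "US", MIAMI, "DE", FRANKFURT, True, False, False),
}

if __name__ == "__main__":
    for name, order in SAMPLES.items():
        total, fired = score(order)
        print(f"{name:20} {decide(order):8} score={total:3} {fired}")
```

With these assumed weights no single signal reaches the review band: the vacation and corporate-egress orders are approved, a Tor order shipped to the billing address goes to manual review, and only stacked signals are denied.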

    8. Re:vpn use triggers the 'cancel the order' logic by Firethorn · · Score: 1

      What about purely online services? I haven't encountered this yet, and I'm sort of surprised. I'm using a public wifi outside of my home country, and that triggers me using my private VPN times two. I have a VPS I mess around with, set up VPN on it. I've used it to access things like Netflix, which isn't available in my current country, get the 'correct' steam pricing, etc... If anybody really wanted to they could track me down from that IP address, but it'd probably require a warrant.

      But my VPS isn't even in the same time zone as my home, and I've recently changed addresses along with the move.

      I guess that if anybody asks I might not respond with 'no' to whether I'm on vacation, but with 'close, I'm on a business trip'.

      --
      I don't read AC A human right
    9. Re:vpn use triggers the 'cancel the order' logic by Anonymous Coward · · Score: 0

      If someone stole your CC info and successfully made a bunch of fraudulent purchases online, you'd be here on Slashdot whining that the merchants should have implemented a system to flag suspicious transactions.

    10. Re:vpn use triggers the 'cancel the order' logic by ninlilizi · · Score: 1

      This stuff drives me insane too.

      I live off-grid. I'm reasonably mobile and don't have an address. Any address, nor does any of my family... To complicate things my internet is via a satellite link that at times can terminate half a continent away.

      Places like Amazon and Ebay don't present any trouble at all... But any smaller or more specialised businesses is like playing Russian roulette. Worse, every so often I encounter a jobsworth who doesn't seem to have anything better to do with his week than cause me as much hassle as he can creatively manage.
      So I find myself having to learn to think and behave like a fraudster. So I can spend my own money without having to deal with all that drama.

    11. Re:vpn use triggers the 'cancel the order' logic by Anonymous Coward · · Score: 1

      No, chances are the VPN the OP is referring to is one of those out of the country bittorrent anonymizing services. An out of the country IP will immediately set off a red flag. If the IPs from that block the VPN service is using has been associated with fraudulent activity in the past it could get flagged as well.

      For 99% of legitimate home/business VPN use there will be no problem as the IP geolocates to a sane location. Paid VPN services, it won't.

    12. Re:vpn use triggers the 'cancel the order' logic by DNS-and-BIND · · Score: 1

      I'm in China getting things delivered to my U.S. address either to pick up the next time I'm home or to have drop-shipped to me here. Lots of places refuse to ship internationally or are idiots about it. Try ordering online from a Chinese IP address and let me know how that works out for you.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!

    13. Re:vpn use triggers the 'cancel the order' logic by Anonymous Coward · · Score: 0

      I'm reasonably mobile and don't have an address.

      I'm sure that gives interesting problems when filing taxes ...

    14. Re:vpn use triggers the 'cancel the order' logic by Anonymous Coward · · Score: 0

      Crap -- I didn't even think of the merchants selling me down the river. Time to change the MAC address and reboot the cable modem again. Aargh.

    15. Re:vpn use triggers the 'cancel the order' logic by Anonymous Coward · · Score: 0

      And that is the retailer's right to deny the purchase in the interest of preventing fraud. If you want things that badly, you should look into setting up an SSH or VPN back to your home connection when you are out of country. I've worked for an online etailer, and I've heard every excuse in the book. Simply put, we don't give a shit. We would rather lose the business than lose the product. Just because you are trying to buy something, doesn't mean it has to be sold to you.

  6. What's the problem? by FireballX301 · · Score: 3, Interesting

    If you use your card online, you're telling the retailer who you are and where you generally are, and having them do their homework is nothing but a good thing. Making people go through more verification steps if red flags are thrown is nothing but a good thing. If you use Tor and then buy something with a personal credit card or debit card, you're doing it wrong.

    If you want to stay anonymous, load a pre-paid debit card and jump through the anti fraud hoops. Nobody said staying off the grid was going to be easy.

    1. Re:What's the problem? by marxzed · · Score: 2

      Or you're trying to buy something your own, possibly less than enlightened, government doesn't want you to buy... you know, like a banned book or DVD. You know, stuff like that.

    2. Re:What's the problem? by FireballX301 · · Score: 1

      Sure, in which case you would have to be an idiot to use a personal card. Load a throwaway debit card or buy and use BTC. Anonymizing services do not help if you declare your identity at the other end.

    3. Re:What's the problem? by marxzed · · Score: 1

      Not really; the card details are often at the "land of the free" end rather than their homeland. From students I talk to from these countries, the credit card is set up with a relative somewhere in the US/Europe/Australia, so often it's a credit card in the UK or Australia buying goods in the US to go where the student is at home with his computer - somewhere like Burma etc.

    4. Re:What's the problem? by Jah-Wren+Ryel · · Score: 1

      If you use Tor and then buy something with a personal credit card or debit card, you're doing it wrong.

      Bullshit.

      Nowadays every little fucking detail that a merchant can glean from you goes into multiple databases that you have zero control over. It is preposterous that I should have to risk giving up my name and address to every website I've browsed from the same IP address that I placed an order from.

      Until merchants are legally prevented from sharing your personal information with whoever the fuck they want, it is morally reprehensible for them to expect customers to not take measures to protect their privacy.

      --
      When information is power, privacy is freedom.

    5. Re:What's the problem? by thegarbz · · Score: 1

      No it's not. It's not ever the retailer's job to verify credit cards are valid. That's the job of the credit card company and surprise surprise that already happens. Not only does shopping online present me with a 2 factor authentication option (mobile SMS or in my bank's case an RSA token), but any out of the normal purchases still get flagged for followup, like the other day I entirely legitimately ordered a computer via paypal from Israel. Got a call from the bank about 15min later asking if the transaction was valid. I ask them if the flag was the country and they said yes, but also stated that it would have been flagged anyway since I've never spent more than $100 on paypal before so this spend was out of the ordinary.

      The only point of this is to enforce geo-caching.

    6. Re:What's the problem? by thegarbz · · Score: 1

      Err Geofencing, not geocaching.

    7. Re:What's the problem? by Anonymous Coward · · Score: 0

      Retailers get penalized for chargebacks. Period. The credit card companies are not their friends and are more than willing to let them eat the cost of a fraudulent charge as often as they can get away with it. If the retailers on their own initiative can stop fraud before the card gets charged it reduces their risk of getting stuck with the loss later.

    8. Re:What's the problem? by gmack · · Score: 4, Insightful

      You are so wrong it's not even funny. The retailer is almost always held responsible for any fraud. If a charge is determined to be fraudulent the retailer is out the money plus a chargeback fee and on top of that, the event is kept track of so if the overall total gets too high, the merchant account gets terminated.

    9. Re:What's the problem? by Anonymous Coward · · Score: 0

      If the shipping address matches the billing address, where on the Internet the connection came from shouldn't be considered much of a risk factor in an intelligent risk model. As VPN use becomes more common for people to attempt to avoid spying by their ISPs and their national police state agencies (e.g. NSA), merchants and processors who use risk models that assign high risk scores to low risks will be pushing business to their smarter competitors who don't.

    10. Re:What's the problem? by fl!ptop · · Score: 1

      If a charge is determined to be fraudulent the retailer is out the money plus a chargeback fee

      Plus almost certainly the inventory sold...

      --
      When you recognize love in another and realize how precious it is, everything else seems so insignificant.

    11. Re:What's the problem? by Anonymous Coward · · Score: 0

      If a charge is determined to be fraudulent the retailer is out the money plus a chargeback fee

      Plus almost certainly the inventory sold...

      If I have $5
      Buy some item for $5 and sell to "you" for $6
      Find out it wasn't you and return your money ($6) I'm not in the hole $11

      It doesn't really make sense to count both, either you should look at the loss as the lost revenue ("out the money") or lost asset ("inventory sold").

    12. Re:What's the problem? by thegarbz · · Score: 1

      No the only thing funny is that you think that a) the laws are the same everywhere and b) that I didn't fact check before posting.

      The retailer is NOT liable in a chip and pin transaction or in a CNP transaction that uses the 3-D Secure protocol online.

      And think logically for a second, why should a retailer be liable for use of a credit card which has been checked by the issuer using 2-factor authentication?

    13. Re:What's the problem? by gmack · · Score: 1

      What does logic have to do with it? I work for a company that uses 3d secure and it has changed nothing about how the bank treats us when a chargeback happens.

  7. Is that really going to work? by duke_cheetah2003 · · Score: 1

    Um.. last time I checked, exit nodes are not a stable thing. They come and go. Kind of hard to block/detect a moving target, I'd think.

    1. Re:Is that really going to work? by Anonymous Coward · · Score: 0

      Well, the "fraud hunters" sure as heck missed the likes(ilk) of Meyer Lansky, Bernie Madoff, Leonid Nevzlin, Jeffery Epstein, Guy Rosen, "E"-lie Gelman, et al, et horribilis, to name a few...

      it juST BOGGLES THE MIND TO THINK THAT SOME OF THOSE LISTED ABOVE HAVE THEIR PAWS IN THE I.T. "security" sector!

    2. Re:Is that really going to work? by Anonymous Coward · · Score: 0

      It's actually pretty easy since the Tor Project maintains a list of active exit nodes:
      https://check.torproject.org/cgi-bin/TorBulkExitList.py

    3. Re:Is that really going to work? by gmack · · Score: 1

      Thankfully tor exports a handy list of exit nodes. This list is also kept in other places and it came in handy a few months back when someone used tor to flood my ssh server with a massive amount of ssh logins. You can even find some scripts that parse the list and turn it into an iptables ruleset.
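Added example (not part of the thread, and not any commenter's script): a sketch of the two uses described above, tagging a client address as a listed Tor exit and turning the list into iptables rules for SSH. It assumes the list is plain text with one address per line and `#` comment lines; the sample list, the one-hour freshness limit and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample in the assumed plain-text shape. The addresses come
# from documentation ranges; they are not real Tor exits.
SAMPLE_EXIT_LIST = """\
# constructed sample list
192.0.2.10
198.51.100.7
198.51.100.7
2001:db8::53
not-an-ip
203.0.113.200
"""


def parse_exit_list(text):
    """Return a set of address objects; skip comments, blanks and junk."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            exits.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # one malformed line should not abort a refresh
    return exits


class ExitSet:
    """Parsed exit list plus its fetch time.

    Exit nodes come and go, so a lookup against an old copy returns
    'unknown' instead of pretending the address is clean.
    """

    def __init__(self, text, fetched_at):
        self.addrs = parse_exit_list(text)
        self.fetched_at = fetched_at  # seconds since the epoch

    def lookup(self, client_ip, now, max_age_s=3600):
        """Return 'tor_exit', 'not_listed' or 'unknown'."""
        if now - self.fetched_at > max_age_s:  # assumed freshness limit
            return "unknown"
        try:
            ip = ipaddress.ip_address(client_ip)
        except ValueError:
            return "unknown"
        # Dual-stack servers may report IPv4 clients as ::ffff:a.b.c.d
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        return "tor_exit" if ip in self.addrs else "not_listed"


def ssh_drop_rules(addrs, port=22):
    """Build one DROP command per listed address for the given TCP port."""
    rules = []
    for ip in sorted(addrs, key=lambda a: (a.version, int(a))):
        tool = "iptables" if ip.version == 4 else "ip6tables"
        rules.append(f"{tool} -A INPUT -s {ip} -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    exits = ExitSet(SAMPLE_EXIT_LIST, fetched_at=1000)
    for addr in ("198.51.100.7", "::ffff:192.0.2.10", "192.0.2.11"):
        print(addr, exits.lookup(addr, now=1500))
    print("\n".join(ssh_drop_rules(exits.addrs)))
```

For order screening the lookup result is one input to a risk decision; the `unknown` state keeps a stale list from silently passing or flagging anyone.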

  8. WTB 99x potions, deliver behind starbucks by Anonymous Coward · · Score: 1

    Go to starbucks, use tor, ask to deliver behind starbucks. Seems legit.

  9. You dont understand identity theft by Anonymous Coward · · Score: 0

    Drop locations my friend.

    You have a lot of learning to do.

    1. Re:You dont understand identity theft by Anonymous Coward · · Score: 0

      Wow, that went from "you kinda have a point" to "batshit crazy" in 3 sentences.

  10. Not about catching fraudsters on Tor by Anonymous Coward · · Score: 0

    It's all about regionization and the merchants wanting the ability to charge what the market will bear. They don't want people from Australia or Canada or New Zealand paying the same price as people from the US. Or maybe it's all about the credit card companies wanting to charge more interest to you than those people over there. Ummm, I think I'll wander off and polish my tinfoil hat now.

    1. Re:Not about catching fraudsters on Tor by jonwil · · Score: 1

      Not really, they use the shipping address to detect foreign purchases. (and more and more online retailers are detecting and blocking the use of re-shippers)

  11. Question. A quick acid test for fake websites? by Anonymous Coward · · Score: 0

    For example, look at this address (http://www.niytkic.com/) for Louboutin shoes which was advertised to me on Facebook. The advert kept changing that niytkic bit but always redirected to the same main website, and this made me really suspicious! I also changed its http to https but Firefox said their SSL certificate was no good or self-signed just like this new site I found: http://www.77sell.co.uk. Despite having a .co.uk the latter address doesn't have a physical address in the UK but sells to UK customers! Surely that's a red flag?

  12. Flat earth view of the world by Anonymous Coward · · Score: 0

    The annoying thing with this retarded kind of alert system is world citizens like me who have credit cards from one country, mostly live in another country and want things shipped to a third country, because I have assets in 4 countries. And if you were wondering, there are many, many millions of people in this situation.

  13. This approach assumes a landlink by Anonymous Coward · · Score: 0

    I am on 10mbit satellite in a rural area of Canada. Four times per day my downlink changes: Early morning it is New Jersey, by evening it is one of 3 places in California. I use ABP, but when I disable it for certain sites (like this one, but except for this one) I get barraged by ads of/from women who live only 4-6 miles away (nevermind that we use the METRIC system in Canada, and that the nearest civilisation, building, payphone etc is 48km away).

    This tech, if adopted globally, would cripple my online purchasing. Keep in mind that there are more ppl using sat internet than you imagine.

    Moving along:

    This is BS. These folks should pull their heads out of their behinds, stop scamming VCs and go to school and learn how the internet works. Then try to implement a similar solution on the unobscured internet and cut their teeth on it, before printing business cards and selling their -if-they-use-tor-they-are-criminals-and-for-a-lot-of-money-we-will-pretend-to-help-you-cut-down-on-fraud- solution to ppl/companies that are tech illiterate.

    I liken ppl who are tor users to ppl who cup their hand over the pinpad at the grocery store while they punch in their pin, and one should not assume that a tor user has something to hide.

    BTW, I have never used TOR, but I totally agree with the need for it.

    ChaOS

    1. Re:This approach assumes a landlink by Anonymous Coward · · Score: 0

      You have a very valid point. You also have to consider large companies with restricted internet gateways. When I was with AT&T, 20 years ago, they had internet gateways in New Jersey (and elsewhere up north), but none in Atlanta, so all of my internet traffic looked like I was in Holmdel or Murray Hill.

  14. Only works for basement dwellers by flyingfsck · · Score: 1

    Tor is a simple way to protect yourself from the bloke running Kismet and Ettercap behind you in an airport coffee shop. Geeks who design this kind of crappy 'security' systems should get out of their mom's basements more.

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!

  15. IP doesn't really mean anything geographically by Anonymous Coward · · Score: 0

    So what if I don't hide it, but my IP shows Norway, USA, or wherever the hell else the oil rig's satellite link comes out at, and I live in Canada, I can't buy stuff online? Out there for weeks, can't always "just wait until I get home".

  16. Good by NoKaOi · · Score: 2

    I can't seem to find anything in the article that says they're automatically blocking all orders from Tor users. It's just one tool. If they're using it like most spam filters, then it's like saying they're detecting emails with the word "Viagra." It doesn't mean it's being blocked, it means it's a red flag that should signal further scrutiny, and presumably if there are many red flags then it would warrant more detailed scrutiny by a human. Frankly, having an online retailer assess the risk of each order to determine if further scrutiny is warranted seems like a GOOD thing, but in the summary's myopia all it's seeing is the spin that this is anti-Tor and therefore evil.

    All that said, why would anybody think that using Tor when placing an online order with a credit card would protect them from NSA spying? The retailer obviously knows who you are because you're giving them all your credit card info, and if you think it's to protect you from the NSA knowing what you're ordering, all you're doing is redflagging yourself by going through Tor, and I'm sure they're more likely to get your purchase info from Visa or your bank than from off the wire.

  17. You want my money, right? by Opportunist · · Score: 3, Insightful

    Oh, you don't? Well, ok, nice not doing business with you.

    NEXT!

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

    1. Re:You want my money, right? by Anonymous Coward · · Score: 1

      Yeah, I'm sure losing the huge militant TOR shopping market is going to cause retailers far more trouble than protecting the other 99.999% of their users from cc theft ;)

    2. Re:You want my money, right? by westlake · · Score: 1

      Oh, you don't? Well, ok, nice not doing business with you.

      Let me see if I understand this:

      Rather than bury your strangest, most suspect, purchases beneath a billion routine online sales, you want to give them a blood red flag by routing them through TOR? Remember that your suppliers will be demanding a valid shipping address, etc.

    3. Re:You want my money, right? by Opportunist · · Score: 1

      Probably not, but that's a sale someone else will make.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

    4. Re:You want my money, right? by Anonymous Coward · · Score: 1

      Yep, and the retailer will be quite happy with that.

      Let's pretend 2% of their orders are fraudulent, and that 75% of the fraudulent orders come through Tor, while about 1% of their "good" orders come through Tor (I think I'm being generous here as I work in IT and have never met or spoken to a single person who uses Tor as a matter of course).

      Now, you can plug some numbers in here about profit margin, cost of goods and shipping etc - but ultimately unless you live in a fantasy world, the retailer preventing a significant number of (very high cost) fraudulent orders massively outweighs them losing a similar number of (only marginally profitable) genuine orders.

      And nothing of value was lost.
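Added example (not from the comment's author): the comment's own rates (2% of orders fraudulent, 75% of fraud via Tor, 1% of good orders via Tor) carried through Bayes' rule and into a per-10,000-order comparison of blocking Tor orders versus sending them to manual review. The profit, loss, review cost and review catch rate are constructed assumptions, as is the simplification that review never rejects a good order.

```python
def tor_posterior(fraud_rate, tor_given_fraud, tor_given_good):
    """Bayes' rule: return (P(Tor), P(fraud | Tor))."""
    tor_and_fraud = fraud_rate * tor_given_fraud
    tor_and_good = (1 - fraud_rate) * tor_given_good
    p_tor = tor_and_fraud + tor_and_good
    return p_tor, tor_and_fraud / p_tor


def break_even_fraud_probability(profit_per_good, loss_per_fraud):
    """Rejecting an order pays off once P(fraud) exceeds this value.

    Derived from p * loss > (1 - p) * profit.
    """
    return profit_per_good / (profit_per_good + loss_per_fraud)


def compare_policies(n_orders, fraud_rate, tor_given_fraud, tor_given_good,
                     profit_per_good, loss_per_fraud,
                     review_cost, review_catch_rate):
    """Gain of each policy relative to accepting every order."""
    tor_fraud = n_orders * fraud_rate * tor_given_fraud
    tor_good = n_orders * (1 - fraud_rate) * tor_given_good

    # Block: every Tor fraud is avoided, every good Tor sale is lost.
    block_gain = tor_fraud * loss_per_fraud - tor_good * profit_per_good

    # Review: pay per reviewed order, stop only the fraud that review catches.
    review_gain = (tor_fraud * review_catch_rate * loss_per_fraud
                   - (tor_fraud + tor_good) * review_cost)

    return {
        "tor_fraud_orders": tor_fraud,
        "tor_good_orders": tor_good,
        "block_gain": block_gain,
        "review_gain": review_gain,
    }


# Rates stated in the comment.
RATES = dict(fraud_rate=0.02, tor_given_fraud=0.75, tor_given_good=0.01)

# ASSUMPTIONS (constructed): $100 order at 20% margin; a fraudulent order
# costs the $80 of goods plus a $20 chargeback fee; review costs $3 per
# order and catches 90% of fraud.
ECONOMICS = dict(profit_per_good=20.0, loss_per_fraud=100.0,
                 review_cost=3.0, review_catch_rate=0.9)

if __name__ == "__main__":
    p_tor, p_fraud = tor_posterior(**RATES)
    print(f"share of orders via Tor: {p_tor:.2%}")
    print(f"P(fraud | Tor):          {p_fraud:.1%}")
    print(f"break-even P(fraud):     "
          f"{break_even_fraud_probability(20.0, 100.0):.1%}")
    for key, value in compare_policies(10_000, **RATES, **ECONOMICS).items():
        print(f"{key:18s} {value:10.0f}")
```

The outcome depends heavily on the 75% and 1% figures, which the comment itself presents as pretend numbers.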

    5. Re:You want my money, right? by Anonymous Coward · · Score: 0

      Says someone who has never had to deal with large scale online CC fraud.

    6. Re:You want my money, right? by Anonymous Coward · · Score: 0

      I think you misunderstand, Opportunist is right, while the Tor market is tiny, given the recent Snowden-gate revelations, combined with the Pirate Browser bundle, Tor use has been skyrocketing. If they want to be so dumbtarded and turn them away, more power to them when they hit chapter 11.

    7. Re:You want my money, right? by coinreturn · · Score: 1

      I think you misunderstand, Opportunist is right, while the Tor market is tiny, given the recent Snowden-gate revelations, combined with the Pirate Browser bundle, Tor use has been skyrocketing. If they want to be so dumbtarded and turn them away, more power to them when they hit chapter 11.

      Skyrocketed? You mean like doubled or tripled, from 3 users to 6 or 9?

    8. Re:You want my money, right? by Anonymous Coward · · Score: 0

      Skyrocketed? You mean like doubled or tripled, from 3 users to 6 or 9?

      I was actually being serious, mind you this is slashdot.

    9. Re:You want my money, right? by Opportunist · · Score: 1

      Nah, I only audit companies for PCI DSS...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  18. Yes. Wouldn't you? by SmallFurryCreature · · Score: 1

    Blame the criminals. Security, especially effective security is ALWAYS inconvenient. It would be much easier if I come home to simply push open the door but thanks to those who can't keep their hands off other people's stuff I have to first open two locks.

    Dutch banks recently started blocking ATM access by default, you have to unlock the card if you want to use it anywhere in the world. It stops East Europeans from withdrawing money on your card in their country. Same reason there is a withdrawal limit on most cards per day. If it is stolen they can't empty your entire account in one day and hopefully the next day you will have had it blocked.

    This is inconvenient but do you really want to use a system that ignores obvious warning flags because losing your money is preferable over losing a sale?

    Remember they are protecting you just as much as themselves.

    Now your particular example will probably pass if you ordered from them before because the delivery is to your registered address. But what if someone ordered with your card at your regular webstore but wanted the item shipped to Nigeria with the idea that you might be going on holiday there and wanted the item to arrive there with you? It is feasible, and in court you would lose your money because you made the deal as far as the store could know and you insisted online there be no security.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

    1. Re:Yes. Wouldn't you? by sI4shd0rk · · Score: 1

      Blame the criminals.

      Blame the terrorists for the government violating our rights! The government has nothing to do with it; really!

      No, I'm not going to blame the bogeymen; I'm going to blame the people who are inconveniencing me, and if I believe their security is unreasonable, I simply won't buy anything from them.

      --
      Ignorance is a choice

    2. Re:Yes. Wouldn't you? by Jane+Q.+Public · · Score: 1

      "Blame the criminals."

      Not just no, but HELL NO. I blame the retailers (and credit card industry) for failing to find a convenient and yet secure way to make my payment.

      If you make it inconvenient for me, I won't buy. It's that simple. So get on it.

  19. IPv6 tunnels by alanw · · Score: 3, Informative

    I've been getting up to speed on IPv6 and have a tunnel from he.net (tunnelbroker.net). It seems to pop out somewhere on the other side of the Atlantic, judging from geographically targeted advertising. Several big sites are already IPv6 enabled (Firefox plugin SixOrNot), e.g. Facebook, Google, Youtube.

  20. Geo-fencing, nothing more. by thegarbz · · Score: 1

    Ever ask yourself why the merchant would spend money on this? I mean there's no risk to the merchant. If stuff is bought with a stolen credit card then the credit card company or the bank bears the risk. Not to mention the amount of security already in the credit card system. For instance my bank requires 2-factor authentication for any online order over $50. The Verified by VISA window pops up and asks for my RSA token, or optionally a number that gets SMS'd to my mobile if I don't have the token on me. On top of that orders that are verified by VISA still go through the standard fraud identification process, i.e. they look at purchasing patterns and then flag anything out of the norm such as a country you don't normally do business in or a merchant you don't normally spend that amount with.

    So if the merchant bears no risk then the question remains why would they do it? Oh that's right geo-fencing. It would be screwing the company out of their not at all hard earned dollars if I were able to buy something from the USA rather than pay the extortionate prices locally.

    1. Re:Geo-fencing, nothing more. by hankwang · · Score: 2

      "If stuff is bought with a stolen credit card then the credit card company or the bank bears the risk."

      I highly doubt that; the thief could have a friend set up an online merchant, make $2000 purchases of virtual goods and split the profit.

      The reason merchants are so careful is that the merchants will have to eat the loss in case of a fraudulent transaction.

    2. Re:Geo-fencing, nothing more. by kinko · · Score: 1

      Ever ask yourself why the merchant would spend money on this? I mean there's no risk to the merchant. If stuff is bought with a stolen credit card then the credit card company or the bank bears the risk.

      No, it's the merchant who bears all the risk. If someone disputes a charge, the merchant's acquiring bank writes a friendly letter asking for proof of the card-holder's authorization, eg a signed receipt. If you can't offer evidence that it was authorized, then you get a chargeback (ie they deduct the purchase amount from your account) and you are out of the value of whatever you mailed out to the customer.

      When we sold stuff online, obviously we don't get physical signatures, but normally we could convince the customer that they had made the purchase (normally they forgot, or didn't recognise our name on their credit card bill) and the customer cancelled the dispute.

      Why would the bank voluntarily eat the loss for fraud/disputes? :)

    3. Re:Geo-fencing, nothing more. by thegarbz · · Score: 1

      In card not present scenarios the authorisation is given by VISA / Mastercard themselves via the issuing bank (i.e. my RSA token / SMS 2-factor check)

      By the way I never said the bank "voluntarily" eats the loss. :-)

      You're half right though. Turns out the rules vary by country. Where I live the merchant is covered providing the transaction is Chip & PIN for card present payments, and an additional authentication scheme (i.e. Verified by VISA) in a Card-Not-Present transaction.

    4. Re:Geo-fencing, nothing more. by thegarbz · · Score: 1

      Hmm you're half right. Turns out in the USA merchants are not protected. Where I live the merchant is protected if the transaction is Chip & PIN. For online purchases they are covered if they use 3-D Secure such as Verified by VISA.

    5. Re:Geo-fencing, nothing more. by Anonymous Coward · · Score: 0

      Well, in the US, nothing ever makes sense. We refuse to use any advanced technology in credit cards (i.e., chip & PIN). Furthermore, the credit card companies have made merchants responsible for all chargebacks or instances of fraud. Merchants particularly hate this because they lose the item without earning any money on it.

    6. Re:Geo-fencing, nothing more. by coofercat · · Score: 1

      No - not true. The merchant bears most of the risk. It's entirely wrong, and I'm amazed it's even legal, but that's how it is.

      If you set up an online shop, you'll find that you are asked to take on the risk of fraud, yet you don't get the card number or card address from the purchaser. That means you have no reasonable way to verify if the purchaser is fraudulent - even if you had a list of all the stolen cards or whatever, you still couldn't make that judgement. Instead, the card company does that fraud check for you, and tells you the card is good to go. You'll then ship product, after which they come back to you to say "sorry, that card was stolen". They then take their money back off you, and you're left without product and without money.

      I wonder if this sort of thing is even legal in the UK any more. Financial companies now have to treat customers fairly (under FSA/FCA rules), and I'm left wondering if this would hold up as "fair" if it was challenged. However, until such a time, the merchant is almost entirely liable for any card fraud.

  21. Are you an actual moron? by SmallFurryCreature · · Score: 3, Insightful

    The parent wrote it down for you. You are placing an order with your credit card and shipping address. What MORE could they possibly need in your "dossier"? Or do you think a webstore's order database is magically off limits? Or that the NSA is only snooping on your internet connection and not the webstore?

    If you don't want people to know your weird hobby, don't pay it online with your registered credit card and home address. The moment you do, privacy doesn't exist anymore.

    And you do deserve being called a MORON because clearly you have no clue about security and/or TOR and/or anonymity.

    Remember the Silk Road story? How was he caught? By sleuthing, by connecting anonymous messages together through identifiers.

    You want to use TOR to place an order, a MESSAGE, with in that message your CREDIT CARD and HOME ADDRESS? Why not also include that amazingly funny nick you thought of that you also use in all your "let's blow up the government" posts and make their job extra easy?

    This stuff should really be obvious, if you use an anonymous message service, don't include personal identifiers. The general advice is to avoid any mention of GENDER, TIMEZONE, use of slang, catchphrases etc etc. And you think it is a good idea to include your fucking HOME ADDRESS and credit card details.

    Tor has one use, to hide your IP, and you just gave them your address instead. If you don't get the stupidity of your idea, you really just shouldn't bother with TOR, you are just going to screw up anyway.

    You are not alone in this, the other responder below also just doesn't get it. What does your IP have to do with your credit card? Both are registered to the same person?

    Security, it is a LOT harder than people think.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

    1. Re:Are you an actual moron? by Anonymous Coward · · Score: 0

      digital content + pre-loaded debit = me not needing to give MY credit card nor MY address.

      Now, when it comes to a physical object, I'm not sure how one can remain truly anonymous. But you still have plausible deniability if using Tor + pre-loaded debit. This might be important for such purposes as divorce court in case the wife finds those tickets you purchased for you and the mistress to go to Maui.

    2. Re:Are you an actual moron? by myowntrueself · · Score: 1

      That's the thing; if you are using an anonymising service like TOR to use a de-anonymising service like a credit card something doesn't add up and you should be flagged as suspicious! It only makes sense to wonder wtf is going on with this person.

      --
      In the free world the media isn't government run; the government is media run.

    3. Re:Are you an actual moron? by AmiMoJo · · Score: 1

      It's more of a convenience thing, which will result in lost sales. I use VPN almost all the time, and if a site doesn't work with it then it has to be pretty special to make me disconnect just to use it.

      It's one more barrier to making a sale, along with not displaying postage prices before registering and nonsense like that.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

    4. Re:Are you an actual moron? by coofercat · · Score: 1

      I'm sorry, I have to pick you up on this.

      I use Tor for shopping, banking whatever. The reasons I do this are many and varied, but I don't see why the retailer needs to know my IP address and therefore current location for me to order something. Sure, they know where to send it, and they know where I live, but they have no business knowing that I'm at the dog track, or visiting my mistress or goofing off at work, or out of town for a few days on vacation or anything else.

      And so, yes, there are very good reasons to hide your IP address, even if you're subsequently giving away personal details.

    5. Re:Are you an actual moron? by Anonymous Coward · · Score: 0

      You are placing an order with your credit card and shipping address. What MORE could they possibly need in your "dossier"?

      Your IP address. The store records your IP address and your physical address - and then anyone to whom they sell that information gains the ability to tie your IP address to your physical location.

      More fundamentally - why are you asking me why I want my privacy? I'm supposed to be allowed to have it for its own sake.

  22. It isn't so black & white by AlienSexist · · Score: 1

    I've seen these techniques in production merchant systems and really it is just another point of data by which businesses can scrutinize orders for risk. What truly is amazing is how many different data facets are available to merchants to compose their rules for fraud risk tolerance. I have not yet personally observed a merchant having a rule that rejected orders solely based upon proxy, VPN, or Tor detection. Some legitimate merchants, in fact, cater to a highly paranoid demographic where a significant number of their customers do this (like doomsday preppers).

    Now if a shopper is using some sort of IP concealment, is using a credit card issued by a bank known for lax consumer validation, the card has been used 20 times across 8 other merchants in the past 3 hours, and the shopper is using a disposable email address then they may be declined. I've once seen a rule based upon if the individual has been evicted from a property, having had any judgements against them, or have had any felonies.

    Coincidentally, I saw a press release from a solutions provider announcing having been awarded a patent for their technique of penetrating a proxy's concealment to establish the user's true origin. I know how much /.ers love patents. Sure this all sounds terrifying as a consumer. As an online merchant it is an invaluable tool to help prevent being robbed out of business. Now that LexisNexis was hacked and Experian sold SSNs data to thieves... expect new waves of crime.

  23. Anonymous Proxy and Tor Detection by tgotchi · · Score: 1

    I think it is not something new to screen online frauds behind Tor IPs. I'm using a free FraudLabs Pro screening service which already has the IPs detected as proxy. It surely reduced the number of frauds in online business.

    1. Re:Anonymous Proxy and Tor Detection by leuk_he · · Score: 1

      Tor has a service to detect exit points.

      Besides that, block everything, and no complaints will reach you as well. The sales will be lower because of this. FraudLabs denies any responsibility in their ToS... so it will become your problem again in the end.

    2. Re:Anonymous Proxy and Tor Detection by Anonymous Coward · · Score: 0

      name names named by servers.... did it "detect" Guy Rosen`s, Eli Gelman`s, and Paul Sagan`s IPO addresses?
      they seem to be located near where they deposited all their fraudulently obtained monies; the little (big-ass) tax-wormhole israel.

  24. Asking for problems by Anonymous Coward · · Score: 0

    Its updated DOTS IP Address Validation product identifies 'suspicious' discrepancies between the user's home location and the location of the IP address the order's coming from.

    If it uses city based geolocation, then that isn't accurate, unless you also happen to live in the same city as your ISP, or have a dedicated IP block allocated for your city. Unlikely if you live in the UK.

  25. Well... by Anonymous Coward · · Score: 0

    The number of "harmless Tor users" shopping online is so minuscule compared to the overall online population that is shopping that it doesn't matter much. If they want to protect their privacy and all, then they will appreciate retailers doing these extra checks and causing them to jump through a couple of extra hoops, since the retailers are trying to protect themselves and their customers.

  26. not new, and a little more complex. CVV2, etc. by raymorris · · Score: 2

    If you're asking that something be shipped to Toronto and you want to charge someone living in Florida, that's -3 points. If you enter the CVV2 from the back of the card, that's +3 points and they balance out.

    If you've had prior transactions at least 90 days ago that weren't disputed, that's +2 points. Using an OPEN proxy -4. Business CC +1.

    Depending on the value of the transaction, it could be immediately approved, you could be asked for more information, or the merchant could manually check and approve or decline. For example, the merchant can ask for the bank phone number that's also printed on the back of the card.
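
Added example (not part of the original comment, and not any vendor's actual system): the point scheme described above written as a small Python scorer. The weights are the ones quoted in the comment; the value tiers, score cut-offs, field names and sample orders are assumptions made up for illustration.

```python
from dataclasses import dataclass, field, replace
from datetime import date, timedelta

# Weights as quoted in the comment above.
WEIGHTS = {"ship_bill_mismatch": -3, "cvv2_entered": 3, "aged_clean_history": 2,
           "open_proxy": -4, "business_card": 1}

# ASSUMPTION (not from the page): value tiers and score cut-offs.
# (max order value, min score to auto-approve, min score to ask for more info)
TIERS = [(50.0, -2, -5), (500.0, 0, -3), (float("inf"), 2, -1)]

@dataclass
class Order:
    amount: float
    ship_region: str
    billing_region: str
    placed_on: date
    cvv2_entered: bool = False
    via_open_proxy: bool = False
    business_card: bool = False
    prior_undisputed: list = field(default_factory=list)  # dates of clean charges

def signals(order):
    """Names of the scoring signals that fire for this order."""
    aged = order.placed_on - timedelta(days=90)
    checks = {
        "ship_bill_mismatch": order.ship_region != order.billing_region,
        "cvv2_entered": order.cvv2_entered,
        # Only an undisputed charge at least 90 days old counts, as in the comment.
        "aged_clean_history": any(d <= aged for d in order.prior_undisputed),
        "open_proxy": order.via_open_proxy,
        "business_card": order.business_card,
    }
    return [name for name, fired in checks.items() if fired]

def score(order):
    return sum(WEIGHTS[name] for name in signals(order))

def decide(order):
    """Map score and order value to approve / request_more_info / manual_review."""
    total = score(order)
    for max_amount, approve_at, ask_at in TIERS:
        if order.amount <= max_amount:
            if total >= approve_at:
                return "approve"
            return "request_more_info" if total >= ask_at else "manual_review"

# Constructed sample orders (not real data).
DAY = date(2013, 11, 1)
BALANCED = Order(40.0, "Toronto", "Florida", DAY, cvv2_entered=True)
PROXY_MISMATCH = Order(300.0, "Toronto", "Florida", DAY, cvv2_entered=True,
                       via_open_proxy=True)
PROXY_KNOWN = Order(300.0, "Florida", "Florida", DAY, cvv2_entered=True,
                    via_open_proxy=True, prior_undisputed=[DAY - timedelta(days=120)])
PROXY_KNOWN_BIG = replace(PROXY_KNOWN, amount=900.0)

if __name__ == "__main__":
    for o in (BALANCED, PROXY_MISMATCH, PROXY_KNOWN, PROXY_KNOWN_BIG):
        print(o.amount, signals(o), score(o), decide(o))
```

In the last two sample orders the open-proxy penalty is outweighed by the CVV2 and aged-history signals, so the outcome turns on the order value rather than on the proxy alone.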

    1. Re:not new, and a little more complex. CVV2, etc. by tlhIngan · · Score: 1

      If you're asking that something be shipped to Toronto and you want to charge someone living in Florida, that's -3 points. If you enter the CVV2 from the back of the card, that's +3 points and they balance out.

      If you've had prior transactions at least 90 days ago that weren't disputed, that's +2 points. Using an OPEN proxy -4. Business CC +1.

      Depending on the value of the transaction, it could be immediately approved, you could be asked for more information, or the merchant could manually check and approve or decline. For example, the merchant can ask for the bank phone number that's also printed on the back of the card.

      You missed one - shipping address is on record with card holder. Your credit card has a billing address that is checked for matches, and you can put in a number of additional addresses on your card, so when a retailer does an extended address verification (only the billing shows up on a normal verification), the shipping address can be matched to one already on the card.

      It's easy to do (just call your card company and ask to add addresses, and remember to delete old ones). That information is propagated to card processors so it takes around 24 hours to sync up.

      Having the shipping address on your card certainly helps a lot - transactions can get flagged if you're suddenly shipping to a new address.

      And yes, some banks even allow you to add in non-local addresses - I have a US address, and that's on my card as well.

      Even if the online system doesn't check automatically, retailers are free to call the provider and ask to verify the address as per manual checks.

    2. Re:not new, and a little more complex. CVV2, etc. by Jane+Q.+Public · · Score: 1

      "If you're asking that something be shipped to Toronto and you want to charge someone living in Florida, that's -3 points. If you enter the CVV2 from the back of the card, that's +3 points and they balance out.

      If you've had prior transactions at least 90 days ago that weren't disputed, that's +2 points. Using an OPEN proxy -4. Business CC"

      Making doing business with you inconvenient for me: -10.

      I'll buy from the other guy.

  27. Masked face in a shop: Not exactly by DrYak · · Score: 1

    Making a credit card purchase online via TOR is like going into a shop to buy something using a credit card WITH A STOCKING OVER YOUR FACE.

    I don't agree with this metaphor. See what the parent poster mentioned:

    Umm.. the user is ordering something using their name, credit card, and address. They are not going to use Tor to protect their anonymity.

    It's like a guy who usually drives around in an all-black, no-markings vehicle with smoked glass. Gets out of it while wearing a stocking over the face.
    Then, while waiting in the queue, suddenly removes the stocking, smiles at the cashier, pays, immediately puts his stocking back, and drives away.

    (Note: Except in some places in Europe that have specific laws against covered faces)

    It's a much more pertinent parallel:
    - At first glance, wanting permanent anonymity might seem as silly online (having Tor turned on 100% of the time) as IRL (buzzing around the town on mundane chores while having a constantly masked face)...
    - ...until you realise how much your privacy is invaded both online (constant monitoring by advertisers and/or government) and IRL (cameras almost everywhere, all on-line and abuse, including by government itself) to the point that you *NEED* silly measures (Tor always online, or - for example - having Dazzle-makeup).

    - Also, vis-a-vis the store, in both situations, the masking is similarly futile. Both IRL (the masked individual completely un-covers in front of the cashier and the cover is blown at that moment) and online (even if the *connection* is anonymized with Tor, the transaction requires full disclosure of almost any detail. If the credit card is fraudulent, it's easy to send a policeman instead of a package to the user's address)
    - Anonymity is *still* somewhat preserved to others, though. Both IRL (as long as the government isn't tapping into the store's on-line security cams, the cover won't be blown) and on-line (as long as the store's communication [SSL] and database are not compromised, no 3rd party will be able to track the user, even if the user isn't anonymous to the store itself).

    I don't think that raising the risk level associated with a transaction based on the client using tor is unreasonable.

    No, IT IS COMPLETELY unreasonable and asinine.
    The proposed "Tor test" is done by comparing the geolocalisation of the incoming IP with all the data of the transaction.
    There are actually way more cases where a discrepancy would be detected even when Tor isn't actually used:
    - think about people ordering from their workplace's computer (or from university, from library, from Starbucks, etc.) stuff to be delivered at home using their private credit card.
    - and that's discounting all the badly configured ISPs which don't report a correct address. My ISP reports as a nearby village, because that's where their datacenter is located and thus that's the address with which their IP range is associated. So that would be an "always false positive" for your test. My mobile ISP has an IP range for the whole country, thus it's not possible to track the IP down to a tower, only to "somewhere in the country". So both I and a potential thief will be reported as being in the same country. So that would be an "always false negative" for your test.

    To get back to the masked face equivalent, it would be to introduce a policy of suspecting anyone having a covered face... except that there's a mime school in the same building as your shop and on the other side of the street there is a clown circus, so 90% of your clients do wear make-up on a regular basis.

    Also realize that this would only be one of many sanity checks employed. Is the shipping address to the address listed on the cc for example. The credit card company also checks where the card was used, for things like buying gas at 1pm and then buying it again at 2pm 100 miles away. They also consider the t

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:Masked face in a shop: Not exactly by myowntrueself · · Score: 1

      A couple of only tangentially related things pop out at me from this:

      In 'The Prisoner' series people go around wearing capes and carrying umbrellas; there is ubiquitous surveillance and people like to feel that they can don some sense of privacy. The people in control don't care about these because really it's useless and doesn't mask their identity, but it makes them feel better.

      In Moorcock's 'Hawkmoon' series EVERYONE in the UK wears masks ALL THE TIME.

      --
      In the free world the media isn't government run; the government is media run.
  28. I am sure other retailers will profit... by Anonymous Coward · · Score: 0

    It is not a good business strategy to block your customers, regardless of the good intentions.

  29. more anti-anonymity security stupidity by Anonymous Coward · · Score: 0

    I have an old server at my parents' place; figured I'd let it run a Tor relay, since they hardly use any of their bandwidth anyhow. Note, this is just a relay, not an exit node. About a month or so later I get a phone call from my parents asking for help: they'd been on the phone with their bank all morning trying to figure out why the bank won't let them log in and just gives them a mysterious error message. The support drones had walked them through every browser configuration issue imaginable, and could not figure out what was going on. I had an idea.

    I tried to access the bank from my location. Worked fine. Then I fired up "Tor browser" and tried to access the bank. What do you know, I got the same error message my parents reported. (Just a white unbranded page, with something like a connection refused message and an event number.)

    So I'm thinking that the bank has gotten a list of IPs of relay nodes and has blacklisted it as a Tor site; even though relays (of course) do not directly access the bank.

    I tell my parents to (and how to) reboot their router. The router comes back up with a new dynamic IP address from the ISP. And like magic, the bank works fine again... at least perhaps until the next time they update their blacklist IPs.

    What security does the bank get for blacklisting Tor-related IPs (even relays)? Virtually none. It's just sad that they apparently are so incompetent as to think they do. It almost seems just vindictive that they'd ban relay IPs. But it probably just is incompetence and lack of understanding, and hysteria.

    Of course it could just be a coincidence and they banned that IP for some other reason. I can't know for sure. But no other reason seems likely, as that IP had been assigned for quite a while before the event. And now some other unfortunate random ISP customer may find themselves blacklisted....

  30. Geolocation sucks by ad5mqesj · · Score: 1

    I am not concerned about an inability to use TOR when shopping online; I am concerned about using IP geolocation to try to match my physical address. I live in a rural area of Colorado. When I first moved here 6 years ago, Google's automatic geolocation decided I was in Spain and insisted on showing me everything in Spanish; eventually I was able to convince them I speak English, but then they decided I was in Seattle since my ISP is there. They offer an unlimited, uncapped connection for a flat rate that none of the local ISPs will match; since I am a software developer who works from home and frequently needs to video conference or stay connected to many remote machines 24/7, I can't tolerate data caps. Now I have a fixed IP supplied by the nearest peering company (Mammoth in Denver) which is at least in the same state, but still a hundred miles away. Worse, many companies use an address verification scheme that seems to think my street address doesn't exist - anyone trying to "verify" my shipping address, especially by IP, is not going to do business with me..... Sadly they are unlikely to care since people like me are a tiny minority, but it's damn irritating nonetheless. Still, this sort of "verification" is likely to be highly unreliable, and make many many people angry and frustrated when their routine checkouts fail - perhaps if enough people complain they'll drop this nonsense.

    1. Re:Geolocation sucks by Anonymous Coward · · Score: 0

      "They offer unlimited, uncapped connection for a flat rate that none of the local ISPs will match"
      What's the company?!

    2. Re:Geolocation sucks by madhi19 · · Score: 1

      Yeah, same here: when I changed from DSL to fiber it totally fucked up my geolocation, probably because Bell's main "Fibe" servers are in Montreal.

  31. good point. Several other checks. by raymorris · · Score: 1

    That's a good point. Re "you missed one", I left out quite a few. There are checks we do as soon as you land on the page, before you even fill in the form.

  32. "Fraud" is just a boot wedging the door open by Catbeller · · Score: 1

    "Fraud protection" is just the opening pretext for this kind of service. People hare off debating retailer rights and all that, but what we are looking at here is a new commercial service which will offer a handy blacklist to any government, employer, store or random schmuck which will be used to remove internet privileges from anyone who doesn't want a giant "HERE HE IS" Google Earth arrow floating over his location. Another deanonymizer. Another goddamned bar in our prison cage. No one gets to be anonymous, or hide their location, not if they want to actually *use* the internet.

    In other news, isn't Dick Cheney's house location still classified, and removed from Google Earth? (Used to be.) How does that work? The rabble live in a goldfish bowl, but the powerful get to remove the metadata of their very existence from the internet. This is about POWER, kids, not about vendor protection or security. Knowledge of what you do, what you say, where you are - that's power that gods have. Some people get to be gods, and spend their lives off-grid, like Cheney did, and the rest are goldfish in the gods' aquarium.

  33. Not inconvenient 99.99% of the time, your info by raymorris · · Score: 1

    > Making doing business with you inconvenient for me: -10.

    9,999 out of 10,000 people will never see anything from the scrubbing. When / if you've purchased things online, have you noticed we're geoip matching against the CC address? Probably not.

    For most people, the only time you'll ever notice is when you either get an authorized charge from someone who didn't do anything to confirm
    who is using your card, or get a call letting you know that likely fraud was detected.

    > I'll buy from the other guy.

    I understand that TRENDnet makes zero effort at security, leaving their IP cameras wide open for anyone to watch your home.
    I bet they also make no effort to protect your credit card from fraudulent charges, so you may want to shop with them.
    For myself, I'm glad that for credit cards, "the other guy" is most likely using the exact same fraud scrubbing system.
    As an example, 80% of paid subscription sites use the same scrubbing on the backend, and 40% of paid subscription sites use
    the same front end security to make sure it's actually you logging into your account (specifically, they use our system on the front end).

    1. Re:Not inconvenient 99.99% of the time, your info by Jane+Q.+Public · · Score: 1

      "9,999 out of 10,000 people will never see anything from the scrubbing. When / if you've purchased things online, have you noticed we're geoip matching against the CC address?"

      Well, I guess I am that 1 out of 10,000. Because yes, I have noticed, because I was refused on that basis (incorrectly, by the way). And guess what? I no longer do business with that company.

      In fact, I have considered writing about it, when I have some spare time.

  34. typo s/authorized/unauthorized/ by raymorris · · Score: 1

    That should read:

    For most people, the only time you'll ever notice is when you either get an UNauthorized charge from someone who didn't do anything to confirm
    who is using your card, or get a call letting you know that likely fraud was detected.

  35. No, I just don't care about anonymity in this case by Bite+The+Pillow · · Score: 1

    My transaction is between me and the retailer, who will know my name and address. I don't care if that person or company knows it. I do care that HTTPS is probably easier to crack than HTTP plus multiple onion encryptions.

    I don't have any "let's blow up the government" posts. And if they are monitoring the store, my activities are legal so I'm not worried. So your straw man argument holds no water.

    I would, however, prefer to keep it as quiet as possible, and TOR allows me to at least attempt that. Once again, I don't care about anonymity to the retailer. I'm using onion routing to provide me:

    1) multiple layers of encryption
    2) external anonymity between me and the retailer

    I realize that anyone running an exit node could be intent on revealing my secret, but HTTPS on the last hop is better than a direct connection from my home.

    I'm not sure why you felt the need to reply so angrily to this post, especially when you simply misunderstood it. Sounds like either projection or a blind knee-jerk response to what you see as a misuse of TOR. Maybe in a previous life you were an inflatable animal and didn't like being raped. It's no matter to me, but you might want to look into it. The first step to getting better is apologising - I can wait.