Online Retailers Cruising Tor To Hunt For Fraudsters

← Back to Stories (view on slashdot.org)

Online Retailers Cruising Tor To Hunt For Fraudsters

Posted by samzenpus on Thursday October 24, 2013 @04:33PM from the behind-the-curtain dept.

Daniel_Stuckey writes "This week, the verification company Service Objects announced a new tool to help websites detect 'suspicious' visitors using Tor and other anonymous proxies. Its updated DOTS IP Address Validation product identifies 'suspicious' discrepancies between the user's home location and the location of the IP address the order's coming from. It joins a handful of other tools on the market promising Tor-detection for retailers. It's a logical strategy: If you're trying to buy something with a stolen credit card, you're obviously going to want to block your real identity and location while doing it. But it also raises the question of whether targeting anonymity services to hunt out fraudsters could have chilling effects for harmless Tor users trying to protect their privacy online—particularly this year in light of the NSA-spying scandal."

31 of 188 comments (clear)

Min score:

Reason:

Sort:

LOL wut? by Anonymous Coward · 2013-10-24 16:42 · Score: 3, Interesting

"But it also raises the question of whether targeting anonymity services to hunt out fraudsters could have chilling effects for harmless Tor users trying to protect their privacy online"
Umm.. the user is ordering something using their name, credit card, and address. They are not going to use Tor to protect their anonymity.
1. Re:LOL wut? by petteyg359 · 2013-10-24 16:44 · Score: 2
  
  Why are they only allowed to attempt anonymity in relation to the store? Perhaps they just want to remain untracked by their ISP, and foul up any GeoIP-based advertising.
2. Re:LOL wut? by tattood · 2013-10-24 17:20 · Score: 2, Insightful
  
  "But it also raises the question of whether targeting anonymity services to hunt out fraudsters could have chilling effects for harmless Tor users trying to protect their privacy online"
  Umm.. the user is ordering something using their name, credit card, and address. They are not going to use Tor to protect their anonymity.
  That statement was not about normal people using TOR for online purchases. It was about people using TOR to hide their identity when doing things like posting to a controversial website, or whistleblowing. If this software catches on, and websites start using it to block TOR users, then it would make TOR less useful for posting anonymously.
  
  --
  WTB [sig], PST!!!
3. Re:LOL wut? by fluffy99 · 2013-10-24 17:48 · Score: 2
  
  "But it also raises the question of whether targeting anonymity services to hunt out fraudsters could have chilling effects for harmless Tor users trying to protect their privacy online"
  Umm.. the user is ordering something using their name, credit card, and address. They are not going to use Tor to protect their anonymity.
  But you certainly have a crowd that likes the idea of tor and has their browser always configured to use it. I don't think that raising the risk level associated with a transaction based on the client using tor is unreasonable. If this were a brick and mortar store, they'd probably be a little bit wary of doing a credit card sale to someone wearing a disguise that covered their face.
  Also realize that this would only be one of many sanity checks employed. Is the shipping address to the address listed on the cc for example. The credit card company also checks where the card was used, for things like buying gas at 1pm and then buying it again at 2pm 100 miles away. They also consider the type of merchandise as online purchase of electronics is rife with fraud, but very few people use a stolen card to buy socks.
4. Re:LOL wut? by lxs · 2013-10-24 17:59 · Score: 2, Insightful
  
  So they trust nobody and in turn expect stores to trust them? I don't think so. You can't have it both ways. Either behave like a normal customer and be treated as such or behave in an erratic paranoid manner and expect to receive the same treatment from your retailer. Just for fun, walk into a department store wearing a balaclava and look around three or four times before you pick up something. See how long it takes before security takes an interest in you.
5. Re:LOL wut? by myowntrueself · 2013-10-24 18:04 · Score: 4, Funny
  
  "But it also raises the question of whether targeting anonymity services to hunt out fraudsters could have chilling effects for harmless Tor users trying to protect their privacy online"
  Umm.. the user is ordering something using their name, credit card, and address. They are not going to use Tor to protect their anonymity.
  But you certainly have a crowd that likes the idea of tor and has their browser always configured to use it. I don't think that raising the risk level associated with a transaction based on the client using tor is unreasonable. If this were a brick and mortar store, they'd probably be a little bit wary of doing a credit card sale to someone wearing a disguise that covered their face.
  Also realize that this would only be one of many sanity checks employed. Is the shipping address to the address listed on the cc for example. The credit card company also checks where the card was used, for things like buying gas at 1pm and then buying it again at 2pm 100 miles away. They also consider the type of merchandise as online purchase of electronics is rife with fraud, but very few people use a stolen card to buy socks.
  Making a credit card purchase online via TOR is like going into a shop to buy something using a credit card WITH A STOCKING OVER YOUR FACE.
  
  --
  In the free world the media isn't government run; the government is media run.
6. Re:LOL wut? by Z00L00K · 2013-10-24 18:46 · Score: 2
  
  Just use AdBlock for that. Then they can do GeoIP all they want - I don't see their crap anyway.
  
  --
  If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
7. Re:LOL wut? by TapeCutter · 2013-10-24 19:20 · Score: 2
  
  Indeed, all trade is ultimately built on trust .
  
  --
  And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
8. Re:LOL wut? by fatphil · 2013-10-24 20:38 · Score: 2
  
  "This video contains content from Chaser Broadcasting Pty Ltd and The Australian Broadcasting Corporation, one or more of whom have blocked it in your country on copyright grounds. "
  
  Can someone in a country that is trusted please make an illegal copy and upload it elsewhere? I promise I won't make any further copies, as I'm a good law-abiding citizen.
  
  --
  Also FatPhil on SoylentNews, id 863
9. Re:LOL wut? by myowntrueself · 2013-10-24 20:52 · Score: 2
  
  I agree - no need to hide who you are when you go shopping. But you may want to hide your identity when you are writing something controversial as an AC.
  Or anonymously use a stolen credit card in an online store.
  
  --
  In the free world the media isn't government run; the government is media run.
10. Re:LOL wut? by TheCarp · 2013-10-25 03:42 · Score: 2
  
  > So they trust nobody and in turn expect stores to trust them? I don't think so
  They trust nobody is a pretty wild assumption to make. I use tor, I trust lots of people with lots of things. Why would you assume I trust nobody just because I don't blankly trust my ISP, their ISP, and everyone else down the chain that I don't even know to know everyone I talk to and do business with?
  
  --
  "I opened my eyes, and everything went dark again"
Don't Go On Vacation Then by Jane+Q.+Public · 2013-10-24 16:43 · Score: 3, Insightful

So... it's going to see my address is Florida but I'm making an online purchase from Toronto? And disallow it?

That's probably the last time I'd do business with that company.
1. Re:Don't Go On Vacation Then by RobHostetter · 2013-10-24 23:38 · Score: 5, Informative
  
  I am an online retailer. I lost $8,000 in one season from credit card fraud. When the cards are stolen, the frauders use it at a store. The cardholder then does a chargeback. The bank will refund the cardholder and take it from the retailer, so the retailer assumes all risk. Many online sales have 15% margins from which you have to pay advertising and labor costs. A single fraudulent sale can take 10-20 legitimate sales just to break even! Most of the frauders are from countries like Vietnam, China etc. they will ship often to a US address and the cardholder is a US address as well. The only thing us retailers have to go by is the location of the IP address. If that's from a country other than the cardholder's that's a very strong signal that it's a fraudulent order. Size of order, fake phone number are also good signals. If you don't want an order flagged, then don't look like a frauder! Place your order from your actual IP address.
2. Re:Don't Go On Vacation Then by coinreturn · 2013-10-25 01:10 · Score: 2
  
  I am an online retailer. I lost $8,000 in one season from credit card fraud. When the cards are stolen, the frauders use it at a store. The cardholder then does a chargeback. The bank will refund the cardholder and take it from the retailer, so the retailer assumes all risk. Many online sales have 15% margins from which you have to pay advertising and labor costs. A single fraudulent sale can take 10-20 legitimate sales just to break even! Most of the frauders are from countries like Vietnam, China etc. they will ship often to a US address and the cardholder is a US address as well. The only thing us retailers have to go by is the location of the IP address. If that's from a country other than the cardholder's that's a very strong signal that it's a fraudulent order. Size of order, fake phone number are also good signals. If you don't want an order flagged, then don't look like a frauder! Place your order from your actual IP address.
  Would you like to block my purchase under these conditions?
  1) My Internet IP address at work is about 1500 miles from my actual location at work. This is some sort of side-effect of how my employer (a very large corporation) has its connections to the Internet.
  2) When I'm on vacation, perhaps 3000 miles from home, I play a game with friends and love it. I go online to buy it and have it shipped home so I can play after vacation.
3. Re:Don't Go On Vacation Then by intermodal · 2013-10-25 02:15 · Score: 2
  
  If you don't want an order flagged, then don't look like a frauder! Place your order from your actual IP address.
  You seem to think users of privacy software care whether they get flagged on online orders. Generally speaking, these are users who do not stop and realize that they are reducing rather than increasing their privacy in this case. If they even realize at that moment that they are still using Tor. Most of them have probably not made the connection to the fact that they aren't protecting their privacy by using an anonymizing service to send you their order information that would have been sent via SSL anyway. All they do is make their order stand out more.
  If you really want to increase your privacy by using Tor, use it for stuff you aren't attaching personal information to, and don't use it where you're already completely exposing yourself.
  
  --
  In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
Come on... by Mr+Krinkle · 2013-10-24 16:44 · Score: 4, Insightful

". But it also raises the question of whether targeting anonymity services to hunt out fraudsters could have chilling effects for harmless Tor users trying to protect their privacy online—particularly this year in light of the NSA-spying scandal."
Seriously?
Why would you ever need to "protect your privacy" via Tor etc, from an ONLINE SHOPPING SITE that you are GIVING YOUR CREDIT CARD AND SHIPPING INFORMATION TO?
I mean, I'm as much anti NSA crap as the next guy. but come on. That said, cool tech. It would make sense that retailers would do this. I see this is a good thing, not a reason to slam the lizards running our government.

--
I am 31337 or something.
1. Re:Come on... by Bite+The+Pillow · 2013-10-24 17:49 · Score: 2
  
  Because cracking the onion has to be harder than https?
  I'm sure buying piles of fertilizer would set off alarms, but what if I want a variety of inflatable barnyard friends, rubber sheets, that 55 gallon drum of lube, and a celebrity masturbator(male)? I don't want to get that dossier started.
2. Re:Come on... by fatphil · 2013-10-24 20:47 · Score: 2
  
  Bollocks.
  
  I travel for work. There's precisely *no* reason why an online retailer should expect to have the right to know the locations of my clients. They can know my home address whither things should be delivered, but their need to know anything else about location ends right there.
  
  --
  Also FatPhil on SoylentNews, id 863
vpn use triggers the 'cancel the order' logic by TheGratefulNet · 2013-10-24 16:45 · Score: 3, Informative

I was trying to buy something from an online merchant. I happened to have been using my vpn at the time but I paid using my paypal account and the merchant accepted my order.
an hour later they canceled it. gave no reason. I emailed them and they asked 'are you on vacation?'. no. they still canceled it.
this has happened more than once.
its annoying as hell. the world is slowly becoming vpn-unfriendly.

--

--
"It is now safe to switch off your computer."
1. Re:vpn use triggers the 'cancel the order' logic by Anonymous Coward · 2013-10-24 16:54 · Score: 2, Informative
  
  This is extremely old. Pretty much every CC processor does a location lookup on the IP. If it's not within a certain distance of the card address, it brings the risk number up. Too high, and they deny it. Your fault really for using VPN anyways when it's shipping to your home with your name attached. Zero anonymity there genius.
2. Re:vpn use triggers the 'cancel the order' logic by Anonymous Coward · 2013-10-24 17:37 · Score: 2, Informative
  
  I've experienced exactly this. I'll even name names. NewEgg not only canceled my order but locked out my account when I placed an order while using an overseas VPN.
  I've also experienced the exact opposite of this. A few years ago when I was overseas in a third world country, the only way I was able to log in to my bank's webpage without instantly having my account locked was to use a U.S. based VPN.
3. Re:vpn use triggers the 'cancel the order' logic by Jah-Wren+Ryel · 2013-10-24 18:06 · Score: 2
  
  vpn use triggers the 'cancel the order' logic
  That's one of the main reasons I use a VPN. Since I have to give the merchant my shipping address and name I don't want them selling that info to the profilers like BlueKai or DoubleClick in conjunction with my real IP address because any traffic that leaks out via my real IP address would then be easy to cross-reference.
  If a merchant is going to require that I give up the privacy of my internet usage just to do business with them, I will just spend my money elsewhere.
  
  --
  When information is power, privacy is freedom.
What's the problem? by FireballX301 · 2013-10-24 16:50 · Score: 3, Interesting

If you use your card online, you're telling the retailer who you are and where you generally are, and having them do their homework is nothing but a good thing. Making people go through more verification steps if red flags are thrown is nothing but a good thing. If you use Tor and then buy something with a personal credit card or debit card, you're doing it wrong.

If you want to stay anonymous, load a pre-paid debit card and jump through the anti fraud hoops. Nobody said staying off the grid was going to be easy.
1. Re:What's the problem? by marxzed · 2013-10-24 16:54 · Score: 2
  
  or your trying to buy something your own, possibly less than enlightened, government doesn't want you to buy... you know like a banned book or DVD . you know stuff like that.
2. Re:What's the problem? by gmack · 2013-10-24 21:01 · Score: 4, Insightful
  
  You are so wrong it's not even funny. The retailer is almost always held responsible for any fraud. If a charge is determined to be fraudulent the retailer is out the money plus a chargeback fee and on top of that, the event is kept track of so if the overall total gets too high, the merchant account gets terminated.
Good by NoKaOi · 2013-10-24 18:01 · Score: 2

I can't seem to find anything in the article that says they're automatically blocking all orders from Tor users. It's just one tool. If they're using it like most spam filters, then it's like saying they're detecting emails with the word "Viagra." It doesn't mean it's being blocked, it means it's a red flag that should signal further scrutiny, and presumably if there are many redflags than it would warrant more detailed scrutiny by a human. Frankly, having an online retailer assess the risk of each order to determine if further scrutiny is warranted seems like a GOOD thing, but in the summary's myopia all it's seeing is the spin that this is anti-Tor and therefore evil.
All that said, why would anybody think that using Tor when placing an online order with a credit card would protect them from NSA spying? The retailer obviously knows who are because you're giving them all your credit card info, and if you think it's to protect you from the NSA knowing what you're ordering, all you're doing is redflagging yourself by going through Tor, and I'm sure they're more likely to get your purchase info from Visa or your bank than from off the wire.
You want my money, right? by Opportunist · 2013-10-24 18:47 · Score: 3, Insightful

Oh, you don't? Well, ok, nice not doing business with you.
NEXT!

--
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
IPv6 tunnels by alanw · 2013-10-24 18:54 · Score: 3, Informative

I've been getting up to speed on IPv6 and have a tunnel from he.net (tunnelbroker.net). It seems to pop out somewhere on the other side of the Atlantic, judging from geographically targeted advertising. Several big sites are already IPv6 enabled (Firefox plugin SixOrNot), e.g. Facebook, Google, Youtube.
Are you an actual moron? by SmallFurryCreature · 2013-10-24 19:04 · Score: 3, Insightful

The parent wrote it down for you. You are placing an order with your credit card and shipping address. What MORE could they possible need in your "dossier"? Or do you think a webstores order database is magically of limits? Or that the NSA is only snooping on your internet connection and not the webstore?
If you don't want people to know your weird hobby, don't pay it online with your registered credit card and home address. The moment you do, privacy doesn't exist anymore.
And you do deserve being called a MORON because clearly you have no clue about security and/or TOR and/or anonimity.
Remember the Silk Road story? How was he caught? By sleuthing, by connection anonymous messages together through identifiers.
You want to use TOR to place an order, a MESSAGE, with in that message your CREDIT CARD and HOME ADDRESS? Why not also include that amazingly funny nick you thought of that you also use in all your "lets blow up the government" posts and make their job extra easy?
This stuff should really be obvious, if you use an anonymous message service, don't include personal identifiers. The general advice is to avoid any mention of GENDER, TIMEZONE, use of slang, catchphrases etc etc. And you think it is a good idea to include your fucking HOME ADDRESS and credit card details.
Tor has one use, to hide your IP, and you just gave them your address instead. If you don't get the stupidity of your idea, you really just shouldn't bother with TOR, you are just going to screw up anyway.
You are not alone in this, the other responder below also just doesn't get it. What does your IP have to do with your credit card? Both are registered to the same person?
Security, it is a LOT harder then people think.

--

MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Re:Geo-fencing, nothing more. by hankwang · 2013-10-24 19:31 · Score: 2

"If stuff is bought with a stolen credit card then the credit card company or the bank bears the risk."
I highly doubt that; the thief could have a friend set up an online merchant, make $2000 purchases of virtual goods and split the profit.
The reason merchants are so careful is that the merchants will have to eat the loss in case of a fraudulent transaction.

--
Avantslash: low-bandwidth mobile slashdot.
not new, and a little more complex. CVV2, etc. by raymorris · 2013-10-25 00:34 · Score: 2

If you're asking that something be shipped to Toronto and you want to charge someone living in Florida, that's -3 points. If you enter the CVV2 from the back of the card, that's +3 points and they balance out.
If you've had prior transactions at least 90 days ago that weren't disputed, that's +2 points. Using an OPEN proxy -4. Business CC +1.
Depending on the value of the transaction, it could be immediately approved, you could be asked for more information, or the merchant could manually check and approve or decline. For example, the merchant can ask for the bank phone number that's also printed on the back off the card.