Slashdot Mirror


Online Retailers Cruising Tor To Hunt For Fraudsters

Daniel_Stuckey writes "This week, the verification company Service Objects announced a new tool to help websites detect 'suspicious' visitors using Tor and other anonymous proxies. Its updated DOTS IP Address Validation product identifies 'suspicious' discrepancies between the user's home location and the location of the IP address the order's coming from. It joins a handful of other tools on the market promising Tor-detection for retailers. It's a logical strategy: If you're trying to buy something with a stolen credit card, you're obviously going to want to block your real identity and location while doing it. But it also raises the question of whether targeting anonymity services to hunt out fraudsters could have chilling effects for harmless Tor users trying to protect their privacy online—particularly this year in light of the NSA-spying scandal."

11 of 188 comments

  1. LOL wut? by Anonymous Coward · · Score: 3, Interesting

    "But it also raises the question of whether targeting anonymity services to hunt out fraudsters could have chilling effects for harmless Tor users trying to protect their privacy online"

    Umm.. the user is ordering something using their name, credit card, and address. They are not going to use Tor to protect their anonymity.

    1. Re:LOL wut? by myowntrueself · · Score: 4, Funny

      "But it also raises the question of whether targeting anonymity services to hunt out fraudsters could have chilling effects for harmless Tor users trying to protect their privacy online"

      Umm.. the user is ordering something using their name, credit card, and address. They are not going to use Tor to protect their anonymity.

      But you certainly have a crowd that likes the idea of tor and has their browser always configured to use it. I don't think that raising the risk level associated with a transaction based on the client using tor is unreasonable. If this were a brick and mortar store, they'd probably be a little bit wary of doing a credit card sale to someone wearing a disguise that covered their face.

      Also realize that this would only be one of many sanity checks employed. Is the shipping address to the address listed on the cc for example. The credit card company also checks where the card was used, for things like buying gas at 1pm and then buying it again at 2pm 100 miles away. They also consider the type of merchandise as online purchase of electronics is rife with fraud, but very few people use a stolen card to buy socks.

      Making a credit card purchase online via TOR is like going into a shop to buy something using a credit card WITH A STOCKING OVER YOUR FACE.

      --
      In the free world the media isn't government run; the government is media run.
  2. Don't Go On Vacation Then by Jane Q. Public · · Score: 3, Insightful

    So... it's going to see my address is Florida but I'm making an online purchase from Toronto? And disallow it?

    That's probably the last time I'd do business with that company.

    1. Re:Don't Go On Vacation Then by RobHostetter · · Score: 5, Informative

      I am an online retailer. I lost $8,000 in one season from credit card fraud. When the cards are stolen, the fraudsters use it at a store. The cardholder then does a chargeback. The bank will refund the cardholder and take it from the retailer, so the retailer assumes all risk. Many online sales have 15% margins from which you have to pay advertising and labor costs. A single fraudulent sale can take 10-20 legitimate sales just to break even! Most of the fraudsters are from countries like Vietnam, China etc. They will ship often to a US address and the cardholder is a US address as well. The only thing us retailers have to go by is the location of the IP address. If that's from a country other than the cardholder's, that's a very strong signal that it's a fraudulent order. Size of order, fake phone number are also good signals. If you don't want an order flagged, then don't look like a fraudster! Place your order from your actual IP address.
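
Added example, not part of the thread and not any retailer's or vendor's code: the signals the comments above name (anonymizing proxy, IP country versus cardholder country, shipping versus billing address, phone plausibility, order size, merchandise category) combined into one score with tiered outcomes, so that no single signal cancels an order. The IP addresses, lookup tables, weights, thresholds and every function name are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data (documentation-range IPs). A real deployment would
# load a current anonymizing-proxy/Tor exit list and a GeoIP database instead.
ANON_EXIT_IPS = {"192.0.2.10"}
IP_COUNTRY = {"192.0.2.10": "DE", "203.0.113.5": "US",
              "203.0.113.77": "CA", "203.0.113.99": "VN"}

# Assumed weights and thresholds, for illustration only.
WEIGHTS = {"anon_proxy": 25, "ip_country_mismatch": 40, "ship_ne_billing": 15,
           "bad_phone": 20, "large_order": 15, "risky_category": 10}
VERIFY_AT, REVIEW_AT, LARGE_ORDER = 30, 60, 500.0

@dataclass
class Order:
    ip: str
    card_country: str
    billing_zip: str
    shipping_zip: str
    phone: str
    total: float
    category: str

def plausible_phone(phone):
    """Reject numbers that are too short or made of one or two repeated digits."""
    digits = [c for c in phone if c.isdigit()]
    return len(digits) >= 10 and len(set(digits)) > 2

def signals(o):
    hits = []
    if o.ip in ANON_EXIT_IPS:
        hits.append("anon_proxy")
    # An exit node's country says nothing about the buyer, so the country
    # comparison is only made for connections that are not anonymized.
    elif IP_COUNTRY.get(o.ip) not in (None, o.card_country):
        hits.append("ip_country_mismatch")
    if o.shipping_zip != o.billing_zip:
        hits.append("ship_ne_billing")
    if not plausible_phone(o.phone):
        hits.append("bad_phone")
    if o.total >= LARGE_ORDER:
        hits.append("large_order")
    if o.category == "electronics":
        hits.append("risky_category")
    return hits

def assess(o):
    """Return (score, action, hits); no single signal can reach REVIEW_AT."""
    hits = signals(o)
    score = sum(WEIGHTS[h] for h in hits)
    action = "review" if score >= REVIEW_AT else "verify" if score >= VERIFY_AT else "accept"
    return score, action, hits
```

With these assumed weights, a traveller whose IP country differs from the card's lands in `verify` rather than being cancelled, and only a stack of several signals reaches `review`.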

  3. Come on... by Mr Krinkle · · Score: 4, Insightful

    "But it also raises the question of whether targeting anonymity services to hunt out fraudsters could have chilling effects for harmless Tor users trying to protect their privacy online—particularly this year in light of the NSA-spying scandal."

    Seriously?

    Why would you ever need to "protect your privacy" via Tor etc, from an ONLINE SHOPPING SITE that you are GIVING YOUR CREDIT CARD AND SHIPPING INFORMATION TO?

    I mean, I'm as much anti NSA crap as the next guy. But come on. That said, cool tech. It would make sense that retailers would do this. I see this is a good thing, not a reason to slam the lizards running our government.

    --
    I am 31337 or something.
  4. vpn use triggers the 'cancel the order' logic by TheGratefulNet · · Score: 3, Informative

    I was trying to buy something from an online merchant. I happened to have been using my vpn at the time but I paid using my paypal account and the merchant accepted my order.

    an hour later they canceled it. gave no reason. I emailed them and they asked 'are you on vacation?'. no. they still canceled it.

    this has happened more than once.

    it's annoying as hell. the world is slowly becoming vpn-unfriendly.

    --
    "It is now safe to switch off your computer."
  5. What's the problem? by FireballX301 · · Score: 3, Interesting

    If you use your card online, you're telling the retailer who you are and where you generally are, and having them do their homework is nothing but a good thing. Making people go through more verification steps if red flags are thrown is nothing but a good thing. If you use Tor and then buy something with a personal credit card or debit card, you're doing it wrong.

    If you want to stay anonymous, load a pre-paid debit card and jump through the anti fraud hoops. Nobody said staying off the grid was going to be easy.

    1. Re:What's the problem? by gmack · · Score: 4, Insightful

      You are so wrong it's not even funny. The retailer is almost always held responsible for any fraud. If a charge is determined to be fraudulent the retailer is out the money plus a chargeback fee and on top of that, the event is kept track of so if the overall total gets too high, the merchant account gets terminated.

  6. You want my money, right? by Opportunist · · Score: 3, Insightful

    Oh, you don't? Well, ok, nice not doing business with you.

    NEXT!

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  7. IPv6 tunnels by alanw · · Score: 3, Informative

    I've been getting up to speed on IPv6 and have a tunnel from he.net (tunnelbroker.net). It seems to pop out somewhere on the other side of the Atlantic, judging from geographically targeted advertising. Several big sites are already IPv6 enabled (Firefox plugin SixOrNot), e.g. Facebook, Google, Youtube.

  8. Are you an actual moron? by SmallFurryCreature · · Score: 3, Insightful

    The parent wrote it down for you. You are placing an order with your credit card and shipping address. What MORE could they possibly need in your "dossier"? Or do you think a webstore's order database is magically off limits? Or that the NSA is only snooping on your internet connection and not the webstore?

    If you don't want people to know your weird hobby, don't pay it online with your registered credit card and home address. The moment you do, privacy doesn't exist anymore.

    And you do deserve being called a MORON because clearly you have no clue about security and/or TOR and/or anonymity.

    Remember the Silk Road story? How was he caught? By sleuthing, by connecting anonymous messages together through identifiers.

    You want to use TOR to place an order, a MESSAGE, with in that message your CREDIT CARD and HOME ADDRESS? Why not also include that amazingly funny nick you thought of that you also use in all your "let's blow up the government" posts and make their job extra easy?

    This stuff should really be obvious, if you use an anonymous message service, don't include personal identifiers. The general advice is to avoid any mention of GENDER, TIMEZONE, use of slang, catchphrases etc etc. And you think it is a good idea to include your fucking HOME ADDRESS and credit card details.

    Tor has one use, to hide your IP, and you just gave them your address instead. If you don't get the stupidity of your idea, you really just shouldn't bother with TOR, you are just going to screw up anyway.

    You are not alone in this, the other responder below also just doesn't get it. What does your IP have to do with your credit card? Both are registered to the same person?

    Security, it is a LOT harder than people think.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.