[Rhodes22-list] Shoddy credit card security

Herb Parsons hparsons at parsonsys.com
Fri Oct 24 13:31:30 EDT 2008 

Oh no no no, you are so wrong.

If I own the a domain name, and in my case I do - parsonsys.com, anyone 
else that lays claim to a web site using my name is subject to all sorts 
of legal action.

Furthermore, if you were decide one day that you wanted to "park" the 
domain name herbparsons.com (or even barakobama.com), and could show no 
legitimate use for it other than wanting to reserve it (in other words, 
your name wasn't Herb Parsons, or Barak Obama, you didn't have a 
legitimate company with that name, ), I could challenge you for the 
domain name, and would almost certainly win.

Face it, barakobama.com is Barak Obama's web site. Official.


I can not build a website and state on it that "This is the official web 
site for the

Michael D. Weisner wrote:
> Herb,
>
> >From your past responses, I presume that you are involved in some form of IT 
> consulting and should therefore know that there is really no such thing as 
> "an official site."  While I am not looking to provide an out for the Obama 
> campaign, as implied by your "good try", I was just thinking that what 
> appears may not be exactly so.  I am sure that there are crooks in all walks 
> of life, I was just indicating that this may be a different kind of crook: a 
> thief robbing the thieves, if you will.  It probably would not be that hard 
> to interpose a harvester site to intercept such lucrative info enroute to a 
> poorly secured site.  Since everyone is blaming the Obama campaign for lax 
> security, they might be ripped off and might not even know because of the 
> security failures!
>
> The "official" registration, at the prestigious GoDaddy.com (tongue firmly 
> ...) is the registrar of record is as follows:
>
> Registrant:
>    Obama for America
>    233 N. Michigan Ave
>    Suite 1100
>    Chicago, Illinois 60601
>    United States
>
>    Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
>    Domain Name: BARACKOBAMA.COM
>       Created on: 28-Dec-04
>       Expires on: 28-Dec-15
>       Last Updated on: 16-Oct-07
>
> It is interesting to note that the site was created nearly 4 years ago. 
> When did he decide to run??
>
> Mike
> s/v Shanghaid'd Summer ('81)
>        Nissequogue River, NY
>
> From: "Herb Parsons" <hparsons at parsonsys.com>Sent: Friday, October 24, 2008 
> 12:35 AM
>   
>> good try, but it's his official site.
>>
>> Michael D. Weisner wrote:
>>     
>>> Brad,
>>>
>>> Newsflash - maybe the site is not real!  What a great way to collect 
>>> credit
>>> card info and cash!  Set up a bogus prez candidate donation site to 
>>> collect
>>> credit card numbers.  Now why didn't I think of that?
>>>
>>> Mike
>>> s/v Shanghaid'd Summer ('81)
>>>        Nissequogue River, NY
>>>
>>> From: "Brad Haslett" <flybrad at gmail.com>Sent: Thursday, October 23, 2008
>>> 11:06 PM
>>>
>>>       
>>>> Ben,
>>>>
>>>> Follow up report-
>>>>
>>>> One thing I learned from my old boss at CFS in Little Rock in the late
>>>> 70's is never, never, ever do anything on credit with a political
>>>> campaign. Obama is living on the "float".
>>>>
>>>> Brad
>>>>
>>>> ----------------
>>>>
>>>> BarackObama.com's Lax Security Opens Door to Online Donor Fraud
>>>>
>>>>
>>>> by Patrick Ruffini | October 23, 2008 at 2:26 PM
>>>>
>>>>
>>>> I just contributed $5 to Barack Obama.
>>>>
>>>> I didn't want to. Ideally, I could have contributed $0.01 and cost
>>>> them money. But it was the only way to confirm the root cause of the
>>>> fraudulent micro-donations to the Obama campaign ("Doodad Pro" for
>>>> $17,300 and "Good Will" for $11,000).
>>>>
>>>> The Obama campaign has turned its security settings for accepting
>>>> online contributions down to the bare minimum -- possibly to juice the
>>>> numbers, and turning a blind eye towards the potential for fraud not
>>>> just against the FEC, but against unsuspecting victims of credit card
>>>> fraud.
>>>>
>>>> The issue centers around the Address Verification Service (or AVS)
>>>> that credit card processors use to sniff out phony transactions. I was
>>>> able to contribute money using an address other than the one on file
>>>> with my bank account (I used an address I control, just not the one on
>>>> my account), showing that the Obama campaign deliberately disabled AVS
>>>> for its online donors.
>>>>
>>>> AVS is generally the first line of defense against credit card fraud
>>>> online. AVS ensures that not only is your credit card number accurate,
>>>> but the street address you've submitted with a transaction matches the
>>>> one on file with your bank.
>>>>
>>>> Authorize.net, the largest credit card gateway provider in the
>>>> country, lists AVS as a "Standard Transaction Security Setting,"
>>>> recommends merchants use it, and turns it on by default. So, in order
>>>> for AVS to be turned off, it has to be intentional, at least with
>>>> Authorize.net.
>>>>
>>>> Authorize.net's website describes it this way:
>>>>
>>>>    Bankcard processors implemented the Address Verification Service
>>>> (AVS) to aid merchants in the detection of suspicious transaction
>>>> activity. The payment processing network compares the billing address
>>>> provided in the transaction with the cardholder's address on file at
>>>> the credit card issuing bank. The processing network returns an AVS
>>>> response code that indicates the results of this comparison to the
>>>> payment gateway. You can configure your account to reject certain
>>>> transactions based on the AVS code returned. For example, the AVS code
>>>> "A" indicates that the street address matched, but the first five
>>>> digits of the ZIP Code did not.
>>>>
>>>> The end result? "Donors" like "Doodad Pro" can submit tons of
>>>> donations totaling well above the $2,300 limit using different bogus
>>>> addresses (this does clarify how donations from "Palestine", or PA,
>>>> got through). And the campaign has no way to reliably de-dupe these
>>>> donations, besides looking at the last four digits of the credit card
>>>> number, which with 3.1 million donors is an identifier that could be
>>>> shared by literally hundreds of donors, and is not as easy to eyeball
>>>> like a common name or address would be. The ability to contribute with
>>>> a false address, when the technology to prevent it not only exists but
>>>> comes standard, is a green light for fraud.
>>>>
>>>> One could understand the oversight if prior to the bogus donor story
>>>> breaking. But you'd think they would have taken measures to step up
>>>> their donor security in the aftermath of the revelations. Having AVS
>>>> turned on would have stopped or significantly deterred the fraudulent
>>>> donations (or, at a very minimum, made them easily detectable). By
>>>> turning this basic setting off, the Obama campaign invited this kind
>>>> of fraud and has taken no steps to correct it.
>>>> __________________________________________________
>>>> To subscribe/unsubscribe or for help with using the mailing list go to
>>>> http://www.rhodes22.org/list
>>>> __________________________________________________
>>>>
>>>>
>>>>
>>>>         
>>> __________________________________________________
>>> To subscribe/unsubscribe or for help with using the mailing list go to 
>>> http://www.rhodes22.org/list
>>> __________________________________________________
>>>
>>>
>>>
>>>       
>> __________________________________________________
>> To subscribe/unsubscribe or for help with using the mailing list go to 
>> http://www.rhodes22.org/list
>> __________________________________________________
>>
>>
>>     
>
> __________________________________________________
> To subscribe/unsubscribe or for help with using the mailing list go to http://www.rhodes22.org/list
> __________________________________________________
>
>
>

More information about the Rhodes22-list mailing list