[Rhodes22-list] Shoddy credit card security
Michael D. Weisner
mweisner at ebsmed.com
Fri Oct 24 23:26:24 EDT 2008
Elle,
For explanations of various website terminology, you may find this site
helpful: http://www.domaintools.com/domain-help/status-codes.php
It's easy to check the status of your domain. Just go to the InterNIC Whois
listing (http://www.internic.com/whois.html), enter your domain name and
check the STATUS. What you want to see is this:
Status: REGISTRAR-LOCK.
Registrar-lock means that your domain name is locked and can't be
transferred until you manually "unlock" it. A lock keeps any transfer from
taking place, so be sure to unlock the domain before you try to transfer it.
Some registrars automatically lock domain names, while others offer it as an
option. Check with your registrar to be sure your domain name is safely
locked away. There should not be a charge for this service.
Mike
s/v Shanghaid'd Summer ('81)
Nissequogue River, NY
----- Original Message -----
From: "elle" <watermusic38 at yahoo.com>
To: "The Rhodes 22 Email List" <rhodes22-list at rhodes22.org>
Sent: Friday, October 24, 2008 8:43 PM
Subject: Re: [Rhodes22-list] Shoddy credit card security
> You need to protect your domain names very carefully,
>> maintaining tight
>> security on passwords (change them often) and locking the
>> registration to
>> prevent domain slammers from moving them.
>
>
> Mike,
>
> How does one 'lock' the registration?
>
> elle
>
> We can't change the angle of the wind....but we can adjust our sails.
>
> 1992 Rhodes 22 Recyc '06 "WaterMusic" (Lady in Red)
>
>
> --- On Fri, 10/24/08, Michael D. Weisner <mweisner at ebsmed.com> wrote:
>
>> From: Michael D. Weisner <mweisner at ebsmed.com>
>> Subject: Re: [Rhodes22-list] Shoddy credit card security
>> To: "The Rhodes 22 Email List" <rhodes22-list at rhodes22.org>
>> Date: Friday, October 24, 2008, 2:14 PM
>> Herb,
>>
>> First of all, I was not talking about folks who follow the
>> rules, or the law
>> for that matter. I was thinking about Internet criminals
>> who illegally
>> change the DNS to point to their copy site, collect the
>> information, and
>> then send it on to the original site so as not to be
>> detected. These
>> schemes are rampant in banking fraud. The classic case
>> does not even
>> require one to repoint the nameserver but simply send out a
>> phishing email
>> with an embedded link to the target site, pointed to the
>> interception site.
>> I must get 10 emails daily, requesting contributions to
>> McCain's political
>> campaign and have detected several that contain phishing
>> links. They were
>> forwarded to abuse at johnmccain.com, although I never
>> received any
>> confirmation from them that they were even remotely
>> interested in
>> investigating.
>>
>> BTW, I had one of my corporate domain names stolen by
>> domain name slammer
>> and used by a former employee. It seems that the registrar
>> sent US mail to
>> the business a few months prior to the expiration of the
>> domain
>> registration. The mail was directed to the employee since
>> he managed that
>> site. He appears to have responded to the letter, paid the
>> registration and
>> moved the site to them.
>>
>> We are prosecuting on several fronts ("all sorts of
>> legal action"),
>> including mail fraud (the most significant penalty) and it
>> is anything but
>> straightforward. The name of the entity (corporation,
>> individual, etc.) has
>> no real claim on the domain. The site is still under his
>> control and legal
>> papers served on the hosting agent has not been able to
>> recover or delist
>> the domain.
>>
>> You need to protect your domain names very carefully,
>> maintaining tight
>> security on passwords (change them often) and locking the
>> registration to
>> prevent domain slammers from moving them. My advice is not
>> to rely on the
>> legal system for protection, since many of these agencies
>> on the Internet
>> are not within our borders and do not respond or answer to
>> our legal system.
>>
>> Mike
>> s/v Shanghai'd Summer ('81)
>> Nissequogue River, NY
>>
>> From: "Herb Parsons"
>> <hparsons at parsonsys.com>Sent: Friday, October 24, 2008
>>
>> 1:31 PM
>> > Oh no no no, you are so wrong.
>> >
>> > If I own the a domain name, and in my case I do -
>> parsonsys.com, anyone
>> > else that lays claim to a web site using my name is
>> subject to all sorts
>> > of legal action.
>> >
>> > Furthermore, if you were decide one day that you
>> wanted to "park" the
>> > domain name herbparsons.com (or even barakobama.com),
>> and could show no
>> > legitimate use for it other than wanting to reserve it
>> (in other words,
>> > your name wasn't Herb Parsons, or Barak Obama, you
>> didn't have a
>> > legitimate company with that name, ), I could
>> challenge you for the
>> > domain name, and would almost certainly win.
>> >
>> > Face it, barakobama.com is Barak Obama's web site.
>> Official.
>> >
>> >
>> > I can not build a website and state on it that
>> "This is the official web
>> > site for the
>> >
>> > Michael D. Weisner wrote:
>> >> Herb,
>> >>
>> >> >From your past responses, I presume that you
>> are involved in some form
>> >> >of IT
>> >> consulting and should therefore know that there is
>> really no such thing
>> >> as
>> >> "an official site." While I am not
>> looking to provide an out for the
>> >> Obama
>> >> campaign, as implied by your "good try",
>> I was just thinking that what
>> >> appears may not be exactly so. I am sure that
>> there are crooks in all
>> >> walks
>> >> of life, I was just indicating that this may be a
>> different kind of
>> >> crook: a
>> >> thief robbing the thieves, if you will. It
>> probably would not be that
>> >> hard
>> >> to interpose a harvester site to intercept such
>> lucrative info enroute to
>> >> a
>> >> poorly secured site. Since everyone is blaming
>> the Obama campaign for
>> >> lax
>> >> security, they might be ripped off and might not
>> even know because of the
>> >> security failures!
>> >>
>> >> The "official" registration, at the
>> prestigious GoDaddy.com (tongue
>> >> firmly
>> >> ...) is the registrar of record is as follows:
>> >>
>> >> Registrant:
>> >> Obama for America
>> >> 233 N. Michigan Ave
>> >> Suite 1100
>> >> Chicago, Illinois 60601
>> >> United States
>> >>
>> >> Registered through: GoDaddy.com, Inc.
>> (http://www.godaddy.com)
>> >> Domain Name: BARACKOBAMA.COM
>> >> Created on: 28-Dec-04
>> >> Expires on: 28-Dec-15
>> >> Last Updated on: 16-Oct-07
>> >>
>> >> It is interesting to note that the site was
>> created nearly 4 years ago.
>> >> When did he decide to run??
>> >>
>> >> Mike
>> >> s/v Shanghaid'd Summer ('81)
>> >> Nissequogue River, NY
>> >>
>> >> From: "Herb Parsons"
>> <hparsons at parsonsys.com>Sent: Friday, October 24,
>> >> 2008
>> >> 12:35 AM
>> >>
>> >>> good try, but it's his official site.
>> >>>
>> >>> Michael D. Weisner wrote:
>> >>>
>> >>>> Brad,
>> >>>>
>> >>>> Newsflash - maybe the site is not real!
>> What a great way to collect
>> >>>> credit
>> >>>> card info and cash! Set up a bogus prez
>> candidate donation site to
>> >>>> collect
>> >>>> credit card numbers. Now why didn't I
>> think of that?
>> >>>>
>> >>>> Mike
>> >>>> s/v Shanghaid'd Summer ('81)
>> >>>> Nissequogue River, NY
>> >>>>
>> >>>> From: "Brad Haslett"
>> <flybrad at gmail.com>Sent: Thursday, October 23,
>> >>>> 2008
>> >>>> 11:06 PM
>> >>>>
>> >>>>
>> >>>>> Ben,
>> >>>>>
>> >>>>> Follow up report-
>> >>>>>
>> >>>>> One thing I learned from my old boss
>> at CFS in Little Rock in the late
>> >>>>> 70's is never, never, ever do
>> anything on credit with a political
>> >>>>> campaign. Obama is living on the
>> "float".
>> >>>>>
>> >>>>> Brad
>> >>>>>
>> >>>>> ----------------
>> >>>>>
>> >>>>> BarackObama.com's Lax Security
>> Opens Door to Online Donor Fraud
>> >>>>>
>> >>>>>
>> >>>>> by Patrick Ruffini | October 23, 2008
>> at 2:26 PM
>> >>>>>
>> >>>>>
>> >>>>> I just contributed $5 to Barack Obama.
>> >>>>>
>> >>>>> I didn't want to. Ideally, I could
>> have contributed $0.01 and cost
>> >>>>> them money. But it was the only way to
>> confirm the root cause of the
>> >>>>> fraudulent micro-donations to the
>> Obama campaign ("Doodad Pro" for
>> >>>>> $17,300 and "Good Will" for
>> $11,000).
>> >>>>>
>> >>>>> The Obama campaign has turned its
>> security settings for accepting
>> >>>>> online contributions down to the bare
>> minimum -- possibly to juice the
>> >>>>> numbers, and turning a blind eye
>> towards the potential for fraud not
>> >>>>> just against the FEC, but against
>> unsuspecting victims of credit card
>> >>>>> fraud.
>> >>>>>
>> >>>>> The issue centers around the Address
>> Verification Service (or AVS)
>> >>>>> that credit card processors use to
>> sniff out phony transactions. I was
>> >>>>> able to contribute money using an
>> address other than the one on file
>> >>>>> with my bank account (I used an
>> address I control, just not the one on
>> >>>>> my account), showing that the Obama
>> campaign deliberately disabled AVS
>> >>>>> for its online donors.
>> >>>>>
>> >>>>> AVS is generally the first line of
>> defense against credit card fraud
>> >>>>> online. AVS ensures that not only is
>> your credit card number accurate,
>> >>>>> but the street address you've
>> submitted with a transaction matches the
>> >>>>> one on file with your bank.
>> >>>>>
>> >>>>> Authorize.net, the largest credit card
>> gateway provider in the
>> >>>>> country, lists AVS as a "Standard
>> Transaction Security Setting,"
>> >>>>> recommends merchants use it, and turns
>> it on by default. So, in order
>> >>>>> for AVS to be turned off, it has to be
>> intentional, at least with
>> >>>>> Authorize.net.
>> >>>>>
>> >>>>> Authorize.net's website describes
>> it this way:
>> >>>>>
>> >>>>> Bankcard processors implemented the
>> Address Verification Service
>> >>>>> (AVS) to aid merchants in the
>> detection of suspicious transaction
>> >>>>> activity. The payment processing
>> network compares the billing address
>> >>>>> provided in the transaction with the
>> cardholder's address on file at
>> >>>>> the credit card issuing bank. The
>> processing network returns an AVS
>> >>>>> response code that indicates the
>> results of this comparison to the
>> >>>>> payment gateway. You can configure
>> your account to reject certain
>> >>>>> transactions based on the AVS code
>> returned. For example, the AVS code
>> >>>>> "A" indicates that the
>> street address matched, but the first five
>> >>>>> digits of the ZIP Code did not.
>> >>>>>
>> >>>>> The end result? "Donors"
>> like "Doodad Pro" can submit tons of
>> >>>>> donations totaling well above the
>> $2,300 limit using different bogus
>> >>>>> addresses (this does clarify how
>> donations from "Palestine", or PA,
>> >>>>> got through). And the campaign has no
>> way to reliably de-dupe these
>> >>>>> donations, besides looking at the last
>> four digits of the credit card
>> >>>>> number, which with 3.1 million donors
>> is an identifier that could be
>> >>>>> shared by literally hundreds of
>> donors, and is not as easy to eyeball
>> >>>>> like a common name or address would
>> be. The ability to contribute with
>> >>>>> a false address, when the technology
>> to prevent it not only exists but
>> >>>>> comes standard, is a green light for
>> fraud.
>> >>>>>
>> >>>>> One could understand the oversight if
>> prior to the bogus donor story
>> >>>>> breaking. But you'd think they
>> would have taken measures to step up
>> >>>>> their donor security in the aftermath
>> of the revelations. Having AVS
>> >>>>> turned on would have stopped or
>> significantly deterred the fraudulent
>> >>>>> donations (or, at a very minimum, made
>> them easily detectable). By
>> >>>>> turning this basic setting off, the
>> Obama campaign invited this kind
>> >>>>> of fraud and has taken no steps to
>> correct it.
>> >>>>>
>> __________________________________________________
>> >>>>> To subscribe/unsubscribe or for help
>> with using the mailing list go to
>> >>>>> http://www.rhodes22.org/list
>> >>>>>
>> __________________________________________________
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>
>> __________________________________________________
>> >>>> To subscribe/unsubscribe or for help with
>> using the mailing list go to
>> >>>> http://www.rhodes22.org/list
>> >>>>
>> __________________________________________________
>> >>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>
>> __________________________________________________
>> >>> To subscribe/unsubscribe or for help with
>> using the mailing list go to
>> >>> http://www.rhodes22.org/list
>> >>>
>> __________________________________________________
>> >>>
>> >>>
>> >>>
>> >>
>> >> __________________________________________________
>> >> To subscribe/unsubscribe or for help with using
>> the mailing list go to
>> >> http://www.rhodes22.org/list
>> >> __________________________________________________
>> >>
>> >>
>> >>
>> > __________________________________________________
>> > To subscribe/unsubscribe or for help with using the
>> mailing list go to
>> > http://www.rhodes22.org/list
>> > __________________________________________________
>> >
>> >
>>
>> __________________________________________________
>> To subscribe/unsubscribe or for help with using the mailing
>> list go to http://www.rhodes22.org/list
>> __________________________________________________
>
>
>
> __________________________________________________
> To subscribe/unsubscribe or for help with using the mailing list go to
> http://www.rhodes22.org/list
> __________________________________________________
>
>
More information about the Rhodes22-list
mailing list