[Rhodes22-list] Shoddy credit card security

Herb Parsons hparsons at parsonsys.com
Sat Oct 25 13:02:39 EDT 2008


Absolutely, but that wasn't the original message from Michael. I agree 
with all his subsequent messages, but the original statement was that 
there was "no such thing as an official site".

There is indeed such a thing. And while there may be all manner of ways 
to screw things up, or let others screw things up, someone stealing, 
hacking, redirecting or any other type of maliciousness doesn't mean 
that there is no official site.

Back in the earlier days of the internet, when I knew less about what I 
was doing than I do now (read - naive), I had set up a web site and 
domain for a church organization. It was a "for free" thing, so no big 
deal. After a couple of years of reasonably heavy traffic, they decided 
to combine their site with a larger part of the organization, and just 
drop the domain name.

That's a bad mistake, we all learned to our horror. There are companies 
out there that don't care what the domain name is, ANY domain name that 
is getting regular traffic is desirable.

So, a porn site bought the name as soon as they let it go, and you can 
imagine the shocked results when people started trying to go to the new 
site.

I've since recommended to anyone that will listen - don't let domain 
names expire. Stop using them if you want, but pay the $100 or so, 
register them for ten years, and just shut 'em down.


elle wrote:
>> You need to protect your domain names very carefully, maintaining tight
>> security on passwords (change them often) and locking the registration to
>> prevent domain slammers from moving them.
>
> Mike,
>
> How does one 'lock' the registration?
>
> elle
>
> We can't change the angle of the wind....but we can adjust our sails.
>
> 1992 Rhodes 22   Recyc '06  "WaterMusic"   (Lady in Red)
>
> --- On Fri, 10/24/08, Michael D. Weisner <mweisner at ebsmed.com> wrote:
>
>> From: Michael D. Weisner <mweisner at ebsmed.com>
>> Subject: Re: [Rhodes22-list] Shoddy credit card security
>> To: "The Rhodes 22 Email List" <rhodes22-list at rhodes22.org>
>> Date: Friday, October 24, 2008, 2:14 PM
>>
>> Herb,
>>
>> First of all, I was not talking about folks who follow the rules, or the law
>> for that matter.  I was thinking about Internet criminals who illegally
>> change the DNS to point to their copy site, collect the information, and
>> then send it on to the original site so as not to be detected.  These
>> schemes are rampant in banking fraud.  The classic case does not even
>> require one to repoint the nameserver but simply send out a phishing email
>> with an embedded link to the target site, pointed to the interception site.
>> I must get 10 emails daily, requesting contributions to McCain's political
>> campaign and have detected several that contain phishing links.  They were
>> forwarded to abuse at johnmccain.com, although I never received any
>> confirmation from them that they were even remotely interested in
>> investigating.
>>
>> BTW, I had one of my corporate domain names stolen by a domain name slammer
>> and used by a former employee.  It seems that the registrar sent US mail to
>> the business a few months prior to the expiration of the domain
>> registration.  The mail was directed to the employee since he managed that
>> site.  He appears to have responded to the letter, paid the registration and
>> moved the site to them.
>>
>> We are prosecuting on several fronts ("all sorts of legal action"),
>> including mail fraud (the most significant penalty) and it is anything but
>> straightforward.  The name of the entity (corporation, individual, etc.) has
>> no real claim on the domain.  The site is still under his control and legal
>> papers served on the hosting agent have not been able to recover or delist
>> the domain.
>>
>> You need to protect your domain names very carefully, maintaining tight
>> security on passwords (change them often) and locking the registration to
>> prevent domain slammers from moving them.  My advice is not to rely on the
>> legal system for protection, since many of these agencies on the Internet
>> are not within our borders and do not respond or answer to our legal system.
>>
>> Mike
>> s/v Shanghai'd Summer ('81)
>> Nissequogue River, NY
>>
>> From: "Herb Parsons" <hparsons at parsonsys.com>
>> Sent: Friday, October 24, 2008 1:31 PM
>>
>>> Oh no no no, you are so wrong.
>>>
>>> If I own a domain name, and in my case I do - parsonsys.com, anyone
>>> else that lays claim to a web site using my name is subject to all sorts
>>> of legal action.
>>>
>>> Furthermore, if you were to decide one day that you wanted to "park" the
>>> domain name herbparsons.com (or even barakobama.com), and could show no
>>> legitimate use for it other than wanting to reserve it (in other words,
>>> your name wasn't Herb Parsons, or Barack Obama, you didn't have a
>>> legitimate company with that name), I could challenge you for the
>>> domain name, and would almost certainly win.
>>>
>>> Face it, barakobama.com is Barack Obama's web site. Official.
>>>
>>> I can not build a website and state on it that "This is the official web
>>> site for the
>>>
>>> Michael D. Weisner wrote:
>>>
>>>> Herb,
>>>>
>>>> From your past responses, I presume that you are involved in some form
>>>> of IT consulting and should therefore know that there is really no such
>>>> thing as "an official site."  While I am not looking to provide an out
>>>> for the Obama campaign, as implied by your "good try", I was just
>>>> thinking that what appears may not be exactly so.  I am sure that there
>>>> are crooks in all walks of life, I was just indicating that this may be a
>>>> different kind of crook: a thief robbing the thieves, if you will.  It
>>>> probably would not be that hard to interpose a harvester site to
>>>> intercept such lucrative info enroute to a poorly secured site.  Since
>>>> everyone is blaming the Obama campaign for lax security, they might be
>>>> ripped off and might not even know because of the security failures!
>>>>
>>>> The "official" registration, at the prestigious GoDaddy.com (tongue
>>>> firmly ...), the registrar of record, is as follows:
>>>>
>>>> Registrant:
>>>>    Obama for America
>>>>    233 N. Michigan Ave
>>>>    Suite 1100
>>>>    Chicago, Illinois 60601
>>>>    United States
>>>>
>>>>    Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
>>>>    Domain Name: BARACKOBAMA.COM
>>>>       Created on: 28-Dec-04
>>>>       Expires on: 28-Dec-15
>>>>       Last Updated on: 16-Oct-07
>>>>
>>>> It is interesting to note that the site was created nearly 4 years ago.
>>>> When did he decide to run??
>>>>
>>>> Mike
>>>> s/v Shanghai'd Summer ('81)
>>>>        Nissequogue River, NY
>>>>
>>>> From: "Herb Parsons" <hparsons at parsonsys.com>
>>>> Sent: Friday, October 24, 2008 12:35 AM
>>>>
>>>>> good try, but it's his official site.
>>>>>
>>>>> Michael D. Weisner wrote:
>>>>>
>>>>>> Brad,
>>>>>>
>>>>>> Newsflash - maybe the site is not real!  What a great way to collect
>>>>>> credit card info and cash!  Set up a bogus prez candidate donation site
>>>>>> to collect credit card numbers.  Now why didn't I think of that?
>>>>>>
>>>>>> Mike
>>>>>> s/v Shanghai'd Summer ('81)
>>>>>>        Nissequogue River, NY
>>>>>>
>>>>>> From: "Brad Haslett" <flybrad at gmail.com>
>>>>>> Sent: Thursday, October 23, 2008 11:06 PM
>>>>>>
>>>>>>> Ben,
>>>>>>>
>>>>>>> Follow up report-
>>>>>>>
>>>>>>> One thing I learned from my old boss at CFS in Little Rock in the late
>>>>>>> 70's is never, never, ever do anything on credit with a political
>>>>>>> campaign. Obama is living on the "float".
>>>>>>>
>>>>>>> Brad
>>>>>>>
>>>>>>> ----------------
>>>>>>>
>>>>>>> BarackObama.com's Lax Security Opens Door to Online Donor Fraud
>>>>>>> by Patrick Ruffini | October 23, 2008 at 2:26 PM
>>>>>>>
>>>>>>> I just contributed $5 to Barack Obama.
>>>>>>>
>>>>>>> I didn't want to. Ideally, I could have contributed $0.01 and cost
>>>>>>> them money. But it was the only way to confirm the root cause of the
>>>>>>> fraudulent micro-donations to the Obama campaign ("Doodad Pro" for
>>>>>>> $17,300 and "Good Will" for $11,000).
>>>>>>>
>>>>>>> The Obama campaign has turned its security settings for accepting
>>>>>>> online contributions down to the bare minimum -- possibly to juice the
>>>>>>> numbers, and turning a blind eye towards the potential for fraud not
>>>>>>> just against the FEC, but against unsuspecting victims of credit card
>>>>>>> fraud.
>>>>>>>
>>>>>>> The issue centers around the Address Verification Service (or AVS)
>>>>>>> that credit card processors use to sniff out phony transactions. I was
>>>>>>> able to contribute money using an address other than the one on file
>>>>>>> with my bank account (I used an address I control, just not the one on
>>>>>>> my account), showing that the Obama campaign deliberately disabled AVS
>>>>>>> for its online donors.
>>>>>>>
>>>>>>> AVS is generally the first line of defense against credit card fraud
>>>>>>> online. AVS ensures that not only is your credit card number accurate,
>>>>>>> but the street address you've submitted with a transaction matches the
>>>>>>> one on file with your bank.
>>>>>>>
>>>>>>> Authorize.net, the largest credit card gateway provider in the
>>>>>>> country, lists AVS as a "Standard Transaction Security Setting,"
>>>>>>> recommends merchants use it, and turns it on by default. So, in order
>>>>>>> for AVS to be turned off, it has to be intentional, at least with
>>>>>>> Authorize.net.
>>>>>>>
>>>>>>> Authorize.net's website describes it this way:
>>>>>>>
>>>>>>>    Bankcard processors implemented the Address Verification Service
>>>>>>>    (AVS) to aid merchants in the detection of suspicious transaction
>>>>>>>    activity. The payment processing network compares the billing address
>>>>>>>    provided in the transaction with the cardholder's address on file at
>>>>>>>    the credit card issuing bank. The processing network returns an AVS
>>>>>>>    response code that indicates the results of this comparison to the
>>>>>>>    payment gateway. You can configure your account to reject certain
>>>>>>>    transactions based on the AVS code returned. For example, the AVS code
>>>>>>>    "A" indicates that the street address matched, but the first five
>>>>>>>    digits of the ZIP Code did not.
>>>>>>>
>>>>>>> The end result? "Donors" like "Doodad Pro" can submit tons of
>>>>>>> donations totaling well above the $2,300 limit using different bogus
>>>>>>> addresses (this does clarify how donations from "Palestine", or PA,
>>>>>>> got through). And the campaign has no way to reliably de-dupe these
>>>>>>> donations, besides looking at the last four digits of the credit card
>>>>>>> number, which with 3.1 million donors is an identifier that could be
>>>>>>> shared by literally hundreds of donors, and is not as easy to eyeball
>>>>>>> as a common name or address would be. The ability to contribute with
>>>>>>> a false address, when the technology to prevent it not only exists but
>>>>>>> comes standard, is a green light for fraud.
>>>>>>>
>>>>>>> One could understand the oversight if it had occurred prior to the
>>>>>>> bogus donor story breaking. But you'd think they would have taken
>>>>>>> measures to step up their donor security in the aftermath of the
>>>>>>> revelations. Having AVS turned on would have stopped or significantly
>>>>>>> deterred the fraudulent donations (or, at a very minimum, made them
>>>>>>> easily detectable). By turning this basic setting off, the Obama
>>>>>>> campaign invited this kind of fraud and has taken no steps to correct
>>>>>>> it.
>>>>>>> __________________________________________________
>>>>>>> To subscribe/unsubscribe or for help with using the mailing list go to
>>>>>>> http://www.rhodes22.org/list
>>>>>>> __________________________________________________
>
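Elle asks above how one "locks" a registration, and Herb's advice is to renew rather than let a name drop. The lock Mike refers to is the registrar lock, which shows up in a domain's WHOIS/RDAP record as the EPP status codes clientTransferProhibited, clientUpdateProhibited and clientDeleteProhibited; a registry refuses a transfer request against a domain carrying clientTransferProhibited, which is exactly what stops a slammer from moving it. The audit below is an added example, not code from anyone in this thread; the WHOIS text is constructed to mimic standard registry output (one locked domain far from expiry, one unlocked domain about to lapse), and the 90-day warning window is an assumed policy.

```python
"""Audit WHOIS-style records for registrar locks and looming expiry.

Added example, not from the mailing-list thread. The WHOIS text below is
constructed for illustration; real output comes from `whois <domain>` or
the registrar's RDAP endpoint.
"""
from __future__ import annotations

import re
from datetime import date, datetime, timedelta

# EPP status codes a registrar sets when you enable "registrar lock".
LOCK_STATUSES = {
    "clientTransferProhibited",   # registry rejects transfer-away requests
    "clientUpdateProhibited",     # registry rejects nameserver/contact changes
    "clientDeleteProhibited",     # registry rejects deletion
}

# Constructed sample output (not real registrations).
SAMPLE_WHOIS = {
    "example-locked.com": """\
Domain Name: EXAMPLE-LOCKED.COM
Registrar: Example Registrar, Inc.
Updated Date: 2008-10-16T00:00:00Z
Creation Date: 2004-12-28T00:00:00Z
Registry Expiry Date: 2015-12-28T00:00:00Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
""",
    "example-unlocked.com": """\
Domain Name: EXAMPLE-UNLOCKED.COM
Registrar: Example Registrar, Inc.
Creation Date: 2006-01-10T00:00:00Z
Registry Expiry Date: 2009-01-10T00:00:00Z
Domain Status: ok https://icann.org/epp#ok
""",
}

# Date the audit is run against, fixed so the sample is reproducible.
AUDIT_DATE = date(2008, 10, 25)

STATUS_RE = re.compile(r"^\s*Domain Status:\s*(\S+)", re.MULTILINE)
EXPIRY_RE = re.compile(r"^\s*(?:Registry )?Expir\w* Date:\s*(\S+)", re.MULTILINE)


def parse_whois(text: str) -> dict:
    """Extract the set of EPP status codes and the expiry date from WHOIS text."""
    statuses = set(STATUS_RE.findall(text))
    expiry = None
    m = EXPIRY_RE.search(text)
    if m:
        # ISO-8601 timestamp, usually with a trailing Z; a bare date also parses.
        expiry = datetime.fromisoformat(m.group(1).rstrip("Z")).date()
    return {"statuses": statuses, "expiry": expiry}


def audit_domain(text: str, today: date, warn_days: int = 90) -> list[str]:
    """Return findings for one domain; an empty list means nothing to fix."""
    info = parse_whois(text)
    findings: list[str] = []
    missing = LOCK_STATUSES - info["statuses"]
    if "clientTransferProhibited" in missing:
        findings.append("transfer lock not set: domain can be moved to another registrar")
    other = sorted(missing - {"clientTransferProhibited"})
    if other:
        findings.append("update/delete lock not set: " + ", ".join(other))
    if info["expiry"] is None:
        findings.append("no expiry date found")
    elif info["expiry"] - today <= timedelta(days=warn_days):
        findings.append(f"expires {info['expiry'].isoformat()}: renew now, do not let it drop")
    return findings


def audit_all(samples: dict, today: date = AUDIT_DATE) -> dict:
    """Audit every record in `samples`, keyed by domain name."""
    return {name: audit_domain(text, today) for name, text in samples.items()}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_WHOIS).items():
        print(name, "->", findings or ["OK"])
```

Running it prints no findings for the locked domain and three for the unlocked one (no transfer lock, no update/delete lock, expiry inside the window). A real renewal check should use the registrar's own expiry date rather than the registry's, since the two can differ by the grace period.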

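The Ruffini piece quoted above makes two technical points: that the AVS response code (for example "A", street matched but ZIP did not) lets a merchant accept, review or decline a transaction, and that with AVS off a single card can be split across bogus names and addresses with no reliable way to de-dupe on the last four digits. The code below is an added example, not code from the article, the campaign or Authorize.net: it applies an illustrative AVS policy using the common single-letter result codes (Y, A, Z, N, U), then aggregates accepted amounts per card token so the same card showing up under "Doodad Pro" and "Good Will" is caught against the $2,300 limit. The transactions and card numbers are constructed test values, and the accept/review/decline mapping is an assumed merchant policy, not a standard.

```python
"""AVS policy plus per-card aggregation for a donation form.

Added example, not from the thread or from any payment gateway. AVS
letters are the common single-character results; the policy, the card
numbers and the transactions are constructed for illustration.
"""
from __future__ import annotations

import hashlib
from collections import defaultdict
from dataclasses import dataclass

# Common single-letter AVS results (street / 5-digit ZIP comparison).
AVS_MEANING = {
    "Y": "street and 5-digit ZIP match",
    "A": "street matches, ZIP does not",   # the code quoted in the article
    "Z": "ZIP matches, street does not",
    "N": "neither matches",
    "U": "issuer could not verify",
}

# Assumed merchant policy: full match accepted, partial match held for
# review, full mismatch or unverifiable declined. Unknown codes decline.
POLICY = {"Y": "accept", "A": "review", "Z": "review", "N": "decline", "U": "decline"}

PER_DONOR_LIMIT = 2300.00   # individual contribution limit cited in the article


@dataclass(frozen=True)
class Txn:
    name: str
    address: str
    pan: str        # full card number (constructed test values, not real cards)
    amount: float
    avs: str        # AVS response code returned by the processor


def card_token(pan: str) -> str:
    """Stable per-card identifier that is not the card number.
    A real gateway returns its own token; hashing the full PAN here stands
    in for that and shows why last-4 alone is too coarse to de-dupe on."""
    return hashlib.sha256(pan.encode()).hexdigest()[:16]


def avs_decision(txn: Txn, avs_enabled: bool = True) -> str:
    """Apply the AVS policy; with enforcement off nothing is rejected on the code."""
    if not avs_enabled:
        return "accept"
    return POLICY.get(txn.avs, "decline")


def per_card_totals(txns: list[Txn], avs_enabled: bool = True) -> dict[str, float]:
    """Sum accepted amounts per card token, ignoring the name and address given."""
    totals: dict[str, float] = defaultdict(float)
    for t in txns:
        if avs_decision(t, avs_enabled) == "accept":
            totals[card_token(t.pan)] += t.amount
    return dict(totals)


def over_limit(txns: list[Txn], avs_enabled: bool = True) -> dict[str, float]:
    """Card tokens whose accepted total exceeds the per-donor limit."""
    return {tok: amt for tok, amt in per_card_totals(txns, avs_enabled).items()
            if amt > PER_DONOR_LIMIT}


# Constructed sample: one card split across bogus names and addresses
# (names taken from the article), plus one legitimate donor.
SAMPLE = [
    Txn("Doodad Pro", "1 Fake St",    "4111111111111111", 1500.00, "N"),
    Txn("Good Will",  "2 Nowhere Rd", "4111111111111111", 1500.00, "N"),
    Txn("Doodad Pro", "3 Bogus Ave",  "4111111111111111", 1500.00, "Z"),
    Txn("Jane Donor", "10 Main St",   "5555555555554444",   50.00, "Y"),
]

if __name__ == "__main__":
    print("AVS enforced:", over_limit(SAMPLE, avs_enabled=True))
    print("AVS disabled:", over_limit(SAMPLE, avs_enabled=False))
```

With enforcement on, the two "N" transactions are declined and the "Z" one is held, so nothing crosses the limit; with it off, all three land on one card token totalling $4,500, which the aggregation flags even though every name and address differs. The aggregation step is what AVS alone cannot give you: AVS screens each transaction, the per-card total catches structuring across them.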
