Cross-Selling Online Scams and Security Issues

Posted by Zonk on Sat Nov 03, 2007 02:41 PM
from the keep-it-secret-keep-it-safe dept.
An anonymous reader writes "The site 12 Angry Men recently published a discussion of a widely used but little-known online scam called 'cross-selling'. Essentially, after-sale shops cut deals with shady online retailers in an attempt to make a quick buck off of you after you've already bought something. 'What actually happens is that instead of linking to the site as a separate session, they link internally as another page in the same session. Why is this important? When you do a credit card transaction, any reputable company will attempt to protect your credit card data. They do this by establishing an SSL session to encrypt sensitive data on-line.' What makes everything even more interesting is that now the company has responded, with the usual whitewashing and meaningless statements."
This discussion has been archived. No new comments can be posted.
  • by gbulmash (688770) * <semi_famousNO@SPAMyahoo.com> on Saturday November 03 2007, @02:43PM (#21225733) Homepage Journal
    The company gets criticized for monitoring the blogosphere and responding to complaints in the comment right after its response.

    "Why would a legitimate company providing quality service have concerns about the blogosphere great enough to monitor it?"

    In fact come to think of it, most of those we have seen who practice this and post comments like this are scam artists slightly worse than used car dealers.


    Actually, I've seen "respectable" companies do this. When I posted a rant about the stupid ways people bid on projects [brainhandles.com] (or try to bid without bidding) on Rent-A-Coder, there was a response from Rent-A-Coder on my blog within a day.

    Monitoring and responding to complaints is a positive, IMO.
      • Re: (Score:3, Insightful)

        I thought it was more because white is generally considered by western civilization to represent purity, while black is the opposite of white.
      • They say accounts are in the black when they are good, and in the red when they are bad. Obviously white folk don't even deal with money, only those dirty black people and red people, and just as obviously, red people are dirtier than black people. I suppose they don't include yellow people because this all started before they knew about them.
      • by Mister Transistor (259842) on Saturday November 03 2007, @09:33PM (#21228217) Journal
        OK, I'll bite.

        Whitewash was a kind of paint used in the old days for fence and barn painting. It was called that (gasp) - because it was white! Think Tom Sawyer... Anyway, the term "whitewashing" means to cover up (as in with white paint).

        Blacklisting comes from (also) old times, in Hollywood movie studios, if you were allowed on premises, you were on a list the security guards were given. If you pissed off the director or some studio exec, you got a line drawn through your name with a (you guessed it) - black - pencil - and were denied access from then on.

        That's it, no racist overtones or conspiracies - except, perhaps in your mind!

      • Re: (Score:3, Informative)

        Most HR people care about this because holes in your resume, long periods of time with no discernible activity, are worrisome. It's just SOP to put everything in your resume for whatever period you are covering.

        This is a piecework RFP he's responding to. I'm not offering him employment, I'm asking him to bid on a contract. A personal CV isn't appropriate here. Just show me you can do this work.

        Also you seem to think you will get good people by asking them to give you a free estimate. Perhaps that i
  • 12 Angry men (Score:5, Insightful)

    by Bloke down the pub (861787) on Saturday November 03 2007, @02:53PM (#21225785)
    From the linked article:

    As an aside, organ donors in Europe have to opt-out to NOT become an organ donor
    Not so much angry as ill informed. That's certainly not the case in the UK or Italy which, last time I checked, are part of Europe. I doubt the authors could point to either on a map.
    • Not so much angry as ill informed. That's certainly not the case in the UK or Italy which, last time I checked, are part of Europe. I doubt the authors could point to either on a map.

      There *are* countries in Europe which use an opt-out system, although not many yet. There have been suggestions that the UK may change to opt-out in the future, as polls have suggested that ~70% of the population would support such a change.
      • There *are* countries in Europe which use an opt-out system
        Read what the article said, read what the post you're replying to said, then look up the fallacy of composition [wikipedia.org].

        There are parts of the US that are dry, but it doesn't mean the whole country is a beer-free zone.
      • There are religious or personal beliefs which may abhor organ donation; it's not quite as clear cut as that.

        As for the parent of this thread, while the UK doesn't have "opt out" organ donation at the moment, people are pressing for it to be introduced.

        • while the UK doesn't have "opt out" organ donation at the moment, people are pressing for it to be introduced.
          And they have been for over 20 years, but that's not the same as it actually being the law. Not even close. And even if one or more countries in the EU do have such a law, it's stupid to generalise that to them all - laughably stupid and incredibly ignorant to boot.
        • any religion that would prohibit the re-use of life saving organs from someone who cannot use them anymore deserves to be squeezed out of decent society.
          • Dead people don't have rights
            Why not? If the un-born are supposed to have the same rights as a living human being, why shouldn't the "un-live"?

            Fact is, it's pretty goddamn easy to determine at what point human beings should have full rights: When they are born, and when they die. Everything else is just organized superstition.
          • Except for one *very* important point: At the time of organ harvesting, these people are *not* dead. Their bodies are very much alive. And those same bodies show very much the same reactions to the pain of organ harvesting as any other living person.

            Add in the whole issue I mentioned above about how to deal with treatments in case of severe injury, and I have a very strong case for not wanting to be an organ donor.
            • What? Are you serious? Please explain who these live people are who are getting their organs removed for donation. And don't include any stories about waking up in a bathtub full of ice.
                • Re: (Score:3, Informative)

                  > I have, and I am frightened by the fact that they did not contradict even one word of what I said. Not one.

                  I have (ER docs), and they did contradict every word of what you said. Every one.
          • Most likely it's a matter of an agreeable definition of death.
      • You forget to account for people living in corrupt places: you could be cut apart because your organs are compatible with some VIP needing a transplant. Hopefully there are so few of those places that it's a somewhat paranoid thought yet it's not a simple matter of laziness and ignorance.
      • Re:12 Angry men (Score:5, Interesting)

        by Pedersen (46721) on Saturday November 03 2007, @11:59PM (#21229061) Homepage
        It's not as clear cut as that. You see, in the case of severe trauma, there are two basic treatment paths to take: Keep the body warm, or keep the body cold. The colder the body is, the better the chance the victim comes out alive and intact. So, the body should always be kept cold, right?

        Well, if the victim dies anyway, then it's time to harvest. Oh, but the body being kept cold has put the organs closer to death. This reduces the amount of time they can be out of the body before they become useless to a new body.

        So, we need to keep the body warm. But if we do that, then the victim has a much greater chance of suffering severe, disabling injuries out of the accident. Which means it's more likely he dies.

        Think about it. Would you prefer to live, or to die? Oh, and let's not get started on the medical personnel who have a very important job: If there is any chance the person could be an organ donor, pressure the (still in shock) family to allow organ donation.

        As for me, I choose to live. I do not wish to be an organ donor, and have said so to my family.
        • Yes, it's unfair that the donor's family don't benefit, however if they did you'd get many unscrupulous groups of people seeking to benefit from it.
          • Yes, it's unfair that the donor's family don't benefit, however if they did you'd get many unscrupulous groups of people seeking to benefit from it.

            Well, don't you get such groups in this way as well?

            Anyway, I don't care as long as I'm dead after the organ harvesting.

            • You'll certainly be dead after the harvesting. Personally, I'd prefer to be dead before the harvesting.
              • You'll certainly be dead after the harvesting. Personally, I'd prefer to be dead before the harvesting.

                My point is, as long as I'm dead afterwards, I'll be in no position to care either way.

                Well, supposing I'm at least unconscious beforehand.

            • Well, "the estate" is a contrived idea too... In reality, the owner of the organs is whoever has sufficient power to take them. Once dead, you have no ability to assert any ownership over anything.
        • Can you offer any proof for any of the accusations that you've made in this post?
          • Proof of accusations? I made more than a few. I bet you're talking about not using certain drugs and not saving you if you're an organ donor.

            It is a known fact that they can't take organs from a dead person. They have to keep the blood flowing with oxygen in it in order to keep the organs alive. There is a very low amount of time between death and when they can harvest organs. Your organs last longer outside your body because they can cool it. So if you're not being kept alive until they decide to set you up to b
  • Shopsafe ad (Score:3, Informative)

    by WPIDalamar (122110) on Saturday November 03 2007, @03:02PM (#21225849) Homepage
    This is just a Shopsafe AD.

    Technical details in the article are slim and misleading.
    • Technical details in the article are slim and misleading.

      Technical details in the article are substantial, although very difficult to follow. The only question I'm left with is who the fuck stores your credit card details in a _cookie_, and why...?
  • Rampant Fraud (Score:4, Insightful)

    by Yahma (1004476) on Saturday November 03 2007, @03:09PM (#21225891) Journal
    I used to get $1.00 charges on my credit card that would go unnoticed for a few months. When I checked the company, they had a website that stated something to the effect:

    "If you received a charge to your credit card for us, it is for services that we provided and it is not a fraudulent charge."

    Now, I never have purchased anything from this company, and even though the total charges were less than $3, I reported it to my credit card company. Some of these fraudulent companies can be very deceptive.

    • When I checked the company, they had a website that stated something to the effect: "If you received a charge to your credit card for us, it is for services that we provided and it is not a fraudulent charge."

      Well, they would say that, wouldn't they?!

      To be fair, I don't know the context of the comment or how much you were paraphrasing, but it seems that any company that felt the need to bring the subject up in that manner *and* then attempted to dismiss any problems in advance knows that something shady is going on.

      If they really were legit, they'd know where the (limited) problem areas were, not have to explain it like that, and have a good explanation, not a handwaving generic "if something's wrong, we did

    • In unrelated news, foxes have been quoted as saying that "any hens missing from the hen houses are totally not our fault".
      • The foxes in my area say that any hens they remove are compensation for the 'Hen Protection Program' they administer.
    • That is why I will not use any of my credit cards online anymore. I use the one time use credit card services. It works for the amount I enter and only once within a time frame. It stops this shady scam crap that is all over the net now.

      Easiest to use is paypal's. But one of my banks also offers it for my credit card.

    • My bank just contacted me the other day for a $1.33 charge. They called within an hour of a transaction which I didn't make. The operator cancelled the card immediately but wouldn't explain how they knew I didn't do it. I appreciate the proactive approach, but they should really be telling me The Whole Truth.

      The charge was to a company called Jazz Inc with an 800#, when you call it it says "Press 1 for more information to be texted to you about the charge on your bill." I assume they someh
      • Re: (Score:3, Informative)

        A small charge may be someone verifying that the card is still valid - do a small instant transaction which has a good chance of escaping detection and then use the known-good card for a larger fraudulent purchase.

        If this was the case Jazz Inc would be an unwitting third party - your bank might have noticed a pattern of a small charge with them followed by a large fraud attempt.
  • Funny Aside (Score:5, Interesting)

    by TiggertheMad (556308) on Saturday November 03 2007, @03:13PM (#21225919) Homepage Journal
    ...Anyone notice that the website that this article is on prevents you from navigating away via the browser back button? I was always suspicious about sites that employed Javascript to prevent people from navigating away. An article about shifty behavior on a site that tries to manage your attempts to leave. Classy!
    • ...Anyone notice that the website that this article is on prevents you from navigating away via the browser back button?
      That's what NoScript is for. By default it will not execute javascript code unless you actually allow it to do so. Also, middle clicking on a link in firefox opens it in another tab; there is no point in them trying to prevent you from navigating backward since you can just close the tab.
    • I've noticed that CNN does a dirty little trick to trip up the 'back' button - they typically put three instances of the current page on the history buffer. Found that out after using the down-arrow next to the 'back' button, and that allows me to go back to the previous page.
  • by Tim C (15259) on Saturday November 03 2007, @04:02PM (#21226217)
    Card data are usually stored in cookies encrypted under the SSL symmetric key.

    I've worked in the web for 8.5 years now, and have worked on a lot of ecommerce sites in that time. I have never seen any, not one, that stores anything at all in a cookie other than a session id. There is absolutely no reason whatsoever to be storing credit card details in them - in fact I would go so far as to recommend avoiding any online store that did this, SSL-encryption or no. It's just begging to be exploited.

    Also:

    As an aside, organ donors in Europe have to opt-out to NOT become an organ donor, i.e., uncheck the box.

    Sorry, but I have a card in my wallet that proves this wrong. I'm in the UK and you have to specifically register to be an organ donor. You don't have to carry the card they send you, but you do have to be in the database of registered donors.

    With these two errors, I'd have to say I'm suspicious of the rest of the article; how much more have they got wrong?
    • Anyone capable of writing:

      Card data are usually stored in cookies encrypted under the SSL symmetric key.
      clearly hasn't got a fucking clue what they are talking about.
    • I agree that the article was terrible but the complaint seems justified. His wife isn't alone in having troubles with them. For one, I stumbled across this class action lawsuit [lawyersand...ements.com], as well as some anecdotal evidence from ex customer service employees stating most of their members didn't realise they were signed up, and 99% of calls to their office were people trying to get off their program. If only he'd avoided the mangled technical explanation the issue he had might be clearer.
  • I've never seen a shop store the CC number in a cookie, as that makes no sense at all. The proper way to do it (IF you're doing the credit card handling yourself, the company I work for uses a third party to handle this), is to store the credit card in the database as soon as it's sent, and just keep it there (and delete it when you don't need it any more). You can use a regular session id if you ever need it again. There's no reason to send it back to the client.
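    The pattern this comment and Tim C's comment above describe (the cookie carries nothing but an opaque session id, card details live server-side and are deleted once they are no longer needed) as an added example; this is not code from the thread or from the 12 Angry Men article. It uses an in-memory dict as a stand-in for the database, and adds a small audit check a reviewer could run over a storefront's cookie values to catch the anti-pattern several posters mention: a Luhn-valid 13-19 digit run sitting in a cookie. All card numbers and cookie strings are constructed test values.

```python
"""Session-id-only cookies versus card data in cookies (added example)."""
import re
import secrets

# Constructed stand-in for the server-side store the comment talks about;
# a real deployment would use a database with access controls and expiry.
_SESSIONS: dict = {}


def luhn_valid(digits: str) -> bool:
    """Standard Luhn checksum over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13-19 digits, optionally separated by spaces or dashes, not embedded in
# a longer digit run.
_PAN_RE = re.compile(r"(?<!\d)(\d[ -]?){12,18}\d(?!\d)")


def cookie_leaks_pan(cookie_value: str) -> bool:
    """Audit check: does a cookie value contain a Luhn-valid card-like number?

    Flags values such as 'cc=4111-1111-1111-1111' but not ordinary session
    ids or random digit runs that fail the Luhn check.
    """
    for m in _PAN_RE.finditer(cookie_value):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return True
    return False


def start_checkout(card_number: str, expiry: str) -> str:
    """Keep card details server-side; hand the client only an opaque id."""
    sid = secrets.token_urlsafe(32)            # 256 bits of CSPRNG entropy
    _SESSIONS[sid] = {"pan": card_number, "expiry": expiry}
    return sid


def session_cookie(sid: str) -> str:
    """The Set-Cookie value the client receives: the id and nothing else."""
    return f"sid={sid}; Secure; HttpOnly; SameSite=Strict; Path=/"


def card_for_session(sid: str):
    """Server-side lookup when the order needs the card again."""
    return _SESSIONS.get(sid)


def complete_order(sid: str) -> None:
    """Delete the card data as soon as the order no longer needs it."""
    _SESSIONS.pop(sid, None)


if __name__ == "__main__":
    sid = start_checkout("4111111111111111", "12/09")   # constructed test PAN
    print(session_cookie(sid))
    print("cookie leaks PAN:", cookie_leaks_pan(session_cookie(sid)))
    print("bad cookie leaks PAN:", cookie_leaks_pan("cc=4111-1111-1111-1111; exp=1209"))
    complete_order(sid)
    print("card after completion:", card_for_session(sid))
```

    The cookie attributes (Secure, HttpOnly, SameSite) are standard Set-Cookie attributes; the session id itself is what the server-side record is keyed on, so exposing the cookie never exposes the card. The audit regex is deliberately loose about separators because the anti-pattern, when it does occur, rarely stores the number in a tidy 16-digit form.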
  • bad habits (Score:5, Insightful)

    by fermion (181285) on Saturday November 03 2007, @04:09PM (#21226261) Homepage Journal
    I wish that security was not so often sacrificed for selling opportunities. When one is going through an online transaction, which is still a risky process due to man-in-the-middle attacks, one should not create an expectation of the user to see things characteristic of such attacks. There is no reason to have ads on such pages. There is no reason to set third party cookies to ad sites, or direct to other offers between the time that the user checks out and the time the order is complete. If attacks such as these are successful, it is the fault of the companies that design the faulty web pages, and such companies should compensate the consumer.

    Even firms that should know better, such as banks, promote such practices. I recently logged into my highly secure bank account, and instead of being greeted with my bank information was greeted with a survey. This is such a fundamental breach of security I wonder why I bank with them. Oh, I know. Because every other bank is selling out customer security to make a buck. It is nothing new. I used to receive many offers on my bank's letterhead. When I called to see if they were responsible, the agent said they have nothing to do with it. Well, I would reply, it is on your letterhead, should I call my AG and state that someone is representing themselves as you? Nothing was said after that.

    In any case, as long as people are trying to squeeze every dime out of every customer, we are going to have these security issues. I guess the only thing to do is to not conduct business with the worst of the worst, no matter how tempting it is.

  • WLI truly a problem (Score:5, Informative)

    by Peter Simpson (112887) on Saturday November 03 2007, @04:13PM (#21226301)
    They almost got me twice with a fake "Continue" button on the order confirmation page.

    After you type in your credit card info, and authorize the purchase you intended to make, the website pops up a receipt/confirmation page (just as you'd expect). At the bottom of that screen is a "Continue" button. Below that button, in very small type, almost the same color as the page background, perhaps even below the bottom of the screen, so you'd need to scroll down to see it, is a disclaimer that tells you that by clicking the above button, you're authorizing the transfer of your data to WLI.

    The next page you see asks you for a second confirmation (perhaps your email address), and in a way that does not make clear that you are not providing it to WLI...and at NO time are you told that your credit card information has been sent to WLI. You are not explicitly asked to authorize the charge.

    The places I caught doing this were unaware of it, and angry about it. The WLI link comes pre-packaged in the "storefront" or "ecommerce solution" that the merchant obtains from their hosting service. My suspicion is that this is a deal between WLI and the storefront software provider, not the merchant.

    It's definitely for real and a continuing problem...my experience was several years ago, and at the time, I bookmarked this site, which is still active:

    http://adam.rosi-kessel.org/weblog/the_man/webloyalty_aka_wli_reservations_is_a_scam.html/ [rosi-kessel.org]

    The other way they get you to click is to offer you a "credit on your next order"...

  • by aussersterne (212916) on Saturday November 03 2007, @07:29PM (#21227637) Homepage
    I know reservation rewards well! I used to get tons of free food using them through delivery.com (a fast food delivery website). Here's how it would work:

    1. Order food online through delivery.com.

    2. An "opt-out" cross-sell appears offering you a $10.00 coupon if you don't uncheck the enroll box. First 30 days are free.

    3. Agree to "free trial" and get $10.00 coupon code. Then call immediately and cancel service you just enrolled for.

    4. Use free $10.00 coupon (still good) next time you want to order food through delivery.com.

    5. At end of order, an "opt-out" cross sell appears offering you a $10.00 coupon if you don't uncheck the enroll box...

    Just over a year ago I probably got $300 in free food delivery that way over a several month stretch before moving to an area where there is no delivery.com service. Too bad.

    My card was never charged by these people. All you have to do is be diligent and pay attention and call the 1-800 number to cancel.
  • I've skimmed the summary, article and comments, and sadly it seems not so many people are clued in on how cross sells actually work.
    There's no 'inside session passing' or rubbish. Simply, a cross-sell is a product offered by a company that uses the same billing company as the site.

    For example, CCBill - huge CC processing company.

    You sign up for a product or a site, X. That webmaster has made a deal w/ another webmaster that has a product / site, Y, processing with CCBill.
    When you sign up, there's a box for
  • Going on for 5 years (Score:3, Interesting)

    by flyingfsck (986395) on Saturday November 03 2007, @10:37PM (#21228655)
    This has been going on for a long time and people are still falling for it and they are still in business. You should complain to your Congress Critters.