Cross-Selling Online Scams and Security Issues 101

An anonymous reader writes "The site 12 Angry Men recently published a discussion of a widely used but little-known online scam called 'cross-selling'. Essentially, after-sale shops cut deals with shady online retailers in an attempt to make a quick buck off of you after you've already bought something. 'What actually happens is that instead of linking to the site as a separate session, they link internally as another page in the same session. Why is this important? When you do a credit card transaction, any reputable company will attempt to protect your credit card data. They do this by establishing an SSL session to encrypt sensitive data on-line.' What makes everything even more interesting is that now the company has responded, with the usual whitewashing and meaningless statements."
  • by gbulmash ( 688770 ) * <semi_famous&yahoo,com> on Saturday November 03, 2007 @02:43PM (#21225733) Homepage Journal
    The company gets criticized for monitoring the blogosphere and responding to complaints in the comment right after its response.

    "Why would a legitimate company providing quality service have concerns about the blogosphere great enough to monitor it?"

    In fact come to think of it, most of those we have seen who practice this and post comments like this are scam artists slightly worse than used car dealers.


    Actually, I've seen "respectable" companies do this. When I posted a rant about the stupid ways people bid on projects [brainhandles.com] (or try to bid without bidding) on Rent-A-Coder, there was a response from Rent-A-Coder on my blog within a day.

    Monitoring and responding to complaints is a positive, IMO.
    • Well it's a little off topic but since you did post a link to your rant I have a comment to make. It said:

      Second, the guy's listing stuff like being a customer service rep for a credit union on it. Why would I care about your work experience that doesn't relate to this project?

      Most HR people care about this because holes in your resume, long periods of time with no discernible activity, are worrisome. It's just SOP to put everything in your resume for whatever period you are covering.

      Also you seem t
      • Re: (Score:3, Informative)

        by gbulmash ( 688770 ) *
        Most HR people care about this because holes in your resume, long periods of time with no discernible activity, are worrisome. It's just SOP to put everything in your resume for whatever period you are covering.

        This is a piecework RFP he's responding to. I'm not offering him employment, I'm asking him to bid on a contract. A personal CV isn't appropriate here. Just show me you can do this work.

        Also you seem to think you will get good people by asking them to give you a free estimate. Perhaps that i
    • Aye, some companies either do it proactively (as a way of getting honest feedback) or sometimes bored employees may google their company name to see what turns up (and if it's negative they may bring it to someone's attention). Those two reasons I see as a positive use of an employee's spare time since not all irate customers will call in. Also it's a way to catch those that slipped through the customer service cracks (150% - 200% turnover = bad apples in even the best organizations).

      I had a dental insuran
  • 12 Angry men (Score:5, Insightful)

    by Bloke down the pub ( 861787 ) on Saturday November 03, 2007 @02:53PM (#21225785)
    From the linked article:

    As an aside, organ donors in Europe have to opt-out to NOT become an organ donor
    Not so much angry as ill informed. That's certainly not the case in the UK or Italy which, last time I checked, are part of Europe. I doubt the authors could point to either on a map.
    • by Seumas ( 6865 )
      It should be the case everywhere. What am I going to do with my organs when I'm dead? Why should someone else die, because I was too lazy or ignorant to become an organ donor?
      • by larien ( 5608 )
        There are religious or personal beliefs which may abhor organ donation; it's not quite as clear cut as that.

        As for the parent of this thread, while the UK doesn't have "opt out" organ donation at the moment, people are pressing for it to be introduced.

        • while the UK doesn't have "opt out" organ donation at the moment, people are pressing for it to be introduced.
          And they have been for over 20 years, but that's not the same as it actually being the law. Not even close. And even if one or more countries in the EU do have such a law, it's stupid to generalise that to them all - laughably stupid and incredibly ignorant to boot.
        • by Lehk228 ( 705449 )
          any religion that would prohibit the re-use of life saving organs from someone who cannot use them anymore deserves to be squeezed out of decent society.
      • It should be the case everywhere. What am I going to do with my organs when I'm dead? Why should someone else die, because I was too lazy or ignorant to become an organ donor?

        Well beside the idea that I should be able to be put to rest intact as a spiritual matter, do you realize that you aren't totally dead when they decide to harvest your organs? They give up on saving you and let you succumb to a state of legally dead in order to harvest your organs and have something actually worth putting inside som

        • by adavidw ( 31941 )
          Can you offer any proof for any of the accusations that you've made in this post?
          • Proof of accusations? I made more than a few. I bet you're talking about not using certain drugs and not saving you if you're an organ donor.

            It is a known fact that they can't take organs from a dead person. They have to keep the blood flowing with oxygen in it in order to keep the organs alive. There is a very low amount of time between death and when they can harvest organs. Your organs last longer outside your body because they can cool it. So if you're not being kept alive until they decide to set you up to b
            • by adavidw ( 31941 )
              Organs can and do get retrieved from dead people. Every time (with the exception of live donor kidneys, of course). There is of course, some ambiguity about the word "dead" and what exactly it defines. For example, if you've got a patient whose brain activity is completely ceased with absolutely no hope of restarting but still has blood flowing, few would argue that the patient's not dead, and yes, that person might be a great candidate for retrieval of organs since they're so fresh. If you believe there's
      • You forget to account for people living in corrupt places: you could be cut apart because your organs are compatible with some VIP needing a transplant. Hopefully there are so few of those places that it's a somewhat paranoid thought yet it's not a simple matter of laziness and ignorance.
      • Re:12 Angry men (Score:5, Interesting)

        by Pedersen ( 46721 ) on Saturday November 03, 2007 @11:59PM (#21229061) Homepage
        It's not as clear cut as that. You see, in the case of severe trauma, there are two basic treatment paths to take: Keep the body warm, or keep the body cold. The colder the body is, the better the chance the victim comes out alive and intact. So, the body should always be kept cold, right?

        Well, if the victim dies anyway, then it's time to harvest. Oh, but the body being kept cold has put the organs closer to death. This reduces the amount of time they can be out of the body before they become useless to a new body.

        So, we need to keep the body warm. But if we do that, then the victim has a much greater chance of suffering severe, disabling injuries out of the accident. Which means it's more likely he dies.

        Think about it. Would you prefer to live, or to die? Oh, and let's not get started on the medical personnel who have a very important job: If there is any chance the person could be an organ donor, pressure the (still in shock) family to allow organ donation.

        As for me, I choose to live. I do not wish to be an organ donor, and have said so to my family.
        • by Hatta ( 162192 )
          Well, if the victim dies anyway, then it's time to harvest. Oh, but the body being kept cold has put the organs closer to death. This reduces the amount of time they can be out of the body before they become useless to a new body.

          Then why do they transport organs on ice?
          • by Pedersen ( 46721 )
            Basically, a major organ transplant (such as heart or liver) goes through 5 stages (6 if you count the selection of the donor):

            1. Something happens to the donor which results in them being chosen as an organ donor candidate. Ideally, the person who is to be the donor will be relatively young (less than 35 or so), in great health, who has a piano fall on their head, hard enough to basically destroy all higher brain function, but not hard enough to destroy autonomic brain function. In other words, their mind
    • Same goes for The Netherlands, it's opt-in, not opt-out. Although they are thinking of changing that.
    • by julesh ( 229690 )
      Not so much angry as ill informed. That's certainly not the case in the UK or Italy which, last time I checked, are part of Europe. I doubt the authors could point to either on a map.

      There *are* countries in Europe which use an opt-out system, although not many yet. There have been suggestions that the UK may change to opt-out in the future, as polls have suggested that ~70% of the population would support such a change.
      • There *are* countries in Europe which use an opt-out system
        Read what the article said, read what the post you're replying to said, then look up the fallacy of composition [wikipedia.org].

        There are parts of the US that are dry, but it doesn't mean the whole country is a beer-free zone.
        • by julesh ( 229690 )

          There *are* countries in Europe which use an opt-out system

          Read what the article said, read what the post you're replying to said, then look up the fallacy of composition.

          I'm aware of exactly what the article said:

          As an aside, organ donors in Europe have to opt-out to NOT become an organ donor, i.e., uncheck the box.

          Note that this does not say "all organ donors in Europe". It quite clearly is a statement that may or may not apply throughout Europe. As it happens, in this case, it does not.

          • does not say "all organ donors in Europe". It quite clearly is a statement that may or may not apply throughout Europe.

            Absolute rubbish. If you say "in Europe X", without qualification along the lines of "some countries in ..." or "parts of ..." it's assumed by anyone who actually understands English properly that X applies to the whole.

            By your reasoning (and I'm stretching the definition there) "odd numbers and even numbers are prime" would be true, because at least one of each is.

        • There are parts of the US that are dry, but it doesn't mean the whole country is a beer-free zone.
          It's not far off ... have you ever tried Bud Light?
    • Wow, could someone please mod the parent down ... this is just ill informed.
    • by Eivind ( 15695 )
      It also fails to be the case in Germany, Finland, Norway and Spain. I doubt it is the case -ANYWHERE- in Europe, but I can't say for absolutely sure.

      That's not the only bullshit in this article. I don't know -any- site that stores credit-card numbers, expiration-dates and control-numbers as *cookies* (i.e. client-side), certainly Ebags, the site he claimed scammed his wife, does not. (I just tested. They -DO- set a cookie, but this cookie is just a hash that presumably indexes a server-side storage for vari
  • Shopsafe ad (Score:3, Informative)

    by WPIDalamar ( 122110 ) on Saturday November 03, 2007 @03:02PM (#21225849) Homepage
    This is just a Shopsafe AD.

    Technical details in the article are slim and misleading.
    • by julesh ( 229690 )
      Technical details in the article are slim and misleading.

      Technical details in the article are substantial, although very difficult to follow. The only question I'm left with is who the fuck stores your credit card details in a _cookie_, and why...?
  • Rampant Fraud (Score:4, Insightful)

    by Yahma ( 1004476 ) on Saturday November 03, 2007 @03:09PM (#21225891) Journal
    I used to get $1.00 charges on my credit card that would go unnoticed for a few months. When I checked the company, they had a website that stated something to the effect:

    "If you received a charge to your credit card for us, it is for services that we provided and it is not a fraudulent charge."

    Now, I never have purchased anything from this company, and even though the total charges were less than $3, I reported it to my credit card company. Some of these fraudulent companies can be very deceptive.

    • When I checked the company, they had a website that stated something to the effect: "If you received a charge to your credit card for us, it is for services that we provided and it is not a fraudulent charge."

      Well, they would say that, wouldn't they?!

      To be fair, I don't know the context of the comment or how much you were paraphrasing, but it seems that any company that felt the need to bring the subject up in that manner *and* then attempted to dismiss any problems in advance knows that something shady is going on.

      If they really were legit, they'd know where the (limited) problem areas were, not have to explain it like that, and have a good explanation, not a handwaving generic "if something's wrong, we did

    • In unrelated news, foxes have been quoted as saying that "any hens missing from the hen houses are totally not our fault".
      • The foxes in my area say that any hens they remove are compensation for the 'Hen Protection Program' they administer.
    • I used to get $1.00 charges on my credit card that would go unnoticed for a few months.

      Now, I never have purchased anything from this company...

      Sure you didn't sign up to Happy Dude?

    • by Anonymous Coward
      I had my bank do this: charging $20 a month for health insurance and not refunding more than the last two months. The bank did not charge the $20 but had another company charge it. The charge came out as insurance, insurance which I never had or existed. The bank was First Union; the bank changed their name at least once. The company charging the $20 was out of Florida. Your own bank is capable of doing this.
    • by Lumpy ( 12016 )
      That is why I will not use any of my credit cards online anymore. I use the one time use credit card services. It works for the amount I enter and only once within a time frame. It stops this shady scam crap that is all over the net now.

      Easiest to use is PayPal's. But one of my banks also offers it for my credit card.

    • My bank just contacted me the other day for a $1.33 charge. They called within an hour of a transaction which I didn't make. The operator cancelled the card and my card immediately but wouldn't explain how they knew I didn't do it. I appreciate the proactive approach, but they should really be telling me The Whole Truth.

      The charge was to a company called Jazz Inc with an 800#, when you call it it says "Press 1 for more information to be texted to you about the charge on your bill." I assume they someh
      • Re: (Score:3, Informative)

        by mike2R ( 721965 )
        A small charge may be someone verifying that the card is still valid - do a small instant transaction which has a good chance of escaping detection and then use the known-good card for a larger fraudulent purchase.

        If this was the case Jazz Inc would be an unwitting third party - your bank might have noticed a pattern of a small charge with them followed by a large fraud attempt.
  • Funny Aside (Score:5, Interesting)

    by TiggertheMad ( 556308 ) on Saturday November 03, 2007 @03:13PM (#21225919) Journal
    ...Anyone notice that the website that this article is on prevents you from navigating away via the browser back button? I was always suspicious about sites that employed Javascript to prevent people from navigating away. An article about shifty behavior on a site that tries to manage your attempts to leave. Classy!
    • Uh? The back button works fine on that site.
    • ...Anyone notice that the website that this article is on prevents you from navigating away via the browser back button?
      that's what noscript is for. by default it will not execute javascript code unless you actually allow it to do so. Also, middle clicking on a link in firefox opens it in another tab, there is no point in them trying to prevent you from navigating backward since you can just close the tab.
    • I've noticed that CNN does a dirty little trick to trip up the 'back' button - they typically put three instances of the current page on the history buffer. Found that out after using the down-arrow next to the 'back' button, and that allows me to go back to the previous page.
  • FTFA: Nope! Somewhere on the page there is a box which is checked that says "Send me this crap for $9.00 a month".

    I really hate those things. Many times, when you're filling out some poorly designed form that has information that has to be entered, I usually miss something or enter it the "wrong" way and I end up having to go back and correct my data. Upon going back, guess what, the check-box that "opts-in" to (usually to get spammed by the company) is checked again. Technically, it's "opt-in", but the ch

  • [As an aside, organ donors in Europe have to opt-out to NOT become an organ donor, i.e., uncheck the box. In the United States, drivers have to opt-in to become an organ donor. The relative rates of donors in Europe is over 80% versus 20% in the United States. This is the power of opt-out and why marketeers fight for it so hard.]

    The Meaning of Life: Part Five: Live Organ Transplants.
    Hello. Uhh, can we have your liver?
  • by Tim C ( 15259 ) on Saturday November 03, 2007 @04:02PM (#21226217)
    Card data are usually stored in cookies encrypted under the SSL symmetric key.

    I've worked in the web for 8.5 years now, and have worked on a lot of ecommerce sites in that time. I have never seen any, not one, that stores anything at all in a cookie other than a session id. There is absolutely no reason whatsoever to be storing credit card details in them - in fact I would go so far as to recommend avoiding any online store that did this, SSL-encryption or no. It's just begging to be exploited.

    Also:

    As an aside, organ donors in Europe have to opt-out to NOT become an organ donor, i.e., uncheck the box.

    Sorry, but I have a card in my wallet that proves this wrong. I'm in the UK and you have to specifically register to be an organ donor. You don't have to carry the card they send you, but you do have to be in the database of registered donors.

    With these two errors, I'd have to say I'm suspicious of the rest of the article; how much more have they got wrong?
    • Anyone capable of writing:

      Card data are usually stored in cookies encrypted under the SSL symmetric key.
      clearly hasn't got a fucking clue what they are talking about.
    • I agree that the article was terrible but the complaint seems justified. His wife isn't alone in having troubles with them. For one, I stumbled across this class action lawsuit [lawyersand...ements.com], as well as some anecdotal evidence from ex customer service employees stating most of their members didn't realise they were signed up, and 99% of calls to their office were people trying to get off their program. If only he'd avoided the mangled technical explanation the issue he had might be clearer.
    • The gist of the story is that the security boundaries of the merchant's server are inherently compromised by hosting 3rd-party content from the same server or domain. Wherever the user's information is stored, it becomes a possibility that the 3rd party now has direct access to it. And of course, the author is correct in pointing out "cookie" headers are the most common way to establish a website session. This is just another facet of the overall problem. The Internet itself was designed a long time ago
  • I've never seen a shop store the CC number in a cookie, as that makes no sense at all. The proper way to do it (IF you're doing the credit card handling yourself, the company I work for uses a third party to handle this), is to store the credit card in the database as soon as it's sent, and just keep it there (and delete it when you don't need it any more). You can use a regular session id if you ever need it again. There's no reason to send it back to the client.
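As an added illustration of this comment and of the point above about same-origin access (example code written for this page, not code from any site, company or library named in the thread), here is the cookie design the article implies beside the session-id design the comments recommend; the card number and expiry in the test are constructed values.

```python
import base64
import json
import re
import secrets
from typing import Optional


def cookie_with_card_data(card_number: str, expiry: str) -> str:
    """The design the article implies: card details round-trip to the browser
    inside a cookie. Encoding is not encryption, and TLS only protects the
    cookie in transit; anything that can read it in the browser (an extension,
    a same-origin script, a partner page hosted on the same host) gets the PAN."""
    payload = json.dumps({"card": card_number, "expiry": expiry})
    return "checkout=" + base64.b64encode(payload.encode()).decode()


def recover_card_from_cookie(cookie: str) -> dict:
    """What any same-origin page could do with the cookie above."""
    _, _, value = cookie.partition("=")
    return json.loads(base64.b64decode(value))


class ServerSideCheckout:
    """The design the comment describes: the browser holds only a random
    session id; card details stay server-side and are deleted when done."""

    def __init__(self) -> None:
        self._sessions = {}

    def start(self, card_number: str, expiry: str) -> str:
        sid = secrets.token_urlsafe(32)  # 256 random bits: unguessable
        self._sessions[sid] = {"card": card_number, "expiry": expiry}
        return sid  # the only thing that goes back to the client

    def cookie_for(self, sid: str) -> str:
        # HttpOnly keeps page scripts (including hosted partner content) from
        # reading the id; Secure keeps it off plaintext HTTP. Neither stops a
        # page on the same origin from sending requests that carry the cookie,
        # so keep third-party content off the checkout origin altogether.
        return f"session={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"

    def card_for(self, sid: str) -> Optional[dict]:
        return self._sessions.get(sid)

    def finish(self, sid: str) -> None:
        self._sessions.pop(sid, None)  # no reason to keep the PAN around


def contains_card_digits(cookie: str, card_number: str) -> bool:
    """Does the cookie value expose the PAN, plainly or base64-encoded?
    Usable as a quick check on Set-Cookie headers seen during a checkout."""
    digits = re.sub(r"\D", "", card_number)
    _, _, value = cookie.partition("=")
    value = value.split(";")[0]
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=False)
        decoded = raw.decode("utf-8", "ignore")
    except Exception:
        decoded = ""
    return digits in re.sub(r"\D", "", value) or digits in re.sub(r"\D", "", decoded)
```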
  • bad habits (Score:5, Insightful)

    by fermion ( 181285 ) on Saturday November 03, 2007 @04:09PM (#21226261) Homepage Journal
    I wish that security was not so often sacrificed for selling opportunities. When one is going through an online transaction, which is still a risky process due to man-in-the-middle attacks, one should not create an expectation of the user to see things characteristic of such attacks. There is no reason to have ads on such pages. There is no reason to set third party cookies to ad sites, or direct to other offers between the time that the user checks out and the time the order is complete. If attacks such as these are successful, it is the fault of the companies that design the faulty web pages, and such companies should compensate the consumer.

    Even firms that should know better, such as banks, promote such practices. I recently logged into my highly secure bank account, and instead of being greeted with my bank information was greeted with a survey. This is such a fundamental breach of security I wonder why I bank with them. Oh, I know. Because every other bank is selling out customer security to make a buck. It is nothing new. I used to receive many offers on my bank's letterhead. When I called to see if they were responsible, the agent said they have nothing to do with it. Well, I would reply, it is on your letterhead, should I call my AG and state that someone is representing themselves as you? Nothing was said after that.

    In any case, as long as people are trying to squeeze every dime out of every customer, we are going to have these security issues. I guess the only thing to do is to not conduct business with the worst of the worst, no matter how tempting it is.

    • by darjen ( 879890 )

      Even firms that should know better, such as banks, promote such practices. I recently logged into my highly secure bank account, and instead of being greeted with my bank information was greeted with a survey. This is such a fundamental breach of security I wonder why I bank with them. Oh, I know. Because every other bank is selling out customer security to make a buck. it is nothing new. I used to recieve many offers on my banks letter head. When I called to see if they were responsible, the agent said the

  • WLI truly a problem (Score:5, Informative)

    by Peter Simpson ( 112887 ) on Saturday November 03, 2007 @04:13PM (#21226301)
    They almost got me twice with a fake "Continue" button on the order confirmation page.

    After you type in your credit card info, and authorize the purchase you intended to make, the website pops up a receipt/confirmation page (just as you'd expect). At the bottom of that screen, is a "Continue" button. Below that button, in very small type, almost the same color as the page background, perhaps even below the bottom of the screen, so you'd need to scroll down to see it, is a disclaimer that tells you that by clicking the above button, you're authorizing the transfer of your data to WLI.

    The next page you see asks you for a second confirmation (perhaps your email address), and in a way that does not make clear that you are not providing it to WLI...and at NO time are you told that your credit card information has been sent to WLI. You are not explicitly asked to authorize the charge.

    The places I caught doing this were unaware of it, and angry about it. The WLI link comes pre-packaged in the "storefront" or "ecommerce solution" that the merchant obtains from their hosting service. My suspicion is that this is a deal between WLI and the storefront software provider, not the merchant.

    It's definitely for real and a continuing problem...my experience was several years ago, and at the time, I bookmarked this site, which is still active:

    http://adam.rosi-kessel.org/weblog/the_man/webloyalty_aka_wli_reservations_is_a_scam.html/ [rosi-kessel.org]

    The other way they get you to click is to offer you a "credit on your next order"...

  • This is possibly the worst summary ever written in Slashdot history. It doesn't make an ounce of sense!!! What page links to what inside of what session? It sounds like they're saying they have to pay per SSL connection while they re-route you to the original manufacturer's page like a click fraud scam but then that somehow charges you extra and then they're somehow making money off not protecting your credit card number...so like they're passing your card number to the product maker? And then they say
  • by aussersterne ( 212916 ) on Saturday November 03, 2007 @07:29PM (#21227637) Homepage
    I know reservation rewards well! I used to get tons of free food using them through delivery.com (a fast food delivery website). Here's how it would work:

    1. Order food online through delivery.com.

    2. An "opt-out" cross-sell appears offering you a $10.00 coupon if you don't uncheck the enroll box. First 30 days are free.

    3. Agree to "free trial" and get $10.00 coupon code. Then call immediately and cancel service you just enrolled for.

    4. Use free $10.00 coupon (still good) next time you want to order food through delivery.com.

    5. At end of order, an "opt-out" cross sell appears offering you a $10.00 coupon if you don't uncheck the enroll box...

    Just over a year ago I probably got $300 in free food delivery that way over a several month stretch before moving to an area where there is no delivery.com service. Too bad.

    My card was never charged by these people. All you have to do is be diligent and pay attention and call the 1-800 number to cancel.
  • I've skimmed the summary, article and comments, and sadly it seems not so many people are clued in on how cross sells actually work.
    There's no 'inside session passing' or rubbish. Simply, a cross-sell is a product offered by a company that uses the same billing company as the site.

    For example, CCBill - huge CC processing company.

    You sign up for a product or a site, X. That webmaster has made a deal w/ another webmaster that has a product / site, Y, processing with CCBill.
    When you sign up, there's a box for
    • by Raenex ( 947668 )

      There's no 'inside session passing' or rubbish. Simply, a cross-sell is a product offered by a company that uses the same billing company as the site.
      You're wrong in the case of Webloyalty. The original merchant and Webloyalty do not necessarily use the same credit card company.
  • by Anonymous Coward
    Webloyalty Named In Class Action Lawsuit
    By Melissa Campanelli
    September 18th, 2006

    Customers of several popular online retailers, including Fandango.com, Priceline.com and Staples.com were victims of an alleged Internet scheme in which their credit cards were charged a monthly fee for a "discount club" membership they had never requested, according to a class action lawsuit filed last week in US District Court in Massachusetts.

    The lawsuit accuses Webloyalty.com, an online marketing services company based in N
  • Going on for 5 years (Score:3, Interesting)

    by flyingfsck ( 986395 ) on Saturday November 03, 2007 @10:37PM (#21228655)
    This has been going on for a long time and people are still falling for it and they are still in business. You should complain to your Congress Critters.
  • I just read over 70 comments and I noticed that no one stated the obvious answer to the problem. Just dispute the charges on your credit cards. Sure it takes longer than bitching about it but it usually does work. You might have to fill out some paperwork and mail some letter but the results are usually far more satisfying. You get your money back and the company that you are bitch'n about, if they get enough charge backs, will have their credit card account yanked.

    I'm not sure any more, but if the m

  • As with the term "hacking", "cross-selling" is incorrectly used here to describe only a particular negative use of this otherwise accepted (and acceptable) practice.

    In marketing, cross-selling refers to the practice of trying to sell customers additional related items in the wake of a purchase they've already made. (Buying a new laptop? How about a shoulder bag to carry it in, a compact mouse, a CAT-5 cable and an extended service plan?) It's easier to sell to someone who is already in buying mode. Contra

  • Even reputable places do this. Last year, I bought a lot of tickets through Ticketmaster.com, and each and every time they tried to get me to sign up for a free trial of the Rolling Stone.

    Well, all of a sudden I started getting FREE copies of the Rolling Stone, so I knew that something fishy was going on. I kept throwing them in the trash for one year, until I got a notice that they were going to charge my credit card. I called them to cancel, but I really should have alerted my credit card that someone
