Cross-Selling Online Scams and Security Issues

An anonymous reader writes "The site 12 Angry Men recently published a discussion of a widely used but little-known online scam called 'cross-selling'. Essentially, after-sale shops cut deals with shady online retailers in an attempt to make a quick buck off of you after you've already bought something. 'What actually happens is that instead of linking to the site as a separate session, they link internally as another page in the same session. Why is this important? When you do a credit card transaction, any reputable company will attempt to protect your credit card data. They do this by establishing an SSL session to encrypt sensitive data on-line.' What makes everything even more interesting is that now the company has responded, with the usual white washing and meaningless statements."

At least they responded

[gbulmash]

The company gets criticized for monitoring the blogosphere and responding to complaints in the comment right after its response.

"Why would a legitimate company providing quality service have concerns about the blogosphere great enough to monitor it?"

In fact come to think of it, most of those we have seen who practice this and post comments like this are scam artists slightly worse than used car dealers.

Actually, I've seen "respectable" companies do this. When I posted a rant about the stupid ways people bid on projects [brainhandles.com] (or try to bid without bidding) on Rent-A-Coder, there was a response from Rent-A-Coder on my blog within a day.

Monitoring and responding to complaints is a positive, IMO.

Re:

[VGPowerlord]

I thought it was more because white is generally considered by western civilization to represent purity, while black is the opposite of white.

Yes, and accountants are the worst

[A nonymous Coward]

They say accounts are in the black when they are good, and in the red when they are bad. Obviously white folk don't even deal with money, only those dirty black people and red people, and just as obviously, red people are dirtier than black people. I suppose they don't include yellow people because this all started before they knew about them.

Re:At least they responded

[Mister Transistor]

OK, I'll bite.

Whitewash was a kind of paint used in the old days for fence and barn painting. It was called that (gasp) - because it was white! Think Tom Sawyer... Anyway, the term "whitewashing" means to cover up (as in with white paint).

Blacklisting comes from (also) old times, in Hollywood movie studios, if you were allowed on premises, you were on a list the security guards were given. If you pissed off the director or some studio exec, you got a line drawn through your name with a (you guessed it) - black - pencil - and were denied access from then on.

That's it, no racist overtones or conspiracies - except, perhaps in your mind!

Re:

[Have Brain Will Rent]

Well it's a little off topic but since you did post a link to your rant I have a comment to make. It said:

Second, the guy's listing stuff like being a customer service rep for a credit union on it. Why would I care about your work experience that doesn't relate to this project?

Most HR people care about this because holes in your resume, long periods of time with no discernible activity, are worrisome. It's just SOP to put everything in your resume for whatever period you are covering.

Also you seem t

Re:

[gbulmash]

Most HR people care about this because holes in your resume, long periods of time with no discernible activity, are worrisome. It's just SOP to put everything in your resume for whatever period you are covering.

This is a piecework RFP he's responding to. I'm not offering him employment, I'm asking him to bid on a contract. A personal CV isn't appropriate here. Just show me you can do this work.

Also you seem to think you will get good people by asking them to give you a free estimate. Perhaps that i

Re:

[lordofthechia]

Aye, some companies either do it proactively (as a way of getting honest feedback) or sometimes bored employees may google their company name to see what turns up (and if it's negative they may bring it to someone's attention). Those two reasons I see as a positive use of an employees spare time since not all irate customers will call in. Also it's a way to catch those that slipped through the customer service cracks (150% - 200% turnover = bad apples in even the best organizations).

I had a dental insuran

12 Angry men

[Bloke down the pub]

From the linked article:

As an aside, organ donors in Europe have to opt-out to NOT become an organ donor

Not so much angry as ill informed. That's certainly not the case in the UK or Italy which, last time I checked, are part of Europe. I doubt the authors could point to either on a map.

Re:

[Seumas]

It should be the case everywhere. What am I going to do with my organs when I'm dead? Why should someone else die, because I was too lazy or ignorant to become an organ donor?

Re:

[larien]

There are religous or personal beliefs which may abhor organ donation; it's not quite as clear cut as that.

As for the parent of this thread, while the UK doesn't have "opt out" organ donation at the moment, people are pressing for it to be introduced.

Re:

[DavidRawling]

However one could probably get a lot more people to opt-in if one was forced to indicate one's preference when getting a driving license.

Funnily enough, this is certainly the case in NSW, Australia. I think it's the same throughout the country.

Re:

[conufsed]

Actually this used to be the case nationwide, but it was still only a preference, without legal binding. Medicare now takes care of this, and I beleive this is actually legally binding now

Re:

[Bloke down the pub]

while the UK doesn't have "opt out" organ donation at the moment, people are pressing for it to be introduced.

And they have been for over 20 years, but that's not the same as it actually being the law. Not even close. And even if one or more countries in the EU do have such a law, it's stupid to generalis that to them all - laughably stupid and incredibly ignorant to boot.

Re:

[PopeRatzo]

Dead people don't have rights

Why not? If the un-born are supposed to have the same rights as a living human being, why shouldn't the "un-live"?

Fact is, it's pretty goddamn easy to determine at what point human beings should have full rights: When they are born, and when they die. Everything else is just organized superstition.

Re:

[Pedersen]

Except for one *very* important point: At the time of organ harvesting, these people are *not* dead. Their bodies are very much alive. And those same bodies show very much the same reactions to the pain of organ harvesting as any other living person.

Add in the whole issue I mentioned above about how to deal with treatments in case of severe injury, and I have a very strong case for not wanting to be an organ donor.

Re:

[adavidw]

What? Are you serious? Please explain who these live people are who are getting their organs removed for donation. And don't include any stories about waking up in a bathtub full of ice.

Re:

[Pedersen]

Yes, yes I am serious. The body still has a beating heart. Blood still flows through veins and arteries. These are requirements for optimal organ harvesting. If the heart is no longer beating, then the organ has already suffered oxygen deprivation. Furthermore, it has likely suffered other forms of trauma which are leading to an even earlier death.

I don't remember the lengths of time that individual organs are usable after harvesting. I think, for example, that kidneys are usable up to 24 hours later, while

Re:

[adavidw]

[blockquote]I have, and I am frightened by the fact that they did not contradict even one word of what I said. Not one.[/blockquote]

I have (ER docs), and they did contradict every word of what you said. Every one.

Re:

[Pedersen]

Fascinating. The ER docs I have spoken to, as well as the RNs I have spoken to, and the reading I have done on the subject, have all confirmed what I have related. I have no explanation for why the ones you spoke with claimed me to be wrong.

Re:

[ArsenneLupin]

Why is this blatant flamebait modded informative? It does not contain a single shred of argument, and is quite obviously bluff.

Re:

[fred911]

Most likely it's a matter of an agreeable definition of death.

Re:

[Eivind]

This may or may not be the case but is completely beside the point.

You may argue that the UK (or any other country) *SHOULD* have laws like that. The article is however claiming that they *DO* have such a law, which they do not, so, the claim is, quite simply, wrong.

Re:

[Lehk228]

any religion that would prohibit the re-use of life saving organs from someone who cannot use them anymore deserves to be squeezed out of decent society.

Re:

[sumdumass]

It should be the case everywhere. What am I going to do with my organs when I'm dead? Why should someone else die, because I was too lazy or ignorant to become an organ donor?

Well beside the idea that I should be able to be put to rest intact as a spiritual matter, do you realize that you aren't totally dead when they decide to harvest your organs? They give up on saving you and let you succumb to a state of legally dead in order to harvest your organs and have something actually worth putting inside som

Re:

[adavidw]

Can you offer any proof for any of the accusations that you've made in this post?

Re:

[sumdumass]

Proof of accusations? I made more then a few. I bet your talking about not using certain drugs and not saving you if your an organ donor.

It is a known fact that they can't take organs from a dead person. They have to keep the blood flowing with oxygen in it in order to keep the organs alive. There is a very low amount of time between death and when they can harvest organs. Your organs last longer outside your body because they can cool it. So if your not being kept alive until they decide to set you up to b

Re:

[adavidw]

Organs can and do get retrieved from dead people. Every time (with the exception of live donor kidneys, of course). There is of course, some ambiguity about the word "dead" and what exactly it defines. For example, if you've got a patient whose brain activity is completely ceased with absolutely no hope of restarting but still has blood flowing, few would argue that the patient's not dead, and yes, that person might be a great candidate for retrieval of organs since they're so fresh. If you believe there's

Re:

[Bert64]

Yes, it's unfair that the donor's family don't benefit, however if they did you'd get many unscrupulous groups of people seeking to benefit from it.

Re:

[Bert64]

Well, "the estate" is a contrived idea too... In reality, the owner of the organs is whoever has sufficient power to take them. Once dead, you have no ability to assert any ownership over anything.

Re:

[Raenex]

All true, but inheritance is a recognized principle in society. Even if you are alive and assert ownership, somebody more powerful can take stuff away from you. That's why as a society we agree on "contrived" ideas.

Re:

[cp.tar]

Yes, it's unfair that the donor's family don't benefit, however if they did you'd get many unscrupulous groups of people seeking to benefit from it.

Well, don't you get such groups in this way as well?

Anyway, I don't care as long as I'm dead after the organ harvesting.

Re:

[feronti]

You'll certainly be dead after the harvesting. Personally, I'd prefer to be dead before the harvesting.

Re:

[cp.tar]

You'll certainly be dead after the harvesting. Personally, I'd prefer to be dead before the harvesting.

My point is, as long as I'm dead afterwards, I'll be in no position to care either way.

Well, supposing I'm at least unconscious beforehand.

Re:

[marcello_dl]

You forget to account for people living in corrupt places: you could be cut apart because your organs are compatible with some VIP needing a transplant. Hopefully there are so few of those places that it's a somewhat paranoid thought yet it's not a simple matter of laziness and ignorance.

Re:12 Angry men

[Pedersen]

It's not as clear cut as that. You see, in the case of severe trauma, there are two basic treatment paths to take: Keep the body warm, or keep the body cold. The colder the body is, the better the chance the victim comes out alive and intact. So, the body should always be kept cold, right?

Well, if the victim dies anyway, then it's time to harvest. Oh, but the body being kept cold has put the organs closer to death. This reduces the amount of time they can be out of the body before they become useless to a new body.

So, we need to keep the body warm. But if we do that, then the victim has a much greater chance of suffering severe, disabling injuries out of the accident. Which means it's more likely he dies.

Think about it. Would you prefer to live, or to die? Oh, and let's not get started on the medical personnel who have a very important job: If there is any chance the person could be an organ donor, pressure the (still in shock) family to allow organ donation.

As for me, I choose to live. I do not wish to be an organ donor, and have said so to my family.

Re:

[Hatta]

Well, if the victim dies anyway, then it's time to harvest. Oh, but the body being kept cold has put the organs closer to death. This reduces the amount of time they can be out of the body before they become useless to a new body.

Then why do they transport organs on ice?

Re:

[Pedersen]

Basically, a major organ transplant (such as heart or liver) goes through 5 stages (6 if you count the selection of the donor):

1. Something happens to the donor which results in them being chosen as an organ donor candidate. Ideally, the person who is to be the donor will be relatively young (less than 35 or so), in great health, who has a piano fall on their head, hard enough to basically destroy all higher brain function, but not hard enough to destroy autonomic brain function. In other words, their mind

Re:

[LexMortis]

Same goes for The Netherlands, it's opt-in.. not opt-out. Although they are thinking of changing that.

Re:

[julesh]

Not so much angry as ill informed. That's certainly not the case in the UK or Italy which, last time I checked, are part of Europe. I doubt the authors could point to either on a map.

There *are* countries in Europe which use an opt-out system, although not many yet. There have been suggestions that the UK may change to opt-out in the future, as polls have suggested that ~70% of the population would support such a change.

Re:

[Hognoxious]

There *are* countries in Europe which use an opt-out system

Read what the article said, read what the post you're replying to said, then look up the fallacy of composition [wikipedia.org].

There are parts of the US that are dry, but it doesn't mean the whole country is a beer-free zone.

Re:

[julesh]

There *are* countries in Europe which use an opt-out system

Read what the article said, read what the post you're replying to said, then look up the fallacy of composition.

I'm aware of exactly what the article said:

As an aside, organ donors in Europe have to opt-out to NOT become an organ donor, i.e., uncheck the box.

Note that this does not say "all organ donors in Europe". It quite clearly is a statement that may or may not apply throughout Europe. As it happens, in this case, it does not.

Re:

[Hognoxious]

does not say "all organ donors in Europe". It quite clearly is a statement that may or may not apply throughout Europe.

Absolute rubbish. If you say "in Europe X", without qualification along the lines of "some countries in ..." or "parts of ..." it's assumed by anyone who actually understands English properly that X applies to the whole.

By your reasoning (and I'm stretching the definition there) "odd numbers and even numbers are prime" would be true, because at least one of each is.

Re:

[Bloke down the pub]

There are parts of the US that are dry, but it doesn't mean the whole country is a beer-free zone.

It's not far off ... have you ever tried Bud Light?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[schmu_20mol]

Wow, could someone please mod the parent down ... this is just ill informed.

Re:

[Eivind]

It also fails to be the case in Germany, Finland, Norway and Spain. I doubt it is the case -ANYWHERE- in Europe, but I can't say for absolutely sure.

That's not the only bullshit in this article. I don't know -any- site that stores credit-card numbers, expiration-dates and control-numbers as *cookies* (i.e. client-side), certainly Ebags, the site he claimed scammed his wife, does not. (I just tested. They -DO- set a cookie, but this cookie is just a hash that presumably indexes a server-side storage for vari

Shopsafe ad

[WPIDalamar]

This is just a Shopsafe AD.

Technical details in the article are slim and misleading.

Re:

[julesh]

Technical details in the article are slim and misleading.

Technical details in the article are substantial, although very difficult to follow. The only question I'm left with is who the fuck stores your credit card details in a _cookie_, and why...?

Rampant Fraud

[Yahma]

I used to get $1.00 charges on my credit card that would go unnoticed for a few months. When I checked the company, they had a website that stated something to the effect:

"If you received a charge to your credit card for us, it is for services that we provided and it is not a fradulent charge."

Now, I never have purchased anything from this company, and even though the total charges were less than $3, I reported it to my credit card company. Some of these fraudulent companies can be very deceptive.

Re:

[Dogtanian]

When I checked the company, they had a website that stated something to the effect: "If you received a charge to your credit card for us, it is for services that we provided and it is not a fradulent charge."

Well, they would say that, would't they?!

To be fair, I don't know the context of the comment or how much you were paraphrasing, but it seems that any company that felt the need to bring the subject up in that manner *and* then attempted to dismiss any problems in advance knows that something shady is going on.

If they really were legit, they'd know where the (limited) problem areas were, not have to explain it like that, and have a good explanation, not a handwaving generic "if something's wrong, we did

Re:

[The MAZZTer]

In unrelated news, foxes have been quoted as saying that "any hens missing from the hen houses are totally not our fault".

Re:

[hrvatska]

The foxes in my area say that any hens they remove are compensation for the 'Hen Protection Program' they administer.

Re:

[DrScotsman]

I used to get $1.00 charges on my credit card that would go unnoticed for a few months.

Now, I never have purchased anything from this company...

Sure you didn't sign up to Happy Dude?

Re:

[Anonymous Coward]

I had my bank do this
charging $20 a month for health insurance
and not refunding more than the last two
months
the bakn did not charge the $20
but had another company charge it
the charge came out as insurance
insurance which I never had or existed
the bank was first union
the bank changed their name at least once
the company charging the $20 was out of florida
your own bank is capable of doing this

Re:Rampant Fraud

[Night Goat]

That was a very moving poem. I particularly enjoyed the vivid description of the twenty dollars.

Re:

[Lumpy]

That is why I will not use any of my credit cards online anymore. I use the one time use credit card services. It works for the amount I enter and only once withing a time frame. It stops this shady scam crap that is all over the net now.

Easiest to use is paypal's. But one of my banks also offer it for my credit card.

Re:

[elfkicker]

My bank just contacted my the other day for a $1.33 charge. They called within an hour of transaction which I didn't make. Operator cancelled the card and my card immediately but wouldnt explain how they knew they knew I didnt do it. I appreciate the proactive approach, but they should really be telling me The Whole Truth.

The charge was to a company called Jazz Inc with an 800#, when you call it it says "Press 1 for more information to be texted to you about the charge on your bill." I assume they someh

Re:

[mike2R]

A small charge may be someone verifying that the card is still valid - do a small instant transaction which has a good chance of escaping detection and then use the known-good card for a larger fraudulent purchase.

If this was the case Jazz Inc would be an unwitting third party - your bank might have noticed a pattern of a small charge with them followed by a large fraud attempt.

Funny Aside

[TiggertheMad]

...Anyone notice that the website that this article is on prevents you from navigating away via the browswer back button? I was always suspicious about sites that employed Javascript to prevent people from navigating away. An article about shifty behavior on a site that triest to manage your attemts to leave. Classy!

Re:

[Minter92]

Uh? The back button works fine on that site. =

Re:

[wizardforce]

...Anyone notice that the website that this article is on prevents you from navigating away via the browswer back button?

that's what noscript is for. by default it will not execute javascript code unless you actually allow it to do so. Also, middle clicking on a link in firefox opens it in another tab, there is no point in them trying to prevent you from navigating backward since you can just close the tab.

CNN does something similar

[IvyKing]

I've noticed that CNN does a dirty little trick to trip up the 'back' button - they typically put three instances of the current page on the history buffer. Found that out after using the down-arrow next to the 'back' button, and that allows me to go back to the previous page.

OPT-OUTs arrg!

[iknownuttin]

FTFA: Nope! Somewhere on the page there is a box which is checked that says "Send me this crap for $9.00 a month".

I really hate those things. Many times, when you're filling out some poorly designed form that has information that has to be entered, I usually miss something or enter it the "wrong" way and I end up having to go back and correct my data. Upon going back, guess what, the check-box that "opts-in" to (usually to get spammed by the company) is checked again. Technically, it's "opt-in", but the ch

Re:

[VGPowerlord]

You know, it annoyed me in the past that Opera wouldn't run the onunload handler when I closed a page, but it does if I navigate somewhere from said page.

This site shows me that there's a legitimate reaason for that behavior.

Re:

[Bert64]

You think that's bad, try signing up at:
http://www.keziefoods.co.uk/registration [keziefoods.co.uk]

Make sure you leave the "subscribe to newsletters" checkbox empty, and keep an eye on it as you click submit.
Really damn cheeky, they use javascript to re-check the button as you submit the page!
I wrote about this a while back (march 2007):
http://www.ev4.org/wordpress/2007/03/03/keziefoodscouk-are-cheeky-bastards/ [ev4.org]
http://www.ev4.org/wordpress/2007/07/04/keziefoods-are-cheeky-bastards-followup/ [ev4.org]

I mailed them about it several times.

I knew there was a catch..

[eniac42]

[As an aside, organ donors in Europe have to opt-out to NOT become an organ donor, i.e., uncheck the box. In the United States, drivers have to opt-in to become an organ donor. The relative rates of donors in Europe is over 80% verses 20% in the United States. This is the power of opt-out and why marketeers fight for it so hard.]

The Meaning of Life: Part Five: Live Organ Transplants.
Hello. Uhh, can we have your liver?

Explanation seems off to me

[Tim C]

Card data are usually stored in cookies encrypted under the SSL symmetric key.

I've worked in the web for 8.5 years now, and have worked on a lot of ecommerce sites in that time. I have never seen any, not one, that stores anything at all in a cookie other than a session id. There is absolutely no reason whatsoever to be storing credit card details in them - in fact I would go so far as to recommend avoiding any online store that did this, SSL-encryption or no. It's just begging to be exploited.

Also:

As an aside, organ donors in Europe have to opt-out to NOT become an organ donor, i.e., uncheck the box.

Sorry, but I have a card in my wallet that proves this wrong. I'm in the UK and you have to specifically register to be an organ donor. You don't have to carry the card they send you, but you do have to be in the database of registered donors.

With these two errors, I'd have to say I'm suspicious of the rest of the article; how much more have they got wrong?

Indeed

[Chuck Chunder]

Anyone capable of writing:

Card data are usually stored in cookies encrypted under the SSL symmetric key.

clearly hasn't got a fucking clue what they are talking about.

Re:

[Nazlfrag]

I agree that the article was terrible but the complaint seems justified. His wife isn't alone in having troubles with them. For one, I stumbled across this class action lawsuit [lawyersand...ements.com], as well as some anecdotal evidence from ex customer service employees stating most of their members didn't realise they were signed up, and 99% of calls to their office were people trying to get off their program. If only he'd avoided the mangled technical explanation the issue he had might be clearer.

Explanation maybe just too simple

[Robert Chapin]

The gist of the story is that the security boundaries of the merchant's server are inherently compromised by hosting 3rd-party content from the same server or domain. Wherever the user's information is stored, it becomes a possibility that the 3rd party now has direct access to it. And of course, the author is correct in pointing out "cookie" headers are the most common way to establish a website session. This is just another facet of the overall problem. The Internet itself was designed a long time ago

Eh?

[Estanislao Martínez]

Not knowing the finer points of crazy English spelling doesn't make somebody an idiot.

Re:

[Ant P.]

So... their use of the word was completely correct then?

credit card stored in a cookie?

[J0nne]

I've never seen a shop store the CC number in a cookie, as that makes no sense at all. The proper way to do it (IF you're doing the credit card handling yourself, the company I work for uses a third party to handle this), is to store the credit card in the database as soon as it's sent, and just keep it there (and delete it when you don't need it any more). You can use a regular session id if you ever need it again. There's no reason to send it back to the client.

bad habits

[fermion]

I wish that security was not so often sacrificed for selling opportunities. When one is going through an online transaction, which is still a risky process due to man-in-the-middle attacks, one should not create an expectation of the user to see things characteristic of such attacks. There are no reason to have ads on such pages. There is no reason to set third party cookies to ad sites, or direct to other offers between the time that user checks out and the time the order is complete. If attacks such as these are successful, it is the fault of the companies that design the faulty web pages, and such companies should compensate the consumer.

Even firms that should know better, such as banks, promote such practices. I recently logged into my highly secure bank account, and instead of being greeted with my bank information was greeted with a survey. This is such a fundamental breach of security I wonder why I bank with them. Oh, I know. Because every other bank is selling out customer security to make a buck. it is nothing new. I used to recieve many offers on my banks letter head. When I called to see if they were responsible, the agent said they have nothing to do with. Well, I would reply, it is on your letterhead, should I call my AG and state that someone is representing themselves as you? Nothing was said after that.

IN any case, as long as people are trying to squeeze every dime out of every customer, we are going to have these security issues. I guess the only thing to do is to not conduct business with the worst of the worst, no matter how tempting it is.

Re:

[darjen]

Even firms that should know better, such as banks, promote such practices. I recently logged into my highly secure bank account, and instead of being greeted with my bank information was greeted with a survey. This is such a fundamental breach of security I wonder why I bank with them. Oh, I know. Because every other bank is selling out customer security to make a buck. it is nothing new. I used to recieve many offers on my banks letter head. When I called to see if they were responsible, the agent said the

WLI truly a problem

[Peter Simpson]

They almost got me twice with a fake "Continue" button on the order confirmation page.

After you type in your credit card info, and authorize the purchase you intended to make, the website pops up a receipt/confirmation page (just as you'd expect). At the bottom of that screen, is a "Continue" button. Below that button, in very small type, almost the same color as the page background, perhaps even below the bottom of the screen, so you'd need to scroll down to see it, is a disclaimer that tells you that by clicking the above button, you're authorizing the transfer of your data to WLI.

The next page you see asks you for a second confirmation (perhaps your email address), and in a way that does not make clear that you are not providing it to WLI...and at NO time are you told that your credit card information has been sent to WLI. You are not explicitly asked to authorize the charge.

The places I caught doing this were unaware of it, and angry about it. The WLI link comes pre-packaged in the "storefront" or "ecommerce solution" that the merchant obtains from their hosting service. My suspicion is that this is a deal between WLI and the storefront software provider, not the merchant.

It's definitely for real and a continuing problem...my experience was several years ago, and at the time, I bookmarked this site, which is still active:

http://adam.rosi-kessel.org/weblog/the_man/webloyalty_aka_wli_reservations_is_a_scam.html/ [rosi-kessel.org]

The other way they get you to click is to offer you a "credit on your next order"...

Re:

[Raenex]

I wonder, have you ever signed a document without reading every word on it? Like when the cable guy comes to install, do you really read every last word? Have you never agreed to a software license agreement without reading through the whole thing?

You admit these people are being tricked with nasty fine print and misleading presentation, yet you equate their behavior with gross negligence. This isn't like some Nigerian scam. These people are just shopping at a site they already trust, that they have alr

This is known as Amazon.com

[Jackie_Chan_Fan]

nt

WTF is this?

[ILuvRamen]

This is possibly the worst summary ever written in Slashdot history. It doesn't make an ounce of sense!!! What page links to what inside of what session? It sounds like they're saying they have to pay per SSL connection while they re-route you to the original manufacturer's page like a click fraud scam but then that somehow charges you extra and then they're somehow making money off not protecting your credit card number...so like they're passing your card number to the product maker? And then they say

The upside: Free food!

[aussersterne]

I know reservation rewards well! I used to get tons of free food using them through delivery.com (a fast food delivery website). Here's how it would work:

1. Order food online through delivery.com.

2. An "opt-out" cross-sell appears offering you a $10.00 coupon if you don't uncheck enroll box. First 30 days are free.

3. Agree to "free trial" and get $10.00 coupon code. Then call immediately and cancel service you just enrolled for.

4. Use free $10.00 coupon (still good) next time you want to order food through delivery.com.

5. At end of order, an "opt-out" cross sell appears offering you a $10.00 coupon if you don't uncheck the enroll box...

Just over a year ago I probably got $300 in free food delivery that way over a several month stretch before moving to an area where there is no delivery.com service. Too bad.

My card was never charged by these people. All you have to do is be dilligent and pay attention and call the 1-800 number to cancel.

Re:

[Raenex]

You rock :)

The truth behind cross-sells

[Archon-X]

I've skimmed the summary, article and comments, and sadly it seems not so many people are clued in on how cross sells actually work.
There's no 'inside session passing' or rubbish. Simply, a cross-sell is a product offered by a company that uses the same billing company as the site.

For example, CCBill - huge CC processing company.

You sign up for a product or a site, X. That webmaster has made a deal w/ another webmaster that has a product / site, Y, processing with CCBill.
When you sign up, there's a box for

Re:

[Raenex]

There's no 'inside session passing' or rubbish. Simply, a cross-sell is a product offered by a company that uses the same billing company as the site.

You're wrong in the case of Webloyalty. The original merchant and Webloyalty do not necessarily use the same credit card company.

Webloyalty Named In Class Action Lawsuit

[Anonymous Coward]

Webloyalty Named In Class Action Lawsuit
By Melissa Campanelli
September 18th, 2006

Customers of several popular online retailers, including Fandango.com, Priceline.com and Staples.com were victims of an alleged Internet scheme in which their credit cards were charged a monthly fee for a "discount club" membership they had never requested, according to a class action lawsuit filed last week in US District Court in Massachusetts.

The lawsuit accuses Webloyalty.com, an online marketing services company based in N

Going on for 5 years

[flyingfsck]

This has been going on for a long time and people are still falling for it and they are still in business. You should complain to your Congress Critters.

Dispute the charges

[Lord Apathy]

I just read over 70 comments and I noticed that no one stated the obvious answer to the problem. Just dispute the charges on your credit cards. Sure it takes longer than bitching about it but it usually does work. You might have to fill out some paper work and mail some letter but the results are usually far more satisfying. You get your money back and the company that you are bitch'n about, if they get enough charge backs will have their credit card account yanked.

I'm not sure any more, but if the m

Misuse of the term "cross-selling"

[He Who Waits]

As with the term "hacking", "cross-selling" is incorrectly used here to describe only a particular negative use of this otherwise accepted (and acceptable) practice.

In marketing, cross-selling refers to the practice of trying to sell customers additional related items in the wake of a purchase they've already made. (Buying a new laptop? How about a shoulder bag to carry it in, a compact mouse, a CAT-5 cable and an extended service plan?) It's easier to sell to someone who is already in buying mode. Contra

Reputable places do this

[GWBasic]

Even reputable places do this. Last year, I bought a lot of tickets through Ticketmaster.com, and each and every time they tried to get me to sign up for a free trial of the Rolling Stone.

Well, all of a sudden I started getting FREE copies of the Rolling Stone, so I knew that something fishy was going on. I kept throwing them in the trash for one year, until I got a notice that they were going to charge my credit card. I called them to cancel, but I really should have alerted my credit card that someone