Online Retailers Cruising Tor To Hunt For Fraudsters 188
Daniel_Stuckey writes "This week, the verification company Service Objects announced a new tool to help websites detect 'suspicious' visitors using Tor and other anonymous proxies. Its updated DOTS IP Address Validation product identifies 'suspicious' discrepancies between the user's home location and the location of the IP address the order's coming from. It joins a handful of other tools on the market promising Tor-detection for retailers. It's a logical strategy: If you're trying to buy something with a stolen credit card, you're obviously going to want to block your real identity and location while doing it. But it also raises the question of whether targeting anonymity services to hunt out fraudsters could have chilling effects for harmless Tor users trying to protect their privacy online—particularly this year in light of the NSA-spying scandal."
LOL wut? (Score:3, Interesting)
"But it also raises the question of whether targeting anonymity services to hunt out fraudsters could have chilling effects for harmless Tor users trying to protect their privacy online"
Umm.. the user is ordering something using their name, credit card, and address. They are not going to use Tor to protect their anonymity.
Re: (Score:3)
Why are they only allowed to attempt anonymity in relation to the store? Perhaps they just want to remain untracked by their ISP, and foul up any GeoIP-based advertising.
Re: (Score:3, Insightful)
So they trust nobody and in turn expect stores to trust them? I don't think so. You can't have it both ways. Either behave like a normal customer and be treated as such or behave in an erratic paranoid manner and expect to receive the same treatment from your retailer. Just for fun, walk into a department store wearing a balaclava and look around three or four times before you pick up something. See how long it takes before security takes an interest in you.
Re: (Score:3)
Re: (Score:3)
Can someone in a country that is trusted please make an illegal copy and upload it elsewhere? I promise I won't make any further copies, as I'm a good law-abiding citizen.
Re: (Score:2)
They haven't asked the store to trust them. They have offered a valid form of payment in exchange for goods or services. Whether or not the buyer has the right to use that particular form of payment has no bearing on the validity of the transaction as a whole.
More to the point - If I pay for delivery of a physical product with a credit card and have it sent to the card's billing address - Explain where the possibility of fraud comes into pl
Re: (Score:3)
> So they trust nobody and in turn expect stores to trust them? I don't think so
They trust nobody is a pretty wild assumption to make. I use tor, I trust lots of people with lots of things. Why would you assume I trust nobody just because I don't blankly trust my ISP, their ISP, and everyone else down the chain that I don't even know to know everyone I talk to and do business with?
Re: (Score:2)
Re: (Score:3)
Just use AdBlock for that. Then they can do GeoIP all they want - I don't see their crap anyway.
Re: (Score:3, Insightful)
"But it also raises the question of whether targeting anonymity services to hunt out fraudsters could have chilling effects for harmless Tor users trying to protect their privacy online"
Umm.. the user is ordering something using their name, credit card, and address. They are not going to use Tor to protect their anonymity.
That statement was not about normal people using TOR for online purchases. It was about people using TOR to hide their identity when doing things like posting to a controversial website, or whistleblowing. If this software catches on, and websites start using it to block TOR users, then it would make TOR less useful for posting anonymously.
Re: (Score:2)
If this software catches on, and websites start using it to block TOR users, then it would make TOR less useful for posting anonymously.
If people are trying to stay anonymous, yet at the same time they're entering their mailing address into web forms, Tor probably isn't going to do much for them.
Re: (Score:2)
Re: (Score:3)
"But it also raises the question of whether targeting anonymity services to hunt out fraudsters could have chilling effects for harmless Tor users trying to protect their privacy online"
Umm.. the user is ordering something using their name, credit card, and address. They are not going to use Tor to protect their anonymity.
But you certainly have a crowd that likes the idea of tor and has their browser always configured to use it. I don't think that raising the risk level associated with a transaction based on the client using tor is unreasonable. If this were a brick and mortar store, they'd probably be a little bit wary of doing a credit card sale to someone wearing a disguise that covered their face.
Also realize that this would only be one of many sanity checks employed. Is the shipping address to the address listed on t
Re:LOL wut? (Score:5, Funny)
"But it also raises the question of whether targeting anonymity services to hunt out fraudsters could have chilling effects for harmless Tor users trying to protect their privacy online"
Umm.. the user is ordering something using their name, credit card, and address. They are not going to use Tor to protect their anonymity.
But you certainly have a crowd that likes the idea of tor and has their browser always configured to use it. I don't think that raising the risk level associated with a transaction based on the client using tor is unreasonable. If this were a brick and mortar store, they'd probably be a little bit wary of doing a credit card sale to someone wearing a disguise that covered their face.
Also realize that this would only be one of many sanity checks employed. Is the shipping address to the address listed on the cc for example. The credit card company also checks where the card was used, for things like buying gas at 1pm and then buying it again at 2pm 100 miles away. They also consider the type of merchandise as online purchase of electronics is rife with fraud, but very few people use a stolen card to buy socks.
Making a credit card purchase online via TOR is like going into a shop to buy something using a credit card WITH A STOCKING OVER YOUR FACE.
Masked face in a shop: Not exactly (Score:2)
Making a credit card purchase online via TOR is like going into a shop to buy something using a credit card WITH A STOCKING OVER YOUR FACE.
I don't agree with this metaphor. See what the parent poster mentionned:
Umm.. the user is ordering something using their name, credit card, and address. They are not going to use Tor to protect their anonymity.
It's like a guy, who usually drivers around with a all-black, no-marksign vehicle with smoked glass. Gets out of it while wearing a stocking over the face.
Then while wainting on queue, suddenly removes the stocking, smiles at the cashier, pay, puts immediatly his stocking back, and drives away.
(Note: Except in some places in Europe that have specific laws against covered faces)
It's a much more pertinent parallel:
- At first glance, wanti
Re: (Score:2)
A couple of only tangentially related things pop out of me from this;
In 'The Prisoner' series people go around wearing capes and carrying umbellas; there is ubiquitous surveillance and people like to feel that they can don some sense of privacy. The people in control don't care about these because really its useless and doesn't mask their identity but it makes them feel better.
In Moorcocks 'Hawkmoon' series EVERYONE in the UK wears masks ALL THE TIME.
Re: (Score:2)
Making a credit card purchase online via TOR is like going into a shop to buy something using a credit card WITH A STOCKING OVER YOUR FACE.
No it isn't, stop being overly dramatic. It's similar to giving your friend some cash and asking them to pop into the store for you.
Rubbish. If you buy with cash you don't have to give your name and address and, oh yes, credit card number.
If you buy with a credit card that assumes a level of non-anonymity.
If you want to buy with credit card *and* you don't want your identity associated with the credit cards identity and then I assume that something dodgy is going on.
Its like here on slashdot you are posting as anonymous coward; I don't care about that, I have no reason to trust you so you can be anonymous and I don't give a flying FUCK.
Re: (Score:2)
You can be an anonymous coward on /. and say whatever you want, it doesn't affect me so I don't care. If you want to be an anonymous coward and use a CC via TOR you can get lost at the merchants discretion.
Its none of their business why you are going to their shop through TOR and its none of your business why they decline you.
Re: (Score:2)
If you want to stay annonomous using a credit card, buy one of the fucking prepaid cards that carries the Visa/MasterCard Logo and uses their system. Pay cash and you don't have a problem. Furthermore, these cards do not have the charge reverse feature of a standard card, thus the merchant shouldn't give a fuck what's bought with it or where it's shipped as they've got their money (same as cash).
Are they useful? depends on the country. In the U.S. they're limited to $500 for the cards I've seen - Anti-Terrorism requirement. Keep in mind that the U.S. wants everyone to pay by plastic (why do you think the disability system and food stamps system now use a EBT card - plastic).
Only a terrorist would need to spend more than $500
Re: (Score:2)
Except I'm not trying to hide from the people I'm buying from. I live in a communist country where all traffic is logged, and I don't think it's any of the government's concern that I want a subscription to this or that perfectly legal website. The company I'm buying from can store as much of my information as they want.
You don't have to use TOR for that.
TOR is specifically an anonymising service. Its purpose is more to hide your origin from the site you are visiting more than your local ISP or government.
If I wanted to use a stolen credit card I'd use TOR, hoping the merchant sites were stupid enough to allow it. I wouldn't use a VPN service.
Re: (Score:2)
Why is not like going to the shop and paying with cash?
So instead of blocking TOR they should offer things like Bitcoin?
Exactly, the problem (from the seller's POW) with credit cards is that the transaction can be reversed if the buyer complains. If you have a physical delivery address, and you send the cops there to investigate. If your goods are delivered electronically, then there is no recourse. A scammer could give the billing/shipping address associated with the card, receive the stolen goods, and everything would look kosher until the card owner receives their monthly bill and complains. At this point, the store
Re: (Score:2)
Making a credit card purchase online via TOR is like going into a shop to buy something using a credit card WITH A STOCKING OVER YOUR FACE.
You mean like wearing a hijab, chador, or burqa?
yeah in those cases I'd want to see some photo ID as well thanks
Re: (Score:2)
I agree - no need to hide who you are when you go shopping. But you may want to hide your identity when you are writing something controversial as an AC.
Re: (Score:2)
Believe it or not, it is possible for two parties who trust each other to trade.
Re: (Score:2)
It depends if you trust the shopkeeper. If you do, then there can be a benefit from haing your identity only known to yourself and him. If you don't trust him, then you must presume that as soon as he knows who you are he announces it to the world, and indeed, any secrecy you maintained on the way to the shop was futile.
Believe it or not, it is possible for two parties who trust each other to trade.
If you don't trust the shopkeeper, its not a good idea to use a credit card at all (they can save the details and use them to continue to make transactions on your account).
If the shopkeeper doesn't trust you, its a good idea for them not to accept your credit card (dealing with transactions from stolen credit cards isn't free for the shopkeeper).
If you don't trust the shopkeeper and want to use a credit card anonymously then the shopkeeper now has good reason not to trust you either. So its cash only, ple
Re: (Score:3)
I agree - no need to hide who you are when you go shopping. But you may want to hide your identity when you are writing something controversial as an AC.
Or anonymously use a stolen credit card in an online store.
Re: (Score:2)
I agree - no need to hide who you are when you go shopping. But you may want to hide your identity when you are writing something controversial as an AC.
Or anonymously use a stolen credit card in an online store.
But if you're having the goods shipped to you, doesn't that reveal at least WHERE you are?
Re: (Score:2)
Not necessarily. I guess you've never heard of fraudsters using the address of someone else, tracking the shipment then picking it up at the other address. It's quite common.
With the amount of abandoned houses in the country, it is quite easy to find a drop house to use.
Re: (Score:2)
"Umm.. the user is ordering something using their name, credit card, and address. They are not going to use Tor to protect their anonymity."
If this tech catches on the crooks just use Tor to get stolen credit card numbers, then go to Starbucks WIFI to buy stuff without Tor with that stolen credit card.
So just privacy-conscious real customers get driven out by moronic shop owners because they use Tor or use a VPN at Starbucks as everybody should.
Don't Go On Vacation Then (Score:4, Insightful)
That's probably the last time I'd do business with that company.
Re: (Score:2)
Depends on your source address in Toronto, also on the delivery address. It's more suspicious if you use a TOR node in Toronto than a more normal address.
But it's to some extent also the fault of credit card companies that don't offer the best possible verification and resort to the stupid CVV.
Yes. Wouldn't you? (Score:2)
Blame the criminals. Security, especially effective security is ALWAYS inconvenient. It would be much easier if I come home to simply push open the door but thanks to those who can't keep their hands of other peoples stuff I have first open two locks.
Dutch banks recently started blocking ATM access by default, you have to unlock the card if you want to use it anywhere in the world. It stops east europeans from withdrawing money on your card in their country. Same reason there is withdrawal limit on most ca
Re: (Score:2)
"Blame the criminals."
Not just no, but HELL NO. I blame the retailers (and credit card industry) for failing to find a convenient and yet secure way to make my payment.
If you make it inconvenient for me, I won't buy. It's that simple. So get on it.
Re: (Score:2)
So... it's going to see my address is Florida but I'm making an online purchase from Toronto? And disallow it?
That's probably the last time I'd do business with that company.
There are services (Netflix comes to mind) that just plain don't allow streaming/downloading/purchasing outside the US or charge a whole lot more depending on where you're buying from. Buying a game online in the EU can cost twice as much as buying the same thing online in the US.
not new, and a little more complex. CVV2, etc. (Score:3)
If you're asking that something be shipped to Toronto and you want to charge someone living in Florida, that's -3 points. If you enter the CVV2 from the back of the card, that's +3 points and they balance out.
If you've had prior transactions at least 90 days ago that weren't disputed, that's +2 points. Using an OPEN proxy -4. Business CC +1.
Depending on the value of the transaction, it could be immediately approved, you could be asked for more information, or the merchant could manually check and approve
Re: (Score:2)
good point. Several other checks. (Score:2)
That's a good point. Re "you missed one", I left out quite a few. There are checks we do as soon as you land on the page, before you even fill in form.
Re: (Score:2)
"If you're asking that something be shipped to Toronto and you want to charge someone living in Florida, that's -3 points. If you enter the CVV2 from the back of the card, that's +3 points and they balance out.
If you've had prior transactions at least 90 days ago that weren't disputed, that's +2 points. Using an OPEN proxy -4. Business CC"
Making doing business with you inconvenient for me: -10.
I'll buy from the other guy.
Not inconvenient 99.99% of the time, your info (Score:2)
> Making doing business with you inconvenient for me: -10.
9,999 out of 10,000 people will never see anything from the scrubbing. When / if you've purchased things online, have you noticed we're geoip matching against the CC address? Probably not.
For most people, the only time you'll ever notice is when you either get an authorized charge from someone who didn't do anything to confirm
who is using your card, or get a call letting you know that likely fraud was detected.
> I'll buy from the other guy.
I
typo s/authorized/unauthorized/ (Score:2)
That should read:
For most people, the only time you'll ever notice is when you either get an UNauthorized charge from someone who didn't do anything to confirm
who is using your card, or get a call letting you know that likely fraud was detected.
Re: (Score:2)
"9,999 out of 10,000 people will never see anything from the scrubbing. When / if you've purchased things online, have you noticed we're geoip matching against the CC address?"
Well, I guess I am that 1 out of 10,000. Because yes, I have noticed, because I was refused on that basis (incorrectly, by the way). And guess what? I no longer do business with that company.
In fact, I have considered writing about it, when I have some spare time.
Re:Don't Go On Vacation Then (Score:5, Informative)
Re: (Score:3)
I am an online retailer. I lost $8,000 in one season from credit card fraud. When the cards are stolen, the frauders use it at a store. The cardholder then does a chargeback. The bank will refund the cardholder and take it from the retailer, so the retailer assumes all risk. Many online sales have 15% margins from which you have to pay advertising and labor costs. A single fraudulent sale can take 10-20 legitimate sales just to break even! Most of the frauders are from countries like Vietnam, China etc. they will ship often to a US address and the cardholder is a US address as well. The only thing us retailers have to go by is the location of the IP address. If that's from a country other than the cardholder's that's a very strong signal that it's a fraudulent order. Size of order, fake phone number are also good signals. If you don't want an order flagged, then don't look like a frauder! Place your order from your actual IP address.
Would you like to block my purchase under these conditions?
1) My Internet IP address at work is about 1500 miles from my actual location at work. This is some sort of side-effect of how my employer (a very large corporation) has its connections to the Internet.
2) When I'm on vacation, perhaps 3000 miles from home, I play a game with friends and love it. I go online to buy it and have it shipped home so I can play after vacation.
Re: (Score:2)
Did you know your name is an Aptronym [wikipedia.org]? Especially for this post.
Re: (Score:2)
You seem to think users of privacy software care whether they get flagged on online orders. Generally speaking, these are users who do not stop and realize that they are reducing rather than increasing their privacy in this case. If they even realize at that moment that they are still using Tor. Most of them have probably not made the connection to the fact that they aren't protecting their pr
Re: (Score:2)
"The cardholder then does a chargeback. The bank will refund the cardholder and take it from the retailer, so the retailer assumes all risk."
I understand all this. But when you refuse a huge percentage of purchases because a small percentage of them are fraud, you hurt your business.
Repeat: I won't do business with you. If you don't like that, find some other way to change your business model.
Re: (Score:2)
"Speaking as a frequent Tor user myself, I'd seriously doubt it if Tor users comprised a "huge percentage" of legitimate purchases to any retailer."
I was replying to GP. I was not referring specifically to TOR.
"Back to the question though- I suppose one way of dealing with the fraud problem would be to only allow non-chargeback-able transactions from Tor users- BitCoin for example"
Fraud is a risk you take when you do retail business. I understand that, and I sympathize. BUT... if you make doing business with you inconvenient, you lose business. That's just the way it works. I didn't invent the free market system.
Come on... (Score:4, Insightful)
". But it also raises the question of whether targeting anonymity services to hunt out fraudsters could have chilling effects for harmless Tor users trying to protect their privacy online—particularly this year in light of the NSA-spying scandal."
Seriously?
Why would you ever need to "protect your privacy" via Tor etc, from an ONLINE SHOPPING SITE that you are GIVING YOUR CREDIT CARD AND SHIPPING INFORMATION TO?
I mean, I'm as much anti NSA crap as the next guy. but come on. That said, cool tech. It would make sense that retailers would do this. I see this is a good thing, not a reason to slam the lizards running our government.
Re: (Score:1)
I was thinking the same thing. Kudos sir.
Re: (Score:2)
No, what the reason is is none of your fucking business.
And to be quite honest, it is none of your fucking business if a retailer chooses not to sell to a certain sub-set of customers because they represent a high-risk for fraud.
There are plenty of retailers that choose not to ship to PO boxes, sometimes it's because of the associated risk of fraud, and sometimes it's because they sell chocolate and don't want to ship to a PO box in Phoenix in July. Which one is it in the case of the retailer you're buying from today? You got it... none of your fucking business
Re: (Score:2)
And to be quite honest, it is none of your fucking business if a retailer chooses not to sell to a certain sub-set of customers because they represent a high-risk for fraud.
That's exactly the reason I give when them darkies come into my store. Gawd damn civil rights bullsheeeet.
But seriously, I think that excluding customers because they are taking actions to protect their fourth amendment rights of privacy might be grounds for a civil rights action.
You're going to have to find a better way to verify the credit card.
Wrong. Denying service because of race is against the law. Denying service because the buyer is anon is not.
Re: (Score:2)
Wrong. Denying service because of race is against the law. Denying service because the buyer is anon is not.
It's not as black and white as that (no pun intended). Denying service is based on class of people. While the wording of the act certainly lends itself to denying service based on race (or other similar visible discrimination), the legal definition has been argued with a much wider interpretation. A good lawyer could argue that people wanting to protect their 4th amendment right are a class of people and should therefore not be discriminated against.
Do I think it would win? Not really. But I certainly t
Re: (Score:1)
Re: (Score:3)
Because cracking the onion has to be harder than https?
I'm sure buying piles of fertilizer would set off alarms, but what if I want a variety of inflatable barnyard friends, rubber sheets, that 55 gallon drum of lube, and a celebrity masturbator(male)? I don't want to get that dossier started.
Re: (Score:2)
Not if you live in the boondocks of Montana. :p
Are you an actual moron? (Score:4, Insightful)
The parent wrote it down for you. You are placing an order with your credit card and shipping address. What MORE could they possible need in your "dossier"? Or do you think a webstores order database is magically of limits? Or that the NSA is only snooping on your internet connection and not the webstore?
If you don't want people to know your weird hobby, don't pay it online with your registered credit card and home address. The moment you do, privacy doesn't exist anymore.
And you do deserve being called a MORON because clearly you have no clue about security and/or TOR and/or anonimity.
Remember the Silk Road story? How was he caught? By sleuthing, by connection anonymous messages together through identifiers.
You want to use TOR to place an order, a MESSAGE, with in that message your CREDIT CARD and HOME ADDRESS? Why not also include that amazingly funny nick you thought of that you also use in all your "lets blow up the government" posts and make their job extra easy?
This stuff should really be obvious, if you use an anonymous message service, don't include personal identifiers. The general advice is to avoid any mention of GENDER, TIMEZONE, use of slang, catchphrases etc etc. And you think it is a good idea to include your fucking HOME ADDRESS and credit card details.
Tor has one use, to hide your IP, and you just gave them your address instead. If you don't get the stupidity of your idea, you really just shouldn't bother with TOR, you are just going to screw up anyway.
You are not alone in this, the other responder below also just doesn't get it. What does your IP have to do with your credit card? Both are registered to the same person?
Security, it is a LOT harder then people think.
Re: (Score:2)
Thats the thing; if you are using an anonymising service like TOR to use a de-anonymising service like a credit card something doesn't add up and you should be flagged as suspicious! It only makes sense to wonder wtf is going on with this person.
Re: (Score:2)
It's more of a convenience thing, which will result in lost sales. I use VPN almost all the time, and if a site doesn't work with it then it has to be pretty special to make me disconnect just to use it.
It's one more barrier to making a sale, along with no displaying postage prices before registering and nonsense like that.
Re: (Score:2)
I'm sorry, I have to pick you up on this.
I use Tor for shopping, banking whatever. The reasons I do this are many and varied, but I don't see why the retailer needs to know my IP address and therefore current location for me to order something. Sure, they know where to send it, and they know where I live, but they have no business knowing that I'm at the dog track, or visiting my mistress or goofing off at work, or out of town for a few days on vacation or anything else.
And so, yes, there are very good reas
No, I just don't care about anonymity in this case (Score:2)
My transaction is between me and the retailer, who will know my name and address. I don't care if that person or company knows it. I do care that HTTPS is probably easier to crack than HTTP plus multiple onion encryptions.
I don't have any "let's blow up the government" posts. And if they are monitoring the store, my activities are legal so I'm not worried. So your straw man argument holds no water.
I would, however, prefer to keep it as quiet as possible, and TOR allows me to at least attempt that. Once
Re: (Score:2)
You really didn't think this one through, did you...
What do credit card and shipping information have to do with your IP address?
Perhaps you do other, legitimate things with your IP address that you'd like to keep dissociated from that very information.
Re: (Score:2)
". But it also raises the question of whether targeting anonymity services to hunt out fraudsters could have chilling effects for harmless Tor users trying to protect their privacy online—particularly this year in light of the NSA-spying scandal."
Seriously?
Why would you ever need to "protect your privacy" via Tor etc, from an ONLINE SHOPPING SITE that you are GIVING YOUR CREDIT CARD AND SHIPPING INFORMATION TO?
I mean, I'm as much anti NSA crap as the next guy. but come on. That said, cool tech. It would make sense that retailers would do this. I see this is a good thing, not a reason to slam the lizards running our government.
Today it's the credit card transactions, then it's the cash transactions, then it's the bitcoin transactions. It's a step against privacy regardless.
Re: (Score:3)
I travel for work. There's precisely *no* reason why an online retailer should expect to have the right to know the locations of my clients. They can know my home address whither things should be delivered, but their need to know anything else about location ends right there.
vpn use triggers the 'cancel the order' logic (Score:4, Informative)
I was trying to buy something from an online merchant. I happened to have been using my vpn at the time but I paid using my paypal account and the merchant accepted my order.
an hour later they canceled it. gave no reason. I emailed them and they asked 'are you on vacation?'. no. they still canceled it.
this has happened more than once.
its annoying as hell. the world is slowly becoming vpn-unfriendly.
Re: (Score:2, Informative)
This is extremely old. Pretty much every CC processor does a location lookup on the IP. If it's not within a certain distance of the card address, it brings the risk number up. Too high, and they deny it. Your fault really for using VPN anyways when it's shipping to your home with your name attached. Zero anonymity there genius.
Re: (Score:2)
What about purely online services? I haven't encountered this yet, and I'm sort of surprised. I'm using a public wifi outside of my home country, and that triggers me using my private VPN times two. I have a VPS I mess around with, set up VPN on it. I've used it to access things like Netflix, which isn't available in my current country, get the 'correct' steam pricing, etc... If anybody really wanted to they could track me down from that IP address, but it'd probably require a warrant.
But my VPS isn't
Re: (Score:2)
Re: (Score:2, Informative)
I've experienced exactly this. I'll even name names. NewEgg not only canceled my order but locked out my account when I placed an order while using an overseas VPN.
I've also experienced the exact opposite of this. A few years ago when I was overseas in a third world country, the only way I was able to log in to my bank's webpage without instantly having my account locked was to use a U.S. based VPN.
Re: (Score:3)
vpn use triggers the 'cancel the order' logic
That's one of the main reasons I use a VPN. Since I have to give the merchant my shipping address and name I don't want them selling that info to the profilers like BlueKai or DoubleClick in conjunction with my real IP address because any traffic that leaks out via my real IP address would then be easy to cross-reference.
If a merchant is going to require that I give up the privacy of my internet usage just to do business with them, I will just spend my money elsewhere.
What's the problem? (Score:4, Interesting)
If you want to stay anonymous, load a pre-paid debit card and jump through the anti fraud hoops. Nobody said staying off the grid was going to be easy.
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
If you use Tor and then buy something with a personal credit card or debit card, you're doing it wrong.
Bullshit.
Nowadays every little fucking detail that a merchant can glean from you goes into multiple databases that you have zero control over. It is preposterous that I should have to risk giving up my name and address to every website I've browsed from the same IP address that I placed an order from.
Until merchants are legally prevented from sharing your personal information with whoever the fuck they want, it is morally reprehensible for them to expect customers to not take measures to protect their priv
Re: (Score:2)
No it's not. It's not ever the retailer's job to verify credit cards are valid. That's the job of the credit card company and surprise surprise that already happens. Not only does shopping online present me with a 2 factor authentication option (mobile SMS or in my bank's case an RSA token), but any out of the normal purchases still get flagged for followup, like the other day I entirely legitimately ordered a computer via paypal from Israel. Got a call from the bank about 15min later asking if the transact
Re: (Score:2)
Err Geofencing, not geocaching.
Re:What's the problem? (Score:5, Insightful)
You are so wrong it's not even funny. The retailer is almost always held responsible for any fraud. If a charge is determined to be fraudulent the retailer is out the money plus a chargeback fee and on top of that, the event is kept track of so if the overall total gets too high, the merchant account gets terminated.
Re: (Score:2)
Plus almost certainly the inventory sold...
Re: (Score:2)
No the only thing funny is that you think that a) the laws are the same everywhere and b) that I didn't fact check before posting.
The retailer is NOT liable in a chip and pin transaction or in a CNP transaction that uses the 3-D Secure protocol online.
And think logically for a second, why should a retailer be liable for use of a credit card which has been checked by the issuer using 2-factor authentication?
Re: (Score:2)
What does logic have to do with it? I work for a company that uses 3d secure and it has changed nothing about how the bank treats us when a chargeback happens.
Is that really going to work? (Score:1)
Um.. last time I checked, exit nodes are not a stable thing. They come and go. Kind of hard to block/detect a moving target, I'd think.
Re: (Score:2)
Thankfully tor exports a handy list of exit nodes [blutmagie.de]. This list is also kept in other places and it came in handy a few months back when someone used tor to flood my ssh server with a massive amount of ssh logins. You can even find some scripts that parse the list and turn it into an iptables ruleset.
WTB 99x potions, deliver behind starbucks (Score:1)
Go to starbucks, use tor, ask to deliver behind starbucks. Seems legit.
Only works for basement dwellers (Score:2)
Good (Score:3)
I can't seem to find anything in the article that says they're automatically blocking all orders from Tor users. It's just one tool. If they're using it like most spam filters, then it's like saying they're detecting emails with the word "Viagra." It doesn't mean it's being blocked, it means it's a red flag that should signal further scrutiny, and presumably if there are many redflags than it would warrant more detailed scrutiny by a human. Frankly, having an online retailer assess the risk of each order to determine if further scrutiny is warranted seems like a GOOD thing, but in the summary's myopia all it's seeing is the spin that this is anti-Tor and therefore evil.
All that said, why would anybody think that using Tor when placing an online order with a credit card would protect them from NSA spying? The retailer obviously knows who are because you're giving them all your credit card info, and if you think it's to protect you from the NSA knowing what you're ordering, all you're doing is redflagging yourself by going through Tor, and I'm sure they're more likely to get your purchase info from Visa or your bank than from off the wire.
You want my money, right? (Score:4, Insightful)
Oh, you don't? Well, ok, nice not doing business with you.
NEXT!
Re: (Score:2)
Oh, you don't? Well, ok, nice not doing business with you.
Let me see if I understand this:
Rather than bury your strangest, most suspect, purchases beneath a billion routine online sales, you want to give them a blood red flag by routing them through TOR? Remember that your suppliers will be demanding a valid shipping address, etc.
Re: (Score:2)
Probably not, but that's a sale someone else will make.
Re: (Score:2)
I think you misunderstand, Opportunist is right, while the Tor market is tiny, give the recent Snowden-gate revelations, combined with the Pirate Browser bundle, Tor use has been skyrocketing. If they want to be so dumbtarded and turn them away, more power to them when they hit chapter 11.
Skyrocketed? You mean like doubled or tripled, from 3 users to 6 or 9?
Re: (Score:2)
Nah, I only audit companies for PCI DSS...
IPv6 tunnels (Score:4, Informative)
I've been getting up to speed on IPv6 and have a tunnel from he.net [he.net] (tunnelbroker.net [tunnelbroker.net]). It seems to pop out somewhere on the other side of the Atlantic, judging from geographically targeted advertising. Several big sites are already IPv6 enabled (Firefox plugin SixOrNot [entropy.me.uk]), e.g. Facebook, Google, Youtube.
Geo-fencing, nothing more. (Score:2)
Ever ask yourself why the merchant would spend money on this? I mean there's no risk to the merchant. If stuff is bought with a stolen credit card then the credit card company or the bank bears the risk. Not to mention the amount of security already in the credit card system. For instance my bank requires 2-factor authentication for any online order over $50. The Verified by VISA window pops up and asks for my RSA token, or optionally an number that gets SMS'd to my mobile if I don't have the token on me. O
Re: (Score:3)
"If stuff is bought with a stolen credit card then the credit card company or the bank bears the risk."
I highly doubt that; the thief could have a friend set up an online merchant, make $2000 purchases of virtual goods and split the profit.
The reason merchants are so careful is that the merchants will have to eat the loss in case of a fraudulent transaction.
Re: (Score:2)
Hmm you're half right. Turns out in the USA merchants are not protected. Where I live the merchant is protected if the transaction is Chip & PIN. For online purchases they are covered if they use 3-D Secure such as Verified by VISA.
Re: (Score:2)
Ever ask yourself why the merchant would spend money on this? I mean there's no risk to the merchant. If stuff is bought with a stolen credit card then the credit card company or the bank bears the risk.
No, it's the merchant who bears all the risk. If someone disputes a charge, the merchant's acquiring bank writes a friendly letter asking for proof of the card-holder's authorization, eg a signed receipt. If you can't offer evidence that it was authorized, then you get a chargeback (ie they deduct the purchase amount from your account) and you are out of the value of whatever you mailed out to the customer.
When we sold stuff online, obviously we don't get physical signatures, but normally we could convince
Re: (Score:2)
In card not present scenarios the authorisation is given by VISA / Mastercard themselves via the issuing bank (i.e. my RSA token / SMS 2-factor check)
By the way I never said the bank "voluntarily" eats the loss. :-)
You're half right though. Turns out the rules vary by country. Where I live the merchant is covered providing the transaction is Chip & PIN for card present payments, and an additional authentication scheme (i.e. Verified by VISA) in a Card-Not-Present transaction.
Re: (Score:2)
No - not true. The merchant bears most of the risk. It's entirely wrong, and I'm amazed it's even legal, but that's how it is.
If you set up an online shop, you'll find that you are asked to take on the risk of fraud, yet you don't get the card number or card address from the purchaser. That means you have no reasonable way to verify if the purchaser is fraudulent - even if you had a list of all the stolen cards or whatever, you still couldn't make that judgement. Instead, the card company does that fraud ch
It isn't so black & white (Score:2)
"Fraud" is just a boot wedging the door open (Score:2)
"Fraud protection" is just the opening pretext for this kind of service. People hare off debating retailer rights and all that, but what we are looking at here is a new commercial service which will offer a handy blacklist to any government, employer, store or random schmuck which will be used to remove internet privileges from anyone who doesn't want a giant "HERE HE IS" Google Earth arrow floating over his location. Another deanonymizer. Another goddamned bar in our prison cage. No one gets to be anonymou
Re: (Score:2)
Not really, they use the shipping address to detect foreign purchases. (and more and more online retailers are detecting and blocking the use of re-shippers)