Survey and article

Having thought it all through, I think the subject of online credit card fraud deserves the specially written article. But before jumping the water, I think it would be worth to at least try to gather as much information as possible. So I set up a small survey, which I ask anyone who reads this blog to participate in. There are only 12 questions and it doesn’t take more then 5 minutes to fill out.

Here’s the URL:<deprecated>

Please, do not fill it more then once.

Thank you.

outsourcing piracy

Monday morning

Yeah, the election day is tomorrow and nobody seem to care about anything anymore. Personally I’d like to see someone else winning then some Texan cheater, but hey, that’s not even up to me.

During this weekend talked to some other folk to see if I was right about the attitude I was getting from the Russian guys and was totally supported. Nice to see the business is not only about making money, but also about making a good impression.

Strange thing about other guys who bid on my project. Where it clearly states that the budget is fixed, they nevertheless put their own price on things. Fun part is they feel discriminated when I tell them I have a budget. Cheapskates.

Some teams are so anxious to get the job, once they get my e-mail, they started sending me their ideas on the web site WITHOUT EVEN HAVING THE SPECS! That’s funny, because if I don’t like their ideas I’ll turn to others and they don’t even want to have a chance to look at what I, as a client, may want. This activity looks like premature ejaculation of some sort. C’mon, guys, save it for a proper moment. You’d please much more then.

Continuing on a subject of carding. I have bookmarked the carders’ web site last year. Yesterday went to it – it’s still up and perfectly running. Either web hosters who keep the site on their servers couldn’t care less or there’s some major twist in people’s minds that I totally missed. I mean – no matter what they tell you about not paying by stolen cards you may as well be their next victim. Not sure if banks would go for this, but I have a plan. It sort of like hiring ex-hackers to harden security that they themselves had breached. Instead of paying high insurance premiums and reimbursements, why not secretly purchase all those stolen credit card numbers and silently alter the accounts affected. It would cost much cheaper then making up for it, at least from my prospective. It would also give banks the edge on alerting insecure vendors that they have security flaws. All in all it would benefit both consumers and banks. If any bank wants to implement such a security measure I’ll be happy to do the research for them.


Raising your concern

After some thought-sharing with friends, I’ve got some links to visit and some things to read. Results were petrifying, to say the least. It’s not like it’s the end of the world, but it does raise the concern of outsourcing in a whole.

The web forum I had a chance to visit (no url here for obvious reasons) is dedicated to carding. You don’t know what this is? Oh, that’s easy – carding is when you open your monthly statement honestly believing that you’ve paid off this credit card last month and then – mwa-ha-ha (aka evil laughter) you see that you have spent quite some money ordering stuff you had no idea about and that goods were shipped somewhere you also have no idea of. That’s it, you just have been carded. Meaning – your credit card’s number have been stolen by someone else and all the money used for ordering some goods that were shipped across the country.

But how is this possible? – you might want to ask. And here’s where the concern arises. Some credit card numbers are stolen by bad guys who invade large companies, steal large amounts of numbers. Banks usually are aware of this, take charge and change your number and pin almost immediately. This is bad for the banks, but simply an inconviniece for you.

What’s worse – is when numbers are stolen from small merchants. The following example is actually a real-world example that I have found on the above mentioned forum. No names were given, so unfortunately I cannot warn the owners of the card or other people who might be affected. The credit card information that was stolen included credit card numbers, CVV2 codes, billing addresses, phone numbers – pretty much all the information you need to make an order on an merchant web site. The interesting thing is – how it got stolen. It was not from a security breach (which would be understandable), however it was from the scripts that were developed by outsourcing vendor. Apparently someone didn’t review the code after it was submitted by programmers from Russia. The trick is that some vendors keep the credit card information in their databases (God knows why). So, when user pays for service or goods the credit card info gets submitted to the database. The programmer only had to make one additional PHP line that e-mails him same data that gets transmitted to the merchant’s credit card processor. This way the process of stealing credit cards gets automated…

Back from article mode. When I outsource things there are two requests that must be met. First – I must see the source code. Second – I myself will install all the scripts. This usually weeds out those, who wish to plant their “seeds of evil” in otherwise perfectly working scripts (and they must work properly, because otherwise the owner or clients would suspect the problem). Ofcourse it doesn’t totally guarantee the security, but it assures at least some additional level of protection for customers.

On the other hand – there’s no way that owner of the store can protect himself from the chargeback if someone makes a purchase with a stolen credit card. Unfortunately…