| Grex > Coop11 > #186: Time to terminate "telnet-through"? |
| response 14 of 48: | 
Jun 29 02:03 UTC 2000 |
re resp:12 - No, not really.
| response 15 of 48: |
Jun 29 02:31 UTC 2000 |
So the response to the speculations in #0,
1) This is possibly a majority of our credit card transactions.
2) My guess is that the companies may not like Grex having such
a high percentage of rejected credit cards. Even if the
card firms don't get upset with us, it's wasted work for the
treasurer.
especially the second, is "It's not a problem"? So there is no reason
to further consider the proposed solution?
| response 16 of 48: |
Jun 29 03:48 UTC 2000 |
Sounds that way. DOn';t see why you should inconvenience anyone, then.
| response 17 of 48: |
Jun 29 04:09 UTC 2000 |
Sorry....I didn't think to mention that it's mostly one person trying several cards, instead of a lot of people trying one card each. Greg will have to give a better answer to this than I, but I believe that we do not get charged for somebody's card being declined, and that it doesn't actually require Greg to do anything....we just get a log of it. (that's my impression anyway...I could be massively wrong....)
| response 18 of 48: |
Jun 29 16:21 UTC 2000 |
Actually, I think lots of sites have high rates of rejected transactions like this. I doubt if we are standing out.
| response 19 of 48: |
Jun 29 19:48 UTC 2000 |
that's about what i was thinking. i suspect that we would really stand out if we had few or no rejected transactions.
| response 20 of 48: |
Jun 30 01:38 UTC 2000 |
My understanding is that card companies don't much care about automated/ computerized/costs-about-3-electrons-and-a-nanosecond rejections. The human-handled, paperwork-intensive, etc. chargebacks are where they get ticked off fast.
| response 21 of 48: |
Jul 1 12:54 UTC 2000 |
The 40 rejections/month figure is not very meaningful by itself. Assuming Grex has 20 accepted/month, all it would mean it that it took people, on average, three tries to enter their name and number correctly. This actually seems like a LOW failure rate.
| response 22 of 48: |
Jul 1 14:11 UTC 2000 |
This response has been erased.
| response 23 of 48: |
Jul 1 15:16 UTC 2000 |
I don't think the credit card info goes through Grex at all, so we wouldn't have a chance to massage the data.
| response 24 of 48: |
Jul 1 17:38 UTC 2000 |
This response has been erased.
| response 25 of 48: |
Jul 1 18:58 UTC 2000 |
Now *there's* a fundraising idea...
| response 26 of 48: |
Jul 2 22:34 UTC 2000 |
The fact that the credit card info never touches Grex itself means that we're not responsible for the security of the server used for the credit card transactions. Running our own secure server would probably involve not only a lot of time and effort, but a lot of legal liability.
| response 27 of 48: |
Jul 2 23:06 UTC 2000 |
This response has been erased.
| response 28 of 48: |
Jul 3 00:09 UTC 2000 |
Armatures? You must be thinking of either electric motors or some sort of 3d art form.
| response 29 of 48: |
Jul 3 00:20 UTC 2000 |
Re #26: You're absolutely right on that one. Stay away.
| response 30 of 48: |
Jul 3 20:47 UTC 2000 |
Tardy response: I too telnet-through, frequently. IN fact, on this last trip I took I was using Grex to telnet through to UM every day.
| response 31 of 48: |
Sep 27 03:40 UTC 2000 |
Since Grex seems to have gotten raped for a couple hundred dollars on illicit credit card authorizations (see August 2000 financial report) I'm kicking this item again. Do we now need to consider choosing between offering credit cards and offering telnet-through?
| response 32 of 48: |
Sep 27 04:01 UTC 2000 |
Well, disabling telnet-through on a trial basis MIGHT let us test the hypothesis that the invalid charges are motivated by that access. Of course, the subsequent disappearance of invalid charges wouldn't tell us much; only the continuation of the charges would disprove the hypothesis.
| response 33 of 48: |
Sep 27 04:08 UTC 2000 |
People trying lots of invalid credit card numbers is likely to be a continuing problem, and I can't imagine that that's any different for any other "e-commerce" web site. It may be that other sites are doing a lot more business, and may consider $300-$500 to be far more of a drop in the bucket than Grex can, but with that presumably comes a higher profile and more valuable services, which would presumably make the amount of fraud go up. It sounds like prehaps we need to find a credit card processing company that isn't going to charge us huge amounts of money for something that's pretty much a fact of doing business on the Net.
| response 34 of 48: |
Sep 27 06:03 UTC 2000 |
Can someone please concisely explain the mechanics of how grex gets charged for some action that does not result in a valid transaction? Or direct me to where this has already been explained?
| response 35 of 48: |
Sep 27 09:31 UTC 2000 |
The vandals who try to do "telnet-thru" are I think dumb enough they wouldn't necessarily notice or care that we have a policy against it. After all, they can just crack the system & be r00t, right?
| response 36 of 48: |
Sep 27 16:14 UTC 2000 |
I'll see if I can't attempt #34.
There are two people who charge us for credit card services: Charge Solutions
and CardService. (The similarity of these names confuses the hell out of me,
too.)
CardService is the bank with whom we have a merchant account. They
perform the actual authentication and charge the credit cards. That is, they
somehow get the credit card number, expiration, name, address, etc., and
decide whether to accept or decline the transaction.
Charge Solutions provides the web portion. They own the secure server
where you enter your credit card number, exp, name, address, etc.
CardService charges us as follows. (This is from memory, so I may
be forgetting something minor.) For every authorization, they charge
us $0.35, whether it results in a charge or not. If the authorization
succeeds, they charge the credit card the specified amount. They
deposit approximately 97% of that amount directly in our bank account,
and keep the rest. At the end of the month, they remove the
accumulated $0.35 fees from our bank account directly.
Charge Solutions charges us $0.50 (currently) every time they send a
card number to CardService for authorization. The total amount is
removed directly from our bank account at the end of the month.
Examples (slightly simplified):
A. On September 15, janc goes to the web page and purchases a 1-year
membership for $60. He enters a real credit card number, with
correct name, address, etc., and presses the final "Purchase" button,
which is on a web page hosted by Charge Solutions. Immediately,
their software takes that card number etc., and sends it to
CardService for authorization. CardService says yes, we'll
accept it, but does not charge the card yet. Charge Solutions
then sends me an email informing me that a successful authorization
has been done. I get the email, go to another web page on the
Charge Solutions server, where I can view the details of the
transaction (such as the card number) that they didn't tell me
over email. I write the details down for my records, and tell
Charge Solutions to go ahead and do the transaction. Charge
Solutions then tells CardService to go ahead and do the
transaction. At this time, (still on September 15 (at least in
theory)) CardService charges the credit card $60, deposits $58.20
in our bank account, and keeps $1.80.
Nothing more happens until the end of the month, at which time
Charge Solutions charges $0.50 to our bank account for the
authorization, and CardService charges $0.35 to our bank account.
Final result:
Us: +57.35,
CardService: +2.15,
Charge Solutions +0.50
This is the way it's supposed to work, and everybody's happy.
B. On September 15, J. Random Cracker goes to the web page and
attempts to purchase a one month membership for $6. He enters
a credit card number generated by a program he downloaded
somewhere, a name that resembles "hahdhadf sakfdjj", similar
address information, an email address that he stole from
some innocent bystander or just made up, such as (this is common)
fuck@fuck.com, and clicks the final purchase button. Immediately,
Charge Solutions takes that card number, etc., and sends it to
CardService for authorization. CardService declines it. Charge
Solutions tells Mr. Cracker that the card has been declined.
Meanwhile, I get an email informing me that an authorization was
declined, get pissed off, and save it out of habit, mainly.
Nothing more happens until the end of the month, at which time
Charge Solutions charges $0.50 to our bank account for the (failed)
authorization, and CardService charges $0.35 to our bank account.
Final result:
Us: -0.85
CardService: +0.35
Charge Solutions: +0.50
This is what is happening a lot.
C. Exactly the same as example B, except that by sheer luck, the
generated card number gets accepted. Charge Solutions tells
Mr. Cracker that the authorization was successful. I get an
email informing me that "hahdhadf sakfdjj", fuck@fuck.com, has
successfully authorized me to charge $6.00 to this card number.
Obviously, I do nothing of the kind, not being utterly stupid.
I save the email as before.
The bottom line is the same: we lose 85 cents, CardService gets
35 cents, and Charge Solutions gets 50 cents. But in this
scenario, J. Random Cracker now knows a valid credit card number
and expiration date that he can take elsewhere.
This is somewhat simplified (Funny things happen on the CardService
side especially, with regard to batches of transactions, and the 3% is
an approximation, that varies with certain factors.), but it's
basically what's going on.
Well, that was hardly concise, but hopefully it was helpful.
| response 37 of 48: |
Sep 27 16:46 UTC 2000 |
Whooo, a cheap test for validity of credit card numbers. With only $6 being charged if it is successful, Mr. Cracker has a high likelihood of being able to use the card for over a month without being noticed. Some people wouldn't even notice, much less quibble about an unremember $6 charge.
| response 38 of 48: |
Sep 27 20:01 UTC 2000 |
Thanks very much for #36! In a certain way, Charge Solutions has a "scam" going, in that their mindless handling of every transaction attempt without oversight allows the mechanism to be abused, at grex's expense. I'm not sure off hand what could be used to limit the crackers attempts (say, to one per day) - IP address, e-mail address, SSN, etc. But this automated nicety grex tried to establish has now already proven more costly than beneficial. Without a human involved in the process - and who on grex is going to volunteer for the job - I don't see any way for grex to prevent abuse and expense. I would be glad to be shown that I'm wrong about this, but I don't have a rosy outlook at the prospects.