Grex > Coop11 > #186: Time to terminate "telnet-through"?
krj
|
|
Time to terminate "telnet-through"?
|
Jun 28 17:36 UTC 2000 |
In the June meeting minutes, eeyore wrote:
> Right now we are having about 30-40
> credit cards declined every month.
This is entirely speculative on my part, but:
1) This is possibly a majority of our credit card transactions.
2) My guess is that the companies may not like Grex having such
a high percentage of rejected credit cards. Even if the
card firms don't get upset with us, it's wasted work for the
treasurer.
3) My belief is that this is bad guys seeking to telnet into Grex
and then telnet out again to do harm to other systems.
I suggest that it may now be time to end "telnet-through,"
allowing users who telnet into Grex to telnet out again.
My thought is that this would reduce the incentive for people to
try to scam Grex with bad credit cards.
I do not suggest restricting telnet availability for connections
which originate on the local dial-ins.
But telnet-through has little real benefit -- if any -- for legitimate
users. Anyone who is telnetting to Grex, then telnetting elsewhere,
should just be able to go to their final destination directly.
|
| 48 responses total. |
krj
|
|
response 1 of 48:
|
Jun 28 17:40 UTC 2000 |
(What if it's not telnet that is the lure for the bad credit card
attempts? What if it's IRC? But my own observation from party is that
the floundering wannabe vandals are looking to telnet out to other
systems more than they are looking for IRC.)
|
jp2
|
|
response 2 of 48:
|
Jun 28 17:47 UTC 2000 |
This response has been erased.
|
jared
|
|
response 3 of 48:
|
Jun 28 17:50 UTC 2000 |
There are numerous systems that allow free access to telnet out,
but I'm not sure that you are wrong either, Ken.
I would be interested in a more detailed look into if it is the card owners
that are just over their limit, or why they are signing up for
a membership.
perhaps a survey when you pay via cc that says:
why are you becoming a member of grex:
a) support conferencing system
b) use internet connection (eggdrop, irc, telnet, ssh)
c) email access
etc..
|
aruba
|
|
response 4 of 48:
|
Jun 28 17:52 UTC 2000 |
I wonder how often members use this. I know of one who became a member just
so he could telnet to MSU and get his mail; it has worked well for him. Is
there a log which says how often members telnet out?
|
aruba
|
|
response 5 of 48:
|
Jun 28 17:54 UTC 2000 |
(I should add that the member in question lives in Ann Arbor and dials in.
Is it technically feasible to distinguish between dialers-in and
telnetters-in when deciding whether someone can telnet out?)
|
jmsaul
|
|
response 6 of 48:
|
Jun 28 18:41 UTC 2000 |
If you can block it at all, you can probably block it by port.
|
krj
|
|
response 7 of 48:
|
Jun 28 19:06 UTC 2000 |
I agree with Jamie in resp:2 :: rerouting your packets when the network
is wonky is a legitimate use for telnet-through. I forgot that I do this
with my for-pay ISP account when I can't go direct from MSU to Grex,
sometimes. I'm not sure this happens often enough to invalidate
my main point, but thanks for thinking of it.
I should stress here that my only agenda here is trying to get down Grex's
bad credit card charges. I'm not on a crusade to eliminate telnet-through.
|
kkell
|
|
response 8 of 48:
|
Jun 28 20:30 UTC 2000 |
Would it be possible to have a waiting period to be sure
about the credit cards, and not have telnet-through
allowed until the wait was up?
|
jmsaul
|
|
response 9 of 48:
|
Jun 28 20:31 UTC 2000 |
I think that would really annoy people. One of the points of paying via
credit card is that you get near-immediate gratification.
|
krj
|
|
response 10 of 48:
|
Jun 28 21:10 UTC 2000 |
I may have been unclear here. The minutes say the cards are being
declined. So the people who submit the declined cards are
not succeeding in becoming Grex members, not even for a little bit.
I'm trying to suggest that we stop offering something which people
with stolen credit cards might find worth trying to get. ???
|
flem
|
|
response 11 of 48:
|
Jun 28 23:13 UTC 2000 |
Even though we're getting about 30 declined transactions a month (less
this month, though; possibly a good sign), they don't come from 30
users. Usually one person will try two or three different card numbers
(sometimes as many as five or six). The system is set up so as not to
allow duplicate transactions within 15 minutes, so frequently the same
card will be declined twice in quick succession.
Also, it seems to me (relatively subjective viewpoint here) that
people who steal credit card numbers are often just looking to be
malicious in a difficult-to-trace way, rather than being interested in
buying things with the stolen cards.
So, I don't think changing the outgoing telnet policy, or probably any
other policy for that matter, will change the frequency of declined cc
transactions much.
|
jmsaul
|
|
response 12 of 48:
|
Jun 29 00:55 UTC 2000 |
Are the declined transactions harming Grex in any way?
|
mwg
|
|
response 13 of 48:
|
Jun 29 01:24 UTC 2000 |
Changing the telnet policy would have one irritating side-effect for me.
I occasionally run into situations where I cannot access my primary shell
account from where I am at the moment, and I'll use Grex as a pass-through
to get around the broken link.
This also works the other way, I've telnetted in from Msen when Grex was
not directly reachable. If I can't reach either one, then I can't go
anywhere because the only time that happens is when the outfit I am
connecting through loses its link to the net.
|
flem
|
|
response 14 of 48:
|
Jun 29 02:03 UTC 2000 |
re resp:12 - No, not really.
|
gelinas
|
|
response 15 of 48:
|
Jun 29 02:31 UTC 2000 |
So the response to the speculations in #0,
1) This is possibly a majority of our credit card transactions.
2) My guess is that the companies may not like Grex having such
a high percentage of rejected credit cards. Even if the
card firms don't get upset with us, it's wasted work for the
treasurer.
especially the second, is "It's not a problem"? So there is no reason
to further consider the proposed solution?
|
jmsaul
|
|
response 16 of 48:
|
Jun 29 03:48 UTC 2000 |
Sounds that way. Don't see why you should inconvenience anyone, then.
|
eeyore
|
|
response 17 of 48:
|
Jun 29 04:09 UTC 2000 |
Sorry....I didn't think to mention that it's mostly one person trying several
cards, instead of a lot of people trying one card each.
Greg will have to give a better answer to this than I, but I believe that we
do not get charged for somebody's card being declined, and that it doesn't
actually require Greg to do anything....we just get a log of it. (that's
my impression anyway...I could be massively wrong....)
|
janc
|
|
response 18 of 48:
|
Jun 29 16:21 UTC 2000 |
Actually, I think lots of sites have high rates of rejected transactions like
this. I doubt if we are standing out.
|
other
|
|
response 19 of 48:
|
Jun 29 19:48 UTC 2000 |
that's about what i was thinking. i suspect that we would really stand out
if we had few or no rejected transactions.
|
i
|
|
response 20 of 48:
|
Jun 30 01:38 UTC 2000 |
My understanding is that card companies don't much care about automated/
computerized/costs-about-3-electrons-and-a-nanosecond rejections. The
human-handled, paperwork-intensive, etc. chargebacks are where they get
ticked off fast.
|
prp
|
|
response 21 of 48:
|
Jul 1 12:54 UTC 2000 |
The 40 rejections/month figure is not very meaningful by itself.
Assuming Grex has 20 accepted/month, all it would mean is that it
took people, on average, three tries to enter their name and
number correctly. This actually seems like a LOW failure rate.
|
jp2
|
|
response 22 of 48:
|
Jul 1 14:11 UTC 2000 |
This response has been erased.
|
remmers
|
|
response 23 of 48:
|
Jul 1 15:16 UTC 2000 |
I don't think the credit card info goes through Grex at all, so
we wouldn't have a chance to massage the data.
|
jp2
|
|
response 24 of 48:
|
Jul 1 17:38 UTC 2000 |
This response has been erased.
|