View Full Version : Protecting credit cards and personal details when buying fishing gear etc on the net



freddofrog
24-07-2007, 01:36 PM
Hi all

This is a bit long-winded but for those of you who don't know how buying gear with credit cards really works, you should find it worthwhile!

REGISTRATION FORMS
The easy bit first. Went to register on a web site the other day and stopped when I realised the online form I was filling out wasn't secure. For me the idea of putting personal details, name, address, phone numbers etc over the internet unprotected is not very smart. The easiest way to tell if a page/connection is secure is the web address should start with https (not just http) and there should be a little padlock in the bottom right of the screen. If I still want access to the site I just use a fake name and address and all is good. (And no you will not find my name in whitepages.com.au)

CREDIT CARDS
When filling out the payment form to buy a TLD25 for example, first put in a fake name, address and credit card number. I usually select visa and use 4564 4444 4444 4444 and then click submit and see what happens. (Obviously check the https and padlock is visible first!) If it says invalid credit card then there is a half decent chance the transaction is actually being processed directly by a reputable bank/payment gateway and hence reasonably secure. Your credit card details are not being stored in their entirety and all is good. However, if it accepts it then you know it's getting dodgy - just how dodgy you can't tell.

What is happening is your credit card details are now being stored in some database somewhere, on some server somewhere, in some ISP somewhere. The idea being someone from the company will later manually retrieve your credit card details and complete the transaction with the bank. However, how secure the database/server/ISP that is now holding your credit card details is you will have absolutely no idea and who (and of what character) has access to your credit card details you will also have no idea. (The https/padlock gives no indication of security at this end of the process) Maybe your details are fully encrypted and only the accounts dept have access to it, or maybe it's not that secure and anyone including the ISP's shifty 18yr old techo on $12.50/hr doing the graveyard shift can just as easily look at it…hmmm

Obviously after they do the check they'll know it's someone just *iss #arting about and you won't get your goods but you will have a better understanding of the risks involved should you decide to continue with the purchase for real. If it's dodgy but I still want to buy from the company I will call them and give my details over the phone. I feel the risk of someone having tapped the line or them misusing my details is less than having it stored indefinitely somewhere on the internet where anyone with half a brain can hack into it.

Note that businesses that sell recurring goods and services (think magazine subscriptions, mobile phone bills etc) have a legitimate reason to store your credit card details. Businesses dealing in one-off transactions such as fishing stores generally do not.

Why 4546 4444 4444 4444? Well you can use any number you want but some payment forms will do some basic error checking but not do the full bank/payment gateway thing. For example, there are only certain sequences of numbers all Visa cards start with, 4564 is one of them. So the idea is to get past the basic error checking to try and work out if a legitimate payment gateway/bank is being used.

And don't be fooled into thinking it's a reputable big business so they must be doing it right, WRONG!!! The last time I checked (which was some time ago I admit) a world renowned prestigious newspaper based in New York had a dodgy payment gateway. Closer to home, the online version of a very popular Australian consumer magazine was also dodgy. (I found it quite ironic that a consumer magazine advocating consumer rights and testing and publishing pros and cons on consumer products should not have a proper payment gateway to protect their consumers!) I hope they have changed since I last saw them. These are only two examples, there are heaps and heaps of companies doing the wrong thing and you'll always come across them when shopping online, for fishing gear or anything else, you just gotta know how to identify them.

And it's not necessarily the company's fault, or the web developer for that matter. The company is not e-commerce savvy so they trust the web developer who in turn may be working to a price set by the company and goes the cheap and easy option, it can be a vicious circle.

A word of caution, if you try this for downloadable subscription services, e.g. the consumer magazine I mentioned above, it will approve your fake credit card number and then allow you to download the product/report. (because you got past their basic error checking and they have yet to properly verify your credit card details) You then have access to a report which you have not paid for and this may land you in hot water should they decide to trace you down. The terms stealing and fraud come to mind.

If this post helps at least someone then all my years in web dev might not have been in vain…who am I kidding, bean bags, chill out areas and getting plastered every Fri arvo courtesy of the company was a blast!

Btw, I will probably post this up on some of the other forums I frequent so if you see it a few times, apologies. And ditto on the length.

cya
ff

Noelm
24-07-2007, 01:46 PM
some of what you say is true, but a dodgy number does not make a good test, try for instance when you want to make a legitimate transaction, just put in 1 wrong number (apart from the first 4 you mention) it will flick you off as well, it must match your details exactly or "no go" and most ISPs will not be any part of dodgy dealings, it is too easy to trace, and believe me if it is important they WILL find you regardless of how clever you think you might be

freddofrog
24-07-2007, 03:49 PM
I see your point Noelm and it's good to see you already have your own system to test payment gateways. It also gives another option for people who don't yet use one.

Doing it your way will for a legit payment gateway ensure you get bounced and for dodgy ones, you will definitely get past any basic error checking. The down side is for the dodgy ones which you are trying to avoid, you would have just sent all your personal details, except one incorrect digit, onward and it's too late to call them back. So your name, address, name as it appears on the credit card, expiry date, 3/4 digit confirmation number and credit card number (save one incorrect digit) has all been sent.

You now also face the risk of it being interpreted as a genuine attempt at fraud, where there is a real person and address given, just the credit card number is "slightly" different and this may not be picked up in time before the goods are dispatched.

I prefer to be more obvious in my intentions e.g. 4654 4444 4444 4444 or address: 69 Xxxxx St, XXXXX, 6666, WA. This way if it does get past the error checking, there is no way it can be mistaken for a real attempt to purchase something.

But each to their own and the more options we can put out there and debate, the better off everyone will be.

And I should probably clarify "dodgy". Last time I checked with dept fair trading (and I did check), it is not illegal to have a "dodgy" payment gateway or to store credit card details. Hence there is no reason why an ISP could/should stop hosting such a site. I've only labelled it dodgy as I personally do not agree with companies holding my credit card details, especially after the transaction is complete, but that is just me.

Ausfish
24-07-2007, 04:40 PM
> Hi all
>
> This is a bit long-winded but for those of you who don't know how buying gear with credit cards really works, you should find it worthwhile!
>
> REGISTRATION FORMS
> The easy bit first. Went to register on a web site the other day and stopped when I realised the online form I was filling out wasn't secure. For me the idea of putting personal details, name, address, phone numbers etc over the internet unprotected is not very smart. The easiest way to tell if a page/connection is secure is the web address should start with https (not just http) and there should be a little padlock in the bottom right of the screen. If I still want access to the site I just use a fake name and address and all is good. (And no you will not find my name in whitepages.com.au)


That would depend on the type of form. Some forms you can fill out your name and address, etc and then you are sent to a secure form to enter credit card details.




> CREDIT CARDS
> When filling out the payment form to buy a TLD25 for example, first put in a fake name, address and credit card number. I usually select visa and use 4564 4444 4444 4444 and then click submit and see what happens. (Obviously check the https and padlock is visible first!) If it says invalid credit card then there is a half decent chance the transaction is actually being processed directly by a reputable bank/payment gateway and hence reasonably secure. Your credit card details are not being stored in their entirety and all is good. However, if it accepts it then you know it's getting dodgy - just how dodgy you can't tell.


Not particularly true, it can simply be an algorithm in the script that checks the card is a legit card. It may not even be processed by a card company when you enter the details.



> What is happening is your credit card details are now being stored in some database somewhere, on some server somewhere, in some ISP somewhere. The idea being someone from the company will later manually retrieve your credit card details and complete the transaction with the bank. However, how secure the database/server/ISP that is now holding your credit card details is you will have absolutely no idea and who (and of what character) has access to your credit card details you will also have no idea. (The https/padlock gives no indication of security at this end of the process) Maybe your details are fully encrypted and only the accounts dept have access to it, or maybe it's not that secure and anyone including the ISP's shifty 18yr old techo on $12.50/hr doing the graveyard shift can just as easily look at it…hmmm


Sounds a bit paranoid to me.
It is just the same as if you hand over your card to a shop assistant or a waiter at a restaurant. They can easily skim your details and sell them.



> Obviously after they do the check they'll know it's someone just *iss #arting about and you won't get your goods but you will have a better understanding of the risks involved should you decide to continue with the purchase for real. If it's dodgy but I still want to buy from the company I will call them and give my details over the phone. I feel the risk of someone having tapped the line or them misusing my details is less than having it stored indefinitely somewhere on the internet where anyone with half a brain can hack into it.


No different to using it on the net. The person you talk to could always sell your details. Or someone who can read the bit of paper with your order on it.

I have used my credit card on the net for over 14 years now and it has never been compromised. I have had it copied twice over the years when I have used it in restaurants.

I have been in the web industry for over 14 years now and am surprised that this sort of information is still floating around about using credit cards on the net.


The bottom line is that credit cards are not secure, doesn't matter where you use them. The banks know this but they are still making millions out of them. It is just a numbers game to them, they lose a bit but make a lot.


Just use a bit of common sense whenever you use your credit card, on or off line.
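
Added example, not part of the thread or any poster's code: a sketch of the kind of script-side check the reply above describes, run over the three probe numbers quoted in the thread. The function names and the "starts with 4, 16 digits" Visa rule are assumptions for illustration; all three numbers fail the checksum, so an "invalid credit card" message can come from the form's own script with no bank or gateway involved.

```javascript
// Added illustration, not from the thread: the kind of local check a payment
// form's script can run before any bank or gateway is contacted.

// Luhn checksum: from the right, double every second digit, subtract 9 from
// any result above 9, and require the total to be a multiple of 10.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return sum % 10 === 0;
}

// Hypothetical form validator. Rules assumed here: digits only after removing
// spaces and hyphens, Visa numbers start with 4 and are 16 digits long.
function localCardCheck(input) {
  const digits = input.replace(/[\s-]/g, "");
  if (!/^\d+$/.test(digits)) return "rejected: not a number";
  if (digits[0] !== "4" || digits.length !== 16) {
    return "rejected: not Visa format";
  }
  if (!luhnValid(digits)) return "rejected: checksum";
  // Nothing above proves the account exists or has funds; only the
  // issuer, reached through a gateway, can authorise the charge.
  return "passed local checks, not yet authorised";
}

// The three probe numbers quoted in the thread.
const threadNumbers = [
  "4564 4444 4444 4444",
  "4546 4444 4444 4444",
  "4654 4444 4444 4444",
];

function checkThreadNumbers() {
  return threadNumbers.map((n) => [n, localCardCheck(n)]);
}

console.log(checkThreadNumbers());
```
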

Ausfish
24-07-2007, 04:52 PM
> I've only labelled it dodgy as I personally do not agree with companies holding my credit card details, especially after the transaction is complete, but that is just me.

They have to hold your details in case you dispute the charge on your credit card. They also have to hold on to the printouts for 7 years by law for the tax department.

reelchippy
24-07-2007, 06:58 PM
spot on steve use that thing on your head

Noelm
25-07-2007, 08:03 AM
been using credit cards online for ages without problem, but I was involved (as a victim) of a card "skimming" scam and got stung for a few grand that was never recovered, but some straight out purchases were reimbursed.

Longshot
26-07-2007, 12:03 AM
I now use a system that is almost foolproof when purchasing on line.

I now have a Visa Debit card that I only leave 1 or 2 dollars in just to keep it active. Whenever I finalise a purchase on line I then transfer from my normal savings account the exact sum that I have agreed to pay. This way no one can get your card and do a bogus transaction on it, after all there is nothing in the account to skim off.

One benefit of this also is that if you purchase overseas there is no huge fee by Visa on the currency conversion because you are using your own money.

This does not lessen the chances of being ripped off at a fake site but you will only lose what you have transferred to the Visa Debit account.

Oh and the account is fee free if you use a Credit Union.