freddofrog
24-07-2007, 01:36 PM
Hi all
This is a bit long-winded but for those of you who don't know how buying gear with credit cards really works, you should find it worthwhile!
REGISTRATION FORMS
The easy bit first. Went to register on a web site the other day and stopped when I realised the online form I was filling out wasn't secure. For me the idea of putting personal details, name, address, phone numbers etc over the internet unprotected is not very smart. The easiest way to tell if a page/connection is secure is the web address should start with https (not just http) and there should be a little padlock in the bottom right of the screen. If I still want access to the site I just use a fake name and address and all is good. (And no you will not find my name in whitepages.com.au)
CREDIT CARDS
When filling out the payment form to buy a TLD25 for example, first put in a fake name, address and credit card number. I usually select visa and use 4564 4444 4444 4444 and then click submit and see what happens. (Obviously check the https and padlock is visible first!) If it says invalid credit card then there is a half decent chance the transaction is actually being processed directly by a reputable bank/payment gateway and hence reasonably secure. Your credit card details are not being stored in their entirety and all is good. However, if it accepts it then you know it's getting dodgy - just how dodgy you can't tell.
What is happening is your credit card details are now being stored in some database somewhere, on some server somewhere, in some ISP somewhere. The idea being someone from the company will later manually retrieve your credit card details and complete the transaction with the bank. However, how secure the database/server/ISP that is now holding your credit card details is you will have absolutely no idea and who (and of what character) has access to your credit card details you will also have no idea. (The https/padlock gives no indication of security at this end of the process.) Maybe your details are fully encrypted and only the accounts dept have access to it, or maybe it's not that secure and anyone including the ISP's shifty 18yr old techo on $12.50/hr doing the graveyard shift can just as easily look at it…hmmm
Obviously after they do the check they'll know it's someone just *iss #arting about and you won't get your goods but you will have a better understanding of the risks involved should you decide to continue with the purchase for real. If it's dodgy but I still want to buy from the company I will call them and give my details over the phone. I feel the risk of someone having tapped the line or them misusing my details is less than having it stored indefinitely somewhere on the internet where anyone with half a brain can hack into it.
Note that businesses that sell recurring goods and services (think magazine subscriptions, mobile phone bills etc) have a legitimate reason to store your credit card details. Businesses dealing in one-off transactions such as fishing stores generally do not.
Why 4546 4444 4444 4444? Well you can use any number you want but some payment forms will do some basic error checking but not do the full bank/payment gateway thing. For example, there are only a certain sequence of numbers all visa cards start with, 4564 is one of them. So the idea is to get past the basic error checking to try and work out if a legitimate payment gateway/bank is being used.
And don't be fooled into thinking it's a reputable big business so they must be doing it right, WRONG!!! The last time I checked (which was some time ago I admit) a world renowned prestigious newspaper based in New York had a dodgy payment gateway. Closer to home, the online version of a very popular Australian consumer magazine was also dodgy. (I found it quite ironic that a consumer magazine advocating consumer rights and testing and publishing pros and cons on consumer products should not have a proper payment gateway to protect their consumers!) I hope they have changed since I last saw them. These are only two examples, there are heaps and heaps of companies doing the wrong thing and you'll always come across them when shopping online, for fishing gear or anything else, you just gotta know how to identify them.
And it's not necessarily the company's fault, or the web developer for that matter. The company is not e-commerce savvy so they trust the web developer who in turn may be working to a price set by the company and goes the cheap and easy option, it can be a vicious circle.
A word of caution, if you try this for downloadable subscription services, e.g. the consumer magazine I mentioned above, it will approve your fake credit card number and then allow you to download the product/report. (because you got past their basic error checking and they have yet to properly verify your credit card details) You then have access to a report which you have not paid for and this may land you in hot water should they decide to trace you down. The terms stealing and fraud come to mind.
If this post helps at least someone then all my years in web dev might not have been in vain…who am I kidding, bean bags, chill out areas and getting plastered every Fri arvo courtesy of the company was a blast!
Btw, I will probably post this up on some of the other forums I frequent so if you see it a few times, apologies. And ditto on the length.
cya
ff
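The gap between a form's basic error checking and real authorisation, seen from the merchant's side, as an added example that is not part of the original post: a checkout that fulfils an order only after the gateway approves it and keeps only the last four digits. `StubGateway`, `checkout` and the "16 digits, leading 4" rule are assumptions made for illustration, and the two card numbers are published test values, not real accounts.

```python
import re

def luhn_ok(pan: str) -> bool:
    """Luhn checksum: catches typos, proves nothing about a real account."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def normalise(pan: str) -> str:
    return re.sub(r"[ -]", "", pan)

def format_check(pan: str) -> bool:
    """Basic error checking only (assumed rule: 16 digits, leading 4, Luhn)."""
    pan = normalise(pan)
    return bool(re.fullmatch(r"4\d{15}", pan)) and luhn_ok(pan)

class StubGateway:
    """Hypothetical stand-in for the bank/payment gateway's authorisation call."""
    def __init__(self, issued):
        self.issued = {normalise(p) for p in issued}

    def authorise(self, pan: str, amount_cents: int) -> bool:
        return pan in self.issued

def checkout(pan: str, amount_cents: int, gateway, orders: list) -> str:
    pan = normalise(pan)
    if not format_check(pan):
        return "rejected: invalid card number"
    # The step the post says some shops skip: ask the gateway before fulfilling.
    if not gateway.authorise(pan, amount_cents):
        return "rejected: declined by gateway"
    # Keep only what a one-off sale needs; the full number is never stored.
    orders.append({"last4": pan[-4:], "amount_cents": amount_cents, "status": "paid"})
    return "approved"

# Constructed sample data: both values are widely published gateway test numbers.
WELL_FORMED_ONLY = "4111 1111 1111 1111"
ISSUED = "4242 4242 4242 4242"

if __name__ == "__main__":
    orders = []
    gw = StubGateway([ISSUED])
    print(checkout(WELL_FORMED_ONLY, 4999, gw, orders))
    print(checkout(ISSUED, 4999, gw, orders))
    print(orders)
```

A number that is merely well-formed clears `format_check` but is still declined, so nothing is released and nothing is stored for it.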