# FraudRecord Public Dumps User / Customer Info



## drmike (Feb 12, 2015)

Folks who use FraudRecord should note, your details have been publicly outed / displayed ....

http://www.fraudrecord.com/emails/email1.php


----------



## drmike (Feb 12, 2015)

Some other exposure of public directory:

http://fraudrecord.com/emails/


----------



## XFS_Duke (Feb 12, 2015)

dammit, you were supposed to just contact harzem! lol

Awesome...


----------



## MannDude (Feb 12, 2015)

Well that's concerning.

I like FraudRecord in theory and on paper but @harzem needs to step it up and make it worthwhile. Instead of sending unwanted promotional emails he could instead charge a reasonable fee for the service assuming it gets hardened and implements features others have requested that'd make it better and more appealing. Well intentioned in the beginning I'm sure but this is a blow and people aren't a fan of the promotional emails either.

Luckily the leak is just email addresses, most of which appear to be public addresses that you could find in WhoIS information or by browsing a website. Hopefully nothing worse comes from this.


----------



## drmike (Feb 12, 2015)

XFS_Duke said:


> dammit, you were supposed to just contact harzem! lol
> 
> Awesome...


Plain text, open directory.... Been such....

If people in that database who are fans of FraudRecord didn't prior mention it or get it done and done, well... Not my feeling bad...   

People should be slightly concerned about company details and data correlations that can / make / perhaps will be made from accounts.  Probably a bunch of accounts that funnel to one email that in public are multiple unrelated companies... Ho hum.

How hard is an ACL to protect things like this?   Exposure happened,  people got sunburned.


----------



## TruvisT (Feb 12, 2015)

This explains all the spam.


----------



## harzem (Feb 12, 2015)

Thanks a lot! It was clearly a security issue on my end, all I can see is there was a problem uploading the blank index.html so the directory got exposed.

But instead of alerting me, which a professional would do, you posted it publicly, not only allowing multiple people to access the data, but also run the email script over and over again, causing multiple emails per person.

Really professional thing to do. 

The whole "our emails are exposed" could be prevented if I had checked the directory integrity, or if you contacted me first instead of posting publicly right away.

Exposure didn't "happen". You exposed it to everyone. 

Anyone who wants to contact me regarding this can send an email to [email protected] as I will not be participating in this discussion.


----------



## drmike (Feb 12, 2015)

Blank index.html isn't how you protect a directory.

Index.html isn't how you protect a directory either.

That was the problem and remains the problem.  Not best practices, not good practices.


----------



## DomainBop (Feb 12, 2015)

harzem said:


> But instead of alerting me, which a professional would do, you posted it publicly, not only allowing multiple people to access the data, but also run the email script over and over again, causing multiple emails per person.
> 
> Really professional thing to do.



You sent out another SPAM email blast tonight @harzem after promising that no more SPAM would be sent and you actually have the nerve to make comments about professionalism? What a motherfarking joke.

You need to try reading the FTC guidelines on SPAM and you need to try really hard to stop violating the US federal CAN-SPAM act buddy.

From December:



> As for the "emailing practices involved", this was a single e-mail which will be the last according to Harzem. If he does send another e-mail then there's something to discuss but so far Harzem hasn't given me any reason to distrust him.


Well hey, today's email blast would indicate that there is a definite reason to distrust @harzem and that his word doesn't mean crap.

Complaint just filed with the FTC about FraudRecord's violation of the CAN-SPAM law because I have zero tolerance for spamming farktards who think they're exempt from following the anti-spam laws..


----------



## XFS_Duke (Feb 12, 2015)

I got an email earlier about Phychz or something network dedicates. Although I like the service, I do not like the fact that I get emails which do not pertain to anything that I signed up with them for. I do not care about those dedicated servers. I care about using FraudRecord. Not being spammed by crap none of us care about. 

@harzem, how much do you need to run FraudRecord? I can donate some money if needed, but the emails need to stop.


----------



## serverian (Feb 12, 2015)

It's offline due to DDoS now. Hope you guys are happy now.


----------



## Aldryic C'boas (Feb 12, 2015)

And this is why I have always done in-house, and will continue to do so.


----------



## DomainBop (Feb 12, 2015)

serverian said:


> It's offline due to DDoS now. Hope you guys are happy now.


I'd be happy if SecuredDragon and WiredTree would actually act on SPAM reports instead of giving this spammer @harzem a free pass to continue spamming from the same IP addresses he spammed from and was reported for in December.

Plus, the fact that @harzem can't even follow basic security on his own website brings into question just how secure the rest of his site is and whether consumers' info that is stored in the FR database is truly secure or if the same lax security is followed with consumers' info. Combine the poor website security with the fact that FraudRecord isn't even a registered business and consumers' info (need I mention FR also allows credit card numbers and PayPal email address "hashes" to be submitted to its database and searched) is being transmitted to a database which is controlled by an individual who is in a different jurisdiction than the majority of consumers whose info he is being entrusted with and I'd say there is a definite reason for consumers to be concerned about the safety of their info (_anyone who feels like saying "but it's a hash" should see TRUSTe's comments on why hashes should be considered personal info, especially in the case of a service like FR where anyone who registers with FR can do a search of the database and info about the consumer is returned_)



> And this is why I have always done in-house, and will continue to do so.


In house manual checking, as well as Kount and/or Authorize.net's fraud suite here.  The difference between using services like  Kount/Authorize.net fraud suite which are registered companies and using a 1-man show unregistered business "fraud prevention" outfit like FraudRecord is like the difference between night and day in terms of properly safeguarding consumer's info.


----------



## drmike (Feb 12, 2015)

XFS_Duke said:


> I got an email earlier about Phychz or something network dedicates. Although I like the service, I do not like the fact that I get emails which do not pertain to anything that I signed up with them for. I do not care about those dedicated servers. I care about using FraudRecord. Not being spammed by crap none of us care about.
> 
> @harzem, how much do you need to run FraudRecord? I can donate some money if needed, but the emails need to stop.


This was already discussed in December I think it was... about the ad spamming - started with selling ad in the module area, then to outright email.

The emails were to stop and all that fun.  No more were to happen.... but here again, fundraising.

Lots of people would sponsor the project and it appears at least three do as per the front the site company call outs.

Inconsistent ideas vs. actions is what I see from FraudRecord.   Good intentions initially, but dev happened, site launched, providers used and misused and yeah monetization continues in ways people aren't happy with.  While stuff gets filed that isn't fraud in nature, where customers have no rights really, where the system is open but I can't see way to query it in truly open way (outside of that email API play), where transmission of customer data to such third party likely violates privacy regulations in EU and elsewhere.... Those are my points... and best practice fail points....  

Reminds me of Diebold voting machines years ago and their plaintext web disclosure of their source which lead to many revelations about those rigged systems, "unintentionally".


----------



## KuJoe (Feb 12, 2015)

serverian said:


> It's offline due to DDoS now. Hope you guys are happy now.


Where did you hear this? I see a few attacks today but nothing above 2Gbps which isn't enough to even cause any packet loss. Unless they are targeting their webserver directly, in which case I'm curious how the IP got leaked this time.


----------



## drmike (Feb 12, 2015)

https://fraudrecord.com/sign-up/

Why can't people sign up now / that pulled and displaying another public directory?  At least that one is empty...


----------



## Joshua-Epic (Feb 12, 2015)

Oh fantastic news! I don't mind people emailing me, but I do mind unwanted spam.


----------



## Munzy (Feb 12, 2015)

harzem said:


> [snip] all I can see is there was a problem uploading the blank index.html so the directory got exposed.
> 
> [snip] but also run the email script over and over again, causing multiple emails per person.
> 
> [snip]



This is honestly, scary......

Are you saying you had a php file that would just execute a whole email event by simply browsing to the link?


----------



## k0nsl (Feb 13, 2015)

> Thanks, by constantly visiting the email script, which I mistakenly left vulnerable temporarily, you have re-sent the emails all over again. Apologies for those who received multiple copies of the email due to re-runs. If you have any questions or criticism, you may direct them at [email protected] - Harzem Yalçınkaya FraudRecord


KEK  :lol:  :lol:


----------



## lbft (Feb 13, 2015)

harzem said:


> Really professional thing to do.
> 
> The whole "our emails are exposed" could be prevented if i had checked the directory integrity, or if you contacted me first instead of posting publicly right away.
> 
> Exposure didn't "happen". You exposed it to everyone.


If you were professional you'd recognise that:

- You hold private information and have a responsibility to adequately secure it, and trying to deflect the blame is unprofessional.
- The fact that information could leak by you forgetting to upload a blank index.html is strongly indicative of you being unprofessional in your approach to development (unless we suddenly took a trip back to 1998 when I wasn't looking).
- The fact that you could forget to upload a single file is strongly indicative of an unprofessional deployment process.
- *You* exposed it by failing to competently run the site, and if it wasn't made public your arse-covering attitude makes me think your users would never have any idea their information was ever exposed.
- It doesn't take a genius to see that the low end of the VPS industry is infested with skids, as evidenced by the scumbag apparently DDoSing you - and your behaviour of sticking your head in the sand when you got busted making such an incredibly fundamental error has convinced me that you're not up to the task of building a system that can survive in that sort of environment.


----------



## DomainBop (Feb 13, 2015)

Munzy said:


> This is honestly, scary......
> 
> Are you saying you had a php file that would just execute a whole email event by simply browsing to the link?


Reminds me of the GVH password reset incident last year when people received dozens of reset emails...



> The fact that information could leak by you forgetting to upload a blank index.html is strongly indicative of you being unprofessional in your approach to development


If the email program could be triggered by someone visiting the URL then an index.html file wouldn't be adequate protection.  The directory should have been password protected or IP access restricted.

The lack of an index.html file isn't the only problem with that website.  SSL Labs gives it a big fat C rating.  How many months ago was the Poodle vulnerability disclosed and Harzem still hasn't bothered to fix it?  It takes 2 effin' seconds to disable SSL 3 and another 2 seconds to fix the other SSL problems, even Jonny's 10 year old sister could do it so what is the excuse?



> trying to deflect the blame is unprofessional.


That is to be expected because a consumer reporting service that isn't even run by a registered company is the definition of unprofessional and reeks of Ringling Brothers.

http://www.youtube.com/watch?v=YLsPnf3cKR0


----------



## lbft (Feb 13, 2015)

DomainBop said:


> That is to be expected because a consumer reporting service that isn't even run by a registered company is the definition of unprofessional and reeks of Ringling Brothers.


It fills a niche - the fact that it is far from perfect and yet still massively popular in a particular market segment is indicative of the need for _something_.


----------



## drmike (Feb 13, 2015)

lbft said:


> It fills a niche - the fact that it is far from perfect and yet still massively popular in a particular market segment is indicative of the need for _something_.


Sadly there are adult ran companies in there, folks I do respect.

There is a niche, but as-is, prior issues plus current = trouble in paradise.

There are lots of sayings about you get what you pay for with free.    If the service is viable, then make it a business, get professionals doing things, stop monkeying around with lowend mentality on the stuff, audit things truly, incorporate, clean up the standard docs, etc.

I am not even going to say, meh, but that site can't cost much to run.  Whole thing is prettied up and all, works...  People behind it should run it like the business it should be.  Fnck the advertising.  Second time at this and got slapped.  Make it meh $1-3 a month --- even the cheapest lowend company can afford that.  Enough cash to actually do real things with instead of running disinvestment fundraising scams with the email spams.

The SSL certificate I saw earlier and let it slide.  But that money I just created above, that could pay for some admin hours monthly, for someone that might give a crap about running things sanely, safely and with regard to privacy.

Spend some of that cash on EU privacy researcher / legal and get the site compliant.   One trip out on the wrong person and legal takedown really likely.


----------



## Aldryic C'boas (Feb 13, 2015)

lbft said:


> It fills a niche - the fact that it is far from perfect and yet still massively popular in a particular market segment is indicative of the need for _something_.


Sure, it indicates the need for some _`providers`_ to actually learn how to be a proper company, and not just apply some crappy third party software to handle things they don't know how to do.  I remember a few years back everyone gave us crap because of how strict I was on anti-fraud.. but now that there's _a Solus_ to do it for them, they're all finally trying to catch up 

Seriously folks - start learning WHAT makes an order fraudulent, stop selling to any random signup to make a buck, and you won't have these problems in the first place.


----------



## Jasson.Pass (Feb 13, 2015)

I've heard having people fax in forms of ID and credit cards cuts down on fraud like crazy


----------



## rds100 (Feb 13, 2015)

Jasson.Pass said:


> I've heard having people fax in forms of ID and credit cards cuts down on fraud like crazy


Probably. It also cuts down your customer base by 99%. Really, buying a simple hosting product should not be THAT hard in the 21st century.


----------



## mitgib (Feb 13, 2015)

Aldryic C said:


> Sure, it indicates the need for some _`providers`_ to actually learn how to be a proper company, and not just apply some crappy third party software to handle things they don't know how to do.  I remember a few years back everyone gave us crap because of how strict I was on anti-fraud.. but now that there's _a Solus_ to do it for them, they're all finally trying to catch up
> 
> Seriously folks - start learning WHAT makes an order fraudulent, stop selling to any random signup to make a buck, and you won't have these problems in the first place.


How does solus cause or cut down on fraud?  I'm scratching my head on that one, I know you probably mean something else, but I'm not seeing it.


----------



## Aldryic C'boas (Feb 13, 2015)

mitgib said:


> How does solus cause or cut down on fraud?  I'm scratching my head on that one, I know you probably mean something else, but I'm not seeing it.


Oh, aye, I was making a reference at FR being along the same lack of quality as Solus.


----------



## MattKC (Feb 13, 2015)

Jasson.Pass said:


> I've heard having people fax in forms of ID and credit cards cuts down on fraud like crazy


Until a company like GVH dumps their copies of these into an open directory available to all (which GVH did and has still not reported to the necessary agencies nor directly contacted the people they just caused identity theft risk to). Of course they also use fraud record to get revenge against people they don't like by making false/misleading submissions. Another area fr needs to address, scam/fraudulent companies using their service and making false reports.


----------



## PortCTL (Feb 13, 2015)

It's quite unfortunate that it wasn't properly secured. If anyone can simply access the file and send mass spam emails, you should consider adding something like authorization tokens, or better yet, take it out of the accessible web directories, and just execute it using php in the command line.
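
As an added example (not FraudRecord's code and not PortCTL's billing software), here is what the "run it from the command line" approach looks like in PHP: a mailer that does nothing when reached through the web server, records every address it has mailed, and takes a lock, so a repeated run of the script cannot re-send the same message. File paths, addresses and the send callback are constructed for the example.

```php
<?php
// Added example, not FraudRecord's own code. A bulk mailer that:
//  1. only runs from the CLI (a hit through the web server does nothing),
//  2. keeps a ledger of recipients already mailed, so a second run of the
//     script resends nothing (the re-run problem described in the thread),
//  3. takes a lock so two runs cannot interleave.
// Keep the script and its data outside the document root and start it as
//   php /opt/mailer/send.php        (from cron or an operator shell)
declare(strict_types=1);

if (PHP_SAPI !== 'cli') {
    // Reached over HTTP: reveal nothing about the script and do no work.
    http_response_code(404);
    exit;
}

/**
 * Send $subject/$body to every address in $recipients that is not yet
 * recorded in the ledger at $ledgerPath. Returns the addresses mailed on
 * this run. $send is callable(string $to, string $subject, string $body): bool
 * so the transport (mail(), an SMTP library, a stub) can be swapped.
 */
function sendPending(array $recipients, string $ledgerPath, string $subject,
                     string $body, callable $send): array
{
    $lock = fopen($ledgerPath . '.lock', 'c');
    if ($lock === false || !flock($lock, LOCK_EX | LOCK_NB)) {
        throw new RuntimeException('another mailer run holds the lock');
    }

    // Load the ledger: one already-mailed address per line.
    $sent = [];
    if (is_file($ledgerPath)) {
        foreach (file($ledgerPath, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
            $sent[strtolower(trim($line))] = true;
        }
    }

    $mailedNow = [];
    foreach (array_unique(array_map('strtolower', $recipients)) as $to) {
        if (isset($sent[$to])) {
            continue;                        // idempotent: skip on re-run
        }
        if (!filter_var($to, FILTER_VALIDATE_EMAIL)) {
            fwrite(STDERR, "skipping malformed address: $to\n");
            continue;
        }
        if ($send($to, $subject, $body)) {
            // Record immediately, so a crash mid-run still never resends.
            file_put_contents($ledgerPath, $to . "\n", FILE_APPEND | LOCK_EX);
            $sent[$to] = true;
            $mailedNow[] = $to;
        } else {
            fwrite(STDERR, "send to $to failed; it stays pending for the next run\n");
        }
        usleep(200000);                      // pace sends: at most 5 per second
    }

    flock($lock, LOCK_UN);
    fclose($lock);
    return $mailedNow;
}

// Constructed sample data; a real run would read the list from a file that
// is itself kept outside the web root.
$recipients = ['alice@example.com', 'bob@example.com', 'alice@example.com'];
$ledger     = sys_get_temp_dir() . '/mailer-sent.txt';

// Stub transport so the example runs offline; replace the body with
// mail($to, $subject, $body, 'From: noreply@example.com') or an SMTP client.
$transport = function (string $to, string $subject, string $body): bool {
    fwrite(STDOUT, "would send '$subject' to $to\n");
    return true;
};

$first  = sendPending($recipients, $ledger, 'Hello', 'Body text', $transport);
$second = sendPending($recipients, $ledger, 'Hello', 'Body text', $transport);
printf("first run mailed %d address(es), second run mailed %d\n", count($first), count($second));
```

The second call returns an empty array because both addresses are already in the ledger, which is the property a web-triggered re-run would have needed.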


----------



## robbyhicks (Feb 13, 2015)

Maxmind helps, but having a reputation directory for hosts to subscribe to with fraudulent emails would definitely be helpful. If an order gets flagged, it's pretty common practice to ask for a copy of government issued photo ID.


----------



## WSWD (Feb 13, 2015)

Curious what @Profuse-Jim has to say about all this.  Surely he approved his services being spammed?


----------



## hxQ&S8ZaVn9e (Feb 13, 2015)

Is there any alternative to FraudRecord being used?


----------



## PortCTL (Feb 13, 2015)

hxQ&S8ZaVn9e said:


> Is there any alternative to FraudRecord being used?


Typically people use MaxMind, I am not trying to self advertise, but am building something to help prevent fraud in my billing software.


----------



## DomainBop (Feb 13, 2015)

drmike said:


> Spend some of that cash on EU privacy researcher / legal and get the site compliant.   One trip out on the wrong person and legal takedown really likely.


This is from a May 2014 EU opinion on anonymization techniques like hashes.  The determinant of whether the anonymized data (in the case of Fraud Record, the "hash" that is stored in the database) is considered personally identifiable information is the following:

_(i) is it still possible to single out an individual,_

_(ii) is it still possible to link records relating to an individual, and_

_(iii) can information be inferred concerning an individual?_

The answer to all 3 of those questions is a definitive yes where FraudRecord is concerned because all anyone has to do is a plain text search on the hashed data in the database and all 3 of those criteria are met.

TL;DR: EU hosts who transmit PII (the hashed data) to FR are most probably not compliant with EU data protection laws...especially the majority who fail to even state on their privacy policies that they transmit data to FR. .

ISO29001 says basically the same thing the EU opinion said: in order for anonymized data like a hash to be considered truly anonymous and not PII it must be anonymized in a way that it can't be traced back to a single individual (an example of true anonymized data would be aggregated traffic data that is collected from multiple people but can't be traced back to an individual).

_anonymisation is also defined in international standards such as the ISO 29100 one being the “Process by which personally identifiable information (PII) is irreversibly altered in such a way that a PII principal can no longer be identified directly or indirectly, either by the PII controller alone or in collaboration with any other party” (ISO 29100:2011)_

FraudRecord's use of hashes also fails the ISO29001 standard because the hashed data in the database is used to single out an individual and bring up a report on them whenever any Tom, Dork, or Harry runs a plain text search.

TRUSTe's opinion that hashes when used like FR uses them constitute PII is based on the same concepts as the EU opinion and ISO290001:2011 standard.

 

For tomorrow's lesson: why it is a violation of credit card industry rules to allow hosts to submit to FraudRecord (_which isn't even a legal entity so legally they are submitting the customer's info to Harzem Y_), and other to search on, the following two data fields:

- ccname: Name on credit card
- ccnumber: Credit card number


----------



## drmike (Feb 13, 2015)

^ ---     WOW    ---^


----------



## DomainBop (Feb 13, 2015)

drmike said:


> ^ ---     WOW    ---^


I think there's a definite need for a fraud screening service for the hosting industry but FraudRecord's implementation is very, very flawed and as you said _"One trip out on the wrong person and legal takedown really likely."_

There was a service similar to FR that also had a searchable database that many hosts used about 10 years ago called ChargebackBureau.org (the company and its database were in Panama to avoid the FTC's tentacles).  It eventually shut down after VISA/MC and the FTC leaned on it for various violations of card industry rules and US consumer protection laws.

http://www.sfgate.com/business/article/Dispute-charges-at-your-peril-2494770.php

https://www.google.com/search?q=chargeback+abuse+database&ie=utf-8&oe=utf-8#q=chargebackbureau.org+%2Bsite:webhostingtalk.com


----------



## drmike (Feb 14, 2015)

DomainBop said:


> There was a service similar to FR that also had a searchable database that many hosts used about 10 years ago called ChargebackBureau.org (the company and its database were in Panama to avoid the FTC's tentacles).  It eventually shut down after VISA/MC and the FTC leaned on it for various violations of card industry rules and US consumer protection laws.


I can't thank you enough for that gem!

"ChargeBack Bureau costs merchants $29.99 per quarter or $99.99 per year for full access to its database."

"The service claims to have more than 7,500 online merchants enrolled as members and more than 40,000 listings in its database."

Do the math: $99.99/year x 7500 = $749k+

Fraudrecord is something like 1k~ members even at $20 per year = $20k income potential.

All that aside, prior effort was same duck US regulators game. They lost, same reasons.


----------



## rds100 (Feb 14, 2015)

If there can be databases for credit rating / credit score and such, why there can't be other similar databases? What makes this one different from the database of bad debtors?


----------



## William (Feb 14, 2015)

An expensive audit, primarily.


----------



## lbft (Feb 14, 2015)

rds100 said:


> If there can be databases for credit rating / credit score and such, why there can't be other similar databases? What makes this one different from the database of bad debtors?


Web hosting is small enough and the margins for many slim enough that there isn't the money to pay for the legal compliance costs or the money to fight in court people who got busted doing bad things. Even then, the credit report/cheque fraud/etc. databases tend to be limited to single countries, whereas web hosting/VPS/dedicated servers/colocation all require a single global database.

Which is probably partly why FraudRecord works for the most part - it's away from the legal and regulatory influence of the US, EU, China, etc. The only hiccup is the transfer of personal information from the country of the provider to another country, but the businesses using it are too small to attract government interest for the most part (look at how a certain Buffalo-based VPS provider still hasn't got spanked for three major data breaches).


----------



## Lee (Feb 14, 2015)

DomainBop said:


> This is from a May 2014 EU opinion on anonymization techniques like hashes.  The determinant of whether the anonymized data (in the case of Fraud Record, the "hash" that is stored in the database) is considered personally identifiable information is the following:
> 
> _........_


I have raised these kind of issues almost every time I see a post about FR. EU providers continually claim how much they respect privacy and protect data yet they hide their use of this service, I have yet to see a reference to FR in terms and conditions or confirmation that your personal data may be transferred outside the EU. Harzem simply point blank refuses to deal with any of these issues.

The appeal process is another thing. Harzem constantly goes on about there is no identifiable client information held and that he never sees personal data on anyone. So what if I have to come to you to appeal an entry in the system? The host refuses to remove it and the only way I can prove to you that it's false is to give you a document or email that I can't censor but reveals more of my personal data than I would want a real service to see nevermind FR?



drmike said:


> Fraudrecord is something like 1k~ members even at $20 per year = $20k income potential.


I am sure the intention was to provide a solid, reliable database for the hosting industry. If once that grew to a certain level Harzem could have charged for it, and why not, if it's providing a decent service then it's offering value worth paying for. The issue though is that you would be paying for a database top heavy with useless crud. Harzem himself admits that FR is used in the main by LET type providers, the quality is just not worth paying for. Not saying it's totally useless, as there is good info in there but not enough.

The amount of unreliable information far exceeds the reliable.  When you realise that idiots like GVH and others use it as a revenge service how can you treat it as a useful tool?  Or consider paying for it? This is the kind of thing that will prevent the largest market players wanting to participate in this kind of service who would bring a serious amount of good data to the table.

I have seen lots of reports in FR that are there simply because maxmind found an issue, so it's a duplication of information. Who is that useful for? People who are too lazy or cheap to use maxmind and rely on FR only or just in general too lazy to be bothered making an effort full stop.

You can easily see the logic with providers where someone for example gets 3 reports for DDoS and Chargeback. Provider one reports clients for DDoS/Chargeback, provider 2 gets a request from client and sees the report by provider 1, he ignores the report in favour of the $2 he would otherwise lose but within a month the client uses it for DDoS/Chargeback. And so the cycle continues!





rds100 said:


> If there can be databases for credit rating / credit score and such, why there can't be other similar databases? What makes this one different from the database of bad debtors?



That is a really bad comparison.  For one, credit rating and scoring is heavily regulated and audited.  Most importantly the information there is *factual.*

As a very rough example, I go to a bank and borrow $1,000 repaid at $100 per month over 10 months.

That bank will send data to the credit agency telling them whether I paid on time, paid late, stopped paying, was taken to court and so on. They do this via *factual information only* using codes. Within the credit entry a 1 means I was 1 payment late, 3 means three payments late, D means I stopped paying and have since defaulted. You will never find an entry on a credit report that says "client is an asshole, do not lend".

In FR the reports use free text which can be emotive, aggressive and ultimately can rarely be relied upon as to whether they are factual.  The free text comments are very often emotive, badly written and appear much like a rant by a child than a true report of a client done something wrong and not to be considered for service elsewhere.

Now of course many will say that as it's only "bad" clients they report what is all the fuss?  But that is my point at least, where it's already been used several times as a revenge system then it's clearly not just a bad client reporting system.  Aside from this truly awful lapse in security it needs to burn in a fire generally, Harzem needs to stop acting like a spoiled child and it needs a complete rebuild to actually deal with the truly important elements.

/rant


----------



## drmike (Feb 14, 2015)

~Lee~ said:


> I have raised these kind of issues almost every time I see a post about FR. EU providers continually claim how much they respect privacy and protect data yet they hide their use of this service, I have yet to see a reference to FR in terms and conditions or confirmation that your personal data may be transferred outside the EU. Harzem simply point blank refuses to deal with any of these issues.
> 
> ...
> 
> ...


I couldn't have said it better and I shall not try.


----------



## AnthonySmith (Feb 17, 2015)

human error, bad practice, call it what you will and you are right it is not good practice etc, but posting it publicly first is another separate matter. I think notifying them and giving them 24 - 48 hours to fix it before making it public would have been a less 'dick move'

just my 2c


----------



## northhosts (Feb 17, 2015)

Anybody who is handling data in the fashion they are should be super tight, we are registered with them ourselves and use them to double check suspect orders that get through Maxmind. It's worrying that they let that happen to be honest.


----------



## drmike (Feb 17, 2015)

AnthonySmith said:


> human error, bad practice, call it what you will and you are right it is not good practice etc, but posting it publicly first is another separate matter. I think notifying them and giving them 24 - 48 hours to fix it before making it public would have been a less 'dick move'
> 
> just my 2c


This data was exposed for some chunk of time.  Unsure of the start date if multiple day, weeks, months.

By the time I noticed this, many people were already through it.  Damage was already long done.  Data then already grabbed.


----------



## harzem (Feb 17, 2015)

drmike said:


> This data was exposed for some chunk of time.  Unsure of the start date if multiple day, weeks, months.
> 
> By the time I noticed this, many people were already through it.  Damage was already long done.  Data then already grabbed.


No, it was uploaded about 2 hours before you exposed it, and it started getting server hits after you exposed it. Check the email dates. It was your "dick move" not to alert me.


Give yourself some credit, you found the bug first, right after it was uploaded. Congrats!


----------



## drmike (Feb 17, 2015)

harzem said:


> No, it was uploaded about 2 hours before you exposed it, and it started getting server hits after you exposed it. Check the email dates. It was your "dick move" not to alert me.
> 
> Give yourself some credit, you found the bug first, right after it was uploaded. Congrats!


Definitely wasn't me that found it.  I can't say 2 hours or 2 years of exposure.  There are logs, you should see how many people and IPs hit those pages.


----------



## harzem (Feb 17, 2015)

I take all the blame for lack of proper security and by relying only on "security through obscurity", as you can see I've never even tried to defend what I did.

But I uploaded the folder exactly 3.5 hours before you started this topic, as I have now determined. Also, every hit to that email1.php file you linked generated another set of emails. I was able to detect it and stop it at 23 hits. A few people received up to 23 emails, some people received fewer, and about 90% of people received only one email as they should. Because the email system doesn't send in bulk, it has delays after each email. The earlier I spotted that the php file was being hit multiple times, the earlier I could stop further emails.

So, in short, the hits to that file started AFTER you found the email1.php file. Every run of that script would start an email, and I'm the first one to get the email.

I uploaded the folder/files and started sending the emails at Thu, Feb 12, 2015 at 10:44 PM, which is the first run of the script.

I received a second email, which indicates someone found the script, at Fri, Feb 13, 2015 at 2:24 AM (3.5 hours later)

I received several more emails in a few minutes, indicating the script was being run again and again.

You opened a thread at Fri, Feb 13, 2015 at 02:35 AM (11 minutes later) with your findings.

I kept receiving new emails, after people started clicking on the link. I was already aware and online, I logged in and disabled the script, and removed the exposed files.

5 days later you insist you aren't the one who found the script, but I do have access to a lot of data, and those 11 minutes after 2:24 AM give me all I need. I know that exactly at 2:24 AM, that email list was first clicked by anyone.

Now, if you aren't the one who found it at 2:24 AM, you sure had good contact with whoever did, since 11 minutes was all it took you to open a thread here after the script was run without my authorization or knowledge.

The insecure files weren't even there before 10:44 PM, that's the upload date from my local to FTP. All dates/times are in my time zone here. It's Feb 17th, 10:38 PM here right now if you need to compare.
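The timeline dispute above is the kind of question a web server's own access log settles: when the exposed script was first requested, by whom, how many times it was triggered, and which referer brought the visitors. The following is an added example and not harzem's or FraudRecord's code; the log lines, IPs, timestamps and referer are constructed for it, with 203.0.113.10 standing in for the operator's own first run.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample access-log lines in Apache "combined" format. The IPs,
# paths and timestamps are made up for this example; they are not FraudRecord's
# logs. 203.0.113.10 stands in for the operator's own first run of the script.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Feb/2015:22:44:01 +0200] "GET /emails/email1.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Feb/2015:22:50:12 +0200] "GET /dashboard/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Feb/2015:02:24:03 +0200] "GET /emails/ HTTP/1.1" 200 1311 "-" "curl/7.38.0"
198.51.100.7 - - [13/Feb/2015:02:24:09 +0200] "GET /emails/email1.php HTTP/1.1" 200 512 "-" "curl/7.38.0"
198.51.100.7 - - [13/Feb/2015:02:25:40 +0200] "GET /emails/email1.php HTTP/1.1" 200 512 "-" "curl/7.38.0"
192.0.2.55 - - [13/Feb/2015:02:31:17 +0200] "GET /emails/email1.php?x=1 HTTP/1.1" 200 512 "http://forum.invalid/thread" "Mozilla/5.0"
192.0.2.55 - - [13/Feb/2015:02:31:22 +0200] "GET /emails/email1.php HTTP/1.1" 200 512 "http://forum.invalid/thread" "Mozilla/5.0"
198.51.100.7 - - [13/Feb/2015:02:36:02 +0200] "GET /emails/email1.php HTTP/1.1" 200 512 "-" "curl/7.38.0"
"""

# Apache combined format: ip ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def hits_to(path, log_text):
    """Every successful request for `path`, oldest first, as (timestamp, ip, referer)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] == path and rec["status"] == "200":
            hits.append((rec["ts"], rec["ip"], rec["referer"]))
    hits.sort()
    return hits


def summarize_hits(path, log_text, operator_ips=frozenset()):
    """Reconstruct the exposure timeline for a script that does work on every GET.

    For a script that re-sends mail on each request, total_hits is the number
    of times the mailing was triggered; foreign_hits excludes the operator's
    own runs, and first_foreign_hit is when an outsider first reached it.
    """
    hits = hits_to(path, log_text)
    foreign = [h for h in hits if h[1] not in operator_ips]
    return {
        "total_hits": len(hits),
        "first_hit": hits[0][0] if hits else None,
        "foreign_hits": len(foreign),
        "first_foreign_hit": foreign[0][0] if foreign else None,
        "hits_by_ip": Counter(ip for _, ip, _ in hits),
        "referers": sorted({ref for _, _, ref in foreign if ref != "-"}),
    }


def ips_above(hits_by_ip, limit):
    """IPs that hit the script more than `limit` times (repeat triggering)."""
    return sorted(ip for ip, n in hits_by_ip.items() if n > limit)


if __name__ == "__main__":
    summary = summarize_hits("/emails/email1.php", SAMPLE_LOG, {"203.0.113.10"})
    print("script triggered", summary["total_hits"], "times;",
          summary["foreign_hits"], "by outsiders, first at", summary["first_foreign_hit"])
    print("repeat hitters:", ips_above(summary["hits_by_ip"], 2))
    print("referers seen on outside hits:", summary["referers"])
```

The referer column is what tells a forum link apart from a direct fetch, which is exactly the distinction argued over in this thread.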


----------



## drmike (Feb 17, 2015)

Yeah definitely not me that found them.  

Your friends and foes are in IRC.  That's likely the vector where it was spread from.

I don't partake in IRC, contrary to phobias out there.


----------



## harzem (Feb 17, 2015)

Would you like to enlighten me as to how you got hold of it then, 11 minutes after it was first discovered?


----------



## drmike (Feb 17, 2015)

Read above up there.  Someone was dumping that URL/data on IRC.  

Now I didn't see the conversation, nor was I on IRC, nor do I have a log of such.

I was passed a message here (I think) about public exposure and noted it was being tossed around on IRC, so was public.

Which IRC channel?  I am unsure,  I think it was mentioned as being on the lowend channel though.


----------



## Lee (Feb 17, 2015)

harzem said:


> Would you like to enlighten me as to how you got hold of it then, 11 minutes after it was first discovered?


Who, what, when.  Makes no difference.  You got caught with your pants down, accept it. Instead of now trying to turn this into a witch hunt and take the heat away from you, do a proper audit and make sure it does not happen again.


----------



## harzem (Feb 17, 2015)

I accepted it (again) just 4 posts ago, the first sentence, if you bothered to read.


----------



## Lee (Feb 17, 2015)

harzem said:


> I accepted it (again) just 4 posts ago, the first sentence, if you bothered to read.


Yes, I saw it, that one and only line before another 15ish focussing all on the hunt.  I get it, you are a sensitive soul, that has always been apparent.  You don't like your kid being called ugly, but it is.  And this now makes not only the consumer more nervous about your kid but hopefully providers as well.  That is where your attention is needed.  Not here trying to find out who was the cause for leaking your mistake.


----------



## harzem (Feb 17, 2015)

I'm also a designer, I've had a lot of negative feedback from random people as well. I got good feedback and bad feedback about my designs. I keep it professional, I don't mind my kid being called ugly there.

It *used to* be the same for FraudRecord. I've dealt with you in the past, always being against everything FraudRecord has. I've fought against people who claim it's illegal, it's against EU regulations etc etc. People claimed to have reported me to the police. They reported me to Wiredtree, my hosting company, for spamming, only to find out I obey ALL spam regulations. I have my server active. People kept searching for legal flaws, mostly regarding sharing private info to 3rd parties.

They never seem to realize that FraudRecord requires that providers mention it in their Terms of Service:

https://fraudrecord.com/sign-up/



> When you start using FraudRecord to submit reports or make queries, you will be sharing non-identifiable client information. You will need to reflect this in your Terms of Service. You may use the following example:
> 
> 
> 
> [Your Company Name] utilizes FraudRecord to screen new orders for previous fraudulent activity and report existing clients who violate our Terms of Service. In case of a violation, you may be reported to FraudRecord for misbehaviour using one-way hashed information.


 

Then people blame *me* for providers who don't mention it in their TOS.

 

I'm hosted at Wiredtree. Their contact information is on their website. If anyone feels I'm violating *privacy laws* or *spam laws* they are welcome to contact Wiredtree to get me suspended. The fact that FR is still online isn't because people haven't tried. It's because I obey the rules.

 

People blame me for sending *spam emails*. One guy here thinks he can get me into jail! Here are the facts:

I don't use false or misleading header information or deceptive subject lines. I identify the message as an advertisement. I only send to those who verified their email addresses, fully knowing that they may receive emails. I provide contact info on my website. I allow recipients to opt out of receiving future messages. I honor opt-out requests immediately, in fact they are automated.

 

Those who complain about my emails are those who never read the TOS on the website before they registered.

 

Also, you do remember all the fuss last time I sent emails? *Do you know how many of ~1k members actually unsubscribed last time*? Take a wild guess for me please. (Hint: the answer is 8 people). Then the others started complaining all over again this time. Some guy went crazy here (DomainBop) calling me a spammer again.

 

So yes, I'm sensitive, and I'm going to run FraudRecord as I see fit, that is abiding by rules and regulations, and not caring what people who don't like FraudRecord call me. 95% of the memberbase know what they are in. They know they can opt out of the emails that they opted in when they registered.

 

I already took the responsibility for the failure to secure the directory. But in all 55 responses in this thread, how many are about the security, how many are about the email advertisements, how many are about how FR is illegal in X countries or laws?

 

I'm sensitive because the same people, drmike, Lee, DomainBop, a few others, run around the same old issues of blaming me for running an illegal boat, or running spam campaigns. So I'm defending my "kid" as you delicately put. I'm not worried or afraid of what I'm doing, I stand by it. I failed to secure a directory, some guy posted that online instead of alerting me, because he is in the team that loves to hate FR.

 

So yes, I'm sensitive when it's about FraudRecord. You keep not liking FR, I keep running it. I guess we'll need to leave it at that.


----------



## Lee (Feb 17, 2015)

I have never accused you of spamming, that's a worldwide persistent nuisance that will never go away.  I have no time to complain about that.

I won't go over all my very valid points made about FraudRecord, because you know many of the points I have raised time and time again.  You ignore them every time, not because you have a defence.  

As I have always said, great idea, useful system but badly managed and executed.  You let anyone use it and abuse it.  If nothing else it will be confined to a limited market space with no strength or relevance, ignored by the sensible providers who are capable of spotting the crud.  It's a useful tool for the masses of the lowend market that is riddled with the type of clients that cause the bulk of the problems within that sector.  However when the spammers get wind of being on FR they adapt and evade.  Like I said above, a database top heavy with useless crud.

But yes you are probably right I do keep running around raising the same issues because I believe my concerns are valid whilst you exploit FR for your own gain whilst ignoring providers who use your system to get back at clients as revenge for a negative but truthful review.

Yes, you keep running FR your way and trying to convince people it is doing nothing wrong.  Every thread that pops up as you say always ends up about what FR is not doing, that should tell you something.


----------



## AnthonySmith (Feb 17, 2015)

sigh.... some people have a love hate relationship with this whole industry, they love to hate it, some people thrive on chaos.

2 issues:

1) That it was allowed to happen, clearly human error, is it good enough? no, but it was done and it has been fixed and we can only hope lessons learned. 

2) Posting it on a public forum, IRC channel etc before notifying FR, no real excuse for that, but that is human nature for you, some people love the chaos and probably have very empty lives and are beyond even understanding why this was a stupid way to let people know in the first place.

If people are going to pound Harzem into the ground over it at least separate the 2 issues.

I know not everyone will agree but that is what I think.


----------



## drmike (Feb 17, 2015)

Constructive post there @harzem.

I point to things where they need addressed.   Believe me, if I had it in for you and FR, dumping public info would be the least I'd do.  Witch hunting me for posting it,  won't work.  Everyone knows I punt stuff fairly equally when deserved.   The deserving part went like this:

1. People complained about email ads prior (we had a thread here and such was said to be stopped / not again)

2. I am unsure if opt out functions and all are in place for providers before they get more of that.  Such wasn't at signup and auto opt-in per se I bet.  (could be wrong here).

3. It was another email ad blast about to happen.

4. In same directory as ad blast were plaintext details on users (yes only their emails and IDs)

Big picture FR does a bit, it's half baked though and like DomainBOP did point out earlier, it's very similar to an earlier company (for profit) that was smacked down and out for the same deficiencies.  I may not agree with some finer points and see utility of such a service, but the lack of due process, rebuttals, policing screwballs who misuse the system (see: GVH vs. William for example).... yeah it's concerning.  Plus the name of the site is a violation of the English language and misleading by name.  People are shoe-horning non-FRAUD issues into the system and such is allowed 

I don't have a competing product to promote and enrich my pocket, so no ill intent.  I know companies that use FR and big picture I disagree with said use and note their Terms lacking such disclosure.   I'll say I bet if I audit all the companies using FR that 15% or less disclose their use of the service in Terms and wrongly believe such is covered under their third-parties business operations umbrella style clause.

Similarly, these users, the ones with own IP allocations aren't rightly disclosing that they broadcast customer details to ARIN either.

Sadly, I don't think the deficiencies are related / exclusive to Lowend companies.  It's just business as usual and half assed at that.


----------



## harzem (Feb 17, 2015)

~Lee~ said:


> Yes, you keep running FR your way and trying to convince people it is doing nothing wrong.  Every thread that pops up as you say always ends up about what FR is not doing, that should tell you something.


It's the same 3-4 people who keep trying to convince me regarding how I should run it.

I realize the need to properly verify providers, or even read/approve every report to make sure the text content is useful and informational.

FraudRecord receives about:

70 new registrations per month

600 new reports per month

50 removal requests per month, that requires investigation and discussion with both parties

Hundreds of DDoS attacks

$250 in donations

FraudRecord needs:

$125 to run including backup system

20+ admin hours per month for removal requests

50+ admin hours a month if I start approving all reports manually

10+ admin hours a month if I start verifying all providers by researching each one online for reputation?

That leaves me about $125/mo for all the admin hours people ask me to spend. I apologize to those who think getting one email every few months is annoying, but I need everything to run this for free.

But I will listen to one of your previous recommendations. I will monetize it more to make sure I can spend proper time to increase the quality of the memberbase and the individual reports. I will get a lot more hate for monetizing some parts of FR, but it's either that or no FraudRecord at all, if the current way isn't working for everyone.


----------



## Lee (Feb 17, 2015)

harzem said:


> I realize the need to properly verify providers, or even read/approve every report to make sure the text content is useful and informational.
> 
> That leaves me about $125/mo for all the admin hours people ask me to spend. I apologize to those who think getting one email every few months is annoying, but I need everything to run this for free.
> 
> But I will listen to one of your previous recommendations. I will monetize it more to make sure I can spend proper time to increase the quality of the memberbase and the individual reports. I will get a lot more hate for monetizing some parts of FR, but it's either that or no FraudRecord at all, if the current way isn't working for everyone.


Again, it's a useful service done right.  If monetization leads to better quality control and controls then I won't be criticizing that move.  The ones who start to hate you for asking for a payment to make the service better serve to identify the ones you do not want or need, thus improving quality almost immediately.


----------



## drmike (Feb 17, 2015)

~Lee~ said:


> Again, it's a useful service done right.  If monetization leads to better quality control and controls then I won't be criticizing that move.  The ones who start to hate you for asking for a payment to make the service better serve to identify the ones you do not want or need, thus improving quality almost immediately.


Not that it always works out this way, but monetization leads to a true business.   There are insurance matters, bondability, risk, etc. involved in any business, especially something of said nature.

I encourage that pursuit and some regulation before more examples of questionable use of the system show up and someone takes such personal and decides to do something about it for a change.


----------



## Lee (Feb 17, 2015)

Monetization creates focus.  When I read that last post from Harzem all I saw was woe: it costs me x, my hassles are y and my motivation to even begin looking at developing it is z.

Welcome to trying to run a service which should be a regulated business on a shoestring budget.


----------



## fixidixi (Feb 18, 2015)

@harzem:

I'm no user of your service nor have I even received any emails, but both threads were pretty active here.

My only question is if you are sure you've notified everyone properly that you are going to send [x] adverts / [y] period to be able to keep the service running?

Just as I've read a LOT of posts (not all of them though) but haven't seen anything like that from you. In fact my blurry memory only holds something about not going to follow this way. I can easily be wrong but if it's like that then I could imagine some people would be pissed about it..

Well for one I think the sole idea and that you've kept this running this long is.. .. pretty awesome  so kudos!


----------



## MattKC (Feb 18, 2015)

Harzem, how about requiring providers to add the fraud record clause to their TOS and verify it has been added before allowing them to use the service? This could go hand in hand with verifying providers to help keep the trash providers (cough, GVH) out of using the service for revenge or abuse. This would address the issue of end users having no idea a provider is sending their details to a negative impact, un-affiliated third party that will impact their ability to make future orders.


Your service works (or should when not being abused) like a credit bureau report for hosting customer's history (albeit with only negative data). Customers must know that their information is being provided to you for purposes of allowing future purchases, especially when you only collect negative information that has no standardization or verification/validation associated to ensure the data is factual.


Don't get me wrong, I think fr can be a valuable tool, there are just too many ways it is being abused at present, virtually no validation and/or end user disclosure regarding the service in current form.


----------



## fixidixi (Feb 18, 2015)

@MattKC:

He already said he doesn't have enough time doing the current work. Do you think manual verification of every provider's TOS?! is the way to go?

It's not the way to go. He could also be standing behind everyone with a whip to avoid fraud being committed. It's the provider's responsibility to honour fraudrecord's usage policy..


----------



## DomainBop (Feb 18, 2015)

MattKC said:


> Harzem, how about requiring providers to add the fraud record clause to their TOS and verify it has been added before allowing them to use the service?


+1 to that because a sizable number of hosts don't list it in their policies and the ones who don't list it also tend to be the ones who abuse it the most by posting false reports (it's not really that surprising that these hosts don't list it since many of these hosts have amateurish TOS and privacy policies that would get thrown out of most courts...some of them would even get thrown out of a kangaroo court)

A couple of quick google searches show that many hosts do list it though on their privacy policy or their TOS so a +1 to those hosts.



> Your service works (or should when not being abused) like a credit bureau report for hosting customer's history (albeit with only negative data).


One big difference between the professional credit bureaus (_besides the obvious ones of outside auditing, adherence to government regulations, objective accurate reports as opposed to FR's subjective often false reports,  ownership by a registered business, etc_) and the amateur hour that is FR is that underage children who aren't old enough to legally sign a contract aren't submitting consumer reports to Experian, TransUnion, etc while FraudRecord welcomes children (as well as known skids) with open arms..


----------



## MattKC (Feb 18, 2015)

fixidixi said:


> @MattKC:
> 
> 
> He already said he doesn't have enough time doing the current work. Do you think manual verification of every provider's TOS?! is the way to go?
> ...


Monetizing the service would address the lack of resources by allowing him to hire staff, create automation, etc. If you are going to blame a problem of non disclosure on the providers using the service, you need to find a way to address that problem. Or we can just continue to ignore it and any other problem and not suggest any solutions.


If it's the providers responsibility, there needs to be recourse for those who fail the responsibility, not just ignore it. It would take less than 30 seconds for him to check their tos for inclusion...add it to the signup process that requires a link to the tos where the clause appears. Simple to add and simple to verify. I'm not saying he has to check every day that it is there, just upon signup and perhaps at random or if a complaint is made regarding it not being there.


----------



## fixidixi (Feb 18, 2015)

@MattKC:

My problem is with the principle: if you are a hammer vendor you can't make sure that people who buy your tool won't use it to do bad things with it... ...and it's not your responsibility as a service provider.

But to be cooperative : I think we are talking about two different things: I'm talking about the current setup, your idea was about after/when harzem continued on the way of monetizing so he would earn some sort of revenue to have more hands ..


----------



## Lee (Feb 18, 2015)

fixidixi said:


> @MattKC:
> 
> if you are a hammer vendor you can't make sure that people who buy your tool won't use it to do bad things with it... ...and it's not your responsibility as a service provider.


I am going to come around and bash your skull in until you're dead for using that analogy.

Now if I did you are correct, the guy that sold me the hammer can't be responsible in any way.  But if I said that on FR in response to a client pissing me off would FR not be responsible for allowing that comment to a) exist and b) let others see it and c) not doing something about it?  The answer you are looking for is yes they would be.  In fact there is no they, Harzem is personally liable for any damage FR may cause because he allowed it to exist as the data controller.

Now that may seem extreme of course but it only takes one serious event and Harzem could easily find himself in big trouble over a service that whether he likes it or not breaks EU rules for a start.  Search around, it's usually only after some shit hits the fan that you find out what you are liable for when running a service that holds data that then causes harm.

It's all well and good saying FR can only advise providers to mention in their terms that they may send information to FR but Harzem can't avoid responsibility for the content he has as a data controller.  It makes no difference which provider submitted it, once it's in his possession (encrypted or not) he becomes liable.

Remember once you submit a report to FR the provider no longer controls it, it is not his responsibility.  I believe it's possible for the provider who reported it to remove it, possibly change it.  

But let me be clear again:  

Once submitted to FR, the submitter can be held liable for making the comment but not responsible for the existence of the data, he has passed responsibility to FR because the data is no longer in the submitters system.

But anyway I will duck out of all this now, I don't want @MannDude to think I stayed around after my last thread and I can't have Colocrossing thinking I don't love them by being here.

Impeccable timing, just seen this on LET, https://www.fraudrecord.com/api/?showreport=5a97456bc264f109


----------



## DomainBop (Feb 18, 2015)

> It's all well and good saying FR can only advise providers to mention in their terms that they may send information to FR but *Harzem can't avoid responsibility for the content he has as a data controller.  It makes no difference which provider submitted it, once it's in his possession (encrypted or not) he becomes liable.*


Good example: last year the state of Mississippi sued the largest credit reporting agency Experian over inaccurate consumer data in its database.

http://onlineathens.com/jeff-horwitz/2014-06-16/lawsuit-filed-against-credit-reporting-giant-experian



> The lawsuit accuses Experian of knowingly including error-riddled data in the credit files of millions of Americans, jeopardizing their ability to obtain loans, employment-related background checks and sensitive government security clearances.


If you're maintaining a database of consumer information you do have a responsibility as the service provider to have controls in place to ensure that the information submitted to your service and stored in your database isn't riddled with false information and inaccuracies.  Based on some of the absolute shit I've seen in the FR database (_example: complaints by kiddie hosts that state "criminal intent" because a customer opened multiple tickets after their tickets were auto-closed without a reply, etc_) , FR doesn't have adequate controls in place to ensure the accuracy of the information in its database, and the whiny replies of _"it would take too much time to do that"_, _"it would cost too much money to do that"_ are not an excuse when you're running a consumer reporting service.  If you don't have the resources to implement the right controls from Day 1 then you shouldn't be running a consumer reporting service.


----------



## MattKC (Feb 18, 2015)

fixidixi said:


> @MattKC:
> 
> 
> My problem is with the principle: if you are a hammer vendor you can't make sure that people who buy your tool won't use it to do bad things with it... ...and it's not your responsibility as a service provider.
> ...


The difference here though is that he states it as a requirement for using the service, but does not enforce or verify it. The hammer analogy isn't at all the same thing. You don't have to agree you won't use a hammer on a person when you buy it or agree to use it.


But agree, we are talking about a before vs after scenario in terms of what has been and could be done. The example Lee posted is an excellent example of the nonsense that is being fed into the system due to no checks/balances/requirements. Asking for a refund got that customer a fraud report with the reasoning "asked for a refund due to not knowing how to manage vps". How is that fraud or abuse? If the customer qualified for a refund per tos, give it, no report justified. If they didn't qualify per tos, don't give it, still no report justified. If they harassed/spammed/abused support then detail that if you feel a report is justified. The reason given in that report is crap and that report should be thrown out imo.


----------



## Criot (Feb 18, 2015)

I think definitely all of these points are valid, I can see why these sort of things need to be validated, but realistically, if FraudRecord started charging for their service to implement such measures, how many companies would actually continue to use it? How many use it just because it's a free service? It has to be considered that the less companies that actually use it (properly), the more useless it effectively becomes.

Providers also need to use their own judgment with these sort of systems, if you see a client on FraudRecord with a report for a silly reason, like the example given above, any provider with some sense between their ears wouldn't decline an order, I personally wouldn't.


----------



## fixidixi (Feb 18, 2015)

I think if a careful rating system would be introduced such as providers can also be rated ( like - for retardish submission) that might also help to weigh certain submissions


----------



## drmike (Feb 18, 2015)

MattKC said:


> Monetizing the service would address the lack of resources by allowing him to hire staff, create automation, etc. If you are going to blame a problem of non disclosure on the providers using the service, you need to find a way to address that problem. Or we can just continue to ignore it and any other problem and not suggest any solutions.
> 
> 
> If it's the providers responsibility, there needs to be recourse for those who fail the responsibility, not just ignore it. It would take less than 30 seconds for him to check their tos for inclusion...add it to the signup process that requires a link to the tos where the clause appears. Simple to add and simple to verify. I'm not saying he has to check every day that it is there, just upon signup and perhaps at random or if a complaint is made regarding it not being there.


The ToS inclusion is literally a verbatim matchable quote, and tying that to a form that collects the company's ToS URL, fires off an HTTP GET and parses the page to check that the content exists is very simple.  Literally a few hours of work tops.   

Based on the rudimentary search earlier (cause Google searches are meh, often littered with other content) I'd guesstimate 500 or fewer mentions of FraudRecord in Terms pages.  Probably below 50% compliance today.  Driving the mention in Terms is something that should be pushed heavily.  It's good for companies to get cozy with their terms and good to disclose FR and many other things they are subjecting customers to (ARIN IP justifications).  Companies fear such disclosures because customers rightly might notice and not be happy about such, and their competitors aren't being forthright and honest and disclosing similar.   It's truly a chicken sees then chicken does industry segment.



> *BudgetGeek Telecoms* http://budgetgeektelecoms.com/
> 
> 
> Reported on: Nov 23, 2014 - 02:08
> ...


^--- that FraudRecord Entry --- in there because?    Revenge submission?  Pissed support tech/owner?  Or just because they can? Oh that is MTWISCOOL submitting.  Talk about an issue on submitter and all.  Yikes.  Would someone sue FraudRecord, MTW, or his legal guardians?

Is there a way to actively query and see recent FR submissions in ongoing fashion?  Anyone?



> if FraudRecord started charging for their service to implement such measures, how many companies would actually continue to use it? How many use it just because it's a free service? It has to be considered that the less companies that actually use it (properly), the more useless it effectively becomes.


Cheapskates will use it, if it costs low end money.  Like I said earlier - $1-3 a month.  Sell it flat annual $12-24 a year.  Ideally any loss of use due to cost barrier is offset by having high caliber of well behaved paying customers who submit what is rightly defined and encompassed within the spirit of FRAUD.  Thus reducing the heap of steaming dung too many FR entries appear to be.  Also reducing public scrutiny ideally.

Imagine this, even us 'mean folks' see utility and need for the service.  Just requires properness of approach, limits on what can go in there, public access that is clear (i.e. I'd like to see at will any entries for me), means of refuting bogus entries, some sort of due process on the refutes, some common sense where submissions are off color and auto pulled / held pending manual human intervention, etc.
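The signup-time check drmike describes above (collect the provider's ToS URL, fetch it, and look for the disclosure clause), as an added example that is not FraudRecord's code. It matches the fixed part of the clause quoted from the sign-up page earlier in the thread, normalizing tags, entities and whitespace so a clause wrapped in links still counts as verbatim; `check_tos_url` is a hypothetical hook and the three sample pages are constructed for the example.

```python
import html
import re
import urllib.request

# Fixed part of the disclosure wording FraudRecord's sign-up page asks providers
# to put in their Terms of Service (quoted earlier in the thread). The
# "[Your Company Name]" prefix is a placeholder, so it is left out of the match.
FR_CLAUSE = ("utilizes FraudRecord to screen new orders for previous fraudulent "
             "activity and report existing clients who violate our Terms of Service")


def normalize(text):
    """Reduce HTML to comparable plain text: drop scripts/styles and tags,
    decode entities, collapse all whitespace (including &nbsp;) and lower-case,
    so a clause wrapped in links or split across lines still matches verbatim."""
    text = re.sub(r"<(script|style)\b.*?</\1\s*>", " ", text, flags=re.S | re.I)
    text = re.sub(r"<[^>]+>", " ", text)
    text = html.unescape(text)
    return re.sub(r"\s+", " ", text).strip().lower()


def classify_tos(page_html):
    """'verbatim' if the sign-up clause is present, 'mention-only' if FraudRecord
    is named in some other wording, 'missing' if the page never names it."""
    body = normalize(page_html)
    if normalize(FR_CLAUSE) in body:
        return "verbatim"
    if "fraudrecord" in body:
        return "mention-only"
    return "missing"


def check_tos_url(url, timeout=10):
    """Hypothetical signup-form hook: fetch the ToS URL the provider supplied
    and classify it. Makes a network request; not exercised by the samples below."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return classify_tos(resp.read().decode(charset, "replace"))


# Constructed sample ToS pages (not real providers' pages).
SAMPLE_VERBATIM = """<html><body><h2>Privacy</h2>
<p>Example Hosting LLC utilizes <a href="https://fraudrecord.com/">FraudRecord</a>
to screen new orders for previous&nbsp;fraudulent activity and report existing
clients who violate our <b>Terms of Service</b>. In case of a violation, you may
be reported to FraudRecord for misbehaviour using one-way hashed information.</p>
<script>trackPageView("tos");</script></body></html>"""

SAMPLE_MENTION = """<p>We may share hashed order details with FraudRecord and
other screening services to prevent abuse.</p>"""

SAMPLE_MISSING = """<p>We may share information with third parties as required
to operate our services.</p>"""


if __name__ == "__main__":
    for name, page in [("verbatim", SAMPLE_VERBATIM), ("mention", SAMPLE_MENTION),
                       ("missing", SAMPLE_MISSING)]:
        print(name, "->", classify_tos(page))
```

A "mention-only" result is worth a human look rather than an automatic reject, since a provider may have written its own accurate disclosure.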


----------



## WSWD (Feb 18, 2015)

drmike said:


> ^--- that FraudRecord Entry --- in there because?    Revenge submission?  Pissed support tech/owner?  Or just because they can? Oh that is MTWISCOOL submitting.  Talk about an issue on submitter and all.  Yikes.  Would someone sue FraudRecord, MTW, or his legal guardians?



Honestly, reports like that are WAY more important to me than reports of actual fraud.  MaxMind and going through orders manually will find most of the fraud.

Reports like this?  Invaluable!  Can't tell you how many people are just like the client in that report.  They buy an unmanaged VPS, don't know how to use it, and then issue a chargeback.


----------



## drmike (Feb 18, 2015)

WSWD said:


> Honestly, reports like that are WAY more important to me than reports of actual fraud.  MaxMind and going through orders manually will find most of the fraud.
> 
> Reports like this?  Invaluable!  Can't tell you how many people are just like the client in that report.  They buy an unmanaged VPS, don't know how to use it, and then issue a chargeback.


Your post made me laugh because I am oh too familiar with the sad situation, having seen these screwball customers in a number of shops.

All said, that's not a fraud issue though (me nitpicking at FR name and intention vs. content stored in).  If you ran a retail store and someone bought a toaster and didn't understand it or determined this week that they hated toast, back it would come and refund would happen (usually).

No offense meant, but I think the buyer's misunderstanding / knowledge thing yet still buying randomly is a 1. price point problem and 2. attracting customers via the cheap channels.   I can fully understand people lured by BUY IT NOW! BEST PRICE EVER! LIMITED STOCK! PUPPIES ON FIRE!

Same methods applied to a $20 sales item would attract 80% fewer idiots, conservatively.


----------



## zed (Feb 19, 2015)

Can you imagine retailers denying your business because you returned a thingamob to some other retailer somewhere once? It's amusing what making 37 cents a year off each customer does to people's brains, viva la low end vps market.


----------



## KuJoe (Feb 19, 2015)

zed said:


> Can you imagine retailers denying your business because you returned a thingamob to some other retailer somewhere once? It's amusing what making 37 cents a year off each customer does to people's brains, viva la low end vps market.


If they're only making $0.37 per client imagine how mad they would be when a single client costs them $25 in 1 day. There's a huge difference between returning an item to a store (costs the store $0.00) and a client filing a chargeback with their credit card company/bank. I'm just pointing out that it's not exactly comparing apples to apples more like apples to a banana peel with a bill attached to it telling the banana salesman that he owes $25 for that banana his client already ate AND the client got their money back while comfortably digesting the banana.


----------



## Wintereise (Feb 19, 2015)

zed said:


> Can you imagine retailers denying your business because you returned a thingamob to some other retailer somewhere once?

Once, no. But if you repeatedly behave in erratic ways, I would be very interested in learning about that -- and subsequently denying you service to not waste my resources.

FR, the way I see it, is just another tool in the toolbox. How you use it is entirely up to you.


----------



## drmike (Feb 19, 2015)

KuJoe said:


> If they're only making $0.37 per client imagine how mad they would be when a single client costs them $25 in 1 day.


Someone must be using that piece of f$!$ing shit STRIPE.


----------



## Steven F (Feb 19, 2015)

drmike said:


> Someone must be using that piece of f$!$ing shit STRIPE.


What's wrong with Stripe?


----------



## KuJoe (Feb 19, 2015)

drmike said:


> Someone must be using that piece of f$!$ing shit STRIPE.


Or Paypal, both are very popular and amazing. I had one issue in the past with Stripe but that was resolved by never giving clients the benefit of the doubt when they pay with credit cards that aren't their own.


----------



## drmike (Feb 19, 2015)

Steven F said:


> What's wrong with Stripe?


Stripe is the notorious $25 dispute fee bearing company isn't it?


----------



## KuJoe (Feb 19, 2015)

Stripe's fee is $15; Paypal's fee is $20.


----------



## DomainBop (Feb 19, 2015)

Steven F said:


> What's wrong with Stripe?


The ridiculously high 2.9% +$0.30 per transaction fees and their inadequate fraud protection systems for starters.


----------



## drmike (Feb 19, 2015)

DomainBop said:


> The ridiculously high 2.9% +$0.30 per transaction fees and their inadequate fraud protection systems for starters.


I don't think Stripe has any fraud protection.  It likes taking invalid stuff and rubberstamping it as fine.


----------



## joepie91 (Feb 19, 2015)

harzem said:


> That leaves me about $125/mo for all the admin hours people ask me to spend. I apologize to those who think getting one email every few months is annoying, but I need everything to run this for free.


FYI, that's a better ROI than almost every other project in existence that runs on donations. Most of them don't even have their expenses covered.


----------

