Thread: ID protection online
-
25th February 2023, 09:07 AM #1
ID protection online
Rather than hijack LD's "Banned Lurkers" thread .....
WP,
IF it is so simple to implement, to protect personal ID info, why are ordinary punters being subjected to spam, scams and fraud from hacks on soft targets to major corporates? Not being argumentative, simply trying to understand the issues.
How does subscription renewal billing work? The likes of McAfee, Microsoft yadda yadda all offer auto subscription renewals. They must store card data???
There are plenty of small retailers who definitely store card info! I know from personal experience with some - as they asked "do you have the same CC?" I now refuse to deal with them, however the damage is/was done. One significant book retailer takes the details online in what appears to be a secure site, but manually processes the actual transaction. How & Why? My only protection was to request a new CC.
Have a look at the staggering amount of personal information, bank, super, shares statements ..... that Centrelink collects for say the "Low Income Healthcare Card" etc. Talk about a honeypot for hackers / scammers / fraud.
I note Choice (magazine) are initiating a campaign to force the banks & telcos into doing more to protect customers and their assets, from spam, hacking etc.
Most punters would face multiple phishing scams or fraudulent offers every single day. It really is out of hand.
Mobyturns
In An Instant Your Life Can Change Forever
-
25th February 2023, 10:39 AM #2
It's as easy as it gets
I'm not sure how to respond to this, or even if I should. (I've been very quiet for some decent reasons)
(without trying to derail the idea, let me explain)
I'm not suggesting ANY data is kept - or stored - or used.
The credit card system isn't what people think, nor operates in the manner the public thinks it does. All the data breaches that are spoken of are due to executives in organisations being greedy and trying to data-harvest their own customers.
An example:
Along the top of the signup system is a simple visual STEP1 --> STEP 2 --> STEP3
- Step 1 - On the signup page, we ask for the user's intended handle and email
- the usual confirmation email is sent. Click the link within and it returns the newbie to....
- Step 2 - We ask for a credit card, or Paypal for one cent.
- It is clearly and simply explained this is entirely and ONLY to prevent spam, scams and bots.
- This pops up a box.
- Customer fills in details, and IF SUCCESSFUL, goes to step 3....
- All the following stuff is internal.....
- That box is controlled and displayed by the bank or "gateway provider".
- All the WWF gets back are two things: a return-value as a URL (OK URL or FAIL URL) and a token.
- The token is something that ONLY makes sense to the gateway (e.g. XYZ123abc).
- The token is stored against the customer record.
- This is in case of charge backs or later rejections.
- Rejections and charge backs are sent daily (usually) via a data dump (a text file called a JSON file, it's human-readable if needs be).
- We build a tool that looks up the token within that file and updates/populates the CustomersTable with the appropriate fields.
- the file's format is usually something simple such as: DATE: TOKEN: REJECTIONNUMBER
- REJECTIONNUMBER is something simple like 1, 2 or 18. These match a list we know about, such as "1: Card Stolen"
- An internal report is written (a web page that can be refreshed) that simply shows the day's shenanigans and the admins can click (VIEWPOSTS) or (OK) or (KILL) or (WATCH)
- VIEWPOSTS is a simple URL like this, it can be eyeballed by a human and determine if Evil is Afoot: https://www.woodworkforums.com/members/59268-doug3030
- OK means the new user is a Good Guy
- KILL changes the user's password and email. They are now blocked.
- WATCH marks the CustomersTable with a field called WATCH (!!) and this is incorporated into the top of this new "Evil Doers Report" page, so as it is refreshed by admins, newbies can be further evaluated. Easy peasy.
- Step 3 - Other info may be asked, as determined by the site, if needed....
The only mods are two or three extra fields in the CustomersTable in the database. There is no vast repository of Hackable Data.... the site doesn't keep any of the card data, or the names, or anything.
NOW - do sites usually do this? NO. They don't do this, because some power and data hungry executive wants to store every last scintilla of client data for "reasons". They can't even tell you why, it's simply about control. They want embedded forms, data capture, store everything... for ..... reasons they cannot elaborate.... "just because" is used 99.8% of the time. These are prime hacker targets. They spend fortunes on supporting one bad decision after another. It is entirely unnecessary.
There is no reason to store data. The above I described is as easy as it gets. Nothing is kept other than that token.... and that token can be DELETED in 30 days' time anyway. Once the user is a known GoodGuy there is no reason to keep it, at all.
No data = no theft.
Now, people may be wondering, how does woodpixel know this??? I used to be the CTO of a multi-billion per day credit card processing bureau. I designed all the systems architecture, fraud systems, cost-mitigations, reporting and integration with other payment processors and banks. This is ONE of the ways of implementing this. It is dead easy.
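The internal part of the flow above (the daily DATE: TOKEN: REJECTIONNUMBER dump, the token lookup against the CustomersTable, and the 30-day token purge) as an added worked example; this is not code from the post or the forum. The reason codes other than "1: Card Stolen", the sample dump and the sample customer rows are constructed, and the gateway only ever sees the opaque token, never card data.

```python
from datetime import date, timedelta

# "1: Card Stolen" is from the post; the other two codes are constructed placeholders.
REJECTION_REASONS = {1: "Card Stolen", 2: "Declined (constructed)", 18: "Chargeback (constructed)"}

# Constructed daily dump in the DATE: TOKEN: REJECTIONNUMBER format; token XYZ123abc is the post's example.
SAMPLE_DUMP = """2023-02-24: XYZ123abc: 1
2023-02-24: tok_unknown: 18
"""

# Constructed CustomersTable rows: only handle, gateway token, status and signup date are kept.
SAMPLE_CUSTOMERS = {
    "newbie1": {"handle": "newbie1", "token": "XYZ123abc", "status": "NEW", "signup": date(2023, 2, 23)},
    "olduser": {"handle": "olduser", "token": "tok_old", "status": "OK", "signup": date(2023, 1, 1)},
    "recent": {"handle": "recent", "token": "tok_new", "status": "OK", "signup": date(2023, 2, 20)},
}

def parse_rejection_dump(text):
    """Parse one 'DATE: TOKEN: REJECTIONNUMBER' record per line; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, token, code = (part.strip() for part in line.split(":", 2))
        records.append((date.fromisoformat(day), token, int(code)))
    return records

def apply_rejections(customers, records):
    """Flag customers whose token appears in the dump as WATCH; tokens we do not hold are ignored."""
    by_token = {row["token"]: row for row in customers.values() if row.get("token")}
    flagged = []
    for _day, token, code in records:
        row = by_token.get(token)
        if row is None:
            continue  # gateway sent a token that is not in our table
        row["rejection"] = code
        row["reason"] = REJECTION_REASONS.get(code, "Unknown code %d" % code)
        row["status"] = "WATCH"  # shows up on the refreshable admin report
        flagged.append(row["handle"])
    return flagged

def purge_old_tokens(customers, today, max_age_days=30):
    """Delete tokens older than max_age_days for users already marked OK (known GoodGuys)."""
    purged = []
    for handle, row in customers.items():
        if row.get("token") and row["status"] == "OK" and today - row["signup"] > timedelta(days=max_age_days):
            row["token"] = None
            purged.append(handle)
    return purged
```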
-
25th February 2023, 11:00 AM #3
-
25th February 2023, 11:02 AM #4
-
25th February 2023, 11:12 AM #5
-
25th February 2023, 01:00 PM #6
-
25th February 2023, 02:36 PM #7