
News: Congress Investigating CC Providers' Complacency in Web Scams

More and more, it seems that e-commerce differs little from a shell game. Both have the express purpose of taking away my money without giving me something tangible in return. It’s almost as if my having a dollar or two in my pocket, my bank account, or on my credit limit, is too much for someone to bear--they have to find a way to separate it from me. While a traditional shell game requires my explicit participation, e-commerce doesn’t, making the task all too easy.

The tale of the scam perpetrated by affinity program hawkers Webloyalty, Vertrue, and Affinion is well known. They used a simple ploy of offering a coupon in exchange for an email address, while they were actually signing up the unsuspecting person to a web loyalty program, along with a monthly fee as high as $20. The scam was pulled off with the express involvement of seemingly honest web retailers, such as Orbitz, Buy.com, Travelocity, Barnes & Noble, Pizza Hut, and Priceline--who got kickbacks on each transaction. (Thanks guys, for respecting us as customers.) As many as 30 million people may have been affected.

The Senate Committee on Commerce, Science, and Transportation has been conducting an investigation into the matter, and has turned its attention to the big credit card companies: American Express, MasterCard, and Visa. Why? Because, of all the parties involved, they were best positioned to detect the scam and, acting in their customers' best interests, put an end to it.

Credit card companies are at the forefront of the complaint process. When something appears on a bill that shouldn’t be there, it’s the credit card company that gets the complaint. But the credit card company also gets to ‘wet its beak’ on all of the action--it charges both the consumer (fees and interest) and the merchant (a percentage) for each transaction processed. The $1.4 billion Webloyalty, Vertrue, and Affinion accumulated through their bogus practice may have been just enough for the big three to turn a blind eye, despite thousands of consumer complaints. This is what the Senate Committee wants to find out.

While this particular little racket may come to an end, it's unlikely those involved will get more than a slap on the wrist. And the big players will still be there, just as unconcerned about your welfare as before. The lesson here: always carefully check your monthly statement.


News: XSS Vulnerabilities at AmEx Website

AmEx website has XSS vulnerabilities, The Register reports

Before you drop in on the American Express website to see how much damage you did to your credit line with holiday shopping, you should know it's vulnerable to an XSS (cross-site scripting) exploit. As The Register reports, this news comes after a bungled attempt to fix the problem. As El Reg puts it,

The cross-site scripting (XSS) error that makes it trivial for attackers to steal americanexpress.com user's authentication cookies is alive and kicking. The confusion stems from a mistake made by many application developers who incorrectly assume that the root cause of a vulnerability is closed as soon as a particular exploit no longer works.

So far, only proof-of-concept exploits have been written to show how easy it would be to pilfer login credentials, but until AmEx really eradicates this problem, keep a careful eye on your website transactions. For a list of precautions you can take to stop XSS exploits, see our 2007 article.

Have you been victimized by an XSS error? Join us after the jump and sound off.  
