A good reason not to accept checks through CCBill (and other processors as well)
 

Most of you savvy webmasters know this already but just wanted to share for those that dont...

http://jadul.com/2008/04/new-generat...s-hack-ccbill/

Why do you post this url on GFY? I think you should send the url to ccbill support, instead of posting it here. People usually doesn't show the vulnerabilities for the crowd, you know..

Figured it would be helpful for other webmasters to know. I'm sure CCBill knows already. It's not like it's a big secret. I don't think there's any getting around it...otherwise I'm sure they would have.

site not loading here.

We are looking into this. Thank you for the link.

Oh well that's good Paul...I figured you guys knew about it already. Keep us updated if ya dont mind. Maybe I'll offer checks again if it can be fixed.

Too many idiots on the internet.

So by your logic, when I find an exploit in your software I should post it on GFY?

If it affects other webmasters here, yes. It's not just an issue with CCBill...this is the case with other payment processors as well, as it states on that site. I know when I took away checks a while back my chargebacks went way down so I'm guessing this has been going on for quite some time. I just thought it might help other webmasters. You make it sound like I wrote the article.

Uhm... I understand pretending you can and will do something about this is supposed to make CCBill look good. On the other hand though, you also pretend something that any horny 13 yo in the world has known for many years is news to CCBill - which doesn't make you look that good. :Oh crap

This is some fucked up shit man, i tried it with a site & it worked. Now i know how these password sites are getting their User/Pass:321GFY

I hope ccbill as a way to stop this....

this is EVERY check processor, not just ccbill. ccbills just the biggest, that why they are pointing it out, you wont see any processor out there say a similar thing cant happen to them

WTS, electracheck, everyone. there is no real-time system for checks like there is for credit cards

I am assuming all you will do is "look" since ccbill refuses to investigate fraud :2 cents:

BTW this was not meant to be a bash to CCBill in any way. I love CCBill, don't get me wrong. I wouldn't be using them if I didn't. I think this is just an issue for anyone that processes online checks. I don't think there's much they can do, but if there is, it would be nice.

hope CCBill staff will take care of this...

i can't open page

:eek7 :eek7

:Oh crap....

wow... this is too easy

I understand that the view of the business world you get from mom's apartment is limited but posts like this don't make you look good. On the other hand though, I'm sure you got high fives all around from your teenage friends. :Oh crap

Interesting this only just came to CCBills notice. Seems its been posted since April 10th 2008 with 1,495 views. Sure hope they can fix this:helpme

I don't think I've ever had a legit CCBill check. They ALL bounce. Thanks for the reminder to totally remove them from my options.

This is the first time that I, myself have seen that thread. I can assure you that I will be investigating this matter and CCBill will do everything in its power to keep the amount of fraud down as we have always done.

If anyone wants an update on my investigation or wishes to hear about the ACH fraud measures that CCBill has already put in place please hit me up I would be happy to discuss.

i c q 248615940
paulk @ ccbill.com

I hate when people come on GFY like they know everything and talking shit they know nothing about. I know first hand that this is not the case with WTS and yes i have checked there system to verify that this DOES not happen with WTS."

Um....

...Ok. Some of you need to re-read this. It is not just CCBill - it is ANY online check processor. Telling CCBill to "get on this" is kind of pointless. Accepting payments via online checking is much more risky than credit cards.

An e-check payment is "cleared" by the processor before the funds are withdrawn from the bank account which takes as long as 5 days.

Instead of blaming the processors, program owners can take a couple of simple steps to help themselves out.

- Turn off e-checking and stick to credit cards. It's safer and probably cheaper too.

- Check the Payment Type! When CCBill processes a payment, the payment type can be posted to your website's post-back script via CCBill. Expand this script and your password management system a little by writing some code check for this. If the payment type is by e-check, DELAY allowing him access to your members area. Send him to a Thank-You page that explains to the user that he will get his password in about 5 days. (You must turn off CCBill's password management program and substitute your own for this to work of course).

Yes maybe some customers won't like this, but its all how you write your copy here. Explain why you are doing it, and be sure to thank your customer for his patience. He will appreciate it, and best of all, your risk is reduced.

Cheers!

Couldn't they just filter proxies?

pete your right, i apologize

they have a different setup, i believe they changed it recently. they ask multiple series questions up front and if you answer them right, they let you through.

Now, i observed that they enacted that roughly around the time of the change in nacha rules a while back (a deadline where NACHA required all the *real-bad* check return codes to be below 1%.)

Now, doing this A)costs a nice amount per transaction, because it costs to access the huge databases that can pull up background info on a wide range of people in a few seconds, and B) lowers throughput because who wants to give a porn site their Social Security or Drivers License #

For whatever reason they did it, I don?t think ccbill or epoch did the same thing.


The problem with check processing is there there is no real-time clearinghouse where you can get an instant approval/denial on a user, you have to submit the check and wait for it to clear or bounce, which may take a week. With a credit card, you know whether it can be billed in a millisecond

Now you can do other checks to get an idea of if is a good user or not, but those are expensive/intrusive, when your dealing on a per transaction basis.

Wts ben or anyone, I respectfully ask you to correct any of the above

Surprise Surprise, AFF ads on a site teaching people how to rip off porn sites:Oh crap

Walmart pretty much auto draws from your account when you pay with check. Star America or something like that is who they use.


I don't think this will be that big of an issue to protect from.

all i know is with WTS i rarely ever have a check customer get canceled due to no funds.

if anything i have had maybe 1 or two when i first started using them but none in the last 12+ month that i have been using the, ive also never had a chargeback from wts either

I stopped taking checks YEARS ago....I can't understand how it's almost 2009 and this bullshit can still be run.

That article reads like it was written by a third grader.

Yeah, I use to get $10 or so on my Epoch and CCBill Check checks after all the fraud. WTS has always sent $400+ checks to me (actually it's direct deposit, but you get the picture). Almost zero fraud. For years now. It's like they go to the guy's houses themselves and collect the money with a baseball bat if needed. I took epoch and ccbill's check taking ability away along time ago. WTS is the bomb, and the only way to join by check on my sites.

Exactly, I think WTS has hired a bunch of big bouncers all around the world who go and collect the money from these idiots

is that even possible? I've been trying to figure out a foolproof way of identifying a proxy... do you mean by using a database of known proxy IP's?

and I wonder if people in third world countries even bother to use a proxy with this method and it will still work?

All the peeps doing that might be in for a big surprise.

They are actually creating fake financial instruments when they do a online
check and being that it's on the internet it's probably wire fraud also.


http://en.wikipedia.org/wiki/Wire_fraud
That's a high price to download a few hours of video.

People are fooled by the ease of filling out the form, so they don't think it's a big
offense. But ask that same person to go to the police station and fill out one of
those easy police forms with bullshit and I bet they all of a sudden realize it's a dumb idea.

Checks only work for U.S. ip ranges, so they would have to get on a U.S. Ip. Or actually be an American, defrauding, on an easy to track ip, which I'm not worried about.

You can get lists of known proxies, I'm sure people sell them like they do geoip db's. If you are tracking returns, and this was going on, it wouldn't take long to figure out the IP ranges, hosts, areas, ect that are allowing this to happen and just block the IP's directly.

There is a much easier way to scam ccbill sites with checks. Even without offering checks, Ccbill enables them by default. Anyone can replicate your signup codes on an html page, substitute ck for cc and voila, check option. Virtually any information entered into there (imo) will grant access.

Make sure that you contact google as he has adsense on the site.

Fuck him.

Why not give away some MOre into to our surfers fuck nuts.

If its that simple tell CCBILL.

fuck this thread is like a ping pong game

Sure. I will be happy to clarify some of the points in this thread.


How ACH works -

ACH is a batch file system where the debit to the consumer?s account is initiated at any of the FED windows during a given banking day or on any subsequent banking day.

RDFI?s (the consumer?s bank) have 2 business days to return the item. Return reasons are things like insufficient funds, account closed, invalid accounts, etc. In addition, unauthorized returns (charge-backs) can come in later.

ACH items do not ?clear?. They are either returned by the RDFI or they are not.

yea, i wasnt sure what to call a check that didnt get bounced back at its initial attempt
other than cleared :) thanks for coming in and clearing it up

No problem.:)

Real-time Verification ?

The top e-draw banks in the US, which represent about 70% of the checking and savings accounts in the US, participate in a system where they provide the account standing of every account in their system daily.

This system can tell the processor at the time of the transaction whether the account is in good standing or not. For instance, the system may say the account is closed, does not exist or is over drawn.

This system is not intrusive or I do not understand what you mean. It is completely transparent.

More importantly, it is not expensive for the merchant. It is included in our service.

Real-time debits ?

These are POS (point of sale) transactions.

The consumer is present and the check is scanned for the MICR data. This is not available for non face-to-face transactions (Internet / Phone transactions).

Bump, we really need to get some good answers and upcoming solutions from third party billing companies.

Solution: Don't give access until the funds have cleared. Put notice on the check join pages stating this, give option to go back and do credit card if they do not want to wait.

Authentication and Fraud Prevention ?

WTS provides our TOAST authentication and fraud system as part of our service to our clients. We started doing this in 2005, well before the NACHA rule on charge-back ratios, so you are mistaken.

It is not SSN or Drivers License dependent, although these can be used.

This is also part of our service, so it is not an expense to the merchant.

All forms of fraud prevention and many network rules, including negative databases, credit checks, email verification, CVV, AVS, etc., are impediments to throughput. Processors do what they do to balance throughput against risk.


ACH Network Rules ?

The ACH Rules state that the Originator (processor) must authenticate the identity of the Receiver (consumer). This rule has been in effect since 2004.

We don?t know what others do, but one of our objectives is compliance with the Network rules. The methods we implement are in part what we have chosen in order to meet this goal.

The main problem with excluding proxies is that many people surfing porn from work use them to hide their asses and get around filters...so banning them may destroy more business than it helps preventing fraud :2 cents:

Ahhh, understandable then. You learn something new every day. Thanks for the insight on how the online checking industry works.

Anytime. :)