Monday, December 17, 2007

Yahoo! Ignorance Shines in ShoeMoney Reputation Attack

Q: What do you do when your payment processing anti-fraud detection doesn't work?

A: It appears you fire your referring affiliate if your name is Yahoo!

That's right boys and girls, according to ShoeMoney the nitwits at Yahoo! obviously can't detect a fraudulent transaction and then blame someone who's under fire with a blatant reputation attack.

Now Yahoo! Stores and other properties do a lot of payment processing so they should have a ton of historical data, potentially from valid uses of the stolen credit cards themselves, so wouldn't you think with all this information they could flag a few fraud sales?

Apparently not.

OK, even if you don't have any historical data on the customer there are a few things you can do to easily combat what appears, based on the volume of transactions, to be automated fraud short of firing one of your affiliates.

1. Validate the account with email confirmation BEFORE processing the credit card in a 2 step process known as AUTH and BOOK. You pre-authorize the sale first, setting aside the money until you're sure the sale is valid and then BOOK the sale after the fact.

2. Require that the account creation and/or checkout page use several forms of automation blocking such as javascript and/or some form of captcha.

3. Obviously use full AVS (Address Verification) and require CSC / CVV2 (Credit Card Security Code) to make sure everything is OK per the credit card company.

4. Use GeoIP services to check that the IP address placing the order is even close to the actual address on the order and if not, flag it for human review before processing.

5. Do some basic IP blocking and restrict access to those account creation pages from hosting data centers, lists of known proxy servers, botnets and spammers.

There's a couple of other steps I'd take as well, but if someone could get past the 5 steps above without anything tripping at least one alarm for human review, I'd be shocked. Even if it was a human manually performing the attack the GeoIP should indicate a problem unless Yahoo just ignores it.

The only thing that cracks me up is ShoeMoney wanted to know what the referring URLs were and it's meaningless because the referring URL can be easily spoofed or blocked so it's a useless piece of information.

Consider that whoever did this only needed to visit your site one time to get your affiliate code and then using automation abuse it over and over again without ever visiting your site a second time and claiming in the referrer to be always coming from your site.

Cute huh?

Better yet, they didn't have to visit your site EVER because you allow your pages to be cached in the search engines so anyone could get your affiliate code directly from the search engines without leaving a trail on your website.

I've been preaching about using the meta "NOARCHIVE" for years now and this is just another reason to use it, but nobody listens and I digress...

Just to prove that the Michelle from Yahoo! was completely clueless about how internet fraud works she asked ShoeMoney to do the following:

I wanted to give you a heads up in advance to see if there was anyway you could filter or prevent fraudulent users from coming through your website/links. If so, we’d like to continue our partnership.
The odds are very high that this activity isn't passing through ShoeMoney's site whatsoever, even if it's being done manually, because they don't want to leave a trail that's too obvious.

Sorry to see you get the boot Shoe (punny) but it would appear that Yahoo! doesn't mind making a public spectacle of their shortcomings and now it's open season on YSM thanks to them admitting they can't tell a fraud transaction.

This should be loads of fun to see what happens next.


StuartL said...

You don't have to be in affiliate marketing for more than a year or two before you begin to see just how easily the system can be rorted.

And of course it's far easier for the merchant or sponsor to blame the affiliate than to accept the fact that they're the ones who aren't doing the due diligence on every payment they accept.

How anyone can expect an affiliate to filter his or her traffic to weed out the scammers is beyond me.

Experienced affiliate marketers might do better if they ditch the affiliate side of their business and start selling their own products. My partner and I have been involved in affiliate marketing for years and now we're busy building our own shops and selling our own products so that the only clueless merchants we have to deal with are ourselves.

Ban Proxies said...

The SE that can't do anything right continues to blunder down the same path. There was a feint hope that maybe, just maybe the CEO changes would have a positive impact on what could be a primary destination for surfers.

This is par for the course when ..hoo! is involved.

Anonymous said...

Bill I took your advice and have "NoArchive" and "NOCACHE" for a while now.It took the engibnes a month or so and no Cache or anything came up Yipeee..even though i dont sell anything......especially after a forum closed down and all i had to do was use the waybackmachine to get any info i wanted..the owner oblivious to the Information still out there LOL.This showed me even though you might change your site or take your site down you leave a huge eveidence base of prime information behind.
My question is does it affect rankings at all? the archive might be counted as BL,S perhaps...not that i care too much :)

Anonymous said...

Forum site at wayback machine = GOOD. It means that after the forum closed down, whatever useful information had been posted there remained available instead of disappearing. Often forum on technical subjects accumulate a ton of useful information in stickies and just especially good posts by ordinary users, but then shut down for whatever reason. It's good if that information remains findable.

As for leaving "a huge evidence base", well, if you don't want something to be public knowledge, perhaps it should not be posted to a publicly-accessible Web server to begin with?

If it's simply become outdated, people should know that if they look at the Wayback version of a page as it was in 2001 then they might be seeing out of date information, and if they take it as current and this causes problems, that's their own fault, not yours. Don't worry about them. :)

Anonymous said...

Hi Mate the thing is I agree with your sentiments in General ..But what Bill was alluding to i think is the people go wayback and get your info in all sorts of areas,and do the nastie on you...including affiliate,adsense,email,etc links if i am not mistaken.

IncrediBILL said...

That's exactly what I mean.

If you allow your stuff to be scattered all over the web then you're wide open to all sorts of attacks too numerous to mention here.

FWIW, I almost agree that forums are about the only thing I actually think should be archived on the Wayback machine but some legal issues have come up that put people in a bad place that defy allowing any online archives whatsoever IMO.

Anonymous said...

So you'd prefer that the previous generation be the last one to bequeath its cultural artifacts, documents, and the like to future generations and their archaeologists and historians and scholars?

You know, however, what they say about those who do not learn from history...

IncrediBILL said...

That's not what I said but if you want to twist my words knock your fool socks off.

Nobody said there shouldn't be archives, but while my site is alive and active, I'd prefer it not publicly available in the archives.

That lone option would probably satisfy most people having issues with archives as well but you can't trust the Wayback Machine to honor such a thing because someone has already been sued thanks the the IA having a bug.

Anonymous said...

So the IA caused someone to get caught doing something naughty? Shame on ... whoever was doing something naughty. I have no sympathy for them, and plenty for the IA.