For hosts, FraudRecord.com

FRCorey Member
edited April 2012 in Reviews

Just tried out their WHMCS module and it flagged 2 customers who I suspected were shady in the first place. Finally a central database we can report spammers and other undesirables into.

Comments

  • Is there a monthly cost? How do they make money?

    Great budget VPS hosting @ http://basshost.com

  • http://www.fraudrecord.com/faq.php

    @BassHost said: Is there a monthly cost? How do they make money?

  • This goes against so many host's privacy policies, which state they won't share client information with third parties...

  • KuJoe Member
    edited April 2012

    @subigo said: which state they won't share client information with third parties...

    And they aren't. That's why this is pretty genius as it is a way to report bad clients without sharing customer details.

    Now that I think about it, customer details are transmitted unencrypted to MaxMind by the majority of hosting companies out there. This is the first anti-fraud system I've ever seen that doesn't violate privacy laws.

    -Joe @ SecureDragon - LEB's Powered by Wyvern in FL, CO, CA, IL, NJ, GA, TX, and AZ
    Test our network here: Drgn.biz
    Thanked by: TheHackBox, lbft, Amitz
  • @KuJoe said: And they aren't. That's why this is pretty genius as it is a way to report bad clients without sharing customer details.

    Now that I think about it, customer details are transmitted unencrypted to MaxMind by the majority of hosting companies out there. This is the first anti-fraud system I've ever seen that doesn't violate privacy laws.

    And that's why most privacy policies state information will be transferred during the fraud check.

    This site says they hash all the data and it can't be reverse-engineered... but you can search for a client's name in the query section and it pulls up all of the people who match.... explain that one.

  • KuJoe Member

    @subigo said: And that's why most privacy policies state information will be transferred during the fraud check.

    That's what this service primarily is, fraud checking. It is nice that they offer other reporting options though.

    @subigo said: This site says they hash all the data and it can't be reverse-engineered... but you can search for a client's name in the query section and it pulls up all of the people who match.... explain that one.

    Because it is matching the hash, not the name. If the database is compromised the thief would only have the hashed values.

    -Joe @ SecureDragon - LEB's Powered by Wyvern in FL, CO, CA, IL, NJ, GA, TX, and AZ
    Test our network here: Drgn.biz
  • @KuJoe said: Because it is matching the hash, not the name. If the database is compromised the thief would only have the hashed values.

    Okay, I downloaded it and see how it actually works. It's a good idea, but I don't see too many hosts signing up for this. MaxMind does a proactive check and catches people before they have a chance to screw you over. This site requires at least one host to get screwed over first. With that said, I signed up. I'll keep an eye on it.

  • KuJoe Member

    I looked over the source code also to get an idea of it and the concept looks good. I'm going to wait a bit though before putting anything on my servers.

    -Joe @ SecureDragon - LEB's Powered by Wyvern in FL, CO, CA, IL, NJ, GA, TX, and AZ
    Test our network here: Drgn.biz
  • Let me see how many times MaxMind has failed me.. oh, about every time I had a fraud customer come through with a fake/stolen card. How many valid customers do they catch? About 25%. I have not had the best luck, but now the majority are coming across PayPal, and PayPal is about as tight as a bucket made out of sand. So this helps.

    And actually I've posted this across a few sites, and a lot of hosts have begun putting their information into it. Even when I first installed it, it caught 2 of my customers who I already had suspicions about.

  • KuJoe Member

    So far the best anti-fraud method I've found is the GeoFilter addon for WHMCS but it has a really painful bug that causes us downtime for WHMCS so I have to disable it until it's resolved. :(

    -Joe @ SecureDragon - LEB's Powered by Wyvern in FL, CO, CA, IL, NJ, GA, TX, and AZ
    Test our network here: Drgn.biz
  • edited April 2012
    The user Boltersdriveer with Email [REDACTED] (IP 218.186.17.12) is a Spam, please contact forum administrator.

    :(

    Thanked by: netomx
  • DanielM Disabled

    For us UK-based companies it's a risky line to take. We have to comply with the Data Protection Act and a number of other laws. Too risky....

    Thanked by: Amfy
  • KuJoe Member

    @DanielM said: For us UK-based companies it's a risky line to take. We have to comply with the Data Protection Act and a number of other laws. Too risky....

    Ouch! We would be out of business if we didn't use MaxMind.

    -Joe @ SecureDragon - LEB's Powered by Wyvern in FL, CO, CA, IL, NJ, GA, TX, and AZ
    Test our network here: Drgn.biz
  • DanielM Disabled

    MaxMind is fine but data laws are strict

  • Nah, not proxy'd. My StarHub connection.

  • KuJoe Member
    edited April 2012

    @DanielM said: MaxMind is fine but data laws are strict

    Is MaxMind on an exclusion list or something? I'm a bit confused by UK law.

    -Joe @ SecureDragon - LEB's Powered by Wyvern in FL, CO, CA, IL, NJ, GA, TX, and AZ
    Test our network here: Drgn.biz
  • Jonny_Evorack Member
    edited April 2012

    UK data protection laws are strict, but also very good. I have no problem, and actually take pleasure in complying with them, as I take the privacy of our customer details very seriously.

    MaxMind and FraudCheck are ok to use, as long as you make it clear to your customers that you will be using them.

    There is no exclusion list, as one is not needed.

    Evorack - UK Spindle & SSD Xen VPS | Gigabit Access Network | Native IPv6 /64 | RAID10 disk storage
    Rackburst - UK and Germany OpenVz SSD VPS | Native IPv6 | RAID10 SSD disk storage
  • Spirit Administrator
    edited April 2012

    Central database? Are you guys kidding? I see just a nice hobby site from an anonymous person without any relevant data like a real address, company registration or anything at all. In the domain whois check I see that it's the same person as http://www.harzem.com/about/ but that's all. Ok, a guy "from the internet" says that he receives only salted and looped SHA-1, bla bla... and just because of that you're prepared to send client data to an anonymous guy who just made a nice looking site? It can be an interesting free service, however I or anyone here could make such a/similar site too. You of course won't know that it's me (me = only as example) behind it, as there will be only an anonymous "contact me" web form. Will you send me all your clients' personal information? Oh, I won't be able to read them, you can trust me, buddy! :P

    @FRCorey said: And actually I've posted this across a few sites, and a lot of hosts have begun putting their information into it. Even when I first installed it, it caught 2 of my customers who I already had suspicions about.

    You're irresponsible with your customers' data. You can't just send all your customers' data to some unknown new anonymous internet hobby site. Or.. you can?!

    Sorry for sounding so negative. It's good looking website and idea for sure however water should be tested before you jump in.

  • Roph Member

    I think you're misunderstanding what's sent. SHA-1 is what's known as a one-way hash function. The only way to know what the source of an SHA-1 hash is, is to already have the "unencrypted" version and hash it yourself. You aren't sending personal information, you're sending a hash.

    Here's the SHA-1 of my Google account login and password: 60e347be34daf09765ccbabc60b8d7f31393d3c2

    Now login to my account. I'll wait ;)

    Also if that "Harzem" guy is the same Harzem from Simplemachines (SMF Forum), he's a nice guy :)

  • @Roph said: The only way to know what the source of an SHA-1 hash is, is to already have the "unencrypted" version and hash it yourself.

    No. This is simply not true. SHA-1, along with MD5 and other one-way hashes, CAN be "cracked" without knowing the original string. You just need a lot of processing power and a rainbow tables generator (or very large tables already).

    Opinions/Posts are to be assumed my own/personal and not company related unless obvious
    Working @ EDIS and owning some others (and/or parts of) | Available for consulting | http://as198412.net | https://william.si

  • nabo Member

    @Roph said: Here's the SHA-1 of my Google account login and password: 60e347be34daf09765ccbabc60b8d7f31393d3c2

    http://www.golubev.com/hashgpu.htm

    "Kids, you tried your best and failed miserably. The lesson learned is: never try."

    Thanked by: netomx
  • @Roph said: Here's the SHA-1 of my Google account login and password: 60e347be34daf09765ccbabc60b8d7f31393d3c2

    Should have used SHA-512.

    Daniel.

  • @nabo said: http://www.golubev.com/hashgpu.htm

    @Daniel said: Should have used SHA-512.

    I see a lot of woulda, coulda, shoulda, but what I'm waiting on before I consider any of your words, is @Roph's password, basically put up or shut up ;)

    Hostigation High Resource Hosting - SolusVM OpenVZ/KVM VPS
    Thanked by: rds100, Amfy
  • Roph Member

    Of course you can brute force and use or generate rainbow tables, but the entropy from a hashed set of user details means you'll be spending millions if not billions of years doing it. I guess I should have said the only way to practically know.

    Add to that the way that this thing works, you must already know the user's details in order to compare.

  • KuJoe Member

    I've done a lot of reading on SHA1 since this thread was posted and I still cannot find any reason not to use FraudRecord.

    -Joe @ SecureDragon - LEB's Powered by Wyvern in FL, CO, CA, IL, NJ, GA, TX, and AZ
    Test our network here: Drgn.biz
  • nabo Member

    @Roph said: I guess I should have said the only way to practically know.

    49 minutes looks quite practicable to me.

    "Kids, you tried your best and failed miserably. The lesson learned is: never try."

  • @miTgiB said: I see a lot of woulda, coulda, shoulda, but what I'm waiting on before I consider any of your words, is @Roph's password, basically put up or shut up ;)

    Huh?

    Daniel.

  • Roph Member
    edited April 2012

    @nabo you didn't notice or understand the "length of 1-6" part. More length and a larger character set exponentially increase the effort required.

    To look at it a simpler way, try to "crack" the SHA-1 hashes of 1 character A-Z0-9 "passwords". You'll be done in under 1ms. Congratulations. A full set of user info is potentially hundreds of characters.

  • Also, salt is good for you ;)

    Evorack - UK Spindle & SSD Xen VPS | Gigabit Access Network | Native IPv6 /64 | RAID10 disk storage
    Rackburst - UK and Germany OpenVz SSD VPS | Native IPv6 | RAID10 SSD disk storage
  • @Jonny_Evorack said: Also, salt is good for you ;)

    salt won’t increase brute force time only when you have sources.

    I know, I'm Dale Maily.

  • Jonny_Evorack Member
    edited April 2012

    @Taylor Salt can increase brute force time if it adds entropy (i.e. randomness) and length to your original string :)

    But yes, I agree, the main use of a salt is to prevent rainbow tables from being used.

    See, Salt really is good for you! :)

    Evorack - UK Spindle & SSD Xen VPS | Gigabit Access Network | Native IPv6 /64 | RAID10 disk storage
    Rackburst - UK and Germany OpenVz SSD VPS | Native IPv6 | RAID10 SSD disk storage
  • Also, it's always good to iterate a hash multiple times.

    Evorack - UK Spindle & SSD Xen VPS | Gigabit Access Network | Native IPv6 /64 | RAID10 disk storage
    Rackburst - UK and Germany OpenVz SSD VPS | Native IPv6 | RAID10 SSD disk storage
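    The thread describes the service as receiving only "salted and looped SHA-1" and matching on the hash rather than the name, and the last few replies argue for a salt and for iterating the hash. The following Python is an added illustration of that pipeline, not FraudRecord's own code or module: a host normalises each identifier, hashes it with a shared salt for a fixed number of rounds, and submits only the digest; the service matches digests against digests. The salt value, the iteration count, the field names and the sample reports are all constructed for the example. One consequence worth seeing in code: every participating host has to use the same salt, or their digests can never match each other's.

```python
import hashlib
import hmac

# Assumptions for this illustration (not FraudRecord's actual parameters):
# every host that reports into or queries the same database must use the same
# salt, otherwise their digests can never match; the iteration count is arbitrary.
SHARED_SALT = b"constructed-shared-salt-not-a-real-value"
ITERATIONS = 5000


def normalize(field: str) -> str:
    """Canonicalise an identifier so that case and stray whitespace do not
    produce a different digest for the same person."""
    return " ".join(field.strip().lower().split())


def hash_identifier(field: str, salt: bytes = SHARED_SALT,
                    iterations: int = ITERATIONS) -> str:
    """Salted, looped SHA-1 as the thread describes it: SHA-1(salt || value),
    then re-hash the running digest as SHA-1(salt || digest) for the remaining
    rounds.  Only this hex digest ever leaves the reporting host."""
    digest = hashlib.sha1(salt + normalize(field).encode("utf-8")).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha1(salt + digest).digest()
    return digest.hex()


def build_report(first: str, last: str, email: str) -> dict:
    """What a host would submit: digests only, no plaintext customer fields."""
    return {
        "name": hash_identifier(first + " " + last),
        "email": hash_identifier(email),
    }


def lookup(report_db: list, query: dict) -> list:
    """Server-side match.  The service holds digests, receives digests and
    compares digests; it never sees the name or address behind either side.
    hmac.compare_digest keeps the comparison constant-time."""
    return [
        record for record in report_db
        if any(field in record and hmac.compare_digest(record[field], query[field])
               for field in query)
    ]


# Constructed sample database: two reports that other hosts submitted earlier.
SAMPLE_DB = [
    build_report("Jane", "Doe", "jane.doe@example.test"),
    build_report("Sam", "Roe", "sam@example.test"),
]


def check_new_signup(first: str, last: str, email: str, db: list = SAMPLE_DB) -> bool:
    """True if any existing report matches the new signup on name or on email."""
    return bool(lookup(db, build_report(first, last, email)))


if __name__ == "__main__":
    # Differences in case and whitespace still match; a different person does not.
    print(check_new_signup("  JANE ", "DOE", "Jane.Doe@Example.Test"))  # True
    print(check_new_signup("Alex", "Poe", "alex@example.test"))         # False
```

    The match on the second signup fails only because no stored digest equals the query digest; nothing in the database could be searched by plaintext, which is the point the earlier replies make about "matching the hash, not the name". Changing `SHARED_SALT` on one host silently breaks matching for that host, which is why a service like this has to fix the salt for everyone.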
  • Sigh. Most hashes/encryption CAN be cracked in theory, given enough time/computing power. Suppose a novice fraud DB programmer doesn't know about salts, and decides to use just a hash. He also thinks everyone has "English" names, so allocates 10 characters each for the first/last name. He's also stuck in the 90's and only knows of the three big TLDs, giving 20 characters total to the complete email address. So that's 40 characters, total.

    For simplicity's sake, we'll go with the Amazon cracker. We have 34 more characters, so the time to crack would be 49*2^34 minutes = 1.6 million years.

    Of course, when quantum computers become viable, all bets are off ;)

    Thanked by: Roph
  • If it was as easy to crack as most people say, it would have been cracked and posted. Cracking can happen, but with hash collisions it would be hard to know 100%.

  • @Boltersdriveer said: Nah, not proxy'd. My StarHub connection.

    I got that with SingNet as well. A lot of sites do not understand there's something called a transparent proxy.

    Anyway, using a VPN solved the issue. :)

    © 2014 eLohkCalb
  • @exussum said: but with hash collisions it would be hard to know 100%

    AFAIK collisions in SHA-1 have yet to be found, but they will fairly soon. Of course, collisions have very little practical relevance to this application --- some poor sap is accidentally labeled a fraudster? He talks to the provider and sorts things out. Where they matter is when they are relied on for security, such as SSL certs, etc.

    Hashing is cheap, so perhaps someone could recommend the developer use a stronger hash just to reassure the jittery folks? SHA-512 or Whirlpool (also 512-bits) would be ideal.

  • Of course there are collisions. The SHA-1 space is a set size, so anything over that size must have a collision.

    I was talking about the password really. It's less likely for a person's email hash to clash.
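    Several posts above argue from search-space size: the quoted GPU cracker page is read as covering all strings of length 1-6 in about 49 minutes, a longer string over a larger character set is said to raise the effort exponentially, and the collision question is raised just above. The Python below is an added worked version of that arithmetic, not something from the thread or from the cracker page. It backs the cracker's implied throughput out of the 49-minute figure, then scales it to other lengths using charset^length; the character-set size (95 printable ASCII) is an assumption the thread never states, so the absolute numbers are illustrative. It also shows the case a salt actually defends against (an identifier drawn from a known list, where the search space is the list size rather than charset^length) and the birthday bound for an accidental collision among a database of digests.

```python
import math

# Figures quoted in the thread: the cracker is read as exhausting every string
# of length 1-6 in about 49 minutes.  The character-set size is NOT stated on
# the page; 95 (printable ASCII) is an assumption made here for illustration.
QUOTED_MINUTES = 49
QUOTED_MAX_LEN = 6
ASSUMED_CHARSET = 95

MINUTES_PER_YEAR = 60 * 24 * 365.25


def keyspace(charset: int, max_len: int, min_len: int = 1) -> int:
    """Number of candidate strings of length min_len..max_len over `charset` symbols."""
    return sum(charset ** n for n in range(min_len, max_len + 1))


def hashes_per_minute(charset: int = ASSUMED_CHARSET,
                      max_len: int = QUOTED_MAX_LEN,
                      minutes: float = QUOTED_MINUTES) -> float:
    """Throughput implied by the quoted figure (keyspace covered / minutes taken)."""
    return keyspace(charset, max_len) / minutes


def minutes_to_exhaust(charset: int, length: int, rate: float = None) -> float:
    """Worst-case time to try every string up to `length` at the implied rate."""
    rate = hashes_per_minute() if rate is None else rate
    return keyspace(charset, length) / rate


def years_to_exhaust(charset: int, length: int) -> float:
    return minutes_to_exhaust(charset, length) / MINUTES_PER_YEAR


def known_list_minutes(candidates: int, rate: float = None) -> float:
    """If the input comes from a known list (harvested email addresses, common
    names), the search space is the list size, not charset**length.  This is the
    case a salt defends against: an unsalted digest of a listed value can be
    matched against a precomputed table regardless of the string's length."""
    rate = hashes_per_minute() if rate is None else rate
    return candidates / rate


def accidental_collision_probability(records: int, bits: int = 160) -> float:
    """Birthday bound: probability that any two of `records` distinct inputs
    share a `bits`-bit digest.  This is the accidental collision relevant to a
    lookup database, not a deliberately constructed collision against SHA-1.
    expm1 keeps precision when the exponent is tiny."""
    n = records
    return -math.expm1(-n * (n - 1) / 2.0 ** (bits + 1))


if __name__ == "__main__":
    print(f"implied rate: {hashes_per_minute():.3e} hashes/min")
    for length in (6, 8, 12, 40):
        print(f"charset {ASSUMED_CHARSET}, length {length:>2}: "
              f"{years_to_exhaust(ASSUMED_CHARSET, length):.3e} years")
    print(f"1e9 listed addresses, unsalted: {known_list_minutes(10**9):.3f} min")
    print(f"P(accidental collision) among 1e9 digests: "
          f"{accidental_collision_probability(10**9):.2e}")
```

    The two tables this prints make the thread's two points separately: exhaustive search over a 40-character field is out of reach at any plausible rate, while an unsalted digest of a value that appears on a list of a billion known addresses is found in well under a minute at the same rate. The collision figure for a billion 160-bit digests is on the order of 10^-31, which is why accidental collisions are not the practical concern for this kind of database.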

  • komo Member

    I did not test this service, but does someone check the companies/reporters too? How do you know that a "Constantine" did not decide to bug some people because s/he is just "evil"?

    Could I register and just report KuJoe or exussum because i.e. I got their email address and/or name on my blog?

    Is there a possibility to withdraw the report? Will the companies who read the old/false report get updated about the changed status of the report?

  • KuJoe Member
    edited April 2012

    @komo said: How do you know that a "Constantine" did not decide to bug some people because s/he is just "evil"?

    They are building a "reputation" system for providers. Not sure how or what it is but if I were to do it, I would use a lot of factors to determine whether a company is legitimate or not and only accept reports from legitimate companies (i.e. registered companies, companies that pay taxes, companies registered for X years, companies with legit and public information, etc...).

    The whole point of the system is to be a guide and not a silver bullet so users will have to use common sense and still do some legwork to combat fraud.

    -Joe @ SecureDragon - LEB's Powered by Wyvern in FL, CO, CA, IL, NJ, GA, TX, and AZ
    Test our network here: Drgn.biz
  • Spirit Administrator
    edited April 2012

    I thought that the whole point of a system is automation to save your time, just like with MaxMind and similar services. And as we had this discussion at LET already, it's known that some hosts tend to refuse service by default based on the MaxMind decision, even if/when the refused person is willing to clarify the situation over a support ticket. In those cases I wouldn't call this exactly a "guide" but a final decision without a human involved.

  • KuJoe Member

    Different people run their companies differently. I personally wouldn't use this service if it was automated, but if it's all a manual process I would consider it when it's more developed.

    -Joe @ SecureDragon - LEB's Powered by Wyvern in FL, CO, CA, IL, NJ, GA, TX, and AZ
    Test our network here: Drgn.biz
  • gsx Member

    This seems like a great idea, until someone entirely legit is blacklisted by an angry host and a major legal storm appears.

  • innya Member

    The MaxMind GeoIP thing might not be filtering correctly. I got flagged as fraud by MaxMind when I tried to order inceptionhosting's current promo using my VoIP home phone and from my home computer. I have never gotten a call from MaxMind and been flagged as fraud. Also, I tried from work and the inception site banned me from coming in from my work IP address.
    That's very strange and new to me. I'm in the USA and I have had no problem ordering with other providers in the past.

    How do they verify a real home IP and home (VoIP) phone as fraud? Just wondering.

  • Some providers don't like USA. I have seen at least one person here on LET claiming that he bans all orders from USA.

  • innya Member

    MaxMind flagged me as fraud because MaxMind GeoIP detection thinks that the distance between my home IP and my phone number's location is more than 25 miles. So, they flagged me as very high risk fraud.

    I live in the Midwest of the USA and I can keep and use my old phone numbers as long as the first three digits (area code) are the same, although I have moved more than 45 miles from where I used to live. However, the current address and old address have phone numbers with the same 3-digit area code, and the last 7 digits point to the old area. (e.g. (111) 222-2222)

    This is the first time I got flagged as fraud. That's why I was amazed about it. I understand the hosting provider's point of view. It has to protect its business and interests.

    I think I should try to see if I can order one or two of the overseas datacenter providers' plans other than UK and France.
    I have the UK and France provider accounts.

    Could anyone suggest any good one? I have too many VPS already. I just want to try it out to test the water.

  • @innya I turned that feature off because of local number portability. If a host flags you because of that, you can always remind them about it. I'm more concerned when the address and IP are a long way apart; aside from a wireless modem, most IPs should rDNS back to the ISP and usually it has the name of the town where the connection exists.