Comments
Is there a monthly cost? How do they make money?
http://www.fraudrecord.com/faq.php
This goes against so many hosts' privacy policies, which state they won't share client information with third parties...
And they aren't. That's why this is pretty genius as it is a way to report bad clients without sharing customer details.
Now that I think about it, customer details are transmitted unencrypted to MaxMind by the majority of hosting companies out there. This is the first anti-fraud system I've ever seen that doesn't violate privacy laws.
And that's why most privacy policies state information will be transferred during the fraud check.
This site says they hash all the data and it can't be reverse-engineered... but you can search for a client's name in the query section and it pulls up all of the people who match.... explain that one.
That's what this service primarily is, fraud checking. It is nice that they offer other reporting options though.
Because it is matching the hash, not the name. If the database is compromised the thief would only have the hashed values.
Okay, I downloaded it and see how it actually works. It's a good idea, but I don't see too many hosts signing up for this. MaxMind does a proactive check and catches people before they have a chance to screw you over. This site requires at least one host to get screwed over first. With that said, I signed up. I'll keep an eye on it.
I looked over the source code also to get an idea of it and the concept looks good. I'm going to wait a bit though before putting anything on my servers.
Let me see how many times MaxMind has failed me.. oh, about every time I had a fraud customer come through with a fake/stolen card. How many valid customers they catch, about 25%. I have not had the best luck, but now the majority are coming across PayPal, and PayPal is about as tight as a bucket made out of sand. So this helps.
And actually I've posted this across a few sites, and a lot of hosts have begun putting their information into it. Even when I first installed it, it caught 2 of my customers I already had suspicions about.
So far the best anti-fraud method I've found is the GeoFilter addon for WHMCS but it has a really painful bug that causes us downtime for WHMCS so I have to disable it until it's resolved.
Using a proxy?
For us UK-based companies it's a risky line to take. We have to comply with the Data Protection Act and a number of other laws. Too risky....
Ouch! We would be out of business if we didn't use MaxMind.
Maxmind is fine but data laws are strict
Nah, not proxied. My StarHub connection.
Is MaxMind on an exclusion list or something? I'm a bit confused by UK law.
UK data protection laws are strict, but also very good. I have no problem, and actually take pleasure in complying with them, as I take the privacy of our customer details very seriously.
MaxMind and FraudCheck are ok to use, as long as you make it clear to your customers that you will be using them.
There is no exclusion list, as one is not needed.
Central database? Are you guys kidding? I just see a nice hobby site from an anonymous person without any relevant data like a real address, company registration or anything at all.
In a domain whois check I see that it's the same person as http://www.harzem.com/about/ but that's all. OK, a guy "from the internet" says that he receives only salted and looped SHA-1, bla bla... and just because of that you're prepared to send client data to an anonymous guy who just made a nice-looking site?
It can be an interesting free service, however I or anyone here could make such a/similar site too. You of course won't know that it's me (me = only as an example) behind it, as there will be only an anonymous "contact me" web form. Will you send me all your clients' personal information? Oh, I won't be able to read them, you can trust me, buddy! :P
You're irresponsible with your customers' data. You can't just send all your customers' data to some unknown new anonymous internet hobby site. Or.. you can?!
Sorry for sounding so negative. It's a good-looking website and idea for sure, however the water should be tested before you jump in.
I think you're misunderstanding what's sent. SHA-1 is what's known as a one-way hash function. The only way to know what the source of an SHA-1 hash is, is to already have the "unencrypted" version and hash it yourself. You aren't sending personal information, you're sending a hash.
Here's the SHA-1 of my Google account login and password: 60e347be34daf09765ccbabc60b8d7f31393d3c2
Now login to my account. I'll wait
Also if that "Harzem" guy is the same Harzem from Simplemachines (SMF Forum), he's a nice guy
No.
This is simply not true.
SHA-1, along with MD5 and other one way hashes, CAN be "cracked" without knowing the original string.
You just need a lot of processing power and a rainbow tables generator (or very large tables already).
http://www.golubev.com/hashgpu.htm
should have used SHA-512.
I see a lot of woulda, coulda, shoulda, but what I'm waiting on before I consider any of your words is @Roph's password. Basically, put up or shut up.
Of course you can brute force and use or generate rainbow tables, but the entropy from a hashed set of user details means you'll be spending millions if not billions of years doing it. I guess I should have said the only way to practically know.
Add to that the way that this thing works, you must already know the user's details in order to compare.
I've done a lot of reading on SHA1 since this thread was posted and I still cannot find any reason not to use FraudRecord.
49 minutes looks quite practicable to me.
Huh?
@nabo you didn't notice or understand the "length of 1-6" part. More length and a larger character set exponentially increase the effort required.
To look at it a simpler way, try to "crack" the SHA-1 hashes of 1 character A-Z0-9 "passwords". You'll be done in under 1ms. Congratulations. A full set of user info is potentially hundreds of characters.
Also, salt is good for you
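The two technical points argued in this thread, that a host submits only salted, iterated hashes of client fields and that matching works by comparing hashes, and that the feasibility of guessing the input depends on its length and character set, as an added example that is not FraudRecord's code (the salt, round count, field normalisation and sample records are all constructed assumptions):

```python
import hashlib

# Assumed scheme, NOT FraudRecord's actual implementation: a shared salt
# and a fixed number of SHA-1 rounds. Both values are constructed placeholders.
SALT = b"example-shared-salt"
ROUNDS = 1000

def normalise(value: str) -> str:
    """Lower-case and collapse whitespace so trivial variations still match."""
    return " ".join(value.strip().lower().split())

def hash_field(value: str, salt: bytes = SALT, rounds: int = ROUNDS) -> str:
    """Salted, looped SHA-1 of one client field, returned as hex."""
    digest = salt + normalise(value).encode("utf-8")
    for _ in range(rounds):
        digest = hashlib.sha1(salt + digest).digest()
    return digest.hex()

def report_client(record: dict) -> dict:
    """What a host submits: one hash per field, never the plaintext value."""
    return {field: hash_field(value) for field, value in record.items()}

def match_client(reports: list, candidate: dict) -> list:
    """Server-side lookup: hash the query the same way and compare hashes.
    The database holds only hashes, so a stolen copy reveals no plaintext."""
    wanted = report_client(candidate)
    return [r for r in reports if any(r.get(f) == h for f, h in wanted.items())]

def search_space(charset_size: int, max_len: int) -> int:
    """Number of strings of length 1..max_len an exhaustive guess must hash."""
    return sum(charset_size ** n for n in range(1, max_len + 1))

def years_to_exhaust(charset_size: int, max_len: int, hashes_per_second: float) -> float:
    """Worst-case time to try every candidate at a given hashing rate."""
    return search_space(charset_size, max_len) / hashes_per_second / (365 * 24 * 3600)

# Constructed sample reports, as stored on the server (hashes only).
REPORTS = [
    report_client({"email": "fraudster@example.invalid", "name": "Pat Example"}),
    report_client({"email": "honest@example.invalid", "name": "Sam Sample"}),
]

if __name__ == "__main__":
    hit = match_client(REPORTS, {"email": "Fraudster@Example.invalid"})
    print("matches:", len(hit))
    print("1-char A-Z0-9 candidates:", search_space(36, 1))
    print("length 1-6 A-Z0-9 candidates:", search_space(36, 6))
    print("years for a 20-char mixed-case alphanumeric field at 1e9 H/s:",
          f"{years_to_exhaust(62, 20, 1e9):.3g}")
```

The search-space figures make the thread's point concrete: a 1-6 character alphanumeric field is a few billion candidates, while a full set of client details is far beyond exhaustive guessing, though a short or guessable single field (an email address from a known list, for example) remains the weak point and is why the salt matters.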