[clug] Secure your Internet facing stuff (was Re: googlebot doing funny things in logs)

Robert Edwards bob at cs.anu.edu.au
Fri Jun 17 01:47:06 MDT 2011


On 17/06/11 14:21, Scott Ferguson wrote:
> On Fri, 17 Jun 2011 08:33:59 +1000 Robert Edwards
>>
>> On 17/06/11 06:33, Martijn van Oosterhout wrote:
>>>> On Thu, Jun 16, 2011 at 10:48:03PM +1000, Robert Edwards wrote:
> <snipped>
>>>>>>
>>>>>> Does anyone actually _know_ of any instances where someone's bank account
>>>>>> was accessed without proper authorisation over the Internet and the
>>>>>> bank didn't work hard to fix the problem? Just curious.
>>>>
>
> <snipped>
>
>>>>
>>>> Have a nice day,
>> So that's a no? Not an actual instance of this happening?
>>
>> Bob Edwards.
>
> Yes. Still working to get the money re-instated.
> Somehow a debit card which the (which) bank swore could only be debited
> for the available balance in that stand-alone account was overdrawn by
> an overseas (former USSR) company AND the bank then charged an
> overdrawal fee.
>
> It took some time to recover the funds and I have been unable to recover
> the overdrawal fee - I'm considering pursuing that through the Banking
> Ombudsman.
> The amount fraudulently debited from my account was small - I've had
> other frauds in the past for larger amounts (double dipping by Chinese
> e-bay traders) which were quickly and easily resolved by the bank.
>
> In the current case the company name appearing on the statement was
> implied illegal pornography. No I didn't and don't - and I presume that
> most people seeing this company's trading name on their statement would
> simply die of embarrassment and never consider confronting the bank. The
> first two attempts to rectify the problem in person at the bank got
> nowhere - only after writing and threatening to take the matter to court,
> demanding evidence of authorisation, and threatening to use my ISP's records
> and my firewall logs to show I couldn't have made the transaction did I
> get my $12 back. I doubt the police would have initiated an
> investigation over such a small amount. At that point in time that card
> had only ever been used for ebay purchases, and only online - so it kind
> of narrows down the number of places/people who would know my name,
> address, credit card number, and security key.
>
> The other incident was with a *very* well known international company
> with Australian offices in Sydney and Melbourne, who offer a commercial
> email hosting service. I decided to take up their offer of a "free
> trial" so I could test the level of support for a client's needs. The
> displayed terms were a 30 day "free trial", and, if at the end of the
> period you liked it you would be charged $50, otherwise you'd lose your
> emails and pay no fee. To begin you had to provide a valid credit card,
> which I did. I was then denied the trial as the "transaction was
> declined by your bank" (I only put money on the card equal to what I
> intend to immediately spend). The account was then charged $1 - only
> writing to the bank threatening legal action got my $1 back (petty I
> know, but multiply it by all the other people and it's a good income for
> nothing). Repeated calls to the relevant woman at the Sydney office got
> me an answering machine but she never returned my call.
>
> Oh, and then there's the various bogus "money changing fees" that are
> greater than the cost of the money being changed (US to OZ). Fat chance
> getting "that" bank to refund those. $5 VOIP headset, free shipping, $12
> money changing fee.
>
> Cheers
>

Thanks Scott.

Ok, I count that as 1 for the first incident: clear money fraud/theft
caused by misadventure on the 'net. Still, the bank largely came
through, eventually, although you still need to recover the overdraw
fee.

I think we are blaming this on the eBay vendor you purchased from and
I can't see how an un-"secure" web server at someone's home could
possibly have been involved.

Second and third examples I am not counting as "dangerous Internet:
turn off all your home web sites right now before we have a real nuclear
incident and someone actually dies"... They seem more related to the
general vagaries of using credit/debit cards more than anything Internet
specific.

Cheers,

Bob Edwards.
