For hosts, FraudRecord.com

FRCorey Member
edited April 2012 in Reviews

Just tried out their WHMCS module and it flagged 2 customers who I suspected were shady in the first place. Finally a central database we can report spammers and other undesirables into.


Comments

  • Is there a monthly cost? How do they make money?

  • http://www.fraudrecord.com/faq.php

    @BassHost said: Is there a monthly cost? How do they make money?

  • This goes against so many hosts' privacy policies, which state they won't share client information with third parties...

  • KuJoe Member, Host Rep
    edited April 2012

    @subigo said: which state they won't share client information with third parties...

    And they aren't. That's why this is pretty genius as it is a way to report bad clients without sharing customer details.

    Now that I think about it, customer details are transmitted unencrypted to MaxMind by the majority of hosting companies out there. This is the first anti-fraud system I've ever seen that doesn't violate privacy laws.

    Thanked by 3TheHackBox lbft Amitz
  • @KuJoe said: And they aren't. That's why this is pretty genius as it is a way to report bad clients without sharing customer details.

    Now that I think about it, customer details are transmitted unencrypted to MaxMind by the majority of hosting companies out there. This is the first anti-fraud system I've ever seen that doesn't violate privacy laws.

    And that's why most privacy policies state information will be transferred during the fraud check.

    This site says they hash all the data and it can't be reverse-engineered... but you can search for a client's name in the query section and it pulls up all of the people who match.... explain that one.

  • KuJoe Member, Host Rep

    @subigo said: And that's why most privacy policies state information will be transferred during the fraud check.

    That's what this service primarily is, fraud checking. It is nice that they offer other reporting options though.

    @subigo said: This site says they hash all the data and it can't be reverse-engineered... but you can search for a client's name in the query section and it pulls up all of the people who match.... explain that one.

    Because it is matching the hash, not the name. If the database is compromised the thief would only have the hashed values.

  • @KuJoe said: Because it is matching the hash, not the name. If the database is compromised the thief would only have the hashed values.

    Okay, I downloaded it and see how it actually works. It's a good idea, but I don't see too many hosts signing up for this. MaxMind does a proactive check and catches people before they have a chance to screw you over. This site requires at least one host to get screwed over first. With that said, I signed up. I'll keep an eye on it.

  • KuJoe Member, Host Rep

    I looked over the source code also to get an idea of it and the concept looks good. I'm going to wait a bit though before putting anything on my servers.

  • Let me see how many times MaxMind has failed me.. oh about every time I had a fraud customer come through with a fake/stolen card. How many valid customers they catch, about 25%. I have not had the best luck, but now the majority are coming across PayPal, and PayPal is about as tight as a bucket made out of sand. So this helps.

    And actually I've posted this across a few sites, and a lot of hosts have begun putting their information into it. Even when I first installed it, it caught 2 of my customers about whom I already had suspicions.

  • KuJoe Member, Host Rep

    So far the best anti-fraud method I've found is the GeoFilter addon for WHMCS but it has a really painful bug that causes us downtime for WHMCS so I have to disable it until it's resolved. :(

  • Boltersdriveer Member, LIR
    edited April 2012
    The user Boltersdriveer with Email [REDACTED] (IP 218.186.17.12) is a Spam, please contact forum administrator.

    :(

    Thanked by 1netomx
  • Using a proxy?

  • For us UK-based companies it's a risky line to take. We have to comply with the Data Protection Act and a number of other laws. Too risky....

    Thanked by 1Amfy
  • KuJoe Member, Host Rep

    @DanielM said: For us UK-based companies it's a risky line to take. We have to comply with the Data Protection Act and a number of other laws. Too risky....

    Ouch! We would be out of business if we didn't use MaxMind.

  • MaxMind is fine but data laws are strict.

  • Nah, not proxy'd. My StarHub connection.

  • KuJoe Member, Host Rep
    edited April 2012

    @DanielM said: MaxMind is fine but data laws are strict.

    Is MaxMind on an exclusion list or something? I'm a bit confused by UK law.

  • edited April 2012

    UK data protection laws are strict, but also very good. I have no problem, and actually take pleasure in complying with them, as I take the privacy of our customer details very seriously.

    MaxMind and FraudCheck are ok to use, as long as you make it clear to your customers that you will be using them.

    There is no exclusion list, as one is not needed.

  • Spirit Member
    edited April 2012

    Central database? Are you guys kidding? I see just a nice hobby site from an anonymous person without any relevant data like a real address, company registration or anything at all.
    In a domain whois check I see that it's the same person as http://www.harzem.com/about/ but that's all. OK, a guy "from the internet" says that he receives only salted and looped SHA-1, bla bla... and just because of that you're prepared to send client data to an anonymous guy who just made a nice-looking site?
    It can be an interesting free service, however I or anyone here can make such a (or a similar) site too. You of course won't know that it's me (me = only as an example) behind it, as there will be only an anonymous "contact me" web form. Will you send me all your clients' personal information? Oh, I won't be able to read it, you can trust me, buddy! :P

    @FRCorey said: And actually I've posted this across a few sites, and a lot of hosts have begun putting their information into it. Even when I first installed it, it caught 2 of my customers about whom I already had suspicions.

    You're irresponsible with your customers' data. You can't just send all your customers' data to some unknown new anonymous internet hobby site. Or.. you can?!

    Sorry for sounding so negative. It's a good-looking website and idea for sure; however, the water should be tested before you jump in.

  • Roph Member

    I think you're misunderstanding what's sent. SHA-1 is what's known as a one-way hash function. The only way to know what the source of an SHA-1 hash is, is to already have the "unencrypted" version and hash it yourself. You aren't sending personal information, you're sending a hash.

    Here's the SHA-1 of my Google account login and password: 60e347be34daf09765ccbabc60b8d7f31393d3c2

    Now login to my account. I'll wait ;)

    Also if that "Harzem" guy is the same Harzem from Simplemachines (SMF Forum), he's a nice guy :)

  • @Roph said: The only way to know what the source of an SHA-1 hash is, is to already have the "unencrypted" version and hash it yourself.

    No.
    This is simply not true.
    SHA-1, along with MD5 and other one way hashes, CAN be "cracked" without knowing the original string.
    You just need a lot of processing power and a rainbow tables generator (or very large tables already).

  • nabo Member

    @Roph said: Here's the SHA-1 of my Google account login and password: 60e347be34daf09765ccbabc60b8d7f31393d3c2

    http://www.golubev.com/hashgpu.htm

    Thanked by 1netomx
  • @Roph said: Here's the SHA-1 of my Google account login and password: 60e347be34daf09765ccbabc60b8d7f31393d3c2

    Should have used SHA-512.

  • I see a lot of woulda, coulda, shoulda, but what I'm waiting on before I consider any of your words, is @Roph's password, basically put up or shut up ;)

    Thanked by 2rds100 Amfy
  • Roph Member

    Of course you can brute force and use or generate rainbow tables, but the entropy from a hashed set of user details means you'll be spending millions if not billions of years doing it. I guess I should have said the only way to practically know.

    Add to that the way that this thing works, you must already know the user's details in order to compare.

  • KuJoe Member, Host Rep

    I've done a lot of reading on SHA1 since this thread was posted and I still cannot find any reason not to use FraudRecord.

  • nabo Member

    @Roph said: I guess I should have said the only way to practically know.

    49 minutes looks quite practicable to me.

  • @miTgiB said: I see a lot of woulda, coulda, shoulda, but what I'm waiting on before I consider any of your words, is @Roph's password, basically put up or shut up ;)

    Huh?

  • Roph Member
    edited April 2012

    @nabo you didn't notice or understand the "length of 1-6" part. More length and a larger character set exponentially increase the effort required.

    To look at it a simpler way, try to "crack" the SHA-1 hashes of 1 character A-Z0-9 "passwords". You'll be done in under 1ms. Congratulations. A full set of user info is potentially hundreds of characters.

  • Also, salt is good for you ;)
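
Added example, not part of the original thread and not FraudRecord's code: a sketch of the match-by-hash lookup discussed above ("salted and looped SHA-1"), together with the search-space arithmetic behind the argument about short versus long inputs. The salt value, round count, `ReportStore` class and sample customer are assumptions constructed for illustration.

```python
import hashlib
import math

# Assumptions for illustration only: this salt and round count are constructed
# here and are not FraudRecord's real parameters.
SALT = b"example-shared-salt"
ROUNDS = 1000

def field_hash(value: str, salt: bytes = SALT, rounds: int = ROUNDS) -> str:
    """Salted, iterated ("looped") SHA-1 of one normalized customer field."""
    digest = value.strip().lower().encode("utf-8")
    for _ in range(rounds):
        digest = hashlib.sha1(salt + digest).digest()
    return digest.hex()

class ReportStore:
    """Central store that only ever holds field hashes, never the raw fields."""
    def __init__(self):
        self._reports = {}  # field hash -> list of report notes

    def report(self, fields: dict, note: str) -> None:
        for value in fields.values():
            self._reports.setdefault(field_hash(value), []).append(note)

    def query(self, fields: dict) -> list:
        """A host that already knows the details hashes them and looks them up."""
        hits = []
        for value in fields.values():
            hits.extend(self._reports.get(field_hash(value), []))
        return hits

def search_space_bits(alphabet_size: int, min_len: int, max_len: int) -> float:
    """log2 of the number of candidate strings of length min_len..max_len."""
    total = sum(alphabet_size ** n for n in range(min_len, max_len + 1))
    return math.log2(total)

if __name__ == "__main__":
    store = ReportStore()
    # Constructed sample customer.
    store.report({"name": "Jane Example", "email": "jane@example.com"}, "chargeback")
    print(store.query({"name": " jane example "}))   # matches via the hash
    print(store.query({"name": "John Example"}))     # no match
    # Protection comes from how many values a field can take, not from the
    # hash alone: compare short a-z0-9 strings with long printable ones.
    print(round(search_space_bits(36, 1, 6), 1))
    print(round(search_space_bits(95, 1, 40), 1))
```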
