1 - 20 of 22 Posts

·
Fini les ecrase-"manets"!
Joined
·
9,416 Posts
Discussion Starter · #1 ·
As some of you probably know, I run a couple of ecommerce websites.

Today, we found someone who's making a bunch of fraudulent orders on our site--different credit card on all of them, but all to the same name and address, etc. All cards are being declined.

This fraudster has a couple of different accounts (with slightly different @yahoo.com and @outgun.com email addresses) with us, but they all use the same password. This makes me think I could probably log in to their yahoo! or outgun accounts using this password and do some snooping. I'd like to see if we're the only ones being victimized, what names they're using, etc., if they have given an address to register for the accounts and like that.

But I have a feeling this is highly unethical, even though this person is trying to steal from my company.

Your thoughts?
 

·
gazing from the shadows
Joined
·
27,224 Posts
Since you frame it as an ethics question, let me ask how your ecommerce sites' privacy policies might apply?
 

·
Fini les ecrase-"manets"!
Joined
·
9,416 Posts
Discussion Starter · #6 ·
il sogno said:
I think you should turn this over to law enforcement. DA's office? FBI maybe?
Unfortunately, with low-level fraud like this, especially since the credit cards are being declined by the issuing banks, the Man can't be bothered to help. The odds are very good (90%) that this a-hole is offshore anyway--typically somewhere in Eastern Europe, North Africa or Asia.

Crossing state lines makes the locals unwilling to bother--they always refer you to the delivery state, while the delivery state wants you to talk to your local cops. Ecommerce fraud on the sub-$1000 scale is pretty much unenforced.

What I'd really like to do is rat him/her out to the other places I'm sure he's trying to rip off, and maybe put a scare into him by sending a "you're busted" email to him from his own account.
 

·
Shirtcocker
Joined
·
60,639 Posts
bikeboy389 said:
Unfortunately, with low-level fraud like this, especially since the credit cards are being declined by the issuing banks, the Man can't be bothered to help. The odds are very good (90%) that this a-hole is offshore anyway--typically somewhere in Eastern Europe, North Africa or Asia.

Crossing state lines makes the locals unwilling to bother--they always refer you to the delivery state, while the delivery state wants you to talk to your local cops. Ecommerce fraud on the sub-$1000 scale is pretty much unenforced.

What I'd really like to do is rat him/her out to the other places I'm sure he's trying to rip off, and maybe put a scare into him by sending a "you're busted" email to him from his own account.
.......use an anonymizer and send him a scare mail--speaking hypothetically of course.
 

·
No Crybabies
Joined
·
11,684 Posts
Not sure about ethics or legality.

However, I like to take "e" world issues and analogize to concrete ones. Let's say this thief broke into your business, and made out with some things. But, in the process, he dropped his wallet. Would you hesitate to look in the wallet? Would you hesitate to call numbers that might be referenced in the wallet to track him down?

I think as long as you do no harm, and don't actively misrepresent something, it's not unethical. The issue is "justification," from either a moral or legal view. I think you are justified, as long as you do no harm. (This is definitely NOT a legal opinion, so you are on your own.)
 

·
Back from the dead
Joined
·
20,626 Posts
You store passwords as plaintext? Do your users know this? What a huge security hole!

I don't think it is ethical to do what you suggest, but it certainly would be fun. If nothing else, go into each account and change the password so the guy can't get in anymore. It would also be very unethical to send email from those accounts to everyone in his address book that said something like "I'm in my office and I'm not wearing pants." Very, very unethical.
 

·
Fini les ecrase-"manets"!
Joined
·
9,416 Posts
Discussion Starter · #11 ·
mohair_chair said:
You store passwords as plaintext? Do your users know this? What a huge security hole!

I don't think it is ethical to do what you suggest, but it certainly would be fun. If nothing else, go into each account and change the password so the guy can't get in anymore. It would also be very unethical to send email from those accounts to everyone in his address book that said something like "I'm in my office and I'm not wearing pants." Very, very unethical.
I can decode the passwords if I need to, but they're not stored in plain text.

And yeah. I'm trying not to let the fun factor push me into doing something I might regret professionally.
 

·
No Crybabies
Joined
·
11,684 Posts
What do you think you can legitimately accomplish?
 

·
Shirtcocker
Joined
·
60,639 Posts
mohair_chair said:
You store passwords as plaintext? Do your users know this? What a huge security hole!

I don't think it is ethical to do what you suggest, but it certainly would be fun. If nothing else, go into each account and change the password so the guy can't get in anymore. It would also be very unethical to send email from those accounts to everyone in his address book that said something like "I'm in my office and I'm not wearing pants." Very, very unethical.
another instance of bad security:

http://www.9news.com/acm_news.aspx?...MPLATEID=0c76dce6-ac1f-02d8-0047-c589c01ca7bf
 

·
Shirtcocker
Joined
·
60,639 Posts
il sogno said:
Don't send him the merchandise he's ordered. Close his accounts and tell him why in no uncertain terms.
You have to admit it would be fun to send him a box full of dog poop with a note explaining why inside. :D
 

·
Fini les ecrase-"manets"!
Joined
·
9,416 Posts
Discussion Starter · #16 ·
Bocephus Jones II said:
You have to admit it would be fun to send him a box full of dog poop with a note explaining why inside. :D
Gross. Who's gonna collect and box up the poop for me?
 

·
No Crybabies
Joined
·
11,684 Posts
bikeboy389 said:
What I'd really like to do is rat him/her out to the other places I'm sure he's trying to rip off,

I'd be very concerned about defamation suits. It doesn't take much for him to at least get his foot in the door with a lawsuit, and then you spend a fortune defending it. I would not send info to 3rd parties, other than law enforcement.
 

·
Fini les ecrase-"manets"!
Joined
·
9,416 Posts
Discussion Starter · #18 ·
Fixed said:
What do you think you can legitimately accomplish?
Not too much, really. I could tip off any other sites that are being defrauded, though given how ham-fisted this person is, they're probably onto them already.

And I might be able to put a scare into him, if I did send him an email from himself.

So nothing really. Makes me kinda think it's not worth doing anything other than getting his IP (or IPs) and blocking them.
 

·
Fini les ecrase-"manets"!
Joined
·
9,416 Posts
Discussion Starter · #20 ·
snapdragen said:
Ask and you shall receive: Poop!
Gross, but pretty funny copy, I gotta say.

"Buster is a 110 pound powerhouse that creates massive mountains of the most robust bowel movements you have ever had the displeasure to experience."

Oh, poop. Is there no end to the humor to be found in thee?
 