
New Credit Card Cross-Sell-Like Scams Used by Vendors

Wed, Nov 21, 2007

12 Angry Men did an awesome write-up on a new type of “scam” used by shady marketing companies to automatically opt you in to very small monthly recurring charges that you are unlikely to notice on your credit card, using some trickery in how credit card data is handled in a typical HTTP session. Here is the gist of how it works.

The Setup

  1. Company “Crooks Inc.” (shady company) goes to “Big Vendor Inc.” (legit/honest company) and offers them a cross-sell deal: Big Vendor Inc. places cross-sell links to Crooks Inc.’s merchandise on its purchase verification pages (e.g. “You just bought XYZ, maybe you might also want to buy ABC”, where “ABC” is from Crooks Inc.’s website).
  2. The deal Crooks Inc. proposes to Big Vendor Inc. is that for every sale made from the cross-sell page, Big Vendor Inc. gets 50% of the take… so it’s almost free money for Big Vendor Inc., just for adding some simple HTML to its purchase verification page.

The Problem

  1. Because credit card information is stored in in-memory cookies (not on disk) that are valid for the length of the session, by the time you are done shopping on Big Vendor Inc.’s website and are taken to the purchase verification page, your credit card data is still accessible from the session.
  2. Crooks Inc. has access to the credit card information you just used, but they cannot charge you without you agreeing to it… so they bury an opt-out (checked by default) checkbox somewhere on the page, usually hidden inside a big paragraph far down the page.
  3. When you navigate away from the page, the JavaScript on-exit() event is fired, at which point Crooks Inc. executes your agreement to be charged, for nothing, and uses your credit card information to set up monthly billing for a small amount (like $5).
  4. Crooks Inc. is also required to send you a verification of the transaction, which they will do, making sure the email is chock-full of spam-like constructs and sentences so that it’s bagged immediately by your spam filter… leaving you none the wiser about your new monthly charge.

Naturally, you have no idea who to call to get this charge canceled if you ever wanted to do that, and technically Crooks Inc. didn’t violate any law.
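For a merchant reviewing partner-supplied cross-sell markup before it goes onto a purchase verification page, here is an added example (not from the original post or from 12 Angry Men) that flags the three ingredients described above: a pre-checked checkbox, an exit-time handler, and a form posting to another host. It assumes the “on-exit” event means the browser's `unload`/`beforeunload` handlers; the hosts `bigvendor.example` and `crooks.example`, the `enroll()` call and the field name are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Exit-time hooks: inline attributes and their script-side equivalents.
EXIT_ATTRS = {"onunload", "onbeforeunload"}
EXIT_SCRIPT = re.compile(
    r"\bon(?:before)?unload\b|addEventListener\(\s*['\"](?:before)?unload['\"]", re.I)

class CrossSellAudit(HTMLParser):
    # Collects (kind, detail) findings from a partner-supplied HTML fragment.
    def __init__(self, merchant_host):
        super().__init__()
        self.merchant_host = merchant_host
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        # Consent that is granted unless the shopper finds and clears the box.
        if tag == "input" and a.get("type", "").lower() == "checkbox" and "checked" in a:
            self.findings.append(("prechecked_checkbox", a.get("name", "")))
        for name in sorted(a.keys() & EXIT_ATTRS):
            self.findings.append(("exit_handler", f"<{tag} {name}>"))
        if tag == "form":
            host = urlparse(a.get("action", "")).hostname
            if host and host != self.merchant_host:
                self.findings.append(("offsite_form", host))
        self._in_script = tag == "script"

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and EXIT_SCRIPT.search(data):
            self.findings.append(("exit_handler", "script"))

def audit(html, merchant_host):
    parser = CrossSellAudit(merchant_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample shaped like the cross-sell page described above.
SAMPLE = (
    '<body onunload="enroll()"><form action="https://crooks.example/enroll">'
    '<p>fine print <input type="checkbox" name="monthly_plan" checked> more</p>'
    '</form><script>window.onbeforeunload = function () { enroll(); };</script></body>'
)
```

Any finding is a reason to read the fragment by hand before publishing it; an empty list only means none of these three patterns appeared in static markup.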

12 Angry Men suggests using a service like Shopsafe that lets you generate a temporary credit card with a set expiration date and a set max limit, killing off any hope of such cross-sells hooking into your credit card and chipping away at your monthly bills.

I’ve never used a service like Shopsafe. Does anyone have any experience with this, or have other suggestions to avoid this?


This post was written by:

Riyad Kalla - who has written 1615 posts on The “Break it Down” Blog.

Ultimately I just want to provide a resource that folks find useful.
