Securitymetrics Scam

    #1
    Securitymetrics Scam



    Has anyone successfully countered what is essentially a SCAM by Merchant
    processors in conjunction with Securitymetrics.com? Basically the processor
    sends you a notice that you have to have your site approved by
    securitymetrics in order to continue processing cards. The securitymetrics
    test is a joke, although David @ hostasaurus has always been able to get
    their tests to pass; it's just making money for securitymetrics.

    -Bruce Golub
    PHOSPHOR Media
    www.phosphormedia.com

    --
    Internal Virus Database is out-of-date.
    Checked by AVG Anti-Virus.
    Version: 7.0.300 / Virus Database: 265.7.2 - Release Date: 1/21/2005




    #2
    Securitymetrics Scam



    It's a rip off that is becoming more and more prevalent. Basically
    Security Metrics gives merchant account providers a kickback for
    'enforcing' some obscure interpretation of a Visa/MC policy and
    then the merchant account provider hits their customer with the
    "You have to be scanned but we have this great discount worked
    out with security metrics just for our customers." Then they take
    you for $600 or so, for trivial script kiddie scans to tell you
    hey, your Apache version is this, etc.

    Amex has started doing this too recently but Discover doesn't,
    they actually pay for the scan meaning they actually care rather
    than use it to generate revenue like the others.

    David

    Bruce Golub - Phosphor Media wrote:
    > Has anyone successfully countered what is essentially a SCAM by
    > Merchant processors in conjunction with Securitymetrics.com. Basically
    > the processor sends you a notice that you have to have your site
    > approved by securitymetrics in order to continue processing cards.
    > The securitymetrics test is a joke, although David @ hostasaurus has
    > always been able to get their tests to pass, its just making money
    > for securitymetrics.
    >
    > -Bruce Golub
    > PHOSPHOR Media
    > www.phosphormedia.com



      #3
      Securitymetrics Scam



      If anyone (David especially) wants to write this up a bit more formally, I'd
      be happy to refer this to our State Attorney General (although, since he's a
      republican, it might fall on deaf ears) if others do the same, perhaps we
      can catch a little wind?

      -Bruce

      > -----Original Message-----
      > From: [email protected]
      > [mailto:[email protected]] On Behalf Of David Hubbard
      > Sent: Tuesday, February 01, 2005 10:27 AM
      > To: Bruce Golub - Phosphor Media; Miva Users List
      > Subject: RE: [meu] Securitymetrics Scam
      >
      > It's a rip off that is becoming more and more prevalent.
      > Basically Security Metrics gives merchant account providers a
      > kick back for 'enforcing' some obscure interpretation of a
      > Visa/MC policy and then the merchant account provider hits
      > their customer with the "You have to be scanned but we have
      > this great discount worked out with security metrics just for
      > our customers." Then they take you for $600 or so, for
      > trivial script kiddie scans to tell you hey your apache
      > version is this, etc.
      >
      > Amex has started doing this too recently but Discover
      > doesn't, they actually pay for the scan meaning they actually
      > care rather than use it to generate revenue like the others.
      >
      > David
      >
      > Bruce Golub - Phosphor Media wrote:
      > > Has anyone successfully countered what is essentially a SCAM by
      > > Merchant processors in conjunction with Securitymetrics.com. Basically
      > > the processor sends you a notice that you have to have your site
      > > approved by securitymetrics in order to continue processing cards.
      > > The securitymetrics test is a joke, although David @ hostasaurus has
      > > always been able to get their tests to pass, its just making money for
      > > securitymetrics.
      > >
      > > -Bruce Golub
      > > PHOSPHOR Media
      > > www.phosphormedia.com
      >



        #4
        Securitymetrics Scam



        > It's a rip off that is becoming more and more prevalent.
        [...]
        > Then they take you for $600 or so, for trivial script kiddie
        > scans to tell you hey your apache version is this, etc.

        Yes, and it gets even more fun when you disable version display in Apache
        config. Their tests then generate completely bizarre reports and pretty
        much everything after that is also all messed up.

        They are not any better than ScanAlert / HackerSafe - and sometimes I could
        swear it's the same organization. They hire those 12 year olds who think
        they are da bom because they can remotely figure out what version Apache
        someone is running, yet when you report issues with their own servers to
        them, they are completely stumped and don't know how to resolve those
        issues. One slow day I ran a few simple tests myself, similar to what they
        are running on our clients' sites, and sent a report back to them, called
        them several times, and guess what - they didn't understand half the things
        I sent back nor did they know how to fix them. To this day the ScanAlert site
        displays the same old stuff I notified them about 5 months ago.

        Did you know merchant.mvc used to be considered a trojan, when ScanAlert
        found it on your site? Took me over a week to explain to them what Miva
        Merchant is and what .mvc extensions are. Had to go through half a dozen
        people and send numerous emails explaining it to them in 6th grade English
        what merchant.mvc was and that it was okay to pass parameters to it in the
        URL. I don't think to this day they even visited www.miva.com to verify
        anything, but... they did remove .mvc from their list of "trojans",
        eventually...

        Remik
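The "disable version display in Apache config" step Remik mentions above is the usual starting point when a scanner's findings are built on nothing more than the Server banner. The directives below are an added example, not configuration from the thread or from any of the companies it names; the comments state what each directive does in Apache httpd 2.x, and the mod_headers stanza is an assumption about the module being loaded:

```apache
# Added example: Apache httpd directives that stop the server announcing its
# version, which is what the banner-grab scans in this thread key on.
# Place in httpd.conf or a conf.d/ snippet and reload the server.

# "Prod" reduces the response header to "Server: Apache" with no version
# number, OS or module list. (Default is "Full".)
ServerTokens Prod

# Remove the footer (version and hostname) from server-generated pages such
# as 404s, 403s and directory listings.
ServerSignature Off

# Optional: scripting modules (PHP, for example) may add an X-Powered-By
# header that leaks a second version string. Assumes mod_headers is loaded.
<IfModule mod_headers.c>
    Header unset X-Powered-By
</IfModule>
```

This is banner hygiene, not patching: a scanner that fingerprints by banner will report differently (or, as the post says, strangely) once the version is gone, but the installed httpd still needs to be kept current. Verify the change with `curl -sI http://yourhost/ | grep -i '^server:'` after the reload; it should print only `Server: Apache`.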





          #5
          Securitymetrics Scam



          They used to say that merchant.mvc was susceptible to
          a SQL injection attack. Of course with v5 maybe it will
          be :-) but it was nearly impossible to explain to them
          that a script that doesn't even use SQL is not susceptible
          to SQL injection.

          Dave

          Remik - dotCOM designers wrote:
          >> It's a rip off that is becoming more and more prevalent. [...]
          >> Then they take you for $600 or so, for trivial script kiddie
          >> scans to tell you hey your apache version is this, etc.
          >
          > Yes, and it gets even more fun when you disable version display in
          > Apache config. Their tests then generate completely bizarre reports
          > and pretty much everything after that is also all messed up.
          >
          > They are not any better than ScanAlert / HackerSafe - and sometimes
          > I could swear it's the same organization. They hire those 12 year
          > olds who think they are da bom because they can remotely figure out
          > what version Apache someone is running, yet when you report issues
          > with their own servers to them, they are completely stumped and
          > don't know how to resolve those issues. One slow day I ran a few
          > simple tests myself, similar to what they are running on our
          > clients' sites, and sent a report back to them, called them several
          > times, and guess what - they didn't understand half the things I
          > sent back nor did they know how to fix them. To this day ScanAlert
          > site displays the same old stuff I notified them about 5 months ago.
          >
          > Did you know merchant.mvc used to be considered a trojan, when
          > ScanAlert found it on your site? Took me over a week to explain to
          > them what Miva Merchant is and what .mvc extensions are. Had to go
          > through half a dozen people and send numerous emails explaining it
          > to them in 6th grade English what merchant.mvc was and that it was
          > okay to pass parameters to it in the URL. I don't think to this day
          > they even visited www.miva.com to verify anything, but... they did
          > remove .mvc from their list of "trojans", eventually...
          >
          > Remik



            #6
            Securitymetrics Scam



            Silliest thing is the easiest way to pass their "tests" is to simply block
            their IP space except for port 80. If they cannot reach any services but
            web they list it as 'passed'.

            Complete scam. We have one client who spends more on 'testing' each and
            every month than they pay for their hosting account...

            Jonathan
            Driftwood Network Services


            At 01:16 PM 2/1/2005, Bruce Golub - Phosphor Media wrote:
            >Has anyone successfully countered what is essentially a SCAM by Merchant
            >processors in conjuction with Securitymetrics.com. Basically the processor
            >sends you a notice that you have to have your site approved by
            >securitymetrics in order to continue processing cards. The securitymetrics
            >test is a joke, although David @ hostasaurus has always been able to get
            >their tests to pass, its just making money for securitymetrics.
            >
            >-Bruce Golub
            >PHOSPHOR Media
            >www.phosphormedia.com
            >



              #7
              Securitymetrics Scam



              LOL, I love it...even as a joke, since that is what this is on top of
              being a scam....heck, this is the SAME server that they tested twice
              already...and each time it's the "education" process as to why their
              little kiddie-scripts are a joke.

              I did get a bit of encouragement from our AT...because this "test" is
              not required of EVERY merchant, it comes under the concept of Arbitrary
              Fees, which are prohibited by CC companies which come under state and
              federal lending practices. It's a start, wouldn't hold your breath.

              -Bruce


              > -----Original Message-----
              > From: Jonathan - Driftwood [mailto:[email protected]]
              > Sent: Thursday, February 10, 2005 7:33 AM
              > To: Bruce Golub - Phosphor Media; Miva Users List
              > Subject: Re: [meu] Securitymetrics Scam
              >
              > Silliest thing is the easiest way to pass their "tests" is to
              > simply block their IP space except for port 80. If they
              > cannot reach any services but web they list it as 'passed'.
              >
              > Complete scam. We have one client who spends more on
              > 'testing' each and every month than they pay for their
              > hosting account...
              >
              > Jonathan
              > Driftwood Network Services
              >
              >
              > At 01:16 PM 2/1/2005, Bruce Golub - Phosphor Media wrote:
              > >Has anyone successfully countered what is essentially a SCAM by
              > >Merchant processors in conjunction with Securitymetrics.com. Basically
              > >the processor sends you a notice that you have to have your site
              > >approved by securitymetrics in order to continue processing cards. The
              > >securitymetrics test is a joke, although David @ hostasaurus has always
              > >been able to get their tests to pass, its just making money
              > >for securitymetrics.
              > >
              > >-Bruce Golub
              > >PHOSPHOR Media
              > >www.phosphormedia.com



                #8
                Securitymetrics Scam



                Anyone work with ScanAlert? I've heard some say that Securitymetrics is
                essentially the same thing, although ScanAlert is much bigger, and used by
                thousands of rather large merchants.

                Ben

                > -----Original Message-----
                > From: [email protected] [mailto:[email protected]] On
                > Behalf Of Bruce Golub
                > Sent: Thursday, February 10, 2005 11:13 AM
                > To: 'Miva Users List'
                > Subject: RE: [meu] Securitymetrics Scam
                >
                > LOL, I love it...even as a joke, since that is what this is on top of
                > being
                > a scam....heck, this is the SAME server that they tested twice
                > already...and
                > each time it's the "education" process as to why their little kiddie-
                > scripts
                > are a joke.
                >
                > I did get a bit of encouragement from our AT...because this "test" is not
                > required of EVERY merchant, it comes under the concept of Arbitrary Fees,
                > which are prohibited by CC companies which come under state and federal
                > lending practices. It's a start, wouldn't hold your breath.
                >
                > -Bruce
                >
                >
                > > -----Original Message-----
                > > From: Jonathan - Driftwood [mailto:[email protected]]
                > > Sent: Thursday, February 10, 2005 7:33 AM
                > > To: Bruce Golub - Phosphor Media; Miva Users List
                > > Subject: Re: [meu] Securitymetrics Scam
                > >
                > > Silliest thing is the easiest way to pass their "tests" is to
                > > simply block their IP space except for port 80. If they
                > > cannot reach any services but web they list it as 'passed'.
                > >
                > > Complete scam. We have one client who spends more on
                > > 'testing' each and every month than they pay for their
                > > hosting account...
                > >
                > > Jonathan
                > > Driftwood Network Services
                > >
                > >
                > > At 01:16 PM 2/1/2005, Bruce Golub - Phosphor Media wrote:
                > > >Has anyone successfully countered what is essentially a SCAM by
                > > >Merchant processors in conjunction with Securitymetrics.com. Basically
                > > >the processor sends you a notice that you have to have your site
                > > >approved by securitymetrics in order to continue processing cards. The
                > > >securitymetrics test is a joke, although David @ hostasaurus has always
                > > >been able to get their tests to pass, its just making money
                > > >for securitymetrics.
                > > >
                > > >-Bruce Golub
                > > >PHOSPHOR Media
                > > >www.phosphormedia.com
                > > >



                  #9
                  Securitymetrics Scam



                  Yes, we do... we have a few clients using them. Overall, their scanning
                  techniques leave a lot to be desired - they find things that physically
                  don't exist on the server, or misinterpret things like merchant.mvc as
                  either a trojan or that it is susceptible to SQL injection attacks. Trying
                  to explain some of these things to them is, well, challenging, as they don't
                  understand half the things they report to you. When you run a similar scan
                  on their own servers, you can find many red flags that you'd think a
                  security company would not have on their own network if they want to enforce
                  you fix these things on yours.

                  The funniest thing is that many of the ScanAlert clients pay more for that
                  service than they do for their own web hosting. When I spoke with a couple of
                  our clients using them, they simply said they "have to" use them because
                  their competition uses them and their target market "expects" to see the
                  same logos on all web sites selling similar products. Guess someone at
                  ScanAlert did an excellent job on the marketing front, at least! :-0
                  Either that or they are owned by Verisign and use the same marketing speak
                  for pushing overpriced ($895/year) SSL certificates.

                  Remik Kolodziej
                  dotCOM designers - Miva Premier Hosting Partner
                  http://www.dotcomdesigners.com - 888-321-6239




                  ----- Original Message -----
                  From: "Ben Walsh" <[email protected]>
                  Sent: Saturday, February 12, 2005 7:34 PM
                  Subject: RE: [meu] Securitymetrics Scam


                  > Anyone work with ScanAlert? I've heard some say that Securitymetrics is
                  > essentially the same thing, although ScanAlert is much bigger, and used by
                  > thousands of rather large merchants.
                  >
                  > Ben


