Miva Merchant Community Forums
-
Securitymetrics Scam
Has anyone successfully countered what is essentially a SCAM by Merchant
processors in conjunction with Securitymetrics.com. Basically the processor
sends you a notice that you have to have your site approved by
securitymetrics in order to continue processing cards. The securitymetrics
test is a joke, although David @ hostasaurus has always been able to get
their tests to pass, it's just making money for securitymetrics.
-Bruce Golub
PHOSPHOR Media
www.phosphormedia.com
--
Internal Virus Database is out-of-date.
Checked by AVG Anti-Virus.
Version: 7.0.300 / Virus Database: 265.7.2 - Release Date: 1/21/2005
-
Securitymetrics Scam
It's a rip off that is becoming more and more prevalent. Basically
Security Metrics gives merchant account providers a kickback for
'enforcing' some obscure interpretation of a Visa/MC policy and
then the merchant account provider hits their customer with the
"You have to be scanned but we have this great discount worked
out with security metrics just for our customers." Then they take
you for $600 or so, for trivial script kiddie scans to tell you
hey your apache version is this, etc.
Amex has started doing this too recently but Discover doesn't,
they actually pay for the scan meaning they actually care rather
than use it to generate revenue like the others.
David
Bruce Golub - Phosphor Media wrote:
> Has anyone successfully countered what is essentially a SCAM by
> Merchant processors in conjunction with Securitymetrics.com. Basically
> the processor sends you a notice that you have to have your site
> approved by securitymetrics in order to continue processing cards.
> The securitymetrics test is a joke, although David @ hostasaurus has
> always been able to get their tests to pass, it's just making money
> for securitymetrics.
>
> -Bruce Golub
> PHOSPHOR Media
> www.phosphormedia.com
-
Securitymetrics Scam
If anyone (David especially) wants to write this up a bit more formally, I'd
be happy to refer this to our State Attorney General (although, since he's a
republican, it might fall on deaf ears) if others do the same, perhaps we
can catch a little wind?
-Bruce
> -----Original Message-----
> From: owner-miva-users@miva.com
> [mailto:owner-miva-users@miva.com] On Behalf Of David Hubbard
> Sent: Tuesday, February 01, 2005 10:27 AM
> To: Bruce Golub - Phosphor Media; Miva Users List
> Subject: RE: [meu] Securitymetrics Scam
>
> It's a rip off that is becoming more and more prevalent.
> Basically Security Metrics gives merchant account providers a
> kickback for 'enforcing' some obscure interpretation of a
> Visa/MC policy and then the merchant account provider hits
> their customer with the "You have to be scanned but we have
> this great discount worked out with security metrics just for
> our customers." Then they take you for $600 or so, for
> trivial script kiddie scans to tell you hey your apache
> version is this, etc.
>
> Amex has started doing this too recently but Discover
> doesn't, they actually pay for the scan meaning they actually
> care rather than use it to generate revenue like the others.
>
> David
>
> Bruce Golub - Phosphor Media wrote:
> > Has anyone successfully countered what is essentially a SCAM by
> > Merchant processors in conjunction with Securitymetrics.com.
> Basically
> > the processor sends you a notice that you have to have your site
> > approved by securitymetrics in order to continue processing cards.
> > The securitymetrics test is a joke, although David @
> hostasaurus has
> > always been able to get their tests to pass, it's just
> making money for
> > securitymetrics.
> >
> > -Bruce Golub
> > PHOSPHOR Media
> > www.phosphormedia.com
>
-
Securitymetrics Scam
> It's a rip off that is becoming more and more prevalent.
[...]
> Then they take you for $600 or so, for trivial script kiddie
> scans to tell you hey your apache version is this, etc.
Yes, and it gets even more fun when you disable version display in Apache
config. Their tests then generate completely bizarre reports and pretty
much everything after that is also all messed up.
They are not any better than ScanAlert / HackerSafe - and sometimes I could
swear it's the same organization. They hire those 12 year olds who think
they are da bom because they can remotely figure out what version Apache
someone is running, yet when you report issues with their own servers to
them, they are completely stumped and don't know how to resolve those
issues. One slow day I ran a few simple tests myself, similar to what they
are running on our clients' sites, and sent a report back to them, called
them several times, and guess what - they didn't understand half the things
I sent back nor did they know how to fix them. To this day ScanAlert site
displays the same old stuff I notified them about 5 months ago.
Did you know merchant.mvc used to be considered a trojan, when ScanAlert
found it on your site? Took me over a week to explain to them what Miva
Merchant is and what .mvc extensions are. Had to go through half a dozen
people and send numerous emails explaining it to them in 6th grade English
what merchant.mvc was and that it was okay to pass parameters to it in the
URL. I don't think to this day they even visited www.miva.com to verify
anything, but... they did remove .mvc from their list of "trojans",
eventually...
Remik
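As an added example (not code from any of the posts above, nor from SecurityMetrics or ScanAlert), here is the kind of Server-header banner check these scanners run, written so that a withheld version is reported as "withheld" rather than turned into a spurious finding. The three HTTP responses are constructed sample data, not captured from any real server; the "withheld" one is the form Apache sends with "ServerTokens Prod".

```python
import re
from typing import NamedTuple, Optional

# Constructed sample responses (not captured traffic). The first discloses a
# full version string, the second is what Apache emits with "ServerTokens Prod",
# the third omits the Server header entirely.
SAMPLE_RESPONSES = {
    "disclosing": b"HTTP/1.1 200 OK\r\nServer: Apache/1.3.33 (Unix) mod_ssl/2.8.22\r\n"
                  b"Content-Type: text/html\r\n\r\n<html></html>",
    "withheld":   b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n<html></html>",
    "absent":     b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
}


class Banner(NamedTuple):
    product: Optional[str]   # e.g. "Apache"
    version: Optional[str]   # e.g. "1.3.33", or None when not disclosed
    modules: tuple           # trailing "name/version" tokens such as "mod_ssl/2.8.22"


# One "product/version" token; the version part is optional so "Apache" alone parses.
_TOKEN = re.compile(r"(?P<product>[A-Za-z][\w.-]*)(?:/(?P<version>[\w.]+))?")


def server_header(raw_response: bytes) -> Optional[str]:
    """Return the Server header value from a raw HTTP response, or None if absent.
    Header names are matched case-insensitively; the status line and body are ignored."""
    head, _, _ = raw_response.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # [1:] skips the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("latin-1")
    return None


def parse_banner(value: str) -> Banner:
    """Split "Apache/1.3.33 (Unix) mod_ssl/2.8.22" into product, version and modules.
    Parenthesised comments such as "(Unix)" carry no version and are dropped."""
    stripped = re.sub(r"\([^)]*\)", " ", value)
    tokens = [m for m in (_TOKEN.match(t) for t in stripped.split()) if m]
    if not tokens:
        return Banner(None, None, ())
    first = tokens[0]
    modules = tuple(m.group(0) for m in tokens[1:])
    return Banner(first.group("product"), first.group("version"), modules)


def classify(raw_response: bytes) -> str:
    """Return "disclosed", "withheld", "absent" or "unparseable".
    Only "disclosed" can support a version-based finding; the other three are
    informational and must not be reported as a vulnerability."""
    value = server_header(raw_response)
    if value is None:
        return "absent"
    banner = parse_banner(value)
    if banner.product is None:
        return "unparseable"
    return "disclosed" if banner.version else "withheld"


if __name__ == "__main__":
    for label, resp in SAMPLE_RESPONSES.items():
        print(f"{label:10} Server={server_header(resp)!r:45} -> {classify(resp)}")
```

The point of the four-way classification is that a scanner which has only a version-to-advisory table has nothing to say once the version is hidden; returning "withheld" keeps that state visible in the report instead of letting the version-matching logic run on an empty string.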
-
Securitymetrics Scam
They used to say that merchant.mvc was susceptible to
a SQL injection attack. Of course with v5 maybe it will
be :-) but it was nearly impossible to explain to them
that a script that doesn't even use SQL is not susceptible
to SQL injection.
Dave
Remik - dotCOM designers wrote:
>> It's a rip off that is becoming more and more prevalent. [...]
>> Then they take you for $600 or so, for trivial script kiddie
>> scans to tell you hey your apache version is this, etc.
>
> Yes, and it gets even more fun when you disable version
> display in Apache
> config. Their tests then generate completely bizarre
> reports and pretty
> much everything after that is also all messed up.
>
> They are not any better than ScanAlert / HackerSafe - and
> sometimes I could
> swear it's the same organization. They hire those 12 year
> olds who think
> they are da bom because they can remotely figure out what
> version Apache
> someone is running, yet when you report issues with their own servers
> to them, they are completely stumped and don't know how to resolve
> those issues. One slow day I ran a few simple tests myself,
> similar to what they
> are running on our clients' sites, and sent a report back to
> them, called
> them several times, and guess what - they didn't understand
> half the things
> I sent back nor did they know how to fix them. To this day ScanAlert
> site displays the same old stuff I notified them about 5 months ago.
>
> Did you know merchant.mvc used to be considered a trojan,
> when ScanAlert
> found it on your site? Took me over a week to explain to
> them what Miva
> Merchant is and what .mvc extensions are. Had to go through
> half a dozen
> people and send numerous emails explaining it to them in 6th
> grade English
> what merchant.mvc was and that it was okay to pass parameters
> to it in the
> URL. I don't think to this day they even visited
> www.miva.com to verify
> anything, but... they did remove .mvc from their list of "trojans",
> eventually...
>
-
Securitymetrics Scam
Silliest thing is the easiest way to pass their "tests" is to simply block
their IP space except for port 80. If they cannot reach any services but
web they list it as 'passed'.
Complete scam. We have one client who spends more on 'testing' each and
every month than they pay for their hosting account...
Jonathan
Driftwood Network Services
At 01:16 PM 2/1/2005, Bruce Golub - Phosphor Media wrote:
>Has anyone successfully countered what is essentially a SCAM by Merchant
>processors in conjunction with Securitymetrics.com. Basically the processor
>sends you a notice that you have to have your site approved by
>securitymetrics in order to continue processing cards. The securitymetrics
>test is a joke, although David @ hostasaurus has always been able to get
>their tests to pass, it's just making money for securitymetrics.
>
>-Bruce Golub
>PHOSPHOR Media
>www.phosphormedia.com
>
-
Securitymetrics Scam
LOL, I love it...even as a joke, since that is what this is on top of being
a scam....heck, this is the SAME server that they tested twice already...and
each time it's the "education" process as to why their little kiddie-scripts
are a joke.
I did get a bit of encouragement from our AT...because this "test" is not
required of EVERY merchant, it comes under the concept of Arbitrary Fees,
which are prohibited by CC companies which come under state and federal
lending practices. It's a start, wouldn't hold your breath.
-Bruce
> -----Original Message-----
> From: Jonathan - Driftwood [mailto:spot@driftwood.net]
> Sent: Thursday, February 10, 2005 7:33 AM
> To: Bruce Golub - Phosphor Media; Miva Users List
> Subject: Re: [meu] Securitymetrics Scam
>
> Silliest thing is the easiest way to pass their "tests" is to
> simply block their IP space except for port 80. If they
> cannot reach any services but web they list it as 'passed'.
>
> Complete scam. We have one client who spends more on
> 'testing' each and every month than they pay for their
> hosting account...
>
> Jonathan
> Driftwood Network Services
>
>
> At 01:16 PM 2/1/2005, Bruce Golub - Phosphor Media wrote:
> >Has anyone successfully countered what is essentially a SCAM by
> >Merchant processors in conjunction with Securitymetrics.com. Basically
> >the processor sends you a notice that you have to have your site
> >approved by securitymetrics in order to continue processing cards. The
> >securitymetrics test is a joke, although David @ hostasaurus has always
> >been able to get their tests to pass, it's just making money
> >for securitymetrics.
> >
> >-Bruce Golub
> >PHOSPHOR Media
> >www.phosphormedia.com
-
Securitymetrics Scam
Anyone work with ScanAlert? I've heard some say that Securitymetrics is
essentially the same thing, although ScanAlert is much bigger, and used by
thousands of rather large merchants.
Ben
> -----Original Message-----
> From: owner-miva-users@miva.com [mailto:owner-miva-users@miva.com] On
> Behalf Of Bruce Golub
> Sent: Thursday, February 10, 2005 11:13 AM
> To: 'Miva Users List'
> Subject: RE: [meu] Securitymetrics Scam
>
> LOL, I love it...even as a joke, since that is what this is on top of
> being
> a scam....heck, this is the SAME server that they tested twice
> already...and
> each time it's the "education" process as to why their little kiddie-
> scripts
> are a joke.
>
> I did get a bit of encouragement from our AT...because this "test" is not
> required of EVERY merchant, it comes under the concept of Arbitrary Fees,
> which are prohibited by CC companies which come under state and federal
> lending practices. It's a start, wouldn't hold your breath.
>
> -Bruce
>
>
> > -----Original Message-----
> > From: Jonathan - Driftwood [mailto:spot@driftwood.net]
> > Sent: Thursday, February 10, 2005 7:33 AM
> > To: Bruce Golub - Phosphor Media; Miva Users List
> > Subject: Re: [meu] Securitymetrics Scam
> >
> > Silliest thing is the easiest way to pass their "tests" is to
> > simply block their IP space except for port 80. If they
> > cannot reach any services but web they list it as 'passed'.
> >
> > Complete scam. We have one client who spends more on
> > 'testing' each and every month than they pay for their
> > hosting account...
> >
> > Jonathan
> > Driftwood Network Services
> >
> >
> > At 01:16 PM 2/1/2005, Bruce Golub - Phosphor Media wrote:
> > >Has anyone successfully countered what is essentially a SCAM by
> > >Merchant processors in conjunction with Securitymetrics.com.
> > Basically
> > >the processor sends you a notice that you have to have your site
> > >approved by securitymetrics in order to continue processing
> > cards. The
> > >securitymetrics test is a joke, although David @ hostasaurus
> > has always
> > >been able to get their tests to pass, it's just making money
> > for securitymetrics.
> > >
> > >-Bruce Golub
> > >PHOSPHOR Media
> > >www.phosphormedia.com
> > >
-
Securitymetrics Scam
Yes, we do... we have a few clients using them. Overall, their scanning
techniques leave a lot to be desired - they find things that physically
don't exist on the server, or misinterpret things like merchant.mvc as
either a trojan or that it is susceptible to SQL injection attacks. Trying
to explain some of these things to them is, well, challenging, as they don't
understand half the things they report to you. When you run a similar scan
on their own servers, you can find many red flags that you'd think a
security company would not have on their own network if they want to enforce
you fix these things on yours.
The funniest thing is that many of the ScanAlert clients pay more for that
service than they do for their own web hosting. When I spoke with a couple of
our clients using them, they simply said they "have to" use them because
their competition uses them and their target market "expects" to see the
same logos on all web sites selling similar products. Guess someone at
ScanAlert did an excellent job on the marketing front, at least! :-0
Either that or they are owned by Verisign and use the same marketing speak
for pushing overpriced ($895/year) SSL certificates.
Remik Kolodziej
dotCOM designers - Miva Premier Hosting Partner
http://www.dotcomdesigners.com - 888-321-6239
----- Original Message -----
From: "Ben Walsh" <bwalsh@ironcladsecure.com>
Sent: Saturday, February 12, 2005 7:34 PM
Subject: RE: [meu] Securitymetrics Scam
> Anyone work with ScanAlert? I've heard some say that Securitymetrics is
> essentially the same thing, although ScanAlert is much bigger, and used by
> thousands of rather large merchants.
>
> Ben