Miva Merchant Community Forums

  1. #1
    Guest

    Securitymetrics Scam

    Has anyone successfully countered what is essentially a SCAM by Merchant
    processors in conjunction with Securitymetrics.com. Basically the processor
    sends you a notice that you have to have your site approved by
    securitymetrics in order to continue processing cards. The securitymetrics
    test is a joke, although David @ hostasaurus has always been able to get
    their tests to pass, it's just making money for securitymetrics.

    -Bruce Golub
    PHOSPHOR Media
    www.phosphormedia.com

    --
    Internal Virus Database is out-of-date.
    Checked by AVG Anti-Virus.
    Version: 7.0.300 / Virus Database: 265.7.2 - Release Date: 1/21/2005




  2. #2
    Guest

    Securitymetrics Scam

    It's a rip off that is becoming more and more prevalent. Basically
    Security Metrics gives merchant account providers a kickback for
    'enforcing' some obscure interpretation of a Visa/MC policy and
    then the merchant account provider hits their customer with the
    "You have to be scanned but we have this great discount worked
    out with security metrics just for our customers." Then they take
    you for $600 or so, for trivial script kiddie scans to tell you
    hey your apache version is this, etc.

    Amex has started doing this too recently but Discover doesn't,
    they actually pay for the scan meaning they actually care rather
    than use it to generate revenue like the others.

    David

    Bruce Golub - Phosphor Media wrote:
    > Has anyone successfully countered what is essentially a SCAM by
    > Merchant processors in conjunction with Securitymetrics.com. Basically
    > the processor sends you a notice that you have to have your site
    > approved by securitymetrics in order to continue processing cards.
    > The securitymetrics test is a joke, although David @ hostasaurus has
    > always been able to get their tests to pass, it's just making money
    > for securitymetrics.
    >
    > -Bruce Golub
    > PHOSPHOR Media
    > www.phosphormedia.com


  3. #3
    Guest

    Securitymetrics Scam

    If anyone (David especially) wants to write this up a bit more formally, I'd
    be happy to refer this to our State Attorney General (although, since he's a
    republican, it might fall on deaf ears) if others do the same, perhaps we
    can catch a little wind?

    -Bruce

    > -----Original Message-----
    > From: owner-miva-users@miva.com
    > [mailto:owner-miva-users@miva.com] On Behalf Of David Hubbard
    > Sent: Tuesday, February 01, 2005 10:27 AM
    > To: Bruce Golub - Phosphor Media; Miva Users List
    > Subject: RE: [meu] Securitymetrics Scam
    >
    > It's a rip off that is becoming more and more prevalent.
    > Basically Security Metrics gives merchant account providers a
    > kickback for 'enforcing' some obscure interpretation of a
    > Visa/MC policy and then the merchant account provider hits
    > their customer with the "You have to be scanned but we have
    > this great discount worked out with security metrics just for
    > our customers." Then they take you for $600 or so, for
    > trivial script kiddie scans to tell you hey your apache
    > version is this, etc.
    >
    > Amex has started doing this too recently but Discover
    > doesn't, they actually pay for the scan meaning they actually
    > care rather than use it to generate revenue like the others.
    >
    > David
    >
    > Bruce Golub - Phosphor Media wrote:
    > > Has anyone successfully countered what is essentially a SCAM by
    > > Merchant processors in conjunction with Securitymetrics.com.
    > > Basically the processor sends you a notice that you have to have
    > > your site approved by securitymetrics in order to continue
    > > processing cards. The securitymetrics test is a joke, although
    > > David @ hostasaurus has always been able to get their tests to
    > > pass, it's just making money for securitymetrics.
    > >
    > > -Bruce Golub
    > > PHOSPHOR Media
    > > www.phosphormedia.com
    >

  4. #4
    Guest

    Securitymetrics Scam

    > It's a rip off that is becoming more and more prevalent.
    [...]
    > Then they take you for $600 or so, for trivial script kiddie
    > scans to tell you hey your apache version is this, etc.

    Yes, and it gets even more fun when you disable version display in Apache
    config. Their tests then generate completely bizarre reports and pretty
    much everything after that is also all messed up.

    They are not any better than ScanAlert / HackerSafe - and sometimes I could
    swear it's the same organization. They hire those 12 year olds who think
    they are da bom because they can remotely figure out what version Apache
    someone is running, yet when you report issues with their own servers to
    them, they are completely stumped and don't know how to resolve those
    issues. One slow day I ran a few simple tests myself, similar to what they
    are running on our clients' sites, and sent a report back to them, called
    them several times, and guess what - they didn't understand half the things
    I sent back nor did they know how to fix them. To this day the ScanAlert site
    displays the same old stuff I notified them about 5 months ago.

    Did you know merchant.mvc used to be considered a trojan, when ScanAlert
    found it on your site? Took me over a week to explain to them what Miva
    Merchant is and what .mvc extensions are. Had to go through half a dozen
    people and send numerous emails explaining it to them in 6th grade English
    what merchant.mvc was and that it was okay to pass parameters to it in the
    URL. I don't think to this day they even visited www.miva.com to verify
    anything, but... they did remove .mvc from their list of "trojans",
    eventually...

    Remik
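As an added illustration of the Apache banner setting Remik mentions (this is not code from the thread, from Miva or from Apache): the two httpd directives involved are ServerTokens and ServerSignature, and the checker below reads a config text to see whether they are set to the hardened values, then parses the Server header of an HTTP response the way a banner-only scanner would. The config texts and HTTP responses are constructed samples; the directive names and their httpd defaults (ServerTokens Full, ServerSignature Off) are real.

```python
"""Added example, not code from the thread or from Miva/Apache: a small checker
for the Apache banner settings a scanner reads. The directive names
(ServerTokens, ServerSignature) are real Apache httpd directives; every config
text and HTTP response below is constructed for the example."""
import re
from typing import Optional

# Apache httpd defaults when the directive is absent from the config.
_DEFAULTS = {"ServerTokens": "Full", "ServerSignature": "Off"}

# Constructed sample configurations (not from any real server).
WEAK_CONF = """ServerTokens Full
ServerSignature On
"""
HARDENED_CONF = """# keep the banner to 'Apache' and drop the footer on error pages
ServerTokens Prod
ServerSignature Off
"""

# Constructed sample responses: the first leaks a version, the second does not.
FULL_BANNER = "HTTP/1.1 200 OK\r\nServer: Apache/1.3.33 (Unix) PHP/4.3.10\r\n\r\n"
PROD_BANNER = "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"


def banner_settings(httpd_conf: str) -> dict:
    """Return the effective ServerTokens/ServerSignature values from a config text.

    Apache honours the last occurrence of a directive; a line whose first
    non-blank character is '#' is a comment. Missing directives fall back to
    the httpd defaults.
    """
    settings = dict(_DEFAULTS)
    for line in httpd_conf.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = re.match(r"(ServerTokens|ServerSignature)\s+(\S+)", stripped, re.IGNORECASE)
        if m:
            # Directive names are case-insensitive; map back to the canonical key.
            key = "ServerTokens" if m.group(1).lower() == "servertokens" else "ServerSignature"
            settings[key] = m.group(2)
    return settings


def is_hardened(settings: dict) -> bool:
    """True when the banner is reduced to the product name and the footer is off."""
    return (settings["ServerTokens"].lower() == "prod"
            and settings["ServerSignature"].lower() == "off")


def version_from_server_header(raw_response: str) -> Optional[str]:
    """Extract the Apache version from a raw HTTP response's Server header.

    Returns None when the header is absent or carries no version, which is
    exactly what a banner-only scanner sees once ServerTokens is Prod.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            m = re.search(r"Apache/(\d+(?:\.\d+)+)", value)
            return m.group(1) if m else None
    return None


def banner_assessment(raw_response: str) -> str:
    """Classify what a version-string scan can conclude from the banner alone."""
    version = version_from_server_header(raw_response)
    if version is None:
        # Hiding the version patches nothing; a scanner that relies on the
        # banner simply has no basis for a finding either way.
        return "no version in banner; banner-based checks are inconclusive"
    return f"banner reports Apache {version}; banner-based checks apply"


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        s = banner_settings(conf)
        print(f"{label}: {s} hardened={is_hardened(s)}")
    for resp in (FULL_BANNER, PROD_BANNER):
        print(banner_assessment(resp))
```

The point the checker makes is the one behind the post: with ServerTokens Prod the banner carries nothing a version-matching scan can key on, so such a scan is inconclusive rather than a pass, and the actual patch level still has to be verified on the host.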




  5. #5
    Guest

    Securitymetrics Scam

    They used to say that merchant.mvc was susceptible to
    a SQL injection attack. Of course with v5 maybe it will
    be :-) but it was nearly impossible to explain to them
    that a script that doesn't even use SQL is not susceptible
    to SQL injection.

    Dave

    Remik - dotCOM designers wrote:
    >> It's a rip off that is becoming more and more prevalent. [...]
    >> Then they take you for $600 or so, for trivial script kiddie
    >> scans to tell you hey your apache version is this, etc.
    >
    > Yes, and it gets even more fun when you disable version display in Apache
    > config. Their tests then generate completely bizarre reports and pretty
    > much everything after that is also all messed up.
    >
    > They are not any better than ScanAlert / HackerSafe - and sometimes I could
    > swear it's the same organization. They hire those 12 year olds who think
    > they are da bom because they can remotely figure out what version Apache
    > someone is running, yet when you report issues with their own servers
    > to them, they are completely stumped and don't know how to resolve
    > those issues. One slow day I ran a few simple tests myself, similar to
    > what they are running on our clients' sites, and sent a report back to
    > them, called them several times, and guess what - they didn't understand
    > half the things I sent back nor did they know how to fix them. To this
    > day the ScanAlert site displays the same old stuff I notified them about
    > 5 months ago.
    >
    > Did you know merchant.mvc used to be considered a trojan, when ScanAlert
    > found it on your site? Took me over a week to explain to them what Miva
    > Merchant is and what .mvc extensions are. Had to go through half a dozen
    > people and send numerous emails explaining it to them in 6th grade English
    > what merchant.mvc was and that it was okay to pass parameters to it in the
    > URL. I don't think to this day they even visited www.miva.com to verify
    > anything, but... they did remove .mvc from their list of "trojans",
    > eventually...
    >
    > Remik

  6. #6
    Guest

    Securitymetrics Scam

    Silliest thing is the easiest way to pass their "tests" is to simply block
    their IP space except for port 80. If they cannot reach any services but
    web they list it as 'passed'.

    Complete scam. We have one client who spends more on 'testing' each and
    every month than they pay for their hosting account...

    Jonathan
    Driftwood Network Services


    At 01:16 PM 2/1/2005, Bruce Golub - Phosphor Media wrote:
    >Has anyone successfully countered what is essentially a SCAM by Merchant
    >processors in conjunction with Securitymetrics.com. Basically the processor
    >sends you a notice that you have to have your site approved by
    >securitymetrics in order to continue processing cards. The securitymetrics
    >test is a joke, although David @ hostasaurus has always been able to get
    >their tests to pass, it's just making money for securitymetrics.
    >
    >-Bruce Golub
    >PHOSPHOR Media
    >www.phosphormedia.com
    >

  7. #7
    Guest

    Securitymetrics Scam

    LOL, I love it...even as a joke, since that is what this is on top of being
    a scam....heck, this is the SAME server that they tested twice already...and
    each time it's the "education" process as to why their little kiddie-scripts
    are a joke.

    I did get a bit of encouragement from our AT...because this "test" is not
    required of EVERY merchant, it comes under the concept of Arbitrary Fees,
    which are prohibited by CC companies which come under state and federal
    lending practices. It's a start, wouldn't hold your breath.

    -Bruce


    > -----Original Message-----
    > From: Jonathan - Driftwood [mailto:spot@driftwood.net]
    > Sent: Thursday, February 10, 2005 7:33 AM
    > To: Bruce Golub - Phosphor Media; Miva Users List
    > Subject: Re: [meu] Securitymetrics Scam
    >
    > Silliest thing is the easiest way to pass their "tests" is to
    > simply block their IP space except for port 80. If they
    > cannot reach any services but web they list it as 'passed'.
    >
    > Complete scam. We have one client who spends more on
    > 'testing' each and every month than they pay for their
    > hosting account...
    >
    > Jonathan
    > Driftwood Network Services
    >
    >
    > At 01:16 PM 2/1/2005, Bruce Golub - Phosphor Media wrote:
    > >Has anyone successfully countered what is essentially a SCAM by
    > >Merchant processors in conjunction with Securitymetrics.com.
    > >Basically the processor sends you a notice that you have to have
    > >your site approved by securitymetrics in order to continue
    > >processing cards. The securitymetrics test is a joke, although
    > >David @ hostasaurus has always been able to get their tests to
    > >pass, it's just making money for securitymetrics.
    > >
    > >-Bruce Golub
    > >PHOSPHOR Media
    > >www.phosphormedia.com
    > >

  8. #8
    Guest

    Securitymetrics Scam

    Anyone work with ScanAlert? I've heard some say that Securitymetrics is
    essentially the same thing, although ScanAlert is much bigger, and used by
    thousands of rather large merchants.

    Ben

    > -----Original Message-----
    > From: owner-miva-users@miva.com [mailto:owner-miva-users@miva.com] On
    > Behalf Of Bruce Golub
    > Sent: Thursday, February 10, 2005 11:13 AM
    > To: 'Miva Users List'
    > Subject: RE: [meu] Securitymetrics Scam
    >
    > LOL, I love it...even as a joke, since that is what this is on top of
    > being
    > a scam....heck, this is the SAME server that they tested twice
    > already...and
    > each time it's the "education" process as to why their little kiddie-
    > scripts
    > are a joke.
    >
    > I did get a bit of encouragement from our AT...because this "test" is not
    > required of EVERY merchant, it comes under the concept of Arbitrary Fees,
    > which are prohibited by CC companies which come under state and federal
    > lending practices. It's a start, wouldn't hold your breath.
    >
    > -Bruce
    >
    >
    > > -----Original Message-----
    > > From: Jonathan - Driftwood [mailto:spot@driftwood.net]
    > > Sent: Thursday, February 10, 2005 7:33 AM
    > > To: Bruce Golub - Phosphor Media; Miva Users List
    > > Subject: Re: [meu] Securitymetrics Scam
    > >
    > > Silliest thing is the easiest way to pass their "tests" is to
    > > simply block their IP space except for port 80. If they
    > > cannot reach any services but web they list it as 'passed'.
    > >
    > > Complete scam. We have one client who spends more on
    > > 'testing' each and every month than they pay for their
    > > hosting account...
    > >
    > > Jonathan
    > > Driftwood Network Services
    > >
    > >
    > > At 01:16 PM 2/1/2005, Bruce Golub - Phosphor Media wrote:
    > > >Has anyone successfully countered what is essentially a SCAM by
    > > >Merchant processors in conjunction with Securitymetrics.com.
    > > >Basically the processor sends you a notice that you have to have
    > > >your site approved by securitymetrics in order to continue
    > > >processing cards. The securitymetrics test is a joke, although
    > > >David @ hostasaurus has always been able to get their tests to
    > > >pass, it's just making money for securitymetrics.
    > > >
    > > >-Bruce Golub
    > > >PHOSPHOR Media
    > > >www.phosphormedia.com
    > > >

  9. #9
    Guest

    Securitymetrics Scam

    Yes, we do... we have a few clients using them. Overall, their scanning
    techniques leave a lot to be desired - they find things that physically
    don't exist on the server, or misinterpret things like merchant.mvc as
    either a trojan or that it is susceptible to SQL injection attacks. Trying
    to explain some of these things to them is, well, challenging, as they don't
    understand half the things they report to you. When you run a similar scan
    on their own servers, you can find many red flags that you'd think a
    security company would not have on their own network if they want to enforce
    you fix these things on yours.

    The funniest thing is that many of the ScanAlert clients pay more for that
    service than they do for their own web hosting. When I spoke with a couple of
    our clients using them, they simply said they "have to" use them because
    their competition uses them and their target market "expects" to see the
    same logos on all web sites selling similar products. Guess someone at
    ScanAlert did an excellent job on the marketing front, at least! :-0
    Either that or they are owned by Verisign and use the same marketing speak
    for pushing overpriced ($895/year) SSL certificates.

    Remik Kolodziej
    dotCOM designers - Miva Premier Hosting Partner
    http://www.dotcomdesigners.com - 888-321-6239




    ----- Original Message -----
    From: "Ben Walsh" <bwalsh@ironcladsecure.com>
    Sent: Saturday, February 12, 2005 7:34 PM
    Subject: RE: [meu] Securitymetrics Scam


    > Anyone work with ScanAlert? I've heard some say that Securitymetrics is
    > essentially the same thing, although ScanAlert is much bigger, and used by
    > thousands of rather large merchants.
    >
    > Ben



