Re: Netblock reassigned from Chile to US ISP...
Martin List-Petersen wrote:
-> Contact Google.

Somebody from Google replied off-list. Sounds like Google maybe had this updated even before he looked at it.

-> Again. Akamai is helpful. Contact them.

Somebody from Akamai replied off-list and they're looking into it.

-> 3) End-user unable to complete an online e-commerce transaction
-> due to a fraud-prevention service thinking he was a Chilean user
-> trying to buy something with a US-based credit card.
->
-> There's no fast fix for this, but have you talked to MaxMind about
-> changing the Geo location ? They'll implement it fast and it's in their
-> DB within a week, max 2, but it'll take 2 months at least, before it

MaxMind was the first place I checked; they already had the correct info when I looked. IP2Location don't have the right info, but they think it's a Speakeasy.net IP in Washington DC which probably won't be a problem. No idea about Digital Element yet.

Netblock is 67.214.48.0/20 - was reg'd a couple of weeks ago so folks who pull ARIN assignments regularly will have it. Those who care but don't check ARIN regularly may want to see if they think it's in Chile, and change it to Denver, Colorado if so.

-> However, the ecommerce issue is a bit worse, because there's some
-> of'em out there, like one of the biggest hosters in the states, that
-> have 2 year old data.

Yeah, it's those types that I'm hoping to locate as well... Google and Akamai were immediately noticed by the test users, and have also responded very quickly (thanks, guys), but ideally we'd like to be proactive and get as many of these updated *before* the real customers hit the network and start having problems.

-Robert.-
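A sketch of the check the message above asks geolocation holders to make, as an added example that is not part of the original thread: it audits a locally cached geolocation table for rows that overlap 67.214.48.0/20 and rewrites them to the new location, carving the block out of any stale covering range. The table rows, the function names and the 198.51.100.0/24 entry are constructed for illustration.

```python
import ipaddress

# Block and new location as given in the message above.
REASSIGNED = ipaddress.ip_network("67.214.48.0/20")
NEW_LOCATION = ("US", "Denver, Colorado")

# Constructed sample of a locally cached geolocation table (not vendor data).
SAMPLE_TABLE = [
    ("67.214.0.0/16", "CL", "Santiago"),        # stale covering range
    ("67.214.52.0/24", "CL", "Valparaiso"),     # stale more-specific row
    ("198.51.100.0/24", "US", "Example City"),  # unrelated row, left alone
]


def audit(table, block=REASSIGNED, new_location=NEW_LOCATION):
    """Return (corrected_table, stale_rows) for rows that overlap `block`."""
    corrected, stale = [], []
    for cidr, country, city in table:
        net = ipaddress.ip_network(cidr)
        if not net.overlaps(block) or (country, city) == new_location:
            corrected.append((cidr, country, city))
            continue
        stale.append((cidr, country, city))
        if net != block and block.subnet_of(net):
            # Covering range: keep the old location for everything except
            # the reassigned block, which is carved out.
            for rest in net.address_exclude(block):
                corrected.append((str(rest), country, city))
        # A row equal to the block, or inside it, is dropped outright.
    replacement = (str(block), *new_location)
    if replacement not in corrected:
        corrected.append(replacement)
    corrected.sort(key=lambda row: ipaddress.ip_network(row[0]))
    return corrected, stale


def locate(table, address):
    """Longest-prefix match of `address` against the table, or None."""
    ip = ipaddress.ip_address(address)
    best = None
    for cidr, country, city in table:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, country, city)
    return None if best is None else (best[1], best[2])


if __name__ == "__main__":
    fixed, stale_rows = audit(SAMPLE_TABLE)
    for row in stale_rows:
        print("stale:", row)
    for row in fixed:
        print("keep: ", row)
    print(locate(SAMPLE_TABLE, "67.214.52.9"), "->", locate(fixed, "67.214.52.9"))
```
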
try being illiterate and living in japan :) my gripe is the significant sites that put up the kanji page, offer no language choice, and you got there from the US url. you're trapped. and i can not tunnel out of it via my westin or ashburn racks, as my address blocks are registered to my home address here in japan. sense of humor required. younger brain desired, so i can learn japanese. randy
On Dec 11, 2008, at 10:44 PM, Robert Tarrall wrote:
... Yeah, it's those types that I'm hoping to locate as well... Google and Akamai were immediately noticed by the test users, and have also responded very quickly (thanks, guys), but ideally we'd like to be proactive and get as many of these updated *before* the real customers hit the network and start having problems.
Agreed, and I expect that we'll be seeing more dynamic and more granular movement of IPv4 blocks over the next few years. Services that purport to provide useful information about IP block utilization geography had best plan accordingly. /John [my personal view only]
Is there an easy way to get past history on an IP block? Most sites will show you aspects of that *now*.... Frank
Sorry for my ignorance... but may someone explain how this fraud-prevention service works? How about US tourists in Chile trying to buy something with their US-based credit card? :)

Thx, Nic.

Frank Bulk wrote:
Is there an easy way to get past history on an IP block? Most sites will show you aspects of that *now*....
Frank
Nicolas Antoniello wrote:
Sorry for my ignorance... but may some one explain how this fraud-prevention service works?
How about US tourists in Chile trying to buy something with it's US based credit card? :)
It's a misconception of some muppets, especially in IT related products, that forget, that a lot of IT professionals do travel all over the world and usually have a credit card in their home country. Pure and utter nonsense. /M
Thx, Nic.
Frank Bulk wrote:
Is there an easy way to get past history on an IP block? Most sites will show you aspects of that *now*....
Frank
-- Airwire - Ag Nascadh Pobal an Iarthar http://www.airwire.ie Phone: 091-865 968
On 2008-12-12, at 15:02, Martin List-Petersen wrote:
It's a misconception of some muppets, especially in IT related products, that forget, that a lot of IT professionals do travel all over the world and usually have a credit card in their home country.
Pure and utter nonsense.
Or perhaps the hassle of dealing with stolen US credit card numbers from clients outside the US costs far more money than you could hope to make back with the purchases of US nationals travelling overseas? Could well be muppets, but surely there are other possibilities. Joe
On Fri, 12 Dec 2008, Joe Abley wrote:
On 2008-12-12, at 15:02, Martin List-Petersen wrote:
It's a misconception of some muppets, especially in IT related products, that forget, that a lot of IT professionals do travel all over the world and usually have a credit card in their home country.
Pure and utter nonsense.
Or perhaps the hassle of dealing with stolen US credit card numbers from clients outside the US costs far more money than you could hope to make back with the purchases of US nationals travelling overseas?
Could well be muppets, but surely there are other possibilities.
Sad but true, we have had to turn off signups outside the US because of that very problem. Yes, I am sure we lose some sales, but in general it is not worth the fraud costs.
Nathan Stratton CTO, BlinkMind, Inc. nathan at robotics.net nathan at blinkmind.com http://www.robotics.net http://www.blinkmind.com
On Dec 12, 2008, at 3:14 PM, Nathan Stratton wrote:
On Fri, 12 Dec 2008, Joe Abley wrote:
On 2008-12-12, at 15:02, Martin List-Petersen wrote:
It's a misconception of some muppets, especially in IT related products, that forget, that a lot of IT professionals do travel all over the world and usually have a credit card in their home country. Pure and utter nonsense.
Or perhaps the hassle of dealing with stolen US credit card numbers from clients outside the US costs far more money than you could hope to make back with the purchases of US nationals travelling overseas?
Could well be muppets, but surely there are other possibilities.
Sad but true, we have had to turn off signups outside the US because of that very problem. Yes, I am sure we lose some sales, but in general it is not worth the fraud costs.
Why don't the fraudsters just use Open US Proxies? Owen
Owen DeLong wrote:
On Dec 12, 2008, at 3:14 PM, Nathan Stratton wrote:
On Fri, 12 Dec 2008, Joe Abley wrote:
On 2008-12-12, at 15:02, Martin List-Petersen wrote:
It's a misconception of some muppets, especially in IT related products, that forget, that a lot of IT professionals do travel all over the world and usually have a credit card in their home country. Pure and utter nonsense.
Or perhaps the hassle of dealing with stolen US credit card numbers from clients outside the US costs far more money than you could hope to make back with the purchases of US nationals travelling overseas?
Could well be muppets, but surely there are other possibilities.
Sad but true, we have had to turn off signups outside the US because of that very problem. Yes, I am sure we lose some sales, but in general it is not worth the fraud costs.
Why don't the fraudsters just use Open US Proxies?
You can be sure, that the people wanting to defraud merchants know all these tricks and use them. The verified by visa password option is a far better solution, but I've not seen many US merchants supporting that yet. Instead they're relying on outdated geoip data or ask people to fax a copy of their credit card. /Martin -- Airwire - Ag Nascadh Pobal an Iarthar http://www.airwire.ie Phone: 091-865 968
Because anyone with half a brain blocks proxies from their e-commerce site.
On Fri, Dec 12, 2008 at 11:12 PM, Randy Bush <randy@psg.com> wrote:
On 08.12.13 09:33, Tomas L. Byrnes wrote:
anyone with half a brain blocks proxies from their e-commerce site.
can you know at a reasonable confidence level that it's a proxy?
Give me an IP address (privately, of course). I can tell you if it is, with consult from other colleagues in the security community. That's almost a no-brainer.

- ferg

-- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawgster(at)gmail.com ferg's tech blog: http://fergdawg.blogspot.com/
Give me an IP address (privately, of course). I can tell you if it is, with consult from other colleagues in the security community.
147.28.0.36 and "consult with colleagues" is not something very operationally scalable. randy
On Fri, Dec 12, 2008 at 11:24 PM, Randy Bush <randy@psg.com> wrote:
Give me an IP address (privately, of course). I can tell you if it is, with consult from other colleagues in the security community.
147.28.0.36
and "consult with colleagues" is not something very operationally scalable.
Of course, chasing ghosts in RGnet/PSGnet is clever, but not a worthwhile exercise. The point here is that there are many folks monitoring open proxies for illegal activities, etc., and not all of the mind-share reside in one single database. A collaborative effort to share information on abuse activity is required, of course -- and indeed already exists. So having said all that, what exactly was your point? :-)

- ferg

-- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawgster(at)gmail.com ferg's tech blog: http://fergdawg.blogspot.com/
So having said all that, what exactly was your point? :-)
bluff calling. that you can not tell us if that specific host is a proxy means that this is pretty much bs. that you and your no-girls-allowed club have some list of things you think are proxies (sure would be nice to have a definition thereof), doeth not make a rigorous, testable, and scalable system. though i guess some list of things you don't like has some utility. but it sure ain't automatible ops let alone computer science. randy
On Fri, Dec 12, 2008 at 11:36 PM, Randy Bush <randy@psg.com> wrote:
So having said all that, what exactly was your point? :-)
bluff calling.
that you can not tell us if that specific host is a proxy means that this is pretty much bs.
that you and your no-girls-allowed club have some list of things you think are proxies (sure would be nice to have a definition thereof), doeth not make a rigorous, testable, and scalable system.
Gee, I seem to have said that before regarding nsp-sec. D-oh! Look it, whatever you may think, there's certainly no "old boys club" factor at work here, but I'm certainly not going to put up a portal where anyone and their grandmother can check for known open proxies -- there is already enough of that -- and that actually is not the point. That chip on your shoulder must be getting pretty heavy... so forget it.

- ferg

-- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawgster(at)gmail.com ferg's tech blog: http://fergdawg.blogspot.com/
On 08.12.13 09:33, Tomas L. Byrnes wrote:
anyone with half a brain blocks proxies from their e-commerce site. can you know at a reasonable confidence level that it's a proxy? Give me an IP address (privately, of course). I can tell you if it is, with consult from other colleagues in the security community. That's almost a no-brainer.
Oh, but can you tell if an IP address is a compromised workstation or host of a VPN application that only allows the proxy access to the intruder? Not all proxies are plainly visible.

Geography of an IP address can be a useful heuristic to assist detection, when most transactions attempted from certain regions are bad; esp. when combined with other factors.

This is a strategy well-known to be probabilistic, and thus imperfect (not every fraud attempt will be noticed by a detector, and there will be false positives, but probably very few in relation to the total transaction throughput of say a large online retailer).

E-mail spam filters use imperfect methods like this all the time; there is no magic check to prove a message spam or not spam. Instead, _many_ randomized spam checks are strung in sequence for the same message. And if any one or two checks fail, filters drop the message.

A successful message (or E-commerce transaction) is one that clears substantially all spam/fraud checks. An in-depth strategy with hundreds or thousands of factors examined results in a smaller (but still present) possibility of the filter/detector being fooled.

IP-based methods can be combined with the other stronger analysis of transaction details and other info that can be gathered about a submitter for detection of attempted abuse.

-- -J
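One way to combine several weak signals of the kind the message above describes, added here as an example and not taken from the thread or from any vendor's product: each signal shifts the log-odds of fraud, and no single signal decides the outcome. The signal names, likelihood ratios, thresholds and the age discount applied to geolocation data are all assumptions made for this sketch.

```python
import math
from datetime import date

# Constructed likelihood ratios: P(signal | fraud) / P(signal | legitimate).
# A real deployment would estimate these from its own chargeback history.
LIKELIHOOD_RATIOS = {
    "geo_country_mismatch": 4.0,     # IP geolocation country != card country
    "open_proxy_listed": 12.0,       # source IP appears on an open-proxy list
    "new_account": 2.0,
    "shipping_billing_differ": 3.0,
}
PRIOR_FRAUD = 0.01         # assumed base rate of fraudulent orders
GEO_HALF_LIFE_DAYS = 180   # assumed: trust in geo data halves every 180 days


def fraud_probability(signals, geo_data_date, today):
    """Combine observed signals into P(fraud), treating them as independent.

    The geolocation signal is discounted by the age of the geo database, so
    a mismatch reported by two-year-old data moves the score very little.
    """
    unknown = set(signals) - set(LIKELIHOOD_RATIOS)
    if unknown:
        raise ValueError(f"unknown signals: {sorted(unknown)}")
    age_days = max((today - geo_data_date).days, 0)
    geo_trust = 0.5 ** (age_days / GEO_HALF_LIFE_DAYS)
    log_odds = math.log(PRIOR_FRAUD / (1 - PRIOR_FRAUD))
    for name in set(signals):
        weight = geo_trust if name == "geo_country_mismatch" else 1.0
        log_odds += weight * math.log(LIKELIHOOD_RATIOS[name])
    return 1.0 / (1.0 + math.exp(-log_odds))


def decide(probability, review_at=0.10, decline_at=0.50):
    """Map a probability to approve / review / decline (assumed thresholds)."""
    if probability >= decline_at:
        return "decline"
    if probability >= review_at:
        return "review"
    return "approve"


if __name__ == "__main__":
    today = date(2008, 12, 12)
    cases = {  # constructed orders
        "traveller, fresh geo data": (["geo_country_mismatch"], today),
        "three signals, fresh geo data": (
            ["geo_country_mismatch", "new_account", "shipping_billing_differ"],
            today),
        "three signals, 2-year-old geo data": (
            ["geo_country_mismatch", "new_account", "shipping_billing_differ"],
            date(2006, 12, 12)),
        "four signals incl. proxy": (list(LIKELIHOOD_RATIOS), today),
    }
    for label, (signals, geo_date) in cases.items():
        p = fraud_probability(signals, geo_date, today)
        print(f"{label}: p={p:.3f} -> {decide(p)}")
```
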
On Fri, 12 Dec 2008 16:33:51 -0800 "Tomas L. Byrnes" <tomb@byrneit.net> wrote:
Because anyone with half a brain blocks proxies from their e-commerce site.
What is a proxy? A garden-variety squid server, in the DMZ of a corporate firewall? The nasty box in some hotels that "helps" guests surf the net? A socks proxy installed by the RBN on unsuspecting desktops? I *always* use a squid proxy server; if nothing else, it protects me when I'm using a wireless network. I've never had a problem (though now that Google thinks that Randy's machines are in Japan, I'm expecting some trouble...) --Steve Bellovin, http://www.cs.columbia.edu/~smb
On 13 Dec 2008, at 12:39, Steven M. Bellovin wrote:
On Fri, 12 Dec 2008 16:33:51 -0800 "Tomas L. Byrnes" <tomb@byrneit.net> wrote:
Because anyone with half a brain blocks proxies from their e-commerce site. What is a proxy? A garden-variety squid server, in the DMZ of a corporate firewall? The nasty box in some hotels that "helps" guests surf the net? A socks proxy installed by the RBN on unsuspecting desktops?
Hi,

We've all jumped on Tomas, but I suspect that the word 'open' was missing from his summary. I've worked in e-commerce environments where we deployed tools that checked whether orders with high risk scores appeared to come through an open proxy, and unusual browsing patterns were detected and investigated for the same.

I won't give the game away, since some of the people on this list will be able to work out who I am talking about :-) but open proxies are a source of fraudulent orders, and also competitors spidering e-commerce sites for price and availability information. Making it harder for both was an important job - both groups of troublemakers would look for a softer target elsewhere.

Andy
Joe Abley wrote:
On 2008-12-12, at 15:02, Martin List-Petersen wrote:
It's a misconception of some muppets, especially in IT related products, that forget, that a lot of IT professionals do travel all over the world and usually have a credit card in their home country.
Pure and utter nonsense.
Or perhaps the hassle of dealing with stolen US credit card numbers from clients outside the US costs far more money than you could hope to make back with the purchases of US nationals travelling overseas?
Could well be muppets, but surely there are other possibilities.
I can understand merchants wanting the extra security, but the issue is, that they then don't want to fork out for a MaxMind subscription or the likes.

One of the bigger colo providers in the states is selling SSL certificates, but their geoip data is ancient. I even bothered to raise a ticket with them and the answer was just "we're working with our development team on that". When I revisited 6 months later, nothing had changed.

It's not the only case, that I've run into this issue and the US is not the only place that credit cards are issued or used. Nor is credit card/credit card theft an outside US only thing. It happens anywhere, inside or outside the US. That's exactly, why the banks started adding the personalized password option etc.

Using outdated geoip data for merchant-services is as unprofessional as asking people to fax a copy of their credit card to some fax number.

Kind regards, Martin List-Petersen

-- Airwire - Ag Nascadh Pobal an Iarthar http://www.airwire.ie Phone: 091-865 968
We probably should move this to funsec, but I'll bite. The basic problem is the lack of security and non-repudiation in credit cards in general, and the US in particular. Non-clonable, card-present, technologies have existed for a long time, and card readers are cheap. AMEX tried to make this free with Blue, but it wasn't adopted. So, the US banks, and AMEX, seem willing to exchange some amount of fraud, and inconvenience for a minority; in exchange for convenience and higher transaction volume for the majority. They've been enabled by the fact that HNC's software works very well. As long as those who make the profit bear the bulk of the risk, as they do with credit cards, I guess there's no issue. Given the "debit card" lack of limit of liability for the consumer, this may change.
On Fri, Dec 12, 2008 at 01:13:59PM -0600, Frank Bulk <frnkblk@iname.com> wrote a message of 52 lines which said:
Is there an easy way to get past history on an IP block? Most sites will show you aspects of that *now*....
http://www.renesys.com/blog/2008/11/for-sale-clean-lightly-used-ip.shtml (That's just an idea, not a real service.)
participants (17)
- Andy Davidson
- Frank Bulk
- James Hess
- Jim Popovitch
- Joe Abley
- John Curran
- Martin Hannigan
- Martin List-Petersen
- Nathan Stratton
- Nicolas Antoniello
- Owen DeLong
- Paul Ferguson
- Randy Bush
- Robert Tarrall
- Stephane Bortzmeyer
- Steven M. Bellovin
- Tomas L. Byrnes