While the 12AngryMen wax philosophic on the issues of our time, I thought it might be useful to forward a bit of knowledge to our dear readers. Let me preface this missive by stating that in a previous life, I developed banking and on-line software for a credit card marketing company. While the company I worked for was not above certain ethically challenged marketing efforts, I assure you that it never descended to the levels described herein. I know — my group wrote all of the applications. One has to, however, admit to a bit of grudging admiration for the deviousness inherent in this bit of subterfuge.

Usually I make purchases on-line using my card and a bit of software called Shopsafe which produces one-time cards with a specified expiration date and a specified credit limit. This is a practice I heartily recommend by the way. Unfortunately other members of my family are not so circumspect. The following is an analysis of what happened and how it happened.

Upon receiving a monthly statement, my wife reviewed the card statement and noticed a charge for $9.00 from a company called WLI.ReservationRewards.com. I immediately recognized the charge as an after-marketing or cross-sell result from some purchase made by my wife. A quick search revealed what I expected. The on-line site my wife visited was eBags.com (which happens to be listed at the previous link). Intrigued, I did a little CSI work and uncovered the logic and process involved. The following is a bit technical, but if nothing else, skip to the recommendations at the end.

WLI contacts on-line companies with affinity and cross-sell agreements. Basically, no one in their right mind would sign up for this crap. (My previous company sold similar enhancements. They had a 98% profit margin.) So in order to get sales, WLI has to make agreements with companies who sell stuff you actually want. They will cut a deal with the company—after you complete your transaction, link to our site for a cross-sell opportunity and we will split any sales with you 50-50. To the legitimate company, this is a hell of a deal. Free money, even. All you have to do is add some code pages to your web site and in return you get 50% of the till. A lot of profit for no effort.

What actually happens is that instead of linking to the cross-sell site as a separate session, they link internally, as another page in the same session. Why is this important? When you do a credit card transaction, any reputable company will attempt to protect your credit card data. They do this by establishing an SSL session to encrypt sensitive data on-line. Because HTTP transactions are stateless, it is sometimes necessary to store the card data in case a transaction does not run to completion. Card data are usually stored in cookies encrypted under the SSL symmetric key. Note that this is actually safe, as the data are not usually stored on disk, and even if they are, they are encrypted with a 128-bit symmetric key. When the session ends, the data are automatically purged, and any data on disk are not accessible because the key is toast as well. Visa and Mastercard rules state that card data should not be stored, and the CVV, the verification code, is NEVER to be stored. A lot of companies interpret this as "stored on disk." So when you end your transaction and leave your session, your card data is purged. Right? Not so fast!

Remember that the code the cross-sell company added doesn’t link in the normal sense but just continues with the session in an attempt to sell you some useless crap. By continuing the session, the application running (the cross-sell application, not the original on-line store) has access to the card data in the cookie. Most legitimate companies don’t think this through — the money is too good.

Now here is where the sneakiness gets involved. This has to be legal. That is to say, somewhere you have to say that you want to buy the product that they are selling. Further, they have to send you an acknowledgment. This can be immediate (print this page) or, more usually, a follow-on email. So what happens?

You get to the cross-sell page, see some gobbledygook, decide this is bullshit, and navigate away from the page. You are done with it and gone. Nope! Somewhere on the page there is a box, already checked, that says “Send me this crap for $9.00 a month”. This is called opt-out and is a source of great consternation between marketing people and the FTA. [As an aside, organ donors in Europe have to opt out to NOT become an organ donor, i.e., uncheck the box. In the United States, drivers have to opt in to become an organ donor. The donor rate in Europe is over 80% versus 20% in the United States. This is the power of opt-out and why marketeers fight for it so hard.] Clever web designers that they are, they attempt to hide the opt-in box, which of course is prechecked (making it, in effect, an opt-out). This could be buried in a mass of text, but typically it is in a place that requires the user to scroll down to see it. A cursory glance at the page shows nothing, so the user just navigates away from the page.

At this point the old javascript on-exit() script kicks in. Before the browser exits, it pulls the name, card information and everything else required to create a new transaction from the cookie left behind by the legitimate store and posts a new form to WLI. Since this is a monthly charge, it sends all of the card data so that transactions can be recurring. This has two effects: 1) you are charged for something you don’t want, and 2) your card data is now on a server somewhere else, protected by likely not very much security.
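The weak point in the mechanism described above is card data sitting in a cookie that any later page in the same session can read. What follows is an added example, not code from this post or from any of the companies named: a Node.js audit helper a store developer can run against their own checkout pages. It reports cookies visible to page script whose value contains a Luhn-valid card number, and builds the Set-Cookie headers the order-complete page should send to expire them. The function names and the sample cookie string are constructed for the example.

```javascript
// Audit helper (added example): flag script-readable cookies holding a
// Luhn-valid card number, and build headers that expire them on completion.

// Standard Luhn checksum over a string of digits.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Parse the "name=value; name2=value2" form that document.cookie exposes.
function parseCookieString(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    let v = part.slice(idx + 1).trim();
    try { v = decodeURIComponent(v); } catch (e) { /* keep raw value */ }
    out[part.slice(0, idx).trim()] = v;
  }
  return out;
}

// Names of cookies whose value contains a 13-19 digit Luhn-valid number.
// The Luhn check keeps ordinary order numbers from being reported.
function findExposedCardData(cookieString) {
  const exposed = [];
  for (const [name, value] of Object.entries(parseCookieString(cookieString))) {
    const runs = value.replace(/[\s-]/g, '').match(/\d{13,19}/g) || [];
    if (runs.some(luhnValid)) exposed.push(name);
  }
  return exposed;
}

// Set-Cookie headers that expire the named cookies; HttpOnly keeps any
// replacement cookie out of reach of scripts on later pages in the session.
function expireCookieHeaders(names) {
  return names.map(n => `${n}=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Strict`);
}

// Constructed sample of what a careless checkout might leave behind.
// 4111111111111111 is a well-known test number, not a real card.
const SAMPLE_COOKIES = 'sessionid=abc123; cart=3items; checkout=' +
  encodeURIComponent('{"name":"J Doe","pan":"4111 1111 1111 1111","cvv":"123"}') +
  '; orderid=100200300400500';
```

Running `findExposedCardData(SAMPLE_COOKIES)` reports only the `checkout` cookie; the 15-digit order id fails the Luhn check and is ignored.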

Actually, I am a step ahead of myself. Typically these deals come with a free 60 or 90 day trial period, after which the charges start to appear. To be legal they have to send an acknowledgment. Since you obviously can’t print the screen, having navigated away, they send you an email (the address is also grabbed from the cookie). Unfortunately, this is a simple message couched in language such that there is no immediate charge to catch your attention, and usually with a subject line that guarantees the email will be spam-canned immediately.

After 90 days, the more enterprising send you another email, also likely spam-canned, that lets you know the charges are about to begin, and then they hit you up for the $9.00 per month. The other thing is that the fees are kept low so that they are likely to slip in under the radar in a long list of charges. Err, what is that – a latte I charged at Starbucks? The billing statement entries are also worded as obscurely as possible.

A heck of a deal. Don’t bother calling the legitimate on-line store customer service. They are usually completely unaware that this is happening, and the marketing people are not about to draw it to anyone’s attention if they find out because their revenue stream has just jumped up.

As a service to readers I give the following advice:

  • Use Shopsafe or some similar software to generate one-time cards. Set the expiration date to the minimum (usually 2 months from the current date) and the limit at $5.00 over the current purchase (plus shipping and handling, etc.). Scams like this can’t work if the card is invalid (expired) at the end of the free-trial period, or if the absolute credit limit would be exceeded.
  • After you complete the transaction (the page will say this) and BEFORE YOU DO ANYTHING ELSE, close the browser. Kill it — and the session data. Then open a new browser to continue whatever you want to do. Never navigate away from a completed transaction page.
  • Read your credit card statements.

[Author's Note: If there is sufficient interest and comments, I will be willing to expose more credit card ethically challenged activities. There are several interesting ones.]