Tag Archives: Commerce

Dud of the Week: eBay Anniversary

I shouldn’t boast too much about this, I know, since you’re all going to get horribly jealous, but I just received a very exciting email, courtesy of the nice folks over at eBay, congratulating me on an impressive year (or is it 10?) of dedicated custom:

Now my friend Jim says this is the lamest bit of spam he’s seen in a long while, and points out that since I haven’t actually sold anything on eBay the sentiments expressed therein are as genuine as the Microsoft Office on his computer, but I think he’s just green with envy. Not least because the email contained a picture of the eBay Green-Pants Wearing Party Dude (pictured below for your convenience):

 I think it’s a great idea to send congratulatory emails to your customers on the anniversaries of their signing up. Everyone could do it – ‘This is Microsoft here, congratulating you on the anniversary of buying Windows 98! Oh, and buy the way we don’t support it anymore, so you’ll have to buy Vista real soon! Have a good one!’ or ‘Hi! It’s your friendly cellphone company here. Congratulations on the 3rd anniversary of using our service! You’ll be pleased to know that with all the hidden fees and ridiculous per-kilobyte charges we tag onto your bill we’ve been able to send all our kids to finishing school in Switzerland! Keep talking and downloading and not looking too closely at your phone bill!’ It might clog our inboxes but it’ll be worth it to feel wanted.

And I think I’m going to make the Green Pants Dude my Dud of the Week emblem. After all he’s already wearing a dunce’s hat.

Pumping Stock, Spam and the Criminal Underworld

If you ever feel the urge to trade on a spam stock tip, I offer this unsolved whodunnit as a cautionary tale.

If you’ve been getting an extra dumpster of spam in your inbox lately, it’s probably because of a little known company called Cana Petroleum. If you open the email in question (and I’ve counted nearly 300 in my spam dumps in the past three days alone) you’ll find it’s a pretty straightforward pump and dump scam, where the sender tries to raise buying interest in the stock (the pumping bit) to push up the price so he can make a killing selling his stock (the dumping bit.)

It worked: according to Don Mecoy of The Daily Oklahoman:

Cana Petroleum shares, which trade on the unregulated Pink Sheets via the over-the-counter market, lost 32 percent on Friday to close at $4. On Thursday, the stock traded as high as $10 a share. Seven months ago, it traded for about a dime.

But is this just a case of some day trader making a quick killing? Or is there something more sinister afoot? The company involved has been in trouble before for promoting its stock. Don says that “Information regarding the company is difficult to find. Internet searches reveal no Web site, and telephone listings for Cana Petroleum led to disconnected or wrong numbers”:

The company changed its name, ticker symbol and business model in August. Previously called Global DataTel, the company sold personal computers, mainly in Latin America.

Securities regulators filed a complaint against Global DataTel in 2001, and obtained a judgment against a stock promoter hired by the company. He was accused of spreading groundless price projections and strong “buy” recommendations even as he sold his own shares of the company’s stock. The promoter and two Global DataTel executives were fined.

Global DataTel shut down operations in the spring of 2001, “due to the big financials problems,” according to a regulatory filing.

That’s pretty much where the trail ends. As Don points out, a lot of companies don’t like their stock being manipulated for obvious reasons. The promoter involved in the 2001 case, Stuart Bockler, seems to have kept a low profile since. The SEC complaint describes him as a “corporate public relations consultant who controlled and operated, as the sole employee, three public relations-related companies — International Market Advisors Inc., International Market Call Inc., and Imcadvisors, Inc. — and a related Internet website www.imcadvisors.com.” The website itself is under construction although it does offer an address in Columbus, Indiana and an email address under the name Don Michael. The WHOIS information is the same.

Archived copies of the site indicate it’s been pretty dormant since 2001, when its homepage touted a mailing list of “hot news” for $100 a year. (You can see the buy recommendations IMC put out on Global Data Tel at this archived page. In less than five months it put out six ‘breakout buy’ reports on the company, out of a total of nine. A copy of one of the reports is here.) According to the SEC complaint, Bockler sent out 30,000 emails drawing attention to the reports. The stock rose, according to the SEC, from $7.19 a share on Jan 12 1999 to reach a high of $18.84 in April. Within a month of Bockler’s last report the price had fallen to $2.875.

From there the trail goes cold. Or does it? In 2004 a Beverly Hills lawyer called Allen Barry Witz pleaded guilty in a Newark District Court to manipulating the same stock with the help of four other men. (Bockler was also indicted, but I can find no record of the case having gone to trial.) But more intriguing is the link to a murder case that has not been solved: One of Witz’s unindicted co-conspirators, Joe. T. Logan Jnr, was, according to the Asbury Park Press, closely connected to two pump and dump stock dealers, Albert Alain Chalem and Maier Lehmann, who were murdered execution-style in October 1999, the same time the Global Datatel pump fraud ended. The two men’s stock website, StockInvestor.com, was heavily promoting the stock in the last recorded snapshot of the site before their deaths, about two weeks before they were killed. The most recent news article on the unsolved killings, by AP’s David Porter on October 30, quotes one of the dead man’s attorneys as saying:

“It sounded like an extremely professional hit,” he said. “It sounded like the perpetrators were on a plane back to Eastern Europe before they even found the bodies.”

It all may be a coincidence, of course. But the killings, the indictments and the fraud in the Global Datatel case might help to remind us that the links between stock scams, spam and criminal organisations with access to ruthless killers are not the stuff of fiction.


The Online Dutch Auction

Good piece by my old friend Rani about how online auctions work in Singapore: 

When I tried to sell my xda II online, I was surprised to find out that the logic of online auction is almost totally different in Singapore. At first, I tried to sell my xda II in Singapore Pocket PC user group (PPCSG). However, I can say that, although PPCSG market place forum is a great place to buy stuff, it is not a great place to sell stuff. People from the forum would mercilessly bargain 40-50% from the initial price. Having been unable to sell my xda II with a good price in PPCSG, I looked for other alternatives.

Enter auction sites, namely, Yahoo Auctions Singapore and eBay Singapore. And I was surprised to find out that… nobody bids on those auction sites. It was not long until I found out the unwritten rules of the online auction game in Singapore, which is totally different from my experience doing online auction in the US and UK.

Basically it’s like a reverse auction: Put your highest price as the opening bid, and wait for folk to call you with lower bids. Then you just seal the deal over the phone. I wonder how true this is elsewhere? And I wonder, too, about Rani’s suggestion that eBay and co actually build the capability for reverse auctions into their software, so that in places like Singapore, people actually use their services.

IVR Cheat Sheets, And Dirty Tricks?

The IVR debate rumbles on. Could automated voice phone systems be better than just having a human answering the phone? Is it better to cheat the system? Paul English’s cheat sheet has appeared on more than 100 TV and radio stations in a month. One company, Angel.com, has been fighting back, first with a pretty harsh broadside, but now appears to have replaced it (the page redirects) with a more measured ‘IVR Cheat Sheet for Businesses’, figuring, I guess, that if you can’t beat ‘em, join ‘em.

Anyway, I got an interesting take on it this morning as a comment appended to my blog from someone who identified herself as Kate, with a believable-looking email address. ‘She’ wrote:

Paul English makes some great points. I saw his piece on ABC World News Tonight and he’s bringing to light that most companies operating in the IVR space have shoddy systems. In my opinion, Angel.com is one of the few companies in the IVR industry trying to change things, however, with web-based next generation systems that link to CRM systems. Small businesses are finally able to create IVR systems (using a self service model if they wish) that are even more sophisticated than what large industry is using. My Dad uses the system for his online ebay store selling vintage posters and autographed baseballs. He’s able to provide far better customer service using Angel.com’s system than he would ever be able to provide on his own. The boon to small business of using these inexpensive, next generation IVR systems is getting lost in the debate.

That’s one well-written comment. I was impressed (as I imagine, would be Angel.com. Not only can they be linked with the little guy (and who wants to bash the little guy?) but they get to bash some of their competitors too). But not being cynical about the posting, I allowed it through and emailed ‘Kate’ with a request to interview her father. If true, it’s a valid point and one to explore.

What I didn’t expect was for the email to bounce. Not that unusual, especially with comment spam, but not when the given name (‘Kate’) jibes with the email address (‘katerobins@yahoo.com’). Why go to the trouble of putting a believable fake email address, especially when you presumably would be quite happy if someone followed up and got a bit of publicity for your eBay-selling dad? Baffled, I checked the IP address where the comment came from: a Verizon address in Washington DC. Not, coincidentally, that far from Angel.com HQ in McLean, Virginia.

I wish I could say my sleuthing took me further. But I could find no Kate Robins in the phone book, no sign of someone with that Yahoo address on Google, or anyone on eBay who might be her dad (not that surprising; it’s a big place). I’ll keep looking, but if anyone knows Kate Robins, her dad, or could shed any light on this, I’d love to hear from them. I’d hate to think that my blog is being used by anonymous shills to do damage limitation exercises for the IVR/CRM industry. On the other hand, if Kate does exist and just mistyped her email address, I’d love to follow up the angle she suggests.

The Big Credit Card Theft

Trying to make sense of the massive theft of credit card numbers at CardSystems, ‘a leading provider of end-to-end payment processing solutions focused exclusively on meeting the needs of small to mid-sized merchants’, in which information on more than 40 million credit cards may have been stolen.

CardSystems itself has issued only a brief statement on its website (no permalink available) saying it had identified

a potential security incident on Sunday, May 22nd. On Monday, May 23rd, CardSystems contacted the Federal Bureau of Investigation. Subsequently, the VISA and MasterCard Card Associations were notified to alert them of a possible security incident. CardSystems immediately began a remediation process to ensure all systems were secure. Additionally, CardSystems immediately engaged an independent 3rd party to validate systems security.

Notice the careful language: It talks only of ensuring all ‘systems were secure’ — in the security industry this is like checking all the locks work while watching all the horses bolting off down the street. (And don’t the FBI work on Sundays? Why wait a day to let them know?)

Then there’s the question: Why wait almost a month to let us know? A separate story by AP quotes CardSystems as saying that

it was told by the FBI not to release any information to the public. The company says it’s surprised by MasterCard’s decision to go public.

Actually, not so, say the FBI: Another AP story quotes an FBI spokeswoman, Deb McCarley, as denying

that the agency told CardSystems not to disclose the existence of the intrusion. McCarley says the FBI told CardSystems to follow its corporate policies without disclosing details that might compromise the ongoing investigation.

In fact, a MasterCard statement suggests that it was they, not CardSystems, who first identified the breach:

MasterCard International’s team of security experts identified that the breach occurred at Tucson-based CardSystems Solutions, Inc., a third-party processor of payment card data. Third party processors process transactions on behalf of financial institutions and merchants.

Through the use of MasterCard fraud-fighting tools that proactively monitor for fraud, MasterCard was able to identify the processor that was breached. Working with all parties, including issuing banks, acquiring banks, the processor and law enforcement, MasterCard immediately launched an investigation into the breach, and worked with CardSystems to remediate the security vulnerabilities in the processor’s systems.

In the meantime CardSystems was pretending it was business as usual, including an announcement on June 14 of a move into check processing, and posting job-ads for a ‘Software Quality Assurance Analyst’ to cover, among other things, ‘troubleshooting from operations, production, and outside vendors’ who can work ‘in a very fast-paced, high-visibility organization where priorities often change’. Indeed.

Anyway, the scale of the thing is pretty awesome: Softpedia quotes experts as saying

that this is the worst case of data theft in IT history. “In sheer numbers, this is probably one of the largest data security breaches,” said James Van Dyke, principal analyst at Javelin Strategy & Research in Pleasanton, Calif.

And just how did the theft happen? Details are sketchy, probably because no one yet knows (the MasterCard software which identified the fraud did so by monitoring transactions, not the actual breach. In other words, they observed the stolen goods being peddled, not the actual break-in). According to another AP story, MasterCard has identified CardSystems as being ‘hit by a viruslike computer script that captured customer data for the purpose of fraud’, but hasn’t given any more details. CardSystems itself is not talking:

CardSystems’ chief financial officer, Michael A. Brady, refused to answer questions and referred calls to the company’s chief executive, John M. Perry, and its senior vice president of marketing, Bill N. Reeves. A message left for Perry and Reeves at the company’s Atlanta offices was not returned.

Both Perry and Brady have been with CardSystems a little over a year.

Want Some Wi-Fi In Your Shopping Cart?

Amazing how Wi-Fi has come, in three or so years, from a very obscure and slightly geeky thing to something supermarkets sell, both in terms of devices and services.

Robert Jaques of VNUNet today reports that Linksys “will begin marketing a special line of wireless networking products for home users at selected Tesco superstores in the UK”. Linksys, the report says, is “the only consumer networking vendor in all three of the world’s top retailers, i.e. Tesco, Wal-Mart and Carrefour”.

A piece in this month’s Grocery Headquarters magazine, meanwhile (yes, I read it all the time) says “the supermarket industry is starting to use wi-fi cafes to drive incremental sales and customer loyalty one latte at a time”. Supermarkets in the U.S., the report says, are using their own wireless LANs to offer customers Wi-Fi. Wegmans Food Markets is already testing the technology in two Pennsylvania stores. Quality Food Centers (QFC), a division of Cincinnati-based Kroger Co., offers shoppers wi-fi access in half a dozen stores in the state of Washington.

Soon Wi-Fi will just be something that everyone has, everyone expects, and nobody pays for. Just as it should be.

Vmyths Up For Sale On eBay

Vmyths, the web site that takes a skeptical look at the anti-virus industry, is for sale on eBay: item 5762562547 at a starting bid of $200,000 (or you can buy the whole thing for $280,000):

Vmyths.com is the leading independent voice in the computer security and computer virus industry. The site is owned by an investor not directly involved in the industry and is looking to sell the site to either another investor or to someone directly involved in the industry that could benefit from the editorial exposure from being associated with the site. We have an exclusive contract to Rob Rosenberger, editor-at-large. The site comes with URL, all content, and rights to Rob’s contract.

Rob Rosenberger, the editor, explains in his newsletter (not available on the website at the time of writing) that co-founder Eric Robichaud wants to sell Vmyths, and he’s got experience selling websites on eBay. But our readers will want to know: “why now?” Robichaud called to say he’s riding on the coattails of a bombshell we dropped in our latest “Whisper” Update. He told me to announce the eBay auction in a special newsletter or he’d do it himself in an advertisement.

I’ve not always agreed with Vmyths, believing sometimes that a threat is a threat and not always a hype. But its skeptical approach has been a useful antidote to the often inflated claims made by some security vendors. Indeed, Rob’s fear is that one of the companies he has been most scathing of, Britain-based mi2g, could shut down one of their most vocal critics with a meager $200k bid. Oh, sure, I could still rant — but years of historical insight would disappear overnight.

That would definitely be a shame.

Amazon, eBay And The New Liquidity

I bought a second-hand book off Amazon the other day and was boasting about it to a friend. He wasn’t impressed. “We never buy anything new anymore,” he said. Clothes? Thrift shops. Toys? Yard sales. Books, CDs and whatnot? Amazon or eBay. Only food seemed to be something he bought new, and even then I got the impression he was mulling other options on that. All this made me wonder: Has the Internet pushed us into a new phase, where possessions aren’t possessions anymore, but stuff we have until someone comes along with an offer decent enough for us to sell?

Amazon, for example, lists all the books and stuff you’ve bought (scary, sometimes, seeing your literary life flash before you on the screen) and makes it very, very easy for you to list them for sale. So why not? If you set a price that you’re comfortable with, why not see if someone wants to buy? Why not list everything we own online, set a price for each and just see what happens?

Of course some of us want to keep things like books forever, but if this whole process makes goods more liquid, you can always buy back again what you sell later. Maybe people on eBay do this already: Not necessarily needing, or wanting to sell, but if the price is right, why not? I really, really like my new Rockport shoes, but maybe someone might be willing to pay more for them than I reckon they’re worth. Welcome to the New Liquidity.

Closing The Door After The Phish Has Bolted

MasterCard, one of several banks discovered to have flaws on their websites that would have allowed a phisher to capture passwords, says it has fixed the problem.

American Banker Online reported (subscription required) last week that MasterCard International “has confirmed finding and fixing a flaw on its web site’s ‘Find A Card’ tool that could have facilitated a phishing scam”. The flaw had been discovered by British programmer Sam Greenhalgh and published on his web site on June 28. Greenhalgh lists in a sidebar those web sites that have been fixed or the flawed code removed. It’s not yet over: He says that PayPal and several sub-domains of Microsoft.com “remain susceptible”.

Besides the failure of some web sites to tackle the problem, a few other things worry me. 

  • Why did it take MasterCard three weeks to remove the flawed code? American Banker reports that the tool was removed on July 20. As Greenhalgh writes it’s probably a case of closing the door after the horse has bolted. (American Banker quotes MasterCard as saying that “It does not believe that any scams were attempted”.)
  • Why is no mention made of the flaw or the fix in MasterCard’s own ‘newsroom’? There are two releases trumpeting MasterCard’s own ‘fight on phishers’ but nothing of its own vulnerabilities.
  • How many more vulnerabilities are out there? Did Greenhalgh’s discovery trigger a serious audit of all code on such websites, or did they just plug the holes he had found?

Anyway, plaudits should be offered to Greenhalgh (so far I’ve not seen any from the banking fraternity, but I could be wrong) for his work and others encouraged to hunt for more leaks. Such folk are not troublemakers looking for nits to pick. They perform a very useful service. Phishing has shown that all this is no longer just theory, if it ever was. Every one of these vulnerabilities will be found and exploited if the good guys don’t get there first.

Double Checking A Phishing Scam

Sometimes the usual checks to see whether an email is a phishing scam or not don’t work.

Here’s an example. This morning I received a quite credible looking PayPal email. Of course it had all the hallmarks of a phishing scam too, but then again I’ve received some genuine emails I thought were phishers, so you can never be 100% sure.

The best test — viewing the email in non-HTML format, so the links show up for what they really are — didn’t work particularly well this time: The URL was http://www.updatesecuritycheck.com, which doesn’t sound like PayPal, but then sounds official enough to possibly lure some folk.

So I checked the registrant of the website in question, usually a surefire way to know whether it’s dodgy. It was under the name of someone in the UK, with an address and telephone number that all looked kosher (right postcode, all that sort of thing). Hard to imagine that someone in the wilds of Devon would be administering PayPal accounts, but who knows? If the website was fraudulent, the thinking goes, why would someone go to such trouble to register a full name and address?

So I checked to see whether the person existed. He does. I contacted him, not via the email address given, but by hunting down a working email address via Google. Needless to say he’s not part of the scam and is suitably outraged that his name has been used. (Of course all this raises the possibility he has become the victim of broader ID and financial theft.) The page on the scam site itself no longer exists, as far as I can see, but the home page is a boilerplate PayPal copy.

The lesson: Sometimes it’s not enough to check whether the URL looks and feels kosher. Neither is it sufficient to see whether the website itself has been registered by someone who looks kosher. Clearly scammers are going to greater lengths to register proper sounding website names, and to register them under real names and addresses — which they’ve probably found in phone books and on the Internet.