[104872] in North American Network Operators' Group
RE: amazonaws.com?
daemon@ATHENA.MIT.EDU (Matthew Huff)
Thu May 29 09:15:03 2008
Date: Thu, 29 May 2008 09:14:50 -0400
In-Reply-To: <483EAADF.5040905@bogus.com>
From: "Matthew Huff" <mhuff@ox.com>
To: "Joel Jaeggli" <joelja@bogus.com>,
"Dorn Hetzel" <dhetzel@gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
The financial services world felt the same pre-9/11. Since then FINRA
and SEC regulations enforce "Know Your Customer" rules that require
extensive record keeping. The regulations now are quite burdensome.
Given that usage of "cloud" resources could be used for DDOS and other
illegal activities, I wonder how long it will take companies to realize
that if they don't do a good job of self policing, the result will be
something they would prefer not to have happen.
----
Matthew Huff | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
www.otaotr.com | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139
-----Original Message-----
From: Joel Jaeggli [mailto:joelja@bogus.com]
Sent: Thursday, May 29, 2008 9:09 AM
To: Dorn Hetzel
Cc: nanog@nanog.org
Subject: Re: amazonaws.com?
Dorn Hetzel wrote:
> There is a really huge difference in the ease with which payment from a
> credit card can be reversed if fraudulent, and the amount of effort
> necessary to reverse a wire transfer. I won't go so far as to say that
> reversing a wire transfer is impossible, but I would claim it's many orders
> of magnitude harder than the credit card reversal.
To paraphrase one of my colleagues from the user interaction world:
"The key to offering a compelling service is minimising
transaction hassles."
I encourage all my competitors to implement inconvenient hard to use
payment methods....
> A mere "court subpoena" wouldn't even be remotely sufficient. The person
> wanting their money back would pretty much have to sue for it and win.
> Heck, people that get scammed and send their money via western union can't
> even get their money back... People who sell physical goods that get
> shipped internationally to places where they can't get them back from have
> been dealing with irrevocable payment forms for a long, long time, and those
> are generally wire transfers.
>
> Once that guy in Frackustan has my widgets, I need to make darn sure he
> can't take his money back :)
>
> So, yeah, there would be some customers for whom the couple of business
> hours it takes their wire to go through (that's a pretty typical time from my
> actual experience) would be longer than they would want to wait for their
> port 25 or other "risky" service to be enabled, but really, how many is that
> going to be. We're not talking about the wait for ordinary customers who
> don't need those particular services that tend to be problem children, and
> we're not talking about existing accounts of long standing, just about a
> barrier for the drive-by customer who wants to use services and then not pay
> the cost when they violate the AUP...
>
> On Wed, May 28, 2008 at 11:53 PM, Peter Beckman <beckman@angryox.com> wrote:
>
>> On Wed, 28 May 2008, Barry Shein wrote:
>>
>> On May 28, 2008 at 21:43 beckman@angryox.com (Peter Beckman) wrote:
>>>> On Wed, 28 May 2008, Dorn Hetzel wrote:
>>>>
>>>>> I would think that simply requiring some appropriate amount of irrevocable
>>>>> funds (wire transfer, etc) for a deposit that will be forfeited in the case
>>>>> of usage in violation of AUP/contract/etc would be both sufficient and not
>>>>> excessive for allowing port 25 access, etc.
>>>> Until you find out that the source of those supposedly irrevocable funds
>>>> was stolen or fraudulent, and you have some sort of court subpoena to give
>>>> it back.
>>>>
>>>> I don't believe there is a way for you to outwit the scammer/spammer by
>>>> making them pay more of their or someone else's money. If you have what
>>>> they need, they'll find a way to trick you into giving it to them.
>>> Are you still trying to prove that Amazon, Dell, The World, etc can't
>>> possibly work?
>>>
>> Amazon and Dell ship physical goods. Amazon Web Services sells services,
>> as do I. Services are commonly enabled and activated immediately after
>> payment or verification of a valid credit card, as is often expected by
>> the customer immediately after payment. Shipment of physical goods will
>> almost always take at least 24 hours, often longer, enabling more thorough
>> checks of credit, however they might do it.
>>
>> And even with the extra time to review the transaction and attempt to
>> detect fraud, I'm confident Amazon and Dell lose millions per year due to
>> fraud. The reality is that the millions they lose to fraud doesn't affect
>> us because a Blu-Ray player purchased with a stolen credit card doesn't
>> send spam or initiate DOS attacks.
>>
>> At least not yet; those Blu-Ray players do have an ethernet port.
>>
>> By your reasoning why don't the spammers just empty out Amazon's (et
>>> al) warehouses and retire! Oh right, they'd have to sell it all over
>>> the internet which'd mean taking credit cards...
>>>
>> Now you're just being ridiculous. Or sarcastic. :-)
>>
>> I am a big, big fan of assessing charges for AUP abuse and making some
>>> realistic attempt to try to make sure it's collectible, and otherwise
>>> make some attempt to know who you're doing business with.
>>>
>> Charging whom? The spammer who pays your extra AUP abuse charges with
>> stolen paypal accounts, credit cards, and legit bank accounts funded by
>> money stolen from paypal accounts and transferred from stolen credit
>> cards?
>>
>> If you are taking card-not-present credit card transactions over the
>> Internet or phone, and not shipping physical goods but providing services,
>> in my experience the merchant gets screwed, no matter how much money you
>> might have charged for the privilege of using port 25 or violating AUPs.
>> That money you collected and believed was yours and was in your bank
>> account can be taken out just as easily 6 months later, after the lazy
>> card holder finally reviews his credit card bill, sees unrecognized
>> charges and says "This is fraudulent!" And there you are, without your
>> money.
>>
>> Getting someone to fax their ID in takes extra time and resources, and
>> means it might be hours before you get your account "approved," and for
>> some service providers, part of the value of the service is the immediacy
>> in which a customer can gain new service.
>>
>>
>> Beckman
>> ---------------------------------------------------------------------------
>> Peter Beckman                                                  Internet Guy
>> beckman@angryox.com
>> http://www.angryox.com/
>> ---------------------------------------------------------------------------
>>
>>
>