  1. #1
    Join Date
    Dec 2005
    Location
    I'm Lost...Help
    Posts
    895

    Fraudrecord.com - What are your thoughts?

    http://www.fraudrecord.com

    I came across this site the other day through a link in Harzem's sig and through another post in these forums. It seems they just launched this project a few days ago so I am sure many are not even aware of it yet. So I thought I would bring it to the community's attention and see what people thought about it.

    I have looked it over and it seems to be a pretty nice system. It also comes with a WHMCS module that I have checked out and looks very promising with the rest of the system. I am not actively using this yet and just ran a few tests, but from what I have seen so far, it looks like this could have a promising future.

    Another point that I like about this system is it looks to be created by Harzem, who is well known and trusted around this community. That is a big factor for myself when it comes to anything relating to customer information. The other factor, which is always an added bonus, is that it is free and claims to stay that way. Like anything else, that can always change though.

    So I hope others will check this out and provide some thoughts and feedback on it. From what it looks like, the more that participate, the more web hosts will get in return from it.

    I really think this system has some great potential and if everything checks out, we as a community need to spread the word about this to help ourselves and others from fraud and abusive customers.
    Kevin Kopp - MonsterMegs Business Class Hosting Services
    Pure SSD Powered Shared, Reseller, and Enterprise Hosting Solutions
    US & NL Locations :: [US] PhoenixNAP | [NL] EvoSwitch Datacenters

  2. #2
    Join Date
    Nov 2009
    Location
    /etc/my.cnf
    Posts
    10,657
    Am keen to know the legalities with sharing personal data upon each other, Am sure the UK Data Protection Act has something in it to prevent those holding data sharing it.

    Personally I can see it becoming a legal nightmare for them specially for us being UK based.

    Also they could get swamped down with people requesting information which they hold about them which they have to also comply with...
    Last edited by Server Management; 03-02-2012 at 01:23 PM.
    UK Based Proactive Server Management.
    Zabbix Enterprise 24/7 Monitoring.

  3. #3
    Join Date
    Dec 2005
    Location
    I'm Lost...Help
    Posts
    895
    Quote Originally Posted by cd/home View Post
    Am keen to know the legalities with sharing personal data upon each other, Am sure the UK Data Protection Act has something in it to prevent those holding data sharing it.

    Personally I can see it becoming a legal nightmare for them specially for us being UK based...
    Ya that is certainly one of our concerns with it. Some state to just put in your TOS something like you may transmit their data to a 3rd party fraud verification service, but I am not so sure that is enough on the hosts end either.
    Kevin Kopp - MonsterMegs Business Class Hosting Services
    Pure SSD Powered Shared, Reseller, and Enterprise Hosting Solutions
    US & NL Locations :: [US] PhoenixNAP | [NL] EvoSwitch Datacenters

  4. #4
    Join Date
    Nov 2009
    Location
    /etc/my.cnf
    Posts
    10,657
    Quote Originally Posted by Kevin K View Post
    Ya that is certainly one of our concerns with it. Some state to just put in your TOS something like you may transmit their data to a 3rd party fraud verification service, but I am not so sure that is enough on the hosts end either.
    I don't think it is just a case of adding something to your ToS.

    For anyone UK based you would need to do this (I believe):

    The Data Protection Act (DPA) requires that organisations provide the ICO with a description of the individuals or organisations to whom they intend or may wish to disclose personal data. The legal requirement is to provide a description of the recipient or the recipients of the data – this means types of organisation, not the names of specific organisations. The notification requirement does not include people to whom you may be required by law to disclose personal data in a particular case, for example where the police require a disclosure of personal data under a warrant. When you intend to share personal data with another organisation or group of organisations you must check whether you need to update your notification to describe this. When any part of the notification entry becomes inaccurate or incomplete, for example because you are now disclosing information to a new type of organisation, you must inform the ICO as soon as practical and in any event within 28 days. It is a criminal offence not to do this.

    Where several organisations are sharing personal data it is important that each organisation is clear about the personal data they are responsible for and include that information on their notification entry.
    UK Based Proactive Server Management.
    Zabbix Enterprise 24/7 Monitoring.

  5. #5
    Join Date
    Feb 2006
    Location
    Kusadasi, Turkey
    Posts
    3,379
    Thanks for your interest!

    No client data is ever transmitted or stored. The system only accepts salted SHA-1 hashes of customer data, and even the FBI can't figure out the customer details from a database dump. There are both technical details and an overview of security and privacy on the website.

    When a comparison is needed, the system compares the stored hash with the provided one. Only positive matches are returned, otherwise there is no way of retrieving any information.
    Fraud Record - Stop Fraud Clients, Report Abusive Customers.
    █ Combine your efforts to fight misbehaving clients.

    HarzemDesign - Highest quality, well designed and carefully coded hosting designs. Not cheap though.
    █ Large and awesome portfolio, just visit and see!

  6. #6
    Join Date
    Jan 2010
    Location
    San Francisco
    Posts
    1,800
    Looks promising. Thanks Kevin for posting this. Comparing hashes is a brilliant solution to privacy issues. I may sign up later.

  7. #7
    Join Date
    Nov 2009
    Location
    /etc/my.cnf
    Posts
    10,657
    Quote Originally Posted by Harzem View Post
    No client data is ever transmitted or stored.
    So how does it work exactly then?

    As taken from the site:

    FraudRecord, and access our database to read the information provided by other companies.
    Which for any UK business to disclose information to a 3rd party they must be registered and follow the correct laws. Just adding a piece to their ToS does not cover them as you're disclosing sensitive information to a 3rd party, which in this case is Fraudrecord.

    Within the UK you need to follow the Data Sharing Code Of Practice.

    This will be a legal nightmare for anyone in the UK who doesn't do this correctly.

    Also from within the UK you have to be careful where you send personal data:

    You may transfer personal data to countries within the European Economic Area on the same basis as you may transfer it within the UK. However, you may only send it to a country or territory outside the European Economic Area if that country or territory ensures an adequate level of protection for the rights and freedoms of individuals in relation to processing personal data.
    Which country is the database held in?

    Does the country have the adequate protection?

    http://www.ico.gov.uk/for_organisati...inciple_8.aspx

    Has anyone at FraudRecord factored in the strong/strict Data Protection Act the UK has?
    Last edited by Server Management; 03-02-2012 at 02:56 PM.
    UK Based Proactive Server Management.
    Zabbix Enterprise 24/7 Monitoring.

  8. #8
    Join Date
    Feb 2006
    Location
    Kusadasi, Turkey
    Posts
    3,379
    I explained it above. It uses hash comparison. No actual data is received. There is detailed info on the site, I don't want to post the link. But no privacy law can possibly be broken. I can post the database here and you would have no way to determine any sensitive info.
    Fraud Record - Stop Fraud Clients, Report Abusive Customers.
    █ Combine your efforts to fight misbehaving clients.

    HarzemDesign - Highest quality, well designed and carefully coded hosting designs. Not cheap though.
    █ Large and awesome portfolio, just visit and see!

  9. #9
    Join Date
    Nov 2009
    Location
    /etc/my.cnf
    Posts
    10,657
    Quote Originally Posted by Harzem View Post
    I explained it above. It uses hash comparison. No actual data is received. There is detailed info on the site, I don't want to post the link. But no privacy law can possibly be broken. I can post the database here and you would have no way to determine any sensitive info.
    The Data Protection Act doesn't just cover the storage of personal data but rather the sharing of it as well.

    The act contains eight “Data Protection Principles”. These specify that personal data must be:

    1. Processed fairly and lawfully.

    2. Obtained for specified and lawful purposes.

    3. Adequate, relevant and not excessive.

    4. Accurate and up to date.

    5. Not kept any longer than necessary.

    6. Processed in accordance with the “data subject’s” (the individual’s) rights.

    7. Securely kept.

    8. Not transferred to any other country without adequate protection in situ.
    For this "FraudRecord" to work you rely upon people sending you information correct?

    There are strict guidelines which a business must follow should they wish to send/disclose sensitive client data with 3rd parties. Also it's a good idea, I don't think it's been thought about well enough as anyone from the UK pretty much cannot use it in its current state.
    Last edited by Server Management; 03-02-2012 at 03:06 PM.
    UK Based Proactive Server Management.
    Zabbix Enterprise 24/7 Monitoring.

  10. #10
    Join Date
    Feb 2006
    Location
    Kusadasi, Turkey
    Posts
    3,379
    You don't seem to be willing to read the web page explaining everything. I'll say it again. No actual data is shared, no actual data received, no actual data is stored. If you kindly take time to read the 'how it works' page, you will understand. And if you also read the 'security' page, you will understand even better.
    Fraud Record - Stop Fraud Clients, Report Abusive Customers.
    █ Combine your efforts to fight misbehaving clients.

    HarzemDesign - Highest quality, well designed and carefully coded hosting designs. Not cheap though.
    █ Large and awesome portfolio, just visit and see!

  11. #11
    Join Date
    Jan 2010
    Location
    San Francisco
    Posts
    1,800
    From what I understand, when someone submits client data, the WHMCS module encrypts the information and sends the hash string which is what's actually transmitted and stored on FraudRecord's servers. Another host who wants to check a client then also submits client data as a hash string. FraudRecord compares the hashes and then reports back if it matches any known past fraudulent cases.

    No actual client data is transmitted or stored, only the hash string.

  12. #12
    Join Date
    Nov 2009
    Location
    /etc/my.cnf
    Posts
    10,657
    Quote Originally Posted by Harzem View Post
    You don't seem to be willing to read the web page explaining everything. I'll say it again. No actual data is shared, no actual data received, no actual data is stored. If you kindly take time to read the 'how it works' page, you will understand. And if you also read the 'security' page, you will understand even better.
    Am confused, So how do you get the information about fraud clients if no data is being shared?

    The website doesn't provide enough information to satisfy my needs hence am asking here.

    Quote Originally Posted by WickedFactor View Post
    From what I understand, when someone submits client data, the WHMCS module encrypts the information and sends the hash string which is what's actually transmitted and stored on FraudRecord's servers. Another host who wants to check a client then also submits client data as a hash string. FraudRecord compares the hashes and then reports back if it matches any known past fraudulent cases.

    No actual client data is transmitted or stored, only the hash string.
    Even with encryption in place a UK business still needs to follow the DPA

    I am VERY interested in using this service hence all the questions but I think it will be a legal nightmare for me at the moment without much information, I will contact the ICO and see if I can use said service or not...
    Last edited by Server Management; 03-02-2012 at 03:19 PM.

  13. #13
    Join Date
    Oct 2005
    Location
    Internet
    Posts
    1,161
    Quote Originally Posted by cd/home View Post
    Am confused, So how do you get the information about fraud clients if no data is being shared?

    The website doesn't provide enough information to satisfy my needs hence am asking here.

    Even with encryption in place a UK business still needs to follow the DPA
    http://www.fraudrecord.com/how-it-works.php

    You are essentially sharing a hash string. This could *possibly* fall under a grey area at worse case.

  14. #14
    Join Date
    Nov 2009
    Location
    /etc/my.cnf
    Posts
    10,657
    Quote Originally Posted by LuckyAnonymous View Post
    http://www.fraudrecord.com/how-it-works.php

    You are essentially sharing a hash string. This could *possibly* fall under a grey area at worse case.
    Even the transmission of encrypted information has its guidelines.

    I think I will need to contact the ICO to make sure I can 100% use it without any legal proceedings, Better to be safe than sorry

    Which country is the hashed database being stored in exactly?

  15. #15
    Join Date
    Feb 2006
    Location
    Kusadasi, Turkey
    Posts
    3,379
    The catch is, encryption and hashing are technically and legally different. Encryption can be reversed with the right key, and I wouldn't dare to store anything encrypted. When hashed, all hope of retrieving the actual data is lost. You can build a monument with the hashed text written on it, and no one would have a way to retrieve the data, even me.
    Fraud Record - Stop Fraud Clients, Report Abusive Customers.
    █ Combine your efforts to fight misbehaving clients.

    HarzemDesign - Highest quality, well designed and carefully coded hosting designs. Not cheap though.
    █ Large and awesome portfolio, just visit and see!

  16. #16
    Join Date
    Jan 2010
    Location
    San Francisco
    Posts
    1,800
    Quote Originally Posted by cd/home View Post
    Even with encryption in place a UK business still needs to follow the DPA
    Understood, but we're not talking about encryption in transit like SSL. The actual sensitive data does not get transmitted and stored.

    Their security page outlines the process really well: http://www.fraudrecord.com/security.php

    John Smith is one-way encrypted to ac2c739924bf5d4d9bf5875dc70274fef0fe54cf.

    ac2c739924bf5d4d9bf5875dc70274fef0fe54cf is what is transmitted and stored. It's then just a text string that cannot be decrypted. It's impossible to get "John Smith" back out from that text string.
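
The report-and-lookup flow described in the posts above, as an added example (not part of any post, and not FraudRecord's or the WHMCS module's code). The salt value, field names, normalization rule and the `Registry` class are assumptions made for illustration.

```python
import hashlib
import os

# Assumption: one fixed salt shared by every participating host (constructed value).
SHARED_SALT = b"example-shared-salt:"


def normalize(value: str) -> str:
    """Canonical form, so '  john  SMITH' and 'John Smith' hash identically."""
    return " ".join(value.split()).lower()


def digest(field: str, value: str, salt: bytes = SHARED_SALT) -> str:
    """Salted SHA-1 of one customer field. The field name is bound into the
    input so a name digest can never equal an e-mail digest."""
    data = salt + field.encode() + b"=" + normalize(value).encode("utf-8")
    return hashlib.sha1(data).hexdigest()


def client_digests(record: dict, salt: bytes = SHARED_SALT) -> list:
    """Hash every field on the host's side; only these strings leave the host."""
    return [digest(k, v, salt) for k, v in sorted(record.items())]


class Registry:
    """Hypothetical stand-in for the central service: it stores digests only."""

    def __init__(self):
        self._reports = {}  # digest -> list of (reporter, reason)

    def report(self, reporter: str, digests: list, reason: str) -> None:
        for d in digests:
            self._reports.setdefault(d, []).append((reporter, reason))

    def query(self, digests: list) -> dict:
        """Return positive matches only; unknown digests yield nothing."""
        return {d: self._reports[d] for d in digests if d in self._reports}


def demo():
    registry = Registry()

    # Host A reports a client (constructed sample data).
    reported = {"name": "John Smith", "email": "john@example.com"}
    registry.report("host-a", client_digests(reported), "chargeback")

    # Host B checks a new signup typed with different case and spacing.
    signup = {"name": "  john  SMITH", "email": "John@Example.com"}
    hits = registry.query(client_digests(signup))

    # An unrelated client produces no response at all.
    other = {"name": "Jane Doe", "email": "jane@example.org"}
    miss = registry.query(client_digests(other))

    # If host B used its own random salt, the same client would never match,
    # which is why the salt has to be common to all hosts.
    own_salt_hits = registry.query(client_digests(signup, salt=os.urandom(16)))
    return hits, miss, own_salt_hits


if __name__ == "__main__":
    hits, miss, own_salt_hits = demo()
    print(len(hits), "matches;", len(miss), "for unrelated client;",
          len(own_salt_hits), "with a private salt")
```

Because matching is digest equality, every host has to apply the same salt and the same normalization, and a lookup answers only for a value the caller already holds.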

  17. #17
    Join Date
    Nov 2009
    Location
    /etc/my.cnf
    Posts
    10,657
    Quote Originally Posted by Harzem View Post
    The catch is, encryption and hashing are technically and legally different. Encryption can be reversed with the right key, and I wouldn't dare to store anything encrypted. When hashed, all hope of retrieving the actual data is lost. You can build a monument with the hashed text written on it, and no one would have a way to retrieve the data, even me.
    Quote Originally Posted by WickedFactor View Post
    Understood, but we're not talking about encryption in transit like SSL. The actual sensitive data does not get transmitted and stored.

    Their security page outlines the process really well: http://www.fraudrecord.com/security.php

    John Smith is one-way encrypted to ac2c739924bf5d4d9bf5875dc70274fef0fe54cf.

    ac2c739924bf5d4d9bf5875dc70274fef0fe54cf is what is transmitted and stored. It's then just a text string that cannot be decrypted. It's impossible to get "John Smith" back out from that text string.
    Ok, But I still need to contact the ICO to make sure I can do such thing because after all you are still technically "sharing" even if it's encrypted/hashed.

  18. #18
    Join Date
    Oct 2005
    Location
    Internet
    Posts
    1,161
    Quote Originally Posted by cd/home View Post
    Ok, But I still need to contact the ICO to make sure I can do such thing because after all you are still technically "sharing" even if it's encrypted/hashed.
    Please update us with what the response turns out to be. But I believe once you turn that client info into hash, that data is yours to share.

  19. #19
    Join Date
    Nov 2009
    Location
    /etc/my.cnf
    Posts
    10,657
    Quote Originally Posted by LuckyAnonymous View Post
    Please update us with what the response turns out to be. But I believe once you turn that client info into hash, that data is yours to share.
    I doubt I will get a response anytime soon as the weekend is drawing in so I will fire the email Monday morning or over the weekend.

  20. #20
    Join Date
    Feb 2006
    Location
    Kusadasi, Turkey
    Posts
    3,379
    Please use the word 'hashing' or 'one way digest algorithm' to make sure they respond to the correct concept.
    Fraud Record - Stop Fraud Clients, Report Abusive Customers.
    █ Combine your efforts to fight misbehaving clients.

    HarzemDesign - Highest quality, well designed and carefully coded hosting designs. Not cheap though.
    █ Large and awesome portfolio, just visit and see!

  21. #21
    Join Date
    Nov 2009
    Location
    /etc/my.cnf
    Posts
    10,657
    Quote Originally Posted by Harzem View Post
    Please use the word 'hashing' or 'one way digest algorithm' to make sure they respond to the correct concept.
    I shall be linking this thread and the FraudRecord website within my initial email.

  22. #22
    Join Date
    Feb 2006
    Location
    Kepler 62f
    Posts
    16,703
    Scammers/fraud have no right to privacy anyway.
    Legally speaking, consumer awareness/security trumps privacy.
    || Need a good host?
    || See my Suggested Hosts List || Editorial: EIG/Site5/Arvixe/Hostgator Alternatives
    ||

  23. #23
    Join Date
    Jun 2005
    Posts
    3,455
    The idea is not only excellent but highly needed in the hosting industry. Especially because scammers jump from one company to the other. Working together could avoid some of this.

    When I posted this idea, not sure where it was, people said I was a lunatic and I would get sued, and it's asking for legal problems.

    I guess Harzem has figured out a way to do it, and I really wish him with all my heart that this works. For the best of everyone.

    Hosting companies need something like this.

  24. #24
    Join Date
    May 2006
    Location
    San Francisco
    Posts
    7,325
    Harzem, nice work as usual. I'll send the API details to my developer and strongly consider integrating this.

  25. #25
    Join Date
    Jun 2005
    Posts
    3,455
    Quote Originally Posted by cd/home View Post
    I shall be linking this thread and the FraudRecord website within my initial email.
    I don't think you understand the system correctly. What is data? Define data?

    The system is not sending personal sensitive information so the privacy laws and regulations don't apply to this.

    When it's hashed, you transform the bits and bytes to something else, something which is completely nonsense digits, which doesn't mean anything to anyone except computers. You are not transmitting any client data out, ever, not sharing it either because the hash is already new data.

    You don't need to ask anything to anyone because you are not sharing customer data in any way. Even if it was, (which is not) it would be fake data anyway, because you don't expect fraudster and scammers to use real data, which is what providers report it seems. Not data from each and every single customer.
    Last edited by nibb; 03-03-2012 at 12:53 AM.
