Tuesday 23 February 2016

Stopping The Scammers


Our previous article focused on securing an e-commerce website against hacking.


This article addresses the ways you can reduce the chance of fraudulent transactions being successful (in a bad way!).


Our website sells silver and gold jewellery, a desirable commodity for potential scammers. They seem to think that it is ok to steal from anyone without a thought to the consequences of their actions. Over the past 5 years I have seen many different ways that these a**holes will try to game the system and I have had to devise a number of methods to reduce the chance of their success.


Firstly, as an on-line store, there must be a way to collect payment from our customers. We offer several methods of payment, some more secure than others.


Cash Payments


Cash is not an option as your customers physically cannot hand it to you. Sending cash through the post is not advised as no-one will insure against it not arriving. For an on-line store it simply is not an option and leaves the customer in a vulnerable position.


Money Orders


Money orders sent through a post office are the equivalent of cash. The customer pays the post office for the money order with cash or a bank transfer and the money order is sent by post to the store. The store receiving the money order is paid in cash at the post office, and is normally required to present proof of identity at that time. Once cashed, they cannot be withdrawn.


Direct Deposits


Direct deposit into your bank account is by far the best option for a merchant. Once the money has been transferred, you are absolutely assured it is yours. The customer cannot reverse the transfer. It can only be reversed (refunded) by the account holder receiving the deposit. This is the payment method you should promote to your customers. Giving a discount for direct deposits may convince the customer to complete their order.


Cheques


Cheques are generally safe but the funds can take 3 to 5 days to clear and arrive into your account. If the owner of the account disputes the cheque payment, the bank may decide to reverse the payment and you could lose your money. Insist on additional proof of identity before accepting a cheque for payment.


PayPal


PayPal is seen by many people as being safe and is often the preferred method of payment for a customer. From the customer's point of view, the ‘buyer protection’ offered by PayPal makes this a ‘feel safe’ method of payment.


If a dispute arises, PayPal will negotiate between the merchant and the customer to achieve what they consider to be a fair resolution. Another advantage to the customer is that the store never sees the customer's payment details. This means that a customer can pay by credit card and only PayPal has the details of that card. The store is made aware that a payment has been made with a credit card, but has no further details.


PayPal allows payments to be made to a merchant in two ways. Firstly a customer can use a credit card as described above. Secondly a customer can use a PayPal account which either has a sufficient balance to make the payment or is linked to a bank account/credit card from which the payment can be sourced.


Using a credit card


When a sale is made and the payment is by credit card, the store receives an email advising of the payment. In this case the buyer is protected if the merchant fails to deliver goods or services matching what the customer had purchased (and the customer can provide sufficient evidence). The seller is offered NO PROTECTION from the credit card being misused, as in the case where the card details have been stolen and used without the card owner's knowledge. The card owner tells their bank to stop payment; this is known as a chargeback. PayPal will ‘act on your behalf’ but invariably they refund the bank after garnishing the disputed amount from your PayPal account.


In this situation the store owner should make an extra effort to ensure that the order and customer are legitimate.


Using a PayPal account


When a customer pays for their order using a PayPal account (not a credit card via PayPal) the buyer and seller are both protected by PayPal. The email advising payment will include a declaration that the seller is eligible for ‘seller protection.’ Should it be found that the PayPal account had been misused by a third party, the seller is unlikely to suffer financially as a result, with some big IFs.


IF the goods are not shipped to the address on the payment advice sent by PayPal at the time the sale occurred, you will not be able to claim seller protection.

IF you can not provide proof of delivery to the address on the payment advice sent by PayPal, you will not be able to claim seller protection.


Signs a customer may not be genuine


  • The use of free email accounts. Hotmail and G-mail are two of many free email accounts that anyone can create. Orders from one of these email accounts are much more likely to need extra attention.

  • Their name and address is not in the phone book. Some people don’t have home phones or may have unlisted numbers, but again take extra care.

  • They give an unlisted mobile number. Search using a reverse lookup site and Google, again take extra care.

  • They want delivery to a P.O.Box or a delivery address different to their home address.

  • They paid with a credit card. (no seller protection)

  • The IP address the order was placed from is not from the same area as the address they gave.

None of the points above (either alone or together) mean that the order is not genuine, but they are all factors that should make you pay extra attention to the sale.


The more of the above points that are true, the more suspicious and careful you should be.
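The checklist above can be turned into a simple scoring rule so that every order is weighed the same way, instead of relying on a gut feeling at the end of a busy day. The following is an added example in Python, not code from the original article or from the store it describes; the weights, the two thresholds, the free-mail domain list and the sample orders are all constructed assumptions that you would tune against your own chargeback history.

```python
"""Order risk scoring built from the warning signs listed above.

Added example (Python), not code from the original article. The weights,
thresholds, free-mail domain list and sample orders are all constructed
assumptions; tune them against your own chargeback history.
"""
from dataclasses import dataclass
from typing import List

# Assumption: a short stand-in for a maintained list of free-mail providers.
FREE_MAIL_DOMAINS = {"hotmail.com", "gmail.com", "outlook.com", "yahoo.com"}

# Assumption: heavier weights for the signals the article ties directly to
# losing seller protection (credit card, different delivery address).
WEIGHTS = {
    "free_email": 1,
    "not_in_phone_book": 1,
    "unlisted_mobile": 1,
    "po_box_or_alt_address": 2,
    "credit_card_no_seller_protection": 2,
    "ip_region_mismatch": 2,
}
VERIFY_THRESHOLD = 1   # score >= 1: ask for proof of identity before shipping
HOLD_THRESHOLD = 4     # score >= 4: do not ship until the checks come back clean


@dataclass
class Order:
    email: str
    phone_book_match: bool      # name and address found in a directory lookup
    mobile_listed: bool         # mobile number found via reverse lookup
    ship_to_po_box: bool
    ship_address_differs: bool  # delivery address differs from home address
    payment_method: str         # "direct_deposit", "paypal_account" or "credit_card"
    ip_region: str              # region the order IP geolocates to
    address_region: str         # region of the address the customer gave


def risk_signals(order: Order) -> List[str]:
    """Return the names of the warning signs that apply to this order."""
    fired = []
    domain = order.email.rsplit("@", 1)[-1].lower()
    if domain in FREE_MAIL_DOMAINS:
        fired.append("free_email")
    if not order.phone_book_match:
        fired.append("not_in_phone_book")
    if not order.mobile_listed:
        fired.append("unlisted_mobile")
    if order.ship_to_po_box or order.ship_address_differs:
        fired.append("po_box_or_alt_address")
    if order.payment_method == "credit_card":
        fired.append("credit_card_no_seller_protection")
    if order.ip_region.strip().lower() != order.address_region.strip().lower():
        fired.append("ip_region_mismatch")
    return fired


def risk_score(order: Order) -> int:
    """No single signal decides; the score is the sum of what fired."""
    return sum(WEIGHTS[name] for name in risk_signals(order))


def review_action(order: Order) -> str:
    """Map the score onto the article's advice: ship, ask for ID, or hold."""
    score = risk_score(order)
    if score >= HOLD_THRESHOLD:
        return "hold_and_verify"
    if score >= VERIFY_THRESHOLD:
        return "verify_identity"
    return "ship"


# Constructed sample orders (not real customers).
CLEAN_ORDER = Order("jane@example.com.au", True, True, False, False,
                    "direct_deposit", "NSW", "NSW")
RISKY_ORDER = Order("buyer123@hotmail.com", False, False, True, False,
                    "credit_card", "overseas", "VIC")

if __name__ == "__main__":
    for o in (CLEAN_ORDER, RISKY_ORDER):
        print(o.email, risk_score(o), risk_signals(o), review_action(o))
```

The point of the weights is the one the article makes: a free email address on its own only earns a closer look, while several signs together, particularly a credit card payment going to an address you cannot verify, should stop the parcel leaving the shop until the customer has answered your questions.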


Fraud


Fraud is becoming more and more of a problem and at the end of the day there is only one loser.

It isn’t the customer, it isn’t the bank, it isn’t PayPal.

It’s YOU. The merchant.


  • When you are in doubt, ask the customer to provide proof that they are who they say they are.

  • All of the clients I have requested further information from have been happy that I made the effort to check.

  • Every one of them was able to provide what I asked for, and there were no issues with the sales.

  • The ones who ‘promised’ to send me the extra information I requested and never did were all scammers and in each case PayPal later alerted me to “unusual account activity” and a chargeback was instigated by the account owner.

If you are in doubt that an order is above board you may be better to cancel it.


It may be better to lose a little profit, than a large outlay for stock you just handed to a scammer.


Personally, I’d rather not give them the satisfaction.






Wednesday 17 February 2016

Website Security Considerations




Running and maintaining a jewellery website where the price of some of our gold chains exceeds $20,000 means that security is one of the most important considerations. This article deals with the security related to the hosting of a web site; detecting and preventing fraud will be covered in a future article.


Securing The Web Server


There are a number of things that can be done to limit the chance of having your website hacked. (As long as a computer is connected to the Internet it can be vulnerable to hack attempts, so we are talking risk minimisation not absolute guarantees of imperviousness.)


Passwords


Having complex passwords of a reasonable length is the foremost consideration. Use at least 12 characters containing some of each from the following groups: upper-case letters, lower-case letters, numbers and symbols. An example of a strong password would be similar to this – *hY55"gTh09,Jj – it contains characters from each of the groups mentioned and it will not be found in a dictionary. On older systems rename the administrator account to another name like hy66d6yuskl. The chance of this combination of username and password being discovered is next to zero (but not impossible).


Many password attacks use brute force by trying thousands of passwords one after the other, often from common words that could be found in a dictionary and they may add numbers to the beginning or the end of the word. An example of a really bad password is – password123 – don’t expect this to keep anyone out of your web server!
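The two rules above (length plus all four character groups, and nothing a dictionary list would reach by padding a word with numbers) are easy to enforce in code before a password is accepted. The following is an added example in Python, not the article's own code. The 12-character minimum is the article's; the word list is a tiny constructed stand-in for a real dictionary or breached-password list, and the padding check is my generalisation of the "password123" pattern the article describes.

```python
"""Password policy check for the advice above.

Added example (Python), not the article's own code. The minimum length
follows the article; the word list is a tiny constructed stand-in for a
real dictionary or breached-password list.
"""
import string

MIN_LENGTH = 12
REQUIRED_GROUPS = {"upper", "lower", "digit", "symbol"}
# Assumption: a real deployment would load a full dictionary / breach list.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "jewellery"}


def character_groups(pw: str) -> set:
    """Which of the four character groups the password draws from."""
    groups = set()
    for ch in pw:
        if ch.isupper():
            groups.add("upper")
        elif ch.islower():
            groups.add("lower")
        elif ch.isdigit():
            groups.add("digit")
        elif ch in string.punctuation:
            groups.add("symbol")
    return groups


def dictionary_core(pw: str) -> str:
    """Strip digits and symbols from both ends, undoing the padding a
    brute-force list applies to a word ('password123' -> 'password')."""
    return pw.strip(string.digits + string.punctuation).lower()


def password_problems(pw: str) -> list:
    """Return the policy rules the password fails; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = REQUIRED_GROUPS - character_groups(pw)
    if missing:
        problems.append("missing " + ", ".join(sorted(missing)))
    if dictionary_core(pw) in COMMON_WORDS:
        problems.append("dictionary word with number/symbol padding")
    return problems


def is_strong(pw: str) -> bool:
    return not password_problems(pw)


if __name__ == "__main__":
    # The article's strong example, its bad example, and a padded word that
    # satisfies length and character groups but still fails.
    for candidate in ('*hY55"gTh09,Jj', "password123", "Password123!"):
        print(repr(candidate), password_problems(candidate) or "ok")
```

Note the third candidate: "Password123!" meets the length and uses all four groups, yet it is just a dictionary word with padding, which is exactly what the brute-force lists described above try first. A check that only counts character groups would have let it through.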


Virtual Private Server (VPS) vs Shared Hosting


Shared Hosting

A shared host is where multiple web sites are run on the same server and share a common IP address.


If one of those sites is compromised, the other sites may also be vulnerable to attack. Furthermore, if one of those sites is a gambling, pornography, hacking, pirated software or other low quality site, Google may penalise YOUR web site in their SERPs because you share a common IP address.


If one of the other sites sharing your server becomes infected with malware, Google may also penalise your own site.


If one of the other sites is acquiring lots of low quality spammy incoming links, Google may also penalise your site.


On a shared server there may be many programs running that you don’t need. Each additional program has the potential to be susceptible to security vulnerabilities that a hacker may exploit.


Private Hosting

A VPS gives you a unique IP address and a computer running a web server that you are not sharing with other web sites.


Having a VPS will prevent the problems that can occur when using a shared hosting arrangement.


Typically they are also able to deliver web pages much more quickly than a shared host that has another 50 or 100 other websites in addition to your own.


It does cost more to use private hosting but the benefits are immense, consider:


How much is your reputation worth?


If you run an e-commerce store and Google dumps you from their search results how much could you lose in sales?


On a VPS, you control what software is installed. This means you only run software that YOU need, unlike on a shared server. Much more secure.


Managing the server and uploading new pages to your website (via FTP) are some of the tasks you will perform reasonably frequently.


On a VPS, you can restrict access to the management console and FTP (file transfer) by IP address. If you have a static IP address in your office, you can allow FTP/console access to your web server from that IP address and ONLY that IP address.


Anyone connected from a different IP address will be allowed to browse your web site (you want this!) but be blocked from accessing the web server for any other purpose.
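The restriction described above, written out as a firewall ruleset for a Linux VPS using nftables. This is an added example, not configuration from the article; the office address 203.0.113.10 is a placeholder from the documentation address range, and the choice of SSH on port 22 for the management console and port 21 for the FTP control channel is an assumption about the server.

```nftables
#!/usr/sbin/nft -f
# Added example ruleset (not from the original article):
# the web site is open to everyone, management only from the office.
# Assumption: 203.0.113.10 stands in for the office's static IP address.
flush ruleset

table inet filter {
    set office {
        type ipv4_addr
        elements = { 203.0.113.10 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Keep established sessions and local traffic working
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept

        # Anyone may browse the site
        tcp dport { 80, 443 } accept

        # Console (SSH) and FTP control channel: office address only
        ip saddr @office tcp dport { 21, 22 } accept

        # Everything else falls through to the chain's drop policy
    }
}
```

Load it with `nft -f` from a console session that is already open, then confirm from the office that SSH still works and from any other connection that only the web ports answer, before you close that session. Two caveats a practitioner will hit: passive FTP opens a separate data-port range that also needs to be limited to the office set (or simply use SFTP, which rides on the SSH rule and needs no extra port), and a server with IPv6 enabled needs an accept rule for icmpv6 before the drop policy, or neighbour discovery stops working.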


FallBack Plans


In the event that you find your server has been compromised, it is vitally important to have a recovery plan in place.


You (or your host) should be making regular backups of your web site. (Best you both keep copies)


If the content on your web site changes often, backup more frequently.


If you are going to make major changes to your content, do a backup first and another one after the changes have been uploaded.


If you have a database (on an e-commerce store for example) you should back it up at least once a day. Leave a copy on the web server and download a copy to your office computer as well.


Having current backups is critical should your web site be hacked.


It is also very important to have historical backups – you may not know your web site has been compromised for some time and if your only available backup was done yesterday, then that backup may be of no use to you.
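The schedule above (frequent backups, a daily database copy, and enough history that a compromise discovered weeks later can still be rolled back) comes down to two things: dated archives and a retention rule that does not just keep yesterday's copy. The following is an added example in Python, not the article's own procedure; the retention numbers (14 daily, 12 monthly), the file naming and the demo data are constructed assumptions.

```python
"""Dated site backups with a retention policy that keeps history.

Added example (Python), not the article's own procedure. Retention numbers,
paths and the demo data are constructed assumptions.
"""
import tarfile
import tempfile
from datetime import date, timedelta
from pathlib import Path

KEEP_DAILY = 14     # every backup from the last 14 days
KEEP_MONTHLY = 12   # plus the first backup of each month, for a year
PREFIX = "site-"    # archives are named site-YYYY-MM-DD.tar.gz


def backup_tree(source: Path, dest_dir: Path, when: date) -> Path:
    """Archive `source` into dest_dir/site-YYYY-MM-DD.tar.gz and return the path."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / f"{PREFIX}{when.isoformat()}.tar.gz"
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(source), arcname=source.name)
    return archive


def archive_date(path) -> date:
    """Recover the backup date from the archive's file name."""
    name = Path(path).name
    return date.fromisoformat(name[len(PREFIX):len(PREFIX) + 10])


def select_to_keep(archives, today) -> set:
    """Apply the retention policy; `today` may be a date or an ISO date string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    keep = set()
    first_of_month = {}
    for archive in sorted(archives, key=archive_date):
        d = archive_date(archive)
        if (today - d).days < KEEP_DAILY:
            keep.add(archive)
        first_of_month.setdefault((d.year, d.month), archive)  # earliest wins
    for month in sorted(first_of_month)[-KEEP_MONTHLY:]:
        keep.add(first_of_month[month])
    return keep


def prune(dest_dir: Path, today: date) -> list:
    """Delete archives the policy no longer retains; return what was removed."""
    archives = list(dest_dir.glob(f"{PREFIX}*.tar.gz"))
    keep = select_to_keep(archives, today)
    removed = [a for a in archives if a not in keep]
    for a in removed:
        a.unlink()
    return removed


def demo() -> dict:
    """End-to-end run on a throwaway directory with constructed data."""
    today = date(2016, 2, 23)
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "public_html"
        site.mkdir()
        (site / "index.html").write_text("<h1>shop</h1>")
        backups = Path(tmp) / "backups"
        backups.mkdir()
        # Pretend daily backups have run since 1 January (empty stand-ins).
        for n in range(1, (today - date(2016, 1, 1)).days + 1):
            day = today - timedelta(days=n)
            (backups / f"{PREFIX}{day.isoformat()}.tar.gz").touch()
        latest = backup_tree(site, backups, today)
        removed = prune(backups, today)
        kept = sorted(p.name for p in backups.glob(f"{PREFIX}*.tar.gz"))
        with tarfile.open(str(latest)) as tar:
            members = tar.getnames()
    return {"kept": len(kept), "removed": len(removed),
            "oldest_kept": kept[0], "members": members}


if __name__ == "__main__":
    print(demo())
```

Run daily from cron against the web root, and feed a database dump file through the same `backup_tree` and `prune` calls so the database keeps the same history. The copy the article tells you to download to the office is the set that `prune` leaves behind; with the numbers above, a break-in found three weeks after the fact still leaves a clean first-of-month archive to restore from, which a "yesterday only" backup would not.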




Thursday 4 February 2016

Gold and Silver Metal Testing

Jewellery is rarely made from pure gold or silver as both these metals are very soft. Normally gold chains, for example, are made from pure gold which has been alloyed with silver, copper and zinc.


To make jewellery that will wear well, gold and silver are mixed with other metals to improve the hardness and durability of the metals. Gold jewellery in Australia is most frequently either 9ct (375) or 18ct (750) and should be stamped as such. In the US, 10ct (417), 14ct (583) and 22ct (916) are popular.


A common misconception is that 18ct gold is much softer than 9ct because it contains twice as much pure gold. In hardness tests, 18ct gold will actually be very slightly harder and more durable than 9ct, the difference in hardness between the two metals is less than 1% but 18ct gold will be considerably more expensive.


Sterling silver is an alloy of 92.5% pure silver and 7.5% of another metal (nearly always copper). Silver jewellery from Mexico and many Asian countries will be less than 90% pure silver and may be considerably less. The percentages of one metal to another in an alloy is always by weight.


9ct yellow gold is 37.5% pure gold and 62.6% other metals, typically the majority is silver and copper with a small fraction of zinc. Varying the percentages of the silver and copper will cause a change in the actual colour of the gold alloy. More silver and less copper will give a brassier yellow hue and the opposite, more copper and less silver will give a pinkish hue to the alloy. Rose gold has a larger proportion of copper than silver.


Normally you can tell the carat of gold jewellery by the hallmark. This is a small stamping on the piece of jewellery of the carat weight, i.e. 9ct or the parts per thousand of gold i.e. 375. This mark can also be etched into the piece with a laser, instead of being stamped.


With the easy availability of carat stamps, some unscrupulous people are profiting from jewellery being incorrectly hallmarked. Cheap silver or brass chains can be gold plated and stamped with 375, and the buyer assumes they have purchased a 9ct solid gold chain necklace.


The only way to be absolutely sure of the actual carat weight of gold jewellery is by testing the metal chemically or with an electronic metal analyser.


Manufacturers are subject to random tests of their jewellery and undergo the most accurate testing. A random sample(s) is collected from their products and it is chemically analysed to around 1 part per thousand for gold content. This process is completely destructive and is only suitable for ensuring that manufacturers are adhering to the correct marking of carat weights of their products.


Gold testing kits are available quite cheaply and can be used to obtain a reasonably accurate measure of the gold content of a single piece of jewellery. They are however destructive in that a small section of the jewellery is removed by scratching the piece on a special stone used for testing. An area that is not normally visible should be used and the amount is very small.


The mark left on the stone is covered with a solution that will cause a chemical reaction and a colour change will be seen. Different chemicals are used depending on the actual carat of the gold being tested, so sometimes more than one scratch on the stone will be required. These chemicals are typically strong acids and require care during use. It may be best to have these tests performed by a jeweller who has the knowledge and experience to perform the tests safely and accurately for you.



In recent years electronic testers have come onto the market. Currently the price makes them not practical for anyone not using them regularly in a business. They are however very accurate and more importantly they are completely non-destructive. Handheld models with an LCD readout will indicate on the display the composition of the piece being tested and show the percentage of up to 14 different elements. More complex models can offer the detection up to 21 different elements.


X-ray Fluorescence (XRF) is the technique employed by these analysers. The device can be focused on an area as small as 1mm x 1mm and return a reading showing the percentage of each metal present in the sample without causing any destruction to the jewellery being tested.


If you are considering buying second hand jewellery you should arrange for a jeweller to test the item to make sure it is as expected. A seller who refuses or is reluctant to allow you to do this should probably be avoided. False hallmarks have been widely reported on silver jewellery coming from China and frequently being sold on sites like eBay. If the price seems too good to be true, just move on, because it won’t be real.


Buying from a reputable store should guarantee you will not have issues with the jewellery not meeting the hallmarks applied. Buying within Australia also gives you protection under common law, consumer law and you have the backing of the consumer affairs and/or fair trading government departments.




