This is a bit off the technical subjects, but I would like to bring it
to the attention of our community because it does impact security policy
in some regard.

For many years, I have been involved with fighting what are called "fall
through" contracts, contractual arrangements whereby if you agree to one
thing, then your commitment falls through to a long term contract in
some other area.  It becomes a security issue for us as it often gets
involved with inadvertent or inappropriate disclosure of company credit
cards through the internet, often for white papers or subscriptions.
However, we are seeing a greater incidence of this technique being
used as a method to gather credit card information via the network
which, from our point of view, is as dangerous as giving up corporate IT
assets by theft or deception.

The old approach was to offer a subscription or membership after a trial
period.  At the end of the trial, the user was bombarded with emails
(or snail mail invoices) attempting to induce the recipient to yield up
the billing method, often the credit card.

The new approach is that the offerer is making available a "free" item,
but it is only "free" if the user beforehand submits the credit card
information.  In doing so, the offerer is gathering the credit card
information without a contractual commitment on whatever the resulting
contract will be. The user is then faced with a fall through situation
in which the offerer is free to bill the credit card without the user
being aware that the request for the "free" trial or offer subsequently
caused a billing situation.

This is similar to the slamming technique that is used by some telephone
companies to change billing on phone service.  The technique induces a
user to agree to one thing and the small print, often hidden in the
back, indicates that the approval is a blanket approval including change
of contractual service.

I only bring this to our group's attention because we have been faced
with this situation with people wanting to get white papers on various
subjects, only to be faced with reprimand for disclosing our credit card
information inappropriately.  We have since issued instructions in our
asset protection and security policies indicating the danger of fall
through contractual obligations and releasing CC information without
proper approval.  Those of you who are involved with asset protection
might want to consider limiting activity of this type.

Not all security issues on the net are technical in nature.

John Braden
Izar Associates, Inc.
