My friend is trying to build a commercial website for his business and I'm just trying to cover all of the possible weaknesses. Also, as a curious techie, I'm interested in knowing how all of this stuff works.

One time, I was banned from purchasing from a website (all because I disputed a charge which I never bought). I understand them trying to be super protective but it was over a measly $30 and they lost a customer as a result. It wasn't like I was stealing from them, it was an honest overcharge and I disputed it, sheesh. I tried all of my other CC's and debit card but they still knew it was me and they told me so when I called them. I figured all of my cards are linked (behind the scenes and blind to them) via a common factor (e.g. social security number, dob, etc). Then, I tried borrowing my friend's CC to buy from that site (with the same computer) but somehow they still knew!! I'm guessing in conjunction with CC tracking, they also log the IP of where you're coming from and they somehow added updated info to their database. So now, they have 2 identities that would be blocked. And if I were to buy from a different IP but with CCs from either me or my friend, they would now have a total of 2 sets of CCs and 2 IPs to block (updating their database). Do you think this is what they did? So, if IP tracking and CC tracking are all they do, hypothetically, then, buying from a new IP with a CC from a different person would work since there is no linking of people involved, right? I'm still racking my brain trying to figure out what method they used. But nonetheless, seems like they use decent security measures on their site.

So what are the high tech measures commercial websites employ to detect who you are (to try to curb fraud, tailor site to the user, etc)?
1. Identity tracing with CCs
2. IP addresses
3. cookies
3. MAC addresses of network adapters and cable modems?? (not sure of this, is this possible to obtain this info?)
4. hostname aka computer name (can this be done?)
5. browser (and version), os (and version), processor (even if these were obtained, many many people have the same configuration so I doubt this is an effective method to block the specific person who you want to block but probably useful for tailoring the appearance of the page)

What other possible methods can modern websites use to know who is coming to their site?

Also, even though I deleted all of my internet files and cookies, set my privacy level to maximum, and deleted autocomplete entries (under internet options in the tools menu of IE), I still get the textfields pre-filled when I go to sites which have this kind of security.



How does this happen? I'm guessing from the fact that they fields get filled with my previous entries, they know who I am right?

Thanks in advance for the feedback.

 

Well a website can certainly block an IP address or even a block of IP addresses, but since most people have dynamically allocated IP addresses this doesn't work 100%. There are very few ways for a website to accurately identify you. I don't think a website can obtain your Ethernet MAC address, but if they could that would certainly identify you, well at least until you got a new ethernet card. That website you were talking about probably either knew you through a cookie or flagged your IP address as a "suspicious" buyer from the previous dispute. Either method is not foolproof. They can't track users through browser, os, etc. since obviously as you said, there can be many people with the same configuration. The dialog box you see that pops up, is for authentication/authorization when you enter "secure" sections of the website. It doesn't mean they know you. So, basically if you had cleared your cookies, or were able to get a different IP address I don't think they would know you. And I really doubt that these guys are privy to your SSN. Did you enter the same shipping or billing address? That is probably the most obvious way for them to know it was you.

 

.

 

.

 

.

 

.

 

[QUOTE]Originally posted by pantyraider
Well a website can certainly block an IP address or even a block of IP addresses, but since most people have dynamically allocated IP addresses this doesn't work 100%.

 

.

 

.

 

Woah, one person at a time please !

No, they can't place any dormant cookies on your computer. I'm assuming you use IE, IE has a bug where it sometimes doesn't clear out the cache or cookies even when you tell it to. You can check your Documents and SettingsUserLocal SettingsHistory and many times it won't be cleared at all. It's quite a pain in the ass. I suggest you use Mozilla, go to www.mozilla.org and download version 1.6. Another possibility is that they installed some software on your computer, dou you recall giving them permission to install anything? If you did then yes, their software is now on your computer and they can go ahead and store stuff in the registry, basically do what they want with your computer. So, make sure the software you install is from a trusted source, or has some kind of third-party certification.