CCBill-Giving Away Your Memberships!
 

that's right...check this shit out!

last month one of my members was blocked by pennywize for password trading. this guy actually had the nerve to contact ccbill to complain about being blocked. normally, when i get a blocked account email from pennywize i cancel the membership right away but it was a busy day for me so i didn't get around to it. ccbill sent me an email saying a customer was compaining about being blocked so i replied that he was a password trader and not to re-add him.

the customer sent another email complaint so ccbill refunded their membership. when i called ccbill, the rep told me that the other rep who refunded it did not read the message i sent and that it was a mistake on their part. oh ok, so it's a mistake at my expense! oh well, shit happens but it gets better...

a few days ago another member got blocked for password trading so i was quick to get on this one. after doing a look-up, i discovered that the membership expired almost a year ago! the ccbill rep told me that sometimes the "kill" message in their script doesn't remove the login from the (htpasswd) file. i couldn't believe it! he assured me that it was very uncommon even though the only way i caught this one was he was sharing the wealth of his life-time membership with his buddies. you see, the "kill" message only gets sent once so if it misses the member he gets a FREE life-time membership!

out of curiousity i downloaded the htpasswd file and compared it to my active members and as it turns out, 45 non-members still have full access to my member's area! some of them have had it as far back as 2006! so not only am i losing potential membership sales, i'm paying for their bandwidth!

i'm still waiting for them to take action and tell me what they're going to do to fix this. if you're using ccbill as a processor you could be giving people free life-time memberships and it's worth looking into.

Not exactly a news flash. You can ask them to resync your htpasswd file which would prevent that problem if you did it on say a monthly basis.

Bad news indeed. Though I would not straight out kill anyone pennywise blocks. First that software sort of sucks and is common to throw false positives and second is that some people do get their shit jacked and never shared anything.

Man, those password protection scripts have so many bugs, that just because it tells you the member is a password trader, it doesn't have to be true. In most cases, it isn't. Even if you have a internet connection not with a stable IP and you login to the site each time from a different IP, it blocks you.

And about the 45 non-paying members, I'm pretty sure most of the old members don't download anything anymore, but even if they would, bandwitch is so cheap nowadays...You concentrate too much on the "not so important" things.

well, this is new to me.

as far as pennywize goes, you could be right. it's the software my host offers so that's why i use it. i'm going to look into using something else.

when i remove someone it's because they are showing hits from numerous countries so it seems odd that the software would generate bogus info like that. kind of defeats the purpose don't you think?

why should i do additional work on a monthly basis? i pay them 14% to do that! i'm sure no one at ccbill logs into my member's area on a regular basis to make sure it's up.

i doubt very much that someone is going to hack a computer and then take the time to get their porn site logins to then go on a board where they share the logins for free. pretty generous thieves!

many of the non-members are in the member's area all the time...i checked. after all why wouldn't they. i'm sure they don't mark on their calendar when their membership expires and they don't try after that date. you're missing the point about the bandwidth. it doesn't matter if it's 1 non-member or 45, there's a problem that needs to be fixed. those are 45 people who would never re-join!

Quick question, do you let users pick usernames and passwords or do you have ccbill assign long random digit ones?

Hey D,

You and I have talked in the past at TFF, remember? I'm not sure exactly how others do it, but just an FYI, our password management is a little more "enterprise class" than what you described. If we post *any* change to the user/pass data, our system expects a positive response from the module. If it doesn't get that response, it assumes the post failed and it will post again until it succeeds. I would think the better systems have at least that level of data integrity protection built in.

Also, as you know, using your bandwidth fraud package controls to stop sharing without making life too difficult for your customers is, of course, a balance. We work with our merchants on those strategies. Hit me up if you'd like to discuss.

:2 cents:

they can select their own login.

That alone is a severe security issue and will get your valid accounts hacked on a daily basis. Odds are you have been cancelling valid customers who had their usernames and passwords guessed or brute forced. Hell I would reason to say 9 out of 10 people you thought were sharing passwords, never did after knowing this.

hey joel, how's it going man! ya, this is not cool. i just spoke with my host and there was no maintenance being performed on the dates in question. i'm not sure where the problem exists yet but it's something ccbill needs to work on.

I tested CCBill a few times for customer service, asked for a refund on a site, and they told me it was not possible for them to give refunds, only the site could issue refunds. I told them I knew this was not true as I am a site owner myself, and they basically told me to go to hell.

Which is exactly why I use Epoch, and will never use CCBill.

They don't hack the person's computer - they hack your site, they don't get a password at a time... they get dozens and they do it using automated tools. They DO share the passwords since it's what the password trading forums do. A person buying a membership and sharing it would be WAY more generous a thief than the ones who steal them :2 cents:

i'm not sure if there's a way to change that...just the way they do it.

There is, I run a ccbill site or three myself.

if they get dozens at a time, why wouldn't there be more logins blocked? this only happens about once a month.

Your first mistake is using pennywize.

Trust us, that is how it works.

k, found that setting in the admin and changed it from "user defined" to "random". thanks for the tip, that should help quite a bit.

so what's the fix?

Random passwords & user names.
Better security program like strongbox or phantomfrog.
Reset a persons password once if they get nailed for duplicate password usage and email them the new password along with how to sweep their PC. If it happens again with them cancel account.
Synch your site with ccbill once every month or quarter.

i was told the same thing then one day i saw a refund so i called. they said the member threatened to charge back so the refunded. i asked what the reason was and they didn't know.

ya, i'm going to switch to something else. i definately don't want to be cancelling members due to software errors.

Yes, just because pennywize blocked them doesn't mean that they're password traders....I hope that you at least logged into the admin area to make sure that they weren't using AOL or something...

Pennywize used to block all kinds of shit for no reason.

Duh! Just use NATS, it can be setup to catch these!

i check each one out individually before i cancel their membership.

lol, nice plug!