OVH Community, your new community space.

Orders with SMS confirmation


oles@ovh.net
24-06-2008, 06:46
Dash a écrit:
>
> I think Oles' main intention is to stop fraud & not necessarily use it
> as a way of blocking international orders.

we are very montivaed to stop the fraud. and it will stop the
international orders (lot of TR, SE, IT). we prefer to prepare
a new market (like we do on IT right now) and sell quickly lot
of servers with the best payemnt conditions, that allow a
customer from a country to order 1 or 2 servers with lot of
risks of payments for Ovh. when we start a new market we
start the domains, the local phone services (for VoIP, soon in
UK), the best payement with lot of security, the contracts,
the support, the website, and we have the local firm with
local laws. it's full security for the customer.

Dave
23-06-2008, 18:13
Quote Originally Posted by oles@ovh.net
iand a écrit:
>
> id like to see how this is going tostoppeople with friends over here
> ordering from other contries thats the way most people are getting round
> the uk only rule so how do you think this is going to stop it?

we propose the dedicated in UK. not for SE/MA/TN/RU or JP.
I think something was lost in translation here.
oles@ovh.net
23-06-2008, 13:42
iand a écrit:
>
> id like to see how this is going tostoppeople with friends over here
> ordering from other contries thats the way most people are getting round
> the uk only rule so how do you think this is going to stop it?

we propose the dedicated in UK. not for SE/MA/TN/RU or JP.

iand
23-06-2008, 11:07
id like to see how this is going to stop people with friends over here ordering from other contries by getting there friends to order the server and them paying there friend thats the way most people are getting round the uk only rule so how do you think this is going to stop it?
oles@ovh.net
23-06-2008, 07:50
Dash a écrit:
>
> As others have pointed out, it's possible to buy a UK SIM from EBay and
^^^
the bug is here. no hacker
buys. the hackers get the
goods for free. stollen
CB, ...
oles@ovh.net
23-06-2008, 07:48
Dave a écrit:
>
> oles@ovh.net;5150 Wrote:
>>
>> If I live in Marrocco, Can I buy this cart ? Working ?
>>
> Finding a seller on ebay that will send something so cheap and small to
> Marrocco shouldn't be hard at all.

how much does it cost ? it will work only for 1 order. the goal
of the hacker isn't to pay, but get the services for free. They
use the stollen CB so it's free. Will they get the SIM cart for
free ? Just for 1 order in Ovh ?

> The first provider I checked was Vodafone and yes UK "pay as you
> talk"/prepay sim cards work in Marrocco, only a single band phone is
> required and your uk number will be acceptable, in Marrocco it will
> connect via "Medi Telecom" or "Maroc Telecom" depending on area and
> coverage and Text services are available on both.

it costs and it works for 1 order only. the hackers will be stopped.
Dave
23-06-2008, 05:05
Quote Originally Posted by oles@ovh.net
If I live in Marrocco, Can I buy this cart ? Working ?
Finding a seller on ebay that will send something so cheap and small to Marrocco shouldn't be hard at all.

Quote Originally Posted by oles@ovh.net
Do the carts work in Marrocco ?
The first provider I checked was Vodafone and yes UK "pay as you talk"/prepay sim cards work in Marrocco, only a single band phone is required and your uk number will be accessible, in Marrocco it will connect via "Medi Telecom" or "Maroc Telecom" depending on area and coverage and Text services are available on both.

I'm assuming this is true for other UK networks but I'm sure you know this from your R&D that must of been undertaken before launching this system.

Quote Originally Posted by oles@ovh.net
There is lot of "hard", "expensive" and "sure" way to check it
with 99.99% of the true. I'm looking for a light solution with
90% of the true. Right now, we have a check with 60%. It's not
enought.
I'd say "If its worth doing, its worth doing properly"

EDIT:

I think my post came across like I am trying to prove you wrong, I am just point out what I would consider fundamental flaws in the system.

I will say this again, hacks and fraudsters take advantage of weak systems because they can, this sms system will put an obsolesce in their way but by no means stop them.
oles@ovh.net
22-06-2008, 18:56
Dave a écrit:
>
> I'm not sure this is a good move by OVH really, I'm not sure how its
> going to cut fraud either I can get pay as you go SIM cards from £5 at
> the local shops or free online depending on the network and I wouldn't
> have to register the sim card to my name or address.

I have no problem with "you" since you live in UK. I want to
check if you are in UK and not in MA or TN. That's all.

> Free sims from major networks:
> http://freesim.o2.co.uk
> http://shop.vodafone.co.uk/mobile-ph...y-as-you-talk/
> http://www.orange.co.uk/freesimcard

If I live in Marrocco, Can I buy this cart ? Working ?

> Also simcards can be bought from ebay or amazon from £0.01 plus
> postage, most uk sim cards will work aboard.

Do the carts work in Marrocco ?

> The point I'm trying to make is if someone wants to hack or use
> fraudenlent payments then they'll find ways around poorly thought out
> systems like the SMS system you need to verify something solid like
> address etc.
>
> The way I would go is when a person orders a server a letter is sent to
> the persons billing address and the server isn't activated untill a
> code/word in the letter is entered on your website, thus confirming the
> payment address etc.

There is lot of "hard", "expensive" and "sure" way to check it
with 99.99% of the true. I'm looking for a light solution with
90% of the true. Right now, we have a check with 60%. It's not
enought.

Andy
22-06-2008, 17:31
Good morning,
I read your questions and I prefer to respond globally

There are no problems to provide for our customers. Only
new customers are affected by the verification by the SMS.
We checked only once the new ID at its inception.
If you are not yet a customer of Ovh AND If you do not have
cell phone, you can use a mobile phone
a co-worker to receive 1 times the activation code.
If your co-workers do not have mobile phones,
you pay by cheque, then your ID is validated.
The following payments will be made by the CB. If you do
no cheque book, you can pay in cash. If you do
no liquid, bahh ... you take the free lodging.

And therefore, a little abstract:
1.) Not validated by SMS for renewal
2.) If you already have an ID, no validation
necessary (you are already a client Ovh).
3.) If you do not have any ID and you want
order the 1st time a service at Ovh, one sees sends
SMS for validation. Once the ID is
validated, no revalidation for the following commands.
4.) If no validation possible for the 1st command,
can pay by cheque and the ID is
automatically validate for other payments.

In France, we agree to send emails only
to the number of mobile phones +336 XXXXXXX. The
same thing in other countries (UK: +448 or +447 XXXX XXXX).
In Poland +4869 XXX XXX +4866, +4888 XXX XXX +4872, +4878 XXX,
XXX +4860, +4851 XXX XXX +4879, +4850 and Germany XXX XXX +491
and +497 XXX. In short, SMS on VoIP are not accepted
or fixed telephones. Only on phones
portable.

Yours
Octave
oles@ovh.net
22-06-2008, 17:30
Hello,

I read your questions and I prefer to respond globally

There are no problems forcast for our customers. Only new customers are affected by verification via SMS. We check only the new ID once, at its creation.
If you are not an OVH customer yet AND If you do not have a mobile phone, you can use the mobile phone of a colleague to receive the activation code. If your colleagues do not have mobile phones, you pay by cheque, then your ID is validated. The following payments will be made by credit card. If you do not have a cheque book, you can pay in cash. If you do not have any cash, bahh ... you take the free hosting.

And therefore, a little abstract:
1.) No validation by SMS for renewal
2.) If you already have an identifier, no validation is necessary (you are already an Ovh customer).
3.) If you do not have an identifier and you want to order a service at Ovh for the first time, we will send you validation by SMS. Once the identifier is validated, no revalidation for following orders is required.
4.) If no validation is possible for the 1st order, you can pay by cheque and the identifier is automatically validated for the other payments.

In France, we send emails only to the numbers of mobile phones +336 XXXXXXX. The same thing in other countries (UK: +448 or +447 XXXX XXXX). In Poland +4869 XXX XXX +4866, +4888 XXX XXX, +4878 XXX, +4872XXX, +4860XXX, +4851 XXX, +4879XXX , +4850 and in Germany +491XXX XXX and +497 XXX. To sum up, SMS on VoIP or landline phones wont be accepted. Only on mobile phones.

Regards.

Octave
Murph
22-06-2008, 16:18
Quote Originally Posted by w00t
i mentioned the exaact same thing when it was first mentioned in this topic.

http://forum.ovh.co.uk/showthread.php?t=470

i dont think its thought out very well imo. 99.9% of people who use the net use a landland, which would be much better than a mobile number.

just my opinion.
Landlines are no better than mobiles for verifying which country you are in, thanks to VoIP, forwarding services, etc.
Murph
22-06-2008, 15:56
Quote Originally Posted by w00t
you should verify them by having an automated call contact a landline to the house where the card is billed to. They enter like a 4 didgit number etc or the last 6 digits of there card i dont know
That's not a good idea. Some people will be buying on business cards, where the number might be very inconvenient for such a call (eg an accounts department 100s of miles away); others may not find it convenient to be called on their registered "home" number. For example, in my case, my registered "home" number is one of many numbers the bank have to contact me, but it's one I'm rarely available at to take routine administrative calls. And anyway, merchants have absolutely no business in using the cardholder's phone number for anything other than verification with the bank's computer in distance selling.

Calling a miscellaneous landline is no better than SMS to a mobile - VoIP makes pretty much any geographic or non-geographic number available worldwide, if you are willing to put the time and effort in.
w00t
22-06-2008, 14:29
i mentioned the exaact same thing when it was first mentioned in this topic.

http://forum.ovh.co.uk/showthread.php?t=470

i dont think its thought out very well imo. 99.9% of people who use the net use a landland, which would be much better than a mobile number.

just my opinion.
Dave
22-06-2008, 13:23
Quote Originally Posted by w00t
i agree with dave like i mentioned before.

you should verify them by having an automated call contact a landline to the house where the card is billed to. They enter like a 4 didgit number etc or the last 6 digits of there card i dont know

the sms idea is totally whack. any 1 can gain a UK sim card.
I felt I was being a bit long winded but glad you got my point

I would of loved to of been in the meeting where the SMS idea was conceptualized.... "Wow SMS no one can get around that bad boy!" when I first heard the idea I thought they might as well save their money setting that system up and just send a confirmation code to an email address instead as it would be about as useful
w00t
22-06-2008, 13:16
i agree with dave like i mentioned before.

you should verify them by having an automated call contact a landline to the house where the card is billed to. They enter like a 4 didgit number etc or the last 6 digits of there card i dont know

the sms idea is totally whack. any 1 can gain a UK sim card.
Dave
22-06-2008, 13:05
I'm not sure this is a good move by OVH really, I'm not sure how its going to cut fraud either I can get pay as you go SIM cards from £5 at the local shops or free online depending on the network and I wouldn't have to register the sim card to my name or address.


Free sims from major networks:
http://freesim.o2.co.uk
http://shop.vodafone.co.uk/mobile-ph...y-as-you-talk/
http://www.orange.co.uk/freesimcard

Also simcards can be bought from ebay or amazon from £0.01 plus postage, most uk sim cards will work aboard.

The point I'm trying to make is if someone wants to hack or use fraudenlent payments then they'll find ways around poorly thought out systems like the SMS system, you need to verify something solid like address etc.

The way I would go is when a person orders their FIRST server a letter is sent to the persons billing address and the server isn't activated untill a code/word in the letter is entered on your website, thus confirming the payment address etc, obviously once the customer is verified then subsequent product purchases won't need verifying if the same payment method is used.
hyster
22-06-2008, 11:43
Wow that is one heck of a post you made there. Better not quote it lol.

I bet Oles has fun translating that !!!!
Murph
22-06-2008, 11:39
Quote Originally Posted by oles@ovh.net
Murph a écrit:
>
> oles@ovh.net;5125 Wrote:
>> > For example loads of VOIP providers now provide SMS services and can
>>
>> http://www.ovh.com/fr/produits/rates/GB.xml
>> you will be able to provide only "Royaume-Uni - Mobile"
>> for example:
>> +4472 "I accept to send a SMS"
>> +447999 "it's not a availble SMS number for me"
>
> Hmm, perhaps I've not fully understood what you are saying, but my
> contract mobile number which is 100% UK based, absolutely standard, and
> one of the older numbers (it's over 10 years old) is listed as
> "Royaume-Uni - Fixe" - +447973. Does that mean you would reject it? If
> so, you urgently need to find a more accurate list.

you are right. the names are wrong (webmaster problem), the prices
are okey. But it's not the right list for this question I will
generate an another one: example for UK:
+448 SMS okey
+447 SMS okey
the rest not: (+445)

So, the right question is now: "Do you know the VoIP providers with
+448 or +447" ? Or how a hacker from Marocco can use a +448 or +447
number to receive a code to be able to pay with CB ? Or someone from
Egypt to get it ?".
I suspect that +447[1-9] is what you need, possibly an even narrower range than that, but I'm not 100% sure, so please don't take my word for it. From vague memory, +4470 are not real mobile numbers, but call forwarding numbers (where the customer can dynamically redirect calls at will).

Most of the traditional mobile number ranges in the UK are +447[7-9], but that's only 300,000,000 numbers in the traditional style (+44 7xxx xxx xxx), so it's quite possible that numbers may have now been allocated in lower parts of +447 due to the huge number of disposable SIM cards, operators, and multiple numbers per phone (e.g. my phone can have up to 4 numbers - 2 voice, 1 fax, 1 data), and many people have spare, un-registered SIMs for occasional anonymity. In fact, having just done a little digging around, it's probably all of +447[5789] at the moment, with some exceptions.

Here is the *almost* definitive answer:

http://www.serviceview.bt.com/list/p....htm#1631-d0e1

Codes in there (where, eg, +447973 is equivalent to 07973) with a charge rate beginning "fm", i.e. fm1 - fm10, are *probably* mobiles.

+448 should not be mobile numbers - that range is used for company contact numbers.

As you can probably see, if you dare to look into the depths of the official BT Price List, number allocation, whilst there are some patterns to it, is far from straightforward.

If I were you, I'd start with +447[5789] being allowed, and monitor it carefully, expecting there to be exceptions on both sides (mobiles somehow outside that range, and non-mobiles/VoIP/whatever inside that range), but with an expectation that it's about 80-90% accurate as a starting point.

For a better solution, I suggest that you investigate the "Verified by Visa" and "MasterCard SecureCode" services, where the e-commerce site redirects to a website controlled by the banks, and the customer has to authenticate with the bank. Those are not perfect solutions either, as it's very difficult for the customer to know, with confidence, that they really are looking at a page from the banks, but I think that's about the state of the art for online CC fraud prevention.

As for the VoIP question and the hacker in Morocco, that's a much tougher question. With the highly de-regulated telecomms industry in the UK, it's very difficult to say where things like VoIP might appear in the number space.
oles@ovh.net
22-06-2008, 10:50
Murph a écrit:
>
> oles@ovh.net;5125 Wrote:
>> > For example loads of VOIP providers now provide SMS services and can
>>
>> http://www.ovh.com/fr/produits/rates/GB.xml
>> you will be able to provide only "Royaume-Uni - Mobile"
>> for example:
>> +4472 "I accept to send a SMS"
>> +447999 "it's not a availble SMS number for me"
>
> Hmm, perhaps I've not fully understood what you are saying, but my
> contract mobile number which is 100% UK based, absolutely standard, and
> one of the older numbers (it's over 10 years old) is listed as
> "Royaume-Uni - Fixe" - +447973. Does that mean you would reject it? If
> so, you urgently need to find a more accurate list.

you are right. the names are wrong (webmaster problem), the prices
are okey. But it's not the right list for this question I will
generate an another one: example for UK:
+448 SMS okey
+447 SMS okey
the rest not: (+445)

So, the right question is now: "Do you know the VoIP providers with
+448 or +447" ? Or how a hacker from Marocco can use a +448 or +447
number to receive a code to be able to pay with CB ? Or someone from
Egypt to get it ?".
hyster
22-06-2008, 10:40
Quote Originally Posted by Murph
Hmm, perhaps I've not fully understood what you are saying, but my contract mobile number which is 100% UK based, absolutely standard, and one of the older numbers (it's over 10 years old) is listed as "Royaume-Uni - Fixe" - +447973. Does that mean you would reject it? If so, you urgently need to find a more accurate list.
My number which is on Orange UK is +44796*******

By my understanding of your post Oles this is not allowed. ????
Murph
22-06-2008, 10:30
Quote Originally Posted by oles@ovh.net
> For example loads of VOIP providers now provide SMS services and can

http://www.ovh.com/fr/produits/rates/GB.xml
you will be able to provide only "Royaume-Uni - Mobile"
for example:
+4472 "I accept to send a SMS"
+447999 "it's not a availble SMS number for me"
Hmm, perhaps I've not fully understood what you are saying, but my contract mobile number which is 100% UK based, absolutely standard, and one of the older numbers (it's over 10 years old) is listed as "Royaume-Uni - Fixe" - +447973. Does that mean you would reject it? If so, you urgently need to find a more accurate list.
oles@ovh.net
22-06-2008, 10:06
> For example loads of VOIP providers now provide SMS services and can

http://www.ovh.com/fr/produits/rates/GB.xml
you will be able to provide only "Royaume-Uni - Mobile"
for example:
+4472 "I accept to send a SMS"
+447999 "it's not a availble SMS number for me"
Dave
22-06-2008, 09:47
It will be interesting to see how SMS will stop people ordering outside the country's that you sell your products in.

For example loads of VOIP providers now provide SMS services and can provide numbers in any of the country's you sell to, so in theory I could live in Afghanistan and still get a UK or FR number that would accept/send SMS's no problem.

I'd be very interested to see how you are going stop this, I'm sure this came up in your research and would be interesting to see how you plan on dealing with this?
oles@ovh.net
22-06-2008, 09:14
Hello,

For around 4 months now, we have been working on developing an order confirmation system using SMS. We have talked about this project 3 months ago and we have discussed the system that we are going to implement this week, thoroughly with our customers. Within around 10 days, all our subsidiaries will have the new 2008 website with the new ordering system. We will therefore be able to set up the confirmation of the order by SMS.

The Aim
----------------
For around 4 years now we have regularly had unpaid orders due to the hackers that pay with stolen credit cards. We are regularly working on improving the system that detects these payments and on its prevention so that we do not accept this type of payment. We have regularly had problems varying in seriousness with our banks. We remember 3 years ago when one of our banks had been ordered by mastercard to suspend our payments without notice. With more and more important transactions per day, despite the effective checking before and after the payment. Even with this, we still have too many fraudulent payments, not to mention the huge amount of cancellations of payments that we make a day to avoid (future) cancellation of payment (and the costs that go with it).

Therefore we have decided to establish a system based on the validation of the order using SMS. The advantages of an SMS number is becuase its in the country of origin (or traveling). However, 99% of our problems with the credit card payment come from hackers who get connected from the emerging countries (directly or through a proxy). By forcing them to enter a mobile phone number in one of the 5 countries where OVH offers its services (FR / ES / PL / UK / DE) + country where OVH wishes to sell its services (BE / CH / LU / MC /...), we will block 99% of our problems.

The Operation
-----------------
When ordering, you would already have an OVH ID (nichandle) assigned. If you do not have an ID at OVH, then you must create it. The creation of an identifier that places the order (only the ID that places the order) will be accompanied by a verification via SMS. If the customer has been able to validate the mobile number, he will be able to pay by credit card and receive services in 1 hour. Otherwise, he will be able to pay by cheque. There are no changes for existing IDs. They can place orders the same as usual. A mobile number can be used for a single ID (nichandle).

We plan for the setup of the system during the week.

Regards,

Octave