It seems that some anti-fraud mechanisms have evolved to use information about how a user is connected to the Internet to determine whether they are likely to be fradulent. Specifically, in my case it turns out that Paypal does not accept my debit card: "We were unable to verify this credit card through our card validation process. To proceed with checkout, please verify the information you entered is correct or try a different card." I do not have other cards, and my card works everywhere else. A little online investigation suggests that Paypal outsources its card verification process to an overzealous company called CyberSource, and there are many false positives. I suspect that in my case, the false positive is related to my use of Tor. According to this article, geographic location (i.e. "where a buyer's computer is") determined by IP address and ISP data, can cause a transaction to be denied: http://www.intelligentbanking.com/brm/news/ob/20000915.asp These articles cite geolocation as a useful anti-fraud technique: http://www.cybersource.com/news_and_events/international/view.xml?page_id=575 http://www.reliant.com/yhb/department/1,,CID457419,00.html?&cktst=true&REID=FA544C80-A195-0762-7F7B-9DCB487135AD http://www.slate.com/id/74654/ http://www.collectionsworld.com/cgi-bin/readstory2.pl?story=20031201CCRU387.xml http://www.networkworld.com/news/2001/1022visa.html It seems to me that the world has already begun walking down the dangerous road of developing infrastructure that rely upon routing information and ISP data to identify fraudulent activity. This will present a major stumblingblock to the deployment of location-independent services and overlay networks such as Tor that attempt to separate location from identity. Geoff
Attachment:
signature.asc
Description: Digital signature