Reprinted from TidBITS by permission; reuse governed by Creative Commons license BY-NC-ND 3.0. TidBITS has offered years of thoughtful commentary on Apple and Internet topics. For free email subscriptions and access to the entire TidBITS archive, visit http://www.tidbits.com/

LittleBITS: Issue #1600, Card Testing Attack, Preventing Inadvertent Unsubscribes

Adam Engst

Is it really TidBITS#1600 already? The weeks just keep slipping by as we write and edit TidBITS and keep up with all that's necessary for a modern-day Internet presence.

Celebrating TidBITS#1600

The longer you do something, the more milestones you hit. This issue marks our 1600th publishing of a collection of articles about the Apple world, so I took the opportunity to go back through some of the twisty little passages we've taken in getting here.

1. First came [1]TidBITS#100, where we unveiled our new setext format in '[2]TidBITS in new format' (6 January 1992), which later provided some inspiration for John Gruber's creation of [3]Markdown.

2. Then there was '[4]Two Hundred Issues?' (1 November 1993), where I thanked some of the people who played key roles in the early years of TidBITS.

3. Next, we invited some friends to help brainstorm entries for '[5]300 Reasons the Mac is Great' (23 October 1995). I wonder how many of those reasons are still true?

4. Another two years brought a new site, as explained in '[6]Four Hundred Issues and a Dynamic Web Site' (6 October 1997).

5. For the next milestone, we announced a new home page design in '[7]Five Hundred Issues and a New Home Page' (4 October 1999).

6. In '[8]Six Hundred Issues and New TidBITS Services' (8 October 2001), we rolled out an RSS feed along with an HTML email version of the TidBITS issue.

7. For [9]TidBITS#700, we could only announce our choice of a new content management system in '[10]Seven Hundred Issues, a CMS, and Creative Commons' (6 October 2003) because we weren't ready to make the switch; publishing on the Internet was getting harder.

8. With no infrastructural changes to announce, '[11]Trends to Watch from 800 Issues of TidBITS' (10 October 2005) reverted to punditry. Happily, it's not embarrassing to read now.

9. Our 2007 site redesign couldn't wait for our 900th issue, so Glenn Fleishman and I gave away an ebook version of The Wireless Networking Starter Kit, announced in '[12]900 Issues and a Free Ebook on Wi-Fi' (15 October 2007).

10. For [13]TidBITS#1000, I mused about what sets TidBITS apart from other publications in '[14]1,000 Issues of TidBITS: It's All about Our Readers' (18 October 2009).

After 1000 issues, we ran out of steam when it came to writing something to commemorate the next notch on the odometer. Just as with birthdays, once you've hit a high enough number, the specifics no longer have the power to thrill like they once did. And as with birthdays, it's probably best not to promise too far into the future: 2000 issues of TidBITS would require more than 8 more years of regular publication. That's not inconceivable, but just as [15]Jim Dalrymple announced today (congratulations, Jim!), retirement is likely at some point in our future.

Dealing with a Card Testing Attack

It was a Sunday, and I was sitting in a comfortable chair with the MacBook Air in my lap and the cat at my side (she's a right-hand cat, so I sometimes have to resist the temptation to use her head as a pointing device). A notification appeared, telling me that someone had created a TidBITS account in WordPress and signed up for a membership. Such notifications aren't unusual, but what was strange was when another one appeared, and then another, and another.
Curious, I loaded the Users page on our site and realized that a bot was creating accounts with random Gmail addresses, all of which were TidBITS members with $2 custom monthly accounts. It was clearly not a good thing to have TidBITS memberships created at the rate of about one every 10 seconds. By the time I figured out what was happening and stopped the attack by turning off the Custom Monthly Amount option on our membership page, 70 accounts had been created. I then texted our developer, who enabled Cloudflare's [16]Bot Fight Mode as well. I had some other things to do, but when I returned a few hours later and enabled Custom Monthly Amount as a test, the attacking bot created a new account within 15 seconds. I shut it off again.

The next day, I contacted Stripe support to see what to do about all the $2 subscriptions. They were all on legitimate credit cards, though many of the accounts used the same card number. Stripe told me that this was likely what's called '[17]card testing,' a process designed to identify which stolen credit card numbers are still active. I refunded all 71 of the fraudulent charges, and Stripe asked for a report of the refunds; although they aren't promising anything, I think they may refund me the $25.84 in transaction fees that I would otherwise pay.

After my developer added a [18]reCAPTCHA (which theoretically prevents bots from submitting forms) to the TidBITS membership signup page, I again turned on the Custom Monthly Amount option. No further accounts were created, so I'm hoping the reCAPTCHA does the job.

There's no great moral to the story here, apart from noting that the Internet has become a place where constant vigilance is necessary for those who try to roll their own services.

Preventing Future Inadvertent Unsubscribes

Finally, I want to close the loop on another recent event that I shared in '[19]LittleBITS: Unsubscribe Bug Reversed and Virtualizing Monterey on an Old Mac' (14 February 2022).
We discovered that 201 people had inexplicably been unsubscribed from TidBITS on 6 December 2021, right after that day's issue went out in email. In [20]TidBITS Talk, Eng Aun Cheng gave me the clue I needed, and correspondence with the developer of the Sendy app that we use for email distribution both confirmed it and provided the solution.

As part of best practices for bulk email, Sendy includes a List-Unsubscribe header in every email it sends. That header contains a unique unsubscribe link for each recipient, and many email clients use it to display a user-friendly Unsubscribe link or button in the message. So far, so good.

The problem comes when an email provider examines all the links in incoming email messages to identify and block phishing attempts. Although there's no telling what was special about that particular issue, it seems likely that some widely used filter triggered the List-Unsubscribe link for those people. Instant unsubscribe, without alerting anyone.

The solution was a Sendy setting I wasn't previously familiar with: Double Opt-Out for unsubscribes. With that option set, clicking the List-Unsubscribe link loads a page with a confirmation link that the user must click as well. That's now in place, which should prevent these inadvertent unsubscribes in the future.

Although the List-Unsubscribe link works, we recommend that you use your profile management page on our site if you want to manage your TidBITS subscriptions. The List-Unsubscribe approach doesn't communicate back to WordPress, so you'd need to ask us for help to resubscribe in the future.

References

1. https://tidbits.com/issues/100/
2. https://tidbits.com/1992/01/06/tidbits-in-new-format/
3. https://daringfireball.net/projects/markdown/
4. https://tidbits.com/1993/11/01/two-hundred-issues/
5. https://tidbits.com/1995/10/23/300-reasons-the-mac-is-great/
6. https://tidbits.com/1997/10/06/four-hundred-issues-and-a-dynamic-web-site/
7. https://tidbits.com/1999/10/04/five-hundred-issues-and-a-new-home-page/
8. https://tidbits.com/2001/10/08/six-hundred-issues-and-new-tidbits-services/
9. https://tidbits.com/issues/700/
10. https://tidbits.com/2003/10/06/seven-hundred-issues-a-cms-and-creative-commons/
11. https://tidbits.com/2005/10/10/trends-to-watch-from-800-issues-of-tidbits/
12. https://tidbits.com/2007/10/15/900-issues-and-a-free-ebook-on-wi-fi/
13. https://tidbits.com/issues/1000/
14. https://tidbits.com/2009/10/18/1000-issues-of-tidbits-its-all-about-our-readers/
15. https://www.loopinsight.com/2022/02/28/jim-dalrymple-i-am-retiring/
16. https://developers.cloudflare.com/bots/get-started/free/
17. https://stripe.com/docs/card-testing
18. https://www.google.com/recaptcha/about/
19. https://tidbits.com/2022/02/14/littlebits-unsubscribe-bug-reversed-and-virtualizing-monterey-on-an-old-mac/
20. https://talk.tidbits.com/t/littlebits-unsubscribe-bug-reversed-and-virtualizing-monterey-on-an-old-mac/18105/19?u=ace
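For the card testing incident described above, here is an added example (written for this reprint, not TidBITS, Stripe or Cloudflare code) of a monitor a site operator could run over its own membership-signup log to catch the pattern the article describes: a burst of small custom-amount signups seconds apart, throwaway addresses, and the same card reused across several accounts. The signup rows, card fingerprints and thresholds are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample signup log (not real TidBITS data). Each row:
# (timestamp, account email, card fingerprint from the payment processor, amount in USD).
SIGNUPS = [
    ("2022-02-27T14:00:00", "reader.one@example.com",   "fp_aaa", 20.00),
    ("2022-02-27T15:03:10", "qzk18f2@gmail.com",        "fp_bbb",  2.00),
    ("2022-02-27T15:03:21", "mb0s7hd@gmail.com",        "fp_bbb",  2.00),
    ("2022-02-27T15:03:33", "x9ae22w@gmail.com",        "fp_ccc",  2.00),
    ("2022-02-27T15:03:44", "lpd3k0a@gmail.com",        "fp_bbb",  2.00),
    ("2022-02-27T15:03:55", "r4n2zz1@gmail.com",        "fp_ccc",  2.00),
    ("2022-02-27T15:04:06", "w7uqq9e@gmail.com",        "fp_ddd",  2.00),
    ("2022-02-27T18:30:00", "longtime.fan@example.org", "fp_eee", 50.00),
]


def parse(rows):
    """Sort the log by time and turn ISO timestamps into datetimes."""
    parsed = [(datetime.fromisoformat(ts), email, fp, amt) for ts, email, fp, amt in rows]
    return sorted(parsed, key=lambda e: e[0])


def find_bursts(rows, window=timedelta(minutes=2), min_signups=5, max_amount=5.0):
    """Flag windows in which at least `min_signups` low-value signups occur.

    Near-minimum custom amounts arriving seconds apart is the shape of the attack in
    the article; the card fingerprints show whether one card is reused across accounts.
    The window, count and amount thresholds are assumptions, not Stripe's rules."""
    low_value = [e for e in parse(rows) if e[3] <= max_amount]
    bursts, i = [], 0
    while i < len(low_value):
        t0 = low_value[i][0]
        in_window = [e for e in low_value[i:] if e[0] - t0 <= window]
        if len(in_window) >= min_signups:
            fps = [e[2] for e in in_window]
            gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(in_window, in_window[1:])]
            bursts.append({
                "start": t0.isoformat(),
                "count": len(in_window),
                "avg_gap_seconds": round(sum(gaps) / len(gaps), 1),
                "reused_cards": sorted({fp for fp in fps if fps.count(fp) > 1}),
            })
            i += len(in_window)  # skip past this burst and keep scanning
        else:
            i += 1
    return bursts


if __name__ == "__main__":
    for b in find_bursts(SIGNUPS):
        print(f"{b['count']} low-value signups from {b['start']}, one every "
              f"{b['avg_gap_seconds']}s, cards reused: {b['reused_cards']}")
```

A hit like this is the cue to do what the article did by hand: disable the custom-amount path, put a bot challenge in front of the form, and review the charges with the payment processor.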
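For the List-Unsubscribe problem above, here is an added example (written for this reprint, not Sendy's code) that models the two behaviours the article contrasts: an endpoint that unsubscribes on any fetch of the per-recipient link, which a link-scanning phishing filter trips just by checking the URL, and the double opt-out variant, where the mailed link only shows a confirmation page and the unsubscribe happens on the reader's deliberate second request. The hostname, the HMAC-based per-recipient token and the confirm parameter are assumptions.

```python
import hmac
import hashlib
from urllib.parse import urlencode, urlparse, parse_qs


class MailingList:
    """Minimal stand-in for a bulk mailer's unsubscribe endpoint (not Sendy's code)."""

    def __init__(self, secret: bytes, subscribers, double_opt_out: bool):
        self.secret = secret
        self.subscribed = {e: True for e in subscribers}
        self.double_opt_out = double_opt_out  # the Sendy setting the article turned on

    def token(self, email: str) -> str:
        # Assumed scheme: an HMAC makes the link unique to the recipient and unguessable.
        return hmac.new(self.secret, email.encode(), hashlib.sha256).hexdigest()

    def list_unsubscribe_header(self, email: str) -> str:
        """Value placed in the List-Unsubscribe header of each outgoing message."""
        q = urlencode({"e": email, "t": self.token(email)})
        return f"<https://news.example.com/unsub?{q}>"  # assumed hostname

    def handle(self, method: str, url: str) -> str:
        """What the endpoint does for one HTTP request."""
        q = parse_qs(urlparse(url).query)
        email, tok = q.get("e", [""])[0], q.get("t", [""])[0]
        if not hmac.compare_digest(tok, self.token(email)):
            return "invalid link"
        if self.double_opt_out and not (method == "POST" and q.get("confirm")):
            # Show the confirmation page only; nothing changes until the user confirms.
            # Link checkers issue plain GETs and never submit the form, so they stop here.
            return "confirmation page"
        self.subscribed[email] = False
        return "unsubscribed"


def link_from_header(header: str) -> str:
    return header.strip("<>")


def scanner_visits(ml: MailingList, email: str) -> bool:
    """A phishing filter fetches every URL in the message with GET.
    Returns whether the recipient is still subscribed afterwards."""
    ml.handle("GET", link_from_header(ml.list_unsubscribe_header(email)))
    return ml.subscribed[email]


def user_unsubscribes(ml: MailingList, email: str) -> bool:
    """A real reader opens the link, then submits the confirmation."""
    url = link_from_header(ml.list_unsubscribe_header(email))
    ml.handle("GET", url)
    ml.handle("POST", url + "&confirm=1")
    return ml.subscribed[email]
```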