
Brick and Mortar Triangle Fraud

81 points | 16 hours ago | getcho.app
steveBK12314 hours ago

I had a slightly different but also unsettling fraud happen to me this summer.

Credit card number stolen most likely at a restaurant by staff. In two hours they ran up $2k of online orders across 6 stores.

But here’s the weird part - they shipped everything to me. Mostly in my name but also with my first or last name swapped. I realized this as I was reporting the fraudulent charges to my credit card but then I started getting informed delivery mails from UPS and fedex.

Apparently it’s a package interception scam where they try to redirect the package to a different address before it’s delivered. They failed at the second part so I had a dozen packages show up over a couple weeks I then had to deal with returning.

Real time suck. Dozens of calls and mails. I didn’t have original purchase order numbers in some cases nor the email address. Some stores were not equipped well to handle this, some told me to keep and donate the clothing. It was all fairly mass market high priced DTC stuff like Bombas.

Weird. My wife was freaked out that they got our home address from our name on the credit card fast enough to make all these orders in under two hours.

gscott12 hours ago

Embarrassingly I reused my email password. So my email was compromised, someone logged into my Best Buy account bought $500 in gift cards using my PayPal account. It took several days for Best Buy to email the cards so by then I changed my password before the gift cards showed up.

I was able to get PayPal to reverse the charge but Best Buy refused to cancel the gift cards. I now have 2 factor auth turned on for everything I can. I tried several times for Best Buy to cancel the cards and return the money to PayPal to no avail. They just wouldn't do it.

eigenman10 hours ago

“Once you have their money, you never give it back.” First Rule of Acquisition.

aaronbrethorst12 hours ago

this happened to me about 8 years ago, but it was $5,000 in mens clothes and $6,000 in computer hardware. I disputed the charges but my credit card company rejected my dispute until I was able to 'prove' that the charges came from a city 45 minutes north of where I lived by a combination of reverse IP lookup on the credit card company's transaction logs and a last minute redirect from my home address to a package holding location in that same town. (or something like that—it's been a while).

pjot13 hours ago

This happened to my parents in the late 90s. No recourse back then - or at least I don’t think there was. Roughly 20 pairs of shoes were delivered to our door.

wmf13 hours ago

This technique was published in Phrack(?) around 25 years ago and it was thought to no longer work at that time. I guess the old cons really are the best.

chipsa13 hours ago

Did the stealing occur in your home town? Do you show up in people search tools?

steveBK12313 hours ago

Yes, credit card was definitely stolen while I dined out at a nearby restaurant (like 1 mile away).

It was pretty easy to pin it down as I had been ill a few weeks and done basically 0 in-person, physical card transactions in that time. It was a restaurant where they bring you the bill, then walk away with your card for a few minutes (which is becoming less the norm these days).

It has pushed me to only use my Apple Card for these types of purchases where the physical card goes out of sight, as there's 0 card info on the card for them to snap a photo of.

throwaway51910 hours ago

I'm amazed there are places that take cards out of sight. Even for physical cards, I'm just so used to going to a designated cashier point.

Are these also magnetic stripe cards?

steveBK1233 hours ago

Yes, the US credit card situation is decades behind. We added chips when the rest of the world had tap, and then we finally added tap when everyone had NFC on their phones. We've only recently started doing the mobile POS terminals at restaurants with the waiter coming to you, but it's maybe 10% of restaurants at most. The standard practice remains handing your card to the waiter who then disappears for a few minutes to ring up the bill.

We also never got rid of swipe, and most cards have their number/expiry/security code printed right on them. Everything you need to go shop online with someone else's card...

It's terrible infosec all around.

jjmarr14 hours ago

What's crazy about the original story is that you can buy something on Amazon with your own credit card from a highly rated vendor and go to jail because the seller was involved in a criminal enterprise!!!

I know Amazon marketplace sells sketchy products, but I didn't know not doing my due diligence there could expose me to criminal liability.

az22614 hours ago

This is wrong.

mbauman13 hours ago

Sure should be. But Krebs’ story on it is proof it can happen.

Story: https://krebsonsecurity.com/2024/01/canadian-man-stuck-in-tr...

HN discussion: https://news.ycombinator.com/item?id=39056733

LeonB12 hours ago

That’s a shocking case.

Several layers of problem there, particularly that a “criminal record” doesn’t mean you’ve been found guilty, only charged, and that the stay on proceedings means an innocent person can never clear their name- allowing the Canadian police to sweep their faulty charges under the rug.

PhasmaFelis13 hours ago

Source?

jjmarr13 hours ago

Literally the post in the OP, which linked this post by Brian Krebs:

> A Canadian man who says he’s been falsely charged with orchestrating a complex e-commerce scam is seeking to clear his name. His case appears to involve “triangulation fraud,” which occurs when a consumer purchases something online — from a seller on Amazon or eBay, for example — but the seller doesn’t actually own the item for sale. Instead, the seller purchases the item from an online retailer using stolen payment card data. In this scam, the unwitting buyer pays the scammer and receives what they ordered, and very often the only party left to dispute the transaction is the owner of the stolen payment card.

https://krebsonsecurity.com/2024/01/canadian-man-stuck-in-tr...

lazide14 hours ago

That seems highly unlikely - mens rea absolutely applies to fraud.

cortesoft11 hours ago

You might not get convicted, but it can still ruin your life:

https://krebsonsecurity.com/2024/01/canadian-man-stuck-in-tr...

dlcarrier15 hours ago

You could do all that, or just require PINs for credit purchases. They're not nearly as good as passwords, but PINs are still much, much better than nothing.

wmf15 hours ago

This isn't really a thing in the US. (Technically 3D Secure exists but customers will just bounce.)

jonathanlydall10 hours ago

It boggles my mind that the whole US has this outrageous amount of fraud because they’re complete laggards with what is pretty much standard additional security measures everywhere else.

Look at how long it took them to move to chips on their cards. And I heard they initially required signatures instead of safer PINs. I hope they’re on PINs by now, but I don’t know.

If stores are worried that if they implement things like 3D Secure their customers will go to their competitor which do not, then the solution is simple, make it a regulatory requirement that EVERYONE must do it by a particular date.

Merchants will still try to claim that it will confuse customers, but the truth is they would prefer to avoid the hassle of implementing it. The problem is these merchants already build the cost of fraud into their prices; in essence they’re passing on the cost of fraud to all their honest customers.

Also, how much time is collectively wasted by people having to deal with the admin of fraud on their credit card which is also largely due to apathetic merchants.

It would be a net benefit to US society if 3D Secure was mandated.

And not just in the US, the rest of the world would no longer have to suffer with fraud on their credit card where it was used on a US website which doesn’t have 3D Secure.

kevincox14 hours ago

Except that this runs in an iframe with no way to tell that it is actually your bank. So we are teaching the users to enter their bank passwords into random websites.

(Actually your password manager might fill in the password as it knows the domain of the iframe, but this is more luck than skill on behalf of the financial industry)

derefr13 hours ago

No, (Visa) 3D Secure is challenge-response. It pops the iframe on behalf of your bank, sure, but the iframe itself is operated on a white-labelled basis by Visa (with your bank's insignia put there because Visa knows the bank logos by CCN BIN prefix.) The iframe (i.e. Visa) says it sent you an SMS verification code; you plug the code into their iframe; and transaction continues. You never need to log into your bank.

Note how there's no point in MITMing that flow by presenting a phishing version of the confirmation iframe—all the iframe is asking for is the code, and the code is single-use, and all it can be used for is to approve that one transaction.

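To make the binding derefr describes concrete, here is an added simulation (not code from the thread, and not Visa's, EMVCo's or any bank's implementation) of an issuer-side challenge server that sends a one-time code tied to exactly one pending transaction. The transaction identifier, the issuer key and the HMAC "authentication value" returned on success are assumptions standing in for the real directory-server and CAVV mechanics; the SMS channel is replaced by an in-memory outbox so the script runs offline.

```python
"""Simulated 3-D Secure style challenge-response.

Constructed example. The issuer's access control server (ACS) sends a
six-digit code bound to one pending transaction (merchant, amount, card).
A code skimmed by a phishing clone of the challenge frame therefore cannot
approve a different purchase, and it cannot be replayed once consumed.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Transaction:
    txn_id: str          # assumed identifier handed out by the directory server
    merchant: str
    amount_cents: int
    card_last4: str


class IssuerACS:
    """Stand-in for the issuer's ACS; real deployments differ in detail."""

    def __init__(self, issuer_key: bytes, ttl_seconds: int = 300):
        self._key = issuer_key            # assumed key shared with the acquirer-side verifier
        self._ttl = ttl_seconds
        self._pending: Dict[str, dict] = {}   # txn_id -> code hash, txn, expiry, used flag
        self.outbox: List[dict] = []      # constructed stand-in for the SMS channel

    def challenge(self, txn: Transaction, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[txn.txn_id] = {
            "code_hash": hashlib.sha256(code.encode()).digest(),
            "txn": txn,
            "expires": now + self._ttl,
            "used": False,
        }
        # The message names merchant and amount so the cardholder can spot a mismatch.
        self.outbox.append({
            "to": txn.card_last4,
            "code": code,
            "text": f"{code} approves {txn.merchant} for ${txn.amount_cents / 100:.2f}",
        })

    def verify(self, txn: Transaction, code: str, now: Optional[float] = None) -> Optional[bytes]:
        """Return an HMAC authentication value for the transaction, or None on rejection."""
        now = time.time() if now is None else now
        entry = self._pending.get(txn.txn_id)
        if entry is None or entry["used"] or now > entry["expires"]:
            return None
        if entry["txn"] != txn:           # merchant, amount and card must match the challenge
            return None
        presented = hashlib.sha256(code.encode()).digest()
        if not hmac.compare_digest(entry["code_hash"], presented):
            return None
        entry["used"] = True              # single use: replaying the same code fails
        msg = f"{txn.txn_id}|{txn.merchant}|{txn.amount_cents}|{txn.card_last4}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()


def run_scenarios() -> Dict[str, bool]:
    """Exercise the legitimate flow and three abuse attempts; True means approved."""
    acs = IssuerACS(issuer_key=b"constructed-demo-key")
    legit = Transaction("txn-001", "bombas.example", 8900, "4242")
    acs.challenge(legit, now=1000.0)
    code = acs.outbox[-1]["code"]         # what the cardholder reads from the SMS

    results: Dict[str, bool] = {}
    # A phishing clone captured the code and tries to spend it on its own purchase.
    fraud = Transaction("txn-001", "evil.example", 250000, "4242")
    results["phished_code_other_purchase"] = acs.verify(fraud, code, now=1001.0) is not None
    # The genuine merchant completes the purchase the code was issued for.
    results["legit"] = acs.verify(legit, code, now=1002.0) is not None
    # Replaying the consumed code for the same transaction is refused.
    results["replay"] = acs.verify(legit, code, now=1003.0) is not None
    # A code entered after the challenge TTL is refused.
    late = Transaction("txn-002", "bombas.example", 1200, "4242")
    acs.challenge(late, now=2000.0)
    results["expired"] = acs.verify(late, acs.outbox[-1]["code"], now=2301.0) is not None
    return results


if __name__ == "__main__":
    for name, approved in run_scenarios().items():
        print(f"{name:32s} approved={approved}")
```

The check that matters is the comparison of the presented transaction against the one that was challenged: a skimmed code is only worth anything if the attacker can complete that exact purchase before the cardholder does, which is why the SMS text should always state the merchant and amount.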
maest11 hours ago

This is widely used in Europe and it's secure. Nobody gets confused by it and they understand they are interacting with their bank

kevincox5 hours ago

You are missing the point. You expect that you are interacting with the bank but the average person has no way to verify this. They are just conditioned to type their bank password into a random site after their credit card number.

A malicious site could just put up a box that looks like the bank's regular authentication page and skim the extra authentication. Either replaying OTPs or capturing other credentials. Unless you used the developer functions of your browser to check the iframe URL there is no way to tell the difference between a real 3D Secure page and a phishing clone.

publicola199010 hours ago

But why is that so? Can't the credit card regulator simply mandate the use of PINs for credit card transactions?

wmf10 hours ago

Practically no. Customers would hate it and it would also take 10-15 years to roll out.

Muromec14 hours ago

Or do the sensible thing, which is a proper active confirmation from customer's device. It's more convenient too -- you just scan the payment qr code with your bank's app and click confirm instead of entering any numbers.

benlkatz15 hours ago

I've dealt with some of this in past roles and can confirm it's like playing whack a mole trying to shut it down.

steveBK12313 hours ago

I assume given the mechanics.. the perpetrator could easily be in a foreign jurisdiction where enforcement isn't going to happen as well?

paulpauper15 hours ago

> So we blocked the order, reported the card to Stripe and alerted the police, the store and the unknowing consumer. In one case, we got a hold of the cardholder who confirmed his wallet had been stolen. For a few weeks, we played a big game of whack-a-mole and prevented a dozen instances of triangle fraud.

How often do police respond? Is there a follow-up? I imagine the police get inundated with reports and are too overwhelmed to do anything. Would it go to the FBI or just local?

jackconsidine15 hours ago

Sometimes police refuse to accept the reports because they're in another jurisdiction (you can't file a police report in X town unless you're there).

To your point they usually don't have time. The report serves as a record for the retailer and the victim to float around, but practically it doesn't catch anyone sadly

detourdog15 hours ago

I tried to buy something online from CDW. 5 days after the purchase I got a call from CDW trying to confirm I ordered the items.

I said I had and the response was ok I just need to ask you 32 questions. The first question was my order number. I didn’t know the answer to the first question which was my order number. I could have dropped everything and focused on these questions. I felt that the burden on my time was too much and they said I couldn’t continue without it. The experience was very weird considering how convenient online ordering can be

wmf15 hours ago

Insurance may want you to report fraud/theft to the police (even if they know it does nothing).

AFAIK the FBI can handle fraud over $5,000 but they won't do anything unless it's much bigger.

TylerE13 hours ago

It does do something, even if the police don’t: filing a false police report is itself a crime in most jurisdictions, so being willing to do so demonstrates to the insurance company that you’re operating in good faith.

wmf12 hours ago

Lying to your insurance company is also a crime, but yeah, lying to the police and your insurance company is even more crimes.

1oooqooq13 hours ago

yet another "we found one bad guy. now let's make the life of those other 100 valid customers hell because they are traveling"
