I had a slightly different but also unsettling fraud happen to me this summer.
Credit card number stolen most likely at a restaurant by staff. In two hours they ran up $2k of online orders across 6 stores.
But here’s the weird part - they shipped everything to me. Mostly in my name but also with my first or last name swapped. I realized this as I was reporting the fraudulent charges to my credit card, but then I started getting informed delivery mails from UPS and FedEx.
Apparently it’s a package interception scam where they try to redirect the package to a different address before it’s delivered. They failed at the second part so I had a dozen packages show up over a couple weeks I then had to deal with returning.
Real time suck. Dozens of calls and mails. I didn’t have original purchase order numbers in some cases nor the email address. Some stores were not equipped well to handle this, some told me to keep and donate the clothing. It was all fairly mass market high priced DTC stuff like Bombas.
Weird. My wife was freaked out that they got our home address from our name on the credit card fast enough to make all these orders in under two hours.
What's crazy about the original story is that you can buy something on Amazon with your own credit card from a highly rated vendor and go to jail because the seller was involved in a criminal enterprise!!!
I know Amazon marketplace sells sketchy products, but I didn't know not doing my due diligence there could expose me to criminal liability.
This is wrong.
Sure should be. But Krebs’ story on it is proof it can happen.
Story: https://krebsonsecurity.com/2024/01/canadian-man-stuck-in-tr...
HN discussion: https://news.ycombinator.com/item?id=39056733
That’s a shocking case.
Several layers of problem there, particularly that a “criminal record” doesn’t mean you’ve been found guilty, only charged, and that the stay on proceedings means an innocent person can never clear their name, allowing the Canadian police to sweep their faulty charges under the rug.
Source?
Literally the post in the OP, which linked this post by Brian Krebs:
> A Canadian man who says he’s been falsely charged with orchestrating a complex e-commerce scam is seeking to clear his name. His case appears to involve “triangulation fraud,” which occurs when a consumer purchases something online — from a seller on Amazon or eBay, for example — but the seller doesn’t actually own the item for sale. Instead, the seller purchases the item from an online retailer using stolen payment card data. In this scam, the unwitting buyer pays the scammer and receives what they ordered, and very often the only party left to dispute the transaction is the owner of the stolen payment card.
https://krebsonsecurity.com/2024/01/canadian-man-stuck-in-tr...
That seems highly unlikely - mens rea absolutely applies to fraud.
You might not get convicted, but it can still ruin your life:
https://krebsonsecurity.com/2024/01/canadian-man-stuck-in-tr...
You could do all that, or just require PINs for credit purchases. They're not nearly as good as passwords, but PINs are still much, much better than nothing.
This isn't really a thing in the US. (Technically 3D Secure exists but customers will just bounce.)
It boggles my mind that the whole US has this outrageous amount of fraud because they’re complete laggards with what is pretty much standard additional security measures everywhere else.
Look at how long it took them to move to chips on their cards. And I heard they initially required signatures instead of safer PINs, I hope they’re on PINs by now, but I don’t know.
If stores are worried that if they implement things like 3D Secure their customers will go to their competitors which do not, then the solution is simple: make it a regulatory requirement that EVERYONE must do it by a particular date.
Merchants will still try to claim that it will confuse customers, but the truth is they would prefer to avoid the hassle of implementing it. The problem is these merchants already build the cost of fraud into their prices; in essence they’re passing on the cost of fraud to all their honest customers.
Also, how much time is collectively wasted by people having to deal with the admin of fraud on their credit card which is also largely due to apathetic merchants.
It would be a NETT benefit to US society if 3D Secure was mandated.
And not just in the US, the rest of the world would no longer have to suffer with fraud on their credit card where it was used on a US website which doesn’t have 3D Secure.
Except that this runs in an iframe with no way to tell that it is actually your bank. So we are teaching the users to enter their bank passwords into random websites.
(Actually your password manager might fill in the password as it knows the domain of the iframe, but this is more luck than skill on behalf of the financial industry)
No, (Visa) 3D Secure is challenge-response. It pops the iframe on behalf of your bank, sure, but the iframe itself is operated on a white-labelled basis by Visa (with your bank's insignia put there because Visa knows the bank logos by CCN BIN prefix.) The iframe (i.e. Visa) says it sent you an SMS verification code; you plug the code into their iframe; and transaction continues. You never need to log into your bank.
Note how there's no point in MITMing that flow by presenting a phishing version of the confirmation iframe—all the iframe is asking for is the code, and the code is single-use, and all it can be used for is to approve that one transaction.
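A small model of the property the comment above describes (a one-time code that is bound to exactly one transaction and can be consumed only once). This is an added example, not Visa's or any issuer's code; the class and method names and the fixed 6-digit code format are assumptions for illustration.

```python
"""Toy issuer-side verifier for a transaction-bound one-time code (added example)."""
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    card_token: str   # issuer-side token standing in for the card; constructed value
    merchant_id: str
    amount_cents: int
    currency: str


@dataclass
class Challenge:
    txn: Transaction
    code: str
    expires_at: float
    used: bool = False


class IssuerVerifier:
    """Mints single-use codes tied to one transaction and checks them once."""

    def __init__(self, ttl_seconds: float = 300.0, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be tested deterministically
        self._pending: dict[str, Challenge] = {}

    def issue_challenge(self, txn: Transaction) -> tuple[str, str]:
        """Create a challenge; the code would reach the cardholder out of band (e.g. SMS)."""
        cid = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[cid] = Challenge(txn, code, self.clock() + self.ttl)
        return cid, code

    def verify(self, cid: str, txn: Transaction, code: str) -> bool:
        """Approve only the exact transaction the code was minted for, once, before expiry."""
        ch = self._pending.get(cid)
        if ch is None or ch.used or self.clock() > ch.expires_at:
            return False
        if ch.txn != txn:            # binding: a captured code cannot approve another purchase
            return False
        if not hmac.compare_digest(ch.code, code):
            return False
        ch.used = True               # single use: a replayed code is rejected
        return True
```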
> My bank asks for a password in that iframe. Not some type of one-time code.
Maybe there's an option for this that a bank can choose when "enabling" 3D Secure? Seems stupid, though. Never experienced it personally.
> If it was just an OTP why would the iframe even be necessary?
90% of 3D Secure isn't the user interaction, it's browser integrity checking and permacookie-based submission deduplication. Essentially the iframe delivers a payload similar to the one used by Cloudflare Turnstile. That kind of thing could run in the context of a website (like Cloudflare Turnstile does), but it's a lot easier to manage when it's on its own secure origin without other scripts able to mess with it.
It’s not necessarily an OTP, it’s any form of additional verification that the bank decides to implement.
My bank allows me to switch between SMS or USSD.
When in France in the late 2000s the bank did a stupid “virtual PIN pad”, which I suppose was better than nothing, but only barely.
But the point is that the system could allow any kind of verification including new and modern Passkeys.
This is widely used in Europe and it's secure. Nobody gets confused by it and they understand they are interacting with their bank.
You are missing the point. You expect that you are interacting with the bank but the average person has no way to verify this. They are just conditioned to type their bank password into a random site after their credit card number.
A malicious site could just put up a box that looks like the bank's regular authentication page and skim the extra authentication. Either replaying OTPs or capturing other credentials. Unless you used the developer functions of your browser to check the iframe URL there is no way to tell the difference between a real 3D Secure page and a phishing clone.
But why is that so? Can't the credit card regulator simply mandate the use of PINs for credit card transactions?
Practically no. Customers would hate it and it would also take 10-15 years to roll out.
Or do the sensible thing, which is a proper active confirmation from customer's device. It's more convenient too -- you just scan the payment qr code with your bank's app and click confirm instead of entering any numbers.
I've dealt with some of this in past roles and can confirm it's like playing whack-a-mole trying to shut it down.
I assume given the mechanics.. the perpetrator could easily be in a foreign jurisdiction where enforcement isn't going to happen as well?
So we blocked the order, reported the card to Stripe and alerted the police, the store and the unknowing consumer. In one case, we got a hold of the cardholder who confirmed his wallet had been stolen. For a few weeks, we played a big game of whack-a-mole and prevented a dozen instances of triangle fraud.
How often do police respond? Is there a follow-up? I imagine the police get inundated with reports and are too overwhelmed to do anything. Would it go to the FBI or just local?
Sometimes police refuse to accept the reports because they're in another jurisdiction (you can't file a police report in X town unless you're there).
To your point, they usually don't have time. The report serves as a record for the retailer and the victim to float around, but practically it doesn't catch anyone, sadly.
I tried to buy something online from CDW. 5 days after the purchase I got a call from CDW trying to confirm I ordered the items.
I said I had, and the response was "OK, I just need to ask you 32 questions." The first question was my order number. I didn’t know the answer to the first question, which was my order number. I could have dropped everything and focused on these questions. I felt that the burden on my time was too much, and they said I couldn’t continue without it. The experience was very weird considering how convenient online ordering can be.
Insurance may want you to report fraud/theft to the police (even if they know it does nothing).
AFAIK the FBI can handle fraud over $5,000 but they won't do anything unless it's much bigger.
It does do something, even if the police don’t: filing a false police report is itself a crime in most jurisdictions, so being willing to do so demonstrates to the insurance company that you’re operating in good faith.
Lying to your insurance company is also a crime, but yeah, lying to the police and your insurance company is even more crimes.
Yet another "we found one bad guy, now let's make the life of those other 100 valid customers hell because they are traveling".
Embarrassingly I reused my email password. So my email was compromised, someone logged into my Best Buy account bought $500 in gift cards using my PayPal account. It took several days for Best Buy to email the cards so by then I changed my password before the gift cards showed up.
I was able to get PayPal to reverse the charge but Best Buy refused to cancel the gift cards. I now have 2 factor auth turned on for everything I can. I tried several times for Best Buy to cancel the cards and return the money to PayPal to no avail. They just wouldn't do it.
“Once you have their money, you never give it back.” First Rule of Acquisition.
This happened to me about 8 years ago, but it was $5,000 in men's clothes and $6,000 in computer hardware. I disputed the charges but my credit card company rejected my dispute until I was able to 'prove' that the charges came from a city 45 minutes north of where I lived, by a combination of reverse IP lookup on the credit card company's transaction logs and a last-minute redirect from my home address to a package holding location in that same town. (or something like that—it's been a while).
This happened to my parents in the late 90s. No recourse back then - or at least I don’t think there was. Roughly 20 pairs of shoes were delivered to our door.
This technique was published in Phrack(?) around 25 years ago and it was thought to no longer work at that time. I guess the old cons really are the best.
Did the stealing occur in your home town? Do you show up in people search tools?
Yes, credit card was definitely stolen while I dined out at a nearby restaurant (like 1 mile away).
It was pretty easy to pin it down as I had been ill a few weeks and done basically 0 in-person, physical card transactions in that time. It was a restaurant where they bring you the bill, then walk away with your card for a few minutes (which is becoming less the norm these days).
It has pushed me to only use my Apple Card for these types of purchases where the physical card goes out of sight, as there's 0 card info on the card for them to snap a photo of.
I'm amazed there are places that take cards out of sight. Even for physical cards, I'm just so used to going to a designated cashier point.
Are these also magnetic strip cards?
Yes, the US credit card situation is decades behind. We added chips when rest of world had tap, and then we finally added tap when everyone had NFC on their phones. We've only recently started doing the mobile POS terminals at restaurants with the waiter coming to you, but it's maybe 10% of restaurants at most. The standard practice remains handing your card to the waiter who then disappears for a few minutes to ring up the bill.
We also never got rid of swipe, and most cards have their number/expiry/security code printed right on them. Everything you need to go shop online with someone else's card...
It's terrible infosec all around.