Originally published at: https://boingboing.net/2020/03/06/this-researcher-learned-how.html
…
Article and graphic from Krebs for a quick explainer on triangulation fraud for the curious but time-challenged:
https://krebsonsecurity.com/tag/triangulation-fraud/
How do fraudsters “cash out” stolen credit card data? Increasingly, they are selling in-demand but underpriced products on eBay that they don’t yet own. Once the auction is over, the auction fraudster uses stolen credit card data to buy the merchandise from an e-commerce store and have it shipped to the auction winner. Because the auction winners actually get what they bid on and unwittingly pay the fraudster, very often the only party left to dispute the charge is the legitimate cardholder.
So - only use PayPal on eBay?
PayPal doesn’t really protect you here because you aren’t being directly defrauded, you’re being made an unwitting accomplice in the defrauding of someone else.
…and they called it “triangulation fraud” and not scam-ohtoa?
Booo.
Thanks! Reread and got it now.
So, we are all potential money launderers?
I watched the whole video.
I would think that after having so many orders sent TO HER from Nespresso that were paid for WITH STOLEN CREDIT CARDS, that some chargebacks might be hitting Nespresso, they would put “someone” on it and stop shipping these items to her.
But either Nespresso does SO MUCH BUSINESS that they can’t be bothered, OR as mentioned in the video, all the stolen card info is from older people who are not equipped with the tools or understanding of how to do a chargeback.
In my experience from working for an e-retailer, the business usually gets stuck with the charges. Consumers are protected, but companies are chided for not having better fraud detection and they are stuck with the charge. Which is probably fair, but I didn’t expect it.
I enjoyed that video, her students must love her (although I have no idea what the students at the Naval War College are really like.)
This is true, and the risk to the seller is considerable. The worst thing for them is that they can process the transaction and then weeks later, it gets flagged as fraudulent (e.g. when someone gets their card statement) and then they are out the money. Still, they are generally better able to shoulder the risk than is an individual buyer.
Thank you - I came to the comments section hoping I could find out without having to watch a video
We get hit with this periodically, but it’s usually easy to detect.
- They will almost inevitably trigger multiple fraud alerts in our system.
- They really seem to zero in on specific items. The Leatherman Raptor, for instance.
We just cancel these orders when they come in, and no one ever complains after the fact. So far we haven’t been burned.
BUT, we almost got badly burned. A few months ago, when they started focusing on the Raptor, we had a rush of orders over the weekend. A guy called me Monday morning to ask what this charge was on his card. I told him it was his Leatherman Raptor and he said he didn’t know what that was nor who we are, and could we please give his money back. Which we did right away, and we hadn’t shipped his order, either. Then we realized all the Raptors we sold had the same fraudy characteristics. So we unpacked them all, refunded all the cards, and put the Raptors back in stock. About an hour before the outgoing shipments were picked up.
And this is why a bigger company would be easier to hit. As the lady says, a company that has a lot of automation and not a lot of checks and balances, is ideal. When orders are fulfilled automatically, on demand, perhaps by a 3rd party warehouse, they’ll be shipped before anyone has time to call and complain.
Businesses that let money settle the old fashioned way are better protected.
when she bought a used Nespresso machine
This did not happen.
That would explain why I sometimes see prices that are just a little too good on products that seem to be legit. The funny thing is that if they can zero in on a product that a lot of people are just waiting on a good price for, they could move a lot of units in just a few hours. I was doing just that for a Raptor, but being overseas, all the good priced ones were going to get hammered on the shipping charge. Makes sense now.
Wait, doesn’t shipping to an address other than the cardholder’s billing address raise red flags? If not, maybe it should?
Now it’s a used machine.
The problem is you have a lot of legitimate use where the buyer sends the purchase to another address. I mean, I have sent the majority of my Christmas packages to another address for upwards of 15 years at this point (i.e., to the house of whoever was hosting that year). Some years I have sent gifts to as many as half a dozen different addresses.
She addressed this… the stolen cards were all from senior citizens. How many of them realized what was happening? Or realized too late? Clearly not a victimless crime.