Credit card number stolen most likely at a restaurant by staff. In two hours they ran up $2k of online orders across 6 stores.
But here’s the weird part - they shipped everything to me. Mostly in my name but also with my first or last name swapped. I realized this as I was reporting the fraudulent charges to my credit card but then I started getting informed delivery mails from UPS and fedex.
Apparently it’s a package interception scam where they try to redirect the package to a different address before it’s delivered. They failed at the second part so I had a dozen packages show up over a couple weeks I then had to deal with returning.
Real time suck. Dozens of calls and mails. I didn’t have original purchase order numbers in some cases nor the email address. Some stores were not equipped well to handle this, some told me to keep and donate the clothing. It was all fairly mass market high priced DTC stuff like Bombas.
Weird. My wife was freaked out that they got our home address from our name on the credit card fast enough to make all these orders in under two hours.
I was able to get PayPal to reverse the charge but Best Buy refused to cancel the gift cards. I now have 2 factor auth turned on for everything I can. I tried several times for Best Buy to cancel the cards and return the money to PayPal to no avail. They just wouldn't do it.
It was pretty easy to pin it down as I had been ill a few weeks and done basically 0 in-person, physical card transactions in that time. It was a restaurant where they bring you the bill, then walk away with your card for a few minutes (which is becoming less the norm these days).
It has pushed me to only use my Apple Card for these types of purchases where the physical card goes out of sight, as theres 0 card info on the card for them to snap a photo of.
Are these also magnetic strip cards?
I know Amazon marketplace sells sketchy products, but I didn't know not doing my due diligence there could expose me to criminal liability.
Story: https://krebsonsecurity.com/2024/01/canadian-man-stuck-in-tr...
HN discussion: https://news.ycombinator.com/item?id=39056733
Several layers of problem there, particularly that a “criminal record” doesn’t mean you’ve been found guilty, only charged, and that the stay on proceedings means an innocent person can never clear their name- allowing the Canadian police to sweep their faulty charges under the rug.
https://krebsonsecurity.com/2024/01/canadian-man-stuck-in-tr...
> A Canadian man who says he’s been falsely charged with orchestrating a complex e-commerce scam is seeking to clear his name. His case appears to involve “triangulation fraud,” which occurs when a consumer purchases something online — from a seller on Amazon or eBay, for example — but the seller doesn’t actually own the item for sale. Instead, the seller purchases the item from an online retailer using stolen payment card data. In this scam, the unwitting buyer pays the scammer and receives what they ordered, and very often the only party left to dispute the transaction is the owner of the stolen payment card.
https://krebsonsecurity.com/2024/01/canadian-man-stuck-in-tr...
(Actually your password manager might fill in the password as it knows the domain of the iframe, but this is more luck than skill on behalf of the financial industry)
Note how there's no point in MITMing that flow by presenting a phishing version of the confirmation iframe—all the iframe is asking for is the code, and the code is single-use, and all it can be used for is to approve that one transaction.
Look at how long it took them to move to chips on their cards. And I heard they initially required signatures instead of safer PINs, I hope they’re on PINs by now, but I don’t know.
If stores are worried that if they implement things like 3D Secure their customers will go to their competitor which do not, then the solution is simple, make it a regulatory requirement that EVERYONE must do it by a particular date.
Merchants will still try claim that it will confuse customers, but the truth is they would prefer to avoid the hassle of implementing it. The problem is these merchants already build the cost of fraud into their prices, in essence they’re passing on the cost of fraud to all their honest customers.
Also, how much time is collectively wasted by people having to deal with the admin of fraud on their credit card which is also largely due to apathetic merchants.
It would be a NETT benefit to US society if 3D secure was mandated.
And not just in the US, the rest of the world would no longer have to suffer with fraud on their credit card where it was used on a US website which doesn’t have 3D Secure.
How often do police respond? is there a follow-up? I imagine the police get inundated with reports and are overwhelmed to to anything . Would it go to FBI or just local ?
To your point they usually don't have time. The report serves as a record for the retailer and the victim to float around, but practically it doesn't catch anyone sadly
I said I had and the response was ok I just need to ask you 32 questions. The first question was my order number. I didn’t know the answer to the first question which was my order number. I could have dropped everything and focused on these questions. I felt that the burden on my time was too much and they said I couldn’t continue without it. The experience was very weird considering how convenient online ordering can be
AFAIK the FBI can handle fraud over $5,000 but they won't do anything unless it's much bigger.
