40 thoughts on “Account Takeovers Fueling ‘Warranty Fraud’”

  1. c/od

    Hope you and yours had some quiet time and are good. Stay safe and have a safe and prosperous New Year 2016.

  2. daddmac

    If a perp can login to the victim’s account and change the email address, why wouldn’t they also change the phone number?

    1. ThursdaysGeek

      That’s my question too. I don’t see how that makes it any more secure.

      1. AllanS

        Changes shouldn’t be allowed to occur until after verification through the user’s current device.

        1. Derek

          With 2FA, the fraudster would be able to log into the customer’s account without the code that is sent to the phone.

          1. Jeff

            *would not* be able to, not “would be able to”. Key word left out.

  3. Johnny

    I don’t see this as an IT problem, this is a business process problem. Broken Fitbit? No problem, here is a prepaid shipping label, please drop the device in the mail and we will get your new device back out to you in 2 days. Don’t send out the new device until you receive the old one. Problem solved. No need to make it an IT fix. Don’t get me wrong, 2FA is great but this is a business process problem.

    1. timeless

      Unfortunately, companies want to have happy customers, and they don’t want their customers to have to wait days between previous product and replacement.

      There’s a risk they’ll give up and buy a competitor.

      That’s why this proactive shipping system is used.

      1. Mike

        Fraudsters have taken advantage of their customer-friendly policies. The question really comes down to what losses they are willing to accept to trade for customer service.

      2. brian

        I’d rather wait and be annoyed than have the overall cost to all of the consumers GO UP due to this reckless friendly policy!!

    2. NotMe

      Plus Fitbit will give you a new device even if you just lose your existing one. They are awesome to work with and this is probably why they can get hit for fraud. I’ve had really good experiences with the customer service so I hope the changes do not affect the good service I had become used to.

  4. NedR

    Daddmac,
    To answer your question, usually with a 2 factor authentication you are required to authorize on login, so if they don’t have access to the cellphone they can’t log in to change the details in the first place.

    Also many 2FA setups require a follow up code for any major changes such as email address or 2FA registered device.

    If you want to see it in action, set up a Gmail account and enable it on your phone. It’s pretty sweet!

    Ned R

    1. daddmac

      I think I get it now, I may have lost context.
      1. Set up two-factor authentication.
      2. The email and phone info cannot be changed without having the mobile for the authentication code.

      I was asking in the context of an account with single factor authentication being compromised, and then the 2FA scenario.

      My bad; thanks for the reality check!

      1. ethereum

        However, this approach won’t help with man-in-the-middle or other session hijacking attempts.

  5. Hawkeye

    Just from the standpoint of FitBit, don’t they require the customer to return the old, non-functioning unit? I’m just not sure how big a problem this is for the vendor. Heck, I rarely can wrangle a replacement “widget” from a company when I’ve bought, paid and can produce a broken product with receipt, much less with nothing to show.

  6. Tom

    Fraudsters can demand a “hot swap,” give a stolen credit card number as collateral, and make off with the merchandise.

  7. JCitizen

    This is the kind of news that makes me mad; because it is hard to find a good company that stands behind their product, and then this kind of dastardly thing happens!

    Perhaps if a serial number were required to be called in from the phone number on file for the customer in question, this would help. I realize fraudsters can fake caller IDs, so some other factor would need to come into play to minimize that possibility. I really wonder how they could come up with questions only the actual customer could answer without becoming just another data point the criminals already have on file for just about everyone in the US already! Email and possibly SMS are already compromised. Perhaps an automated phone verification service?

    1. Chriz

      The SN of the device is probably accessible once you get access to the customer account.

      The way I see it, as told by other folks before: The customer must send the broken device first to receive a new one.

  8. Tom

    Brian, please fix this sentence! “Bown the fraudsters will log in to the customer’s account and change the email address and on the customer’s account.”

  9. Michael Iger

    Every time I wanted a new product because of a problem the seller wanted me to send the old one back to them usually on my dime. If sellers did this whether they opened the box or not it would end this scam fast since the scammer doesn’t have the merchandise.

  10. Brian

    I was wondering why Fitbit doesn’t require the caller to return the “defective” product with proof of purchase prior to sending out a new unit. And I wonder if these Fitbits have serial numbers. Seems like that would reduce the fraud since the perp would not be able to return the “defective” device, especially with the registered serial number. And if it had been purchased in a brick and mortar store (no emailed receipt) that would also make it more difficult for the perp to meet proof of purchase requirements.

    1. Chriz

      And what makes you think it’s the same guy, aside from the nickname? Sure, there’s a couple of entries anyone can pull from Google on this nickname, but otherwise…

      Maybe the guy really sucks at opsec, maybe he just borrowed the nickname.

  11. Jones

    At some point society is going to say ….”no more!” The issues discussed here in Brian’s most excellent website are less technical than they are social, political and technical. I personally believe that we should cut off the internet from North America until we figure out WTF is going on….

  12. dcmargo54

    I once had a set of nice, fairly expensive earbuds develop a short in the main wire. I contacted the company and they sent me a brand new pair, no questions asked. Great customer service and PR. Needless to say, I was quite pleased, particularly since I didn’t have to bother to return the defective pair. I’ve since returned to the manufacturer to purchase numerous items. Their service went a long way to earn my loyalty.

    1. Bob

      Hey dcmargo. I wanted to ask you what company those earbuds were from? Thanks!

  13. Rob

    Typo in the caption under the first screenshot: ‘waranty’

    American shops and firms seem insanely trusting compared to their European counterparts. Even if the company paid for delivery of the defective product back to them, it would be worthwhile to cut out fraud.

  14. Chris Thomas

    Modern technology appears to be more ramshackle and flawed with every day which passes. Brian catalogues episode after episode of incompetence which seems to pervade every operator of information technology, large or small. With all elements of systems inherently visually concealed and therefore inherently impossible for the lay people who ‘control’ organisations and businesses to verify for themselves, I lose hope of the situation ever improving.

    We depend on vital yet fragile systems composed of many chain links which are vulnerable to intended and unintended disabling damage from unseen agents. The reliability of systems ultimately depends on difficult to verify diligence and trustworthiness of countless individuals.

    Dilbert and his pointy-haired boss are symbolic of the problem.

    I like things like steam locomotives which display visual evidence of their vital workings. When you can see a leak or that something is missing or damaged or hear sounds or smell odours of distress, you can tell that something is wrong.

  15. Nitesh Patel

    With Account changes logging enabled the customer support representative should be able to see when the last details on the account were changed.

    Verifiable via a memorable word / or any saved payment cards or identification with the purported warranty claimant.

    This information will only be known to the actual original purchaser,

    Why is something that makes so much sense
    incorporated into the industry slower than a snail can move?

    Loss prevention / fraudulent returns have a dedicated part of the budget where beyond a certain point risk can outweigh profitability thus putting the company at risk.

    I understand that customer service and the image of the company is important but products can’t just be freely replaced without auditing.

    1. Mike

      “With Account changes logging enabled the customer support representative should be able to see when the last details on the account were changed.”

      That’s IF anything actually gets logged.
      That’s IF those logs are not being edited/erased.
      That’s IF the customer support representative has access or even cares enough to read these details.

      These are computer files and database records.

      “This information will only be known to the actual original purchaser,”

      Then what good is it?
      This information must have a match to something on file in the database to be worth anything at all. You can do A=B, B=C, C=D but there still must be something that matches. Those computer files can be accessed and manipulated and copied.

      “Loss prevention / fraudulent returns have a dedicated part of the budget where beyond a certain point risk can outweigh profitability thus putting the company at risk.”

      If any of this actually meant anything to the people in charge then we would see so much lack-of-security issues going on. It’s obviously not a big enough problem to convince enough customers to NOT put more money into it (which is the only way these companies will even think about focusing on these problems).

      “I understand that customer service and the image of the company is important but products can’t just be freely replaced without auditing.”

      Yeah right! Maybe that’s the way things were 30-40 years ago. Maybe!

      If customer service were all that important to these companies, we wouldn’t have so much idiocy from them.

      Ya know, most companies give away quite a bit of stuff all the time. A lot of stuff gets bought in bulk anyway and there is no desire or time to mess with auditing anything. How many millions of Fitbit items have already been produced?

  16. Kyle

    Maybe I am missing something here but.. Where is FitBit shipping these replacement items? Doesn’t the customer’s account have their home address?? When these bad guys hack the accounts are they changing the address information? Wouldn’t monitoring for activity involving address changes be fruitful for FitBit?

  17. DFIR

    How about some simple auditing thrown in for good measure with the other suggestions. Like, Umm, I dunno, tracking changes to accounts! Like, Umm, I dunno, EMAIL ADDRESSES for one.

  18. Ken

    Seriously Brian? There’s not enough real-live cyber incidents out there that you gotta report on small-time conmen making a play for cheap consumer electronics?

  19. Sasparilla

    Very nice article Brian.

    Here’s another angle on this. Over at Dell, either via insiders (support employees?) or stealing of their entire user / buyer database people are getting phone calls from “Dell” with intimate details from Dell’s records (like the computer they have, the last issue they resolved with Dell on their computer etc.) and they offer to fix the problem the user has with their computer (that doesn’t exist) for a fee. With the added context of each user’s Dell support details this has the appearance of validity to fool a lot of people.

    http://arstechnica.com/security/2016/01/latest-tech-support-scam-stokes-concerns-dell-customer-data-was-breached/

  20. hfux0r

    Nitesh nailed it. Recently updated attributes of an account should not be considered for account validation. It’s a fairly simple measure that greatly reduces fraud. Fraudsters, also, typically create simple patterns that are easy to identify and alert on.
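
Added example, not part of any comment above and not Fitbit's code: a sketch of the check several commenters describe, where contact details changed shortly before a warranty claim are not trusted for validation and the claim is held for review. The 30-day window, the field names and the audit-log rows are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumed policy values for illustration; tune to the business.
COOLING_OFF = timedelta(days=30)
CONTACT_FIELDS = {"email", "phone", "shipping_address"}

# Constructed audit-log rows: (account, field, old value, new value, changed at)
AUDIT_LOG = [
    ("acct-1001", "email", "pat@example.com", "pat.new@example.net", datetime(2016, 1, 4, 9, 12)),
    ("acct-1001", "shipping_address", "12 Oak St", "PO Box 77", datetime(2016, 1, 4, 9, 15)),
    ("acct-1001", "email", "pat.new@example.net", "x9@example.org", datetime(2016, 1, 5, 8, 0)),
    ("acct-1002", "phone", "555-0100", "555-0199", datetime(2015, 6, 2, 14, 0)),
    ("acct-1002", "display_name", "Sam", "Sam R.", datetime(2016, 1, 5, 10, 0)),
]

def review_claim(account, claim_time, audit_log, window=COOLING_OFF):
    """Decide which contact details support may trust for a warranty claim."""
    start = claim_time - window
    prior = {}  # field -> value on file before the first change in the window
    # Walk the log oldest-first so setdefault keeps the pre-window value
    # even when a field was changed more than once inside the window.
    for acct, field, old, _new, ts in sorted(audit_log, key=lambda r: r[4]):
        if acct != account or field not in CONTACT_FIELDS:
            continue
        if start <= ts <= claim_time:
            prior.setdefault(field, old)
    return {
        "hold_for_review": bool(prior),      # any recent contact change -> manual review
        "untrusted_fields": sorted(prior),   # do not validate the caller against these
        "verify_against": prior,             # older values to confirm with instead
    }

if __name__ == "__main__":
    claim_time = datetime(2016, 1, 6, 12, 0)
    for account in ("acct-1001", "acct-1002"):
        print(account, review_claim(account, claim_time, AUDIT_LOG))
```
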

Comments are closed.