03
Nov 15

How Carders Can Use eBay as a Virtual ATM

How do fraudsters “cash out” stolen credit card data? Increasingly, they are selling in-demand but underpriced products on eBay that they don’t yet own. Once the auction is over, the auction fraudster uses stolen credit card data to buy the merchandise from an e-commerce store and have it shipped to the auction winner. Because the auction winners actually get what they bid on and unwittingly pay the fraudster, very often the only party left to dispute the charge is the legitimate cardholder.

So-called “triangulation fraud” — scammers using stolen cards to buy merchandise won at auction by other eBay members — is not a new scam. But it’s a crime that’s getting more sophisticated and automated, at least according to a victim retailer who reached out to KrebsOnSecurity recently after he was walloped in one such fraud scheme.

The victim company — which spoke on condition of anonymity — has a fairly strong e-commerce presence, and is growing rapidly. For the past two years, it was among the Top 500 online retailers as ranked by InternetRetailer.com.

The company was hit with over 40 orders across three weeks for products that later traced back to stolen credit card data. The victimized retailer said it was able to stop a few of the fraudulent transactions before the items shipped, but most of the sales were losses that the victim firm had to absorb.

Triangulation fraud. Image: eBay Enterprise.

Triangulation fraud. Image: eBay Enterprise.

The scheme works like this: An auction fraudster sets up one (or multiple) eBay accounts and sells legitimate products.  A customer buys the item from the seller (fraudster) on eBay and the money gets deposited in the fraudster’s PayPal account.

The fraudster then takes the eBay order information to another online retailer which sells the same item, buys the item using stolen credit card data, and has the item shipped to the address of the eBay customer that is expecting the item. The fraudster then walks away with the money.

One reason this scheme is so sneaky is that the eBay customers are happy because they got their product, so they never complain or question the company that sent them the product. For the retailer, the order looks normal: The customer contact info in the order form is partially accurate: It has the customer’s correct shipping address and name, but may list a phone number that goes somewhere else — perhaps to a voicemail owned and controlled by the fraudster.

“For the retailer who ships thousands of orders every day, this fraudulent activity really doesn’t raise any red flags,” my source — we’ll call him “Bill,” — told me. “The only way they eventually find out is with a sophisticated fraud screening program, or when the ‘chargeback’ from Visa or MasterCard finally comes to them from the owner of the stolen card.”

In an emailed statement, eBay said the use of stolen or fraudulent credit card numbers to purchase goods on eBay is by no means unique to eBay.

“We believe collaboration and cooperation is the best way to combat fraud and organized retail crime of this nature, working in partnership with retailers and law enforcement,” wrote Ryan Moore, eBay’s senior manager of global corporate affairs. Detecting this type of fraud, Moore said, “relies heavily on the tools that merchants use themselves, which includes understanding their customers and implementing the correct credit card authorization protocols.”

Moore declined to discuss the technology and approaches the eBay uses to fight triangulation fraud — saying eBay doesn’t want tip its hand to cybercriminals. But he said the company uses internal tools and risk models to identify suspicious activity on its platform, and that it trains hundreds of retailers and law enforcement on various types of fraud, including triangulation fraud.

QUAD FRAUD?

Moore pointed to one education campaign on eBay’s site, which adds another wrinkle to this fraud scheme: Very often the people listing the item for sale on eBay are existing, long-time eBay members with good standing who get recruited to sell items via work-at-home job scams. These schemes typically advertise that the seller gets to keep a significant cut of the sale price — typically 30 percent.

A recruitment email from a work-at-home job scam that involves respondents in triangulation fraud. Source: eBay

A recruitment email from a work-at-home job scam that involves respondents in triangulation fraud. Source: eBay

Interesting, the guy selling carded goods stolen from Bill’s company has been on eBay for more than a decade and has a near-perfect customer feedback score. That seller is not being referenced in this story because his feedback page directly links to transactions from Bill’s company.

Bill said he believes fraudsters targeted his company because it is relatively small, and is less likely to rely on sophisticated fraud tools that can sort out fraudulent orders. In his company’s case, it wasn’t spending any money on such fraud prevention tools until all this eBay fraud started.

“It wasn’t a huge order size, just random products we sell,” Bill said. “They’re going after us as a medium-sized retailer because we’re not yet to the size where we have all the fraud software built-in.”

TRI-FRAUD BOTS?

According to Bill, the company thought it had figured out a fraud pattern to help block future phony charges, which it found all came from different Internet addresses at Amazon’s Elastic Compute Cloud (EC2) service. But he said the fraud didn’t stop until the company started blocking purchases made from servers hosted at Amazon’s EC2 service. After that block was put in place, visitors coming from EC2 servers could still browse the site, but they would be blocked from placing orders.

Bill said he believes the orders may have been placed by automated “bot” programs running on instances of Amazon’s EC2 platform (instances that were also likely paid for with stolen card data).

“The fraud kept going until we put in some things that blocked his bots at Amazon EC2 from transacting with our site,” Bill said. 

Bill allowed that he can’t prove it wasn’t just a human manually transacting from all those EC2 systems. However, another security measure that Bill’s company established to fight triangulation fraud lends credence to the theory that some sort of automated EC2-based bots may indeed be involved in placing the unauthorized product orders. Bill’s firm put new data fields in the part of the checkout process where customers type in their name and address. This trick uses data fields that are hidden from regular Web site visitors but that are still visible on the site to computers and Web crawlers.

The idea is to separate orders made by humans from those entered by automated bots. Although the latter may dutifully supply some phony requested data in the new data fields, legitimate, human customers would never input data into those extra fields because they can’t see the information being requested in the first place.

‘Blocking EC2 purchases and the data fields have worked really well blocking this fraudster’s bots from spamming our email forms,” Bill said.

Bill’s company also just signed up with MaxMind, a company that gives retailers multiple clues about potentially fraudulent orders based on the geography of the order. For example, was the order placed from an Internet address that is located near the shipping address?

For its part, eBay says merchants can fight triangulation fraud by focusing on the products being sold by suspect eBay accounts. “Collaborate with auction and marketplaces that are known to have fraudulent sellers,” the company said in its tri-fraud primer. “Together, you may be able to uncover additional orders that may be part of the scam to help identify fraudulent sellers and/or employers.”

Has your company or credit card been victimized by triangulation fraud? Sound off in the comments below about your experience.

Tags: , , , , , ,

122 comments

  1. When I place an online order, the retailers generally refuse to ship to anything other than the address associated with the card: how are the fraudsters getting around this? Claiming it’s a gift? Finding retailers that don’t check?

    • Based on the article, It seems like the fraudsters are targeting smaller e-commerce stores, e-commerce stores can now be easily set up by just about anyone, who may not be sophisticated enough to identify differences in shipping addresses and billing addresses.

      Or maybe those retailers don’t care, they are successfully selling their products.

      • Well, they’d care once the chargebacks start killing their profit margin.

        But that said, I also wonder if there are cases where the fraudsters get away with this because the person who’s credit card was faked doesn’t check their bill closely. Granted, you’d have to be seriously oblivious to miss large purchases on the bill that you didn’t actually buy, but that said, I can imagine people out there being that spacey.

        • Well, they might check but often not until they get a statement, which could be weeks after the transaction. By then, the auction winner will have paid and the merchant will have shipped the product. The scammer only needs for the winner to have paid and receive the product to win.

    • I often have purchases sent to friends’ addresses because I live in the city and there is no safe place to leave deliveries if I’m not home. Only one store (a local store w/ a website) has ever called and asked me to verify the delivery address. The others just ship, no questions asked. And if I were the fraudster, or the unwitting accomplice, or the eBay buyer, I would just confirm the delivery address and the item would be shipped. I’m not sure they link the phone number to the credit card number.

      • I’ve had things shipped to where I worked because I wouldn’t be home to sign for it, shipping to the non-billing address isn’t uncommon for sure.

    • Really? I send stuff from Amazon to other addresses all the time. I don’t have to click any kind of “gift” checkbox either. They only thing they care about is that the billing address I list is the same for the card – the shipping address is irrelevant.

    • While this does happen at some retailers, it’s not at all common. The vast majority of retailers prompt for a shipping and billing address separately, with a checkbox or option to sue the same address for both.

      I frequently have online orders shipped to family, hotels i’m staying at, etc – I’ve never once had this rejected outside of PayPal/ebay transactions, as PP used some verification process for your mailing address.

      If retailers didn’t allow this to happen, the entire concept of buying and shipping gifts online would be dead – not exactly something most retailers are willing to give up.

    • Many retailers (especially those shipping big-ticket items, in my experience) validate this shipping address with the bank. If you aren’t shipping to the billing address, then the shipping address needs to be on-file with the bank that issued the card.

      I had to deal with this several times – calling up my bank to put my work address and occasionally a family member’s address on file as legitimate shipping addresses for purchases made from my card.

      If all retailers would do this, it would completely eliminate this kind of scam. The merchant and bank would realize that the merchandise is not being shipped to any of the cardholder’s addresses and the charge would be refused. The scammers would now have to contact the bank’s customer service department to add every shipping address to the card which (I hope) would set off an avalanche of alarms.

      • If retailers were this strict it would cost them more in sales than the fraud would cost them.

        I understand if you’re shipping diamonds around.. most people aren’t willing to put up with the inconvenience of calling their bank to get another address added to their card. I’d just shop elsewhere if someone asked me to do that unless it was a pretty special item.

    • Most triangulation fraud we see on our site have different bill to and ship to addresses. The bad guy will generally give the correct billing address (so AVS will match), but then ship it to the Ebay purchaser’s address. The retailer becomes the dropshipper if the bad guy is successful.

  2. Brian,

    I feel the worst thing is that, there’s no easy way to spot this, right?

    • It helps if merchants are relying on some kind of solution that helps build a fraud score that they can use to assess the likelihood that any given order is in fact fraud.

      Matching billing and shipping addresses (AVS checking), checking for transactions from cloud computing services, etc., seem to be good ideas, as well as the extra form fields mentioned in the story to help tell bots from humans.

      • “It helps if merchants are relying on some kind of solution that helps build a fraud score that they can use to assess the likelihood that any given order is in fact fraud.”

        I like this idea, but how would it work? A business could build its own Fraud Score but you would have to build that score up which takes time and it doesn’t break the scheme at its core. It just saves the business, which means the fraudster moves along to the next sap’s store.

        Matching billing and shipping addresses (AVS checking), checking for transactions from cloud computing services, etc., seem to be good ideas, as well as the extra form fields mentioned in the story to help tell bots from humans.

        These seem like band-aid solutions that over complicate security and have no way of actually stopping the scheme from occurring.

        -Matching billing & shipping addresses would lose you customers since you wont ship to anything that doesn’t match. Granted you would stop the fraud, but you would also lose legitimate business.

        -Extra form fields seems, from my perspective, like a stop-gap solution, but eventually it would be worked around because filling in three fields is just as easy as filling in three and avoiding one.

        • I run the fraud prevention dept at an e-commerce business and we do just that, we have a fraud score protocol in place. Any sales rep that encounters a score of 2 or higher submits the order to me for review. It has worked out quite well for us. Ping me if you want details.

        • The extra form fields are a nice variant on a canary. The extra information that a human Wouldn’t provide gives away the bot.

          Some of these security measures (I shop- and surf- with a VPN beccause I don’t want to be tracked) get in the way when I try to buy things online, but not very often. The hidden form fields are, to my mind, a much smarter solution. I am a human, I do want (and pay for) the things I buy online, I just shouldn’t have to have those retailers (or their toadies) following me for the rest of my life after I’ve left the store. If it’s a huge problem, I can take the effort to change the VPN exit point to be closer to home. I’m going to have to really want whatever it is to do that, however. I realy like not getting local advertising in my search results.

      • To Brian and everyone….

        one of the real problems with credit card “security” (at least in the U.S.) is that the only things required to process a transaction is: card number, expiration date, dollar amount.

        that’s it!

        the credit card companies speak about “PCI” compliance, and security. But the reality is, the credit card processing companies do NOT enforce the compliance.

        • PCI isn’t aimed at the credit card companies, there is nothing in PCI for them to comply to, nor does any of PCI cover things like requiring additional information to validate the transaction is legit.

          PCI, the Payment Card Industry, is a conglomerate created BY the credit card companies, to help secure credit card data from breaches and skimming, nothing more.

  3. I discovered on eBay earlier this year a dozen or so sellers of luxury designer goods who a) posted a stock picture of the handbag; b) had less than 10 feedback (feedback looked bought, cheap 99 cent items); and c) when you ask about pictures of the actual item you are told they don’t have item (or it is at their mother’s house in NY and the seller is a “student in Virginia”) and promise to ship in two days. My spidey sense went haywire since I knew this was some type of scam. It was something that I could not report to eBay since the reporting criteria at that time didn’t include “seller doesn’t have actual item in their possession”. It is interesting & makes sense how they are targeting seasoned eBay sellers to front for them.

    • eatthekidsfirst

      There was an eBay report called “item location misrepresentation”. Your ignorance has cost us.

      • No reason to be rude. Even if reported there is no guarantee that eBay would take the auction down.

        • Thanks KathyB, I investigate new sellers on eBay the same way you do; only I just plain won’t order from a low score seller. I will admit though if the item was some kind of rare thing I just had to have, that no other seller has – then I’d be forced to reconcile the chances on a possible fraud. Of course, I doubt most of these transactions happen that way, and are probably on regular popular products. I will definitely be thinking about it very earnestly if I have another such “opportunity”.

          Thanks for posting!

  4. As a retail ecommerce fraud auditor I see this all the time, another thing these guys do is place the orders with the legit merchant at next day air. This means the recipient customer is super thrilled because they don’t pay shipping and get it next day (glowing reviews for the ebay store scammer) and its rough on us merchants because it makes me paranoid about every single next day air order. More paranoid than I already am I guess.

  5. Typo:
    “The fraud kept going _util_ we put in some things that blocked his bots at Amazon EC2 from transacting with our site,” Bill said.

    ——-

    Fascinating story. It’s already been mentioned by one commenter, but it seems that blocking third party shipping addresses would put a hard stop to this issue. Many retailers already do so, I’m surprised that the more technical solutions were put in place before that route. Third party shipping addresses must be a more common need than I would expect.

    • There are a bunch of legitimate reasons for 3rd party shipping addresses. People have stuff shipped to work because they aren’t home to sign for a package. People ship gifts. College students may use their parent’s house for billing address but have it shipped to their dorms.

      I frequently order stuff for my employer. The billing address is our business office, which is different than that of our receiving area. We also have a few satellite locations I will have stuff shipped to.

      • Credit card companies have a way to store legitimate alternate ship-to addresses. Use that mechanism.

        • Yes, exactly. Alt ship to addresses is a requirement for a lot of our sales and takes 5 min to put in place by the cardholder. If the customer puts up a fight, it is red flag # 1.

          • But why would I want to store with my card company the address of a friend who I only ship something to once a year for their birthday because they moved out of country? Putting up a fight about that isn’t a red flag. I have one friend who teaches english in japan and has a new address every year I have to tell the credit card company its ok to ship to these addresses? No I should just tell the business I’m buying the product from where it is going. While the fraudsters need to be stopped, storing arbitrary addresses on your credit card file instead of the website your buying from is not the solution.

            • Certainly is a red flag. 1. it takes 5 minutes to do an 2. it protects the merchant from fraud. Unless you don’t care about #2, why wouldn’t you? I have been in fraud prevention for 15 years. Most times we encounter a “customer” that is reluctant to add an alternate shipping address to their account for a large purchase, it ends up being fraud. 100% a red flag.

              • Doug,

                I’m the owner of an ecommerce site and very involved in our anti-fraud processes.

                Unless you sell something very expensive and/or very unique, why would you think #2 is a big red flag? I generally wouldn’t be very interested in taking my time to wait on hold and get this setup on my card for an order with an ecommerce site. I’d either ship to my billing address (maybe) or I’d cancel and buy somewhere else. It doesn’t mean it’s a red flag to me.

                Most of the time, I can figure out if the order is something I’d want to ship or not without dragging the customer into it.

              • Also Doug,

                Why would I care about #2?

                I don’t care about protecting a website from fraud because I’m not going to be a fraudulent transaction. I’m not helping protect your site from fraud by doing this extra time-wasting step. I’m just letting your company relax about the order.

                Zero fraud is not my goal. VERY little is my goal. I don’t want to cancel legitimate orders too. It’s a fine line.

                • A fine line for sure. Last thing you want to do is turn away a legitimate order. But – if you do this long enough your gut tells you better than anything what is fraud and what isn’t. Someone that gives you a legitimate reason for not putting an alt. shipping address on file with their card will typically get a green light. Someone that just simply refuses, that is the red flag I was referring to and is most likely a fraudster.

    • Myself, and much of my firm, work entirely on the road (a la ‘Up in the Air’). As a result, most of what I buy online gets shipped to a hotel or business address, and my billing address almost never has things shipped to it.

      While this is uncommon, there are tens of thousands of ‘super-commuters’ or ‘road warriors’ in the US. My guess, from being part of that demographic, is that most people in it do most shopping online and are substantially more affluent than the general population.

      There’s also the 3.1% of homes that are for seasonal use in the US (vacation homes). Again, another demographic that is substantially more likely to be affluent.

  6. Blocking non-USA traffic is a great solution if a company can live with that. But if not, blocking the Amazon networks along with other hosting company networks will go a LONG way to exclude unwanted fraudsters.

    For ecommerce sites, I suggest you look into what iovation.com is doing because it sounds too good to be true. But one of our clients tried it and I can confirm it’s going to do most of what you want for e-commerce sites. (Brian, please remove the mention of Iovation until you can agree they are a good resource. I have no connection or commercial interest in promoting them.).

    My client stopped using Iovation after a test period. What they do amazed me (and I don’t say that lightly.). The problem is the client had PPC click fraud issues and at that time Iovation did not have any solution. Once someone clicks on your PPC ad maliciously, the crime is committed. Trying to recover the loss from a search engine provider saying that the click came from an IP with a bad reputation doesn’t go very far without more evidence…

    Lastly, the hidden field trick works well. But think about ways now to thwart bots or spammers from getting around this technique, rather than later. And don’t post about your solution directly. 🙂

    • I disagree. Blocking AWS services outright is a bad strategy and prevents legitimate users from making purchases on ecommerce sites, there are companies that host their DHCP and DNS servers on EC2, using even remote workstations hosted on EC2.

      I think the real solution is understanding the inherent risk of using e-commerce software. Having the adequate infrastructure in place BEFORE accepting payments. Doing risk assessments based on industry best practices and compliance standards.

      You definitely don’t want to just completely block and entire cloud infrastructure over one bad apple.

      • You can block AWS without blocking the sale.

      • Orders coming from hosting companies is a large red flag. Your examples of DNS servers and other servers being hosted on AWS isn’t relevant. Very few people run workstations on AWS and place legitimate orders on Ecommerce sites from them. I’m sure a few might occur, but 99%+ of them are probably fraud.

  7. It was bound to happen that “fraudsters” would use AWS services for malicious activity. I know several people working within AWS that perform fraud analysis checks on people/companies using their services. Their security is very tight, often times catching people who are scanning their own services looking for vulnerabilities within their infrastructure and sending out nasty emails. Personal experience. It’s unfortunate to say the least that malicious people would use AWS and tarnish the reputation at the same time, but I don’t predict that AWS is going to turn into another CloudFlare.

  8. I was thinking of contacting you about an eBay fraud I got caught up in last week, now I wonder if you are getting close to this particular style of fraud. Let me describe what happened.

    Two weeks ago, I listed my used iPhone 5 + extras for sale on eBay. The auction went fine until the last hour. Last legit bid was $200. Then in the last 15 minutes, the next bid was $450, then another at $475. These were obviously fraudulent, who would overbid by more than double the last bid? Red Flag #1 And both these user accounts were registered at http://www.ebay.in according to their profiles but had shipping addresses in the US. Red flag #2, I set the auction to ship to US customers only. I called eBay to confirm my suspicions, they said I should invoice the buyer and add a note that shipment will only occur after funds were deposited in my PayPal account.

    I looked at the ship-to address, it had a street address and a box number like #U34678. Red flag #3, I had this auction set to not ship to PO boxes or APO/FPO. I googled the shipping address, it was a freight forwarding company. I sent the invoice with the notice “shipment upon funds rec’d.” Soon a red tag appeared on my eBay account, marking PAID. But this was the fraud attempt. No payment was made. The buyer checked a box indicating he sent payment. But no PayPal transaction occurred.

    So I googled a little more and I found a site http://www.badbuyerlist.org, if you google the shipping address “McCullough Dr, New Castle, Delaware, 19720” you will find HUNDREDS of complaints about this fraud ring posted to this site, going back YEARS. Their scam is simple: win an auction with a bid that is too good to be true, appeal to the seller’s greed. Seller marks the auction paid, but does not send payment. The eBay app has a check box to mark that a payment was sent, for buyers that will accept payment by other means like a check in the mail. Then the PAID logo appears on your auction. They are trying to trick inexperienced users into shipping on the faked payment notice.

    I called PayPal security and asked how this auction was marked PAID even though no PayPal transaction occurred. The rep said do not ever ship unless you get a notice via email from eBay.com notifying that PayPal payment was received AND it was marked with Seller Protection. If payment was received but NOT listed with Seller Protection, the payment was probably suspicious and from a stolen credit card.

    So I called eBay security. They checked it out and said he could see a dozen fraudulent accounts linked to this ring. He’d cancel their bids and I could make a Second Chance offer to the last legit bidder. I expressed outrage that this fraud ring could have been operating for years on eBay. He said they have an incentive to keep eBay free of fraud because they make money on transaction fees and nobody would trust them if fraud was rampant, and they’d make no fees. So he would cancel the fraudulent bids and I would be able to relist the auction for no fee.

    BUT that’s not how it worked. They cancelled the whole auction and I could not make the Second Chance offer to the legit bidder. I was told I should leave negative feedback “did not pay” on the scam account, but they cancelled the auction in a way that I could not leave negative feedback. I could relist the auction, but I was charged a new listing fee. So THAT is how eBay makes money from fraud: more fees from cancelled auctions. Even worse, I got an email from eBay security a few days later, informing me that the scam artist claimed his account was hacked and the bid was placed without his knowledge. Yeah right. So the scam artist’s account is still active, and still has positive feedback. He is free to continue using this account to defraud eBay users. Even if he lost this account, he has hundreds of others.

    So I got screwed by the fraud by both the scam and by eBay. The scammer ruined my auction and prevented me from selling to a legit buyer, causing me to lose an opportunity to sell my phone before it started dropping in price. Then eBay charged me for listing fees a second time. eBay has an incentive to permit this fraud, since the sales are not under Seller Protection, and they make extra fees too.

    But worst of all, many people are actually falling for this scam and shipping products to the freight forwarding company and never getting paid, while their products fly to India or the Ukraine or wherever this ring operates from. And all eBay would have to do to stop this scam would be to kill all eBay accounts with shipping addresses at McCullough Dr, New Castle, Delaware, 19720. But they won’t do it. Users have complained for YEARS about this scam ring, and this particular address. There are even reports online of users contacting the New Castle Delaware police department and they won’t do a thing either.

    • eBay gives exactly zero *#%’s about anything other than making themselves money. I’ve been a seller there since 2001 but only for items under $100 that I can’t sell on Craigslist (think fancy-ish clothes no one in my hick town will buy). Even at the lower end of sales people still will try to scam you – saying the item was fake, not received, sending you back a rag instead of the item they’ve returned. You have to write off about 1 in 10 sales I find.

      Don’t sell anything on there you can sell locally (on kijiji or craigslist) or anything over $100. Don’t ever expect eBay to help you if you’re a seller.

    • I only sell as buy it now and must pay at that time, I move the PayPal money out before I ship, never had a problem that way.

    • I’m not really surprised. eBay has seemed sleazy for most of their existence. I stopped using them over 10 years ago when they decided to demand notarized identity documentation (enough to steal a lifetime worth of identity) simply because they didn’t like the domain name associated with my e-mail address. (An address that I had been using with them for several years prior to their new “security” policy.)

      It wouldn’t surprise me if they are in league with the thieves.

      • I’ve bought & sold on ebay since 1999 with few problems & none that did not get fixed.
        Keep trying to get recompense via the phone line for your relisting fees, and keep reporting the scammer, also via phone. Eventually you will achieve more satisfaction.

    • @Charles Xavier

      Looks like you’re a triple-fit for MaxMind services! I just don’t know how they obtain a bidder’s IP address: telekenesis or telepathy?

    • I also sold my iPhone 5 on eBay last month and also had a non-paying auction winner which wasted a lot of my time. Eventually I re-listed the phone on eBay and sold it two weeks later for $20 less than the first winner had bid. I only ship to the U.S. And I require payment upon checkout in every case where eBay lets me do so.

      eBay can improve this situation. eBay needs to start forcing payment at time of auction win. Ebay could choose to require that bidders escrow the amount of their bid until the auction closes, then eBay could pay the seller automatically. Last time I checked they allowed me to require immediate payment from fixed price bidders but not auction winners.

      In my case, even though I had other bids at nearly the same amount, the second chance offers were just another waste of my time. Still, after all that, I sold the scratched but fully functional iPhone 5 plus case for 50% more, after deducting fees and shipping, than any retailer was offering for trade-in. And I also tried unsuccessfully to leave “did not pay” feedback. eBay works a lot better for low value items that are not time sensitive. We’ll get any relist fees and seller fees back eventually but not the value of the iPhone’s price decline over those few days. The iPhone 5’s value was declining every day during the time before and after the latest iPhone release and those fraudulent bids cost us much more than the 30 cent listing fee.

  9. In the past 6 months I’ve order computer parts for my parents (different address in the same zip code), clothes for my son (sent to his college dorm) and two gifts for people in different states.

    A merchant that rejected those legitimate purchases would lose money as well as future purchases. They can’t afford to do that.

    And I could be wrong, but I believe that merchants don’t get charged back for fraud if they’ve taken reasonable precautions? Wasn’t that the cudgel card companies used to push merchants to read chips instead of stripes, that merchants who didn’t make the switch *would* be liable? (Which was a change from usual procedures.)

    • No, merchants are on the hood for any fraudulent chargeback, regardless of any / all steps taken.

    • @Jon Marcus,
      Rules for e-commerce fraud are very different from card present fraud. The EMV/chip push only relates to card present fraud.

    • I have placed many internet orders that were not going to the CC billing address. Never a rejection by the merchant.

      • The last word should be “merchants”.

      • Then these merchants are putting themselves at great risk for chargebacks if they do not at least call you to confirm that you are the cardholder. They will make that mistake once and only once if they want to reduce losses.

  10. I work for a small to mid-size retailer, and, for what’s its worth, about 10% of the orders we receive through our ecommerce site specify a delivery address that is different than the billing address. So declining to accept these orders would take a noticeable bite out of sales.

    The idea of blocking all transactions originating from AWS is interesting, but I am curious if anyone has an idea of what percentage of legitimate consumers would be unable to place an order.

    • What you want to look out for, if you ship with UPS or FedEx, is fraudsters changing the delivery address once the order has shipped. UPS and FedEx allow the recipient to change delivery addresses unless you have a restriction in place. We got burned several times before putting these restrictions in place.

      • I second Doug on this. For years we haven’t allowed customer to redirect their package for this reason. We also don’t allow any redirections to occur from us either. We had someone pretend fairly recently that they were one of our employees and they needed to redirect the package. Fortunately we caught it in time, redirected it back to us and added the second type of block.

  11. I wonder why “Secure by Visa” and such aren’t more enforced. Every transaction made with a credit card should redirect to the Credit Card (CC) provider website for confirmation with a password known by the legitimate owner of the CC and Visa (encrypted, of course). That would seriously limit this kind of scam as large CC leaked info would not be associated with their password. This way, the scammer could not so easily by the item to ship from the merchant as it very unlikely he would have the CC password.

    This has been said many times, but still… merchants should include a CAPTCHA in their cart. And no, I’m not talking about those very simple CAPTCHA like type the street number or word. I’m talking about real CAPTCHA like selecting all images related to food. (Then you would have a banana, an apple, a door, a car, etc.)

    And regarding the idea of shipping only to the billing address, that doesn’t really make sense. Most people ship items to work to they don’t end up with a box sitting behind a trash can for 3 days, under the rain outside (yes, I’m talking to you Amazon and FedEx…)

  12. While working as Trust & Safety Supervisor for one of eBay’s classifieds properties, we detected (during 2013-2014) several ads offering air conditioning systems at almost half the price during high season (months prior to summer) and most of the were fraud ads.

    The problem here was that as a classified platform we did not take part on the deal, this means you can’t do a background check on credit cards or bank account, as the deal is mostly closed via phone, email or face to face.

    Here the plot was to sell a fake item, ask the buyer to make a deposit on a bank account belonging to a second person who was not part of the plan. This 2nd guy was usually a small company selling cellphones, printers, computers, etc. via another marketplace. At the end of the day, the first buyer will end loosing it money and having nothing in return, the second one will ship an item to a disposable address (most of the time unoccupied house) and after some time will receive a note regarding a fraud investigation against him.

    In this case, they were using unoccupied houses as the post office will not leave the package there, instead they will leave a notification. All the fraudsters had to do then, was to collect this notification from the mailbox and go to the post office to collect the item.

  13. Whether you lose sales from not accepting addresses other than the billing address also depends on how dumb you are.

    One company I had been doing business with without a problem suddenly decided they would not accept billing addresses that were PO Boxes. It was the address the credit card bill goes to, so the credit card company knew of it to say the least.

    There are many companies that have a different billing address from a shipping address. But I think my credit card company has my physical address as well.

    I avoid Paypal as they ban perfectly good cards of mine for no reason at all.

  14. “the extra form fields mentioned in the story to help tell bots from humans” sounds like a good idea. Except I use my password manager to fill in all those fields. I guess I am going to start seeing transactions declined on sites I use infrequently and don’t have user accounts with.

    • Password managers generally aren’t dumb enough to try to fill in invisible forms. Anytime they do that, it’s a bug.

      Sadly, if they can get it right, eventually fraudster programs will too.

    • Nic, give it another read. Those extra fields are ONLY “seen” by the bots, that’s why they are there. Your browser won’t display them, and they don’t need to be filled in. So… no problem for you or any other legitimate entity.

      • > Those extra fields are ONLY “seen” by the bots, that’s why they are there. Your browser won’t display them,

        There is almost no practical difference between a password manager and a bot. Either will be confused by the presence of pre-determined fields and fill them in, or be smart enough to use a browser rendering stack to determine final field visibility and fill in only those fields.

        • Actually, you bring up a good point. Now and then, my password manager fills in fields wrong, sometimes with different information than what is asked for and that I would not want to give to that merchant. When you can see it, you can catch and stop it. But when you can’t see an error, you don’t know what is happening in it.

  15. who pays the bill? does the credit card company?

    If the card is stolen, then surely the credit card company should pay the bill as there system allows the transaction? Or am I missing something?

    • No, the merchant that accepted the stolen card # is 100% responsible for the losses. Card issuing banks do not accept any responsibility for any fraudulent losses. The merchants are really the only party at risk for fraud. And banks offer very little protection for merchants. AVS is really all they offer us, and that is useless if the customer wants something shipped to an alternate shipping address.

      • Actually merchants can protect themselves by taking part in the 3D secure options, such as Verified by Visa, or SecureCode from MasterCard. If the merchant is enabled to accept those, they’re protected from charge back.

        • These services are great, but require the cardholder sign up for the service for one. And once enrolled, use a unique card number, or PIN for lack of a better term. How many of you reading are going to take the extra step to do this every time you order something online? (insert cricket sounds here.)

          • My point wasn’t cardholder participation, I know that is atrociously low. You’ve been saying that merchants have no recourse to fight chargebacks for online fraud but that’s not true. If the merchant participates in a 3D Secure program they can reject charge backs, whether the cardholder participates or not.

            Similar to EMV, MasterCard/Visa side with the higher technology and in ties the merchant wins.

    • As a full-time eBay seller for about 12 years, if a customer made a purchase using Billpoint (later this became Paypal), and disputed the charge with their credit card company, even 12 months later, then I was held liable and would have to pay the money back to Paypal, along with a transaction fee. This never happened to me personally, but it did happen to other sellers that I knew. The same held true for purchases made with stolen credit cards – as the seller of the item, you’re the merchant, not eBay or Paypal, and you’re the one left holding the empty bag.

  16. Disclaimer: I can’t speak for ALL card issuers. However, having worked for a major one for over a decade, and now managing my own portfolio, I would be HAPPY to work with merchants in verifying suspicious orders (Next day air types).

    While the call center can’t volunteer any information, we can confirm if you provide the correct phone with a Yes/No likewise with an email address.

    You can make this process even easier by asking the person placing the order enter the phone number listed on the back of the card.

    This is the perspective I have:
    1) Genuine order – Cardholder enjoys using my card brand, feels secure using it online.
    2) Fraud order – Prevents fraud, which I have to reimburse my cardholder for, pending chargeback. Even though liability is on merchant my card brand is still “damaged” by active fraud.

    So Win-Win-Win

    • Yes, most banks do offer a verbal verification for cardholder information. However, that is essentially the same as the automated AVS system. So not much more protection against fraud for the merchant, no matter how you verify, be it verbal or with electronic AVS. Bottom line, if you are the merchant, you are the only one at risk of loss for fraud, regardless of what steps you take to verify. If the cardholder disputes the charge for whatever reason, fraud, non-delivery, unhappy with product, etc, the funds will be taken from the merchant.

      And from my perspective, if I find a fraudulent order on my personal card and my bank issues me a refund via a chargeback, that is a win for me and not seen as a damaged brand at all.

  17. Mike –

    No credit card company will issue a card with a PO Box as a billing address.

    I love how these experts border on calling others ‘dumb’ when they have zero clue wtf they are talking about.

    • Certainly they will. I often have cards come through with a PO box as the billing address. This is verified with the card-issuing bank at least once a day here. Mike is correct.

    • I’ve gotten a card and then changed the address to a PO Box multiple times. Sure, I needed a physical address for 5 minutes when I applied for it, but that’s it. I’ve even had replacement cards shipped to the PO Box.

      Alternatively, a maildrop that uses street and apt# or suite# looks legitimate, despite being a bunch of mailboxes behind one door.

      And I ship to multiple unverified addresses with my cards fairly often. It’s very rare that I get a shipping address verification request.

    • I have multiple credit cards with a PO Box billing address. Just got a new one earlier this year.

  18. Get off your ass and go outside and deal face to face with people – or – run the risk of giving it away to another lazy person who feeds off yours.

  19. Most likely the fraudster used Amazon’s free tier instance (t2.micro).
    It had two huge advantages for him:
    1. he could verify his stolen credit card is working without noticing real CC owner. It’s free tier Amazon just verifies if CC is working but there is no charge. Verification without charge. Good chance to go unnoticed by real owner.
    2. if fraudster is from Russia he needs good proxy in USA to fight all anti-fraud triggers. Not well-known free public one not well-known commercial one. Setting his own private proxy in free tier t2.micro linux instance is trivial 5 minute job.

  20. In the past two months I’ve had three things I bought on ebay get delivered by amazon with 2 day prime shipping. Not sure if it is fraud because the price on amazon was lower than ebay. Maybe this is just someone getting frequent flyer miles on their own card and doing some arbitrage…

    • Between the eBay & PayPal fees totaling over 10%, it’s hard to see how one could arbitrage any credit card reward system to make that work.

  21. I like the idea with hidden fields – would that be a replacement for captchas?
    Basically hide captchas and don’t bother a human, but bother a bot- who sees the “hidden” field and has to solve the problem

    • How about insert a random code in the referrer to the shopping cart link? Because humans do things like bookmark pages, clear cookies, open from history, delete cache, and surf from foreign-host-proxied browsers. They’d be onto the community-help forums everywhere when the contest_for_bots_only_field displayed, which eventually, on one or another VPN, it would.

  22. In any way, shape or form does this end up being a process like the money mule? People work for almost a month for these crooks and then over time they simply pull the plug?

    In one part of the recruitment above it says they get to keep 50%, and then near the bottom it says 30%. Guess what comes out of that 30%….. the 10% for the ebay transaction and 3% for the paypal – or more.

    Even IF it was legitimate, it seems kind of low when it comes to making money at this sort of 3rd party sales.

    The ONLY thing different here is obtaining the catalog, (not from a primary contact email) seeing what they sell and then going out searching for these items via wholesale. If someone is going to do this sort of effort for 17% or so, a little more effort may net the a legitimate 50-70% profit.

    Sure thieves don’t care about what something will cost to ship to an individual – its stolen money. What happens when they modify their plans and put a crook at both ends? The Ebay seller could become a middle man to launder money for two crooks.

    I dont consider Ebay as a viable selling platform. I don’t sell on there anymore – it has multiple issues and when I called customer service to explain something, it has to be repeated several times to the person in an overseas call center. With ebay comes frustration, costs, competitors giving negative feedback, banned sellers reapplying with a different credit card and email, inconsistent ebay practices…..and the list goes on and on. For a handful of visitors to an item – its not worth handing ebay a handful of dollars. I’ll do my sales elsewhere.

  23. the same old core problem: failure to authenticate.

    the resolution might be found in building a PGP key device for general public use. Customers would authenticate their public key at a local DMV, County Records office, Credit Union or Notary Public — all places which currently must perform reliable authentication of personal identifications

    the PGP/key device must be a single purpose device NOT a “smart” phone app. NOT re-usable.

    • They come to me or I to them every time? I live 20mi. out in the rural routes. Closest private notary I know is nearly illiterate.

  24. Mikey doesn't like it

    Here’s an approach for dealing with suspicious “next day air” orders…

    Send the following (sample) confirmation response:

    “As part of our fraud alert system, we randomly ask buyers to help us confirm their security. To do this, we ask you to email or fax us an image of your credit card (front and back). As soon as we receive that, we will process your order — and in consideration for this added step, we will waive the fee for Next Day Air shipping.”

    Foolproof? No. But if you don’t get a response — or if you get an obviously photoshopped fake — you’ve just short-circuited a fraudulent orders. And for those which turn out to be legitimate, it’s a small cost of doing business more securely and safely.

    Worth a try?

    • And then you have credit cards being sent through email, which is an insecure method of communication. I can’t imagine anyone with any sort of security mindset would be comfortable emailing you images of their credit card.

    • I just call to verify. 9 times out of 10 a fraudster will put a disconnected phone # on the order. If my fraud score is 2 or more, I call the customer to verify. No need to make up fake stories about random checks or rely on faxes. Just be straight up. Customers are blown away that we do this and super appreciative. I thwarted a $2744.33 fraudulent sale this morning this way.

      • PS: The 1 out of 10 that actually post a phone # that works, when they answer and I know it is fraud, I introduce myself, say I am calling about their order and then ask “before we continue, who am I speaking with.” Hearing them scramble to find the name they used to place the order under is priceless. Usually after that question, the phone goes dead, and I have my confirmation that it was fraud. 🙂

    • @Mikey doesn't like it

      Anything worth failing is worth trying. Random is no good, you obviously just send verification records for chargebacks to some external collections dept.

  25. I was the unwitting buyer in one of these. I got the package shipped direct from Amazon, complete with receipt showing the seller had paid $5 more than he charged me on ebay. I complained to Amazon, saying that this was a hacked account or invalid card, but the response was “Since you have received the item we will close this fraud claim.”

  26. Credit card companies could prevent a lot of fraud by following the example of AMEX and Apple Pay. With every charge made to my friend’s card, he gets a nearly instant text message on his phone. This would stop a lot of fraudulent transactions very quickly.

  27. How about every time you use your debit or credit card, you either have to respond to a text from the card company or a phone call (if you don’t/can’t get texts). Who doesn’t have a cellphone that get texts these days? It would slow the line down a bit at the store but I’d rather have that then the current mess and I’d get confirm each and every charge as they are made.

    • Texts cost me extra, plus a cellphone isn’t exactly free, either. All we need is for those illegible ReCAPCHA hack-contests to start MSMing us RePEATEDLY when we fail to solve yet AnOTHER one.

  28. It may be bots or it may just be people surfing with a computer in EC2. In EC2 you can spin up a Windows instance as easily as a Linux instance, then you can use remote desktop to run a web browser or any other applications. It is also easy to set up a proxy server — either way the trail leads to a machine in EC2.

  29. There is another eBay scam, one which games their buyer protection system, which I was a victim of as a seller a few years back. I sold a fairly expensive used camera on eBay. The buyer running the scam, once they received it, claimed it was not as described. eBay really didn’t care what I said about how well my description matched the item, within a day they instigated a refund & back charged my PayPal account. When that happens, they hold the refund until the tracking number submitted by the buyer for the return shipping shows it was delivered, at which point they release the funds back to the buyer. Problem is, anything could be in the box shipped back, and in my case, it was not my camera, but a bag of rocks. (Which you can’t prove was what the buyer really sent back, as even photos of you opening the box could be staged for all eBay knows.) So the scam buyer got my camera and his money. To add insult to injury, both eBay & PayPal still charged me the transaction fees. I didn’t use eBay or PayPal again for over a year, I was so angry.

    • So then you filed a federal USPS mail-fraud case? I don’t get it. Maybe you didn’t use a major carrier but a ‘logistics’ cmpany: your loss. Follow through, as with any armchair-sport. They paid for return shipping. Least you could have done is stop their mail delivery. You could have redirected it just for spite.

      • You don’t use eBay much. As a seller, you have to prepay for return shipping if someone returns an item.

  30. Well crap. Now I know how I’ve been able to buy a product on eBay so cheaply.

    For me to buy the product (fitness drink) from the manufacturer is close to $150 with shipping. On eBay, it was $94. I purchased, and got the items direct from the manufacturer, with my name and address, but a different phone number. I figured it was a rep, using some type of loyalty points or some other discount, and selling against policy.

    Now, I’m pretty sure it’s exactly what was listed in this article. Makes sense, as no one could come up with how they were selling for the rep’s cost, plus then having to pay eBay.

    Guess I have to buy my stuff full price now.

    Now, I