1. Hope you and yours had some quiet time and are good. Stay safe and have a safe and prosperous New Year 2016.

2. If a perp can log in to the victim’s account and change the email address, why wouldn’t they also change the phone number?

  3. I don’t see this as an IT problem, this is a business process problem. Broken fitbit? No problem, here is a prepaid shipping label, please drop the device in the mail and we will get your new device back out to you in 2 days. Don’t send out the new device until you receive the old one. Problem solved. No need to make it an IT fix. Don’t get me wrong, 2FA is great but this is a business process problem.

    • Unfortunately, companies want to have happy customers, and they don’t want their customers to have to wait days between previous product and replacement.

      There’s a risk they’ll give up and buy a competitor.

      That’s why this proactive shipping system is used.

• Fraudsters have taken advantage of their customer friendly policies. The question really comes down to what losses they are willing to accept to trade for customer service.

• I’d rather wait and be annoyed than have the overall cost to all of the consumers GO UP due to this reckless friendly policy!!

    • Plus Fitbit will give you a new device even if you just lose your existing one. They are awesome to work with and this is probably why they can get hit for fraud. I’ve had really good experiences with the customer service so I hope the changes do not affect the good service I had become used to.

  4. Daddmac,
To answer your question, usually with a 2 factor authentication you are required to authorize on login, so if they don’t have access to the cellphone they can’t login to change the details in the first place.

    Also many 2FA setups require a follow up code for any major changes such as email address or 2fa registered device.

If you want to see it in action, set up a gmail account and enable it on your phone. It’s pretty sweet!

    Ned R

    • I think I get it now, I may have lost context.
      1. Setup two factor authentication.
      2. The email and phone info cannot be changed without having the mobile for the authentication code.

      I was asking in the context of an account with single factor authentication being compromised, and then the 2FA scenario.

      My bad; thanks for the reality check!

  5. Just from the standpoint of FitBit, don’t they require the customer to return the old, non-functioning unit? I’m just not sure how big a problem this is for the vendor. Heck, I rarely can wrangle a replacement “widget” from a company when I’ve bought, paid and can produce a broken product with receipt, much less with nothing to show.

6. Fraudsters can demand a “hot swap”, give a stolen credit card number as collateral, and make off with the merchandise.

7. This is the kind of news that makes me mad; because it is hard to find a good company that stands behind their product, and then this kind of dastardly thing happens!

    Perhaps if a serial number were required to be called in from the phone number on file for the customer in question, this would help. I realize fraudsters can fake caller IDs, so some other factor would need to come into play to minimize that possibility. I really wonder how they could come up with questions only the actual customer could answer without becoming just another data point the criminals already have on file for just about everyone in the US already! Email and possibly SMS are already compromised. Perhaps an automated phone verification service?

    • The SN of the device is probably accessible once you get access to the customer account.

      The way I see it, as told by other folks before: The customer must send the broken device first to receive a new one.

  8. Brian, please fix this sentence! “Bown the fraudsters will log in to the customer’s account and change the email address and on the customer’s account.”

  9. Every time I wanted a new product because of a problem the seller wanted me to send the old one back to them usually on my dime. If sellers did this whether they opened the box or not it would end this scam fast since the scammer doesn’t have the merchandise.

10. I was wondering why Fitbit doesn’t require the caller to return the “defective” product with proof of purchase prior to sending out a new unit. And I wonder if these Fitbits have serial numbers. Seems like that would reduce the fraud since the perp would not be able to return the “defective” device, especially with the registered serial number. And if it had been purchased in a brick and mortar store (no emailed receipt) that would also make it more difficult for the perp to meet proof of purchase requirements.

  11. These skids really suck at opsec.

    Just google those handles in the screenshots.

    eg – Gerant007 – http://gerant-007.skyrock.com/profil/photos/1/122180634

    • And what makes you think it’s the same guy, aside from the nickname? Sure, there’s a couple of entries anyone can pull from Google on this nickname, but otherwise…

      Maybe the guy really sucks at opsec, maybe he just borrowed the nickname.

  12. At some point society is going to say ….”no more!” The issues discussed here in Brian’s most excellent website are less technical than they are social, political and technical. I personally believe that we should cut off the internet from North America until we figure out WTF is going on….

  13. I once had a set of nice, fairly expensive earbuds develop a short in the main wire. I contacted the company and they sent me a brand new pair, no questions asked. Great customer service and PR. Needless to say, I was quite pleased, particularly since I didn’t have to bother to return the defective pair. I’ve since returned to the manufacturer to purchase numerous items. Their service went a long way to earn my loyalty.

  14. Typo in the caption under the first screenshot: ‘waranty’

    American shops and firms seem insanely trusting compared to their European counterparts. Even if the company paid for delivery of the defective product back to them, it would be worthwhile to cut out fraud.

  15. Modern technology appears to be more ramshackle and flawed with every day which passes. Brian catalogues episode after episode of incompetence which seems to pervade every operator of information technology, large or small. With all elements of systems inherently visually concealed and therefore inherently impossible for the lay people who ‘control’ organisations and businesses to verify for themselves, I lose hope of the situation ever improving.

    We depend on vital yet fragile systems composed of many chain links which are vulnerable to intended and unintended disabling damage from unseen agents. The reliability of systems ultimately depend on difficult to verify diligence and trust-worthiness of countless individuals.

    Dilbert and his pointy-haired boss are symbolic of the problem.

    I like things like steam locomotives which display visual evidence of their vital workings. When you can see a leak or that something is missing or damaged or hear sounds or smell odours of distress, you can tell that something is wrong.

  16. The whole thing seems pretty ridiculous to me.

  17. With Account changes logging enabled the customer support representative should be able to see when the last details on the account were changed.

    Verifiable via a memorable word / or any saved payment cards or identification with the purported warranty claimant.

    This information will only be known to the actual original purchaser,

Why does something that makes so much sense get incorporated into the industry slower than a snail can move?

Loss prevention / fraudulent returns have a dedicated part of the budget where beyond a certain point risk can outweigh profitability thus putting the company at risk.

I understand that customer service and the image of the company is important but products can’t just be freely replaced without auditing.

    • “With Account changes logging enabled the customer support representative should be able to see when the last details on the account were changed.”

      That’s IF anything actually gets logged.
      That’s IF those logs are not being edited/erased.
      That’s IF the customer support representative has access or even cares enough to read these details.

      These are computer files and database records.

      “This information will only be known to the actual original purchaser,”

      Then what good is it?
This information must have a match to something on file in the database to be worth anything at all. You can do A=B, B=C, C=D but there still must be something that matches. Those computer files can be accessed and manipulated and copied.

“Loss prevention / fraudulent returns have a dedicated part of the budget where beyond a certain point risk can outweigh profitability thus putting the company at risk.”

If any of this actually meant anything to the people in charge then we would see so many lack-of-security issues going on. It’s obviously not a big enough problem to convince enough customers to NOT put more money into it (which is the only way these companies will even think about focusing on these problems).

      “I understand that customer service and the image of the company is important but products cant just be freely replaced without auditing.”

      Yeah right! Maybe that’s the way things were 30-40 years ago. Maybe!

      If customer service were all that important to these companies, we wouldn’t have so much idiocy from them.

Ya know, most companies give away quite a bit of stuff all the time. A lot of stuff gets bought in bulk anyway and there is no desire or time to mess with auditing anything. How many millions of fitbit items have already been produced?

18. Maybe I am missing something here but.. Where is FitBit shipping these replacement items? Doesn’t the customer’s account have their home address?? When these bad guys hack the accounts are they changing the address information? Wouldn’t monitoring for activity involving address changes be fruitful for FitBit?

19. How about some simple auditing thrown in for good measure with the other suggestions. Like, Umm, I dunno, tracking changes to accounts! Like, Umm, I dunno, EMAIL ADDRESSES for one.

  20. Seriously Brian? There’s not enough real-live cyber incidents out there that you gotta report on small-time conmen making a play for cheap consumer electronics?

  21. Very nice article Brian.

Here’s another angle on this. Over at Dell, either via insiders (support employees?) or stealing of their entire user / buyer database, people are getting phone calls from “Dell” with intimate details from Dell’s records (like the computer they have, the last issue they resolved with Dell on their computer etc.) and they offer to fix the problem the user has with their computer (that doesn’t exist) for a fee. With the added context of each user’s Dell support details this has the appearance of validity to fool a lot of people.


  22. Great topic, and I also wanted to say I enjoyed seeing you quoted in an “American Banker, Bank Technology” article this morning.


  23. All they have to do is enable 2 step verification

  24. Nitesh nailed it. Recently updated attributes of an account should not be considered for account validation. It’s a fairly simple measure that greatly reduces fraud. Fraudsters, also, typically create simple patterns that are easy to identify and alert on.
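Comments 17, 18 and 24 above describe the same defensive check from three angles: log account changes, watch for recently changed contact details (email, phone, shipping address), and refuse to validate a warranty claimant against an attribute that was just updated. The script below is an added illustration of that check and is not code from the article, its comments, or Fitbit; the record layout, the 14-day window, and the sample change log and claims are all constructed for the example.

```python
# Added example: triage warranty claims against an account-change log.
# Record fields, the 14-day window and all sample data are assumptions
# constructed for this illustration, not anything from the article.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

RECENT_WINDOW = timedelta(days=14)
# Attributes support staff would otherwise use to validate a claimant.
VALIDATION_ATTRIBUTES = {"email", "phone", "shipping_address"}


@dataclass(frozen=True)
class ChangeEvent:
    """One audit-log row: an account attribute was set to a new value."""
    account_id: str
    attribute: str
    new_value: str
    changed_at: datetime


@dataclass(frozen=True)
class WarrantyClaim:
    """A replacement request as the support desk receives it."""
    claim_id: str
    account_id: str
    submitted_at: datetime
    contact_email: str
    ship_to: str


@dataclass
class Assessment:
    decision: str                       # "auto_approve" or "manual_review"
    reasons: list = field(default_factory=list)
    trusted_attributes: set = field(default_factory=set)


def recent_changes(log, account_id, at, window=RECENT_WINDOW):
    """Change events for one account inside the window ending at `at`."""
    return [e for e in log
            if e.account_id == account_id and at - window <= e.changed_at <= at]


def assess_claim(claim, log, window=RECENT_WINDOW):
    """Hold a claim for review if it leans on recently changed account data."""
    changes = recent_changes(log, claim.account_id, claim.submitted_at, window)
    recently_changed = {e.attribute for e in changes}
    # Recently updated attributes are excluded from claimant validation.
    trusted = VALIDATION_ATTRIBUTES - recently_changed
    reasons = []
    for e in changes:
        age = (claim.submitted_at - e.changed_at).days
        if e.attribute == "email" and e.new_value == claim.contact_email:
            reasons.append(f"claim contact email was set {age} day(s) before the claim")
        elif e.attribute == "shipping_address" and e.new_value == claim.ship_to:
            reasons.append(f"ship-to address was set {age} day(s) before the claim")
        elif e.attribute in VALIDATION_ATTRIBUTES:
            reasons.append(f"{e.attribute} changed {age} day(s) before the claim")
    decision = "manual_review" if reasons else "auto_approve"
    return Assessment(decision, reasons, trusted)


# Constructed sample audit log and claims (not real accounts).
CHANGE_LOG = [
    ChangeEvent("A100", "email", "new.owner@example.net", datetime(2015, 12, 20)),
    ChangeEvent("A100", "shipping_address", "PO Box 999, Anytown", datetime(2015, 12, 20, 1)),
    ChangeEvent("A200", "phone", "+1-555-0100", datetime(2015, 3, 3)),
    ChangeEvent("A300", "phone", "+1-555-0199", datetime(2015, 12, 15)),
]
CLAIMS = [
    WarrantyClaim("C1", "A100", datetime(2015, 12, 22), "new.owner@example.net", "PO Box 999, Anytown"),
    WarrantyClaim("C2", "A200", datetime(2015, 12, 22), "user@example.org", "12 Main St, Hometown"),
    WarrantyClaim("C3", "A300", datetime(2015, 12, 22), "other@example.org", "7 Elm Rd, Hometown"),
]


def triage(claims=CLAIMS, log=CHANGE_LOG):
    """Assess every claim; returns {claim_id: Assessment}."""
    return {c.claim_id: assess_claim(c, log) for c in claims}


if __name__ == "__main__":
    for cid, a in triage().items():
        print(cid, a.decision, a.reasons, sorted(a.trusted_attributes))
```

Claim C1 arrives two days after both its contact email and its ship-to address were rewritten, so it is held and the only attribute left for validating the caller is the unchanged phone number; C2's account has had no changes in the window and clears; C3 is held because a validation attribute moved recently even though the claim itself does not use it. In a real deployment the change log would come from the account service's audit trail rather than an in-memory list, and the window would be tuned against observed fraud.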

  25. If anyone wants to register on leak here