Cybercrime takes many forms, but one of the more insidious and perhaps less obvious manifestations is warranty fraud. This scheme involves con artists who assume the identity of a consumer, complain that a given product has ceased to operate as expected, and demand that the retailer replace the article in question. Such claims turn into a loss for targeted merchants when the scammer hacks an unwitting customer’s account and replaces the customer’s email address with his own address and demands that the retailer ship him a brand new device.
Fitness tracking giant Fitbit recently found itself the target of such fraud in the last few months of 2015, when the company noticed large caches of data from customer accounts being posted to Pastebin. To the untrained eye, such data might seem at first glance to indicate that Fitbit had experienced a breach that exposed their user account data. Included in the data dumps posted to Pastebin were details about the make and model number of each user’s fitness tracker, as well as information about the last time the user had synced the device.
But a more nuanced look at the information posted to Pastebin and other public data dump sites indicates that Fitbit is just the latest victim of customer account takeovers powered by breaches at other e-commerce providers.
I reached out to Fitbit about this and the company’s security chief Marc Bown said the data appears to coming from a couple of sources: Customer computers that have been compromised by password-stealing malware, and customers who re-use the same credentials across a broad swath of sites online.
“They’re mainly interested in the premium devices,” Bown said, referring to the most expensive devices that Fitbit sells — such as the Surge, which retails for about $250. “Those are the ones that we’re seeing are most targeted for warranty fraud.”
Bown said the fraudsters will log in to the customer’s account and change the email address on the customer’s account. The scammers then call Fitbit’s customer service folks, claim that their device has stopped working, and demand a replacement.
“Basically, they start a support case with customer service, but before they do that, they change the email address on the account they hacked to an address that they control, and at that point they are the customer,” Bown said. “For a lot of customers, this ends up creating a pretty negative experience.”
Bown said after several weeks of battling warranty fraud, the company has more or less solved the problem by educating their customer service employees and assigning risk scores to all warranty replacement requests.
“Account takeover is a thing for all online organizations,” Bown said. “If we see an account that was used in a suspicious way, or a large number of login requests for accounts coming from a small group of Internet addresses, we’ll lock the account and have the customer reconfirm specific information.”
E-commerce companies can increase the level of security for user accounts by requiring two-step or two-factor authentication, which usually involves sending a one-time code to the user’s mobile device that needs to be inputted in addition to the customer’s username and password. Bown said Fitbit is considering adding this capability to user accounts.
“I’m not sure the type of user who is using the same password at every site is the great target for that,” Bown said. “But we should offer it, and it’s something we plan to offer in 2016 natively.”
Hope you and yours had some quite time and are good. Stay safe and have a safe and prosperous new Year 2016.
If a perp can login to the victim’s account and change the email address, why wouldn’t they also change the phone number?
That’s my question too. I don’t see how that makes it any more secure.
Changes shouldn’t be allowed to occur until after verification through the user’s current device.
With 2FA, the fraudster would be able to log into the customers account without the code that is sent to the phone.
*would not* be able to, not “would be able to”. Key word left out.
I don’t see this as an IT problem, this is a business process problem. Broken fitbit? No problem, here is a prepaid shipping label, please drop the device in the mail and we will get your new device back out to you in 2 days. Don’t send out the new device until you receive the old one. Problem solved. No need to make it an IT fix. Don’t get me wrong, 2FA is great but this is a business process problem.
Unfortunately, companies want to have happy customers, and they don’t want their customers to have to wait days between previous product and replacement.
There’s a risk they’ll give up and buy a competitor.
That’s why this proactive shipping system is used.
Fraudsters have taken advantage of their customer friendly policies. They quesiton really comes down to what losses are they willing to accept to trade for customer service.
I’d rather wait and be annoyed than have to have to overall cost to all of the consumers GO UP due to this reckless friendly policy!!
Plus Fitbit will give you a new device even if you just lose your existing one. They are awesome to work with and this is probably why they can get hit for fraud. I’ve had really good experiences with the customer service so I hope the changes do not affect the good service I had become used to.
To answer your question, usually with a 2 factor authentication you are required to authorize on login, so if they dont have access to the cellphone they cant login to change the details in the first place.
Also many 2FA setups require a follow up code for any major changes such as email address or 2fa registered device.
If you want to see it in action, setup a gmail account and enable it on your phone. Its pretty sweet!
I think I get it now, I may have lost context.
1. Setup two factor authentication.
2. The email and phone info cannot be changed without having the mobile for the authentication code.
I was asking in the context of an account with single factor authentication being compromised, and then the 2FA scenario.
My bad; thanks for the reality check!
However this approach won’t help with man-in-the-middle or other session hijacking attempts.
Just from the standpoint of FitBit, don’t they require the customer to return the old, non-functioning unit? I’m just not sure how big a problem this is for the vendor. Heck, I rarely can wrangle a replacement “widget” from a company when I’ve bought, paid and can produce a broken product with receipt, much less with nothing to show.
Fraudsters can demand a “hot swap” give a stolen credit card number as collateral, and make off with the merchandise.
This is the kind of news that makes be mad; because it is hard to find a good company that stands behind their product, and then this kind of dastardly thing happens!
Perhaps if a serial number were required to be called in from the phone number on file for the customer in question, this would help. I realize fraudsters can fake caller IDs, so some other factor would need to come into play to minimize that possibility. I really wonder how they could come up with questions only the actual customer could answer without becoming just another data point the criminals already have on file for just about everyone in the US already! Email and possibly SMS are already compromised. Perhaps an automated phone verification service?
The SN of the device is probably accessible once you get access to the customer account.
The way I see it, as told by other folks before: The customer must send the broken device first to receive a new one.
Brian, please fix this sentence! “Bown the fraudsters will log in to the customer’s account and change the email address and on the customer’s account.”
Every time I wanted a new product because of a problem the seller wanted me to send the old one back to them usually on my dime. If sellers did this whether they opened the box or not it would end this scam fast since the scammer doesn’t have the merchandise.
I was wondering why Fitbit doesn’t require the caller to return the “defective” product with proof of purchase prior to sending out a new unit. And I wonder if these Fitbits have serial numbers. Seems like that would reduce the fraud since the perp would not be able to return the “defective” device, especially with the registered serial number. And if it had been purchased in a brick and mortar store (no emailed receipt) that would also make it more difficult for the perp to meet proof of purchase requirements .
These skids really suck at opsec.
Just google those handles in the screenshots.
eg – Gerant007 – http://gerant-007.skyrock.com/profil/photos/1/122180634
And what makes you think it’s the same guy, aside from the nickname? Sure, there’s a couple of entries anyone can pull from Google on this nickname, but otherwise…
Maybe the guy really sucks at opsec, maybe he just borrowed the nickname.
At some point society is going to say ….”no more!” The issues discussed here in Brian’s most excellent website are less technical than they are social, political and technical. I personally believe that we should cut off the internet from North America until we figure out WTF is going on….
I once had a set of nice, fairly expensive earbuds develop a short in the main wire. I contacted the company and they sent me a brand new pair, no questions asked. Great customer service and PR. Needless to say, I was quite pleased, particularly since I didn’t have to bother to return the defective pair. I’ve since returned to the manufacturer to purchase numerous items. Their service went a long way to earn my loyalty.
Hey dcmargo. I wanted to ask you what company those earbuds were from? Thanks!
Hey dcmargo. I wanted to ask you what company those earbuds were from? Thanks!!!!
Typo in the caption under the first screenshot: ‘waranty’
American shops and firms seem insanely trusting compared to their European counterparts. Even if the company paid for delivery of the defective product back to them, it would be worthwhile to cut out fraud.
Modern technology appears to be more ramshackle and flawed with every day which passes. Brian catalogues episode after episode of incompetence which seems to pervade every operator of information technology, large or small. With all elements of systems inherently visually concealed and therefore inherently impossible for the lay people who ‘control’ organisations and businesses to verify for themselves, I lose hope of the situation ever improving.
We depend on vital yet fragile systems composed of many chain links which are vulnerable to intended and unintended disabling damage from unseen agents. The reliability of systems ultimately depend on difficult to verify diligence and trust-worthiness of countless individuals.
Dilbert and his pointy-haired boss are symbolic of the problem.
I like things like steam locomotives which display visual evidence of their vital workings. When you can see a leak or that something is missing or damaged or hear sounds or smell odours of distress, you can tell that something is wrong.
The whole thing seems pretty ridiculous to me.
With Account changes logging enabled the customer support representative should be able to see when the last details on the account were changed.
Verifiable via a memorable word / or any saved payment cards or identification with the purported warranty claimant.
This information will only be known to the actual original purchaser,
Why does something that makes so much sense,
Incorporated into the industry slower than a snail can move ?
Loss prevention / fraudulent returns have a dedicated part of the budget where beyond a certain point risk can outweigh profitbability thus putting the company at risk.
I understand that customer service and the image of the company is important but products cant just be freely replaced without auditing.
“With Account changes logging enabled the customer support representative should be able to see when the last details on the account were changed.”
That’s IF anything actually gets logged.
That’s IF those logs are not being edited/erased.
That’s IF the customer support representative has access or even cares enough to read these details.
These are computer files and database records.
“This information will only be known to the actual original purchaser,”
Then what good is it?
This information must have a match to something on file in the database to be worth anything at all. You can do A=B, B=C, C=D but there still must be something that matches. Those computer files can be access and manipulated and copied.
“Loss prevention / fraudulent returns have a dedicated part of the budget where beyond a certain point risk can outweigh profitbability thus putting the company at risk.”
If any of this actually meant anything to the people in charge then we would see so much lack-of-security issues going on. It’s obviously not a big enough problem to convince enough customers to NOT put more money into it (which is the only way these companies will even think about focusing on these problems).
“I understand that customer service and the image of the company is important but products cant just be freely replaced without auditing.”
Yeah right! Maybe that’s the way things were 30-40 years ago. Maybe!
If customer service were all that important to these companies, we wouldn’t have so much idiocy from them.
Ya know, most companies give away quite a bit of stuff all the time. Alot of stuff gets bought in bulk anyway and there is no desire or time to mess with auditing anything. How many millions of fitbit items have already been produced?
Maybe I am missing something here but.. Where is FitBit shipping these replacement items? Doesn’t the customers account have their home address?? When these bad guys hack the accounts are they changing the address information? Wouldn’t monitoring for activity involving address changes be fruitful for FitBit?
How about some simpel auditing thrown in for good measure with the other suggestions. Like, Umm, I dunno, tracking changes to accounts! Like, Umm , I dunno, EMAIL ADDRESSES for one.
Seriously Brian? There’s not enough real-live cyber incidents out there that you gotta report on small-time conmen making a play for cheap consumer electronics?
Very nice article Brian.
Here’s another angle on this. Over at Dell, either via insiders (support employees?) or stealing of their entire user / buyer database people are getting phone call’s from “Dell” with intimate details from Dell’s records (like the computer they have, the last issue they resolved with Dell on their computer etc.) and they offer to fix the problem the user has with their computer (that doesn’t exist) for a fee. With the added context of each user’s Dell support details this has the appearance of validity to fool alot of people.
Great topic, and I also wanted to say I enjoyed seeing you quoted in an “American Banker, Bank Technology” article this morning.
All they have to do is enable 2 step verification
Nitesh nailed it. Recently updated attributes of an account should not be considered for account validation. It’s a fairly simple measure that greatly reduces fraud. Fraudsters, also, typically create simple patterns that are easy to identify and alert on.
If anyone wants to register on leak here