The Fraud Supply Chain (kalzumeus.com)
231 points by loosescrews on Dec 4, 2021 | 68 comments



> So cashers [those who turn card numbers into cash] will do other things, both to achieve operational scale and to reduce their risk profile. One example is triangular e-commerce fraud, which (like much fraud) is so brilliant that if it weren’t absurdly evil you’d almost have to admire the folks who thought it up.

To paraphrase the steps involved, because the description doesn't quite make it clear how the casher gets paid without getting caught:

1. Casher sets up as merchant on e-commerce platform like Amazon.

2. Casher takes order from customer.

3. Customer pays with their own credit card.

4. Casher fulfills the customer order by ordering from another merchant (shipper), paying with the stolen card number. The casher creates a brand new account with the shipper just for this purpose. The casher gives the customer's contact information to the shipper.

5. Customer receives order from the shipper.

6. Shipper receives payment from stolen card.

7. Casher receives payment from customer card.

So the casher is paid by the customer, and the shipper is paid with the stolen card. To the shipper, it looks like the customer paid with a fake card. To the customer, it looks like the order was fulfilled as expected.

The shipper gets a chargeback from the card company. If it's not aware of the scam, it's likely to just accept and move on. But if the shipper gets a lot of these chargebacks and knows about the scheme, it can contact the customer (via the mailing address) to ask which e-commerce site the item was ordered from. This may or may not work because some customers will be reluctant to discuss that kind of thing over the phone. So the casher needs to spread the fraud around to lots of shippers and thereby make the investigation not worth the effort.
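The shipper-side view of the steps above, as an added example that is not from the article or this thread: it scores each order on the signals the scheme leaves behind (a brand-new account, a card whose holder is not the recipient, mismatched billing and shipping) and, once chargebacks arrive, measures how many of them fit that footprint and lists the recipients worth contacting by mail. The weights, the score-to-probability table, the margin rate and all sample orders are constructed assumptions, not any merchant's real rules.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Order:
    order_id: str
    account_id: str
    placed_at: datetime
    account_created_at: datetime
    cardholder_name: str   # name on the card that paid
    ship_to_name: str      # recipient the buyer gave us
    billing_zip: str
    shipping_zip: str
    amount: float


def order_signals(o: Order) -> dict:
    """Per-order risk signals (assumed heuristics, not any merchant's real rules)."""
    return {
        "new_account": o.placed_at - o.account_created_at < timedelta(days=1),
        "name_mismatch": o.cardholder_name.casefold() != o.ship_to_name.casefold(),
        "zip_mismatch": o.billing_zip != o.shipping_zip,
    }


WEIGHTS = {"new_account": 2, "name_mismatch": 1, "zip_mismatch": 1}
# Assumed calibration: probability that an order is fraudulent given its score.
P_FRAUD_BY_SCORE = {0: 0.005, 1: 0.02, 2: 0.10, 3: 0.30, 4: 0.60}


def risk_score(o: Order) -> int:
    return sum(WEIGHTS[k] for k, hit in order_signals(o).items() if hit)


def should_hold(o: Order, margin_rate: float = 0.15) -> bool:
    """Hold for review only when the expected fraud loss beats the margin lost by
    declining a legitimate sale; a gift from an old account scores 2 and still ships."""
    p = P_FRAUD_BY_SCORE[risk_score(o)]
    expected_loss = p * o.amount                        # goods gone, chargeback follows
    expected_margin = (1 - p) * margin_rate * o.amount  # forgone if we wrongly decline
    return expected_loss > expected_margin


def triangulation_indicator(orders, chargeback_ids):
    """Share of chargebacks that hit single-use, hours-old accounts shipping to
    someone other than the cardholder, plus those recipients (the people to ask
    which site they actually bought from)."""
    by_id = {o.order_id: o for o in orders}
    orders_per_account = Counter(o.account_id for o in orders)
    recipients = []
    for cid in chargeback_ids:
        o = by_id[cid]
        s = order_signals(o)
        if s["new_account"] and s["name_mismatch"] and orders_per_account[o.account_id] == 1:
            recipients.append(o.ship_to_name)
    share = len(recipients) / len(chargeback_ids) if chargeback_ids else 0.0
    return share, recipients


# Constructed sample data: two orders from an established account (one a gift),
# two from throwaway accounts paying with someone else's card.
T0 = datetime(2021, 12, 1, 9, 0)
SAMPLE_ORDERS = [
    Order("A1", "acc-ann", T0, T0 - timedelta(days=400), "Ann Lee", "Ann Lee", "60601", "60601", 120.0),
    Order("A2", "acc-ann", T0, T0 - timedelta(days=400), "Ann Lee", "Bo Lee", "60601", "43215", 80.0),
    Order("C1", "acc-x1", T0, T0 - timedelta(minutes=5), "Carl Ruiz", "Dee Park", "90210", "44101", 300.0),
    Order("C2", "acc-x2", T0, T0 - timedelta(minutes=3), "Eve Moss", "Fay Ng", "10001", "55401", 250.0),
]
SAMPLE_CHARGEBACKS = ["C1", "C2", "A2"]  # A2 is an ordinary dispute mixed in

if __name__ == "__main__":
    for o in SAMPLE_ORDERS:
        print(o.order_id, risk_score(o), "HOLD" if should_hold(o) else "ship")
    print(triangulation_indicator(SAMPLE_ORDERS, SAMPLE_CHARGEBACKS))
```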


A couple of years ago there was a talk at DEF CON by Nina Kollars where she described how, in her search for cheap Nespresso, she came across a large number of eBay merchants selling Nespresso at prices significantly below the market price. She ended up discovering that this was triangular fraud. For anyone interested in understanding how this works I highly recommend reading the article below.

https://mashable.com/article/nespresso-money-mules-ebay-cred...


There's apparently a similar type of fraud currently popular over here (in Poland). It works like this:

1. You order a product, preferably something expensive and easy to sell. You request delivery to a package locker and payment via standard bank transfer. The site you're ordering from gives you an account number to transfer to, as well as an ID to put in the reference field.

2. You list something at the same price on our local equivalent of Craigslist.

3. When you find a customer, you tell them that you only accept payment via standard bank transfer. You give them the account number and reference ID from step 1. You never ship the offered item.

4. The customer makes the transfer and the item ordered in step 1 is delivered to a locker of your choosing. You can retrieve it and sell it legitimately.

5. When the customer from Craigslist doesn't receive the item they paid for, they go to the police. However, there's nothing linking you to their transaction, the seller of the item in step 1 is the primary suspect, as they're the ones who took their money in the first place. Even if they discover that there was a third person involved, they're usually extremely hard to find, as the footage from any CCTV equipment near the locker will be long gone.


Once saw a spate of this, but using Bitcoin and websites like local Bitcoin.

Fraudsters would set up a Cash -> Bitcoin transaction on local Bitcoin. Scam someone else into fulfilling the payment, then run off with the Bitcoin.

Then the victim loses their money, and the Bitcoin seller is now in possession of effectively stolen funds. You don't want to be the seller in this equation because from the bank's perspective you look like the fraudster, and it's likely you'll have bank accounts closed.


So the shop receives an order from the scammer named Joe but gets a payment from a customer called Bob, wouldn't that raise a flag?


The shop doesn't receive anything except a confirmation that the payment went through.

Those traditional bank transfers are set up by a payment gateway (Przelewy24, DotPay, Payu), which is linked to the marketplace (eBay, Allegro), on which the seller actually operates.

The seller definitely doesn't get your payment info, not sure about the marketplace, but I don't think they do.

Besides, if you live in Poland and opt for payment via traditional, old-style bank transfer, you're probably a very unsophisticated customer. Most likely, you're completely unbanked and will hand over cash to a relative who will make the transfer for you. Most people who own a bank account and have enough tech skills to make a purchase over the internet will use a different payment method.


A naively operating shop will pay zero attention to whom the payment comes from as long as it has a reference ID and amount that matches a real order.

And such payments can also be entirely legitimate, e.g. when Joe is a kid who wants to buy a gaming console and Bob is their father who pays for it.


Well remembered! This was an excellent talk. https://www.youtube.com/watch?v=2IT2oAzTcvU


There is another "fraud" which is sometimes considered to be financial arbitrage where an Ebay or Amazon seller sells a product in a country or territory that was intended for sale in another country or territory. An example being electrical goods from Hong Kong being sold in the UK market.

Many electrical products come with a plug adaptor for the main three types of electrical sockets and range of voltages; obviously due to British ties there are English-language manuals, but many manuals in practice have a range of languages in the documentation, and for all intents and purposes the product will work perfectly fine if used in the UK, yet exchange rates & taxes (or lack of) mean it's cheaper to get the product from Hong Kong and then ship to the UK.

People in Hong Kong ship goods in bulk from Hong Kong so they are already in the UK, and then operatives in the UK set up an eBay account so even eBay or Amazon don't know.


That is simple geographic arbitrage; a common business model, not even "fraud". It may, at most, be a breach of some companies' T&Cs, but breaking T&Cs is not normally a crime.


Fulfilment of the warranty is the fraud when the vendor goes bust. Whilst a contract is with the vendor and not the manufacturer, when the vendor goes bust/closes/stops trading, the warranty obligations transfer back to the manufacturer. So it's a fraud because the manufacturer could refuse to meet any warranty obligations, especially if they can prove it was a product sold in an overseas market and not the local market. This does happen, but it's complex.


The vendor going bust isn't fraud. It's the vendor going bust.

If the vendor can't handle warranty obligations then (depending on your jurisdiction) they might be in trouble, but it still isn't fraud.

In the US, grey market goods are generally legal (under first-sale doctrine). In the UK they aren't (under R vs C and others).


>The vendor going bust isn't fraud. It's the vendor going bust

Whilst it's not fraud, the fact that anyone, including the former directors of a now-deceased company, can also appoint their own liquidators, and liquidators generally work for whoever is paying the bill, makes it all but fraud in name.


That may be so, but it's those actions that are the problem.


I actually think I just stumbled across some websites doing this, this week.

They were selling power smart generators for <$100 USD. Both listing an address in Canada, but having a PayPal address that seems to go to someone in China, and not properly set up so any purchase becomes “goods”.

I couldn’t figure out exactly what the scam was… but it’s suddenly making sense !


You could combat that, as an individual fraudster, by having many fraud seller sites that each sell very popular, commodity items. The problem there is that everyone else would be doing the same thing.

You could get to a point where there is enough fraud in the marketplace, you might have one fraud seller, buy from another fraud seller, human centipede style. It would be really interesting if it formed a closed loop. I’m sure it’s happened.

You could avoid that by making a network of fraudsters, who know about each other and can avoid each other. But then you’re only as strong as the weakest link. As soon as someone gets caught, the authorities have the full list of the network, and everyone gets taken down.


The fraudsters are probably better off just accepting this as part of the cost of doing business. If they coordinate, a whole ring could be discovered at once. If they just accept that they'll be ripped off at the same rate as legitimate merchants, they avoid that particular weakness. They should still make money, right? If enough fraud exists in the marketplace that the fraudsters don't make money, the legitimate businesses (with legitimate expenses!) should go under first, at which point the whole marketplace would fall apart.


I guess it would be more efficient for fraudsters to say - any organization I have dealings with that I do not know is not a fraudster like me if they show fraudster like behavior I will henceforth treat as fraudster - that is to say 1 bad fraudster behavior from you no more dealings.


A simpler way for the shipper to avoid the chargebacks or otherwise figure out what site the item was ordered from might be to include a card in the packaging asking the user to submit some survey that happens to ask what site the product was purchased from, in exchange for a discount/rebate. Maybe mention the official sales channels and say that if it was purchased from another channel, it might not be legit


I feel like 99% of the time I order from a big online store, I get an invoice in the box anyway (which just says paid via PayPal or paid via card 123).


Sure, but as a customer I trash that immediately. I don't double check that it's my card. I imagine that 1/100 times might be enough to catch the fraud, but even getting that many consumers to care would be an uphill battle without incentive.


>6. Shipper receives payment from stolen card.

Wasn't there something years back about merchants refusing to ship to addresses not associated with the payment method? Why would you ship something to the Midwest after being paid by a card registered to a CA resident?


You make a business decision on how likely it is to be legitimate and, based on the margin profile of the business, whether you want to prioritize for conversions or for not being defrauded. Avoiding $10k of legit sales to save $1k of fraud is very plausibly not a winning strategy.

People do subjectively weird things, all the time at Internet scales.

Here’s a very real example: Amazon account opened in 1996 from Illinois. Credit card billing address in Chicago. Has never purchased electronics or anything over $200. Almost dormant for several years. 2007 rolls around and the account is accessed from a novel IP address in Nagoya and buys a $2k laptop for a person with an unrelated name living in Ohio.

Place your bets: was this transaction fraud?

No, it was not. I bought that laptop, on behalf of a coworker, an Indian woman working with me in Nagoya who had no credit card and no U.S. banking relationship. She had a member of her extended family, living in the U.S., and wanted to buy them a laptop to celebrate their entrance into University. She gave me physical yen for the laptop.

Impressively, IMHO, Amazon let this transaction go through without stopping me, though I was on pins and needles (and told her as much). I assumed this would trip every possible flag, and (as a Japanese salaryman) $2k was a lot of money to both of us.


Anecdotally Amazon seems to be looser about accepting money than, say, eBay.

I've had multiple occasions where my Amazon purchases should have thrown red flags - mixed up Amazon accounts, wrong IP, wrong country, wrong name - and it still went through.


Anecdotally Apple in Europe was fine to send an iPhone to a person in a different country, obviously different name, while opting out of 3-D Secure.


Might have something to do with Amazon selling 3rd party inventory and pushing any losses onto actual sellers.


Billing and shipping in the US and matching all card details are sufficient for most filters. A chargeback would be won by Amazon.


-Gifts

-Students studying in a different city/state for college but keeping their parent's home for billing purposes

-Recent relocation

-Staying with friends/family for a few weeks around holidays

etc. Tons of valid reasons. Of course you reduce fraud as a merchant if you do that, but you also reduce your sales by quite a significant amount (and anger your customers); sometimes it's just not worth it.


Here I am staying at my grandparents' house for the weekend and I have decided to send something to them they will just love!

Oh, here I am, moved to Kansas into my new company-provided house as part of relocation, but there are still some things we need here, I can see that already; I will just pay for it with my CA card because I haven't got a new local one yet.

Obviously all these are edge cases, but probably so are all those problems with PayPal, Google, Amazon cancelling some customer's stuff that we all get upset about here. So cancelling something because it looks suspicious is pretty unfair to people who haven't done anything wrong.


Because... gifts?


Recently I’m seeing more ’billing address must match credit card address’.


Broadly, and with caveats, Amazon could somewhat trivially prevent much of this by requiring authorization from the customer who originally uses a shipping address, before allowing someone else to use it.


It seems even more trivial for the payment card network to require 2FA so that a card number alone is insufficient to authorize a transaction.

I know BestBuy.com is able to do SMS 2FA with my Bank of America Visa credit cards.


Well, sure, if you can render stolen cards useless, then a host of problems go away.

Maybe that will happen at scale if more card issuers decide the inconvenience/friction to legitimate card users makes it worthwhile per the level of fraud they're seeing.

But, the solution to the address problem here assumes the current state of things.

And, there are other issues involving addresses that strictly validating the credit card wouldn't solve (like unsolicited package and brushing scams), as well as things I'm sure we've yet to consider.

In general, it would probably be a good thing for people to have better control of who can send what to their address.


2FA (in particular, the 3DS protocol) actually has a significant conversion problem, so it's not free.


What happens if you move? Can the new occupant of your previous residence no longer use Amazon?


>What happens if you move?

Heh. I knew that'd be the first question.

Yeah, that's one of the caveats. The auth email or SMS to the previous owner would allow them to indicate they moved. That would probably handle most cases quickly. But, if no response in x time, it could default to allow and/or if the new owner wants to be proactive, they can send proof of residence. A little bit of a PITA, but doesn't add much to the PITA moving already is. And, moving is pretty infrequent.

There's also billing address validation, as that frequently matches shipping address anyway.

This kind of validation would also help with other scams.
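The address-authorization scheme sketched in this sub-thread, as an added example (not Amazon's code or anything from the article): the first account to ship to an address holds it, a second account's request notifies the holder once, the holder can release it ("I moved") or keep it, silence for a grace period defaults to allow, and proof of residence skips the wait. The seven-day grace period, the return values and the account names are assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

GRACE = timedelta(days=7)  # the comment's "x time"; value assumed


@dataclass
class Claim:
    holder: str
    pending: dict = field(default_factory=dict)  # requester -> time first asked
    denied: set = field(default_factory=set)     # holder answered "I still live here"


class AddressRegistry:
    def __init__(self):
        self.claims: dict[str, Claim] = {}
        # (holder, requester, address) that would go out by email or SMS
        self.notices: list[tuple[str, str, str]] = []

    def request(self, address: str, account: str, now: datetime,
                proof_of_residence: bool = False) -> str:
        """Ask to ship to `address`. Returns 'allowed', 'pending' or 'denied'."""
        claim = self.claims.get(address)
        if claim is None:                       # first use: this account holds it now
            self.claims[address] = Claim(account)
            return "allowed"
        if claim.holder == account:
            return "allowed"
        if proof_of_residence:                  # new occupant proves it: no waiting
            self._transfer(address, account)
            return "allowed"
        if account in claim.denied:
            return "denied"
        asked = claim.pending.get(account)
        if asked is None:                       # first request: notify the holder once
            claim.pending[account] = now
            self.notices.append((claim.holder, account, address))
            return "pending"
        if now - asked >= GRACE:                # holder never answered: default allow
            self._transfer(address, account)
            return "allowed"
        return "pending"

    def holder_response(self, address: str, holder: str, moved: bool) -> str:
        """The holder answers the notice. 'moved' releases the address to the
        earliest requester (or leaves it unclaimed); otherwise all pending
        requesters are denied."""
        claim = self.claims[address]
        if claim.holder != holder:
            raise PermissionError("only the current holder can answer")
        if moved:
            if claim.pending:
                first = min(claim.pending, key=claim.pending.get)
                self._transfer(address, first)
            else:
                del self.claims[address]
            return "released"
        claim.denied.update(claim.pending)
        claim.pending.clear()
        return "kept"

    def _transfer(self, address: str, account: str) -> None:
        self.claims[address] = Claim(account)   # old pending/denied state is dropped
```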


When ordering online, I, not from Amazon as I don't use it, quite regularly get a 60 second timeout requesting a payment be confirmed in my bank's app.

VisionPlus or one of the many other systems that may be employed in the chain of payment are configurable for many many such triggers or rules, change of address IIRC is a pretty basic one.


Furthermore, the ecommerce platform in step 1, which may or may not be the same platform as the one in step 4, would likely do nothing to combat the fraud, as doing so could lower the GMV.


I'm not super familiar with chargebacks but how would a shipper just blindly accept it? They're out of money and they have the details of the person who supposedly placed the order.


Isn't it a simple matter of cost/benefit? If you're out of 300 bucks, and you estimate there will be a X% chance of getting that back investing Y hours at Z salary, you have a rather simple equation.


This problem is solved in countries where bank transfer based online payments are popular. With such payments customers authorize a single money transfer to the seller for an exact sum of the transaction, instead of trusting the seller with a credit card data that can be then used to make any transactions.


These supply chains have existed since the early 90s, and it's kind of amazing that the only change since then is that carding now requires marginally sophisticated hacking. Up until the mid-2000s, the primary carding method was Google. There were many early shopping cart systems that stored card and customer information as plain text, and those text files were publicly accessible by default. It was so easy to google for credit cards, that you could actually find cards for a specific person if you wanted.


Most big tech is driven by the fraud of showing ads to those who are already going to buy the thing being advertised and charging a premium for it. Everybody knows about it but they continue engaging in it and devising innovative ways to violate people's privacy and erode freedoms in the name of such fraud!!


My current favorite is placing the "Next video" button next to the pause/play button so you accidentally click it and watch another ad. Or god forbid have a moment to think about what you're watching.

Previously they had another good scam going where some kind of "glitch" in Android Google Maps would end up with the company phone number being clicked and ready to call. Did you know that a billion people found your business on Google Maps? Buy our ad vouchers now.


Darknet Diaries episode "85. Cam the carder" had an interesting perspective on how things look from the other end, enjoyed it.

https://darknetdiaries.com/episode/85/


This reminds me of a very entertaining book - Kingpin by Kevin Poulsen. It vividly described aspects of that world, albeit from 10-15+ years ago and through the lens of a smaller more specific variety of real life characters.

The level of specialization only seems to have risen since. When you have that, you get so many aspects that just look like legitimate office or tech work. Amazing considering that all those layers of abstraction must make it difficult to even comprehend. There must be smart people out there who really get it though, and they must occupy particularly safe niches in that ecosystem.


This was eye opening. Thanks.


So there's an ecosystem of crime just like the legit world? Does everyone work full time? I'd have thought many people would be part time. How big is the risk premium? Say you are a dev and you could do ordinary dev stuff for $200k, what can you get in this crime world and what would they pay you?



This post ignores the fact that most credit cards, at least for EU payments, have mandatory two-factor authentication. It effectively kills the whole cardster business. It's only the US payment processors that keep ignoring two-factor authentication for online payments.


No it doesn’t. 2FA authentication is not mandatory for online transactions in the EU. That element of PSD2 has been delayed significantly, only in person transactions have that protection. Unfortunately in person transactions are the least risky from a fraud perspective because they don’t scale well.


PSD2 is fully enforced for banks in the EU/EEA, and not yet enforced for UK banks. But many transactions are exempted from 2FA authentication, if either the acquirer or issuer perceive the transaction as low risk. And transactions with only one leg in Europe have no regulatory requirement. So fraud is very much alive in Europe.


In my experience most banks do enable it. And if you use your card at a merchant you haven't used before it's almost always 2FA time.

I have no idea how effective this has been, but at least here [Hungary] banks went all in basically.


Made me buy the book so a triangular economy outcome of the good kind.


Stolen credit cards are not the goldmine that the author assumes they are. The big money nowadays is in crypto fraud (YouTube scam videos, hacks, fake customer service, etc.).


Payments fraud is, and I mean this literally, not on the scale of a gold mine. It is on the scale of gold mining, as an industry.

"That sounds like a very hand-wavy claim, Patrick."

U.S. gold mine production in 2020: ~200 metric tons, which is about 6.4M troy ounces. $1.8k an ounce currently. That's +/- $11B.

Payment fraud worldwide is +/- $25B and the US has the plurality of it.


94% of gold mining is outside the US (because mining is hard, dangerous work, because it's often environmentally devastating, and because the US industrialized early and so has depleted its natural resources), so US gold mine production is not very relevant. Worldwide gold mining is about 3200 tonnes per year, so about US$190 billion. I guess you could say that US$25B is on the scale of US$190B, since it's smaller by less than an order of magnitude?

But the person you were replying to wasn't saying that payments fraud wasn't huge. They were saying that the bulk of payments fraud was no longer stolen credit cards, because now payments fraud happens mostly with cryptocurrencies. I have no idea if their point is correct, but I think you weren't really addressing it.


But as with much crime, the payoff might not be as high as the damage.


Great post! As always. You mention that there aren’t many good books about this topic. You should fix that! ;)


If only there were a publishing house that cared an irrational amount about financial infrastructure, but where would one ever find that?

(No seriously speaking, would love to write a book someday, but not sure it would be this book, and between the day job and two young children I don't have a book in me at the moment unless I can clean the calendar for many months in a row and that doesn't seem rational given other uses of my calendar.)


For those not in the know, I think "where would one ever find that" is a joke about https://press.stripe.com/


Patrick, if you ever want to scheme on that one, let me know. I know a bit about the fraud, identity, and overall security side of things. ;)


> and the US has the plurality of it.

What does this mean? Are we breaking payments fraud down by countries? Continents? Currencies? Those can all have different "pluralities". There is no lower limit on what "the plurality of $25B" is.


There is no way to conveniently do "select sum(payment_amount) where country = 'US' AND was_fraudy from the_global_economy", but it's broadly estimated at +/- $10B, which is why I said it was on the scale of the gold mining industry, which I quoted. You're welcome to Google various estimates, though they'll end up all over the map in the low 10 digits region.


The US usually gets attributed something like 40-60% of the value of global capital markets, so it seems to me a reasonable default assumption that it has a similar ratio of payments fraud, or illegal drugs, or whatever economic sector you might choose. Very likely a plurality, very possibly not a majority.


The author is literally writing about his lived experiences; he's not assuming anything, just describing what he's seen.

Having worked in a similar role, I can tell you he’s spot on. Payment fraud is huge and pervasive, especially in the US where the industry has found a way of shifting most of the cost on to consumers.


Just irks me, this improper use of the term supply chain. To supply theft? It's like writing from legal bizarro world.



