Detective work and social engineering

Katamarino

Katamarino

Pattern Altitude
Joined
Dec 14, 2011
Messages
1,961
Location
Kent, UK
Display Name
Display name:
Katamarino
Bit of a fancy title really, but this morning I woke up to a $250 charge on my credit card from an online retailer that I hadn't authorised. I reported it to the card company, but was then curious to find out more.

I know that a vendor will not give out any personal information about orders to the card holder, for some reason protecting the privacy of the criminal is very important to them. So I came up with a story about my fictional young (4 year old) relative placing the order and managed to get the following info:

Name (but not exact spelling)
State of residence
e-mail service provider (but not exact email)

I also of course know the transaction amount, date, and billing details.

Any ideas about how to get more info? Ultimately I want an address. I was thinking of calling back the vendor with the extra info I have now, to try and get the phone number from the order, then call the number and say I'm from the vendor and need them to confirm the shipping address, but I'll need a solid story that would make the vendor feel like it makes sense to read out the number to me..
 
Ross I would be worried how they got your credit card info and ask that the account is closed and a new account set up. I would use a teenager rather than a 4 year old...:rolleyes:
 
All too often BofA notifies me that my card (among many others) has been compromised and they are sending another, with a different account number. Bery inconvenient for me when the card is known by a number of vendors, including those which have automatic sending of "stuff". Personally, I'm in favor of capital punishment for these thieves.
 
I think sometimes the way this scam works is that the thief sends the package to an unsuspecting third party then either steals it or comes up with some other way of intercepting it. So I wouldn’t be so quick to harass the addressee, because they might not be in on it.
 
Life is too short. Get whole and move on. You don’t want to associate with any of these people.Their lives are usually filled with tragic drama. Just be contented with the knowledge that the wheel of karma always turns. It is inescapable.
 
how do u know there's a phone # for the transaction? I guess u could call 'em up and say you got a new phone and wanted to check the last # they have on file for you, but I don't know why they'd have given a phone # with their purchase.
 
A lot of online retailers provide a link to the shipper's tracking number. You can literally see where the fraudulent purchases are going to be delivered to.
 
No plans to harass the addressee unless their response to my call is "Oh yes, we made that order". I know there's a phone number associated with it as the phone agent said so, but not what it was.

Not like I have much else to do while in lockdown!
 
I’d be afraid of calling whoever ordered it from your own phone, because now the scammer has a real phone number to associate with your account.
 
Dave Theisen said:
I’d be afraid of calling whoever ordered it from your own phone, because now the scammer has a real phone number to associate with your account.
Click to expand...

I filed a report with the with the sherrif's department for the county that address is in. They actually handed me off to a detective who specializes in computer crimes and ID theft. I never heard anything back. But, it gave me a little satisfaction. I also submitted an online tip to the FBI. Again, probably didn't amount to much. But, it made me feel better.

The credit card company ended up refunding all the disputed charges. Its all good, and I hope the thieves got their just reward.
 
Katamarino said:
Card has already been cancelled and new one on the way! Now I just want to mess with the thieves.
Click to expand...

Arrange to cut off their oil supply. A man in your position should be able to do that. :D
That'll teach 'em.
 
wilkersk said:
I filed a report with the with the sherrif's department for the county that address is in. They actually handed me off to a detective who specializes in computer crimes and ID theft. I never heard anything back. But, it gave me a little satisfaction. I also submitted an online tip to the FBI. Again, probably didn't amount to much. But, it made me feel better.

The credit card company ended up refunding all the disputed charges. Its all good, and I hope the thieves got their just reward.
Click to expand...
Unless the order was cancelled, they likely did indeed get their 'just' reward.
 
Ghery said:
All too often BofA notifies me that my card (among many others) has been compromised and they are sending another, with a different account number. Bery inconvenient for me when the card is known by a number of vendors, including those which have automatic sending of "stuff". Personally, I'm in favor of capital punishment for these thieves.
Click to expand...

I think I see what you did there....
 
You also don’t want to know the lack of security procedure INSIDE banks.

Remember PCI is only for their vendors. The banks do not meet their own published security standards for credit card handling.

I was able to prove once that a security breach that caused multiple cards, different numbers, to be run at the same vendor, wasn’t possible without a breach inside Barclays.

Their security dept suddenly wanted no more communication on the matter.

Have heard other “fun” stories over dinners from IT colleagues working for banking institutions.

It’s pretty much a fully compromised system with a lot of security theater surrounding it.
 
Here's a thought, tell the vendor that due to COVID 19 you have to quarantine and you are not sure which house to do it and want to know where the package is going so you can be there to pick it up.
 
I certainly wouldn't be contacting them from my own number - although if they've used my card, they probably already know my billing address!

I cancelled the order with the vendor on my first call just hours after it was placed, so they'll get nothing from this.
 
Well, I think I've had about as much fun as I can with this. I called the online retailer again with what must have been a believable story, as they gave me the phone number and the address for the order. I spoke to the person who ordered, pretending to be from the retailer, and they claimed that even though it was their name/address/phone number, they hadn't placed any order.

They could well have smelled a rat and be lying as they knew it was being checked, or they could be innocent and somebody else used their name/address/phone number (although that would be odd).

The only thing I haven't yet checked is what their email is; if the email confirmation went to them, then they're lying when they say they know nothing about it. I guess I'll see how bored I am tomorrow.
 
Katamarino said:
I called the online retailer again with what must have been a believable story, as they gave me the phone number and the address for the order. I spoke to the person who ordered, pretending to be from the retailer, and they claimed that even though it was their name/address/phone number, they hadn't placed any order
Click to expand...

Last year I was paying the credit card bill and there was a pending charge to a place in NYC for a Mac Laptop. Called Chase and they said thanks and we'll see what happens when it goes from pending to paid. They gave me the vendor's name. Called them and they had already shipped a new Mac Powerbook to me and sure enough here was tracking info to the house. All the info they had was right but I have two perfectly good Mac laptops and they said it was the first order I had ever placed with them. Called them back, they gave me a return # and FedEx picked it up and sent it back and they credited me. Odd stuff.
 
Normally thieves like this would ship stuff to public addresses or try to hunt the package so that it is untraceable for when they try to resell what they bought
 
Katamarino said:
Not like I have much else to do while in lockdown!
Click to expand...

انت بالبصرة؟ ما هي وظيفتك هناك؟


(زرت الشرق الأوسط وأفريقيا مع الجيش)

-إسحاق
 
Last edited:
denverpilot said:
You also don’t want to know the lack of security procedure INSIDE banks.

Remember PCI is only for their vendors. The banks do not meet their own published security standards for credit card handling.

I was able to prove once that a security breach that caused multiple cards, different numbers, to be run at the same vendor, wasn’t possible without a breach inside Barclays.

Their security dept suddenly wanted no more communication on the matter.

Have heard other “fun” stories over dinners from IT colleagues working for banking institutions.

It’s pretty much a fully compromised system with a lot of security theater surrounding it.
Click to expand...

I had to cancel a card because it was used by someone in another state. The new card they sent me, it was used before it ever arrived at my mailbox. I hadn't even activated it. Tell me how that happens without a security breach in the bank?

They didn't want to discuss it with me either.
 
I agree large parts of PCI are security theatre.
The majority of major controls in PCI can be directly traced to well publicized incidents.
However, it is not perfect.
Further banks are required to comply. The problem is PCI still has holes. A fair number of them. More on the internal control side.

Tim

Sent from my HD1907 using Tapatalk
 
tspear said:
I agree large parts of PCI are security theatre.
The majority of major controls in PCI can be directly traced to well publicized incidents.
However, it is not perfect.
Further banks are required to comply. The problem is PCI still has holes. A fair number of them. More on the internal control side.

Tim

Sent from my HD1907 using Tapatalk
Click to expand...

No argument on the controls but who required them to comply with PCI? If they do it, it’s voluntary, last time I read the spec. Not regulatory.
 
denverpilot said:
No argument on the controls but who required them to comply with PCI? If they do it, it’s voluntary, last time I read the spec. Not regulatory.
Click to expand...

Contractual. Visa, MC, Discover, AmEx, JCB.... the card networks will yank bank access if they fail PCI; or make them switch to a corespondent banking situation. The reason the contracts have teeth (in theory) is to prevent regulation.
PCI DSS was in direct response to the Feds establishing a committee to write security liability requirements if the card networks did not clean up their act.

Tim
 
Pugs said:
Last year I was paying the credit card bill and there was a pending charge to a place in NYC for a Mac Laptop. Called Chase and they said thanks and we'll see what happens when it goes from pending to paid. They gave me the vendor's name. Called them and they had already shipped a new Mac Powerbook to me and sure enough here was tracking info to the house. All the info they had was right but I have two perfectly good Mac laptops and they said it was the first order I had ever placed with them. Called them back, they gave me a return # and FedEx picked it up and sent it back and they credited me. Odd stuff.
Click to expand...

Somewhat recent trend for some of these folks is to place the order to the address on record with expedited shipping and stakeout the address on delivery day hoping to intercept the package before you even know the order was placed.
 
tspear said:
Contractual. Visa, MC, Discover, AmEx, JCB.... the card networks will yank bank access if they fail PCI; or make them switch to a corespondent banking situation. The reason the contracts have teeth (in theory) is to prevent regulation.
PCI DSS was in direct response to the Feds establishing a committee to write security liability requirements if the card networks did not clean up their act.

Tim
Click to expand...

Ah I see the disconnect here. I’m referring to the card companies themselves. They don’t meet it.

But you did hit on where I was going. They created a standard and don’t have to meet it themselves to avoid a real standard and legislation/oversight.
 
You must log in or register to reply here.
Back
Top