Fraudulent online transactions
  • JMW wrote:
    I handed over almost £15k of my work's money to a scammer last month, on the basis of some chatty and very authentic-seeming emails with what I thought was a Partner (email address set up in his name). We only didn't lose it (because the authorisation came from me, with my correct access) because HSBC, thank god and I'll love them forever, flagged it as suspicious and handed it back when we called. Looking back I cannot believe how easily it happened, I put it down to extreme tiredness.

    Having worked in IT over the last few years, the 'spoofed address' stuff at work is a nightmare. I don't blame people for falling for it, those guys are getting fucking good. We still get emails looking like they are from the CEO to specific people in finance. They even use his current signature.

    I've had a few cases of minor fraud immediately refunded, and one for car insurance (I don't own a car) which I spotted a day later. Most recently my PSN got hacked, but I put 2 step verification on anything I can these days. That helps.
  • JMW wrote:
    I handed over almost £15k of my work's money to a scammer last month, on the basis of some chatty and very authentic-seeming emails with what I thought was a Partner (email address set up in his name). We only didn't lose it (because the authorisation came from me, with my correct access) because HSBC, thank god and I'll love them forever, flagged it as suspicious and handed it back when we called. Looking back I cannot believe how easily it happened, I put it down to extreme tiredness.

    Having worked in IT over the last few years, the 'spoofed address' stuff at work is a nightmare. I don't blame people for falling for it, those guys are getting fucking good. We still get emails looking like they are from the CEO to specific people in finance. They even use his current signature. I've had a few cases of minor fraud immediately refunded, and one for car insurance (I don't own a car) which I spotted a day later. Most recently my PSN got hacked, but I put 2 step verification on anything I can these days. That helps.

    I work in IT and we had a similar one for nearly £20k to our finance director. The first time it was a gmail address that appeared to be our MD, and the second attempt was when they had registered a domain name very bloody similar to our company name and I only spotted it after close inspection. It was only 1 extra character in the address that was almost invisible as it was an l after the letter d so was practically hidden. Sneaky bastardls.
    PSN: LtPidgeon - Live: Lt Pidgeon
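
The two lures described in the posts above (an executive's name on a free-mail address, and a registered domain one character off the real one) can be checked for mechanically on inbound mail. This is an added example, not part of any post in the thread; `OUR_DOMAIN`, `EXECUTIVES`, the function names and the sample headers are all constructed placeholders.

```python
# Added example: flag inbound mail whose sender resembles, but is not, our own.
# OUR_DOMAIN, EXECUTIVES and SAMPLES are constructed placeholders.
from email.utils import parseaddr

OUR_DOMAIN = "widgetco.example"
EXECUTIVES = {"jane smith"}  # display names that should only arrive from OUR_DOMAIN


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Return 'internal', 'lookalike-domain', 'display-name-spoof' or 'external'."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain == OUR_DOMAIN:
        return "internal"
    # One or two edits away from our domain: the "one extra character" case.
    if 0 < edit_distance(domain, OUR_DOMAIN) <= 2:
        return "lookalike-domain"
    # An executive's name on an outside address: the free-mail "MD" case.
    if name.strip().lower() in EXECUTIVES:
        return "display-name-spoof"
    return "external"


SAMPLES = [  # constructed From: headers
    "Jane Smith <jane.smith@widgetco.example>",
    "Jane Smith <jane.smith@widlgetco.example>",  # extra 'l' after the 'd'
    "Jane Smith <jane.smith.md@freemail.example>",
    "Supplier Accounts <accounts@supplier.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header):20} {header}")
```

An "internal" result only means the From header names the real domain; whether the message genuinely came from it is a separate question answered by SPF, DKIM and DMARC checks.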
  • Jeeeesus. Well done for spotting that one!
  • Jeeeesus. Well done for spotting that one!

    I initially thought our mail server had been compromised until I saw it.
    PSN: LtPidgeon - Live: Lt Pidgeon
  • I have a set of those knives (Furi btw). Very good they are too.
  • @theDJR

    Does Virginia count?

    It fucking should.

  • I had a card scraped from using the pay at pump option at a nearby Shell station years ago. I initially noticed a couple of dodgy mobile credit purchases on my account and called the Halifax. After a quick look on the web I was amazed to find these pumps were using unprotected WiFi to the terminal in the station, so Johnny Twatbags could happily sit round the corner and scrape details to his heart's content. Halifax covered my small loss and the Shell station eventually dumped the pay at pump. Don't ever use this option now, I would hope those that operate the WiFi protect it.
    GT: WEBBIN5 - A life in formats: Sinclair ZX81>Amstrad CPC 6128>Amiga 500>Sega Megadrive>PC>PlayStation 2>Xbox>DS Lite>Xbox 360>Xbox One>Xbox One X>Xbox Series X>Oculus Quest 2
  • Kow wrote:
    If you have the address, then surely something can be done?

    Just wanted to comment on this, because of an enquiry I had.

    I took a report from a company regarding fraudulent use of a credit card. A former employee's company credit card had been used to buy jewellery from a large jeweller's online store. The company had never cancelled the card, and noticed when all of a sudden the normally empty statement had a couple of items on it.

    Now, they had been reimbursed by their bank so normally, at that point, I would have to explain to the company that, as they are not out of pocket, they are not the complainer, and we won't do any enquiry unless the bank makes complaint (and if it's under £10k, the banks don't make complaint). However, given that it was important for them to know if their former employee, or any of their current employees who could have gained access to the card, were suspects, I made enquiry.

    From the jewellers, I was able to get the delivery address for the goods. That address was in London. They were also able to furnish me with a number of failed transactions (attempted frauds) and, to make things better, a number of both successful and failed transactions for the same delivery address on a number of other cards. Somebody had themselves a nice fraudulent scheme going.

    At that point, the locus of the crime is where the goods are headed, so I had to transfer the enquiry to the Metropolitan Police. They told me that they would only take on online credit card frauds where the bank in question handed them a package. (Basically, banks' fraud departments put together all the documentary evidence with all the required details, to save back and fore requests and warrants and so on.) None of the banks were making complaint, because no individual card had more than £10k of fraudulent transactions, and there are so many going on all the time, nobody there was joining the dots on these ones.

    Now, if you can be arsed, you can ask banks to put together a package regardless. I've done it before when you know who the suspect is, and just need the evidence from the bank to charge them. The thing was, the banks said that it would need to be the Met requesting the package, and the Met were being pricks about it. I sent them all of the details, but as far as I know they did fuck all with it.

    Frustrating.
  • Online fraud is a pain, like others have said there is stuff you can do to try to keep yourself safe.

    1. Always check the URL of an email you think is suspicious and the reply email address.
    2. Use two factor authentication on your email accounts. Gmail will alert you with a text if your email account has been accessed by an unfamiliar device.
    3. LastPass is a good idea if you can't remember all your passwords. Passwords should be complex, phrases with special characters, numbers and capitals that make no sense to anyone else are best. If you've ever seen a brute force attack or rainbow table attack you'll know just how easy it is to break passwords. Also never store your online banking passwords anywhere but your head. And never use your banking password anywhere else.
    4. If you use Firefox or Chrome, use an addon called HTTPS Everywhere, it forces your connection to a website to connect over HTTPS rather than HTTP (more secure).
    5. If you use public WiFi, use a VPN (they aren't expensive) and man in the middle attacks happen a lot over public WiFi as it's so insecure, especially if you do Internet banking.
    6. Don't do internet banking on your phone.
    7. An obvious one: use different passwords for different sites.
    8. Don't tick remember my credit card details on websites. Maybe a pain in the arse, but if your login details for a said site are compromised then at least they can't make purchases on your card.
    9. Your digital identity is massively important, be sensible on the internet and remember there is no such thing as privacy on the Internet.
    10. Check the padlock on websites if you're gonna buy something off it.
    11. Don't open email attachments; if you're unsure, download and scan with a virus checker.
  • I've just received an email from PayPal saying that they have found in my favour, thank god. If only they were a bit easier to deal with rather than only a web form to complete. At least I actually got to speak to someone from eBay about what went on.

    It's a pisser that I've had to change all my passwords though just because of some prick. I'm convinced it was an inside job rather than a password breach.
    PSN: LtPidgeon - Live: Lt Pidgeon
  • Andy wrote:
    Kow wrote:
    If you have the address, then surely something can be done?

    Just wanted to comment on this, because of an enquiry I had.

    I took a report from a company regarding fraudulent use of a credit card. A former employee's company credit card had been used to buy jewellery from a large jeweller's online store. The company had never cancelled the card, and noticed when all of a sudden the normally empty statement had a couple of items on it.

    Now, they had been reimbursed by their bank so normally, at that point, I would have to explain to the company that, as they are not out of pocket, they are not the complainer, and we won't do any enquiry unless the bank makes complaint (and if it's under £10k, the banks don't make complaint). However, given that it was important for them to know if their former employee, or any of their current employees who could have gained access to the card, were suspects, I made enquiry.

    From the jewellers, I was able to get the delivery address for the goods. That address was in London. They were also able to furnish me with a number of failed transactions (attempted frauds) and, to make things better, a number of both successful and failed transactions for the same delivery address on a number of other cards. Somebody had themselves a nice fraudulent scheme going.

    At that point, the locus of the crime is where the goods are headed, so I had to transfer the enquiry to the Metropolitan Police. They told me that they would only take on online credit card frauds where the bank in question handed them a package. (Basically, banks' fraud departments put together all the documentary evidence with all the required details, to save back and fore requests and warrants and so on.) None of the banks were making complaint, because no individual card had more than £10k of fraudulent transactions, and there are so many going on all the time, nobody there was joining the dots on these ones.

    Now, if you can be arsed, you can ask banks to put together a package regardless. I've done it before when you know who the suspect is, and just need the evidence from the bank to charge them. The thing was, the banks said that it would need to be the Met requesting the package, and the Met were being pricks about it. I sent them all of the details, but as far as I know they did fuck all with it.

    Frustrating.

    Too busy shooting Brazilians in the head
  • Webbins wrote:
    I had a card scraped from using the pay at pump option at a nearby Shell station years ago. I initially noticed a couple of dodgy mobile credit purchases on my account and called the Halifax. After a quick look on the web I was amazed to find these pumps were using unprotected WiFi to the terminal in the station, so Johnny Twatbags could happily sit round the corner and scrape details to his heart's content. Halifax covered my small loss and the Shell station eventually dumped the pay at pump. Don't ever use this option now, I would hope those that operate the WiFi protect it.

    This is a terrifying one. I’m seeing more and more supermarket petrol stations that are pay-at-pump only. Gonna avoid those from now on.

    Makes me think … I reckon more than 90% of the card terminals I use in pubs, restaurants, and small shops are wireless. No way all those small businesses are up on their Wi-Fi security. Presumably (hopefully) the terminal suppliers have some sort of obligation to ensure secure networks are used …
  • There is an industry standard for debit and credit card data security called PCI DSS (fascinating read). This includes data encryption and transmission standards.

    All wireless card machines and apps etc must be compliant to be available to the market these days, but it doesn't stop old systems being used. There is a massive list and database of compliant systems on the PCI security council's website (approved PTS devices).

    So basically, even if the network on which the devices sit is insecure, your data is encrypted and secure. If the card machines are up to date.
  • I'm a big hit at dinner parties and after dinner speaking engagements.....
  • GOOD INTEL.

    So what’s the deal with the petrol pumps then? Think they’re just running outdated systems?
  • Can PayPal beeee any more shit? For some reason they have refunded me £13 and now the £260 has actually come out of my bank account. Would the fact that I removed my card from my account have anything to do with why the money hasn't gone back into my account?
    PSN: LtPidgeon - Live: Lt Pidgeon
  • cockbeard
    Probably, they won't know where to send it, they'd attempt to do a refund to card
    "I spent years thinking Yorke was legit Downs-ish disabled and could only achieve lucidity through song" - Mr B
  • poprock wrote:
    GOOD INTEL.

    So what’s the deal with the petrol pumps then? Think they’re just running outdated systems?

    Sounds like it. You can get in quite a decent amount of trouble though if you are found to be running a vulnerable system (environment) that is allowing fraud to take place. Firstly you may be audited by the trade body's forensic investigators (who will charge you for the privilege of telling you how bad you are), then they may well fine you. Not insignificant sums.

    Plus these stories get out, once a garage has been outed as dodgy, the custom drops off quite significantly.

  • Aye, my fraud was many years ago now, when pay at pump was in its infancy.  You would hope retailers encrypt them now but how do you know?  It was telling that Shell ditched them and they've not reappeared.
    GT: WEBBIN5 - A life in formats: Sinclair ZX81>Amstrad CPC 6128>Amiga 500>Sega Megadrive>PC>PlayStation 2>Xbox>DS Lite>Xbox 360>Xbox One>Xbox One X>Xbox Series X>Oculus Quest 2
  • Petrol stations are shady as fuck though. Most people I know who have had their details skimmed have had it done at a petrol station or petrol station cash point.
  • I remember during a quick course on fake card spotting the guy mentioning a gang buying a petrol station store with just the sole purpose of skimming cards all day long. Sounds mental, not sure if it was real or not.
  • A wee update - funds now in my account after I added my bank card again or else the bank reversed the transaction. Thank fuck.

    PayPal are shocking to deal with in this kind of instance. Are there any similar services as I think I will be closing my account with them.
    PSN: LtPidgeon - Live: Lt Pidgeon
  • Yossarian
    There may be similar services, but I'm not aware of any. They certainly won't be as widely accepted as PayPal.
  • For what exactly?

    If you want to maintain separation between your current or savings accounts and eBay or the internet in general, there's nothing to stop you opening another current account, then transferring cash in and out and using the associated debit card to pay for things. With the advent of faster payments, where cash moves between providers almost immediately, this isn't a bad option these days, less risky but is obviously less convenient than PayPal. I have a spare current account that I use in this way, but also link to my PayPal account for convenience.

    PayPal have to adhere to the same financial regs and standards of service etc as the banks, but provide this service in a different way to make their operating model as profitable as possible (hence all the web forms, etc). I've never explained unfair service from them in the past, but in comparison to a bank they aren't the easiest to speak to directly or transparent.
