Hack Attack

Imagine a plain brown box showing up at your front door with no indication of who or where it came from. The box is topped by a small white envelope with a card inside. In elegant script the card reads: Scan the QR code to see who sent you this gift! So you scan it. Congratulations – you’ve just given scammers access to everything on your smartphone.

I wish this story were a work of fiction, but someday soon it could be coming to a doorstep near you. The gift box scam worked on my son’s friend and frankly I can’t say that it wouldn’t have worked on me. If someone sent you a gift and they wanted it to be a surprise, would the situation look much different than what I just described? Would you scan the QR code?

Do not scan!

I can’t explain how the simple scan of a QR code translates to the hack of a smartphone, but technology far outpaces my understanding of its capabilities these days. My first reaction to this story was to check my phone apps to make sure any “data-sensitive” ones were password-protected. My next reaction was to wonder if I could ever trust a QR code again.

Here’s a second bit on hacking, also passed along by my son. He said scammers now prey on public parking lots. Many of these lots use pay-by-app technology and the app can be downloaded onsite by scanning a QR code. Scammers simply place their own sticker over the one you’re supposed to scan and presto! – you’ve unknowingly given some level of data access to thieves. It reminds me of gas station scams where the pump credit card reader is retrofitted with a device capable of collecting your card’s data.

By comparison email and text scams now seem pedestrian, but boy-howdy they keep trying don’t they?  I got one just last week claiming I have a “USPS parcel being cleared, but the parcel is temporarily detained due to an invalid zip code”… and I’m supposed to click on a link so I can correct the zip code.  These phishing messages are so common they’ve become easy to spot, whether from the broken English or from the bizarre originating email address.  Phishing reminds me of those long-ago Nigerian princes who sought our help in exchange for “large sums of money”.

At least I’m not a head-over-heels fan of Brad Pitt.  Last month two women were scammed out of hundreds of thousands of dollars by five people in Spain, posing collectively as the actor in an online conversation.  The fraudsters were arrested, but you have to wonder about the naivety of people these days.  Do you really believe Brad Pitt would contact you to invest in one or two of his projects?  More importantly, would you invest this kind of money with anyone without meeting them in person first?

All of this hack-yacking brings to mind the 1970s counterculture bestseller Steal This Book.  From the title you’d expect to read about tricks of the hacking trade but it was a different topic entirely.  Steal This Book gave step-by-step instructions on how the average American could get free services and products courtesy of the federal government’s welfare programs.  The book was intended as a sort of protest against the powers-that-be, written by a well-known activist of the time.

[Side note: Steal This Book also explained how to create (underground) radio broadcasting and printing presses, start (non-violent) demonstrations, and make bombs with household materials.  You can still buy the book but I’m guessing the section on bombs has been removed.  And don’t ask me how many copies of the book were actually stolen.]

Not a good investment

The FBI’s website lists eighteen categories of common frauds and scams.  The examples I shared above fall under just one of these categories: “skimming”.  Some of the other categories are even more disheartening, like “holiday”, “elder”, or “romance”.  Collectively it’s a sad statement about the world we have to deal with.  So be skeptical, I tell you.  That unexpected gift at your front door is probably not a gift at all.  That QR code may create a connection you don’t want.  And “Brad Pitt”?  He has no interest in doing business with you.  He only wants your money.

Some content sourced from Wikipedia, “the free encyclopedia”.

Steal a Card, Any Card

Imagine a carefree Saturday at the mall. You’re shopping with friends for something you really need, or maybe it’s just a little retail therapy. Whatever the reason, the shopping and the purchases make for an enjoyable afternoon. In fact, you’re so satisfied you decide to add on dinner afterwards at a nearby restaurant. All in all a great day, until you wake up the next morning and discover a fraudulent purchase on your credit card. Even more disturbing, you realize the waiter at the restaurant was the odds-on criminal.

My mall story is not hypothetical but actual. My family and I went shopping last weekend, and within twenty-four hours of our purchases we were victims of credit card fraud. What is most aggravating to me is the basic chain of events that points to the nefarious waiter at the restaurant where we dined. Why him? Out of a dozen purchases that day, the restaurant was the only location where the credit card transaction took place out of my sight. Unlike the several point-of-sale mall transactions, the restaurant – as is typical – carried my card away alongside the bill, to be processed somewhere out of sight.  Also, the fraudulent purchase the following day was made at the department store adjacent to the restaurant.  It’s an easy-as-pie theory on what went down.

My experience begs the question: why do credit card companies include all of the critical information right on the card?  Write down (or phone-photo) the name of the cardholder, the sixteen-digit card number, the expiration date of the card, and the three-digit “Card Verification Value” (CVV), and you’re all set to assume the purchasing identity of someone else.

Google Authenticator, which sends a verification code to your phone that is required for login to certain apps, creates a secondary level of security that would significantly decrease credit card fraud. At the least, cardholders should be given a piece of data separate from what is printed on the card, so only they have every last piece of the purchasing puzzle.

Fortunately, credit card fraud is an inconvenience instead of an unexpected financial setback. My bank simply reimburses the amount in dispute, cancels the card, and issues me a new one. I can live with that (unless I owned the credit card company). What I can’t live with is the thieves who work the system. Thus did I send a note to the restaurant manager. I did not directly accuse the waiter as I really have no proof.  But I did provide enough detail that perhaps the manager will track the activities of his employees a little closer. My hope is that he discovers the criminal among his otherwise trustworthy staff.