Card Tricks

Every now and then a blog topic appears out of nowhere, looks you in the face, and says BOO!  Our credit union called on Sunday to alert us to possible fraud on one of our cards. They took us through the process of verifying a few suspicious transactions. Then they put the account on hold and began the process of issuing new cards. It was the usual over-the-phone slog.  Provide member number here, confirm home address there, several requests of “Can you please hold for a minute?”, and so on.  But “so on” went from minutes to tens of minutes.  Suddenly it occurred to us: the credit card fraud was happening right in front of us.

If you’ve ever been a victim of fraud in any of its forms, it’s one of the most unsettling feelings I can ever describe.  These cyber-thieves might as well just walk through your front door and help themselves to whatever they want.  The fact that your phone sits on the counter patiently awaiting calls suggests you are open to the opportunity on any day, at any time.  In this case I’m convinced the hack was deliberately timed.  We were preparing dinner for visiting family on a weekend night.  My wife and I were dashing about the kitchen with last-minute preparations.  The last thing we had time for was a phone call.

Trust can be established in the blink of an eye.  The Caller ID on my wife’s phone showed the correct number and word-for-word name of our credit union.  The caller identified himself in a business-like voice as an agent from the union’s fraud department.  And shortly after calling, he sent us the typical text messages we’ve come to expect in these situations, showing our credit union’s logo and other validating information.  In those first few moments of interaction, when your mind is focused on dinner and fraudulent charges, it just doesn’t occur to you to question the caller himself.

Of course, we committed a cardinal sin of fraud by simply answering the phone.  Our credit union never has a live agent call us when they suspect fraud.  Instead they leave a recorded message asking us to call back to verify the charges.  When we call back we answer a few questions through an automated system, and the credit union takes it from there.  Zero interaction with a real person from start to finish.

If there’s any good news in this experience, it’s that our Sunday evening caller didn’t succeed despite his determined efforts.  After cutting short the call we promptly contacted our credit union and learned that yes, in fact, fraudulent charges had just been attempted on our card… and were declined.  Whatever security bells and whistles were put in place to detect and deny this kind of activity worked exactly as they were meant to.  But the fact remains, we pretty much opened the front door, greeted the scammer, and said, “Hey, come on in!”

The counter tactics for this sort of plunder are plentiful, of course.  Some credit cards no longer use a static 16-digit number or security code.  Most allow two layers of authentication before access. Others churn out text messages or emails when charges are considered suspicious.  Then again, you can simply do what my mother-in-law does and pay for everything in cash.  Not a bad idea to be honest, as long as cash remains an acceptable form of payment.

It’s disheartening to live in a world where others are desperate (or evil) enough to develop sophisticated, practiced methods to steal by simply getting you to pick up the phone.  In truth, this bandit has done me a favor.  He’s heightened my awareness to such card tricks by his single invitation to sit down at the table and play.  The next time this happens (and there will be a next time) I’ll be watching the cards very carefully.  And you can bet I’ll be watching the magician himself even more so. 

Hack Attack

Imagine a plain brown box showing up at your front door with no indication of who or where it came from. The box is topped by a small white envelope with a card inside. In elegant script the card reads: Scan the QR code to see who sent you this gift! So you scan it. Congratulations – you’ve just given scammers access to everything on your smartphone.

I wish this story was a work of fiction but some day soon it could be coming to a doorstep near you. The gift box scam worked on my son’s friend and frankly I can’t say that it wouldn’t have worked on me. If someone sent you a gift and they wanted it to be a surprise, would the situation look much different than what I just described? Would you scan the QR code?

Do not scan!

I can’t explain how the simple scan of a QR code translates to the hack of a smartphone, but technology far outpaces my understanding of its capabilities these days. My first reaction to this story was to check my phone apps to make sure any “data-sensitive” ones were password-protected. My next reaction was to wonder if I could ever trust a QR code again.

Here’s a second bit on hacking, also passed along by my son. He said scammers now prey on public parking lots. Many of these lots use pay-by-app technology and the app can be downloaded onsite by scanning a QR code. Scammers simply place their own sticker over the one you’re supposed to scan and presto! – you’ve unknowingly given some level of data access to thieves. It reminds me of gas station scams where the pump credit card reader is retrofitted with a device capable of collecting your card’s data.

By comparison, email and text scams now seem pedestrian, but boy-howdy they keep trying, don’t they?  I got one just last week claiming I have a “USPS parcel being cleared, but the parcel is temporarily detained due to an invalid zip code”… and I’m supposed to click on a link so I can correct the zip code.  These phishing messages are so common they’ve become easy to spot, whether from the broken English or from the bizarre originating email address.  Phishing reminds me of those long-ago Nigerian princes who sought our help in exchange for “large sums of money”.

At least I’m not a head-over-heels fan of Brad Pitt.  Last month two women were scammed out of hundreds of thousands of dollars by five people in Spain, posing collectively as the actor in an online conversation.  The fraudsters were arrested, but you have to wonder about the naivety of people these days.  Do you really believe Brad Pitt would contact you to invest in one or two of his projects?  More importantly, would you invest this kind of money with anyone without meeting them in person first?

All of this hack-yacking brings to mind the 1970s counterculture bestseller Steal This Book.  From the title you’d expect to read about tricks of the hacking trade but it was a different topic entirely.  Steal This Book gave step-by-step instructions on how the average American could get free services and products courtesy of the federal government’s welfare programs.  The book was intended as a sort of protest against the powers-that-be, written by a well-known activist of the time.

[Side note: Steal This Book also explained how to create (underground) radio broadcasting and printing presses, start (non-violent) demonstrations, and make bombs with household materials.  You can still buy the book but I’m guessing the section on bombs has been removed.  And don’t ask me how many copies of the book were actually stolen.]

The FBI’s website lists eighteen categories of common frauds and scams.  The examples I shared above fall under just one of these categories: “skimming”.  Some of the other categories are even more disheartening, like “holiday”, “elder”, or “romance”.  Collectively it’s a sad statement about the world we have to deal with.  So be skeptical, I tell you.  That unexpected gift at your front door is probably not a gift at all.  That QR code may create a connection you don’t want.  And “Brad Pitt”?  He has no interest in doing business with you.  He only wants your money.

Some content sourced from Wikipedia, “the free encyclopedia”.

Steal a Card, Any Card

Imagine a carefree Saturday at the mall. You’re shopping with friends for something you really need, or maybe it’s just a little retail therapy. Whatever the reason, the shopping and the purchases make for an enjoyable afternoon. In fact, you’re so satisfied you decide to add on dinner afterwards at a nearby restaurant. All in all a great day, until you wake up the next morning and discover a fraudulent purchase on your credit card. Even more disturbing, you realize the waiter at the restaurant was the odds-on criminal.

My mall story is not hypothetical but actual. My family and I went shopping last weekend, and within twenty-four hours of our purchases we were victims of credit card fraud. What is most aggravating to me is the basic chain of events that points to the nefarious waiter at the restaurant where we dined. Why him? Out of a dozen purchases that day, the restaurant was the only location where the credit card transaction took place out of my sight. Instead of the several point-of-sale mall transactions, the restaurant – as is typical – carried my card away alongside the bill, to be processed somewhere out of sight.  Also, the fraudulent purchase the following day was made at the department store adjacent to the restaurant.  It’s an easy-as-pie theory on what went down.

My experience begs the question: why do credit card companies include all of the critical information right on the card?  Write down (or phone-photo) the name of the cardholder, the sixteen-digit card number, the expiration date of the card, and the three-digit “Card Verification Value” (CVV), and you’re all set to assume the purchasing identity of someone else.

Google Authenticator, which sends a verification code to your phone that is required for login to certain apps, creates a secondary level of security that would significantly decrease credit card fraud. At the least, cardholders should be given a piece of data separate from what is printed on the card, so only they have every last piece of the purchasing puzzle.

Fortunately, credit card fraud is an inconvenience instead of an unexpected financial setback. My bank simply reimburses the amount in dispute, cancels the card, and issues me a new one. I can live with that (unless I owned the credit card company). What I can’t live with is the thieves who work the system. Thus did I send a note to the restaurant manager. I did not directly accuse the waiter as I really have no proof.  But I did provide enough detail that perhaps the manager will track the activities of his employees a little closer. My hope is that he discovers the criminal among his otherwise trustworthy staff.