A regular calendar year is often peppered with defining moments and events. The world of sport looks to events like the Superbowl, the Champions League Final, the Monaco Grand Prix. The world of entertainment has Comic-Con San Diego, the Cannes Film Festival and the Oscars. Unsurprisingly the world of tech has its own moments, the e3 being one and the most famous of all being the Apple WWDC. It is at this event that Apple normally announces their new iPhones and when each country will get the license to sell their new phone. This is where our story starts.
In 2017, Apple announced the iPhone X to much fan-fare. It also announced that the phone would be launching in mid-November 2017, making it an ideal Christmas gift for the techies and showboats alike. As such, demand for the phone was extremely high and as per usual, when an item receives so much hype that demand far exceeds supply, it attracts the attention of fraudsters. Once the phone was made available for pre-order a group of people was quickly setup with the sole intention of buying as many phones as possible. This resulted in a systematic scheme designed to use stolen credit cards to purchase phones. The fraudsters left very little to chance and took precautions to ensure that their activity was not found out for quite a while.
The Setup
Before the pre-launch, the fraudsters in question had to identify where they were going to purchase the phones using stolen cards from. The retailer had to meet a few criteria. The retailer would need to have a physical presence, and have multiple outlets in multiple states. This criteria was easily met by many of the big box retailers in Australia.
Next, the fraudsters had to ensure that their victim was able to accept online pre-orders for the iPhone X. Again, most of the big box retailers met the criteria. However, only two retailers met the next criteria - the absence of 3DS. This was probably down to the fact that at that stage, 3DS was not mandatory as the Australian regulators found it to have too many vulnerabilities as discussed in a previous article. They now had their victims. Next, they had to ensure that they did not get caught.
The strategy to not getting caught was simple - they avoided the regular ways in which others got caught. This meant that the fraudsters had certain red lines that could not be crossed. Among them were : using one card more than once, using a different delivery address from that of the cardholder’s address, making multiple purchases from the same computer/IP, buying the iPhone using a new account and buying more than one phone from an account. They hoped that avoiding the common mistakes, they would be able to perpetuate the fraud unimpeded.
Lastly, they had to find a way to intercept the phone. This was where the fraudsters innovated by taking advantage of such a simple loophole that it took analysts two months to uncover. The interception happened before the phone left the store as the fraudsters would call the outlet they purchased the phone from, provide their order ID and ask if they could pick the phone up in person as they were in the vicinity of the store. This request was common enough for the store to not think twice about.
The execution
Once the system was in place, the fraudsters set out to do as much damage as possible. They were tactically astute enough to avoid the common mistakes that would result in getting caught. Almost every step they took was deliberate and to avoid detection.
The fraudsters started by making purchases via the retailers’ website using the cardholder’s exact information from phone number to address. This was done to bypass any risk checks the retailer might have in place like matching orders with any previous purchases and looking for changes. Providing the cardholder’s information also allowed the transaction to go unimpeded through the credit card address verification process or any other risk checks done by the credit card/payment processors.
Then, the fraudsters would choose a delivery date three days away. This meant that the retailers would process their order and allocate the phone for them. If they had opted for delivery the next day, the retailer might have called the cardholder to confirm the delivery address. Similarly, opting for delivery two days in advance could have resulted in the retailer calling to schedule early delivery if available. Knowing that the retailers would not prioritize a three day delivery request meant that the interception would be easy.
Then, one day after placing the order, the fraudster would call the retailer and inform them that they were nearby and they would like to walk into the store to pickup their phone. The retailer would oblige as this is a common practice and the fraudster would walk in, provide basic information such as order number, delivery address, phone number and maybe last 4 digits of the card. The fraudster would easily be able to furnish this information and therefore, would be able to receive the phone and exit the store. The fraudsters made sure to not repeat this process in the same store more than two or three times a day. Fraudsters were also not allowed to go back to the same store for a certain period of time to avoid being recognized.
Finally, the fraudsters limited how many phones a day they ordered/intercepted. This was done in order to keep the ratio of good to bad transactions low, thus avoiding detection as an ongoing modus operandi. This was critical to the long term success of the fraud as the retailer might have pulled the plug on pickups or online ordering of the iPhone if their payment processor informed them that it was responsible for high fraud rates.
By taking these precautionary measures, the fraudsters were able to hide their illicit activity in between all the legitimate transactions that fit the same pattern. Reports of unauthorized transactions started coming in ten to fifteen days after the first iPhone was recognized. This timeframe was not shortened in the ensuing weeks. Therefore, the retailer and payment gateways were seeing iPhones being purchased and had no idea which ones were fraudulent as there was a lack of a “smoking gun”.
The Trap
At this stage, the fraudsters were 6 weeks in and there were no indications of slowing down. The retailer and the gateway were inundated with chargebacks and authorized transaction reports and were wholly unable to distinguish between good and bad transactions. Everything was going to plan.
While the payment gateway and the retailer attempted to work together to mitigate losses, neither side were willing to implement strategies proposed by the other. The gateway suggested that the retailer call everyone who purchases an iPhone on the same day to confirm the order. The retailer did not have the manpower or infrastructure to do so. The retailer asked the gateway to make the call but the gateway was unable to do so as they provided a B2B payment solution and were therefore unable to speak to a customer about their transaction. The gateway suggested the retailer activate 3DS but doing so would be costly in terms of hardware and software upgrades and time it would take to get the solution up and running. The retailer asked for each transaction to be reviewed by the gateway and approved before the order could be confirmed but the gateway was unable to meet the turnaround time stipulated by the retailer due to a lack of resources and the sheer volume of transactions a retailer would receive in a day.
The retailer and the gateway decided to set a trap for the fraudsters. The gateway analysed all chargebacks received and compared the time of ordering location and machine identifications. They also asked the retailer to take note of what time an iPhone pick up occurred. Unfortunately not all branches kept methodical records and sometimes the information would not be forthcoming meaning the gateway could not do any analytics on the chargebacks.
However with the information that was provided it was clear to the gateway that there was no discernible pattern to identify which transactions were fraudulent. And such the strategy had to change and instead of finding and implementing a targeted solution the gateway and retailer need to utilise a one-size-fits-all approach. This meant that even good customers would need to experience some degree of friction when completing a purchase.
The solution was as simple as the loophole - instead of relying on real time analysis or complicated algorithms, the retailers would require anyone picking up an iPhone to provide a form of photo identification and the credit card used to complete the transaction.
Once this policy was introduced, fraud stopped as the fraudsters either claimed they did not have a form of photo identification on hand or refused to provide one. Without the ability to intercept the phone the entire scheme unraveled and disappeared.
Whilst this is an interesting story, it does go to show how a well-managed, precise team of fraudsters can do massive amounts of damage all by taking advantage of a few loopholes. If you want to know more or if you want to avoid falling victim to similar fraud, contact us today for a free, no obligation consultation.
Comments