One of the most common ways to commit credit card fraud is by creating a synthetic identity. When the fraud is discovered it’s tough to go after anyone, because the cardmember doesn’t exist!
But credit card fraud has become so easy that it can be done by a fish. In fact, that actually happened. (HT: Paul H)
A social media star has gained notoriety for showing fish playing video games. For real: they’ve become a big fish in a small pond. Their fish swim around the tank, and where they swim operates the game controller.
Back in 2020, a team of Mutekimaru’s fish successfully finished Pokémon Sapphire, a feat that would take human players about 30 hours of gameplay to accomplish, but took the fish over 3,000 hours.
Well, the fish were playing Pokémon and the game crashed. There are many fish in the sea, and eventually they hit the right buttons. The fish wound up steering the game into the Nintendo Switch settings, then onto the Nintendo eShop. The login credentials and credit card info were saved, and…
The team of fish managed to add a whopping 500 yen to the console’s eShop account, which is about $3.80 in US dollars. …[A] refund from Nintendo has already been requested.
While that happened in Japan, credit card fraud is rampant anywhere. Recently there have been numerous reports of attempted credit card fraud on Bilt Rewards card accounts. This has been misreported as a ‘hack’ when no personal information has been disclosed.
Having fished for answers, it’s apparently a ‘BIN attack’, where someone constructs credit card numbers (because there’s a formula) and then tests those numbers on merchants with weak online security, where perhaps a computer-generated card number and expiration date are enough and no CVV code, name match or zip code is required. One of the most common merchants used, apparently, has been Amazon’s Brazil website.
- The fraudsters generate card numbers and test transactions using an online order
- If the order goes through they’ve got a valid card to commit fraud with
- However, a lot of these transactions have been getting declined, though some have gotten through. They’re often caught by Wells Fargo before the consumer notices, and Wells Fargo then sends out a new card to the customer.
- In many cases cardmembers have asked for courtesy points for their trouble, and have been given 1000 or 2000 points. In no case is anyone liable for these charges.
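Issuer-side detection of the pattern described above, as an added example that is not from the post or from any issuer's actual system: it groups authorization attempts by merchant and six-digit BIN and flags bursts of many distinct card numbers with a high decline rate, which is what a ring testing generated numbers against one weak merchant looks like. The log lines, merchant names and card numbers are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed issuer-side authorization log (hypothetical merchants, masked card
# numbers and timestamps; not real transactions). Fields: time, merchant, PAN, result.
SAMPLE_AUTHS = """\
2024-03-01T02:00:05 shop-br 431940******1001 DECLINED
2024-03-01T02:00:09 shop-br 431940******1002 DECLINED
2024-03-01T02:00:14 shop-br 431940******1003 DECLINED
2024-03-01T02:00:20 shop-br 431940******1004 APPROVED
2024-03-01T02:00:27 shop-br 431940******1005 DECLINED
2024-03-01T02:00:33 shop-br 431940******1006 DECLINED
2024-03-01T09:15:00 grocer  431940******1001 APPROVED
2024-03-01T12:30:00 grocer  431940******1002 APPROVED
2024-03-01T13:45:00 cafe    431940******1007 APPROVED
"""

def parse_auths(text):
    """Parse whitespace-separated log lines into (time, merchant, pan, result) tuples."""
    rows = []
    for line in text.splitlines():
        ts, merchant, pan, result = line.split()
        rows.append((datetime.fromisoformat(ts), merchant, pan, result))
    return rows

def flag_bin_attacks(rows, window=timedelta(minutes=10), min_cards=5, min_decline_rate=0.6):
    """Flag (merchant, BIN) pairs where many distinct card numbers sharing one six-digit
    BIN are tried within a time window and most attempts are declined."""
    by_key = defaultdict(list)
    for ts, merchant, pan, result in rows:
        by_key[(merchant, pan[:6])].append((ts, pan, result))
    alerts = []
    for (merchant, bin6), attempts in by_key.items():
        attempts.sort()
        for i, (start, _, _) in enumerate(attempts):
            # Sliding window anchored at each attempt in time order
            in_window = [a for a in attempts[i:] if a[0] - start <= window]
            cards = {pan for _, pan, _ in in_window}
            if len(cards) < min_cards:
                continue
            declines = sum(1 for _, _, r in in_window if r == "DECLINED")
            rate = declines / len(in_window)
            if rate >= min_decline_rate:
                alerts.append({
                    "merchant": merchant, "bin": bin6, "cards_tried": len(cards),
                    "decline_rate": round(rate, 2),
                    # Approved numbers are the live cards the issuer should reissue
                    "approved": sorted(pan for _, pan, r in in_window if r == "APPROVED"),
                })
                break  # one alert per merchant/BIN is enough
    return alerts
```

The approved entries in an alert are the cards that the issuer would proactively replace, which matches the new-card behaviour described above.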
There’s really nothing unique about Wells Fargo or Bilt here, and they’re far from the only ones being targeted in this way. However, the card is popular in the points and online card forums, so it’s discussed heavily, and it happens to be one that a particular ring targeted recently. My advice is… just keep swimming. And if caught in a net, ask for points.
In a sense the fraud ring isn’t doing that much different than what I used to do as a pre-teen. I can share this because it’s been nearly 40 years, and in the absence of terrorism-related activities transcending national boundaries for which risk of death is a foreseeable consequence, the relevant criminal statute of limitations is five years.
I used to be addicted to my 300 baud modem and Commodore 64 computer. I eventually upgraded to 1200 baud, but wasn’t interested in moving to 2400 baud because at 1200 you could only just keep up reading text as it came across the screen. Why would you need anything faster, since you couldn’t read at double that speed?
I’d spend a ton of time calling other computers around the country, and on Quantum Link (or Q-Link, the predecessor to AOL) when it charged 6 cents a minute. And that meant running up big long distance and credit card bills. It may smell fishy, but back then I was more afraid of repercussions from parents than the FBI. So I figured I could save on long distance by using dial-around codes (e.g. MCI, Sprint).
- Set up the computer to autodial other computers
- Using randomly-generated phone codes
- If my computer connected to the other computer, the phone code was valid
- Run this overnight, have a handful of working codes in the morning
This was known as ‘wardialing’. It wasn’t just blue boxes and red boxes generating tones. There were other fish in the sea that allowed for making calls without being charged. This actually charged the calls to someone’s account; they’d report it when they saw the bill and get a new account number (basically like credit cards, where the consumer isn’t liable).
Back in the mid-80s it was all pretty low-tech. Now it’s higher tech, but the AI future is going to be even more so. It won’t just be brute force, generating theoretically valid card numbers and testing them. AIs will be tasked with both doing the fraud and defending against the fraud, and indeed some of the best fraud detection is already done by AI. I just wish the AI would award the apology points instead of having to ask for them!