by Pyxl101 1525 days ago
If they had taken credit cards, and made fraudulent transactions, maybe they could have made a few purchases in retail stores, but as soon as you detected that fraud you’d call the bank and issue a chargeback - a hassle but you’re not out any money.

Also, banks are smart. If a single CC is being simultaneously used in multiple physical locations, that’s an immediate red flag for fraud. My bank also asks for OTPs when I make online payments at novel/obscure websites.

A scammer who got my full CC number couldn’t make a fake physical card since it’s chip-and-pin; or at least not use it at any mainstream retailer which would require a chip transaction. So they’d be limited to online ones. I suspect the bank might even be passed the IP or other fingerprint details when authenticating the transaction, resulting in OTP requirements when risk is detected (online transaction from foreign country when I live in my country).

As long as you have a couple of CCs (so you can still pay for stuff if one gets deactivated due to fraud), CC fraud will typically be detected by the bank and refunded, along with new card issuance.

My main CC company will also text me randomly asking if any of the last three charges was unauthorized, with their details. Sometimes the card is paused until I respond. This most typically happens when I’m traveling. If I text back that they’re all legitimate then the card works again immediately; if one is fraudulent then they get me on the phone to confirm the details and issue a new card.

The CC companies seem to be pretty good about not having false alarms when you travel any more (though if you’re traveling internationally, giving them a heads up helps avoid issues) - I believe it’s simultaneous use from multiple geos that trips fraud alarms.


RE chargebacks: stolen cards are often monetized these days with a scheme known as "triangle fraud". Here's how it works:

0) the scammer somehow acquires Person A's credit card info

1) the scammer sets up an online store on Amazon or similar and sells some popular item at a 20% discount (e.g. Nespresso pods)

2) the scammer doesn't actually have that item in stock, but when they get an order from Person B, they use the stolen card to place another order with a legitimate seller and set the destination address to Person B's address (basically drop-shipping but where the victim is paying for the cost of the goods being sold)

3) Now the scammer has received already-laundered clean money from an online transaction, and Person B got the product they wanted on time and at a steep discount. They're happy, and certainly won't be complaining to their credit card company.

4) when Person A reports their card stolen and tries to perform a chargeback, the legitimate seller who acted as an unwitting drop-shipper ends up eating the cost.

DEFCON 27 had a talk on exactly this by Nina Kollars, which I suspect is where the Nespresso reference comes from. It's an excellent overview of the topic of triangle fraud. :)

DEF CON 27 - Confessions of an Nespresso Money Mule Free Stuff and Triangulation Fraud: https://www.youtube.com/watch?v=4fYZpRBuh-s

Almost impressed at the cleverness of this all! Especially since, if it's done right, all parties see "business as usual" - and even if they DO suspect a scam, nobody has any incentive past a moral one to say anything.

Wait what? The person with the stolen credit card will report the fraudulent charge causing a chargeback for the seller - how is that “business as usual”? If the business is getting hit with chargebacks they sure as fuck have a financial motivation if not a moral one to report it.

This relies on churn and hoping that a percentage of the fraudulent charges go unnoticed. But if it’s oversight then it’s not really that party “seeing” anything.

Someone noticing they are being scammed means that it's over anyways. What I'm saying is that, as the scam is happening, you are going to get at least 1 "legit" looking transaction where the cash is already in the scammer's hands. The person with the stolen credit card is often someone elderly or unable to notice major financial decisions, which makes them perfect marks for being scammed in the first place. What I'm saying is that, to all the parties involved except the scammer, there are no obvious signs that something fishy is going on.

Sadly in Europe a lot of these transactions are done on debit cards, which makes redress much harder if not impossible - once the money is out of the account, it's gone for good. Banks may or may not eat the loss depending on a number of factors, size being one of them: 4+ digit amounts will likely never be reimbursed.

But yeah, CCs are safer, it's one of the things you pay for (typically by means of higher prices, as merchants pass on their CC fees to customers).

> Sadly in Europe a lot of these transactions are done on debit cards, which makes redress much harder if not impossible - once the money is out of the account, it's gone for good.

While this is true, it's also much harder to do a fraudulent payment. The card number itself is not enough; you actually have to go through the bank's payment system with its 2FA, and that's not something a thief can easily fake.