Buying on the Internet with fake card numbers

One would think that buying real goods on the Internet with fake card numbers is not possible today. After all, there are many countermeasures that are quite hard to defeat, including:

  • You need to provide a 3- or 4-digit security code that is written on your card, and that is some kind of digital signature of the card number and expiration date.
  • Your goods need to be delivered, which will undoubtedly lead you to major trouble, especially if you repeat your scam several times.

Well, things aren’t that simple. A gang presented as two countryside housewives managed to steal around 200,000€ worth of goods before getting caught (here is an article about this, in French). The interesting part is how easy it was to circumvent the complex security measures put in place by online sites:

  • First, avoid an immediate check of your credit card data, by buying items that are not too expensive, and by selecting options like “Pay in three easy installments” that will trigger a more complex, but less immediate procedure.
  • Then, use slight variations of your name and address for the delivery. The idea is to ensure that computers will not match “John Doe” with “Jon Doh”, but that the postman will perform the same match successfully, and deliver the package.

I really love this scam, because it is so low tech. We design sophisticated countermeasures with ultra-secure smart cards, and we end up defeated by typos in names. According to the article, the victims are working on fixing the problem, but this is another endless quest: approximate matching is not that easy, and they will soon discover the joys of false positives. Good luck!
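
The false-positive problem, shown as an added example that is not from the original post or from the merchants involved: a merchant-side check that links orders by normalized edit distance over name and delivery address. The order data, function names and thresholds are assumptions constructed for illustration.

```python
import re
from itertools import combinations

def normalize(text):
    """Lowercase, drop punctuation, collapse whitespace."""
    cleaned = re.sub(r"[^a-z0-9 ]", "", text.lower())
    return " ".join(cleaned.split())

def edit_distance(a, b):
    """Levenshtein distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def similarity(a, b):
    """1.0 for identical strings after normalization, lower as they diverge."""
    a, b = normalize(a), normalize(b)
    longest = max(len(a), len(b)) or 1
    return 1 - edit_distance(a, b) / longest

def near_duplicates(orders, threshold):
    """Index pairs whose name+address are similar but not identical."""
    keys = [f"{name} {addr}" for name, addr in orders]
    return [(i, j) for i, j in combinations(range(len(keys)), 2)
            if normalize(keys[i]) != normalize(keys[j])
            and similarity(keys[i], keys[j]) >= threshold]

# Constructed sample orders (name, delivery address); not real data.
ORDERS = [
    ("John Doe", "12 Main Street"),   # 0: original order
    ("Jon Doh", "12 Main Stret"),     # 1: misspelled variant, same household
    ("Joan Doe", "14 Main Street"),   # 2: unrelated neighbour
    ("Maria Keller", "3 Oak Lane"),   # 3: unrelated customer
]

if __name__ == "__main__":
    for t in (0.85, 0.90):
        print(t, near_duplicates(ORDERS, t))
```

At a threshold of 0.85 the check links the misspelled variant to the original order, but it also links the unrelated neighbour, who scores higher than the variant does. Raising the threshold to 0.90 drops the variant and keeps only the neighbour.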

