One of the most common ways to commit credit card fraud is by creating a synthetic identity. When the fraud is discovered it’s tough to go after anyone, because the cardmember doesn’t exist!
But credit card fraud has become so easy that it can be done by a fish. In fact, that actually happened. (HT: Paul H)
A social media star has gained notoriety for showing fish playing video games. For real – they’ve become a big fish in a small pond. Their fish swim around, and where they swim in their tank operates the game controller.
Back in 2020, a team of Mutekimaru’s fish successfully finished Pokémon Sapphire, a feat that would take human players about 30 hours of gameplay to accomplish, but took the fish over 3,000 hours.
Well, the fish were playing Pokémon and the game crashed. There are many fish in the sea, and eventually they hit the right buttons. The fish wound up navigating into the Nintendo Switch settings, then onto the Nintendo eShop. The login credentials and credit card info were saved, and…
The team of fish managed to add a whopping 500 yen to the console’s eShop account, which is about $3.80 in US dollars. …[A] refund from Nintendo has already been requested.
While that happened in Japan, credit card fraud is rampant anywhere. Recently there have been numerous reports of attempted credit card fraud on Bilt Rewards card accounts. This has been misreported as a ‘hack’ when there hasn’t been any personal information disclosed.
Having fished for answers, it’s apparently a ‘BIN attack’ where someone constructs credit card numbers (because there’s a formula) and then tests those numbers on merchants with weak online security – where perhaps a computer-generated card number and expiration date are enough and no CVV code, name match or zip code are required. One of the most common merchants used, apparently, has been Amazon’s Brazil website.
- The fraudsters generate card numbers and test transactions using an online order
- If the order goes through they’ve got a valid card to commit fraud with
- However a lot of these transactions have been getting declined, though some have gotten through. They’re often caught by Wells Fargo before the consumer notices. Then they send out a new card to the customer.
- In many cases cardmembers have asked for courtesy points for their trouble, and have been given 1000 or 2000 points. In no case is anyone liable for these charges.
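What catching this pattern can look like on the issuer or processor side, as an added example that is not from the original post: a sliding-window check that flags one merchant sending many distinct cards from the same BIN with mostly declines. The log format, thresholds, merchant IDs, BIN and card tokens are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
MIN_DISTINCT_PANS = 5           # assumed: distinct cards per merchant+BIN in window
MIN_DECLINE_RATIO = 0.6         # assumed: share of declines in window

# Constructed sample authorization log: time, merchant, BIN, card token, CVV sent, result.
# BIN 400000 and the tokens are placeholders, not real accounts.
SAMPLE_LOG = """\
2024-01-10T02:00:05 M-WEAK 400000 tok01 cvv=N DECLINED
2024-01-10T02:00:09 M-WEAK 400000 tok02 cvv=N DECLINED
2024-01-10T02:00:14 M-WEAK 400000 tok03 cvv=N APPROVED
2024-01-10T02:00:20 M-WEAK 400000 tok04 cvv=N DECLINED
2024-01-10T02:00:26 M-WEAK 400000 tok05 cvv=N DECLINED
2024-01-10T02:00:31 M-WEAK 400000 tok06 cvv=N DECLINED
2024-01-10T02:03:00 M-SHOP 400000 tok90 cvv=Y APPROVED
2024-01-10T02:07:00 M-SHOP 511111 tok91 cvv=Y DECLINED
""".splitlines()

def parse(line):
    """Split one constructed log line into typed fields."""
    ts, merchant, bin6, token, cvv, result = line.split()
    return (datetime.fromisoformat(ts), merchant, bin6, token,
            cvv == "cvv=Y", result == "APPROVED")

def detect_card_testing(lines):
    """Return {(merchant, BIN): stats} for bursts that look like card enumeration."""
    windows = defaultdict(deque)  # (merchant, BIN) -> events inside WINDOW
    alerts = {}
    for ts, merchant, bin6, token, has_cvv, approved in sorted(map(parse, lines)):
        q = windows[(merchant, bin6)]
        q.append((ts, token, has_cvv, approved))
        while ts - q[0][0] > WINDOW:  # drop events older than the window
            q.popleft()
        distinct = {e[1] for e in q}
        declines = sum(1 for e in q if not e[3])
        if len(distinct) >= MIN_DISTINCT_PANS and declines / len(q) >= MIN_DECLINE_RATIO:
            alerts[(merchant, bin6)] = {
                "distinct_pans": len(distinct),
                "decline_ratio": round(declines / len(q), 2),
                "no_cvv": sum(1 for e in q if not e[2]),
                # Cards approved inside a flagged burst are the ones to block and reissue.
                "approved_tokens": sorted(e[1] for e in q if e[3]),
            }
    return alerts

if __name__ == "__main__":
    for key, stats in detect_card_testing(SAMPLE_LOG).items():
        print(key, stats)
```

The one approval inside the flagged burst (`tok03`) is the card an issuer would block and replace before the cardmember notices anything.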
There’s really nothing unique about Wells Fargo or Bilt here, and they’re not the only ones being targeted in this way by a wide margin. However the card is popular in the points and online card forums, so it’s discussed heavily, and it happens to be one that a particular ring targeted recently. My advice is… just keep swimming. And if caught in a net, ask for points.
In a sense the fraud ring isn’t doing that much different than what I used to do as a pre-teen. I can share this because it’s been nearly 40 years, and in the absence of terrorism-related activities transcending national boundaries for which risk of death is a foreseeable consequence, the relevant criminal statute of limitations is five years.
I used to be addicted to my 300 baud modem and Commodore 64 computer. I eventually upgraded to 1200 baud, but wasn’t interested in moving to 2400 baud because at 1200 you could only just keep up reading text as it came across the screen. Why would you need anything faster, since you couldn’t read at double that speed?
I’d spend a ton of time calling other computers around the country, and on Quantum Link (or Q-Link, the predecessor to AOL) when it charged 6 cents a minute. And that meant running up big long distance and credit card bills. It may smell fishy, but back then I was more afraid of repercussions from parents than the FBI. So I figured I could save on long distance by using dial-around codes (e.g. MCI, Sprint).
- Set up the computer to autodial other computers
- Using randomly-generated phone codes
- If my computer connected to the other computer, the phone code was valid
- Run this overnight, have a handful of working codes in the morning
This was known as ‘wardialing’. It wasn’t just blue boxes and red boxes generating tones. There were other fish in the sea that allowed for making calls without being charged. This actually charged the calls to someone’s account, they’d report it when they saw the bill and get a new account number (basically like credit cards, where the consumer isn’t liable).
Back in the mid-80s it was all pretty low-tech. Now it’s higher tech, but the AI-future is going to be even more so. It won’t just be brute force with generating theoretically valid card numbers and testing them. AIs will be tasked with both doing the fraud and defending against the fraud, and indeed some of the best fraud detection is already done by AI. I just wish the AI would award the apology points instead of having to ask for them!
Fish don’t have the intelligence and competency sufficient to perpetrate an act that requires intent to commit fraud.
Gary Leff: international tween of mystery!
What other secrets lurk there?
Gary owned Commodore? Somehow I thought you were younger. Did you play The Quill?
We are at a point where it makes no sense why any fraud is tolerated whatsoever when the technology exists to easily prevent it. A simple fix is real time authentication of a transaction by text, secure app, or email between when the card is processed in the terminal or online and when it is approved. All people under 70 have smartphones with internet. The argument about businesses and cc companies not wanting to slow down the payment time in a business does not outweigh the fraud. 10 seconds extra to hit a yes or no on the cc app or open the email isn’t going to reduce use of credit cards as we’ve moved past cash being primary as a society.
Chip and pin in Europe does not stop fraud completely because that can be hacked. If it’s adopted widely here, it will be hacked a lot. SMS isn’t ideal because that can be augmented with the cell number. An app approval pop up or email approval is a better option. It would make things a lot easier for consumers, businesses, cc processor, and the merchant and issuing banks not to have to deal with fraud.
Nice move, Gary. Straight out of Wargames, which is where I’d guess the term wardialing originated.
To be clear, it took a long time to break up Ma Bell’s monopoly. And when long-distance companies came on the market in the early-mid eighties, it wasn’t technically possible everywhere to switch things seamlessly. MCI, Sprint and the others gave you a six-digit code and a local number to call. Plus they had an 800-number you could call nationally.
So, do the math: 6 digits, 50000 customers = one in twenty is a winner.
Plus, there were BBSs where people would share lists of these.
There was one news article where someone got a monthly Sprint bill of 50 grand.
@Christian – Wikipedia says the term does come from Wargames, I remember seeing that film in the theaters! [But I guess what really dates me is that the first movie I remember seeing in the theater is Empire Strikes Back]
What an interesting (and unfortunate) story! It just goes to show how important it is to protect your credit card information, even in seemingly harmless situations like playing a video game. Kudos to the hotel for being vigilant and catching the fraud early on. – Pikazon
Wow, this story is insane! It’s scary to think that these fish were able to commit credit card fraud while playing a video game. It just goes to show that fraudsters can come in all shapes and sizes. As always, it’s important to keep a close eye on our finances and credit reports to prevent any unauthorized activity. Thanks for sharing this bizarre but eye-opening story. – Pikazon