>> So hi, I’m Kitty.
>> [audience] Hi Kitty.
>> [laughs] I’m known by, you know, a couple of other handles, but mostly in my work day people call me Nina. Before I give my talk, as you can see on the screen, I do have to say, I’m required actually, to say that the views expressed here do not necessarily represent the views of the Navy, the Department of Defense, or the US Government. And I’m required to say that because technically I’m a fed, I guess. In my work day I’m a professor at the Naval War College inside the Strategic and Operational Research Department, which really means that I study emerging technologies and how they affect warfare and defense, and that would include the cyber realm. And so that’s part of why I follow your community. But all of that actually has absolutely nothing to do with what I’m talking about today.

Last year, right around August, I bought a used Nespresso maker, and so I just wanted to come and talk about the story of what happened. So with the company Nespresso, the pods and the makers are purchased mostly online. There are some boutiques across the country, but by and large you can buy your coffee from Nespresso directly from their website, and so with my new used machine I realized that the pods were really expensive. So I decided that I’d have a look to see if I could get them somewhere cheaper. And it turns out you can. You can get them on eBay. In fact, scandalously cheap, and I found a listing in which the current bid was about half of what I’d pay if I were buying directly from Nespresso. So the only trick was that I had to buy 200 pods at a time. It’s not a big deal, I drink a lot of coffee, so it seemed fine. I set my bid. I wandered off, and when I came back I’d won. So I paid with PayPal and I moved on, and a week or so later my coffee arrived. But with it, also at my doorstep, in a separate box, was this little gem. It’s also here on stage. It was a brand new espresso maker in addition to the coffee that I’d purchased. And so you’re looking at a Nespresso Pixie. It’s one of Nespresso’s most compact little espresso makers. It retails at about 280 dollars and it takes the small coffee pods that are about 70 cents a piece.

So this initially just feels like an ordering mistake to me. And so I go back to eBay to figure out whether I had accidentally pushed some “buy it now” function and purchased it, but I hadn’t. So I turned to the packaging and boxes. I opened them both up, I looked over the tracking label, and I found out that not only does the invoice have the same sender, and both are intended to come to me, but they’re shipped directly from Nespresso. And they weren’t supposed to. They were supposed to come from some third party. So I turn again to eBay to look at the transaction and compare it to the invoice, and I find out that the seller’s name on eBay, let’s call her Sue from Chicago, that account holder’s name is nothing like the account holder’s name on the Nespresso side. We’re going to call him George from Poughkeepsie. In addition, Sue from Chicago had a zero seller rating and had just opened her account a couple of weeks prior, and the only thing she was selling was Nespresso. So at this point I’m starting to think this looks a little bit like fraud, so I decide I’m going to escalate, I’m going to find out, and I call Nespresso. A little bit reluctantly, because I’m sort of greedy and I would really like to keep the machine. So I explained to customer service that I had not ordered the machine but I had ordered the coffee, but I hadn’t purchased it directly from Nespresso but instead from eBay, and so she could confirm to me essentially that yes, in fact, George from Poughkeepsie’s credit card had been charged for both items. So I said you might want to call George and let him know, or I’d be happy to call George and explain what is going on and find out whether he had really intended to send me this really nice gift. And she noted that she wouldn’t give me his number. So I had no way to prove any of this, but I kept thinking this has definitely gotta be fraud, but it wasn’t clear to me who was losing out in the game. But I told Nespresso, please send me a prepaid mailing label, and once I got it I would happily send back their machine. This is a ploy, you know, because manufacturers never want the machine back. She took my information, sent it to the fraud department, and then told me to watch my mail, and if they wanted it back the fraud department would send me a label. I obviously still have the machine. But my ethics are restored, right? I’ve reported the fraud and I get to keep the machine.

In the meantime, I still can’t quite figure out what’s happening. So I google around a bit and it brings me to the Krebs on Security site and I find this graphic, and it helps me explain sort of what might be happening. So this is triangulation fraud, and if you’re not familiar, you’ve got a 3-part triangle there, and the whole trick is to convert a line of credit into cash using the seams that happen between companies, and the last step in that chain is the mule, is what they call the mule. That’s the person who is doing the cash conversion. The fraudster steals somebody’s PII and establishes a credit line, or they just go to a carding site and get a card. The fraudster identifies a major company, in this case Nespresso, and they’re selling some luxury goods, and they set up an account with that company. The target company usually has really reliable fast shipping and a simple account system that doesn’t have too many security checks to it. Then the fraudster sets up their eBay account, sets up a fake profile, and starts selling stuff super cheap. When the auction completes, the unsuspecting buyer sends their money to eBay and they have now become the mule. Right? They have given the fraudster the cash they need, but remember, the fraudster is selling something they don’t actually own. And the eBay process won’t complete until there’s a shipping invoice that’s generated. So the next thing that has to happen is your fraudster uses the credit card to buy the stuff directly from the manufacturer, sends it to the buyer from eBay, and then the whole triangle is complete. The shipping notification is generated and everyone is happy. The fraudster takes the money from the sale, pays eBay its money from the commission, and relists more items. It’s a seamless triangle. The buyer has no idea that they’re a mule, and all that they know is that they’re getting a really good deal for really legit goods. And so the incentive for everyone to continue is to participate and keep quiet. Unless, of course, that buyer is me and you somehow sent me an espresso machine that I didn’t order, and I really wanted to know why I got the extra machine, because I had already been made happy by paying half price for my coffee.

So I had 2 theories. 1, this person or persons sucked as bookkeepers, and so I imagine that maybe they were copy-pasting from an Excel spreadsheet into the manufacturer’s website and it accidentally sent me an extra coffee maker. Or 2, maybe they wanted to buy my love. Like maybe these triangles are so fragile, the setup of these accounts and the burn of these credit cards are so fragile, that they’re trying to make me super happy so that I won’t question it and I’ll just keep buying. So the right thing to do now that Nespresso has given me this coffee maker was to embark on a campaign of research and buy more coffee. [laughter] I know. I know you’re thinking I’m a terrible person, but first, this is called Confessions for a reason, and second, I’m still guessing this is fraud but I don’t really know. Right? Like, so how big is this operation? So I needed more data, and specifically I didn’t just need more data from the 1 seller; what I wanted to know is if this is some sort of criminal underground gang, like a Nigerian prince scam or some IRS gift card scheme. Right? This should be happening at scale in some way. So I generate a series of questions. I’ve way overthought this, by the way. I generate a series of questions and I try to figure out who these thieves are. To be clear, there are plenty of thieves on eBay. I just wanted to find these ones specifically. Alright? So I ask: are there other accounts? Can I find those other accounts? How fast do those accounts burn? And most importantly, can I get them to make the same mistake twice? Can I get them to send me more extra free stuff? [laughter] There’s no greed in this, it’s fine. [laughter]

Using eBay’s auction search tool and the initial account as the template, I try to find other recently created accounts with 0 ratings selling Nespresso. So 3 things. I need them to sell Nespresso. I need them to have the 0 rating, and I need that account to be relatively new. So if the fraud triangle is sloppy, as I think they probably will be, then there’s probably some laziness. There’s some duplication in description and the use of images, which makes the search easier. If these triangles are fragile, that means they burn really fast and I have to look at them often, like every day. Alright? So eBay lets you automate these searches, so I set my template and I set the search for 200 capsules at 99 dollars. I searched for espresso machines as well, but it doesn’t create any good pooling data, so I stick with just looking for capsules. And each day I get in my email inbox a report of the results. Usually 100 or so, and I have to weed through them. And at the outset it’s a little bit hard. It takes me time to find my specific set of coffee thieves, because while it’s easy to find someone selling a lot of coffee, it’s harder to figure out when the account is brand new and when the account has a 0 rating. And that’s actually due to eBay’s design. So if you look up at the image, you will see those stars up there. One would think that that’s the seller rating. That’s not a seller rating; that is actually a generic review of what people think of Nespresso coffee. But it makes the buyer think that that might be a seller rating, and so you feel calmer, you feel like you’re more reassured. In fact, they bury the seller rating for brand new accounts near the bottom in tiny font. And then similarly you have to click through to find out when that account was built. Now, that takes some time. But the good news is that eBay’s website wants to help me. Right? So every time I do the search and resolve it, it’s watching me do that, and so even when my clicks proved unsuccessful it would offer, on the bottom of the screen, “here are some similar items, maybe you want to buy from these people.” And so often I ended up uncovering the accounts that I was looking for through their own website offering stuff to me. So like a good researcher, I created a spreadsheet to track each of the unique accounts with their opening date, with their ratings over time and, eventually, when the accounts go dormant, everything they sold and how much they profited.

Then I selected 2 accounts opened within 6 days of one another. With those 2 accounts I made 2 separate purchases to try to see if they could send me extra stuff. A week later I received 200 pods of coffee plus 200 pods of coffee. [cheering] Then a few days later I received 200 pods of coffee plus a brand new milk frother. [laughter] Retail value 119 dollars. I didn’t really care for the frother because I wasn’t really a cappuccino person [laughter], but I tried it out and it turns out it’s really amazing, so thank you [laughter], fraudster overgiver. I have upgraded to cappuccino. Remarkable, really. But more importantly, [laughs] I found them. [cheering] I found them. Right? And so by looking at these 2 brand new accounts, buying from these 2 accounts, opened roughly the same time, I’d managed to locate them. Right? They were, yes, using the same images. Yes, using the same descriptions. I tried to write them emails and chat back and forth, ask for different flavors of coffee, sometimes just to say hello. But they never wrote back. I also did, by the way, look on eBay’s reports page to try to report these accounts, because I realized that this is not good. I shouldn’t participate in this. Right? So it turns out you can’t report fraud on eBay’s website if you actually receive the item. So there’s a thing for “didn’t receive the item.” There’s a thing for “damaged goods received,” but there’s nothing for “I got extra stuff and I’m trying to report this.” Right? [laughter] So it didn’t work out. So anyway, okay, so I give up.

So okay, so we’re now 3 orders deep in my research campaign. I isolate 2 other closely paired sets of accounts. I completed another 2 purchases, and the first order arrives again. 200 pods. 200 more pods. Alright? So I get twice the amount of coffee again. But the second one, something finally interesting happens: the fraudster wrote me a letter. It looks like this. “Hello friend, first thanks a lot because you choose my listing to buy. Second, I’m so so sorry because this product is not in best condition so I can’t send it to you because I always want everything best for you. My mom has sick on hospital now so I can find any other item in best condition to ship to you and I have to go to the hospital with her now so I hope you understand for me and let me cancel oder. Thank you and god bless you!” What a nice guy. And my money was refunded to me. So of course I replied, “I’m super sorry your mom is sick, I will order again in the future.” That account did close about a week later. I was weirdly sorry to see it go. [laughter] But it was a super polite fraudster and I really hope his mom is okay. [laughter]

On the research side, I took that letter of course as data. I spent a few hours searching for a tool. In my wild imagination I was hoping that perhaps someone had created an English-language grammatical error guesser. Right? And that it would somehow be a crappy version of Google Translate, except it would attach what other language might be making these mistakes. Turns out that tool doesn’t exist. Project for you. [laughter] In its place, and in a moment of poor judgement, I decided to ask my friends who speak other languages whether or not these errors looked familiar. Nobody seemed to know what I was talking about, and it started to feel a little racist. [laughter] So I stopped that line of inquiry pretty fast. But I’m also, you know, broadly aware that fraudsters will emulate not being able to speak English to kind of throw you off their trail, so I don’t actually know whether or not they’re domestic or located in the U.S. So anyway, at this point the whole coffee thing had gotten way out of hand. My conscience [laughter] is weighing on me. My kitchen is a complete disaster and it’s time to stop this game. It really is. So I don’t need that much coffee, and I was at about a hundred dollars per data point. Like each time I’m paying about a hundred bucks to learn more about these people. I am not independently wealthy. This is not a sustainable venture.

So okay, so here’s the final tally. This is a version of my spreadsheet. All of those accounts are dead now. So 5 attempted purchases, 4 were successful. 1200 pods total. 1 frother. 1 espresso machine. I spent just under 400 dollars. The value again, not on sale, Nespresso has good sales by the way, just under a thousand dollars of goods received. In October I took all this data that I’d collected, complete with the names, the invoices, the accounts, and everything that I had in paperwork, and I sent it all to the FBI to try to see if they could figure out something to do with it. I also reported all of this to eBay and anybody else who would listen. I never got any response back from the FBI, but 30 days following that report the activity seemed to stop. So maybe something happened. As far as finding out who these people were, I didn’t have very much. I really wanted to uncover some kind of cool underground credit card scheme from Morocco or something. But it didn’t happen. None of that was in the offing. But this isn’t a hero story, right? It’s a confession.

So here’s what I learned. When I started telling people this story, when I started explaining what was happening to me, people often told me that this was a victimless crime. The more I thought about it, that’s just not true. Right? The little I do know about George from Poughkeepsie, because I did a lot of research on him to try to figure out if I could contact him, and some of the other account names, is that they were all over or at retirement age. We’re talking about a vulnerable population here. Right? And these aren’t victimless crimes. The victims don’t know how to mitigate the damage that’s happening to them. They don’t even know it’s going on. Recovery from identity theft works for people who are equipped to deal with it, but not the elderly. And so we’re just not far enough along in this nation trying to figure out how to protect those people. 2, for this kind of scheme it’s easy to be unknowingly complicit. It’s also super easy to be knowingly complicit. And this is a story about thresholds. So under a certain threshold, the incentive is to cheat. eBay doesn’t care. Nespresso doesn’t care. At the end of the day you’re getting your goods for cheap, so your incentive is to cheat as well. If it exceeds the threshold, everybody gets excited. But before then it’s all priced into the market. The insurance cards have got it. Everyone’s got it covered. eBay’s got themselves covered. And so really the only person who is going to stop it is you or me. And I’ve stopped. I won’t do it anymore. It’s not okay. All I have left is this confession and my promise to walk away from all of this. And I have a lot of coffee. [laughter]

But maybe one last good thing I can do, so up for auction is this wonderful, gently used Nespresso machine. [laughter and applause] Whatever coffee is left, you can have it. Bidding at, this is a terrible idea, by the way. Bidding starts right now, as soon as I can post it on my Twitter account. Just go ahead and bid. It’s cash only. The bidding: tomorrow at 10 am. You can come pick it up at Tamper Evident Village by the box. Please bring. Don’t be a jerk and bid and then not show up. All of those proceeds will go to the Diana Initiative. And I promise you’ll watch all of that transaction. It will be totally transparent. It’ll be online. But definitely, if you don’t show up, you’ll have the force of public opinion, and if this all falls apart, well, it’s DEF CON anyway. That’s my Twitter handle. It’s nothing like my handle, but I don’t know, I will flash this again, but I just wanted to say one last thing, which is thank you. You guys are awesome. And a shout out to my Mom and my Dad. Alright, so that’s my Twitter handle, so if you’re interested in owning this little baby, it’s all yours. Bidding starts at a dollar. Just wait for me to go ahead and raise the Twitter account. Thanks. [applause]
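The seller-triage heuristic the talk describes (new account, zero feedback, price far below the brand's own, plus reused descriptions and photos across accounts), written up here as a defender's script over constructed listing records; this is an added example, not code from the talk or from eBay, and the field names, thresholds and sample sellers are assumptions.

```python
from __future__ import annotations
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

@dataclass
class Listing:
    seller: str
    account_opened: date
    feedback_count: int
    description: str
    image_bytes: bytes  # constructed stand-in for the listing photo
    price: float
    retail: float

# Heuristic thresholds: assumptions for this example, not eBay's rules.
MAX_ACCOUNT_AGE_DAYS = 30   # "relatively new" account
MAX_FEEDBACK = 0            # "0 rating"
MAX_PRICE_RATIO = 0.75      # far below what the brand charges directly

def risk_signals(l: Listing, today: date) -> list[str]:
    """Return which of the three talk-derived signals a listing trips."""
    signals = []
    if (today - l.account_opened).days <= MAX_ACCOUNT_AGE_DAYS:
        signals.append("new_account")
    if l.feedback_count <= MAX_FEEDBACK:
        signals.append("zero_feedback")
    if l.price / l.retail <= MAX_PRICE_RATIO:
        signals.append("deep_discount")
    return signals

def content_fingerprint(l: Listing) -> str:
    """Hash normalised description plus photo so listings reusing both share a key."""
    norm = " ".join(l.description.lower().split())
    h = hashlib.sha256(norm.encode())
    h.update(hashlib.sha256(l.image_bytes).digest())
    return h.hexdigest()[:16]

def triage(listings: list[Listing], today: date):
    """Flag listings tripping all three signals; cluster them by fingerprint across sellers."""
    flagged = [l for l in listings if len(risk_signals(l, today)) == 3]
    groups: dict[str, set[str]] = defaultdict(set)
    for l in flagged:
        groups[content_fingerprint(l)].add(l.seller)
    # Only fingerprints shared by more than one seller suggest a paired set of accounts.
    clusters = {fp: sorted(s) for fp, s in groups.items() if len(s) > 1}
    return flagged, clusters

# Constructed sample data (sellers, dates and prices are invented for this example).
TODAY = date(2018, 9, 1)
PODS = "200 Nespresso OriginalLine capsules, assorted flavors"
SAMPLE = [
    Listing("sue_chicago", date(2018, 8, 20), 0, PODS, b"IMG-A", 99.0, 140.0),
    Listing("coffee_deals_77", date(2018, 8, 26), 0, PODS.upper() + "  ", b"IMG-A", 99.0, 140.0),
    Listing("longtime_roaster", date(2012, 3, 1), 1500, PODS, b"IMG-A", 125.0, 140.0),
    Listing("new_but_fair", date(2018, 8, 28), 0, "Nespresso pods, 200 count", b"IMG-C", 135.0, 140.0),
    Listing("mystery_pods", date(2018, 8, 15), 0, "Nespresso pods 200 ct", b"IMG-B", 95.0, 140.0),
]
```

Run `triage(SAMPLE, TODAY)` to see the three flagged sellers and the one cluster (the two accounts sharing a description and photo); the long-established seller and the new-but-fairly-priced one are left alone.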
