Coathangers for £140? An Etsy Hack

I heard from someone yesterday who had their Etsy account hacked. The first they saw of it was rapid transactions for purchases from their account appearing on their banking app. These were all in the range of £50 to £100, and there were many of them.

The person tried to contact Etsy, but only received a ticket saying that Etsy would get back to them within 24 hours. Luckily they also called their bank, who were able to catch the transactions as they went through. The bank could see exactly what the suspect transactions were, immediately stopped them, and reassured the person.

The way the fraud seems to work is that the scammers set up fake shops on Etsy and then purchase their own goods from them using the hijacked account. Money is quickly transferred to the scammer’s bank account and then moved quickly on to money launderers. These accounts may actually be compromised bank accounts, or ones that the scammers have managed to create for short-term gain. The shops are, of course, fake, and the shop names are fairly generic. Here is one, which has two sales (both related to the scam):

But some of the shops used for the purchases are still on-line. The following was one of the transactions that did not go through, but the shop is still available:

The shop and the seller have now been taken down. Overall, the fraudsters get around detection of their country of origin by using VPNs and proxies. In this case, the log of the details showed various places in the UK:

And here is one of the purchases — two coathangers for £140 (!!!!!):

But it makes you think, and here are some of the flaws:

  • Etsy doesn’t ask for a CVV number when a purchase is made. In this case, the credit card details were not compromised; it was just the account. While storing the CVV number is great for ease of use, it is not good for security. Under PCI-DSS, an e-commerce site should not store all the details of the credit card on the site and should leave some details to be prompted for. Unfortunately, many sites do not implement this, including Amazon.
  • There is no two-factor authentication on the site. This must become a standard for all e-commerce sites that store your credit card details. Many users feel reassured when they have to confirm something from their mobile phone, even if it is just an SMS message. The extra difficulty this adds for a scammer significantly slows them down.
  • Etsy should have a hotline for fraud. The stress caused to users is high, and every minute users can see new transactions going through. I do not understand why there isn’t an immediate hotline connection to Etsy that can put a stop on a user’s account.

There are other questions that relate to this:

  • Surely coathangers selling for £70 each look a bit strange? All of the other goods, e.g. a Rubik’s cube, were selling in the £50-£100 range and look extremely overpriced.
  • Surely sellers with no feedback yet should have additional checks on the sales, and multiple transactions on the same account to new sellers should be checked.
  • Where is the feedback from the site to the buyer that something strange is going on?
  • How are the scammers able to create fake bank accounts?
  • How were the fake sellers not detected on the site? There was no photograph of the seller or details of the shop given. It is obvious they were quickly faked.
  • Etsy should have in place detection software that detects a rapid run of purchases and puts a pause on them. I appreciate that this might have eventually kicked in, but there was no sign of it in this case.
  • Did Etsy employ other methods to check the transactions, such as location tracking on the IP address? While they were all UK-based, they were from different places in the UK. Surely if someone was purchasing on the site in a short time, the locations would all be the same?
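The checks suggested in the list above (new sellers with no feedback, a rapid run of purchases, goods priced far above normal, and order IPs that geolocate to different cities within minutes) are simple to express as rules over a buyer's recent orders. The example below is added here and is not Etsy's code or anything from the original post; it runs over a handful of constructed orders modelled on the incident, with thresholds, item reference prices, city names and shop names all assumed for illustration, and recommends pausing the account when two or more independent signals fire.

```python
"""Added example: rule-based detection of a hijacked-buyer purchase run.
All orders, prices, thresholds and names below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Order:
    ts: datetime
    seller: str
    seller_feedback: int   # reviews the seller has received; 0 = brand-new shop
    item: str
    price_gbp: float
    geo_city: str          # city the order's IP address geolocated to


# Thresholds are assumed values; a real platform would tune them to its own baseline.
VELOCITY_WINDOW = timedelta(minutes=30)
VELOCITY_MAX = 3            # more than this many orders in one window is suspicious
PRICE_OUTLIER_FACTOR = 5    # more than 5x the typical price for the item is suspicious
GEO_WINDOW = timedelta(minutes=30)


def velocity_alert(orders: List[Order], window: timedelta = VELOCITY_WINDOW,
                   limit: int = VELOCITY_MAX) -> Optional[Tuple[datetime, int]]:
    """Return (window_start, count) for the first sliding window holding more than
    `limit` orders, or None if the buyer's pace looks normal."""
    ordered = sorted(orders, key=lambda o: o.ts)
    for i, first in enumerate(ordered):
        count = sum(1 for o in ordered[i:] if o.ts - first.ts <= window)
        if count > limit:
            return first.ts, count
    return None


def new_seller_alerts(orders: List[Order]) -> Dict[str, int]:
    """Count orders placed with sellers that have no feedback yet; repeat orders to
    the same brand-new shop are the pattern seen in the incident."""
    counts: Dict[str, int] = {}
    for o in orders:
        if o.seller_feedback == 0:
            counts[o.seller] = counts.get(o.seller, 0) + 1
    return counts


def price_alerts(orders: List[Order], reference_prices: Dict[str, float],
                 factor: float = PRICE_OUTLIER_FACTOR) -> List[Tuple[str, float]]:
    """Flag items priced far above the platform's typical price for that item."""
    return [(o.item, o.price_gbp) for o in orders
            if o.item in reference_prices and o.price_gbp > factor * reference_prices[o.item]]


def geo_alert(orders: List[Order], window: timedelta = GEO_WINDOW) -> Optional[Set[str]]:
    """Return the distinct cities seen inside the first window that spans more than
    one city (one person rarely orders from Leeds and Glasgow minutes apart)."""
    ordered = sorted(orders, key=lambda o: o.ts)
    for i, first in enumerate(ordered):
        cities = {o.geo_city for o in ordered[i:] if o.ts - first.ts <= window}
        if len(cities) > 1:
            return cities
    return None


def assess(orders: List[Order], reference_prices: Dict[str, float]) -> Dict[str, object]:
    """Run every rule and recommend a pause when two or more independent signals fire,
    so that one odd-but-legitimate order does not lock a genuine buyer out."""
    findings: Dict[str, object] = {
        "velocity": velocity_alert(orders),
        "new_sellers": new_seller_alerts(orders),
        "overpriced": price_alerts(orders, reference_prices),
        "geo_spread": geo_alert(orders),
    }
    fired = sum(1 for v in findings.values() if v)
    findings["recommend_pause"] = fired >= 2
    return findings


# Constructed sample: one normal order two days earlier, then a burst of four
# overpriced orders to two zero-feedback shops from three different cities.
T0 = datetime(2022, 1, 10, 10, 0)
SAMPLE_ORDERS = [
    Order(T0 - timedelta(days=2), "knitwear_shop", 240, "scarf", 18.0, "Manchester"),
    Order(T0, "shop_a", 0, "coathangers x2", 140.0, "Manchester"),
    Order(T0 + timedelta(minutes=4), "shop_a", 0, "rubiks cube", 75.0, "Leeds"),
    Order(T0 + timedelta(minutes=7), "shop_b", 0, "mug", 60.0, "Glasgow"),
    Order(T0 + timedelta(minutes=11), "shop_b", 0, "notebook", 95.0, "Manchester"),
]
REFERENCE_PRICES = {"scarf": 15.0, "coathangers x2": 6.0, "rubiks cube": 10.0,
                    "mug": 8.0, "notebook": 5.0}

if __name__ == "__main__":
    for name, finding in assess(SAMPLE_ORDERS, REFERENCE_PRICES).items():
        print(f"{name}: {finding}")
```

On the sample, all four rules fire and `recommend_pause` is true; on the lone scarf order none fire. Requiring two independent signals before pausing is the design point: velocity alone can be a genuine bulk buyer, and a single new seller alone is every honest shop on its first day, but the combination with price outliers and IP addresses hopping between cities is the signature the post describes.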

Conclusions

Please check your accounts where you have stored your credit cards. If your password is included in a hack, please change it as soon as possible. And enable two-factor authentication on your accounts.