• 80 results
  • 1
  • 2
Posted by Rorie (2931 posts) -

People often ask me what I do around here, and it's a valid question, since so much of what I do is not publicly visible. Needless to say, there's a lot of weird stuff that Giant Bomb has going on in the background that other sites in the CBSi family don't have to deal with, largely because many of them don't feature subscription services, nor do they have storefronts through which they sell merchandise. So I figured I'd start writing the occasional blog about what keeps me busy on a day to day basis.

Lately it's been monitoring our store. You may have used the store in the past to get a t-shirt or poster or something, and if you did, then thanks! We don’t make a huge amount of money from the store, since we generally try to offer merchandise of a decent level of quality without making the prices too crazy, which means our costs are pretty close to the list price of most of the items we offer. We make some money on each order, but no one’s taking baths in Cristal or anything.

Normally, that’s all fine and good, except when we start getting people trying to make fraudulent orders, as has been happening with increasing frequency of late. Our store is run through Shopify, which automatically takes a look at each order and pops up various flags based on suspicious activity, such as billing address not matching where the credit card’s registered and CVVs not matching.

EDIT: To be clear, none of the below should be taken as an indicator that Giant Bomb has any kind of security issue with its store. We don't even have access to your credit card numbers; everything we do is through third-party vendors that keep all that stuff locked up good and tight. People are using credit card numbers they've stolen elsewhere; felt like a good idea to make that clear.

Those are both pretty good indicators that someone’s using a stolen credit card to place an order, especially the mismatched CVV. The CVV’s the little three-digit code on the back of the card that you’re usually asked to enter when placing an order online; the Payment Card Industry Data Security Standard prevents it from being stored, so when credit card records are breached, hackers usually just get the card number but have to make a guess at the CVV. It’s pretty rare that anyone using a valid card won’t know or be able to access their CVV, since it’s right there on the back of the card, so mismatched CVVs are usually an excellent indicator that an order is fraudulent.

(As an aside, I’m also the guy who has to report on our PCI compliance, which involves wonderful things like payment data flow diagrams and something called a PCI DSS SAQ. It’s pretty thrilling stuff.)

Anyhow, there are enough steps in our ordering chain that sometimes a fraudulent order will slip through, which will generally lead to a chargeback later on down the line. Since we keep records of where we ship, we can supply those to Paypal to prove that an order was shipped and signed for, which usually result in Paypal contesting the chargeback with the credit card company, after which I have no idea what happens. I presume that credit card companies simply eat a certain number of fraudulent charges as part of the cost of doing business.

Recently, though, there’s been a bit of an uptick in fraudulent orders to the store, mostly being placed from Venezuela with shipping addresses in southern Florida. From what I can tell, it looks like there’s some kind of well-organized credit card scamming gang that rip off tons of credit card numbers and convert them into physical goods before the numbers are shut down. That might sound paranoid, but googling some of the shipping addresses have led to things like Yelp listings for the businesses there, which in turn lead to plenty of reports of other merchants reporting the addresses being associated with stolen CC numbers. I guess someone in Venezuela or Miami really likes Giant Bomb, because they’ve been ordering plenty of merchandise over the past few months. Or they just use it to smuggle cocaine, or something. Edit: Someone on Twitter suggested that they might just be trying to place small orders to see which credit card numbers were still active before using them for large purchases elsewhere, which makes sense.

So, I’ve been trying to keep track of all the orders that are coming in and have been manually cancelling anything that looks suspicious. That hasn’t stopped the orders from coming in, of course, even though I make sure to send emails back indicating that the orders were cancelled because they’re suspected to be fraudulent. Not that anyone’s reading them; I’m pretty sure the email addresses are as fake as the orders themselves.

What’s interesting is that the orders from southern Florida have mostly subsided (with a few exceptions) in favor of orders from places like Lithuania, Tunisia, Albania, and other exotic locales. It’s interesting to see the purchasing habits of people who’re playing with other people’s money. One order was for a single t-shirt and a hoodie, but still managed to be $236 thanks to a mammoth $181 shipping charge. (If you’re ordering from eastern Europe, you might want to opt for something cheaper than overnight shipping.) What’s curious is that a lot of these new orders are passing the CVV checks. Presumably this means that these orders are being placed from credit cards that were actually physically stolen, or perhaps issued by legitimate vendors based on fraudulent applications.

I’ve been refreshing the orders page pretty regularly lately, examining all of the orders coming in, and cancelling all the fraudulent ones; at this point I'm pretty sure that I've pissed someone off, because the frequency has increased to the point where over half of all orders coming in are fraudulent, with over $1200 in fraudulent orders in the last couple of days alone. I’m not going to go into the criteria I use to detect suspicious orders, but suffice to say that the “is this order legitimate” game is pretty fun sometimes, especially since I rarely play actual games at work nowadays. Undoubtedly there’ll be a legitimate order that I accidentally cancel at some point, so if you wind up getting an order cancelled mysteriously, let me know and I’ll look into it. I'm looking into some Shopify apps that add a second level of protection against fraudulent orders in the meantime.

And that’s one of the things that I've been up to. So there!

Staff
#1 Edited by subrandom (117 posts) -

Rad. Also a bummer you don't write more forward facing stuff that often, you can still string some words together pretty damn well. Anyway, i find it super interesting to hear about jobs people have that are a little less common no matter how "flashy" or not they may be. Keep it up.

#2 Edited by Kaiserreich (705 posts) -

Just here for the puppies.

#3 Edited by ILikePopCans (755 posts) -

Huh, interesting stuff Rorie. Would not expect you to do something like that, figure that would be someone else job. Around how many orders are going in on a average day, if I may ask?

#4 Posted by PatVB (331 posts) -

Wow, I wouldn't have figured GB would see that level of fraud. Good looking out, Rorie!

PS: excellent image choices!

#5 Posted by Wrighteous86 (3782 posts) -

Who needs Papers, Please? when you can just play Is This Order Legitimate?

#6 Posted by Matoyak (290 posts) -

Actually pretty interesting stuff (Even if PCI DSS SAQ is an acronym I wouldn't want to meet in a dark alley). Always cool to learn about actual day-to-day workings of places like Giant Bomb. Thanks for sharing. :)

#7 Posted by roninhack (37 posts) -

Wielding the ban hammer well, sir. Thanks for fighting the good fight.

#8 Posted by zudthespud (3281 posts) -

It's really cool having you here Rorie, nice to know what you've been up to.

#9 Posted by ThunderSlash (1752 posts) -

These people are super ingenious when it comes to credit card laundering. There was a story a while back that detailed how they were buying Team Fortress 2 crate keys with the stolen cards and reselling the keys for Paypal money.

#10 Posted by tbecker38 (5 posts) -

Speaking of fraudulent activity, the real Matt Rorie would never write a thousand words without referencing puppies.

#11 Posted by Chop (1999 posts) -

Really cool read. I love hearing about back end stuff like this.

#12 Posted by DrDarkStryfe (1119 posts) -

Credit card fraud is on a huge uptick. We deal with a good three to four attempts a week anymore at my place of employment. It is starting to get a little out of hand.

#13 Posted by eccentrix (1569 posts) -

This is all super interesting. Thanks, Rorie!

#14 Posted by SSully (4199 posts) -

So that is why my 300+ dollar order for a shirt and hoodie never came. Damn you Rorie!

#15 Posted by benjo_t (152 posts) -

This was an interesting read, I look forward to more.

#16 Posted by Jabronie (21 posts) -

You don't understand, I need that hoodie immediately!!!

#17 Posted by Mento (2561 posts) -

It's kind of a shame GB has one of their best writers doing administrative work like this, but at least we get some cool stories of what life is like in the online t-shirt store trenches. Keep up the good work, Rorie.

Moderator
#18 Posted by Marokai (2986 posts) -

This is really crazy behind-the-scenes stuff. I feel a little bad for enjoying hearing about it when I know it causes you such a headache!

#19 Posted by MAGZine (438 posts) -

nothing more interesting than pci dss.

#20 Posted by beepmachine (618 posts) -

@rorie sounds like your own personal version of Papers Please. Thanks for all you do to further the cause of Glorious Giant Bomb!

#21 Posted by OneAndOnlyBigE (439 posts) -

As someone who works for a financial technology services company, I'm well versed in PCI compliance. Fun stuff.

#22 Posted by bkbroiler (1628 posts) -

So these fraudulent orders are from people who really, actually want Giant Bomb merch? Or are they somehow making money off the stuff they buy? Both realities seem absolutely nuts.

#23 Posted by Rorie (2931 posts) -

So these fraudulent orders are from people who really, actually want Giant Bomb merch? Or are they somehow making money off the stuff they buy? Both realities seem absolutely nuts.

Someone on Twitter pointed out that these are likely just test purchases where people are trying out card numbers to see which ones work before using them for huge purchases elsewhere, or reselling them. Sounds plausible.

Staff
#24 Posted by Ben_H (3366 posts) -

You didn't accidentally cancel my order for a sweater so it's all good for me. My order is on the way right now.

#25 Posted by ghoti221 (45 posts) -

My condolences - PCI and dealing with online shopping issues (from the service providers side) is always a pain.

#26 Posted by Tireyo (6426 posts) -
#27 Posted by arawk (190 posts) -

Thanks!

#28 Posted by csl316 (8770 posts) -

The PCI compliance system has 12 steps, which is 1.. 2...... 3 puppies worth!

Which is the grade I would give that web page's design.

#29 Posted by Little_Socrates (5677 posts) -
#30 Posted by MormonWarrior (2599 posts) -

Cool article. That's nuts how much fraud/attempted fraud goes on every day, and in such random places as the Giant Bomb store. Thanks for all your efforts!

And, my puppies: (Sophie, left, and Teddy, right)

#31 Edited by BoneChompski (213 posts) -

I think there are online vendors who are compromised and they never report the theft of their data out of fear of losing business. I've had two credit cards used for fraudulent purchases at different times, one of which was caught immediately and the other which the CC company made me eat of all outcomes. Either that or there are insider thefts at online retailers and meatspace retailers as well. Pretty easy to photograph both sides of a credit card quickly if you have access to one at your place of employment.

#32 Posted by TournamentOfHate (448 posts) -

This just worries me that somebody higher up is going to be like "Why are we paying you to go over orders that don't even make us money even if they're legit?" Then we lose the chance to buy GB merchandise(it just seems like the anti-management talk has been getting more frequent lately, and I don't want them forcing their hand into what GB does, and really I just hate to see how much it bothers you guys).

#33 Posted by forteexe21 (384 posts) -

Are the address always different? Cause i imagine itll be easy to block if its from a single address. Anyway, that sounds really bad and hope you find an easier way to filter those than manually checking each one.

#34 Posted by Overnumerousness (8 posts) -

Super Fascinating! Seriously Rorie, as someone who runs app support as well, this was an awesome read.

#35 Posted by The_Laughing_Man (13629 posts) -

Give us the fake delivery addresses and we can mess these guys up!

#36 Posted by noizy (669 posts) -

Yea. Getting credit card numbers is easy. Getting the CVV is harder.

#37 Posted by Rorie (2931 posts) -
Staff
#38 Posted by Rorie (2931 posts) -

@subrandom: Thanks. Yeah, I've been trying to write more. I have a bunch of half-written blog posts from my unemployed days that could probably be repurposed.

Staff
#39 Posted by Rorie (2931 posts) -

@ilikepopcans: Depends on the day. Usually no more than five-ten. It's not a high-volume operation, but then we haven't added any new merchandise in the last few months.

Staff
#40 Posted by Rorie (2931 posts) -

@mento: I find pretty much everything I do to be pretty interesting, and at any rate someone's gotta do it! Better me than Vinny or Jeff having to worry about this stuff.

Staff
#41 Edited by Rorie (2931 posts) -

@mormonwarrior: Cute! Do you always keep one shaved to help tell them apart?

Staff
#42 Posted by Toxeia (729 posts) -

What I'm gathering from this is that Giant Bomb merch ships with free cocaine. I better order me some hoodies.

#43 Posted by Mento (2561 posts) -

@rorie: Well, it was more of a "shame this has to be the way of things seeing as Giant Bomb's resources being stretched thin enough already" statement than a "shame the guys in charge are idiots and won't hire Rorie to write puppy reviews" one. It sounds like challenging work, at least. How similar is it to your producing work with Obsidian? (That is if you're allowed to talk about what you got up to.)

Moderator
#44 Edited by BisonHero (6569 posts) -

Haha, this read was more interesting than I expected it to be. Sure you're not sharing too much, Rorie? The compromised/hacked staff account issue from a few months ago comes to mind; why does CBSi's cyber crime unit/legal team/whatever handle that guy, but not these fraudulent orders?

#45 Posted by Ravenlight (8040 posts) -

Please blog about what you're up to more often! This was a super interesting read!

#46 Posted by yoldo1 (3 posts) -

That was an interesting read! Please post more.

#47 Edited by MormonWarrior (2599 posts) -

@rorie: No need. Sophie is my sister's dog and is always suuuuuper skinny. Teddy's getting old and sort of fat and is quite a bit bigger (relatively speaking) even though the photo doesn't show that well. He's a very special dog to us. We have a couple of dachshunds too, both sisters.

#48 Posted by rickyyo (143 posts) -

@rorie: Hey Rorie you mentioned Venezuela in this article. My mother is Venezuelan and is currently living there. Right now there is a lot of political turmoil, stealing, and murder. I'll ask her what the procedure for that kind of stuff is and why someone over there might do it. It seems like you nailed the right answer which is to verify whether the card they stole is legit. It just seems weird they would target the Giant Bomb store.

#49 Posted by The_Nubster (2175 posts) -

This is super interesting to read. Looking forward to more of it in the future! I always love me some inner baseball (that's a phrase, right?) from the places that I spend time at.

#50 Posted by Rorie (2931 posts) -

@rickyyo said:

@rorie: Hey Rorie you mentioned Venezuela in this article. My mother is Venezuelan and is currently living there. Right now there is a lot of political turmoil, stealing, and murder. I'll ask her what the procedure for that kind of stuff is and why someone over there might do it. It seems like you nailed the right answer which is to verify whether the card they stole is legit. It just seems weird they would target the Giant Bomb store.

I was reading something on this, and apparently some of the places in south Florida are used by people overseas who want to order stuff from the States but don't want to pay large shipping fees. So apparently some of these places consist of actual buyers who'll get a bunch of merchandise, ship all of it at once, and then reship it to the individual buyers back in the other country to cut down on costs. No idea if it's true or not!

Staff