Triangle credit card fraud, resulting in chargebacks on Shopify. Is eBay complicit?

A store I work on recently got hit by this. We had more than AUD$50k of "unfriendly" chargebacks in February that upon investigation, directly matched a pattern of eBay "triangle fraud".

The fraud from my investigation & research:

  • Parties involved:
    • ecom merchant (us)
    • eBay buyer (unknowingly used as a pawn in the fraud)
    • credit card owner (some unlucky anon person)
    • eBay lister (fraudster)
  • Method:
    • eBay lister discovers some high-demand, high-value ecom products, and re-lists them on eBay "new, free shipping" at an extremely good discount over anything legit. A "too good to be true" price point.
    • a legit eBay buyer finds a product on eBay, sees a seller with some existing 5* feedback, hits buy now, uses a real (not stolen) credit card and checks out on eBay
    • eBay lister (fraudster) turns around and drop-ships the product from the ecom store, paying instead with a stolen credit card
      • new email address each time (which fraudster monitors)
      • dummy phone number
      • name + address is copy-pasted from the eBay buyer
    • vulnerable ecom stores (with no fraud process in place) see payment, hit dispatch
      • tracking details auto-sent out to email on ecom order, which is likely monitored by fraudster
      • sometimes an additional step in here is a "parcel redirect" where a parcel is redirected to the actual address, to bypass a billing/shipping/credit-card address match requirement on checkout.
    • eBay lister (fraudster) sometimes even copies tracking details over to the eBay buyer as an eBay message
    • eBay buyer then receives the order, they are satisfied. They got good product at a great price, purchased with their own legit card, on eBay from what seemed like a legit seller with good ratings.
    • the stolen credit card owner notices (or is alerted to) a suspicious-looking transaction from their bank.
      • CC owner then contacts their bank, then initiates a fraud claim, which results in the bank actioning chargebacks.
      • Typically a day to a couple of months after the order has been paid/dispatched
    • the ecom store then receives a chargeback, which will undoubtedly be declined by the bank if they try to dispute.
    • the eBay lister (fraudster) gets away with their PayPal withdrawals, with their payments coming from legit cards

Preventing it:

In my case it was a combo of changing High Risk order handling automatic rules, and also playing whack-a-mole with fraud eBay listings with VeRO / DMCA takedown requests based on trademark violations.

Bizarrely, eBay is super quick to respond to trademark violations. But if you try to lodge anything close to a dropshipping/credit-card fraud report, they throw up their hands and say "I dunno, can't see it", if you are lucky enough to get a response at all.

Going back a bit:

We were only alerted a while back when a scheduled payout did not occur, due to our payment gateway pausing payouts due to a high rate of chargebacks. It was really tricky to get to the bottom of what was happening and where these were coming from; it involved basically googling some of the names, calling them and getting their eBay receipts and discovering where it was all coming from.

Here's some more info:

What is eBay doing?

It seems like they are doing nothing to prevent this type of fraud. Doesn't matter that it's on their marketplace, large scale, right under their noses, they don't seem to give a shit. Is eBay complicit in enabling this specific type of fraud ring to operate? Personally I think they should be held liable to some extent. Put simply, eBay is happy to accept sale commissions even when product is being dropshipped using stolen credit card info.

So we have done what we can as an ecom store to take more responsibility and to protect ourselves. But I think there is an aspect of liability on eBay here. This whole thing seems very close to criminal negligence on eBay's part; this should be something they are able to prevent with better fraud mechanisms. Criminal negligence? Class-action lawsuit maybe?

Anyway thought I'd share my experience. Anyone else had similar happen?

submitted by /u/chewster1
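
The indicators listed in the post (fresh email, dummy phone, recipient details that differ from the cardholder's, a parcel redirect) can be combined into a hold-for-review rule. The following is an added example, not part of the original post and not Shopify's own rule engine; the field names, thresholds and sample orders are assumptions constructed for illustration.

```python
import re

HIGH_VALUE_AUD = 300.0   # assumed threshold; tune to your catalogue
HOLD_AT = 4              # assumed: signals needed to hold for manual review

def _norm(s):
    return re.sub(r"[^a-z0-9]", "", (s or "").lower())

def is_dummy_phone(phone):
    digits = re.sub(r"\D", "", phone or "")
    # Too short, nearly all one digit, or a plain ascending run.
    return (len(digits) < 8 or len(set(digits)) <= 2
            or digits in "01234567890123456789")

def triangle_signals(order, known_emails):
    """Return the triangle-fraud indicators present on one order."""
    checks = [
        ("first-seen email", order["email"].lower() not in known_emails),
        ("dummy phone", is_dummy_phone(order.get("phone"))),
        ("cardholder name differs from recipient",
         _norm(order["billing_name"]) != _norm(order["shipping_name"])),
        ("billing address differs from shipping",
         _norm(order["billing_addr"]) != _norm(order["shipping_addr"])),
        ("high-value order", order["total_aud"] >= HIGH_VALUE_AUD),
        # Redirect after dispatch defeats an address match done at checkout.
        ("parcel redirect requested", bool(order.get("redirect_requested"))),
    ]
    return [name for name, hit in checks if hit]

def should_hold(order, known_emails):
    return len(triangle_signals(order, known_emails)) >= HOLD_AT

# Constructed sample data (not real customers or orders).
KNOWN_EMAILS = {"returning@example.com"}
def _order(**kw):
    base = dict(email="returning@example.com", phone="0491 570 156",
                billing_name="Pat Lee", shipping_name="Pat Lee",
                billing_addr="1 Example St, Perth", shipping_addr="1 Example St, Perth",
                total_aud=450.0, redirect_requested=False)
    return {**base, **kw}

LEGIT = _order()
GIFT = _order(shipping_name="Sam Lee", shipping_addr="9 Sample Rd, Hobart")
TRIANGLE = _order(email="new8841@example.net", phone="0400000000",
                  shipping_name="Alex Wu", shipping_addr="5 Demo Ave, Cairns")
REDIRECT = _order(email="new2210@example.net", phone="12345678",
                  redirect_requested=True)
```

A gift order from a returning customer trips three signals and ships normally, while both the copy-pasted-recipient order and the redirect variant reach the hold threshold.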