Hacker News
‘Catch Me If You Can’ Scam Artist Has a Warning for Today’s Consumers (wsj.com)
110 points by SREinSF on Sept 22, 2017 | 72 comments

Why bother with check fraud that can get you in trouble, when people will give you millions willingly on a crowdfunding website for 3D renderings?


$ 2,438,203





And you're not even obligated to fulfil anything, just demonstrate you've "tried" enough!

And if you're bad at 3D graphics, then make an ICO instead. All it takes is a Bootstrap template and PDF with some arcane math formulas in it (not necessarily valid).

> not necessarily valid

Which successful ICO?

The first one is existing product(s) --- Google "magnetic USB cable" for plenty of examples --- probably all made by the same small set of factories in China.


None of these existed before the Kickstarter though and I've tried about 10 different ones in Hong Kong and they were all complete shit. (most "work" but don't fit properly and the magnets are too loose or too strong)

I don't know for sure, but I would think that there is likely some kind of difficulty in sending high-speed signalling through a magnetic field like that. I think there was a reason Apple only ever used MagSafe for power.

Why don't you hold a magnet next to a USB cable and see if anything happens?

It's funny how I intuitively noticed that all 3 were likely to be scams (or just unlikely to be shipped due to a team's inability to see it through to shipping) just from:

- a lack of consistent, high-quality brand identity; you can notice design tropes that a novice/underpaid graphic designer would use

- use of generic/non-exclusive stock photography (this woman - https://c1.iggcdn.com/indiegogo-media-prod-cld/image/upload/... - is a meme: http://knowyourmeme.com/memes/ariane-the-overexposed-stock-p...)

- plain kitsch: https://c1.iggcdn.com/indiegogo-media-prod-cld/image/upload/...

It's funny how we have been trained into thinking a product is sub-par because the team didn't spend a lot of money on marketing material.

At that stage, the product is its marketing. You're selling the promise, as there's no physical product to evaluate on your own, or widely available reviews of your product.

When a company is really invested in a product, they put a lot of work into it, often worth much more than the investment (in money, time, opportunity costs, mental energy etc). Scammers just want to pick the low hanging fruit.

Good marketing can be inexpensive, but it's not easy. Perhaps it's pick 3 of: cheap, effective, tasteful, easy.

Really? That tipped you off?

Not the fact the watch is breaking laws of physics (projecting black light), or shoes use a display that doesn't exist?

Both have been destroyed on EEVBlog and other technical forums in mere days of showing up on KS.

Kickstarter is at least trying to avoid that:


A $10 rendering is a good test of that though. Most people aren't going to work very hard to get $10 back.

When I did a Kickstarter for a client they didn't allow renderings, yet a week after a bigger brand did exactly that, used only renderings. The "rules" are very loose on KS and the projects that I've backed that failed (7 of them totalling 2000$) were all recommended by KS staff.

Yeah, they basically disclaim any responsibility for ensuring the projects get done. But the TOS are trying to establish that you have a contract with the project and thus should have some recourse to get your pledge back if they fail to deliver.

As above, that doesn't work all that well for small sums, but I think it doesn't encourage a free for all either.

Have any that you backed succeeded?

Of course, many, about 10 of them. The most prominent being Oculus Rift and RigidBot (though RigidBot went bankrupt due to severely underestimating shipment costs).

Not really, since that section places no time limit on when things have to happen, they are completely unenforceable. And even if they were, it's beyond the means of most people to actually go to court over the price they paid. IMHO the only purpose that section serves is to deceive potential backers into thinking they have some legal recourse.

GoFundMe scams are probably easier to pull off than Kickstarter scams.

But they're also fraud, which is riskier

> People go on Facebook and tell you what car they drive, their mother’s name, their wife’s maiden name, children’s name, where they’re going on vacation, where they’ve been on vacation.

Also, Equifax.

Equifax gets a lot of bad press because they made a ton of money while mismanaging people's personal information. Abagnale's point is that people go throwing most of that same personal information around with no regard to their privacy.

> Mr. Abagnale now puts his skills to use teaching FBI agents around the country about cybercrime, identity theft and fraud. “Frank has a unique ability” to communicate, says the special agent in charge of the FBI’s Charlotte, N.C., field office, John Strong, who has worked with Mr. Abagnale on multiple occasions. “The guy is a genius.”

His masterpiece scam?

You didn't finish the article. He spent age 21 to 26 in prison. That's long, and it's the years when people usually develop their life direction and opportunities.

That he didn't turn back to crime after spending that time of his life in the best school for crime is surprising. Good for him.

That anyone knows about. He's a smart guy. 5 years of sitting and thinking, "Hmmm, how could I do this better next time and not get caught...?"

Not sure that it works like that in the solitary confinement of a French prison.

Good point. I need to learn more about this guy.

The interview is very light on details. Is it really so plainly simple to draft from a person’s bank account using only the information on a check?

Yes. If you can trick senior citizens into giving you the information over the phone, you've got a legitimate business in the eyes of the banking industry.

This was a scam that caught my grandmother 10 years ago. The New York Times did a story on the industry:

State regulators have tried to protect victims like Mr. Guthrie. In 2005, attorneys general of 35 states urged the Federal Reserve to end the unsigned check system... But the Federal Reserve disagreed. It changed its rules to place greater responsibility on banks that first accept unsigned checks, but has permitted their continued use.

...In all, Wachovia accepted $142 million of unsigned checks from companies that made unauthorized withdrawals from thousands of accounts, federal prosecutors say. Wachovia collected millions of dollars in fees from those companies, even as it failed to act on warnings, according to records.


I documented my failed effort to get Washington Mutual to reverse the checks written against my grandmother's account:


Yet another reason to never ever use a big bank.

That article is horrible... I'm so sorry.

Yes. I've had my entire bank account emptied of 25,000 in the 1990s by someone of a different ethnicity and gender who had simply gone through a dozen drive-throughs of my bank in a different city to cash checks in about an hour in an amount under the one that would have required more attention (as explained to me by the bank). They simply wrote checks out for cash and used the memo "to purchase car". I lived in Austin and the thief did this in Houston. I don't know if this same scheme is possible today.

Who paid the piper on that one, you or the bank? Not familiar with the laws in Texas.

I had to sign a paper in the bank swearing I did not withdraw the money and would help the bank as a witness if they found the criminal and then they gave me the equivalent amount of money in my account. IIRC it was kind of weird because they had grainy video/photos of the woman committing the crime.

Don Knuth has considered it dangerous for years. http://www-cs-faculty.stanford.edu/~knuth/news08.html

Dangerous is relative. In the US you have roughly 60 days after a statement is received to escalate fraudulent transfers out of your account. If you file a complaint within this timeframe, your money will be returned. The problem of course is that if because that money was taken you miss your mortgage payment or car payment or student loan payment there could be associated fees from those lenders which you would be out. For businesses I think this timeframe may be as short as three days from the fraudulent transaction so in those cases it's a real problem.

Generally I recommend having two bank accounts, one which is rarely used other than for deposits and functions as a backup in the event your primary account is compromised. I also recommend not using a debit card and instead get the financial discipline to just pay off credit card balances each month and then use credit-cards for as much as you can from banks not tied to either your primary or backup checking account.

"In the US you have roughly 60 days after a statement is received to escalate fraudulent transfers out of your account."

You have 30 days from receipt of your bank statement. It's in the audio interview of which this article is an excerpt.

From the actual law:

"1. Unlimited liability applies. The standard of unlimited liability applies if unauthorized transfers appear on a periodic statement, and may apply in conjunction with the first two tiers of liability. If a periodic statement shows an unauthorized transfer made with a lost or stolen debit card, the consumer must notify the financial institution within 60 calendar days after the periodic statement was sent; otherwise, the consumer faces unlimited liability for all unauthorized transfers made after the 60-day period. The consumer's liability for unauthorized transfers before the statement is sent, and up to 60 days following, is determined based on the first two tiers of liability: up to $50 if the consumer notifies the financial institution within two business days of learning of the loss or theft of the card and up to $500 if the consumer notifies the institution after two business days of learning of the loss or theft."


"If a periodic statement shows an unauthorized transfer made with a LOST OR STOLEN DEBIT CARD"

That's very specific. When it comes to check fraud, I'm going to trust the guy who has spent his career working with the FBI on check fraud.

You can very easily avoid this by opening two bank accounts in the same bank and using online interface to transfer just as much as you need into your working account. Don't write or even create checks for the secondary account and don't disclose the account number to anyone for any reason.

>> using online interface to transfer ...

I see where you went wrong there. Have them disallow internet access to your accounts. Easy for you, easy for hacking.

I'm amazed what banks will re-enable with a simple phone call as long as you have a name, current address, SSN, and birthdate. But yes, it's a good step to take and makes it just that much harder to compromise an account so it's a good thing to do.

The odd thing is, most people have physical access to a local branch of their bank. I know those are closing as people do more stuff online, but that's my point. We're trading convenience for security. Apparently the banking system isn't all that secure to begin with, so moving it online may really be the wrong thing to do.

I prefer two separate institutions for one reason: things like the Equifax breach. If someone attempts to impersonate you at your bank they could gain access to both accounts. If you have a 'silent' account somewhere else, they'd need to do account recovery at that location as well. The odds of that happening tend to be much lower.

I also like having two institutions, since one of the biggest threats is ATM card skimming. More machines are moving to EMV, but it's trivial for someone to set up a fake ATM or skimmer, siphon up magstripe data and PINs, and drain accounts. While you are not responsible for fraud, most institutions will freeze the account for 30 days (which is legal) while they investigate.

If that checking account has money for your rent or credit card bills, it could be disastrous.

So I use a separate account at a separate institution for my "spending money". All I use it for is to withdraw money at ATMs.

Yes, but that is also why people with money don't keep it in their checking account. Checking accounts just hold the money that you need to pay your immediate bills. Your "life savings" flow through other savings, money market, and investment accounts. So if your checking account is compromised, you do lose some money and have some hassles to go through... but they aren't going to get everything else.

If you call your bank they will ask you for your account number (found on the check), Name (on the check), Address (on the check) and date of birth (not on the check), information about recurring deposit or last deposit (not on the check), and that's pretty much it. I always feel like this is something you can find out by buying someone a beer.

Once you have that first batch of data couldn't you forge the last deposit by depositing a small amount of money? After that you'd know when it happened and how much it was.

True, but that would make it pretty easy to find you unless you use someone else's account.

Yes, there is zero confirmation on stuff like ACH transfers, all you need is an account number, which is contained on the checks.

But how exactly does an ACH transfer work? I assume it can’t be done anonymously. Wouldn’t it be incredibly simple to find the culprit and reclaim the funds (using the article’s gas station clerk example)?

> But how exactly does an ACH transfer work?

If you want this from a developer perspective, the subject is discussed in great detail in the following blog post series.

How ACH works: A developer perspective - Part 1 => http://engineering.gusto.com/how-ach-works-a-developer-persp...

How ACH works: A developer perspective - Part 2 => http://engineering.gusto.com/how-ach-works-a-developer-persp...

How ACH works: A developer perspective - Part 3 => http://engineering.gusto.com/how-ach-works-a-developer-persp...

How ACH works: A developer perspective - Part 4 => http://engineering.gusto.com/how-ach-works-a-developer-persp...


HN Meta Discussion : https://news.ycombinator.com/item?id=7636066

I'm not a cybercrime expert, but AFAIK once the fraudulent ACH goes through it's a matter of cashing out the money (to literal cash or resalable goods) before the ACH is inevitably reverted. This leaves the recipient account with a negative balance so it can basically only be used once.

That's pretty much it exactly. You use two stolen accounts. One with a large balance, one without. ACH from one to the other with a fraudulent. Hire someone to go into the bank in person and withdraw cash. You're done.

The account to which your money is fraudulently transferred might not even belong to the criminals. They probably have access to multiple compromised accounts and can shuffle money between them to throw off investigators.

Are cheques still a thing? I haven't seen one in about ten years, maybe more.

A checking account and paper checks are almost mandatory in the US. If you need to make a large payment to an individual or small business, say a landlord or someone doing work on your home, it's still usually the preferred payment method. It's not that there aren't electronic alternatives, it's that most of the alternatives involve someone paying (often significant) fees.

For example, my rental company accepts online payments via credit/debit card, but if I do that they charge a $30 "convenience fee" for my $900 rent payment. I could set up automatic payments by giving them permission to draft from my checking account, but I refuse to do that since it removes the only leverage I have should a dispute occur. The only remaining options to pay without fees are cash or check, so every month I put a paper check in the mail.

In the US there's really only two payees the average person writes a check out to, the government (to pay taxes), and your landlord (to pay rent).

10 years ago if you hired someone to do a job around the house you might have to pay with check. In the last 2-3 years I've had a couple contractors work on my house and they've all taken credit cards (as well as the others I got quotes from but didn't hire). So now I won't even consider a contractor who doesn't take credit cards.

I’ve previously noticed that places that spell it ‘cheque’ use the payment method less than those who spell it check.

Probably because they are no longer issued or accepted in Europe. Europay pulled the plug on them in 2002.

I'm 26 and I have literally never seen a check in my entire life, I don't even know how one would go about issuing one? It seems like such a US-exclusive thing, together with card payments that require signatures.

I've never seen a check either, but signatures are still a thing in Germany (but not very often).

Not if you live in Europe. Cheques weren't used anymore anyway, but they finally pulled the plug on them at the end of 2002.

European here. Nope. You are talking about Eurocheques.

Of course, what other kind is there in Europe?

This is why you should really consider having fraud insurance as a backup, like Zanders or even LifeLock. Especially if you have any sizable cash in your bank account.

No point, banks are liable for fraud rather than the consumer. I believe consumer's liability is capped at $50-500 depending on how quickly the fraud is reported. Just make sure you don't wait past 60 days to report. Credit cards have even more protections.

These plans rarely pay out, and you'll likely spend more on subscription fees than they'd return to you in fraud payments.


Thanks for the feedback. You got me thinking I should be more critical of Zanders and whether they actually pay out. I'm gonna check with my insurance agent and see what he offers; at least he would be an advocate for me.

FYI: banks are liable only for PERSONAL accounts. If you have a BUSINESS Account that gets hit by fraud, the bank is not liable. That's where fraud insurance is most important.

I don't know about Zanders (never heard of them) but LifeLock is nothing but a scam, nobody should ever purchase LifeLock for anything ever.

To protect against this scam, just don't keep your money in your checking account, simple! My checking account has a balance of zero 99% of the time. If I do a billpayment for $325.45 then I transfer $325.45 to the checking account a minute before I issue the billpay. If I write out a check for my taxes (the only checks I ever write) then I transfer the money into the account while I am writing out the check. The only time money goes in is when it's already planned to go out.

I keep $150 in a separate checking account that I access with ATMs if I need cash on the go.

>tfw you realize Bitcoin and Monero are more secure than your US banking account.

When are we going to stop the stupid practice of using serial numbers and strings for identity and start using strong cryptography to establish identity, authorized signatures, etc?

If strong cryptography is used, the customer won't get any money back in case of fraud.

Good luck proving a manufacturer key generation screwup on smart cards for example. Things like this happen.
