I'm a scam prevention expert and I got scammed

Well, most IP cameras cannot be accessed this way when you look at the global pool of IP cameras. However many on them on Amazon, particularly from OEM companies like Reolink that are more of a custom relabeller vs. a real camera manufacturer have all kinds of backdoor access methods.

Best practice is to put your IP cameras on a separate isolated network, connected to a dual-NIC recorder/PC running trusted software (eg: not some random DVR/NVR on Amazon) for recording and viewing. This is not a perfect solution, but it at least takes you far away from the path-of-least-resistance pool of devices with weak cybersecurity that are prone to various exploits.

And this is why my reolink cameras are on a subnet without access to the internet. The only thing it can reach is my home assistant and open source NVR.

This internet of things future is frightening. I don't feel comfortable buying any new product.

None of my negative reviews about scammers have ever been approved by Amazon. I have just started taking my business elsewhere.

Amazon filter out those sort of reviews "because theyre not about the product but the supplier". Of course, they don't make it easy to report the supplier.

I've bought ssr relays rated at 40A, with the actual picture of the real product shown. What I got was a fake that was literally an electrical fire waiting to happen. Maybe my complaint to support actually made it to the supplier, because they Photoshop blurred the product picture listing so the real brand name was obscured. Still had phony specs though.

At this point I only really buy things from Amazon that are essentially fungible. Cables, adapters, toiletries, tools, none of these matter enough to me to care about exactly what I get, as long as it’s roughly what’s in the picture, and to be honest they’re not even worth counterfeiting.

For everything else there’s rarely a reason to not buy directly from brands or niche specialist retailers. Customer support is typically better, warranties are often better, repair processes are better, and that’s not to mention the issue of counterfeiting.

Man that annoys me so much, in my case it was a silent removal. You're not aware that your review was removed.

The things I don't buy from Amazon Prime really anywhere are replacement batteries.

Disputing the transaction with your card issuer is the only answer companies will understand. The company wins as long as more users eat the losses (essentially giving Amazon free money) than those actively fighting for their money back.

Well. Not directly. But same outcome. No actual conspiracy or collusion necessary.

Amazon profits so much that they're content to eat the rampant fraud and waste, than to run a proper legit market place.

This is quite a jump to conclusions. The alternative theory of the customer service rep googling a phone number and getting the wrong one is far more likely. Or, it's possible that the company's own seller login was compromised and a scammer changed their contact number.

The idea that a wildly successful multi-billion dollar company would actually set up such an easily-noticed system where they "get a cut" of phishing scams is outlandish.

If you watch Jim Browning or some of the other people that investigate such scams you'll realize that it's not just a couple of idiots in a boiler room; those operations have all the hallmarks of a legitimate company including layers of management, offices, them having meetings to discuss new scam strategies/etc and the scammers being actual "employees" on a standard (low) wage + commission, so I definitely wouldn't be surprised if something like this would happen especially if they've already got a network of local accomplices to launder the stolen money that can easily be repurposed to sell products at cost (in fact that could also be used to launder money, win-win situation right there!).

Using this logic, you could quickly dismiss all criticisms of any company. It's not a very compelling argument, especially because no one is arguing that individual, atomic, anecdotal comments describing negative experiences with Amazon represent a statistically significant evaluation of Amazon as a company.

I try my best to not buy from third party sellers. Then I occasionally get surprised that I am buying from a third party seller. So I simply stopped because the perceived risk is too high. Amazon is overpriced anyway so why bother buying from them?

> just cheap knockoff stuff.

By that you mean overpriced dropshipping from aliexpress.

Where do you shop instead?

shipping both ways is 100% not free in canada. I went to price match a power supply I had just purchased and they said they don't price match. I said no worries since it's unopened I'll return it and buy it again and they quoted me $30 shipping to return it. I had prime and it was a prime item.

I've also reported businesses who sneak 'give us a 5 star review and we'll give you $30' cards into their parcels and amazon did absolutely nothing.

Amazon is amazing until you realize it isn't. I got rid of prime and suddenly I found myself spending less money on junk because I wasn't incentivized to get junk by the prime membership. If I have to wait to have enough stuff for free shipping minimums I can wait enough to look locally and 1/2 the time I can find it locally for similar cost and the other 1/2 it turns out I never needed it just wanted it.

Highly recommend getting rid of prime and taking a couple months off ordering anything from them - you'll find out not only is amazon not worth it, they're easily replaced.

Maybe that, to some degree. But amazon.de has a lot of problems, too.

There are a lot of fishy listings, but it's also often quite easy to detect those fishy offers, because the German text is usually full of grammar and spelling errors, and often obviously a result from Google translate, and often not even fully translated, with larger parts still in (shoddy) English. Outright counterfeit products seem to be somewhat rare still, at least from what I observed, but there is quite a number of low quality knockoffs.

Or e.g. multiple journalists reported on review-rigging operations - usually organized through whatsapp, and using regular folks for a few bucks as "mules", to get some coveted "verified buyer" reviews. Or bait-and-switch listings, where they had an original listing which gathered some good/ok reviews, and then they repurpose that listing for another product, while keeping their stars.

Or e.g. there was a report about one guy who got like 10 - 20 packets a day with junk he never ordered, every day, over months. Apparently some shady sellers got hold of his info, and were using him as a "garbage bin" for excess stock[0]. While he wasn't charged for any of the products or shipping, he still ended up in a situation where his door bell rang a few times a day, and he ended up throwing away most of the stuff, having to properly dispose of it. And when contacted, amazon just told him to throw away the stuff he doesn't want. It's unlikely he was the only involuntary garbage bin victim.

[0] It wasn't clear why they did that. Maybe to inflate sales numbers to get higher ranked in the amazon search? Or because just shipping it through amazon to some random people might be cheaper than just keeping that stuff in the amazon warehouse or disposing of it properly?

> I think ordering on amazon has become a little like getting your car towed.

Apparently especially in Ontario…

https://www.thedrive.com/news/44749/inside-the-tow-truck-maf...

I'd like to see an economist's view on how the free market is failing here, and what we can do about it.

Tow drivers make a lot of money. They do a lot of subcontracting and mutual aid type arrangements.

Except Amazon started as a third-party marketplace. This isn't *new*, some of us just have really short memories. For the first several years the only first-party sales they did were in books (and not all books on the store even at the beginning). They've expanded into other first-party categories, but there are much fewer first-party categories than people assume. (And always have been.)

The big thing that changed isn't the third-party marketplace on Amazon, it's that they increasingly and intentionally blurred the lines between "third-party" and "second-party" marketplaces. Any third-party that uses "Fulfilled by Amazon" logistics (warehouses, shipping) just about gets automatically upgraded in the Amazon user experience to "second-party" even if Amazon has no deeper working relationship with the third-party than "Fulfilled by Amazon".

Some of that intentional blurring of the lines is also questionably Dark Patterns intentionally designed to confuse consumers in just exactly what categories Amazon supports directly (first-party) and which ones are third-party, and more importantly which ones are first-party usually versus third-party today (such as sold out goods). They want to give consumers the illusion of an "everything store" that is never out of stock. That's never the practical reality, and the illusion may be evil from the perspective of shadily pushing consumers to unvetted third parties due to Dark Patterns that back that illusion.

That doesn't follow. Just because an online retailer grows it doesn't mean they have to start allowing third-party sellers. In fact, seeing what is happening to Amazon's reputation, that seems like a bad long term move.

Short termisum might win out, but it is not a foregone conclusion.

Ordered some things from walmart.com, half of it was third-party sellers. They were sort of transparent about it, though, and the quality was at least what I'd expect from inside a Walmart.

Target and Wal-Mart also sell third party shit. It's easier for me to just buy directly from brands I like, or to shop for them on a couple outlet sites I trust (so far) to sell legit (overstocked or lightly damaged) top-quality stuff and not lower-quality second- or third-tier versions (as some outlet stores do), than figure out how to avoid or disable displaying third party sellers on a bunch of different sites.

By the time you factor in the time and frustration for that, any savings (which isn't even guaranteed) doesn't look like great ROI anyway. Plus, even Amazon often won't carry the full range of a brand's products, so I get more options shopping this way.

God I wish walmart’s site was better, it is like punishment shopping there, why does home depot outclass them in every way?

As someone who has contributed legitimate reviews on Amazon, I think "all lies" is a bit of an exaggeration.

Interesting. I would have lumped them all together. Why do you trust reviews on Target but not Amazon?

Just FYI weary = tired … wary = suspicious.

> It seems like Amazon doesn't commingle inventory if there is an official store.

Is there any confirmation of this? I've seen assertions both ways.

Wrong opening hours on Google is a niggle for me. And having been on the other side of the equation, changing the hours Google says a business is open is not always straightforward.

Yeah, you hear about this with the people who get taken in by Grubhub or whoever that's spoofing a restaurant's phone number/ordering site. I would never take a third-party source as authoritative, but apparently people do it.

Honestly, how do you know what the right number is though? Everybody outsources their stuff. The real website is at jordans-eatery.outsourcedsite.com. Or maybe the guy at jordans-eatery.seo.com is taking calls and placing orders to the real site at a markup. Or maybe the real number is on jordans-eatery.com. Or maybe it's none of those.

Apple Maps from my experience is quite bad about this. I know of one city where it happily provides the locations of four DHL counter locations even though there is only one. Numerous other store locations on Apple Maps also often do not exist, so however they are sourcing their data is full of errors or outdated information.

I've had that happen to me as well - person finds a wrong number online someplace, calls me, and then is mad at me that I am not who they are looking for...go figure.

I think this might just be a people thing? I've had the same experience (some one calling for the YMCA, I inform they have the wrong number, they proceed to argue and berate me) but they probably just misdialed.

Not that I don't also feel like Google search results have gone down hill.

My friend booked one international flight with departure and destination having 12+ hours timezones difference. The email listed the departure time & duration of journey and arrival time, all in local times (as expected). Gmail auto creates an event about flights and hotel bookings, and thus shows the correct departure time, duration & then that AI simply added that duration to departure, and showed departure city's time flight lands. Wrong. My friend, no blame, believed it; until I pointed it out.

“It says on their website this is the number!”

"What do you think is more probable: that the website is wrong or that I don't know who I am?"

As someone why buys a lot of cycling parts online, there are many mom/pop bike shops with web storefronts, that are very reasonably priced and often include "free" shipping. Stop giving bezos your money, you have no excuse.

As someone in Europe, Amazon would be the last place for me to look for bike parts. We have so many great options, including huge online retailers (Bike24, bike-components, bike-discounts, just to mention a few), all of which I've ordered many times from, and was pretty much always happy. Local bike shops may be more expensive, but then you support your folks, which might come in handy later, when you need servicing for something that you don't have the tools for...

The thing with bikes and bike parts is, details matter, two seemingly similar looking parts might be completely different, and there are many small parts that have many options (length, material, color, thread type etc). So unless you really know what you are doing, it's very easy to mix things up - that is true for the consumer too, of course :) Any non-bike-specific webshop is doomed for this reason, except for some special items, eg. eletronics.

One thing I noticed is that these days there are more and more small shops that are legit online, they may not be offering small parts, but I bought a bike from one such shop 2 years ago, and it was heavily discounted, the bike was exactly what they said it would be, it was in stock and was shipped within a week to another EU country no problems.

Many years ago, I have worked in a call centre for a bank and the process for calling customers was exactly what you’d expect from a scammer.

In the standard/credit card section (not, for example, credit card debt collections), it was rare to have to make outbound calls, but when they were needed, no information could be given out until the customer answered security questions. Some customers questioned this because it was exactly what they’d been told never to do. They were told that of course it was right to be cautious, and they could call back, but that they would need to wait in the queue and likely speak to a different person. This was all before they could even be told what they were being called about.

Perhaps half the people questioned the process upon receiving the call (“you called me, and you want ME to prove who I am?”, but very few hung up and called back.

From memory, this was mostly improved later on - no security questions needed unless some sort of action needed to be taken on the account.

Many banks today have communications preferences options and I've told all of my banks that do to never call me directly. If I receive any sort of legitimate call from them I immediately follow up with a strongly worded letter that they should not have called me and violated their own security policies.

The only thing we can do about "bank behaviors make it easier for scammers" is to change bank behaviors. It's not an easy process, but unfortunately it is a necessary process.

He is looking for a definite red flag that it's a scammer. This is a terrible strategy and he should know better. One suspicious act and you should hang up and call the number on the back of the card. Really you should just not take calls from the bank ever and call back on the number on the card.

If you’ve ever tried to get a crypto token listed on an exchange, its just as bad in that arena even though it seems so far behind the scenes.

The process to get listed is the same as a scammer’s process to ensure you get listed.

Some exchanges will say “no we would never handle this with DMs over telegram”

/gets listed by being introduced to someone with a DM over telegram/

Probably because the phone number is calling about a scam (fradulant charge), and then when they hang up, people report the phone number as a scam because they don't understand the difference.

Some scammers are making fraudulent charges, then calling victims as the bank to “fix” them. Skips over a bunch of red flags because the bank has every reason to be calling.

I accidentally won a radio contest many years ago in this way. I heard "you are caller 2" and then the DJ hung up. I stayed on because I was confused and then a few seconds later he picked up again and said you are "caller 4". So I just stayed on and eventually said I was caller 10 and the 10th caller won the prize. I assume he was switching back and forth between two internal phone lines.

I was confused because I was calling to make a song request and had no idea that this contest was initiated because they had just played a certain song.

Just FYI, this does not and never applied to mobile phones or any kind of entirely digital (SIP, etc) phone system.

Modern "landlines" when used with DSL or fibre are also no longer "true" landlines, instead the modem/router acts as a SIP client and gives you an FXS port to plug an analog phone into. While it could theoretically emulate this behavior (by keeping the SIP session open for a few more seconds), I don't believe any of them do - in any case it's trivial to test by calling a different phone that you control, hanging up on your "landline" and seeing whether the other phone hangs up immediately (it should) or if the line is held open for some more time.

If this is still a thing (I frankly don't see the purpose of it), it would only apply to real landlines where your phone is directly connected to your phone socket without a modem/router in between.

Even already knowing about this I'm still mystified that landlines work this way on every occasion that I'm reminded of it. Does anyone know if there is, or at least was, a justification for this mode of operation? Was it at least of any use to anyone back around the 1900s or whenever or is it just another "we do it because that's how we've been doing it" residue that hasn't been cleaned yet?

I can confirm that at least once this happened to my family in Italy about 20 years ago.

The most anecdotal statement ever, but a data point nonetheless.

It even makes the news [0] periodically. Watch the video, especially 2:22-2:36 which reiterates the PSTN behavior.

[0] https://bc.ctvnews.ca/beware-of-the-delayed-disconnect-phone...

Was this common in the US? I spent a bunch of time on the phone in the late 90s at several of my family members houses (I was a social kid) and any time someone hung up I'm pretty sure I'd hear the busy signal if I left the phone unhooked long enough.

What the actual f. I feel like the only commenter here who wasn't aware of this. Thankfully I don't use landlines, but still, that is beyond crazy to me.

Back when I was in high school and landlines were still a thing, we used to prank our friends this way sometimes.

scammer plays a dial tone after the 'hang up' and while dialing.

Yes, and this is how it works as another responder mentions.

The thinking by phone companies is essentially: guy calling pays for the call, so we can milk each call for a few extra cents each time even if they're shady or a wrong number.

Apparently it is a feature Called Subscriber Held (CSH).

https://security.stackexchange.com/a/100342/143105

TL;DR It was just how analog phone worked, users came to rely on it, digital exchanges reimplemented it (with a timeout)

Unless both sides hang up, there's something like a 10-20 second window where the call is held open. Hanging up, picking up within 10 seconds and dialing, means you're still connected to the original caller. If they're clever, the might even detect the click of you hanging up, and play a dialtone for when you pick back up, and stop playing it when you start to dial.

I could see this working if the other end played a click followed by and dial tone sound.

No dial tone and no ring… Seems a difficult mistake to make but then again, I regularly surprise myself with my errors.

> Did they mimic a "brnnnnggg brnnnggg" sound when he dialed?

Yes: https://bc.ctvnews.ca/beware-of-the-delayed-disconnect-phone...

Looks like you would have fallen for it.

The connection isn't always torn down immediately. Different switches behave differently in this regard. I remember a long time ago being trolled by a friend of mine who refused to hang up. I wanted to call someone else, but every time I picked up the handset to dial out, he was still on the line laughing at me.

So if you're served by a switch that operates this way, the scammer just holds the line open, plays dialtone and ringback tones appropriately, and you're none the wiser.

I just don't care. I don't want to risk getting scammed for a few bucks that I was not expecting. Give the $5000 to someone else, I'm fine.

I do not envy the Apply Pay team's challenge to have onboarding systems that span the vast disarray of bank systems (because I know some of my banks and how technically behind they can sometimes be, and I know mine aren't the worst offenders). It is probably a small miracle of engineering and patience that Apple Pay onboarding works at all. (And obviously it is complex enough scammers are using it as an excuse to scam, given the article contents here.)

Yes, this! I had an email from a 3rd party telling me about required training, click the link and use my employee credentials to log in.

Other training has been posted as a to-do in our individual HR account portal, and this was an external site, so it set off warning flags. Not only that, the name of the 3rd party was a legit company, but the site the email linked to was not that company's domain. Big red flag! Curious as I am, I run whois on both domains. Completely different registration info!

So, confident I've identified a phishing attempt and concerned it might have been shotgunned to many people, I notify the appropriate people. Was it a scam? Nope! In fact the person I notified was quite frustrated because a month earlier there had been an email that, sometime in the future, there would be $X training coming up. Yeah, a month later I had no recollection of a generic HR notification that (when I looked in my archive) made no mention that it would not be using the standard secure MFA HR portal used to link out to all other training.

This was all about 4 months after a similar required security training, which was accessed via the usual HR portal, and which listed about half a dozen phishing red flags that the new training violated. But not to worry, my workplace takes security seriously. I guess their seriousness is just very unevenly distributed. It's a good thing we're not really a high value target for hackers.

He was the CTO of a reasonably large hedge fund at the time, so it's reasonable to think he was the target of a spear fishing attack. If you don't need the magnetic strip to actually be magnetic, I don't think making a fake credit card is much different from making a fake ID.

Though, I suppose it's possible he was telling me a tall tale, he's generally trustworthy.

The two additional explanations would be that he was confused about what was going on, or that there was genuinely a mixup at his bank. If he was confused about what was going on, it would seem that he would have needed to have gotten a card that he didn't remember applying for, and being confused about which bank issued it. The spear fishing and mixup at his bank both sound like million-to-one odds to me.

So now, re-evaluating things based on what I've learned about banks in the past 15 years, maybe his bank grew organically by acquiring several other banks, and has incomplete consolidation internally. Maybe he requested a card from one subsidiary of the bank, forgot about it, and called another subsidiary of the bank (the one that gave him his first card), which had no idea what was going on. The internal structures of large banks are much more disjoint than I realized 15 years ago.

You're absolutely right. People do unquestionably want security! They want privacy too!

The issue that the parent is alluding to is that the same users who want these things seem unwilling to make decisions or change behavior to get that security or privacy. Those of us working with security and privacy often wind up with the sense that users want them, but also that users expect them to be automatic and perfect and free. This starts with the computer-illiterate user who finds passwords confusing and goes all the way to developers who find it irritating to be forced to update the libs in their docker images.

Are there better ways? I sure hope so. So far we don't have simpler forms of maintaining true security or simpler forms of reliability. We just have cheaper ways of maintaining a sense of security - and that's theater.

I don't blame people for wanting faster horses. We don't have them on offer though, so in the meantime it might be nice if they were willing to consider what's available.

Oh I didn't mean to suggest the brevity was your doing. I've seen it the short way first-hand, but yes, more typically it's pretty decent, as you've clarified.

Unfortunately, there are all sorts of ways to phish links. https://en.wikipedia.org/wiki/Phishing#Link_manipulation

The link may look similar or even appear identical, and still be under control of the scammer.

Similar to just not trusting incoming phone calls, you can't really trust incoming links via standard email, without some definitive way of validating the sender.

Does a "scam prevention expert" really need to read that fine print to know not to provide a one-time code to an inbound caller?

> like, "is the sum of the last four digits even?" or "is the sum evenly divisible by 3?"

Exactly. After only a few of these you have an equivalent security level to checking the four digits directly but at each step of the way there is a 50% chance that the attacker, not knowing the number yet, gets it wrong and you stop giving more info. If they do a thousand calls a day, they'll still get some people, but it's probably not you so that's at least a small win.

You might enjoy learning about PAKE/SPEKE, which has similar properties.

> An important property is that an eavesdropper or man-in-the-middle cannot obtain enough information to be able to brute-force guess a password without further interactions with the parties (Wikipedia: PAKE)

Just enough enjoyment to then get depressed wondering why nobody is using these nice things

My mom would only have a 50% chance of correctly adding four single-digit numbers, and if she had to divide them by 3, she'd be lost.

She's an intelligent woman who's just lousy at arithmetic. I'd guess hers would be approximately the median experience if something like this became standard.

What I was suggesting wasn't asking the account holder, but asking the bank. With a little training, the call center reps should be able to handle adding together the last few digits of a card number.

I agree that asking account holders for this would be confusing, but since the bank is the one calling in this case it makes sense that the caller (bank) should provide information first.

Of course, it appears that in this guy's case, not even this would have worked, since they apparently had his full card number.

For sure. I wonder what the state of the art is in human-friendly challenges.

The dataset for hashed credit card numbers is small enough that it can be easily represented in a static lookup table, or brute forced.

The author very kindly addresses my comment in a PS:

I also, admittedly, allowed my cynicism toward my own industry and Wells Fargo to cloud my judgment; I didn't know the first thing about Apple Pay or Google Pay prior to this incident, but I don't have particularly positive experiences or feelings toward either company, and it's extremely common for the process of fixing someone else's mistake on large tech platforms to be nightmarishly convoluted.

Ultimately she did realise & fix her mistake - at some pace - lost nothing, and got an up-close view of a scam in progress.

> I'm not trying to pile on them but the reason people are questioning their credibility is that they fell for a pretty basic scam.

Yeah, I've read the armchair quarterbacks around here thinking they wouldn't be the ones to get duped if it was them.

Of course, I'll bet if they did get duped, they wouldn't post about it on social media because a bunch of folks would come out of the woodwork to point out how stupid they were.

Personally, I read this accounting and thought "You know, for all my own knowledge about how these scams work, I might've been caught by this one." This specific example strayed into spearphishing territory given the knowledge the attacker had of the victim. This wasn't just an average war dialler. And the time investment, alone, on the part of the attacker makes this unusual compared to your average phone same.

But hey, maybe I'm just not bright enough to hang with the cool kids around here.