
Big Fraud Comes to Big Tech


I have a confession to make. I learned to defraud Amazon a few years back (without actually doing so). I had an expensive bottle of whisky which was a planned holiday treat delivered to me. Only, when I opened the box with the Amazon smiley on the side, it was a cheaper bottle – same brand, but aged for 10 years rather than the 18 years I had been anticipating. Full of customer indignation, I called up Amazon and said that although I had tried to get a return through the website, I had been refused. The kind customer service agent told me that it was just because the item in question was alcohol, they couldn’t accept returns. And then, to forestall my sputtering, told me that I could keep the bottle sent in error, and they would dispatch a new one to me for free.

Well, it appears that Amazon (or more accurately its independent and mostly unverified delivery chain) have discovered a trick or two, as well.

Michael is a tech-savvy data scientist in the entertainment industry and has an interest in cybersecurity. He’s also pretty street smart, having backpacked his way around the world, and is not the kind to be easily taken in by a con artist or street mugger. Recently, Michael bought a new laptop, and found a good deal online at Amazon UK.

“I was really pleased”, he said, “as Amazon have a reputation for quality customer service. I was confident that if anything went wrong, Amazon’s A-to-Z guarantee would take care of it”. As the delivery day dawned, Michael received an email from Amazon warning him that his delivery driver would expect a PIN – a 6-digit number which he would share with the driver so that the driver would be sure to give the laptop to the correct person. PIN in hand, when the doorbell rang Michael opened the door and showed the email, complete with details of the laptop and PIN, to the driver.

The driver entered the PIN into his delivery PDA and told Michael that the PIN was incorrect. Concerned, Michael showed him the email and asked him to check again. The driver refused to give Michael the box, and left, leaving Michael confused and a little frustrated. This only increased when a notification from Amazon told him that his precious laptop had been successfully delivered. Highly concerned, Michael emailed Amazon customer services, who told him that the PIN was proof of delivery. Each of his repeated protests was met with the same response.

Michael recounts, “The most peculiar thing to me is that after I gave the PIN to the thief (and possibly after I showed him the e-mail from Amazon that revealed what was in the package), he spoke to someone on the phone in a language that I didn't recognise.”

A little internet research shows that discussion boards such as Reddit are rife with stories of high value items – phones, laptops, and jewellery all going missing, with Amazon adamantly refusing any responsibility at all. This wave of crime in multiple geographic regions suggests that this may be the work of what police forces somewhat coyly refer to as “serious and organised” activity, with the poor customer left in a position of having to be their own expert in the labyrinthine world of payment card liability rules.

Credit card companies have rules for participation called “Operating Regulations” or OpRegs for short. Every bank that signs up to participate as an issuer (giving logo-branded cards to their customers) or an acquirer (taking card payment messages from retailers and converting them into real money) agrees to abide by the OpRegs. Acquirers agree that the retailers and other card acceptors (known in the payments ecosystem as merchants) that they connect will abide by the rules as well (for example, compliance with PCI DSS is one of the things that merchants agree to).

Consumer rights laws also apply, depending on the country in which the cardholder lives. However, the OpRegs generally state that in the event of a dispute, it is the issuing bank's job to protect their customer, and ultimately accept liability if a transaction goes awry. Of course, there’s a fair amount of argument between issuers and acquirers, as no bank wants to accept a loss if they can possibly avoid it. When, as often happens, the acquirer loses the argument, they try and push the loss down to the merchant, which in this case is Amazon. What Amazon have done to give themselves some evidence to push back against their acquirer is to implement the PIN system, accompanied by the internal mantra that the PIN is secure and if Amazon have the PIN from the driver, then the parcel must have been delivered.

But there’s no system that is 100% secure, and fraudsters, especially organised gangs, are determined and resourceful in finding loopholes.

So the questions that need to be asked are:

  • Where does liability lie for a disputed delivery paid for using a branded payment card?
  • Are Amazon correct in implicitly assuming that their delivery PIN system shifts liability to the cardholder?
  • How does this fit in with Operating Regulations and Consumer Credit legislation?

Of course, there are several more questions that could be posed to Amazon, mainly the apparent end of the A to Z guarantee, and a new rule of caveat emptor.

— Jonathan Care | jcare@mountainstorm.net | Lion Briefs Contributor
(C) 2022 Mountain Storm Ltd.