Defending Against Liar Buyer Fraud

It's a common fraud on sites like eBay: buyers falsely claim that they never received a purchased item in the mail. Here's a paper on defending against this fraud through basic psychological security measures. It's preliminary research, but probably worth experimental research.

We have tested a collection of possible user-interface enhancements aimed at reducing liar buyer fraud. We have found that showing users in the process of filing a dispute that (1) their computer is recognized, and (2) that their location is known dramatically reduces the willingness to file false claims. We believe the reason for the reduction is that the would-be liars can visualize their lack of anonymity at a time when they are deciding whether to perform a fraudulent action. Interestingly, we also showed that users were not affected by knowing that their computer was recognized, but without their location being pin-pointed, or the other way around. We also determined that a reasonably accurate map was necessary -- but that an inaccurate map does not seem to increase the willingness to lie.

Posted on January 21, 2015 at 6:31 AM • 25 Comments

Comments

joebob2000January 21, 2015 10:36 AM

I think that if this is employed en masse it will see a similar pattern of use as the calorie counts on restaurant menus: it will be effective psychologically, until the users become desensitized and then it will only have a tiny effect. Since most liar buyer fraud is from one-time offenders, this might be enough to make it a valuable tool in that domain. However in the larger security realm, actual user tracking and heuristics behind the scenes will go a lot farther than security theater.

bungaJanuary 21, 2015 11:17 AM

It sounds ridiculous to me. Why does the buyer need to see a map pinpointing his location in order to alter his behavior, if he has just typed in his home address into the site, telling the website where he wants the package to be posted, plus his credit card details including the address where the card is registered? "Oh really, you figured out where I live? No s**t, I just told you!"

TerroristJanuary 21, 2015 11:20 AM

"an inaccurate map does not seem to increase the willingness to lie"

Hell, if I got an inaccurate map after typing in my address (plus credit card postcode) into the site, that's when I'd really start worrying!

ScamBayJanuary 21, 2015 3:05 PM

I stopped using Ebay. Ebay was OK during the 1990's before all the scamsters found out about it. I read about a scam where the shipper sends an empty box out via USPS with a tracking code. Shipper addresses the empty box to a wrong address in your neighborhood. The USPS tracking code only tracks the package to the address block of your neighborhood. Not to the actual address it's delivered at.

So the USPS tracking code shows the empty box as being delivered, even though it was actually sent to one of your neighbor's addresses, not your address.

I've been ripped off by Amazon.com too. I bought a 1 year Xbox Live subscription card from Amazon after a Ebay seller tried to ripping me off. I figured I'd just buy it through Amazon after that. I still ended up getting ripped off!

The Xbox card Amazon sent me came in a clear plastic package. The package was still sealed so I though everything was good. I waited a few months before trying to open the package and use the card.

Once I opened the package, I noticed the back of the card was already scratched off. Upon further examination of the plastic package, I noticed someone took a razor knife and slit the packaging enough to slip the card out. They then used the card, then slipped the card back into the packaging and sent it back to Amazon and got the money back.

Then Amazon sent me the card. I didn't notice a small section the packaging was slit, so I ended up getting ripped off over $50. Do you think Amazon would have believed me if I tried telling them the truth? Hah! If you answered yes you're delusional.

The internet is full of scam artists. I hate doing business over the internet. If you do business over the internet. You better use a credit card so you can issue a charge back. And inspect your merchandise immediately upon delivery. If your merchandise never comes, screw the "dispute resolution" crap and just issue a charge back through your bank.

ZaphJanuary 21, 2015 4:02 PM

@scambay

Actually I thin Amazon would have believed you unless you have a history of problems with them.

Z

Kalle Olavi NiemitaloJanuary 21, 2015 5:15 PM

I wonder if these security measures can scare a buyer from truthfully reporting that the item did not arrive.

DanielJanuary 21, 2015 5:16 PM

"Amazon Mechanical Turk"

ROTFLMAO.

For those of you who don't know the average "wage" on Mechanical Turk is $2.00/hr.

"We recruited 2364 Amazon Mechanical Turk workers from the United States to perform a simple task in which each subject was asked to choose what five avatars out of a collection of a hundred most closely represented him or her, and indicate the city and state where he or she was located, paying each subject 10 cent for their participation"

That, fellow readers, is a the real fraud.

u6January 21, 2015 5:42 PM

Farmer ran ad: 2 year old cow, can't see how you can lose. He was sued after the cow walked into a lake and drowned. Buyer told judge the blind cow lost him money. Farmer said the ad said can't see. Court sided with seller. Buyer beware.

OldschulJanuary 21, 2015 6:33 PM

"Never buy a pig in a poke." Amazing -- my grandfather foresaw the internet in 1925.

RoboticusJanuary 21, 2015 7:30 PM

Can someone please explain how "it has the semblance of a victimless crime". I honestly do not understand that. Maybe it's because I do the ebay sales for a small business, and see pretty often how it affects us, but I cant see how it would seem to anyone to be a victimless crime any more than plain theft would.

Name Withheld January 22, 2015 12:12 AM

Has anyone yet run into attempted medical tests being run on you via your computer without your knowledge or permission. This happened to my wife's computer and I don't know if one or both of us were being targeted. However, this is a rather serious matter in that medical tests without a persons permission were addressed at the proceedings of Military Tribunal One at the "Doctor's trials" in Nuremburg. A number of doctors were hung and many received long prison sentences but testimony was presented which really indicted the whole medical profession of Nazi Germany, except for a few I imagine. We all know the story of children with disabilities and those with mental illness being quietly sent away to their deaths and this happened all over Germany.

Bruce I'd appreciate if you would cover this in a future column. The rules are very clear and were laid out at Nuremburg and using our computers to do medical tests clearly puts the perpetrators in the same categories of Nazi's, no matter how innocent the perps may see their conduct.

Has anyone else had this happen. I found out because some whistleblower laid the files on our desk. This happened on my wife's Microsoft Signature PC and Microsoft abandoned us and now our Signature is just a Dell. Microsoft apparently wants nothing to do with what happened.

Does anyone have any suggestions on how to handle this illegal conduct and where and who I should go to? The EFF has declined my request for help and so far the only choices I can come up with is the ACLU and a former President of the Trial Lawyers Association who I clerked for during law school and he is one of the most preeminent trial lawyers on medical matters in the country although he primarily does malpractice. Although I want an apology more than anything else.

This hasn't been something that I've ignored, I have a long history of mental issues and paranoia but when it's in writing and on your computer it's hard to convince yourself that no sane person would do such a thing. But so they did, causing me mental stress that I can't begin to describe here.

Anyone have any suggestions. I have no idea who the "sleep studies" people are but I know Microsoft HAS to known.

What would everyone else here do?

Here's a few links:

https://en.wikipedia.org/wiki/Doctors%27_trial

The "Nuremburg Codes" were laid down at the tribunal and are cited in many places, many major medical schools have web pages devoted to these trials and I assume most doctors, before graduation, must familiar themselves with the codes. I won't go through all the one's violated in our case, because the first one on the list is enough. Permission of the patient MUST be obtained.

http://www.jewishvirtuallibrary.org/jsource/Holocaust/Nuremberg_Code.html

Does anyone have any idea what I should do. There have been a few moments during these last six months or so when I really thought I was losing it, and in fact, on one occasion I had a panic attack and had to go to the emergency room and I am sure this event played a major role in my agitation. Any suggestions would be greatly appreciated. I hope this is not being done on a major scale but creeping fascism is something that is hard not to notice in the country that I truly love and hate to see being systematically destroyed. The EFF said they don't care about this.

bobJanuary 22, 2015 10:11 AM

Oddly, I just bought a phone on ebay last week and it was shipped via USPS but they apparently orbited my block (where I've lived for 26 years) 3 times and were unable to find my house and did a missed approach and returned the item to the sender. They manage to find me 4 times a week to give me AT&T U-verse ads, why the amnesia now? The address shown on the tracking page was correct.

I was suspicious it was some sort of scam (altho thats not indicative of much - these days I assume EVERYTHING on ebay is a scam), especially when the sender said that the box was damaged during the trip and the cellphone was destroyed.

But I got my money back so I dont see how a scam would work. Maybe it was insured for more than I paid for the item? Wouldnt they have to prove the value of something? Or can you show a receipt from 3 years ago for an iphone4 and now use that to get $600 back?

EvanJanuary 22, 2015 10:16 AM

I don't get it, what's so hard about paying the extra buck or so for delivery confirmation? I get that some thing are just too cheap to justify it, but then you write the loss off as the cost of doing business anyhow.

I sold a few things on eBay and Half.com and always paid for delivery confirmation. Not doing that is just dumb.

bobJanuary 22, 2015 10:17 AM

I believe they are right, tho. I used to be the snack-O at a facility where we provided coffee and had a dish you (were supposed to) put money in to pay for the coffee. I also did this a decade later when I sold bagels for the office party fund.

In both cases they had been LOSING money and I moved the function into my office where people were now in sight (even if way across the room) when they took coffee/bagels.

And - in both cases the revenue jumped up tremendously after the items were no longer anonymously out in the hallway unwatched.

Sad.

Dirk PraetJanuary 22, 2015 11:20 AM

@ Name Withheld

Has anyone yet run into attempted medical tests being run on you via your computer without your knowledge or permission.

I don't know of any such cases.

I have a long history of mental issues and paranoia ...

Did you receive any medical or psychological treatment for those ?

... in fact, on one occasion I had a panic attack and had to go to the emergency room and I am sure this event played a major role in my agitation.

It most probably did. If suffering from anxiety on a regular basis, you should ask your doctor to prescribe Xanax. When an episode sets on, it usually takes about 15 minutes to kick in. Meanwhile have a candy bar or soda pop containing lots of sugar and go outside for a walk, preferably accompanied by someone who is familiar with anxiety and can talk you down. You may also benefit from mindfulness or traditional zen meditation training to regain some peace of mind (if you can afford it).

VincentJanuary 22, 2015 12:53 PM

I recently heard a talk of a psychologist about insurance fraught. He concluded that the best way to prevent fraught was to prime people with a picture of themselves, as most fraught seems to happen casual, and most people do not want to picture themselves as dishonest.

He joked that the best measure might be placing a mirror in front of people while they do the paperwork. Even asking for a signature before filling in the claims (instead of in the end of the form) had some significant effect in experiments.

Might be that confronting people with their whereabouts and some kind of "registration" triggers self-reflection?

The talk was held by Horst Müller-Peters. Unfortunally scholar does not list any English publications by him on that topic.

BPJanuary 22, 2015 4:27 PM

Dirk
I've been taking medication for panic attacks for almost 30 years. I have worked hard to stay sane, having been hospitalized twice in the past and there is no pain greater than "losing it" or as I sometimes call it "going down to crazy street". I've prided myself on overcoming my inability to tell reality from fantasy through paranoia but what people have been doing here, it's written down and I can't ignore that, should be a crime. I hate to say it here to you folks, but I get a small thrill seeing Barret Brown go to jail.

The funny thing about it all is that I never had any paranoia related to computers until about 6 years or so go. We all know what started then. I think they all should be in jail.

Tony H.January 22, 2015 8:05 PM

@ Evan "I don't get it, what's so hard about paying the extra buck or so for delivery confirmation? I get that some thing are just too cheap to justify it, but then you write the loss off as the cost of doing business anyhow."

As the paper points out, confirmation, even with a signature, is virtually useless. Delivery services do not log the address they delivered to in any meaningful way (such as taking a timestamped picture of the box being handed over, or at least of the doorway with house or suite number), so who knows who actually received or signed for the package? At best you may get them to tell you the rough GPS location or the delivery route, but both are close to useless in a large office or apartment building.

I encountered a version of this recently myself: I ordered an item from an eBay seller in China, paid them for tracking+signature, and around the expected date got a tracking update from the post office with the status of "delivered", and with someone else's scrawled signature. According to the post office, UPU regulations require that the sender initiate any tracing. Sure - my Chinese eBayer who sells 1000s of items a month and has limited English is going to do all that for nothing for my $20 item... A few days later the delivery guy showed up with my package, but only because the business (in the same office building) who had received it realized it wasn't for them and returned it to him. Even if there had been a post office trace, they would no doubt have concluded that it had been delivered correctly. I or the incorrect recipient or the post office employee could equally have been the culprit. Who would eBay blame in this case if I had complained? How would they decide if I was a scammer or honest? My eBay record is perfect; the seller has about a 1% complaint rate. It could go either way. Maybe eBay would decide in my favour, or then again maybe against me because the seller does way more business with them, would have little incentive for a complex scam, etc.

Nick PJanuary 23, 2015 12:03 AM

@ late squid

They're *really* behind the discussions we had here with RobertT despite the amount of brains and money behind their operation. I've already narrowed it down much further than that where the fabs can be semi or untrusted. If they understood the problem, their solution would be $5-20 million dollars. Let's see how long it takes them to recreate my answer.

WaelJanuary 23, 2015 1:57 AM

@Nick P, @late squid,

The diagram with the "Checking for Discrepancies" title resembles a prison, ie: @Clive Robinson's arrangement. The "Checker" in the diagram is a variation of the warden in the prison. Can't you see the similarities?

See that horsey riding on the skateboard? He'll enter your castle one of these days ;) Wait! He's already there!!! How will you get him out?

JMUJanuary 23, 2015 4:58 AM

It sounds ridiculous to me. Why does the buyer need to see a map pinpointing his location in order to alter his behavior, if he has just typed in his home address into the site, telling the website where he wants the package to be posted, plus his credit card details including the address where the card is registered?

Because the buyer is stupid?

The whole point is deterring the not-so-smart lot. The smart scammers will have no trouble to lie with a straight face over a complaint form, considering the complete lack of proof of delivery.

WooJanuary 23, 2015 6:56 AM

Is the USPS really that crappy? "Delivery services do not log where they delivered".. "empty box delivered"..
When I (in Germany) order something to be shipped via registered/insured parcel, the delivery driver will ask for me personally, or my parents who they have a receiving authorization for. They keep the signature made on their PDA thingie on file for a certain time, and in case of disputes will provide a printout or image to the people involved. If I have any doubt of correct delivery (i.e. the package is damaged or shabbily sealed, or the sender has a doubtful reputation), the driver will wait for me to open the package before I sign it as received, or take it back as rejected. This has worked fine for >2k ebay purchases until now.
(on the other hand, I only had about a handful purchases yet where there was something wrong with the delivery.. e.g. once I ordered a TV which I never received, but the signature on file had nothing in common with my name or usual signature, which in turn ended in an insurance claim and a prosecuted delivery guy).
If the USPS don't have the time or manpower to insure correct delivery despite their significantly high prices, perhaps that's the point where pressure needs to be applied, instead of ebay.

Vicenzo VolkerOctober 14, 2015 9:10 PM

Tracking it seems is a system by the post office and eBay to make money. It is not "Proof of Delivery" as eBay will tell you "they don't know what was in the package", even signed for items are not proof. In my experience the post office denies all loss claims due to insufficient packaging, will waste your time on the phone and give you a case number that does absolutely nothing, does not contact the handlers or carrier involved in not scanning an item, and withholds the results of any investigation from the injured parties, refuses any compensation including not refunding postage for lost or undelivered items.
They don't lose many items, less than 3 percent, but their lack of security procedures are a part of a large and growing criminal culture that has learned to target the more valuable items. It is disturbing to experience packages that never advance from a distribution center, never get past a destination post office or never depart the initial drop point. Things don't disappear,... just the public's money and belongings.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.