How to make a contribution on Kickstarter, receive the goods, and take your money back: the story of one deception



    Technically savvy attackers keep coming up with new ways to enrich themselves, some of them very unexpected and unusual. The other day an attacker was identified on Kickstarter who had put a new fraud scheme into practice: he made a contribution to support a project (sometimes the maximum possible contribution), waited for the campaign to complete successfully and for shipment of the goods to begin, and then demanded his money back from the payment system (a chargeback).

    At that point the money has not yet been finally debited from the attacker's credit card, and during this period an order can usually be cancelled and the money returned. In a standard purchase, of any product, it is simply impossible to receive the goods and then get the money back, because the store owner debits the buyer's card as soon as the goods are sent.

    With Kickstarter, however, things are a little different. Even though the funding campaign has completed successfully and the goods have been dispatched to the contributors, it is not the campaign creator who debits their cards. The money is debited by the payment processor, in this case Amazon Payments, and that system has no way of knowing whether the person requesting a refund has already received the goods.

    It therefore becomes possible to make a contribution to a Kickstarter campaign at the end of the funding period (when it is, of course, not difficult to tell whether the campaign will succeed), wait until the campaign closes and the goods are shipped, and only then demand a chargeback. Typically the money is returned to the card without further investigation (after all, as far as the payment system knows, the goods have not yet been shipped), and the attacker ends up with both the goods and the money.

    This is the method of cheating Kickstarter campaign creators that a user named Encik Farhan chose (whether this was one person or a whole team is unlikely ever to be known). He made more than a hundred contributions, sometimes at the maximum level, then waited for each campaign to close and the goods to be sent, and demanded his money back.

    He was tracked down completely by accident, and not by the project's security system but by one of the Kickstarter campaign creators. This creator received the required amount for his project, sent the goods to all participants, and then received a letter from Amazon Payments saying that one of the contributors was demanding his money back. Fortunately, this contributor was the only one who had made the maximum contribution of $1,000, and after an additional investigation by the affected creator, the Kickstarter team finally turned its attention to the situation.

    Now the Encik Farhan account and its chargebacks have been canceled, and Kickstarter and Amazon Payments are working to ensure that such situations do not recur. Why was this not done earlier, given that the situation was quite predictable? Who knows.

    Via The Verge
