ID Thieves Hijacking Accounts To Cash In On Bogus Warranties

In a pre-online era, when we made most purchases in person, getting a warranty replacement on a broken product often required taking the defective item back to where you bought it. But now that we’re all buying things online, a number of retailers are willing to ship you a replacement on the understanding that you’ll immediately return the original item. ID thieves are taking advantage of this goodwill, hijacking customers’ accounts and convincing companies to send them free replacements for items they never bought.

Cybersecurity journalist Brian Krebs recently looked into a spate of warranty fraud attempts involving Fitbit products.

Toward the end of 2015, large amounts of Fitbit customer data were being posted online — the kind of data you’d need to make a warranty claim on a broken device.

But this information apparently didn’t come from some sort of data breach at the fitness accessory company. Instead, it was gleaned from various sources — password-stealing malware, careless Fitbit customers who use common passwords or the same email/password combination across multiple accounts.

Once an ID thief accesses a customer’s account, they can change its associated email address so that the customer isn’t alerted to future communications.

“[A]t that point they are the customer,” explains Fitbit’s head of security, telling Krebs that the fraudster will then call up Fitbit to file a warranty complaint and get a replacement.

“They’re mainly interested in the premium devices,” like the $250 Fitbit Surge, he says.

Since ill-gotten electronics are often sold for significantly less than their retail price, it makes sense that scammers would go after the most expensive items.

The Fitbit exec says that the company has put new systems in place and re-trained its warranty folks in an effort to end the hemorrhaging.

“If we see an account that was used in a suspicious way, or a large number of login requests for accounts coming from a small group of Internet addresses, we’ll lock the account and have the customer reconfirm specific information,” he tells Krebs.
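As an added illustration of the two signals described in that quote (this is example code, not Fitbit’s or the article’s), the following Python runs both heuristics over a constructed login log: it groups login attempts by /24 source prefix to spot a small pool of addresses hitting many accounts, and then marks for lockout any account that logged in or changed its email from such a source. The log format, threshold and account names are assumptions.

```python
from collections import defaultdict

# Constructed sample log, one event per line: "<timestamp> <event> <account> <ip>".
# 203.0.113.0/24 tries six different accounts in quick succession (credential stuffing);
# 198.51.100.7 is an ordinary customer session.
SAMPLE_LOG = """\
1001 login_fail   alice@example.com 203.0.113.10
1002 login_fail   bob@example.com   203.0.113.10
1003 login_ok     carol@example.com 203.0.113.11
1004 login_fail   dave@example.com  203.0.113.11
1005 login_fail   erin@example.com  203.0.113.12
1006 login_ok     frank@example.com 203.0.113.12
1010 email_change carol@example.com 203.0.113.11
1500 login_ok     grace@example.com 198.51.100.7
1600 email_change grace@example.com 198.51.100.7
"""

def parse_log(text):
    """Parse the constructed format into (timestamp, event, account, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, account, ip = line.split()
        events.append((int(ts), event, account, ip))
    return events

def ip_prefix(ip):
    """Group by /24 so a small pool of rotating addresses still counts as one source."""
    return ".".join(ip.split(".")[:3])

def spraying_prefixes(events, min_accounts=4):
    """Source prefixes whose login attempts touched at least min_accounts distinct accounts."""
    accounts_by_prefix = defaultdict(set)
    for _, event, account, ip in events:
        if event.startswith("login"):
            accounts_by_prefix[ip_prefix(ip)].add(account)
    return {p for p, accts in accounts_by_prefix.items() if len(accts) >= min_accounts}

def accounts_to_lock(events, min_accounts=4):
    """Accounts that were successfully logged into, or had their contact email changed,
    from a spraying source; these are the ones to lock pending customer reconfirmation."""
    suspicious = spraying_prefixes(events, min_accounts)
    locked = set()
    for _, event, account, ip in events:
        if ip_prefix(ip) in suspicious and event in ("login_ok", "email_change"):
            locked.add(account)
    return locked
```

Running `accounts_to_lock(parse_log(SAMPLE_LOG))` flags carol and frank (both reached from the spraying /24) while grace, whose session and email change came from an unrelated address, is left alone.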

Fitbit says it is planning to beef up protection against ID theft by offering two-factor authentication — which requires that the user not just enter a password, but also a unique code sent to their phone or other device — but the company’s security chief is realistic and doesn’t really expect less-savvy Fitbit users to take advantage of the improved security.

“I’m not sure the type of user who is using the same password at every site is the great target for that,” he points out.