Today, I learned a lesson about how crime does in fact pay and how ill-equipped we are to stop it.

Someone spammed me and bought an iPad with my credit card

This morning, I woke up to more than 200 emails from various websites either confirming my sign-up or requesting my confirmation to do so. I also got an iMessage about picking up an iPad today I had not ordered. And Chase helpfully listed the $2,200 for my on my credit card bill as a pending transaction.

I knew when and where the fraudster would be

At this point, I knew that someone tried to steal the iPad and when and where they would need to be to pick it up. I knew this 3h before the pickup would happen. In fact, I am writing this 20 minutes before that pickup. Alas, I was unable to stop it:

Limiting further damage to myself

My first move was to lock my credit card. I also learned that one cannot mark pending charges as fraudulent, only posted ones.

I also checked all my major accounts for suspcious logins. Thankfully, I could quickly rule out a sophisticated attack which circumvented my many layers of password managers and hardware tokens.

Contacting the Apple Store in question did not work at this time, as they were not open yet.

Reporting the crime that is about to happen

I then proceeded to file a report with the Bellevue Police online. I have reason to believe that that is where my credit card information, phone number and email address where stolen: I dined at a restaurant there last night. I booked the table via OpenTable, which shared my email address and phone number with the restaurant. I paid with the card later used to pay for the iPad. That order contained my email address and phone number.

I then called the Bellevue Police to follow up and let them know when & where the fraudster would be to pickup the iPad. Turns out it is not their jurisdiction because identity theft happens where you live from a legal standpoint regardless of where it happens in the real world. They connected me with the King County Sheriff who after verifying my address promised to send someone to my house. Not the Apple Store where the pickup is about to happen, to my house. Needless to say, they never showed.

Apple’s reaction

Past 10AM, I was able to contact the Apple Store, and they were happy enough to cancel the order. Whether or not they would want to do something about the fraudster walking into their store soon is “up to the store”. Sure enough, they connected me with the store which told me that they can’t do anything without law enforcement and then put me on hold longer than I could wait.

The perfect crime?

This particular fraud did not succeed, thankfully: The order is cancelled and the credit card used is deactivated and will be replaced. I will have to deal with the spam from the many websites in the next few months.

However, the fraudster is going to be undiscovered and unpunished and can just try again. This is despite knowing when and where the fraudster would be 3h in advance of the crime. I am sure this play works for many people with less anal prudent and entirely appropriate cyber security processes in place.

Stay vigilant!