So, hi. I'm Kitty. I'm known by a couple of other handles, but mostly, in my workday, people call me Nina. Before I give my talk, as you can see on the screen, I do have to say, I'm required actually to say, that the views expressed here do not necessarily represent the views of the Navy, the Department of Defense, or the U.S. government. And I'm required to say that because technically I'm a fed, I guess. In my workday, I'm a professor at the Naval War College inside the Strategic and Operational Research Department, which really means that I study emerging technologies and how they affect warfare and defense. And that would include the cybering. And so that's part of why I follow your community. But all of that actually has absolutely nothing to do with what I'm talking about today.

Last year, right around August, I bought a used Nespresso maker, and so I just wanted to come and talk about the story of what happened. With the company Nespresso, the pods and the makers are purchased mostly online. There are some boutiques across the country, but by and large, you buy your coffee from Nespresso directly from their website. And so with my new used machine, I realized that the pods were really expensive. So I decided that I'd have a look to see if I could get them somewhere cheaper. And it turns out you can. You can get them on eBay. In fact, scandalously cheap, and I found a listing in which the current bid was about half of what I'd pay if I were buying directly from Nespresso. The only trick was that I had to buy 200 pods at a time. Not a big deal. I drink a lot of coffee, so it seemed fine. I set my bid, I wandered off, and when I came back, I'd won. So I paid with PayPal, and I moved on, and a week or so later, my coffee arrived. But with it, also at my doorstep, in a separate box, was this little gem.
It's also here on stage. There was a brand new espresso maker in addition to the coffee that I'd purchased. So you're looking at a Nespresso Pixie; it's one of Nespresso's most compact little espresso makers. It retails at about 280 dollars, and it takes small coffee pods. They're about 70 cents apiece. So this initially just feels like an ordering mistake to me. And so I go back to eBay to figure out whether I had accidentally pushed some Buy It Now function and purchased it. But I hadn't. So I turn to the packaging and the boxes, I open them both up, and I look over the tracking label and I find out not only that the invoice has the same sender, and both are intended to come to me, but that they're shipped directly from Nespresso. And they weren't supposed to be; they were supposed to come from some third party. So I turn again to eBay to look at the transaction and compare it to the invoice, and I find out that the seller's name on eBay, let's call her Sue from Chicago, that account holder's name is nothing like the account holder's name on the Nespresso side. We're gonna call him George from Poughkeepsie. In addition, Sue from Chicago had a zero seller rating and had just opened her account a couple of weeks prior. And the only thing she was selling was Nespresso. So at this point I'm starting to think, this looks a little bit like fraud. So I decide I'm gonna escalate, I'm gonna find out, and I call Nespresso. A little bit reluctantly, because I'm sort of greedy and I would really like to keep the machine. So I explained to customer service that I had not ordered the machine, but I had ordered the coffee, but I hadn't purchased it directly from Nespresso, but instead from eBay. And so she could confirm to me, essentially, that yes, in fact, George from Poughkeepsie's credit card had been charged for both items.
So I said, you might wanna call George and let him know, or I'd be happy to call George and explain what's going on, and find out whether he really had intended to send me this really nice gift. She noted that, but she said she wouldn't give me his number. So I had no way to prove any of this, but I kept thinking, this has definitely gotta be fraud, but it wasn't clear to me who was losing out in the game. But I told Nespresso, please send me a prepaid mailing label, and once I got it, I would happily send back their machine. This is a ploy, you know, because manufacturers never want the machine back. She took my information, sent it to the fraud department, and then told me to watch my mail, and if they wanted it back, the fraud department would send me a label. I obviously still have the machine. But my ethics are restored, right? I've reported the fraud and I get to keep the machine.

In the meantime, I still can't quite figure out what's happening. So I Google around a bit and it brings me to the Krebs on Security site, and I find this graphic and it helps me explain sort of what might be happening. So this is triangulation fraud, and if you're not familiar, you've got a three-part triangle there, and the whole trick is to convert a line of credit into cash using the seams that happen between companies. And the last step in that chain is the mule, is what they call the mule. That's the person who's doing the cash conversion. The fraudster steals somebody's PII and establishes a credit line, or they just go to a carding site and get a card. The fraudster identifies a major company, in this case Nespresso, and they're selling semi-luxury goods, and they set up an account with that company. The target company usually has really reliable, fast shipping and a simple account system that doesn't have too many security checks to it.

Then the fraudster sets up their eBay account, sets up a fake profile, and starts selling stuff super cheap. When the auction completes, the unsuspecting buyer sends their money to eBay and they have now become the mule, right? They have given the fraudster the cash they need, but remember, the fraudster's selling something they don't actually own. And the eBay process won't complete until there's a shipping invoice that's generated. So the next thing that has to happen is your fraudster uses the credit card to buy the stuff directly from the manufacturer, sends it to the buyer from eBay, and then the whole triangle is complete, the shipping notification is generated, and everybody's happy. The fraudster takes the money from the sale, pays eBay its commission, and relists more items. It's a seamless triangle; the buyer has no idea that they're a mule and all they know is that they're getting a really good deal for really legit goods, and so the incentive for everyone is to continue to participate and keep quiet. Unless of course that buyer is me, and you somehow sent me an espresso machine that I didn't order, and I really wanted to know why I got the extra machine, because I had already been made happy by paying half price for my coffee.

So I had two theories. One, this person or persons sucked as bookkeepers, and so I imagined that maybe they were copy-pasting from an Excel spreadsheet into the manufacturer's website and had accidentally sent me an extra coffee maker. Or two, maybe they wanted to buy my love. Like maybe these triangles are so fragile, the setup of these accounts and the burn of these credit cards are so fragile, that they're trying to make me super happy so that I won't question it and then I'll just keep buying. So the right thing to do, now that Nespresso had given me this coffee maker, was to embark on a campaign of research and buy more coffee.
I know, I know, you're thinking I'm a terrible person, but first, this is called Confessions for a reason. And second, I'm still guessing this is fraud, but I don't really know, right? Like, how big is this operation? So I needed more data. And specifically I didn't just need more data from the one seller. What I wanted to know is if this is some sort of criminal underground gang, like a Nigerian prince scam or some IRS gift card scheme, right? This should be happening at scale in some way. So I generate a series of questions. I've way overthought this, by the way. I generate a series of questions, and I try to figure out who these thieves are. To be clear, there are plenty of thieves on eBay. I just wanted to find these ones specifically, alright? So I ask: are there other accounts? Can I find those other accounts? How fast do those accounts burn? And most importantly, can I get them to make the same mistake twice? Can I get them to send me more extra free stuff? There's no greed in this. It's fine.

Using eBay's auction search tool and the initial account as the template, I try to find other recently created accounts with zero ratings selling Nespresso. So three things. I need them to sell Nespresso. I need them to have a zero rating. And I need that account to be relatively new. If the fraud triangle is sloppy, as I think they probably will be, then there's probably some laziness. There's some duplication in descriptions and the use of images, which makes the search easier. If these triangles are fragile, that means they burn really fast and I have to look at them often, like every day. Alright? So, eBay lets you automate these searches. So I set my template and I set the search for 200 capsules at $99. I search for espresso machines as well, but it doesn't create any good pooling data. So I stick with just looking for capsules.
And each day I get in my email inbox a report of the results, usually 100 or so, and I have to weed through them. At the outset, it's a little bit hard. It takes me time to find my specific set of coffee thieves, because while it's easy to find someone selling a lot of coffee, it's harder to figure out when the account is brand new and when the account has a zero rating, and that's actually due to eBay's design. So if you look up at the image, you will see those stars up there. One would think that that's a seller rating. That's not a seller rating. That is actually a generic review of what people think of Nespresso coffee. But it makes the buyer think that that might be a seller rating, and so you feel calmer, you feel like you're more reassured. In fact, they bury the seller rating for brand new accounts near the bottom in tiny font. And then similarly, you have to click through to find out when that account was built. Now, that takes some time. But the good news is that eBay's website wants to help me, right? So every time I do this search and I resolve it, it's watching me do that. And so even when my clicks proved unsuccessful, it would offer, on the bottom of the screen: here are some similar items, maybe you want to buy from these people. And so often I ended up uncovering the accounts that I was looking for through their own website offering stuff to me.

So like a good researcher, I created a spreadsheet to track each of the unique accounts with their opening date, with their ratings over time, and eventually when the accounts go dormant, everything they sold and how much they profited. Then I selected two accounts opened within six days of one another. With those two accounts, I made two separate purchases to try and see if they could send me extra stuff. A week later, I received 200 pods of coffee, plus 200 pods of coffee.
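The account-hunting procedure the speaker describes above (sells the brand, zero rating, brand-new account, under-retail price, reused images and descriptions, accounts that burn within weeks) written out as a small triage script. This is an added example, not code from the talk and not anything eBay provides: the `Listing` records and daily snapshots are constructed, the 30-day account-age and 75%-of-retail thresholds are assumptions, and a real saved-search export would have to be parsed into those records first.

```python
"""Triage of saved-search snapshots for triangulation-fraud signals.

Added example, not code from the talk. Encodes the speaker's three criteria
(sells the brand, zero feedback, brand-new account) plus a price-vs-retail
check, linking of accounts that reuse images/descriptions, and how quickly
each account burns. Thresholds and all listing data are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
import hashlib
import re

RETAIL_UNIT_PRICE = 0.70   # talk: Nespresso pods run about 70 cents apiece


@dataclass(frozen=True)
class Listing:
    observed: date          # date this saved-search snapshot was taken
    seller: str             # marketplace account name (constructed)
    account_opened: date
    feedback: int           # seller rating count at observation time
    qty: int
    price: float
    image_id: str           # stand-in for a hash of the listing photo
    description: str


# Constructed daily snapshots; not real marketplace data.
SNAPSHOTS = [
    Listing(date(2018, 8, 20), "sue_chi", date(2018, 8, 6), 0, 200, 99.00, "img_a1",
            "Nespresso OriginalLine 200 capsules assorted FAST SHIP"),
    Listing(date(2018, 8, 20), "coffee_dealz", date(2016, 3, 1), 412, 200, 139.00, "img_zz",
            "200 Nespresso capsules, open box"),
    Listing(date(2018, 8, 20), "george_p", date(2018, 8, 12), 0, 200, 99.00, "img_a1",
            "Nespresso OriginalLine 200 Capsules Assorted fast ship"),
    Listing(date(2018, 8, 27), "sue_chi", date(2018, 8, 6), 1, 200, 99.00, "img_a1",
            "Nespresso OriginalLine 200 capsules assorted FAST SHIP"),
    Listing(date(2018, 9, 3), "george_p", date(2018, 8, 12), 0, 200, 99.00, "img_a1",
            "Nespresso OriginalLine 200 Capsules Assorted fast ship"),
    Listing(date(2018, 9, 3), "newbie_x", date(2018, 8, 30), 0, 200, 95.00, "img_b7",
            "Nespresso pods x200, mixed flavours"),
]


def unit_price(l: Listing) -> float:
    return l.price / l.qty


def is_suspect(l: Listing, retail=RETAIL_UNIT_PRICE, max_age_days=30, max_ratio=0.75) -> bool:
    """Brand-new, zero-feedback account selling well under retail (thresholds are assumptions)."""
    age_days = (l.observed - l.account_opened).days
    return l.feedback == 0 and age_days <= max_age_days and unit_price(l) <= max_ratio * retail


def suspect_sellers(listings) -> list:
    return sorted({l.seller for l in listings if is_suspect(l)})


def fingerprint(text: str) -> str:
    """Normalise case, punctuation and whitespace so lazily copied descriptions collide."""
    norm = " ".join(re.sub(r"[^a-z0-9 ]", " ", text.lower()).split())
    return hashlib.sha256(norm.encode()).hexdigest()[:12]


def link_accounts(listings) -> list:
    """Cluster suspect accounts that share an image or a description fingerprint (union-find)."""
    parent = {}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    first_seller_for_key = {}
    for l in listings:
        if not is_suspect(l):
            continue
        parent.setdefault(l.seller, l.seller)
        for key in (("img", l.image_id), ("desc", fingerprint(l.description))):
            if key in first_seller_for_key:
                parent[find(first_seller_for_key[key])] = find(l.seller)
            else:
                first_seller_for_key[key] = l.seller
    clusters = defaultdict(set)
    for s in parent:
        clusters[find(s)].add(s)
    return sorted(sorted(c) for c in clusters.values())


def account_lifetimes(listings) -> dict:
    """Per seller: first seen, last seen, and whether it vanished before the latest snapshot."""
    latest = max(l.observed for l in listings)
    seen = defaultdict(list)
    for l in listings:
        seen[l.seller].append(l.observed)
    return {s: (min(d), max(d), max(d) < latest) for s, d in seen.items()}


if __name__ == "__main__":
    print("suspect:", suspect_sellers(SNAPSHOTS))
    print("linked:", link_accounts(SNAPSHOTS))
    for s, (first, last, dormant) in account_lifetimes(SNAPSHOTS).items():
        print(f"{s}: {first} -> {last}, {(last - first).days} days, dormant={dormant}")
```

On the constructed data the two accounts that share a photo and a copy-pasted description end up in one cluster, the established high-feedback seller is never flagged, and the first account disappears from the snapshots after a week, which is the "burn" the speaker was timing. The description fingerprint deliberately ignores case and punctuation because the only difference between the two copied listings was capitalisation.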
Then a few days later, I received 200 pods of coffee, plus a brand new milk frother. Retail value $119. I didn't really care for the frother because I wasn't really a cappuccino person, but I tried it out and it turns out it's really amazing. So thank you, fraudster overgiver. I have upgraded to cappuccino. Remarkable, really. But more importantly, I found them. I found them, right? And so by looking at these two brand new accounts, buying from these two accounts opened at roughly the same time, I had managed to locate them, right? They were, yes, using the same images, yes, using the same descriptions. I tried to write them emails and chat back and forth, ask for different flavors of coffee, sometimes just to say hello. But they never wrote back. I also did, by the way, look on eBay's reports page to try to report these accounts, because I realized, like, this is not good. I shouldn't participate in this, right? So it turns out you can't report fraud on eBay's website if you actually receive the item. So there's a thing for didn't receive the item. There's a thing for damage to goods received, but there's nothing for I got extra stuff and I'm trying to report this, right? So it didn't work out. So anyway, okay. So I give up, right?

So we're now three orders deep in my research campaign. I isolate two other closely paired sets of accounts. I complete another two purchases and the first order arrives again: 200 pods, 200 more pods. Alright? So I get twice the amount of coffee again, but with the second one, something finally interesting happens. The fraudster wrote me a letter. It looks like this:

Hello, friend. First, thanks a lot because you choose my listing to buy. Second, I'm so, so sorry because this product is not in best condition so I can't send it to you because I will always want everything best for you. My mom has sick on hospital now so I can find any other item best condition to ship to you and I have to go to the hospital with her now. So I hope you understand for me and let me cancel odor. Thank you and God bless you.

What a nice guy. And my money was refunded to me. So of course I replied: I'm super sorry your mom is sick, I will order again in the future. That account did close about a week later. I was weirdly sorry to see it go, but it was a super polite fraudster and I really hope his mom is okay.

On the research side, I took that letter, of course, as data. I spent a few hours searching for a tool in my wild imagination. I was hoping that perhaps someone had created, like, an English-language grammatical error guesser, right, and that it would somehow be a crappy version of Google Translate, except it would attach what other language might be making these mistakes. Turns out that tool doesn't exist. Project for you. In its place, in a moment of poor judgment, I decided to ask my friends who speak other languages whether or not these errors looked familiar. Nobody seemed to know what I was talking about and it started to feel a little racist. So I stopped that line of inquiry pretty fast. But I'm also, you know, broadly aware that fraudsters will emulate not being able to speak English to kind of throw you off their trail, so I don't actually know whether or not they're domestic or located in the US.

So anyway, at this point the whole coffee thing had gotten way out of hand. My conscience is weighing on me. My kitchen is a complete disaster and it's time to stop this game. It really is. I don't need that much coffee, and I was at about a hundred dollars per data point; like, each time I'm paying about a hundred bucks to learn more about these people. I am not independently wealthy. This is not a sustainable venture. So okay, so here's the final tally. This is a version of my spreadsheet. All those accounts are dead now. So: five attempted purchases. Four were successful. 1200 pods total. One frother. One espresso machine. I spent just under four hundred dollars.
The value, again not on sale, and Nespresso has good sales, by the way: just under a thousand dollars of goods received. In October I took all this data that I'd collected, complete with the names from the invoices, the accounts, and everything that I had in paperwork, and I sent it all to the FBI to try and see if they could figure out something to do with it. I also reported all of this to eBay and anybody else who would listen. I never got any response back from the FBI, but 30 days following that report the activity seemed to stop. So maybe something happened. As far as finding out who these people were, I didn't have very much. I really wanted to uncover some kind of cool underground, like, credit card scheme from Morocco or something. But it didn't happen. None of that was in the offing. But this isn't a hero story, right? It's a confession.

So here's what I learned. When I started telling people this story, when I started explaining what was happening to me, people often told me that this was a victimless crime. The more I thought about it, that's just not true, right? The little I do know about George from Poughkeepsie, because I did a lot of research on him to try to figure out if I could contact him, and some of the other account names, is that they were all over or at retirement age. We're talking about a vulnerable population here, right? And these aren't victimless crimes, as the victims don't know how to mitigate the damage that's happening to them. They don't even know what's going on. Recovery from identity theft works for people who are equipped to deal with it, but not the elderly. And so we're just not far enough along in this nation in trying to figure out how to protect those people.

Two, for this kind of scheme, it's easy to be unknowingly complicit. It's also super easy to be knowingly complicit. And this is a story about thresholds. So under a certain threshold, the incentive is to cheat. eBay doesn't care. Nespresso doesn't care. At the end of the day, you're getting your goods for cheap. So your incentive is to cheat as well. If it exceeds a threshold, everybody gets excited. But before then, it's all priced into the market. The insurance carriers have got it. Everyone's got it covered. eBay's got themselves covered. And so really the only person who's going to stop it is you or me. So I've stopped. I won't do it anymore. It's not okay. All I have left is this confession, and I promise to walk away from all of this. And I have a lot of coffee.

But maybe I can do one last good thing. So up for auction is this wonderful, gently used Nespresso machine. Whatever coffee is left, you can have it. Bidding, this is a terrible idea by the way, bidding starts right now, as soon as I can post it on my Twitter account. Just go ahead and bid. It's cash only. The bidding ends tomorrow at 10 a.m. You can come pick it up at the Tamper Evident Village, by the box. Please don't be a jerk and bid and then not show up. All of those proceeds will go to the Diana Initiative. And I promise, you'll watch all that transaction. It'll be totally transparent. It'll be online. But definitely, if you don't show up, you'll have the force of public opinion. And if this all falls apart, well, it's DEF CON anyway. That's my Twitter handle. It's nothing like my handle. But I will flash this again. But I just want to say one last thing, which is thank you. You guys are awesome. And shout out to my mom and my dad. Alright. So that's my Twitter handle. So if you're interested in owning this little baby, it's all yours. Bidding starts at a dollar. Just wait for me to go ahead and raise the Twitter account. Thanks.