
Technically savvy attackers keep coming up with new ways to make money, some of them quite unexpected. The other day an attacker was identified on Kickstarter who had introduced a new fraud scheme: he pledged money to support a project (sometimes the maximum possible pledge), waited for the campaign to complete successfully and for the rewards to start shipping, and then demanded his money back from the payment system (a chargeback).
During this window the money has not yet been finally deducted from the attacker's credit card, and in that period an order can usually be cancelled and the money recovered. In a normal online purchase it is simply impossible to end up with both the goods and the money, because the store owner charges the buyer's card at the moment the goods are shipped.
In the case of Kickstarter, however, the situation is slightly different. Even though the funding campaign completes successfully and the goods are subsequently shipped to the people who pledged, the campaign creator does not charge those people's cards. The money is debited by the payment processor, in this case Amazon Payments, and that system has no way of knowing whether the person requesting a refund has already received the product.
This makes it possible to pledge to a Kickstarter campaign near the end of its funding period (by then it is easy to tell whether the campaign will succeed), wait for the campaign to close and the goods to ship, and only then request a chargeback. The money is usually returned to the card without further investigation (as far as the payment system knows, the goods have not yet shipped), and the attacker ends up with both the goods and his money.
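The gap described above is that the party deciding on the refund never sees the fulfillment data. One defensive check a campaign creator or processor could run is to reconcile incoming chargeback notices against shipment records and flag disputes raised after the reward was shipped, and to count repeat disputers across campaigns. The following is an added example written for this article, not code from Kickstarter or Amazon Payments; the `Pledge`/`Chargeback` records and all sample values are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Pledge:
    pledge_id: str
    backer: str
    amount: float
    shipped_on: Optional[date]  # None if the reward has not shipped yet

@dataclass(frozen=True)
class Chargeback:
    pledge_id: str
    disputed_on: date

# Constructed sample data: one backer ("bob") pledges the maximum to two
# campaigns and disputes both after shipment; "carol" disputes before shipment.
PLEDGES: List[Pledge] = [
    Pledge("P1", "alice", 25.0, date(2012, 5, 10)),
    Pledge("P2", "bob", 1000.0, date(2012, 5, 12)),
    Pledge("P3", "carol", 50.0, None),
    Pledge("P4", "bob", 1000.0, date(2012, 6, 1)),
]
CHARGEBACKS: List[Chargeback] = [
    Chargeback("P2", date(2012, 5, 20)),
    Chargeback("P3", date(2012, 5, 1)),
    Chargeback("P4", date(2012, 6, 15)),
    Chargeback("P9", date(2012, 6, 16)),  # no matching pledge: ignored
]

def flag_post_shipment_chargebacks(
    pledges: List[Pledge], chargebacks: List[Chargeback]
) -> List[Tuple[str, str, float]]:
    """Return (pledge_id, backer, amount) for disputes filed on or after the
    shipment date. Disputes on unshipped rewards are legitimate refund cases
    and are not flagged; unknown pledge ids are skipped."""
    by_id = {p.pledge_id: p for p in pledges}
    flagged = []
    for cb in chargebacks:
        pledge = by_id.get(cb.pledge_id)
        if pledge is None or pledge.shipped_on is None:
            continue
        if cb.disputed_on >= pledge.shipped_on:
            flagged.append((pledge.pledge_id, pledge.backer, pledge.amount))
    return flagged

def repeat_disputers(
    pledges: List[Pledge], chargebacks: List[Chargeback], threshold: int = 2
) -> Dict[str, int]:
    """Count post-shipment disputes per backer and return those at or above
    the threshold, so a pattern across campaigns surfaces even when each
    individual campaign sees only a single chargeback."""
    counts: Dict[str, int] = {}
    for _, backer, _ in flag_post_shipment_chargebacks(pledges, chargebacks):
        counts[backer] = counts.get(backer, 0) + 1
    return {b: n for b, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for row in flag_post_shipment_chargebacks(PLEDGES, CHARGEBACKS):
        print("post-shipment dispute:", row)
    print("repeat disputers:", repeat_disputers(PLEDGES, CHARGEBACKS))
```

The point of the second function is that, as the article notes, a single campaign creator only sees one suspicious chargeback; the pattern is visible only to whoever holds fulfillment data across many campaigns, which is why the check belongs at the platform or processor level.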
This is the method of deceiving campaign creators that the Kickstarter user Encik Farhan chose (it is unclear whether this was one person or a whole team). He made more than a hundred pledges, sometimes at the maximum amount, waited for each campaign to close and ship its goods, and then demanded his money back.
He was tracked down entirely by accident, and not by the platform's security system but by one of the Kickstarter campaign creators. That creator had received the required amount for his project and shipped the goods to all backers, and then got a letter from Amazon Payments saying that one of the backers was demanding his money back. Fortunately, this backer was the only one who had made the maximum $1,000 pledge, and after the victims investigated further, the Kickstarter team finally paid attention to the situation.
Encik Farhan's account has now been blocked, his chargebacks have been cancelled, and Kickstarter and Amazon Payments are working to make sure such situations do not recur. Why this was not done earlier, given how predictable the situation was, is anyone's guess.
Via theverge