Fitbit, warranty fraud, and hijacked accounts

Online account hijackings usually end up with the account owners being the main victims, but there are fraudsters out there who are more interested in ripping off companies than end users.

Case in point: recent warranty fraud attempts aimed at Fitbit, the company that creates and sells a range of wearable activity/fitness trackers.

In the last few months of the past year, the company’s customer service employees were bombarded with emails apparently coming from registered customers who bought one of their devices, claiming their device is not working as expected, and asking that the product be replaced.

Seeing apparently nothing wrong with the request – the email came from the email address associated with the registered customer, and contained correct information about the sold device – customer service approved many of the requests and sent a new device to the address provided by the scammer.

But when Fitbit started to notice large caches of data from customer accounts being posted to Pastebin, they became suspicious. They hadn’t suffered a breach, so where was this information coming from?

The most they could determine was that the data was coming from hijacked customer accounts, which had been compromised either by password-stealing malware or by criminals trying out login credentials stolen from other online services (the victims had re-used the same credentials).

According to Brian Krebs, criminals are also selling hacked Fitbit user accounts on underground forums.

The fraudsters would access a compromised account, change the email address associated with it to one of their own, then contact Fitbit’s customer service and make their claim.

Fitbit chief security executive Marc Bown says that they have managed to solve the problem of fraudulent warranty requests by educating customer service employees about the problem and by assigning risk scores to all the requests.

“If we see an account that was used in a suspicious way, or a large number of login requests for accounts coming from a small group of Internet addresses, we’ll lock the account and have the customer reconfirm specific information,” he told Krebs.
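As an added illustration of the two signals Bown describes (a burst of logins for many accounts from a small address range, and a replacement claim that follows a change of the account's contact email), here is a small Python risk scorer run over a constructed event log; it is example code, not Fitbit's system, and the log format, thresholds and weights are assumptions.

```python
from datetime import datetime, timedelta
# Constructed sample event log (not from the article): "timestamp,event,account,source_ip"
SAMPLE_EVENTS = """\
2015-12-01T10:00:00,login_ok,alice,198.51.100.7
2015-12-01T10:00:03,login_ok,bob,198.51.100.7
2015-12-01T10:00:05,login_fail,carol,198.51.100.7
2015-12-01T10:00:06,login_ok,dave,198.51.100.8
2015-12-01T10:00:09,login_ok,erin,198.51.100.8
2015-12-01T10:30:00,email_change,alice,198.51.100.7
2015-12-02T09:00:00,warranty_request,alice,203.0.113.5
2015-12-10T09:00:00,warranty_request,grace,192.0.2.44
"""
LOGIN_BURST = 5                   # distinct accounts logged into from one /24 within WINDOW (assumed)
WINDOW = timedelta(minutes=10)    # assumed burst window
EMAIL_GRACE = timedelta(days=7)   # a claim this soon after an email change is suspect (assumed)

def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, kind, account, ip = line.split(",")
        events.append((datetime.fromisoformat(ts), kind, account, ip))
    return sorted(events)

def burst_accounts(events):
    """Accounts hit by >= LOGIN_BURST login attempts from one /24 inside WINDOW (lock + reconfirm)."""
    logins = [(ts, acct, ip.rsplit(".", 1)[0]) for ts, kind, acct, ip in events
              if kind.startswith("login")]          # failed attempts count too
    locked = set()
    for ts, _, net in logins:
        hits = {a for t, a, n in logins if n == net and ts <= t < ts + WINDOW}
        if len(hits) >= LOGIN_BURST:
            locked |= hits
    return locked

def score_requests(text):
    """Risk-score every warranty request: {account: (score, reasons)}."""
    events = parse_events(text)
    locked, last_change, scores = burst_accounts(events), {}, {}
    for ts, kind, acct, _ in events:
        if kind == "email_change":
            last_change[acct] = ts                  # remember when the contact address was rewritten
        elif kind == "warranty_request":
            score, reasons = 0, []
            if acct in locked:                      # account was swept up in a login burst
                score, reasons = score + 50, reasons + ["login burst from one /24"]
            if acct in last_change and ts - last_change[acct] <= EMAIL_GRACE:
                score, reasons = score + 40, reasons + ["contact email changed before claim"]
            scores[acct] = (score, reasons)         # e.g. hold anything >= 50 for manual review
    return scores
```

On the sample log, alice's claim scores 90 (both signals fire) while grace's scores 0; a real deployment would add the remaining checks the article mentions, such as proof of purchase or return of the broken unit.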

Bown is not sure that offering a 2-factor authentication option is a perfect solution to this problem – after all, someone who reuses his or her password repeatedly across the Internet could not be expected to realize why 2FA is a good idea – but says that they will likely offer it starting this year.

For a European like myself, the idea that a company would so (relatively) easily replace a broken device with a new one without receiving the broken device and/or a proof of purchase from the user first is unbelievable, and it seemed to me that this type of fraud could simply not exist.

Obviously, I was wrong. Comments on Krebs’ post showed me that US companies do, in fact, do such things, because customers would be dissatisfied if they had to wait too long for a replacement.