Dell: How someone got a free laptop at my expense

2016, May 18    

I received my credit card statement on May 10, 2016 with a charge from Dell computers for close to 4000 dollars.</p>

A call is quickly placed to my credit card company to dispute the charge as I never ordered anything from Dell lately.  I'm told my credit card will be cancelled and a new one will be sent through the mail in approximately a week.  Near the end of the call my bank suggests that I speak with Dell regarding this if I want to find out some information on my own.

First I login to my dell account that is protected by a 17 character password consisting of mixed-case numbers and letters to see what's happening.  The only thing I see is my last order dated January 2016.  I call Dell and try to find out what's happening here.

Lo and behold when I start speaking with their customer service they ask me if I'm enjoying my new Alienware laptop.  Interesting.  I quickly respond saying that I never placed the order, my credit card has just be cancelled and that this is a fraudulent transaction.

The representative explains to me that I placed an order on April 6, 2016 for an Alienware laptop.  This laptop was delivered to my home address on April 14, 2016 at 1:10PM and was signed by myself!

I ask why I don't see this order on my online account?  No answer.

I immediately assume that someone created a second account with all my personal information and ordered it that way.  They can't confirm.

I ask whether or not they log ip addresses on a purchase since I've had a static ip for close to 10 years now.  Unknown.

I must wait until they "investigate".

Meanwhile, I'm on the phone getting my credit report to see if this breach is further reaching.

A call is received from the shipping company the next day asking me about the package.  They send me the signature of the received package.   The signature is clearly not mine or anyone else's at the residence.  Interesting.

Tuesday, May 17, 2016 I receive an email stating that my card has been reimbursed.
I call up Dell to try to get some more information the same day.  What a nightmare this was!

Transferred 3 times, reps who can't help and are rude.   I had one who directly accused me of trying to scam Dell.  What a joke.

I finally get through to a manager.  I try to explain the situation for the fourth time now.  I keep asking about the secondary account as I still to this day do not see the charge under my Dell account.  He puts me on hold and does a "refresh" on the account.  Suddenly, I see the fraudulent charge!  I ask why this charge wasn't on my account in the first place?  Some unacceptable response and continues to blame me for not checking my credit card bills.  Unbelievable!

I cannot screen for fraud on Dell because their order system is obviously broken.  I've never heard of a company that does not show the items ordered under your recent transactions.  This is a HUGE security issue and according to your customer representatives this is commonplace.

Furthermore I asked if it's normal for a transaction ie. 4000 dollars to pass without any communication regarding the legitimacy of the order.  As I've seen in the past, Apple caught a fraudulent charge before they processed it for around 1000 dollars.  This "manager" said they absolutely do not and they routinely let 20,000 dollar transactions on a non-business account go through without batting an eye.
Now I know that my actual account was compromised.  The account is obviously still active as I was logged into it.  Unbelievable!  What sort of company does not lock an account once fraudulent activity has been reported?  I asked for the account to be deleted and I can't login to it at the moment.  The question is if it's deleted or merely closed could not be provided.  Typical.

Now the burning question is how was this compromised in the first place.  Dell doesn't seem to care as they tell me my original account was used to make this purchase and yet still kept it active after all this.

I'm not sure if Dell accounts store credit card information or not.  I never got the chance to look.  If they do then an account breach would make it easy to order something if the credit card is on file.  If not, the breach widens considerably.  The question is how did the attacker get the username and password combo?

As previously mentioned this is a relatively secure password when compared to most.  A 17 character password consisting of mixed-case numbers and letters stored in a password manager with a 30+ character password on an encrypted filesystem is doing my due diligence.  I find it quite unlikely it was taken from my machine.  The security of third parties; who knows.

Now to the question regarding the supposedly "delivered" package.  There can only be two possible explanations here.  The delivery person came to the address and signed for the package himself (to get around the gps tracker) or the actual thief was waiting in or around my address.  The later is disturbing but most likely the case.

Over the years I've had lots of people who have delivered packages to my door.  Sometimes you might catch the delivery person while exiting or entering your premises.  Sometimes they state they have a package for Mr/Mrs X, while others ask who you are in relation to the name on the package and others simply don't care.  The fact that the thief already had my information made it quite easy to impersonate me but in my case they didn't attempt to forge my signature.

The signature in question.

The signature in question.

I have to wonder what this person actually did?  They knew from the tracking details that a package was on the truck for delivery at 8:18 AM, so were they actually waiting around my residence all that time until 1:10 PM?  Does this not set off red flags for the delivery person?  What happened after the thief signed for it?  Pretend to walk towards to residence or say they were walking to their car?

All I know is that this is quite the lucrative scam.  The lack of an invoice on my compromised account did not help matters as the only way to discover the fraud would be to wait for the package to show up at my residence (if the thief didn't catch it) or wait for my credit card bill. I only got a true notification a month later via my credit card statement.  Good luck trying to find what happened in the meantime.

This laptop would have been flipped on Craigslist, Kijiji or even Ebay by now.

All I know is that due to the discussion with these customer representatives today you no longer have a customer.  My account has been deleted by my request, more than likely not purged.

The lack of true follow up detailing the situation along with the above mentioned security issues are enough reasons to take my business elsewhere.

The business structure of Dell along with those of other companies inhibits any real dialog and seems genuinely uninterested about the actual cause and prevention of incidents like mine.

Nobody has any real authority to get real answers and solutions.   The notion of executive customer care has long since been supplanted by the call center buffer.

Here's some interesting articles:

Ottawa Police warn of delivery scam

Latest tech support scam stokes concerns Dell customer data was breached
Scammers know customers' phone numbers, PC serial numbers, and support history.

2016-05-26

I'm starting to receive the Dell automated junk mail delivered to my door for the rest of my natural life. It's such a nice reminder of past events.

Alienware mailer front. Alienware mailer back.

Still no response to my emails that were sent to my original contact at Dell. No return phone calls either. Unacceptable.

2016-06-16

Dell decides to send me the same junk mail as posted above and I mean EXACTLY the same!  Did they think I lost a copy?