In the category of “we can’t handle email right” again, or at least, they haven’t convinced me they can: the email that is this blog’s domain name plus .me.com is apparently on someone’s list of “valid emails you can put in forms”, or there’s a tool that exists somewhere to grab an email off one of the numerous breaches that included it, because it gets used by random people around the world to sign up for stuff.
This is definitely an “I’m doing this on purpose” because the name is unusual for anyone who doesn’t speak Bahasa Indonesia, and I have never yet had a fraudulent sign-up from Indonesia.
As I do for my other email, I usually punish them by resetting the password and locking them out of the account. For dating apps I add a really savage profile about how dumb they are.
But every once in a while there’s one I can’t do this for — Capital One, for instance, allowed ROBIN JEAN (yep, it was all caps) to supply the me.com address as their email for a credit card without verifying that it was accessible by their customer. Their password reset requires, if I recall, the account number to do a reset, so there’s nothing I can do about that one except complain every month when the balance email shows up. (We’re three months in; hasn’t helped, though they keep swearing they’ll fix it.)
The one I’m writing about today, however, is one that leaves me gobsmacked. And somewhat alarmed.
On July 1, I got a purchase confirmation from Roblox that read like this (please note that I do not have a Roblox account):
Thank you for your purchase on Roblox, the online gaming platform that is powering imagination globally! Please contact us at roblox.com/support, or call us at +1-855-333-4734 if you have any questions about this charge. Your 6/28/2020 3:11:10 AM order: Item Purchased: Roblox Premium 2200 Item Price: CAD25.99 Next Renewal Date: 7/28/2020 Total: CAD25.99 Billing Information: sdf sdf pemungkah@me.com Visa ending in 1563 sd sd fsd v6e United States Username: 45dfgerdfwerewr Sale ID: 543250908 You will be charged CAD25.99 per month for this service until you cancel. You can cancel at any time by going to the billing tab of the account settings page and clicking cancel membership. If you cancel, you still will be charged for the current billing period. We hope you enjoy your membership!
Let’s just luxuriate in the utterly transparent fakery of that address and username for a minute.
It is blatantly obvious that whoever is using this credit card is not on the up-and-up. So I immediately tried to reset the password. Nope. No password reset email. Well, they allow several other authentication schemes, maybe I can’t reset it this way . I’ll make sure that Roblox Support knows about this; possibly unauthorized, fraudulent charges are most certainly going to be a serious issue for Roblox, and they’ll want to be sure that they’ve protected whoever this actually was, and they’ll take quick action to fix this.
Ha. No.
I spent the next eleven days simply trying to communicate that someone was very possibly committing fraud, that I had evidence, and that maybe they should do something.
Roblox “support” spent that time sending me their form emails about unauthorized charges. Once I battered my way past that, I said, fine, you can’t tell me anything. Please make sure my email is removed from your system.
They couldn’t find it.
I supplied the email with full headers.
Still couldn’t find it.
Do you have any explanation as to how this order ended up in my mailbox, then? Because it certainly was not me or anyone in my household. I would think this would be an issue, that there are orders going out to emails that you don’t have any record of.
Time passes. Crickets.
Then I get the automated “you haven’t replied and we want to close this ticket so our KPIs look good” email. All right, I will explain it carefully so we can perhaps get an understanding going here.
Hi. Look. This should not be as hard to understand as it seems to be. I forwarded you an email I got. It came to my email address, and had my email address in the purchase record. The data in the purchase record is obviously random typing on the keyboard. It’s not my credit card. It is, however, my email. SOMETHING must have created this purchase. There has to be an audit trail that points back to some account that this purchase order is associated with, and some transaction that initiated it. Whatever account it is. Whatever purchase it was. NONE OF IT should be associated with my email. Have I made it clear?
Reply:
To assist with or provide information about any account, we must first verify account ownership. Unfortunately, there is no email address or purchase information associated with the account. Without this information, we are unable to verify ownership or assist further with the account. Please make sure that with any account you create, you add and verify your email address. This will allow us to verify ownership and also allow you to use the reset password feature.
What did I just send you, other than the complete email, with all the headers, containing the account name, the email address, the literal transaction ID for the possibly fraudulent sale…? So I gave up.
I’m guessing that they may actually have caught that it was bogus right away, and immediately deleted the account, and the stonewalling is to prevent me trying to social-engineer my way into, I don’t know, getting them to confirm the credit card is good or something.
I’m guessing that there is a record that this account was deleted because of fraud, but because of policy they can’t tell me that.
But we’ll never know. To whoever owns the credit card, sorry, I did my best. I hope they did protect you, or that you catch the charge and dispute it.
I’ll just say that I don’t feel warm and fuzzy about the whole thing.
Leave a Reply
You must be logged in to post a comment.