37 comments

[ 3.2 ms ] story [ 77.5 ms ] thread
(comment deleted)
Schiit Happened is one of the best HW startup book I ever read, so many gems inside. Somebody extract the chapters from the forums and created pdf out of it (with permission of author) and you can download it from here: https://mega.co.nz/#!RU0SVD5I!9Dn7tK_tXDvjoRCfJ7vV5JFn43-lu1...
I wish I could upvote you, but HN doesn't let story submitters upvote first level comments.
What? It doesn't let story submitters downvote, but upvoting should be possible.
Yup, can't up or downvote. I suspect its a bug, I should be able to upvote.
Is the linked story in that book? The chapters don't line up.
Nope. Chapters from 2015 (last three) are not included.
The three newest chapters form a new book, starting again at chapter 1. The linked story is from the new book, the pdf is the old book.
Schiit is probably my favorite start up of all time, and it is great that they're writing about it, and I suggest everyone read the entirety of the Book of Schiit.

The Book of Schiit TOC is here: http://www.head-fi.org/t/701900/schiit-happened-the-story-of...

Disclaimer: I have a Schiit Bifrost Uber USB and Schiit Asgard 2 on my desk. They are amazing, worth every penny.

Why isn't there a centralized black list of addresses that are known to have received fraudulent orders? Just like with IP addresses that are known to have spammed.
Dynamic IPs, proxies, (purposely or accidental) open APs, stolen phones, etc.
So what? Dynamic mailing addresses?
He's referring to physical addresses, not "IP" addresses.
It's been a while since I've done an integration with fraud prevention systems, but the credit bureaus do offer functionality like this - for instance, they can give you a red flag back if an address has been used by a number of different identities within a certain time period. This is important because often times a scam artist will have a drop that's been working well for them and they will use it for multiple scams simultaneously.
You can use Blockscore (YC S14) for this. When you verify a user's identity, the result tells whether the address has a history of high risk activity
There are but think more deeply about it. If someone uses a vacant house as a drop and then someone moves in, should the new owners / tenants be penalized? What about mailbox services with a shared address? I personally use a UPS Store for all my mail. If it was blacklisted I wouldn't be able to order anything online.
Of course it would be just as problematic as blacklisting IPs, if not worse. But at least it is something.

First of all, you don't block the order if billing and shipping addresses are the same, even if blacklisted. Another important thing would be, an address is blacklisted only in the case of a proven fraud, not just suspected. Next, apartment/house sharing would be problematic for the tenants, well then co-habitants or the landlord will have a good reason to throw the fraudster out.

>well then co-habitants or the landlord will have a good reason to throw the fraudster out.

But how would the landlord or co-inhabitants know? And even if it were proven, it would still not be a straightforward task to deal with such people.

The aggressive self-righteousness described in the article is very typical of criminal types. This makes them very convincing at playing the victim when they are challenged. They can very easily turn the tables on you, even to the point where you are the one facing sanctions, and even paying compensation.

There are many.

However, they're usually curated and distributed for enterprise customers, which means you may be paying a huge subscription fee (6 figures yearly wouldn't be uncommon) for access to that list.

Fraud is such a big problem that companies can easily charge a massive premium for anti-fraud services and software.

(comment deleted)
Just finished the book, and yes it's probably one of the most inspirational books on startups out there. Getting too technical at times, then too businessy...

Got me thinking that this is a kind of an open-source business. Apart from financials pretty much everything else is done openly through this "ongoing book": R&D, production issues, sales, customer support. Kudos to this guy and a big thank you for sharing all this.

(Though I still don't get the reasoning behind the name of the company. I honestly wouldn't have bought anything from them if not this brilliant book.)

(comment deleted)
I can't say I understand the name either; I think it may have been a mistake. But I am a happy owner of a Schiit amp and DAC, and I absolutely love their startup tales, so they could call the company "Horse Fuckers Ltd." for all I care.
The name you give is a statement of a kind. Like it or not it's your attitude towards your own products and your customers too. Schiit was meant to be cheap but great quality, so I could interpret it as "somewhat sophisticated shit", hence the unusual spelling. I know, it was meant to be funny and slightly controlversial, but you always have a wide choice of names that meet both criteria. And what you choose in the end is your statement.
It's good to see a business sharing stories of having been scammed - a lot of times start-ups are so involved in the process of growing the business and making sales that they forget to remember to train their sales team to have good operational security.

A start-up that I worked for got taken for over $100K by a scam artist who, believe it or not, used a picture of a famous middle-eastern leader on a fake driver license to open an account - I'm not kidding. The guy was instantly recognizable from any recent TV news story, and yet the scam artist pasted that picture onto a drivers license (that had otherwise legit information on it) and faxed that in when he opened an account. After opening the account, the scam artist then filed a change of address, which shifted the shipping destination from a swanky neighborhood full of mansions (where the scam artist had stolen an identity from) to a dilapidated building in a really bad part of town. The operations team didn't catch any of this, and shipped the merchandise.

They were only able to get the feds to catch the guy when he showed up and tried to pull off a second heist a few months later.

I suspect the photo was a kind of test to see if the target was asleep at the wheel. If the photo had been instantly recognized, the scammer would have simply moved on in search of softer targets.
It is a kind of reverse Pons Asinorum.
The irony of it was that they already had a whale on the hook. The person whose identity that they had stolen was someone with an incredible net worth. They actually had direct access to his bank account and funded the account on our side with an ACH transfer. The bank reversed the transfer once the guy figured out his account had been hit, but by then it was too late on our side and the goods had already gone out the door.

I have no idea why they used that picture - they took a template driver license, populated it with the guy's personal information, pasted the picture on it, then faxed it to us. I suppose they figured it would be so grainy from the fax that it wouldn't be obvious, or maybe they just did it for the lulz.

"No processor, no matter how good, and no matter how iron-clad their policies may seem, will take 100% liability for scammers. Yes, even PayPal, with their “100% guarantee against fraud.” This is the reality. There’s a lot of fine print for them to hide behind."

My experience having a merchant account that accepted credit cards was that payment processors accept absolutely NO liability. The merchant pays 2-3% (more for AMEX) and is usually on the hook for 100% of the fraud.

Exactly. If there is a chargeback, it's a chargeback. That comes straight out of your merchant account, you don't get paid.

Further, your monthly fees and percentage may go up if your chargeback rate is not kept at a reasonable rate... IIRC there is a fairly direct relationship there. If you can manage to be a low-chargeback account, you can negotiate better deals.

Get a better processor then. MIDs will fight for you, because of the intermediary fees.
Great post, and something not many people consider when starting a startup.

This happens with any mid-high ticket item you sell, unfortunately. I ran a hosting company for 6 years and we had rampant fraud even back then. The "tells" were often the same--high-$ orders submitted by someone who hadn't talked to you first, etc.

I do remember a couple of gems from my time running the company. Once, I had a friend who lived in the UK at the time call during UK business hours to verify that a customer had actually placed a large order. (This was back >10 years ago when calling the UK from the US was quite expensive--it was easier and cheaper to have my friend call!) It turned out the order was for real, and we got a happy new customer.

On the flip side, we had a customer order and pay for a server for 6 months with no usage. Suddenly he started using it--for spam! Usually when this happens it means the server has been hacked. Not in this case, however. The dude was a bona fide spammer wanted by the FBI. We seized the server, called the FBI and reported it.

The guy had the nerve to then charge back ALL of his 6 months of hosting through Amex. (Turns out that was part of the scam--Amex allows you to charge back exactly 6 months of purchases.) We filed a counterclaim with Amex, but they sided with him (any merchant who accepts Amex will not be surprised by that story.) We contacted Amex directly letting them know their card holder was a spammer, but he charged tens of thousands of dollars a month on the card and we got nowhere. I suspect in this day and age of social media, we would have gotten a lot farther with it.

Years later, I heard Microsoft, of all companies, finally tracked him down and got him arrested: http://www.nbcnews.com/id/18955115/ns/technology_and_science... He had the nerve to use his real address with us, too, which I hope helped the FBI's case. I have the dubious honor of having talked to him on the phone when he was spitting mad after we shut his server down.

There are some real whackjobs out there. Unfortunately, you'll often meet them when you run an online business.

So how do you prove yourself if ID is no longer accepted? It does happen that I travel to somewhere and need various stuff stat. Especially if it's a consulting gig stretching to months. You can't prepare for everything, hell, sometimes you can't prepare for anything, it's just put down the phone, throw clothes in the suitcase, airport, next you can breathe a little you are on another continent. Crazy life.

Obviously, I only have a Canadian credit card. In the past, this was settled via a quick passport and/or credit card scan. And I understand you guys... but please understand me as well.

Do you buy lots of high end audiophile stuff on very short notice for consulting gigs? If so it seems like cultivating a personal relationship with your vendors would probably pay out in spades. If not, I'm not quite sure what your problem is unless you need high end audio gear in every hotel room you visit?
No, but I suspect if high end audio gear dealers rule ID scans out then others will too.
Not to be spammy or anything, but since I had a great response to helping out four different teams with fraud detection, I'll drop this here:

If anyone experiences things like this, or are wary of it happening to your business/startup/whatever, and would like some advice on how to either avoid it or identify it, my email's in my profile.

I wrote the book.