[ic] Heads up about a security flaw with UPS's new Delivery Intercept service

Louie Martinez louie at kopykake.com
Tue May 8 19:48:51 EDT 2007

On friday morning my company received a number of orders through our
interchange web store. The odd thing we first noticed was many of the
orders were similar, 2 of the same item at $250 a piece. Our invoicing
and shipping systems are all tied into interchange so the orders were
shipped out friday afternoon to be sent 3 day select.

On Monday morning is when we noticed the orders were all similar so we
called UPS to use their UPS Delivery Intercept to stop the products from
being delivered since it appeared to be fraud. Each order used
legitimate information for the credit card and card holder address,
going to a variety of different places in the US. When we called UPS to
stop the orders, they had told us that we had called earlier that
morning to have all those orders redirected to a new address in Maine.
UPS had went ahead and had the orders redirected to Maine because all
they asked for was the tracking number (which was automatically emailed
out to the customer's email address they provided, friday at end of day
when we closed out our shipments for the day in UPS Worldship), our UPS
shipper ID (which is the first 6 digits in the tracking number after the
1Z...  duh) and our company address (which is on our website).

So the person who ordered all these items called them up claiming to be
our company and had them redirect the packages to a new address. As far
as the credit card processor was concerned, all the info was legitimate,
and UPS dropped the ball by letting ANYONE with half a brain to request
the order be diverted to a new address. We would have never known until
people started calling us screaming about their credit cards. We just
happened to catch it in time and stop every order.

UPS apparently does not care when we brought this to their attention.
They simply said not to send out the tracking numbers which is idiotic.
Most customers who order online want to track their packages.

So be on the lookout for multiple legitimate orders being placed from
the same IP address. We're just a small company and this happened to us,
so it might be happening everywhere.

Thank you for your time. Sorry to be off topic for this group but I felt
it was best to get this info out there to help other online merchants
protect themselves.
Louie Martinez
Systems Administrator
Kopykake Enterprises
louie at kopykake.com	
(310) 373-8906	(800) 999-5253 (310) 375-5275 FAX

More information about the interchange-users mailing list