The Economy of Online Crime

hdtv writes "You might call the thugs or thieves, but on their own closed forums and referral-only Web sites, they value honesty and reputation. Fortune magazine looks into the black market for stolen credit card numbers and identities. What's interesting is that so few of the criminals retrieve their information via breaking into online stores." From the article: "Gaffan says these credit card numbers and data are almost never obtained by criminals as a result of legitimate online card use. More often the fraudsters get them through offline credit card number thefts in places like restaurants, when computer tapes are stolen or lost, or using 'pharming' sites, which mimic a genuine bank site and dupe cardholders into entering precious private information. Another source of credit card data are the very common 'phishing' scams, in which an e-mail that looks like it's from a bank prompts someone to hand over personal data."

Phising getting more and more "important"

[Opportunist]

No kidding. We're seeing an incredible increase in phishing attacks, either in the form of fake pages (and the corresponding spam mails telling you to go there), or in the form of trojans that hook into the browser.

It's interesting. Place a person, a very clever person, master degree in commerce or law, with a Ph.D., people who're worth their 6 digits a year, place them in front of a computer and you will be amazed. Something inside this computer turns the smartest person into a gullible idiot.

Ok, idiot being too hard a word. But it is VERY intriguing to see people who would never ever fall for a con job in real life to fall without even thinking twice for one online.

And I wonder why. What makes an e-mail more credible than snail mail? If they got a mail from their "bank", telling them to send their CC number or other details, they would NEVER do that. Online? No problem.

Why? Why are online scams so much more successful than offline?

Re:Phising getting more and more "important"

[datafr0g]

Why? Why are online scams so much more successful than offline?

It's easier to attempt to scam more people at a time online, thus the ratio of suckers is higher.
Also, and more importantly, most people still don't understand the internet / web / email, etc and how it all works. So they're going to be in a far more vunerable position online. Most people don't think to check to see what web site that link takes them to - it looks like eBay - that's good enough. Most people wouldn't even think to look at that ugly URL bar in the browser and why would they - they can't make sense of it - dozens of letters, numbers and squiggles.

Learning the internet is like learning another language and another culture in the real world and it can take a great deal of time and experience to get to grips with it. For example, I bet it's much easier to scam a tourist or a new immigrant visiting your local country than it is to scam them in their home country.
You move to a new country - most people will learn as much as they can about it. You want to use the internet? same thing - but how many people are there who really want to learn about it - most people just want to use it but it doesn't work that way. Well it can, but like in the real world - you end up making yourself more vunerable and more susecptable to making mistakes.

Re:Phising getting more and more "important"

[JMemmert]

Why? Why are online scams so much more successful than offline? As far as I understand the mechanisms, there's several at play:

• The technicalities of spoofing an address are lost on most people. So "if it says it's from my bank and it looks like it is, so it must be".
• The second problem, to me, is pattern recognition. We've been trained to identify stores or banks by their corporate identity. It is perfectly obvious that the combination of that color and that logo represents that corporation. Nobody else uses these colors, this logo. So everything with these characteristics is automatically associated with that corporation. And since item one is not understood, there's no reason to doubt that assumption.
• The third problem is that people want to believe. They want to believe that something is done to keep them and their money safe because it is oh so unsafe and dangerous out there. This has a much wider area of applicability, of course, but on topic, the fact that the bank does something to keep my money safe is good. I want to keep my money safe and so do they. If they want my cooperation in doing that, that's fine. It's in my interst as well. And since they do not understand the implications of spoofing, they accept things on face value. You probably know that line of thought.
• The fourth problem that I see is that we've gotten used to being treated as a number. So a mail that does not correctly identify me with my full name and only states "Dear Sir or Madam" or "Dear Customer" is considered acceptable.
• The fifth item I think plays a role is the fact that non-technical computer users have become accustomed to do things that they do not understand. If you told them that performing a rain dance every morning over their machine will keep it from crashing, they will do it, because it's no more arcane to them than a sequence of finger-breaking key combinations that they are so accustomed to. This extends to error messages and application failures, etc. Even when there's evidently a problem, the software more often than not does a rotten job at explaning what's wrong. This is why "we have increased the security of your credit card. Please enter all your data." works so fine. It's nonsensical, but it's no more arcane than any number of other messages our machines give us every day.
• This leads into the last issue of today. Tunnel-vision. I believe that computer users know exactly as much as they need to to perform a specific task. They look neither left nor right. The classic example is people overlooking UI elements that are right next tho those they've been using for years, simply because they do not use them. Once you leave that comfort zone of things that they know and use regularly, all is new, all is strange. And they have learned that it's lots of work to find out what is going on. It's easier to go with the flow. Unfortunately.

Re:Phising getting more and more "important"

[AhtirTano]

Why are online scams so much more successful than offline?

Immediate response without time to think about it.

I once got a phishing email supposedly from Amazon.com. I had had too much to drink, and I had been up for about 20 hours. I clicked the link and gave them my Amazon password, where they had access to my credit card information, address, etc. As I hit enter, the fact that it was fake finally penetrated the fog in my head. I quickly changed the password on my account, and have not had a problem. I would not have fallen for the scam if I weren't drunk and/or very tired. I would not have fallen for it if it was a snail mail message.

My roommate almost fell for a telephone scam. He was pretty high when the call came, so was only a little bit suspicious about a call from a "government office" at 9pm on a Friday night. I stopped him.

We both have advanced degrees.

(Secondary moral: Pot and alcohol do make you do stupid things you wouldn't do otherwise.)

Re:Phising getting more and more "important"

[MukiMuki]

Actually, it's quite possible to use snail mail to this day to get compromising information. Phishers just pose them as contest entries, and ask for information like a social security number, birth date, etc. A lot of people are more than willing to jot this down if it looks like a prize is headed their way.

Some less-than-scrupulous telemarketers do the same thing by calling people and telling them that they just won something, and then asking for a subscription to a magazine or whatnot as almost a side portion of the call. However, cancelling the latter results in a hang-up.

Finally, sending a million letters via USPS costs something like $380,000. Sending a million phishing emails is considerably cheaper and more likely to get the info you want.

Finally, on an off-topic note... Dear Slashdot : Make Plain Old Text the fucking default or give me the option to. WTF is WRONG with you.

Re:Phising getting more and more "important"

[JMemmert]

I agree with the statements you make about pattern recognition skills.

However, I believe that the skillset you describe is too narrow.
As far as I can tell, most people are well able to distinguish two banks based on their flyers, even if you remove the names of the banks. They don't read the text, they don't look at the offerings, they merely look at the colors, layout and the logo.
On this level, pattern recognition works just fine for them and it's usually enough.
And since trademarks prohibit someone else from using that combination of colors, fonts and logos, this, eroneously, serves as a unique identifier.
Once a "document", electronic or not, passes the initial, faulty "test" of validity, based on colors, layout, logos, it's considered to be valid. No questions asked.

As for the level of pattern recognition you mention, not being able to identify structural components of a page or URL, I agree. Most people don't understand that unless they have been shown.
For most people, the WWW consists of links and pages. The fact that each page has a unique name that can be decomposed is something unknown. They live in a world of "blue underlined text that brings them to other pages", so to speak.
I've seen uses browse without the navigation bar, simply using their bookmarks, the history and search engines (and keyboard shortcuts to go back). For them, the actual text of an URL has no meaning. You might call that faulty pattern recognition, but I believe it's more along the lines of faulty usage patterns. Ymmv, of course.

Phishing

[Joebert]

What if thoose sites are phishing sites setup by law enforcement to catch phishers ?
What kind of criminal masterminds would fall for their own scams ?!

The banks really don't seem to care...

[Ritz_Just_Ritz]

They are raking in such huge margins on credit card debt that until very very recently, they seemed to more or less wink at online fraud. Only now that it's starting to really cut into their margins are they really taking notice and making half-hearted attempts to deal with the problem.

As much as I want to blame the "online idiot" who falls victim to phishing and other scams, the banks really bear a lot of blame themselves for making it so damn easy to steal from these people.

Re:The banks really don't seem to care...

Why would they care? Banks never EVER lose a dime on fraud, except for a some labor involved in procesing chargeback requests. ALL fraudulent transactions and chargebacks are immediately deducted from the vendor's account. The customer is fully protected. The banks NEVER take a loss. Only the vendors get farked. Over and over again.

Yes, I am a vendor with my own merchant account. :-(

Honesty and reputation?

[77Punker]

Honesty my ass. They're all just being extra careful not to get caught.

Well, whatya know...

[ZoomieDood]

There's honor among thieves....

Re:Will the real site please stand up.

[patio11]

Yeah, I use Bank of America, and their SafeKey thing, well, points for effort guys. I barely understood what was going on and I knew, going into the signup, what the whole purpose was. Basically, it works like this: you're told to pick a picture from a random set of them. When you sign into the bank, signon takes two steps if its from a computer that hasn't used your account recently: first, you put in your userID and state. Then you are taken to a *second* page, which shows the photo you picked and asks for your password. The idea is the photo is another secret known only to you and the bank, so if you go to The Bank of America Website you'll see that the photo was not the one you picked, and so you'll realize "Wow, phiser! No thanks"

Here's the problem: the whole rationale behind the process goes WAY over the head of the average user. I watch my non-technical sister signing up for this thing. You might as well have written the interface in Chinese (oh, bad example, she reads that fine -- Swahili, then). And I had to spend 15 minutes looking through pages of randomly generated photos (they're all clipart of iconic things -- a bowl of fruit, a watch, etc) until I found one that I'd remember after two months without seeing it. For my mother (the archetypical phishing victim, knows nothing about technology and forwards every "If you send this to 15 people Bill Gates will cure cancer!" email she gets), I think this whole process would be hopeless.

Re:I do systems work for a major card issuer....

I'm the master of shipping for an internet merchant who slings several million bucks of loot a year. And by "master of shipping", I mean "it's pretty much all my problem".

I know what a fradulent order looks like, I can successfully pick them out -- but nobody wants to know about this stuff. The credit card companies couldn't care less, I've tried. Police departments? Nobody cares. This is my best effort here, folks -- without actually hiring private detetives and/or ninja, I can't do any more than just passively block the order and let the thief try a new sucker. Hell, the CC company won't even pass my alert on to the next potential sucker.

Nobody wants to hear about this.