Slashdot Mirror

← Back to Stories (view on slashdot.org)

A New Approach To Reducing Spam: Go After Credit Processors

Posted by timothy on from the now-drag-out-the-list-of-why-it'll-fail dept.

WrongSizeGlass writes "A team of computer scientists at two University of California campuses has been looking deeply into the nature of spam, and they think found a 'choke point' [PDF] that could greatly reduce the flow of spam. It turned out that 95 percent of the credit card transactions for the spam-advertised drugs and herbal remedies they bought were handled by just three financial companies — one based in Azerbaijan, one in Denmark and one in Nevis, in the West Indies. If a handful of companies like these refused to authorize online credit card payments to the merchants, 'you'd cut off the money that supports the entire spam enterprise,' said one of the scientists." Frequent Slashdot contributor (and author of a book on Digital Cash) Peter Wayner wonders if "the way to get a business shut down is to send out a couple billion spam messages in its name."

36 of 173 comments (clear)

  1. Competitors by bleble · · Score: 2

    So, they will just open new credit card processors, or worse yet, start spamming random websites to get them shut down? Great way to take your competitor down.

    1. Re:Competitors by spun · · Score: 2

      Well, the way I see it, we have two choices: make some laws and put some cops on the most effective beat we can; or we can accept that we will not regulate this area of human interaction and live with the consequences. On the gripping hand, there is always the avenue of educating the populace. My credit union has signs up for people to read while waiting in line laying out how to detect and avoid problems with online scams and spam.

      Regulate and you have the problem of regulatory expense and potential for capture, and potential freedom of speech issues. These issues have been dealt with successfully in similar contexts before, so we know we could do it right here.

      Don't regulate and, for example, you get your grandma in the hospital because she bought bad drugs online, or your dumb cousin gets scammed out of his life savings and family honor requires you to take the law into your own hands because no one else will and you go to Africa, track the scammer down, and get shot in the head. I jest at the deregulator's expense, but I'm sure there are solutions to those problems too, like:

      Education. If buying from spammers is bad, spend the money you would have spent regulating them and locking them up, and educate people as to why it is bad for them. The problem with education is that it sometimes goes by other names, like propaganda and indoctrination. If your group gets branded 'spammers' unfairly, who do you appeal to, and how?

      Luckily, we have a solution to all of this, and it is called a constitutional democracy. Now we just have to use it.

      --
      - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
    2. Re:Competitors by interkin3tic · · Score: 2

      If your group gets branded 'spammers' unfairly, who do you appeal to, and how?

      The people themselves. Via unsolicited mass e-mailings.

    3. Re:Competitors by RobDude · · Score: 5, Insightful

      Laws are entirely theoretical until they are enforced. Until that point there is no difference between a law and a polite suggestion. The posted speed limit only has meaning if and only if there is a system that enforces that law. IE - in many parts of the US, there are many roads where 'everyone speeds'. Because 'everyone knows' cops won't pull you over until you are going some arbitrary speed faster.

      The problem with cyber crimes (including credit card theft and identity theft) is that there is (largely) no enforcement. We don't enforce those laws. Mostly because we can't.

      If we can make another aspect of these crimes both illegal and enforceable, then we could cut down on the crimes. But as it is now - there is no risk to the criminals. This is a true example that just happened to me on Monday....I had a friend whose e-mail was hacked and the hacker sent out e-mails to everyone on his contact list (from his e-mail address) saying he needed money. The IP address originated from Nigeria.

      Call up the police and get them to act on that.
      Go to the FBI website and report that IP address.
      Call the local Nigerian officials and tell them what has happened.

      All of them will laugh at you and say, 'Never send money to someone without verifying their identity'. We blame the victim. We say, '*YOU* need to be smarter and avoid dangerous activities'. Nobody *does* anything. I had a similar experience when my credit card number was used fraudulently....the investigation only went far enough to determine if *I* used the card. They didn't even try to track down the crook who used it.

      Could you imagine if we did this with other crimes? The public outcry that would come from it?

      "Well, most rapes happen at parties with alcohol and young males - it's too bad you got raped, but hey, next time....avoid parties with college guys and alcohol"
      "Well, most hate crime happens to someone who is ethnically or racially different from the local population.....it's too bad you got your house burned down - but you should live with your own kind...."

      But with cyber crime - that's exactly what we do.

      "Well, memorize a different, complex, long, secure password for every site you log into. And change them. Frequently!"

      I'm not against prevention, but it's a shame that we stop at that point. The only international cyber criminals that get caught are the ones who go far beyond scamming regular people. IE - steal my credit card, nothing happens to you. Defraud my wife, nothing happens to you. Hack into a large company and get a LOT of money or a LOT of information - you might get caught.

  2. 95%? by superdave80 · · Score: 4, Informative

    Indicating there are still other companies willing to process these transactions. The spammers will just switch to them if the 'big 3' refuse to do business with them.

    1. Re:95%? by Anonymous Coward · · Score: 2, Informative

      Indicating there are still other companies willing to process these transactions. The spammers will just switch to them if the 'big 3' refuse to do business with them.

      Which the article mentions and states that it would result in increased costs for the spammers.

  3. Fight Fire with Fire by retroworks · · Score: 4, Interesting

    I've never understood why not, when a computer can generate millions of spam ads for viagra, that another computer cannot generate millions of (fake) orders for the viagra.

    --
    Gently reply
    1. Re:Fight Fire with Fire by FudRucker · · Score: 5, Interesting

      but not just one fake credit card number, send them billions or trillions of them, just flood their system to the point that the credit companies just throw in the towel and refuse to process products advertized by spammers, spam the spammers, give them a large heaping helping of their own medicine...

      --
      Politics is Treachery, Religion is Brainwashing
    2. Re:Fight Fire with Fire by retroworks · · Score: 4, Interesting

      Tough Crowd! Sorry for not explaining that the credit card companies can generate a number for this purpose which would appear to be a real number but they would not execute payment. I'm assuming that at least one bank could be found that doesn't like spam. I'm not saying there isn't a reason it cannot be done, just that I've never understood why not, and the retorts here don't really resolve that.

      --
      Gently reply
    3. Re:Fight Fire with Fire by bleble · · Score: 5, Funny

      That's fine, as long as you filter MY credit card number out of your random number generator, thank you very much.

      Sure! Just post your credit card number here and everyone promises to filter it!

    4. Re:Fight Fire with Fire by Anonymous Coward · · Score: 4, Insightful

      Next possible spam :

      Hi, we are a new anti-spam group generating random cc to bring down spammy sites. We want to ensure your card is not billed accidentally. Please send us your valid credit card number so that we can filter out yours.

      Thanks
      Anti spam group

    5. Re:Fight Fire with Fire by Opportunist · · Score: 2

      Not at all. But all those numbers have to be processed by the CC clearing system. How happy do you think they're gonna be with a merchant that sends a few million fake CCs per second? And how long 'til they shut him down?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:Fight Fire with Fire by _KiTA_ · · Score: 4, Insightful

      I've never understood why not, when a computer can generate millions of spam ads for viagra, that another computer cannot generate millions of (fake) orders for the viagra.

      Because one is legal, the other is not.

      We worship Capitalism in the west, as much if not more so than freedom. While distasteful, spam is pure Capitalism -- people do it cause it works. Intentionally flooding the system with fake orders goes against the holy tenants of Capitalism, ergo, it would not only be illegal, it would be actually investigated. Rule #1 of America, you never get in the way of someone making money.

      (Rule #1.1 is "Unless someone making more money objects," of course.)

    7. Re:Fight Fire with Fire by Khyber · · Score: 4, Interesting

      I just tried it, and it fucking worked. I used a totally unknown e-mail account and just socially-engineered my brother.

      I have ZERO faith left in humanity.

      You're fucking evil and insightful.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    8. Re:Fight Fire with Fire by martin-boundary · · Score: 2
      I think what the OP is saying is that flooding the spammers' system with fake purchase requests using fake credit card details would cause the spammers' payment computers to be flagged automatically by the credit card processing companies, causing the spammers' systems to be penalized where it hurts them.

      There's no need to design the credit card numbers close to legitimate, since the purpose is to make the purchase bounce. They just have to look good to the spammers' frontline purchasing web forms, so that they get passed along. But they shouldn't look legitimate to the banks.

      Presumably, this is in contrast to the research oriented approach which requires investigating and tracking down the complex web of financial relationships to find out who handles the money for the spammers, and then shut them down.

      The OP's idea is automatic, because the fake purchase requests travel through the spammers' network like regular requests, so there's no need to figure out what the spammers' network looks like.

      The problem is of course that some legitimate businesses could be flooded too, this is vigilantism and fraud.

    9. Re:Fight Fire with Fire by plover · · Score: 2

      The idea is that you get someone else to shut them off for a different reason: bandwidth, inability to pay hosting provider, whatever.

      However, retroworks' idea is likely to be too risky for a bank to try. If a bank "approves" an authorization, they are contractually taking on the obligation to pay. They can't lie about it, or they can be sued. Even by a spammer.

      --
      John
    10. Re:Fight Fire with Fire by rickb928 · · Score: 3, Interesting

      Don't bother. The processors have fraud detection systems that are sensistive to a few card numbers. Any processor tryng to spam the actual issuers will find out quickly it won't work.

      Really.

      But going after the few processors that serve the majority of spammers is not impossible. Perhaps better to answer the spam and buy stuff, then dispute the charges, and taint the spammers so much that the processors have to give up on them. And the spammers won't be able to just move to a new processor - they tend to share data on deadbeat 'merchants'.

      Except this doesn't work well enough to deal with the offshore poker houses. Better to get the spammers labeled as illegal. Card issuers hate that.

      Good luck. I'm not hopeful.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    11. Re:Fight Fire with Fire by hedwards · · Score: 2

      Blue frog was having some luck doing something along those lines. Basically whenever a subscriber got an email from a spammer, they would send one unsubscribe request to the ISP for the whole group. If that failed, they would instruct the client to leave a generic opt out at the advertised website. And the total number of requests would typically overwhelm the server as most of the spammers were using botnets to send the spam, but only a small number of servers to actually take orders. Which was totally legal as it was individual clients leaving precisely one opt out request per email received, not leaving multiples per spam message.

      It seemed to be working until they gave up.

    12. Re:Fight Fire with Fire by StripedCow · · Score: 2

      The best way to fight spam is still to "steal back" the time the spammer has stolen from you. Just order a product with a wrong credit card number. Let the spammer take some time figuring it out. Then contact him, ask him some questions, etc... keep him on hold for some time. If everybody did that, then there would be no spamming at all.

      --
      If Pandora's box is destined to be opened, *I* want to be the one to open it.
    13. Re:Fight Fire with Fire by StripedCow · · Score: 2

      Or better, place an order for an "erectile enhancement kit" you read about in your email, with your own credit card number. Use the credit card company's address as the shipping address. Then call the credit card company and declare that an unauthorized payment has been made, and make them roll back the transaction.

      --
      If Pandora's box is destined to be opened, *I* want to be the one to open it.
  4. Where's the weak link? by Ruke · · Score: 2

    The study identified 3 top payment-processors for spam sites. Surely these processors aren't the weak link; their business model is to process payments for spammers. You can't simply ask them not to process spam payments - there is a financial disincentive for them to do so.

    We could move one rung up the ladder, and ask Visa and Mastercard not to authorize any paments to these top-3 processors. However, we've just "widened" the narrowest point, plus, these companies have a financial incentive to grin and pass the buck. Maybe less so; I'd be interested in the number of consumers who later try to contest these payments, but I'm willing to bet that dealing with fraction of unhappy customers now is less expensive than the net amount the credit cards pull in while processing these shady payments. Otherwise, Visa would have done something by now.

    1. Re:Where's the weak link? by bleble · · Score: 2

      I don't even think the number of unhappy customers is that big. They do actually send the products you order. It's just the patent-holding pharmaceutical companies that are unhappy with people ordering cheaper drugs from 3rd world countries.

    2. Re:Where's the weak link? by Dahamma · · Score: 2

      Actually, moving up to the credit card companies would hugely narrow the bottleneck. You convince VISA, Mastercard, Discover, and Amex to adopt a policy of refusing transactions from any institution knowingly processing spammers' requests, and you're pretty much done. Convincing all of the random shady "banks" around the world to do the same would be a LOT harder (until they lose all credit card processing capability unless they comply!)

      I do agree that if they really cared, the problem would already be solved - because the solution is just so damn easy...

    3. Re:Where's the weak link? by plover · · Score: 2

      Actually, moving up to the credit card companies would hugely narrow the bottleneck. You convince VISA, Mastercard, Discover, and Amex to adopt a policy of refusing transactions from any institution knowingly processing spammers' requests, and you're pretty much done.

      Let me see if I understand this idea well enough to hear one side of the phone call.
      Us: "Hi, Visa, it's us, and we're fighting spam. Please shut off these following merchants who sell via spam."
      Us: "Why yes, we do believe you're correct in that they do $80,000,000.00 per year of business with you."
      Us: "Yes, we know you take 3% of that money in interchange fees."
      Us: "Well, no, we're not going to make up the $2,400,000.00 in lost revenue, we just want you to help us end spam."
      Us: "Um, because you care about the problem of spam?"
      Us: "Hello?"
      Hmm ... I think AT&T dropped the connection.

      --
      John
    4. Re:Where's the weak link? by hedwards · · Score: 2

      Unfortunately, that's typically not true. They do actually send products, but they're frequently tampered with and contain little if any of the ingredients promised. Which means that not only are the people paying money for less than what they were wanting, they might end up with dangerous drug interactions when the medication isn't what they think it is.

      Additionally because these firms don't employ doctors or pharmacists there's no way of knowing what sorts of dangerous side effects are going to be over looked to make the sale.

    5. Re:Where's the weak link? by Dahamma · · Score: 4, Insightful

      Yep, that's exactly what would happen when you ask them to voluntarily lose revenue for the sake of general goodwill.

      If, however, you make it illegal to knowingly process payments from a merchant using (already illegal) spam to generate sale (after proper notification from a government entity), that would be a different story.

      Here's how a similar process already works today:
      US govt: "Here's the merchant number of an organization that may or may not be funding terrorist organizations. Shut it down."
      [...approximately 2.5 seconds later...]
      VISA: "Done! Would you like us to destroy their credit rating and kidnap their dog as well?"

  5. It's the business model, stupid by amicusNYCL · · Score: 4, Insightful

    If a handful of companies like these refused to authorize online credit card payments to the merchants

    You suggest that as if this specific activity was not these people's business model. A credit processor in Azerbaijan doesn't just one day decide to start processing spam purchases, they open their business specifically for that purpose. Good luck getting them to switch business models just because you want them to.

    --
    "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    1. Re:It's the business model, stupid by insecuritiez · · Score: 4, Informative

      Yes it is the business model of these banks. However, they are processing through a credit network (Visa / Mastercard) and consumers credit cards are backed by an issuing bank (think Chase, Citibank, etc). Either the credit network or the issuing bank can prevent the transaction without the cooperation of the shady acquiring bank. In fact, there is a "Merchant Category Code" (food, entertainment, drug stores and pharmacies, etc) that the credit network requires be on each transaction and requires to be correct. The credit network or issuing banks don't have to stop all credit transactions to the offending acquiring banks, they can just stop drug stores and pharmacies transactions. You should read the paper.

  6. Hilarious by airfoobar · · Score: 5, Insightful

    This approach is already being used against the "evil pirates", but they haven't even gotten started on the spammers. Getting their priorities straight: they go after the teenagers sharing music first instead of the real criminals sending out phishing emails, viruses and shit like that. FTW.

  7. Re:What laws are they breaking? by rossjudson · · Score: 2

    It's against the law to send the spam. Visa is aiding and abetting the crime by handling the transfer payments from US banks to the foreign banks through its payment network. If this study is accepted, it will be hard for them to deny accurate and full knowledge of their role in the crime. Each link in the financial chain is explicitly aware of nature of the transaction, save the originating bank in the US.

    I don't believe it is a simple thing to set up a new credit card processor, at these scales. Doesn't Visa have to authorize each credit card processor? Spammers won't be able to create credit card processors on the same scale as their URL creation. Visa has solid statistics on processor creation now. They can watch for skews to understand unusual new processor applications.

    Visa should be running a constant program of low-level buys from spammers, tracing the transactions through, just like these researchers did. Visa would then have complete and accurate data on the pipeline, and they could shut it down completely.

    Unless they don't want to, of course. Which is exactly true. The only thing that will force it to happen is legislation.

  8. Questions answered in this thread... by nweaver · · Score: 5, Informative

    I'm one of the MANY coauthors of this paper. Myself or others will try to answer questions in this thread.

    --
    Test your net with Netalyzr
    1. Re:Questions answered in this thread... by StefanSavage · · Score: 2

      Reprising a previous comment:

      While the universe of banks willing to accept high-risk merchants is smaller than the total number of Visa association affiliates it is certainly far larger than three. If you got these three banks out of the game, there would be others to replace them. However, the more important asymmetry here is not in the size of the set, but in the switching time. If a merchant (or their payment processor more likely) starts to route transactions through a new acquiring bank, their identity will be revealed very quickly in any purchase authorization record. By contrast,the time to actually establish that new banking relationship (and get appropriate certificates from Visa, etc) takes days. This is one of those rare cases where the defender is able to respond far more quickly than the attacker.

    2. Re:Questions answered in this thread... by Paradise+Pete · · Score: 2

      actually i think the "error" is that Others or Myself is reversed

      The order doesn't matter. "Myself" is just plain wrong there. Myself is proper when you are both the subject and the object, as in "I did it myself."
      An easy way to know is to simply remove the other person. You certainly wouldn't say "Myself will answer," or "Please give it to myself." Adding another person doesn't change that.

      BTW, that same test works for knowing whether to say "Robert and I" or "Robert and me," as in "Please give them to Robert and me." (Not I in this case.).

  9. Re:Obligatory checklist by insecuritiez · · Score: 2

    ( ) You read the paper
    (X) You did not read the paper

    The paper specifically covers merchant relationships with acquiring banks and credit processing. Purchases were done to track the credit processing. It isn't possible to anonymously spoof that. Also, stopping the transactions is more legislative than market-based.

  10. Like Wikileaks by nbauman · · Score: 2

    They already refuse to process payments to Wikileaks.

  11. Re:Not new by WrongSizeGlass · · Score: 2

    However, whoever wrote this summary got one thing wrong at the end. A "Joe Job" - sending out fake spam to smear someone you dislike - is useless.

    I submitted the story but did not write the following:

    Frequent Slashdot contributor (and author of a book on Digital Cash) Peter Wayner wonders if "the way to get a business shut down is to send out a couple billion spam messages in its name."

    The above was added by the editor. The article and linked PDF are about cutting off the payment processing for those selling the "spammed" products in order to indirectly reduce the amount of spam. They are not about going after companies who send the spam (either under their own name or those of others).