The Economy of Online Crime 119
hdtv writes "You might call the thugs or thieves, but on their own closed forums and referral-only Web sites, they value honesty and reputation. Fortune magazine looks into the black market for stolen credit card numbers and identities. What's interesting is that so few of the criminals retrieve their information via breaking into online stores." From the article: "Gaffan says these credit card numbers and data are almost never obtained by criminals as a result of legitimate online card use. More often the fraudsters get them through offline credit card number thefts in places like restaurants, when computer tapes are stolen or lost, or using 'pharming' sites, which mimic a genuine bank site and dupe cardholders into entering precious private information. Another source of credit card data are the very common 'phishing' scams, in which an e-mail that looks like it's from a bank prompts someone to hand over personal data."
Phising getting more and more "important" (Score:5, Insightful)
It's interesting. Place a person, a very clever person, master degree in commerce or law, with a Ph.D., people who're worth their 6 digits a year, place them in front of a computer and you will be amazed. Something inside this computer turns the smartest person into a gullible idiot.
Ok, idiot being too hard a word. But it is VERY intriguing to see people who would never ever fall for a con job in real life to fall without even thinking twice for one online.
And I wonder why. What makes an e-mail more credible than snail mail? If they got a mail from their "bank", telling them to send their CC number or other details, they would NEVER do that. Online? No problem.
Why? Why are online scams so much more successful than offline?
Phishing (Score:5, Insightful)
What kind of criminal masterminds would fall for their own scams ?!
The banks really don't seem to care... (Score:4, Insightful)
As much as I want to blame the "online idiot" who falls victim to phishing and other scams, the banks really bear a lot of blame themselves for making it so damn easy to steal from these people.
Re:The banks really don't seem to care... (Score:5, Insightful)
Yes, I am a vendor with my own merchant account.
Re:Phising getting more and more "important" (Score:5, Insightful)
It's easier to attempt to scam more people at a time online, thus the ratio of suckers is higher.
Also, and more importantly, most people still don't understand the internet / web / email, etc and how it all works. So they're going to be in a far more vunerable position online. Most people don't think to check to see what web site that link takes them to - it looks like eBay - that's good enough. Most people wouldn't even think to look at that ugly URL bar in the browser and why would they - they can't make sense of it - dozens of letters, numbers and squiggles.
Learning the internet is like learning another language and another culture in the real world and it can take a great deal of time and experience to get to grips with it. For example, I bet it's much easier to scam a tourist or a new immigrant visiting your local country than it is to scam them in their home country.
You move to a new country - most people will learn as much as they can about it. You want to use the internet? same thing - but how many people are there who really want to learn about it - most people just want to use it but it doesn't work that way. Well it can, but like in the real world - you end up making yourself more vunerable and more susecptable to making mistakes.
Re:Phising getting more and more "important" (Score:5, Insightful)
Honesty and reputation? (Score:5, Insightful)
Re:Phising getting more and more "important" (Score:3, Insightful)
Immediate response without time to think about it.
I once got a phishing email supposedly from Amazon.com. I had had too much to drink, and I had been up for about 20 hours. I clicked the link and gave them my Amazon password, where they had access to my credit card information, address, etc. As I hit enter, the fact that it was fake finally penetrated the fog in my head. I quickly changed the password on my account, and have not had a problem. I would not have fallen for the scam if I weren't drunk and/or very tired. I would not have fallen for it if it was a snail mail message.
My roommate almost fell for a telephone scam. He was pretty high when the call came, so was only a little bit suspicious about a call from a "government office" at 9pm on a Friday night. I stopped him.
We both have advanced degrees.
(Secondary moral: Pot and alcohol do make you do stupid things you wouldn't do otherwise.)
Re:Phising getting more and more "important" (Score:2, Insightful)
Some less-than-scrupulous telemarketers do the same thing by calling people and telling them that they just won something, and then asking for a subscription to a magazine or whatnot as almost a side portion of the call. However, cancelling the latter results in a hang-up.
Finally, sending a million letters via USPS costs something like $380,000. Sending a million phishing emails is considerably cheaper and more likely to get the info you want.
Finally, on an off-topic note... Dear Slashdot : Make Plain Old Text the fucking default or give me the option to. WTF is WRONG with you.
Well, whatya know... (Score:2, Insightful)
Re:Will the real site please stand up. (Score:4, Insightful)
Here's the problem: the whole rationale behind the process goes WAY over the head of the average user. I watch my non-technical sister signing up for this thing. You might as well have written the interface in Chinese (oh, bad example, she reads that fine -- Swahili, then). And I had to spend 15 minutes looking through pages of randomly generated photos (they're all clipart of iconic things -- a bowl of fruit, a watch, etc) until I found one that I'd remember after two months without seeing it. For my mother (the archetypical phishing victim, knows nothing about technology and forwards every "If you send this to 15 people Bill Gates will cure cancer!" email she gets), I think this whole process would be hopeless.
Re:Phising getting more and more "important" (Score:2, Insightful)
I agree with the statements you make about pattern recognition skills.
However, I believe that the skillset you describe is too narrow.
As far as I can tell, most people are well able to distinguish two banks based on their flyers, even if you remove the names of the banks. They don't read the text, they don't look at the offerings, they merely look at the colors, layout and the logo.
On this level, pattern recognition works just fine for them and it's usually enough.
And since trademarks prohibit someone else from using that combination of colors, fonts and logos, this, eroneously, serves as a unique identifier.
Once a "document", electronic or not, passes the initial, faulty "test" of validity, based on colors, layout, logos, it's considered to be valid. No questions asked.
As for the level of pattern recognition you mention, not being able to identify structural components of a page or URL, I agree. Most people don't understand that unless they have been shown.
For most people, the WWW consists of links and pages. The fact that each page has a unique name that can be decomposed is something unknown. They live in a world of "blue underlined text that brings them to other pages", so to speak.
I've seen uses browse without the navigation bar, simply using their bookmarks, the history and search engines (and keyboard shortcuts to go back). For them, the actual text of an URL has no meaning. You might call that faulty pattern recognition, but I believe it's more along the lines of faulty usage patterns. Ymmv, of course.
Re:I do systems work for a major card issuer.... (Score:1, Insightful)
I'm the master of shipping for an internet merchant who slings several million bucks of loot a year. And by "master of shipping", I mean "it's pretty much all my problem".
I know what a fradulent order looks like, I can successfully pick them out -- but nobody wants to know about this stuff. The credit card companies couldn't care less, I've tried. Police departments? Nobody cares. This is my best effort here, folks -- without actually hiring private detetives and/or ninja, I can't do any more than just passively block the order and let the thief try a new sucker. Hell, the CC company won't even pass my alert on to the next potential sucker.
Nobody wants to hear about this.