
Comment Re:Because going to another provider wouldn't occu (Score 1) 173

Like they wouldn't go to another provider... much like they do now if they get shut down.

Of course they would. However, the key issue is the cost structure on each side. For us to discover the identity of the new bank being used takes a few minutes (seconds if we had direct access to VisaNet) and negligible cost (I just need to authorize a purchase from the site). There is no technical reason I'm aware of that you couldn't implement an issuer blacklist at similar time scales if you wanted to (I can think of lots of reasons it might not be a good idea to automate this, but the main point is that the time scale is short). Compare that to how much time and cost you think it takes to find a new bank willing to accept high-risk merchants. It's certainly doable, there are a number of such banks, but it's orders of magnitude more time.

Comment Re:It's the business model, stupid (Score 1) 173

Yes, it is the business model of these banks. However, they are processing through a credit network (Visa / Mastercard) and consumers' credit cards are backed by an issuing bank (think Chase, Citibank, etc). Either the credit network or the issuing bank can prevent the transaction without the cooperation of the shady acquiring bank.

This is precisely right. We too would expect that convincing foreign banks to dump their customers would, at best, be a slow process and would be unlikely to succeed as a general approach. Moreover, it's not even clear if such activities are illegal in the jurisdiction of all these institutions (at some level these are all IP crimes after all). However, the money for these purchases is primarily from the US and thus direct intervention by domestic issuers is likely to be as effective as shutting down the acquiring institutions.

Now a separate question is whether this makes political and economic sense as a matter of public policy. That is certainly open to debate and there are probably reasonable arguments on both sides.

Comment Re:Good idea, but... (Score 1) 173

In general, the payment tier is only an appropriate point of intervention for those activities that are monetized via direct consumer payment. So it is appropriate for things like spam-advertised goods, fake-AV, gambling, porn, etc.... things for which it is hoped that the recipient will provide a credit card number to finance the underlying advertising activity. It is not useful for scams that employ an out-of-band payment scheme (e.g., pump-and-dump) or that are fundamentally focused on theft (e.g., phishing, 519, malware vectors, etc.).

Comment Re:Fight Fire with Fire (Score 1) 173

I've never understood why not, when a computer can generate millions of spam ads for viagra, that another computer cannot generate millions of (fake) orders for the viagra.

You can, but the processors all use standard fraud detection policies that will detect this activity and filter it out unless you do a very good job (from experience, it can be tricky making a purchase if you are not who you say you are... there is a real learning curve here). You'd need valid cards for which you have an associated name and street address that will pass an AVS check, a range of distinct e-mails (and not from public Web mail) and IP addresses. However, with enough work it would be doable... although probably in violation of Federal and State law in the US.

- Stefan

Comment Re:95%? (Score 1) 173

Indicating there are still other companies willing to process these transactions. The spammers will just switch to them if the 'big 3' refuse to do business with them.

This is correct; while the universe of banks willing to accept high-risk merchants is smaller than the total number of Visa association affiliates, it is certainly far larger than three. However, the more important asymmetry here is not in the size of the set, but in the switching time. If a merchant (or their payment processor more likely) starts to route transactions through a new acquiring bank, their identity will be revealed very quickly in any purchase authorization record. By contrast, the time to actually establish that new banking relationship (and get appropriate certificates from Visa, etc) takes days. This is one of those rare cases where the defender is able to respond far more quickly than the attacker.

Comment Re:Attacks (Score 5, Informative) 133

> In a talk, Stefan claimed to have the ability to remotely drive as well, i.e., steer/accelerate/brake.
I'd be surprised if you're not misremembering... both because we hadn't spoken publicly about concrete remote vulnerabilities before our NAS briefing and because some of this is not true. In particular, steering is not electrically intermediated on most cars (new electric cars aside) and we've never demonstrated acceleration control (engine start/shutdown, yes... acceleration no... although I'd be surprised if it wasn't possible).

Comment Re:Repeat after me (Score 1) 371

"There are no other obvious variables."

Yes, actually there are. From my testing (in a different post) I showed that you get different rates with each new load as long as you aren't sending cookies. Whatever he was doing to test cookie-wise was wrong (which should have been obvious considering he was re-installing browsers to clear cookies, wtf?).

So yes, this was absolutely a case of correlation != causation.

Comment User-agent is not relevant (Score 1) 371

$ for i in {1..2000}; do curl 2>/dev/null | grep "as low as" -m 1 | cut -d ">" -f 3 | cut -d "%" -f 1; done | sort | uniq -c
        420 2.30
        499 2.70
        428 3.10
        653 3.50

So for 2000 samples (with the default curl user-agent) we get
2.3% (~21%)
2.7% (~25%)
3.1% (~21%)
3.5% (~33%)

Now let's try it again with a firefox for windows user agent.

$ for i in {1..2000}; do curl --user-agent 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv: Gecko/20101012 Firefox/3.6.11 Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv: Gecko/20101012 Firefox/3.6.11' 2>/dev/null | grep "as low as" -m 1 | cut -d ">" -f 3 | cut -d "%" -f 1; done | sort | uniq -c
        395 2.30
        536 2.70
        450 3.10
        619 3.50

So for 2000 samples (with the firefox user agent) we get
2.3% (~20%)
2.7% (~27%)
3.1% (~23%)
3.5% (~31%)

This deviation does not seem statistically meaningful to me; I would conclude that user agent is not relevant, at least not between firefox and curl.
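
Added example, not part of the original comment: a Pearson chi-square test of homogeneity run on the two sets of counts posted above, to put a number on whether the curl and Firefox user-agent runs differ. The function names and the 0.05 threshold are assumptions made for this illustration.

```python
import math

# Counts copied from the two curl runs in the comment above,
# ordered by quoted rate: 2.30, 2.70, 3.10, 3.50.
CURL_DEFAULT_UA = [420, 499, 428, 653]
FIREFOX_UA = [395, 536, 450, 619]


def chi2_homogeneity(rows):
    """Pearson chi-square statistic and degrees of freedom for a count table.

    Assumes every column has at least one observation.
    """
    col_totals = [sum(col) for col in zip(*rows)]
    row_totals = [sum(row) for row in rows]
    grand = sum(row_totals)
    stat = 0.0
    for row, r_tot in zip(rows, row_totals):
        for observed, c_tot in zip(row, col_totals):
            expected = r_tot * c_tot / grand
            stat += (observed - expected) ** 2 / expected
    df = (len(rows) - 1) * (len(col_totals) - 1)
    return stat, df


def chi2_sf(x, df):
    """P(X >= x) for a chi-square variable with integer df (closed form)."""
    h = x / 2.0
    if df % 2 == 0:
        terms = sum(h ** i / math.factorial(i) for i in range(df // 2))
        return math.exp(-h) * terms
    terms = sum(h ** (i - 0.5) / math.gamma(i + 0.5)
                for i in range(1, (df - 1) // 2 + 1))
    return math.erfc(math.sqrt(h)) + math.exp(-h) * terms


def user_agent_matters(rows, alpha=0.05):
    """Return (statistic, df, p-value, significant?) for the count table."""
    stat, df = chi2_homogeneity(rows)
    p = chi2_sf(stat, df)
    return stat, df, p, p < alpha


if __name__ == "__main__":
    stat, df, p, significant = user_agent_matters([CURL_DEFAULT_UA, FIREFOX_UA])
    print(f"chi2={stat:.2f} df={df} p={p:.3f} significant={significant}")
```

A p-value above the threshold means the difference between the two runs is within what sampling noise alone would produce at this sample size.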

Comment Who cares what diseases or afflictions he has? (Score 0, Redundant) 452

"Gary McKinnon, still suffering from Asperger's syndrome, depression, anxiety, and panic attacks, has one last chance to avoid extradition from the UK to the US to face charges of hacking into NASA and Pentagon computers in search of information on UFOs."

I'm sorry, what relevance does his Asperger's, depression, anxiety, panic attacks, or ingrown toenails have to do with anything? He broke into government systems repeatedly, end of story.

Comment Not our claim... :-) (Score 5, Informative) 353

As a co-author of this work, I should be clear that we never suggested that we have a perfect spam filter per se, simply a new tool that has the benefit of being orthogonal to existing techniques. For _existing_ botnets, our filters are extremely good, but the paper is also quite clear about the variety of ways that spammers might try to evade the approach.
