A New Approach To Reducing Spam: Go After Credit Processors

timothy posted more than 2 years ago | from the now-drag-out-the-list-of-why-it'll-fail dept.

Spam 173

WrongSizeGlass writes "A team of computer scientists at two University of California campuses has been looking deeply into the nature of spam, and they think they found a 'choke point' [PDF] that could greatly reduce the flow of spam. It turned out that 95 percent of the credit card transactions for the spam-advertised drugs and herbal remedies they bought were handled by just three financial companies — one based in Azerbaijan, one in Denmark and one in Nevis, in the West Indies. If a handful of companies like these refused to authorize online credit card payments to the merchants, 'you'd cut off the money that supports the entire spam enterprise,' said one of the scientists." Frequent Slashdot contributor (and author of a book on Digital Cash) Peter Wayner wonders if "the way to get a business shut down is to send out a couple billion spam messages in its name."

173 comments

Competitors (2)

bleble (2183476) | more than 2 years ago | (#36197306)

So, they will just open new credit card processors, or worse yet, start spamming random websites to get them shut down? Great way to take your competitor down.

Re:Competitors (2)

spun (1352) | more than 2 years ago | (#36197642)

Well, the way I see it, we have two choices: make some laws and put some cops on the most effective beat we can; or we can accept that we will not regulate this area of human interaction and live with the consequences. On the gripping hand, there is always the avenue of educating the populace. My credit union has signs up for people to read while waiting in line laying out how to detect and avoid problems with online scams and spam.

Regulate and you have the problem of regulatory expense and potential for capture, and potential freedom of speech issues. These issues have been dealt with successfully in similar contexts before, so we know we could do it right here.

Don't regulate and, for example, you get your grandma in the hospital because she bought bad drugs online, or your dumb cousin gets scammed out of his life savings and family honor requires you to take the law into your own hands because no one else will and you go to Africa, track the scammer down, and get shot in the head. I jest at the deregulator's expense, but I'm sure there are solutions to those problems too, like:

Education. If buying from spammers is bad, spend the money you would have spent regulating them and locking them up, and educate people as to why it is bad for them. The problem with education is that it sometimes goes by other names, like propaganda and indoctrination. If your group gets branded 'spammers' unfairly, who do you appeal to, and how?

Luckily, we have a solution to all of this, and it is called a constitutional democracy. Now we just have to use it.

Re:Competitors (0)

The Dawn Of Time (2115350) | more than 2 years ago | (#36197798)

Further regulation can only help so much. It's not like making illegal stuff more illegal does anything to stem the tide.

Re:Competitors (5, Insightful)

RobDude (1123541) | more than 2 years ago | (#36198150)

Laws are entirely theoretical until they are enforced. Until that point there is no difference between a law and a polite suggestion. The posted speed limit only has meaning if and only if there is a system that enforces that law. IE - in many parts of the US, there are many roads where 'everyone speeds'. Because 'everyone knows' cops won't pull you over until you are going some arbitrary speed faster.

The problem with cyber crimes (including credit card theft and identity theft) is that there is (largely) no enforcement. We don't enforce those laws. Mostly because we can't.

If we can make another aspect of these crimes both illegal and enforceable, then we could cut down on the crimes. But as it is now - there is no risk to the criminals. This is a true example that just happened to me on Monday....I had a friend whose e-mail was hacked and the hacker sent out e-mails to everyone on his contact list (from his e-mail address) saying he needed money. The IP address originated from Nigeria.

Call up the police and get them to act on that.
Go to the FBI website and report that IP address.
Call the local Nigerian officials and tell them what has happened.

All of them will laugh at you and say, 'Never send money to someone without verifying their identity'. We blame the victim. We say, '*YOU* need to be smarter and avoid dangerous activities'. Nobody *does* anything. I had a similar experience when my credit card number was used fraudulently....the investigation only went far enough to determine if *I* used the card. They didn't even try to track down the crook who used it.

Could you imagine if we did this with other crimes? The public outcry that would come from it?

"Well, most rapes happen at parties with alcohol and young males - it's too bad you got raped, but hey, next time....avoid parties with college guys and alcohol"
"Well, most hate crime happens to someone who is ethnically or racially different from the local population.....it's too bad you got your house burned down - but you should live with your own kind...."

But with cyber crime - that's exactly what we do.

"Well, memorize a different, complex, long, secure password for every site you log into. And change them. Frequently!"

I'm not against prevention, but it's a shame that we stop at that point. The only international cyber criminals that get caught are the ones who go far beyond scamming regular people. IE - steal my credit card, nothing happens to you. Defraud my wife, nothing happens to you. Hack into a large company and get a LOT of money or a LOT of information - you might get caught.

Re:Competitors (0)

Anonymous Coward | more than 2 years ago | (#36198542)

Could you imagine if we did this with other crimes? The public outcry that would come from it?

Other crimes are not 'cyber' (what an asinine moniker) crimes. You can't get raped in Los Angeles by a guy sitting in his house in Assendofnowherevostok, Russia. Some bigoted, Rapture-worthy trash in Uganda can't throw a punch at your lesbian friend without being in the same physical vicinity as said friend. There are very good reasons that 'cyber' (I cringe every time I type it) crimes are NOT treated in the same manner as other crimes, and the general public is damned well aware of why that is.

Now, we could of course, change all this. We could sign extradition and other treaties out the wazoo; we could Free the Shit(tm), Bush Style, out of any nation who doesn't play ball. We could give up any pretense of sovereignty and self-rule.

As for me, I'll happily risk my fortune to prevent that. Better some Russian thug is buying vodka and midget porn on my dime (probably thanks to Sony, hah!) than to condemn the world to a soul-crushing bureaucracy so great that the horror of it nearly defies the imagination.

Re:Competitors (1)

Ethanol-fueled (1125189) | more than 2 years ago | (#36198700)

IE - in many parts of the US, there are many roads where 'everyone speeds'. Because 'everyone knows' cops won't pull you over until you are going some arbitrary speed faster.

From the Wikipedia, and I know it's true because I live there. Quote-mined for clarity:

In California...Drivers moving slower than the general flow of traffic are required to stay in the right-most lanes (by California Vehicle Code (CVC) 21654) to keep the way clear for faster vehicles and thus speed up traffic. However, faster drivers may legally pass in the slower lanes if conditions allow (by CVC 21754). But the CVC also requires trucks to stay in the right lane, or in the right two lanes if the roadway has four or more lanes going in their direction. The oldest freeways in California, and some freeway interchanges, often have ramps on the left, making signs like "TRUCKS OK ON LEFT LANE" or "TRUCKS MAY USE ALL LANES" necessary to override the default rule. Lane splitting, or riding motorcycles in the space between cars in traffic, is permitted as long as it is done in a safe and prudent manner.[2]

As long as you are an average driver, you can abide by the choice phrase "flow of traffic" and that's the easiest way to cope with it. Otherwise the whole thing looks like a group of nested if-else statements gone horribly wrong.

Man, if there's one thing that the more boring states got right, it's the Texas turnaround [wikipedia.org] and the Michigan left. [wikipedia.org]

Re:Competitors (1)

L0rdJedi (65690) | more than 2 years ago | (#36199256)

IE - in many parts of the US, there are many roads where 'everyone speeds'. Because 'everyone knows' cops won't pull you over until you are going some arbitrary speed faster.

From the Wikipedia, and I know it's true because I live there. Quote-mined for clarity:

In California...Drivers moving slower than the general flow of traffic are required to stay in the right-most lanes (by California Vehicle Code (CVC) 21654) to keep the way clear for faster vehicles and thus speed up traffic. However, faster drivers may legally pass in the slower lanes if conditions allow (by CVC 21754). But the CVC also requires trucks to stay in the right lane, or in the right two lanes if the roadway has four or more lanes going in their direction. The oldest freeways in California, and some freeway interchanges, often have ramps on the left, making signs like "TRUCKS OK ON LEFT LANE" or "TRUCKS MAY USE ALL LANES" necessary to override the default rule. Lane splitting, or riding motorcycles in the space between cars in traffic, is permitted as long as it is done in a safe and prudent manner.[2]

As long as you are an average driver, you can abide by the choice phrase "flow of traffic" and that's the easiest way to cope with it. Otherwise the whole thing looks like a group of nested if-else statements gone horribly wrong.

That's because of a bunch of stupid laws that get passed many years apart with no care of the previous law. It used to be very simple. Slower traffic stay to the right (it is still marked like this on many four lane highways, but hardly anyone follows it). Then the speed limit got reduced from 65 to 55 (I know it went back up many years ago, but there are still freeways marked with 55) and now the "fast lane" is no longer fast. I've seen stories on the news where a policeman is giving a reporter a ride and they're watching someone tailgate because they're doing 55 and the other driver wants to go faster. Do they move to the right? No. They ask why the other driver doesn't slow down.

The reason for the "TRUCKS MAY USE ALL LANES" is because on some freeways, and this is mostly coming into LA County from the north (as far as I've ever seen) there are lanes specifically for the trucks. You won't see very many cars on them and they're usually pretty empty, even when the freeway is filled with cars. It's because those roads usually have only one or two lanes and they're specifically meant to get the big trucks out of the traffic. Having an 18 wheeler stuck in stop and go traffic is a lot worse than letting them take a different route (the route is usually longer anyway).

Re:Competitors (1)

Corbets (169101) | more than 2 years ago | (#36199146)

Call up the police and get them to act on that.
Go to the FBI website and report that IP address.
Call the local Nigerian officials and tell them what has happened.

All of them will laugh at you and say, 'Never send money to someone without verifying their identity'. We blame the victim. We say, '*YOU* need to be smarter and avoid dangerous activities'.

In the end, as you point out, we CAN'T do anything else. And instructing somebody to think before acting in future situations isn't blaming the victim, it's protecting them against future incidents.

People need to take personal responsibility rather than falling for every get-rich-quick scam. As for identity theft and other cybercrimes, well, when other actions are possible (such as tracking the perpetrators within the country and arresting them) the FBI does that sort of thing. Not particularly well, yet, but their capabilities are improving.

Re:Competitors (1)

L0rdJedi (65690) | more than 2 years ago | (#36199278)

'Never send money to someone without verifying their identity'

Why would anyone ever do anything but this? If you get an email from a friend saying he needs money, wouldn't you at least pick up the phone and attempt to reach them first? Don't you think if they really needed money, they'd find a way to call you rather than send you an email?

Re:Competitors (1)

spun (1352) | more than 2 years ago | (#36198178)

Further regulation can only help so much. It's not like making illegal stuff more illegal does anything to stem the tide.

Really? If we shot all spammers, it might deter some. There are other problems with that, but generally, when a crime is hard to catch and prosecute, we increase the penalty to increase the risk/reward ratio. Deterrence is, theoretically, one of the reasons we punish criminals.

In another sense, if we put more cops on this particular beat, we would catch more criminals. And if we regulated more effectively, we might manage to cut off a choke point in the process completely.

Re:Competitors (2)

interkin3tic (1469267) | more than 2 years ago | (#36198074)

If your group gets branded 'spammers' unfairly, who do you appeal to, and how?

The people themselves. Via unsolicited mass e-mailings.

Re:Competitors (0)

Anonymous Coward | more than 2 years ago | (#36198600)

It's actually a constitutional republic.

Re:Competitors (1)

Fjandr (66656) | more than 2 years ago | (#36197852)

start spamming random websites to get them shut down

Only if those websites also happened to use the same shady credit card processors. Which is not likely.

95%? (4, Informative)

superdave80 (1226592) | more than 2 years ago | (#36197322)

Indicating there are still other companies willing to process these transactions. The spammers will just switch to them if the 'big 3' refuse to do business with them.

Re:95%? (2, Informative)

Anonymous Coward | more than 2 years ago | (#36197370)

Indicating there are still other companies willing to process these transactions. The spammers will just switch to them if the 'big 3' refuse to do business with them.

Which the article mentions and states that it would result in increased costs for the spammers.

Re:95%? (1)

StefanSavage (454543) | more than 2 years ago | (#36197864)

Indicating there are still other companies willing to process these transactions. The spammers will just switch to them if the 'big 3' refuse to do business with them.

This is correct; while the universe of banks willing to accept high-risk merchants is smaller than the total number of Visa association affiliates, it is certainly far larger than three. However, the more important asymmetry here is not in the size of the set, but in the switching time. If a merchant (or their payment processor more likely) starts to route transactions through a new acquiring bank, their identity will be revealed very quickly in any purchase authorization record. By contrast, the time to actually establish that new banking relationship (and get appropriate certificates from Visa, etc) takes days. This is one of those rare cases where the defender is able to respond far more quickly than the attacker.

Re:95%? (1)

jklovanc (1603149) | more than 2 years ago | (#36198022)

Possibly because 95% of the spammers have tried other services but were only accepted by these three. If they were cut off by these three they might not be accepted by other vendors and their money would be cut off. Maybe the other 5% are just operating low volumes and under the radar.

Re: 95% (1)

geekmux (1040042) | more than 2 years ago | (#36198478)

Indicating there are still other companies willing to process these transactions. The spammers will just switch to them if the 'big 3' refuse to do business with them.

Look deeper. The only thing this proves is there are still that many gullible idiots out there who will gladly swipe a credit card for magic penis enlarging cream.

It really is sad when spam can't die due to lack of profitability.

Re:95%? (1)

Stan92057 (737634) | more than 2 years ago | (#36199360)

The spammers might change but their customers are not likely to switch payment type, IE your big 3. If I get refused because of what CC I use then the sale is lost. And I'm guessing most of the people who are buying drugs through spam are because they can't afford the drugs because they are too expensive, tight budgets, live on just SS.

Fight Fire with Fire (4, Interesting)

retroworks (652802) | more than 2 years ago | (#36197326)

I've never understood why not, when a computer can generate millions of spam ads for viagra, that another computer cannot generate millions of (fake) orders for the viagra.

Re:Fight Fire with Fire (1)

SheeEttin (899897) | more than 2 years ago | (#36197362)

With what? Fake credit card numbers? They'll immediately be rejected by the system.

Re:Fight Fire with Fire (5, Interesting)

FudRucker (866063) | more than 2 years ago | (#36197422)

but not just one fake credit card number, send them billions or trillions of them, just flood their system to the point that the credit companies just throw in the towel and refuse to process products advertised by spammers, spam the spammers, give them a large heaping helping of their own medicine...

Re:Fight Fire with Fire (1)

StripedCow (776465) | more than 2 years ago | (#36197500)

That's fine, as long as you filter MY credit card number out of your random number generator, thank you very much.

Re:Fight Fire with Fire (5, Funny)

bleble (2183476) | more than 2 years ago | (#36197526)

That's fine, as long as you filter MY credit card number out of your random number generator, thank you very much.

Sure! Just post your credit card number here and everyone promises to filter it!

Ok, here's my number (0)

Anonymous Coward | more than 2 years ago | (#36198318)

1234567812345678

Oh, and the CVN is 900

Re:Ok, here's my number (0)

Anonymous Coward | more than 2 years ago | (#36198420)

What's the name, billing address and expiry date too? I can also filter those out.

Re:Fight Fire with Fire (4, Insightful)

Anonymous Coward | more than 2 years ago | (#36197566)

Next possible spam :

Hi, we are a new anti-spam group generating random cc to bring down spammy sites. We want to ensure your card is not billed accidentally. Please send us your valid credit card number so that we can filter out yours.

Thanks
Anti spam group

Re:Fight Fire with Fire (4, Interesting)

Khyber (864651) | more than 2 years ago | (#36197754)

I just tried it, and it fucking worked. I used a totally unknown e-mail account and just socially-engineered my brother.

I have ZERO faith left in humanity.

You're fucking evil and insightful.

Re:Fight Fire with Fire (1)

bleble (2183476) | more than 2 years ago | (#36197878)

Rather than making assumptions about the whole of humanity, maybe we should make assumptions about the intelligence of your family when one brother replies to random emails with his cc number and the other one spends Friday nights trying to socially-engineer and hack his brother.

Re:Fight Fire with Fire (0)

Anonymous Coward | more than 2 years ago | (#36197736)

And now you know the secret behind the national debt -- Congress critters clicking on Viagra ads...

Re:Fight Fire with Fire (0)

Anonymous Coward | more than 2 years ago | (#36198062)

Do I hear a Blue Frog croaking? http://en.wikipedia.org/wiki/Blue_Frog

It turned out to be very effective, so effective that it simply vanished....

Re:Fight Fire with Fire (1)

IonOtter (629215) | more than 2 years ago | (#36198692)

It didn't vanish on its own. It was taken down by a very concerted attack by criminals who resented its success.

I thought I'd read somewhere that PharmaMaster had been relieved of his gray matter by a "common street thug" wielding a ball-peen hammer and a desire for easy cash.

Re:Fight Fire with Fire (0)

Anonymous Coward | more than 2 years ago | (#36198764)

What you're describing is a distributed denial-of-service attack on the spammer's business. Something like it has been tried before - but instead of sending credit card numbers, it just makes repeated hits on the spammer's webpage until it goes down. Unfortunately, it's illegal - and there's no one with a sufficient profit motive to do it despite that.

Re:Fight Fire with Fire (1)

Opportunist (166417) | more than 2 years ago | (#36197612)

Do not ignore the obvious: DDoS. Try to get your server to process a few million requests per second. Can do that? Try a few billion. At some point, your expense to run the server gets out of hand.

Re:Fight Fire with Fire (0)

Anonymous Coward | more than 2 years ago | (#36198774)

Maybe it should be another target for me... I mean anonymous

Re:Fight Fire with Fire (1)

bleble (2183476) | more than 2 years ago | (#36197368)

Of course it can generate millions of orders for viagra. You want to sponsor this with your own credit card, or how did you plan to get past the payment stage?

Re:Fight Fire with Fire (4, Interesting)

retroworks (652802) | more than 2 years ago | (#36197484)

Tough Crowd! Sorry for not explaining that the credit card companies can generate a number for this purpose which would appear to be a real number but they would not execute payment. I'm assuming that at least one bank could be found that doesn't like spam. I'm not saying there isn't a reason it cannot be done, just that I've never understood why not, and the retorts here don't really resolve that.

Re:Fight Fire with Fire (1)

insecuritiez (606865) | more than 2 years ago | (#36197774)

Yes but they can also just shut down the transactions. Why DoS something when you can just turn it off? That's what the paper advocates.

Re:Fight Fire with Fire (2)

Opportunist (166417) | more than 2 years ago | (#36197622)

Not at all. But all those numbers have to be processed by the CC clearing system. How happy do you think they're gonna be with a merchant that sends a few million fake CCs per second? And how long 'til they shut him down?

Re:Fight Fire with Fire (4, Insightful)

_KiTA_ (241027) | more than 2 years ago | (#36197708)

I've never understood why not, when a computer can generate millions of spam ads for viagra, that another computer cannot generate millions of (fake) orders for the viagra.

Because one is legal, the other is not.

We worship Capitalism in the west, as much if not more so than freedom. While distasteful, spam is pure Capitalism -- people do it cause it works. Intentionally flooding the system with fake orders goes against the holy tenants of Capitalism, ergo, it would not only be illegal, it would be actually investigated. Rule #1 of America, you never get in the way of someone making money.

(Rule #1.1 is "Unless someone making more money objects," of course.)

Re:Fight Fire with Fire (0)

Anonymous Coward | more than 2 years ago | (#36197868)

It goes against the holy people who live in Capitalism? Who are these people, and how can I find them (to spam them)?

Re:Fight Fire with Fire (0)

Anonymous Coward | more than 2 years ago | (#36199354)

Tenets, not tenan

Re:Fight Fire with Fire (0)

Anonymous Coward | more than 2 years ago | (#36197806)

http://en.wikipedia.org/wiki/Blue_Frog

Re:Fight Fire with Fire (1)

StefanSavage (454543) | more than 2 years ago | (#36197918)

I've never understood why not, when a computer can generate millions of spam ads for viagra, that another computer cannot generate millions of (fake) orders for the viagra.

You can, but the processors all use standard fraud detection policies that will detect this activity and filter it out unless you do a very good job (from experience, it can be tricky making a purchase if you are not who you say you are... there is a real learning curve here). You'd need valid cards for which you have an associated name and street address that will pass an AVS check, a range of distinct e-mails (and not from public Web mail) and IP addresses. However, with enough work it would be doable... although probably in violation of Federal and State law in the US.

- Stefan

Re:Fight Fire with Fire (2)

martin-boundary (547041) | more than 2 years ago | (#36198770)

I think what the OP is saying is that flooding the spammers' system with fake purchase requests using fake credit card details would cause the spammers' payment computers to be flagged automatically by the credit card processing companies, causing the spammers' systems to be penalized where it hurts them.

There's no need to design the credit card numbers close to legitimate, since the purpose is to make the purchase bounce. They just have to look good to the spammers' frontline purchasing web forms, so that they get passed along. But they shouldn't look legitimate to the banks.

Presumably, this is in contrast to the research oriented approach which requires investigating and tracking down the complex web of financial relationships to find out who handles the money for the spammers, and then shut them down.

The OP's idea is automatic, because the fake purchase requests travel through the spammers' network like regular requests, so there's no need to figure out what the spammers' network looks like.

The problem is of course that some legitimate businesses could be flooded too, this is vigilantism and fraud.

Because going to another provider wouldn't occur (1)

jhoegl (638955) | more than 2 years ago | (#36197344)

Like they wouldn't go to another provider... much like they do now if they get shut down.

Re:Because going to another provider wouldn't occu (1)

StefanSavage (454543) | more than 2 years ago | (#36198164)

Like they wouldn't go to another provider... much like they do now if they get shut down.

Of course they would. However, the key issue is the cost structure on each side. For us to discover the identity of the new bank being used takes a few minutes (seconds if we had direct access to VisaNet) and negligible cost (I just need to authorize a purchase from the site). There is no technical reason I'm aware of that you couldn't implement an issuer blacklist at similar time scales if you wanted to (I can think of lots of reasons it might not be a good idea to automate this, but the main point is that the time scale is short). Compare that to how much time and cost you think it takes to find a new bank willing to accept high-risk merchants. It's certainly doable, there are a number of such banks, but it's orders of magnitude more time.

Where's the weak link? (2)

Ruke (857276) | more than 2 years ago | (#36197382)

The study identified 3 top payment-processors for spam sites. Surely these processors aren't the weak link; their business model is to process payments for spammers. You can't simply ask them not to process spam payments - there is a financial disincentive for them to do so.

We could move one rung up the ladder, and ask Visa and Mastercard not to authorize any payments to these top-3 processors. However, we've just "widened" the narrowest point, plus, these companies have a financial incentive to grin and pass the buck. Maybe less so; I'd be interested in the number of consumers who later try to contest these payments, but I'm willing to bet that dealing with a fraction of unhappy customers now is less expensive than the net amount the credit cards pull in while processing these shady payments. Otherwise, Visa would have done something by now.

Re:Where's the weak link? (2)

bleble (2183476) | more than 2 years ago | (#36197546)

I don't even think the number of unhappy customers is that big. They do actually send the products you order. It's just the patent-holding pharmaceutical companies that are unhappy with people ordering cheaper drugs from 3rd world countries.

Re:Where's the weak link? (2)

Dahamma (304068) | more than 2 years ago | (#36197982)

Actually, moving up to the credit card companies would hugely narrow the bottleneck. You convince VISA, Mastercard, Discover, and Amex to adopt a policy of refusing transactions from any institution knowingly processing spammers' requests, and you're pretty much done. Convincing all of the random shady "banks" around the world to do the same would be a LOT harder (until they lose all credit card processing capability unless they comply!)

I do agree that if they really cared, the problem would already be solved - because the solution is just so damn easy...

It's the business model, stupid (4, Insightful)

amicusNYCL (1538833) | more than 2 years ago | (#36197390)

If a handful of companies like these refused to authorize online credit card payments to the merchants

You suggest that as if this specific activity was not these people's business model. A credit processor in Azerbaijan doesn't just one day decide to start processing spam purchases, they open their business specifically for that purpose. Good luck getting them to switch business models just because you want them to.

Re:It's the business model, stupid (4, Informative)

insecuritiez (606865) | more than 2 years ago | (#36197672)

Yes it is the business model of these banks. However, they are processing through a credit network (Visa / Mastercard) and consumers' credit cards are backed by an issuing bank (think Chase, Citibank, etc). Either the credit network or the issuing bank can prevent the transaction without the cooperation of the shady acquiring bank. In fact, there is a "Merchant Category Code" (food, entertainment, drug stores and pharmacies, etc) that the credit network requires be on each transaction and requires to be correct. The credit network or issuing banks don't have to stop all credit transactions to the offending acquiring banks, they can just stop drug stores and pharmacies transactions. You should read the paper.

Re:It's the business model, stupid (1)

StefanSavage (454543) | more than 2 years ago | (#36198014)

Yes it is the business model of these banks. However, they are processing through a credit network (Visa / Mastercard) and consumers credit cards are backed by an issuing bank (think Chase, Citibank, etc). Either the credit network or the issuing bank can prevent the transaction without the cooperation of the shady acquiring bank.

This is precisely right. We too would expect that convincing foreign banks to dump their customers would, at best, be a slow process and would be unlikely to succeed as a general approach. Moreover, it's not even clear if such activities are illegal in the jurisdiction of all these institutions (at some level these are all IP crimes after all). However, the money for these purchases is primarily from the US and thus direct interventions by domestic issuers are likely to be as effective as shutting down the acquiring institutions.

Now a separate question is whether this makes political and economic sense as a matter of public policy. That is certainly open to debate and there are probably reasonable arguments on both sides.
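
Added illustration, not part of either comment above or of the paper: a sketch of the issuer-side rule those comments describe, which declines a specific (acquiring bank, Merchant Category Code) pair once a test purchase has revealed the acquirer. The field names, acquirer identifiers, merchants and timeline are constructed for the example; 5912 and 5411 are the standard MCCs for drug stores/pharmacies and grocery stores.

```python
from dataclasses import dataclass, field

# MCC 5912 = "Drug Stores and Pharmacies"; 5411 = "Grocery Stores, Supermarkets".
PHARMACY_MCC = "5912"
GROCERY_MCC = "5411"


@dataclass(frozen=True)
class AuthRequest:
    """What an issuer sees in an authorization request (field names are hypothetical)."""
    acquirer_id: str    # identifies the acquiring bank; values below are constructed
    mcc: str            # Merchant Category Code attached to the transaction
    merchant: str
    amount_cents: int


@dataclass
class IssuerPolicy:
    """Declines only the (acquirer, MCC) pairs learned from test purchases."""
    blocked: set = field(default_factory=set)

    def record_test_purchase(self, req: AuthRequest) -> None:
        # A deliberate purchase from a spam-advertised site: its authorization
        # record reveals which acquiring bank is handling that merchant.
        self.blocked.add((req.acquirer_id, req.mcc))

    def decide(self, req: AuthRequest) -> str:
        if (req.acquirer_id, req.mcc) in self.blocked:
            return "DECLINE"
        return "APPROVE"


def replay(events):
    """Run a timeline of ("test_buy" | "auth", AuthRequest) events in order.

    Returns (merchant, acquirer_id, decision) for each "auth" event.
    """
    policy = IssuerPolicy()
    results = []
    for kind, req in events:
        if kind == "test_buy":
            policy.record_test_purchase(req)
        elif kind == "auth":
            results.append((req.merchant, req.acquirer_id, policy.decide(req)))
        else:
            raise ValueError(f"unknown event kind: {kind!r}")
    return results


# Constructed timeline: the spam-advertised shop starts on ACQ-A, then moves to ACQ-B.
TIMELINE = [
    ("test_buy", AuthRequest("ACQ-A", PHARMACY_MCC, "rx-spam-shop", 4500)),
    # Blocked pair: declined.
    ("auth", AuthRequest("ACQ-A", PHARMACY_MCC, "rx-spam-shop", 8900)),
    # Same acquirer, different category: untouched by the rule.
    ("auth", AuthRequest("ACQ-A", GROCERY_MCC, "corner-grocery", 2300)),
    # Collateral: the rule cannot tell merchants apart within one (acquirer, MCC) pair.
    ("auth", AuthRequest("ACQ-A", PHARMACY_MCC, "other-pharmacy", 1200)),
    # Shop switches acquirer; approved until the new relationship is observed.
    ("auth", AuthRequest("ACQ-B", PHARMACY_MCC, "rx-spam-shop", 8900)),
    ("test_buy", AuthRequest("ACQ-B", PHARMACY_MCC, "rx-spam-shop", 4500)),
    ("auth", AuthRequest("ACQ-B", PHARMACY_MCC, "rx-spam-shop", 8900)),
]

if __name__ == "__main__":
    for row in replay(TIMELINE):
        print(row)
```

The "other-pharmacy" row shows the granularity limit of such a rule: every merchant sharing the blocked acquirer and category is declined with it.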

Hilarious (5, Insightful)

airfoobar (1853132) | more than 2 years ago | (#36197402)

This approach is already being used against the "evil pirates", but they haven't even gotten started on the spammers. Getting their priorities straight: they go after the teenagers sharing music first instead of the real criminals sending out phishing emails, viruses and shit like that. FTW.

Lemme tell ya what you gotta do.... (1)

pr0f3550r (553601) | more than 2 years ago | (#36197434)

1) Post the names of these payment processing companies and their mail servers.
2) Link how these processing companies are responsible for attacks on the Pirate Party and Anonymous.
3) ??????
4) Profit

Re:Lemme tell ya what you gotta do.... (0)

Anonymous Coward | more than 2 years ago | (#36197616)

not your personal army

Re:Lemme tell ya what you gotta do.... (1)

somersault (912633) | more than 2 years ago | (#36197742)

They might as well do something useful for a change. Spam isn't his personal problem anyway, it's a global nuisance.

What laws are they breaking? (1)

e9th (652576) | more than 2 years ago | (#36197458)

Not that I think that handling credit card payments for spammers is a good thing, but are these middlemen actually violating any laws that would justify shutting them down?

Re:What laws are they breaking? (2)

rossjudson (97786) | more than 2 years ago | (#36197590)

It's against the law to send the spam. Visa is aiding and abetting the crime by handling the transfer payments from US banks to the foreign banks through its payment network. If this study is accepted, it will be hard for them to deny accurate and full knowledge of their role in the crime. Each link in the financial chain is explicitly aware of the nature of the transaction, save the originating bank in the US.

I don't believe it is a simple thing to set up a new credit card processor, at these scales. Doesn't Visa have to authorize each credit card processor? Spammers won't be able to create credit card processors on the same scale as their URL creation. Visa has solid statistics on processor creation now. They can watch for skews to understand unusual new processor applications.

Visa should be running a constant program of low-level buys from spammers, tracing the transactions through, just like these researchers did. Visa would then have complete and accurate data on the pipeline, and they could shut it down completely.

Unless they don't want to, of course. Which is exactly true. The only thing that will force it to happen is legislation.

Re:What laws are they breaking? (0)

Anonymous Coward | more than 2 years ago | (#36198262)

Oh, it's even easier than this.

Mastercard, Visa, etc know what you're purchasing already. They could update their system to store digital "receipts" and attach those to an email address. This would require the merchant to provide a detailed "customer" receipt and in case of a dispute. Then if a merchant is flagged too many times they could investigate.
[ ] Line item is counterfeit/fake/illegal (for items purchased online and significantly not as described, eg counterfeit and bootleg items)
[ ] Line item does not match what was purchased (for items purchased online or in person where the item purchased and item printed are not the same)
[ ] Line item was not authorized (for items and charges added without authorization, eg gratuities, regulatory access fees, taxes, paypal fees, that were not included in the purchase price, but added without the purchaser's knowledge.)
[ ] I did not purchase from this merchant (For "my credit card was stolen/skimmed")

Just click the credit card statement online, and select the purchase that seems questionable. Then draw a "box" around the line item that is in question.

Spam can be legal (0)

Anonymous Coward | more than 2 years ago | (#36198440)

Actually, the law says that spam (defined as unsolicited bulk commercial emails) is a legal and legitimate form of advertising as long as you meet certain rules like not providing false headers and offering an opt-out. Google CAN-SPAM Act. It's analogous to unsolicited credit offers you get in the mail.

Law breaking doesn't occur unless the spammer is taking control of botnets, spoofing headers, or intentionally trying to defraud recipients with counterfeit/illegal products, phishing scams, etc. All common occurrences, I'll admit, but not all unsolicited bulk email falls into this category. People apply the term 'spam' too loosely.

Questions answered in this thread... (5, Informative)

nweaver (113078) | more than 2 years ago | (#36197592)

I'm one of the MANY coauthors of this paper. Myself or others will try to answer questions in this thread.

Re:Questions answered in this thread... (0)

Anonymous Coward | more than 2 years ago | (#36197760)

Myself or others will try to answer questions

You misspelled "I". That's pretty good. I'd never before seen a one-letter word misspelled.

Re:Questions answered in this thread... (1)

da cog (531643) | more than 2 years ago | (#36198264)

Myself or others will try to answer questions

You misspelled "I". That's pretty good. I'd never before seen a one-letter word misspelled.

Presumably he figured that his time would be better spent battling the evil forces of spam than carefully proofreading his Slashdot comments, but I suppose that not all of us share the same priorities.

Re:Questions answered in this thread... (1)

RobertLTux (260313) | more than 2 years ago | (#36198578)

Actually I think the "error" is that Others or Myself is reversed (but grab an eighth-grade English teacher to confirm)

Re:Questions answered in this thread... (1)

da cog (531643) | more than 2 years ago | (#36198762)

Indeed, most likely the sentence was correct in an earlier form and then he made a last-minute edit that introduced an error, as I have done on many occasions.

Re:Questions answered in this thread... (1)

martin-boundary (547041) | more than 2 years ago | (#36199062)

I wouldn't grab an eighth-grade English teacher if I were you. First, you might be mistaken for a pedophile, and secondly, eighth-graders generally don't know English that well, let alone teach it.

Re:Questions answered in this thread... (0)

Anonymous Coward | more than 2 years ago | (#36199280)

So what if the big 3 are shut down or coerced to stop their spammer-related activities? The other 5% will pick up the slack and grow big won't they?

Obligatory checklist (1, Redundant)

dkleinsc (563838) | more than 2 years ago | (#36197610)

Your post advocates a

( ) technical ( ) legislative (X) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
(X) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
(X) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(X) Asshats
(X) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
(X) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
(X) Extreme stupidity on the part of people who do business with spammers
(X) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
(X) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
(X) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(X) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

Re:Obligatory checklist (2)

insecuritiez (606865) | more than 2 years ago | (#36197764)

( ) You read the paper
(X) You did not read the paper

The paper specifically covers merchant relationships with acquiring banks and credit processing. Purchases were done to track the credit processing. It isn't possible to anonymously spoof that. Also, stopping the transactions is more legislative than market-based.

That might work... (0)

Anonymous Coward | more than 2 years ago | (#36197626)

Or you might find that when you cut off a head of the Hydra two grow to replace it.

What Bank? (0)

Anonymous Coward | more than 2 years ago | (#36197694)

The PDF mentions more than 3 different banks. None of them are Danish.

The other article says that all transactions go through one of three financial companies. And one of these is based in Denmark.

Can someone clarify this inconsistency for me?

( And you guessed right. I am from Denmark. )

Re:What Bank? (1)

StefanSavage (454543) | more than 2 years ago | (#36198372)

I suspect that the Times article is referring to DnBNord Latvia which I think also has a Danish branch. I think they are all technically owned by DnB NOR in Norway.

- Stefan

Fortune cookie (0)

Anonymous Coward | more than 2 years ago | (#36197866)

So that was what was rotten in the state of Denmark!

Good idea, but... (1)

dskoll (99328) | more than 2 years ago | (#36197912)

It's a great idea to go after payment processors. I bet it could stop a lot of spam.

But there's a lot more spam besides the ones that try to sell you something quasi-legitimately. Going after payment processors won't do anything to stop phishing attacks, lottery scams, Nigerian scammers, porn ads, wacko conspiracy theorists or questionable "newsletter" subscriptions. Also, the big spam rings will take advantage of dumb spammers who don't realize they'll get cut off for spamming. Unfortunately, there is no shortage of dumb spammers.

Glancing at my traps, I would guess that about one in five of the spams would be affected by cracking down on payment processors.

Re:Good idea, but... (1)

StefanSavage (454543) | more than 2 years ago | (#36197946)

In general, the payment tier is only an appropriate point of intervention for those activities that are monetized via direct consumer payment. So it is appropriate for things like spam-advertised goods, fake-AV, gambling, porn, etc.... things for which it is hoped that the recipient will provide a credit card number to finance the underlying advertising activity. It is not useful for scams that employ an out-of-band payment scheme (e.g., pump-and-dump) or that are fundamentally focused on theft (e.g., phishing, 519, malware vectors, etc)

Who you gonna call? (0)

Anonymous Coward | more than 2 years ago | (#36198042)

Who you gonna call? The internet police. You just got back traced.

Not new (1)

damn_registrars (1103043) | more than 2 years ago | (#36198124)

I've been saying for years that the only way to stop spam is to go after the money that keeps it going. I have the comment history here to back that up, as well.

However, whoever wrote this summary got one thing wrong at the end. A "Joe Job" - sending out fake spam to smear someone you dislike - is useless. I've seen plenty of them in the past, and the result is questionable at best. People who dislike spam won't see it, and those who buy spamvertised products will just be confused by it.

Regardless, I'm glad to see that more people are realizing that indeed spam is an economic problem, that needs to be solved with economic solutions. No amount of filtering or homicide will bring about an end to spam; only economic actions will.

Re:Not new (2)

WrongSizeGlass (838941) | more than 2 years ago | (#36198418)

However, whoever wrote this summary got one thing wrong at the end. A "Joe Job" - sending out fake spam to smear someone you dislike - is useless.

I submitted the story but did not write the following:

Frequent Slashdot contributor (and author of a book on Digital Cash) Peter Wayner wonders if "the way to get a business shut down is to send out a couple billion spam messages in its name."

The above was added by the editor. The article and linked PDF are about cutting off the payment processing for those selling the "spammed" products in order to indirectly reduce the amount of spam. They are not about going after companies who send the spam (either under their own name or those of others).

If they refused (1)

Pf0tzenpfritz (1402005) | more than 2 years ago | (#36198270)

If a handful of companies like these refused to authorize online credit card payments to the merchants, 'you'd cut off the money that supports the entire spam enterprise,' said

...if the pope refused to be catholic. I think there might be some reason why only these few companies are processing all these transactions.

Problem (1)

PPH (736903) | more than 2 years ago | (#36198304)

Are these three credit card processors in cahoots with the spammers? Or are they being used only because they are cheap? How much of these three processors' business is derived from spam (95% of spam transactions doesn't mean the same thing as 95% of these processors' business is derived from spam).

What, legally, can one do to prevent other payment processors from picking up the slack? Legitimate business is legal and, as a payment processor, how do I know the transaction originated from spam? Why should I play cop?

If these three outfits handle 95% of the spam-originated transactions, this still might be a small part of their non-spam volume. What legal justification do you have for leaning on them and harming the legitimate part (majority) of their business? If they are cheap processors, it is probably because they don't exert too much effort chasing iffy clients around. Crack down on them, or impose additional customer quality checks and you'll harm them and many honest but low margin vendors. But the Visa/MasterCard/Amex oligopoly will love you.

Buy software? (1)

sunfly (1248694) | more than 2 years ago | (#36198358)

If I thought my hard drive was failing, I'd buy a new hard drive, not software to fix a worn hardware problem. I don't get it.

Anonymous? (0)

Anonymous Coward | more than 2 years ago | (#36198574)

Seems like killing 3 credit card processors like this would be well within the reach of an outfit like anonymous... if they're really up to fight the good cause.

Another patriot act? (1)

Americium (1343605) | more than 2 years ago | (#36198602)

Just how the anti money laundering act section of the patriot act chased billions out of the country, so will any of these other measures. Tax havens exist and will never be removed unless a global police state is enforced.

Nigerian scams exist because banks give out money before the check clears, very easy to change that law/regulation/business practice.

Credit card scams hurt credit card companies, they have plenty of resources to not allow these scams to take place. If I try to purchase items overseas I get a call from my credit card company checking to see if it was legitimate first. Obviously this extra cost isn't worth the very small amount stolen in scams, or other credit card companies would follow suit.

Seriously? in 2011? (1)

TheABomb (180342) | more than 2 years ago | (#36198622)

Hasn't Gmail more or less made the problem obsolete? Or am I supposed to shed a tear for people who willfully refuse to use freely-available tools that already do the job they're struggling with?

Re:Seriously? in 2011? (1)

ssj152 (803281) | more than 2 years ago | (#36198872)

uh, what exactly are you referring to? How does Gmail solve anything related to spam and credit card processing?

cash money (0)

Anonymous Coward | more than 2 years ago | (#36198712)

The truth is that the CC companies don't care if the transactions are fraudulent or not, as long as they get their fees. The reason they don't and never will shut down spammers is because they make plenty of money off them.

Getting them to stop. (0)

Anonymous Coward | more than 2 years ago | (#36198714)

I don't know, I've always thought having them branded with 5 inch letters, then drawn, quartered, and left naked by the roadside was a pretty good way to get them to stop spamming. :-)

Kill it with FUD (1)

Marrow (195242) | more than 2 years ago | (#36198832)

People are taking an enormous risk purchasing these products. So make the risks seem so high they just won't do it.
1. They never got what they ordered.
2. They got sugar pills.
3. They got mislabeled pharma that fucked them up. Heart meds, psychotropics
4. They got their card defrauded.
5. It got sent to their next door neighbor
6. They got something instead that was really illegal and they got arrested, lost their job, etc.
7. It was a mega-dose and they had to go to emergency. And then had to explain it.

At the very least, there should be a real report as to what these things are and if they are dangerous.

Send Seal Team 6 (0)

Anonymous Coward | more than 2 years ago | (#36199098)

oops, DEVGRU, after them. The guys should be rested and ready by now.

Where to go for help? (0)

Anonymous Coward | more than 2 years ago | (#36199368)

Posted anonymously as I want to keep my job and my nick as much separated as possible.

I work for a company that distributes both Visa and MasterCard.

We have a department that tries to find fraud and it is a moving situation all the time. We even try to be pro-active and contact cardholders or sometimes even block them without contacting.

e.g. we know that the card can't be physically in New York and in Sydney. This is easy for stolen cards. Internet payment is another situation. Transactions are done almost immediately and we only see the merchant and not so much the bank behind it.

Although I am not working on the fraud-prevention department, I am sure they will be interested in at least looking at the possibility to work together. So where could I send an email to from my work address to get more information to give to the fraud department?
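The New York/Sydney check described in the comment above, as an added example that is not part of the thread: a geo-velocity rule over card-present transactions, which also shows why the same rule has nothing to compare for internet payments. The speed threshold, field names and sample transactions are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # Assumption: roughly airliner speed.


@dataclass(frozen=True)
class Txn:
    card_id: str
    epoch_s: int
    card_present: bool
    lat: float = 0.0   # terminal location; meaningless when not card-present
    lon: float = 0.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(txns, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (earlier, later, implied_kmh) for consecutive card-present
    uses of one card that imply travel faster than max_kmh."""
    alerts = []
    last_seen = {}
    for t in sorted(txns, key=lambda t: t.epoch_s):
        if not t.card_present:
            continue  # internet payment: no terminal location to compare
        prev = last_seen.get(t.card_id)
        if prev is not None:
            dist = haversine_km(prev.lat, prev.lon, t.lat, t.lon)
            hours = (t.epoch_s - prev.epoch_s) / 3600
            if hours > 0:
                speed = dist / hours
            else:
                speed = math.inf if dist > 1.0 else 0.0
            if speed > max_kmh:
                alerts.append((prev, t, speed))
        last_seen[t.card_id] = t
    return alerts


# Constructed sample transactions, not real data.
SAMPLE = [
    Txn("card-A", 0, True, 40.7128, -74.0060),        # New York
    Txn("card-A", 2 * 3600, True, -33.8688, 151.2093),  # Sydney, 2 h later
    Txn("card-B", 0, True, 40.7128, -74.0060),        # New York
    Txn("card-B", 5 * 3600, True, 42.3601, -71.0589),   # Boston, 5 h later
    Txn("card-C", 0, True, 40.7128, -74.0060),        # New York
    Txn("card-C", 600, False),                        # online, 10 min later
]

if __name__ == "__main__":
    for prev, cur, kmh in impossible_travel(SAMPLE):
        print(f"{cur.card_id}: implied {kmh:.0f} km/h")
```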
