Illustration from the cover of the Canadian Cyberfraud Handbook: “The Conjurer”​: Hieronymus Bosch and workshop (circa 1450 –1516)

Cyberfraud at Scale

Bad Privacy Blog by Claudiu Popa
8 min readAug 25, 2019

What is the Mystery Ingredient that Allows Scams to Grow and Thrive in the Underground Economy?

It may be vaguely unsurprising that vast social networks and marketplaces like Facebook, Amazon and even the global banking system are the inadvertent and passive incubators of a flourishing underground economy they do not control.

Have you ever browsed online marketplaces like Amazon and Ebay for arbitrary items and come across a number of reasonably priced products, while the occasional listing is priced at literally hundreds of times the going price? What’s going on there? There’s no reason to believe the sites that host these products don’t realize they’re listing fake products or are playing a key part in enabling money laundering activity. But the kind of rigid enforcement that would eliminate these millions of transactions would also impact the bottom line, eliminating highly profitable transactional fees. After all, vendors would simply take their business to a competing platform. Caveat emptor.

When Facebook sees literally any message with an urgent tone, demanding action or suggesting participation in a contest or a protest, the intent is obvious: to influence people at scale.

When a bank cashes a large personal cheque from a different financial institution, the probability counters internally tick up to indicate that an overpayment scam might be in progress and it would take infinitesimal effort to send the recipient a quick email to say “hey, congrats on that fat cheque you just dropped in, but please give us 10 days to make sure it’s legit; we wouldn’t want you to fall for any silly scam”. Nor would we want to charge you any fees for bounced cheques or other related penalties.

It’s not like platforms don’t want to completely eliminate deceptive practices and get a competitive bump in credibility. It’s certainly not like they don’t want to stamp out fraud and look great doing it. Both institutions and organizations revel in empowering themselves using the good will afforded by the illusion of filling in that penultimate row in Maslow’s hierarchy of needs, giving the vulnerable masses a warm and fuzzy feeling that only a magnanimous, protective authority can.

Organizations care about customer loyalty because without it, they cease to exist, much like the thousands of extinct gods that preceded today’s final handful of surviving deities that now struggle to inclusively represent the crumbling foundation of archaic belief systems.

All institutions absolutely value public trust when data breaches occur. When tacit containment is no longer an option, a variation on a carefully scripted message is trotted out: “Rest assured, we have the highest respect for you, our valued clients. Privacy and security are of paramount importance around these parts.” But that assurance hinges on the fulcrum of financial incentives: when customer trust means that legitimate profits outweigh the windfalls from enabling fraudulent activity, it’s a no-brainer. Crank the knob on that oxytocin secretion and emphasize with emotional intensity the care and love the organization has for the customer. In the failing case, the tacit endorsement of should be flagged as “probably fraudulent” behaviour will be the status quo until anyone with a sufficiently large megaphone can demonstrate that anything fishy is going on.

When the opportunity for explosive growth is spread across so vast a geography that business ‘unicorns’ risk getting kicked out of their exclusive clubs, then it is perhaps time to review the strict definition of integrity. After all, they are merely hard-working service providers, so when it comes to protecting customers, one can only do so much. A year or two of credit monitoring will suffice. An insincere letter of apology will surely be more than enough.

Let the chips fall as they may.

Though contrived, this handy phrase has its unverifiable roots in antiquity. Its overuse merely stems from the lazy application of the second half conveniently lifted from a proud latin legal phrase that can be powerfully summed up in four words:

Fiat justitia ruat caelum

Let justice be done though the heavens may fall

The relationship between ethical responsibility and risk salience can be finely contentious, so it is important to be more inclusive rather than risking to present insufficient accommodation for (the principle of) completeness. And so it is that the fraud taxonomy that served as the basis of the Cyberfraud Reference Library included with my cyberfraud handbook by the same name, included 42 types of cyberfraud assiduously sorted into 10 classes of deceptive practices that form the basis of the Cyberfraud Classification Framework.

The Answer to the Ultimate Question

While we did not explicitly set out to hit the number forty-two, it was a pleasant coincidence-voire-inevitability given that it purports to be the answer to life, the universe and everything. But the keen eye will notice the inclusion of cyberfraud categories — such as Dark Pattern Techniques (Class J.10.1) whose mere presence in this schema is an indication that one should resist the temptation to simplify judgment by absolving the platform or service provider responsible for playing an enabling part in the any system where cyberfraud has made a home.

In fact, when Thomson Reuters published the Canadian Cyberfraud Handbook in late 2017, we saw the opportunity to set the record straight on what cyberfraud really means. A banal pointer to petty online scams and financially motivated social engineering exploits no longer suffices to encompass the scale of the beast. Cyberfraud is fraud, but it is augmented by computer systems and boosted by the vast scale of Internet connectivity:

Cyberfraud [noun /ˈsaɪ.bə.frɔːd/]

Any unconscionable act, dishonest conduct, deceptive activity or deceitful omission that uses computer technologies or digital connectivity to defraud the public, or any person out of assets, property, money, valuable security or service (e.g. by using mobile connectivity or Internet messaging to manipulate another person to give something of value).

The definition is inclusive, because it needs to scale down to the individual transaction as much as it needs to elegantly include apathetic authorities. All parties, from potentially vigilant but greedy individuals-turned-victims to passive-aggressive enablers play their parts and prioritize their actions — or lack thereof — based on their own incentive structures.

As Bill Nye, the Science Guy has been fond of saying for decades, consider the following:

  • social media platforms harbour hundreds of millions of fake accounts and fail to censor polarizing ‘free speech’ with global and often deadly consequences
  • advertising platforms making only banal attempts at solving the problem of fake clicks and digital advertising fraudcosting the industry billions
  • educational institutions enabling big data aggregators to systematically monetize children’s information — under the guise of modernization and edtech — pretending that it is just anodyne student data well outside the parental sphere of comprehension and authority, meanwhile enabling identity compromises that may impact victims for generations to come
  • cryptocurrency markets effectively masquerading as innovative platforms while providing global cybercrime with a intangible foundation designed to maximize profit and minimize accountability when the inevitable data breaches occur.

Over the past weeks and months, we have seen fines and penalties exceeding previous million-dollar levels. Remember how recently those were considered astronomical? Now fines are well into into the tens (Google, $57 million) and hundreds of MILLIONS of real-world dollars or euros (British Airways and Marriott).

The dichotomy between a intangible asset and a victimless crime

Neither the public nor Facebook even blinked at the announcement of a five thousand million dollar fine. 5000 million dollars is simply the new cost of doing business at scale. But for the individuals whose data it is intended to somehow retroactively protect by setting an example, this doesn’t translate into much of anything. Equally unsatisfying was the recent $700 million Equifax settlement that translated into $125 per US victim (who will need to exercise a certain degree of persistence in claiming it).

When LinkedIN’s breach resulted in the unprecedented liberation of 164 million usernames and passwords, it became a data trove for cyberfraud, enabling small time players and organized criminals syndicates to exploit victims en masse. It was a gold rush whose ripples continue to this day, with all those passwords — now in the public domain — feeding cracking algorithms used to brute-force accounts of all kinds.

LinkedIN password rainbow tables are the first place cybercriminals and security researchers look when they need to take over accounts, or test any defenses. At the time of the initial breach in 2012, LinkedIN indicated that security remediation costs exceeded $1M, which may have been impressive back when starter homes were still priced at those levels, but today, it’s an insignificant amount. The company said that it planned to spend “between $2 million and $3 million on security improvements” ostensibly to regain the trust of the public. I’m sure the public was duly impressed.

In 2015, LinkedIn paid $1.25 million to settle a pesky class action lawsuit. A company spokesperson said LinkedIN agreed to the settlement “to avoid the distraction and expense of ongoing litigation.”

When it comes to accountability, when is it adequate, appropriate and sufficient?

To be realistic, can there ever be a system where sufficient controls are in place to keep monstrous organizations accountable? While with the exception of politics, industry-specific mechanisms exist to shame individuals who abuse public trust and exploit their victims, large entities are largely resilient to such checks and balances.

The seductive appeal of scale as an aggregator of implied public endorsement is on full display online. Online marketplaces have grown so large that daily transactions can easily cover most fees, penalties and settlements. Social media and search giants have monetized eyeballs to such a degree that profits could easily buy themselves out of any situation. The financial system knows all about inherent risk and is able to invisibly mitigate it to its own benefit. But never mind the proletariat, where does that leave the public?

Too big to be accountable

Too big to fail is now a wholly inadequate and nearly obsolete phrase. Why almost? Because it was always about accountability. Too big to be accountable more adequately captures the essence of today.

The middle-class consumers of what are now subscription-based services (because evidently everything is a recurring cost in the modern economy) rarely see any option but to settle for the cheerful rhetoric: “we are not responsible for your losses, we are merely the platform that makes your modern, luxurious life more convenient. We are the middleman, allowing you to turn your once unaffordable existence into a series of transactions. Yes, we profitably process the transactions that have come to punctuate your temporary life and have conveniently converted your personal identity and limited attention into currency you need to continuously spend, because we regretfully can’t let you bank it. Although you are our valued customer, you are also the metered product of the bizarro knowledge economy and we definitely care about you in general, at least as an amorphous mass of exploitable raw material”.

--

--

Bad Privacy Blog by Claudiu Popa
Bad Privacy Blog by Claudiu Popa

Written by Bad Privacy Blog by Claudiu Popa

Fīat jūstitia, ruat cælum. Personal musings on data protection fails, snafus & oddities, written & edited by Claudiu Popa; author, educator, booknerd.