The problem with internet fraud is that no one is really trying to make the fraudsters accountable for their actions, instead what they’re doing is essentially “shoo’ing them away”, and fraudsters after being shoo’ed away simply try again until they, almost invariably, eventually do succeed.
Subsequently, the industry of fraud is generally lucrative and is thus constantly growing.
When I worked at Blizzard, there were many mechanisms in place to spot fraudulent credit card transactions and cancel them before they actually billed the card holder, but there was no process for reporting the fraudsters to prevent them doing the same thing again tomorrow.
This is probably the same strategy that every company does, because there is no practical action any company can do to try to make fraudsters accountable and thus discourage them from simply trying again.
So the problem of fraud is getting ever bigger and increasingly unmanageable and out of control.
The problem is a non-trivial political one, governments need to create task forces to work to reduce the size of the fraud industry, perhaps by catching fraudsters and making them accountable.
The problem is even harder than simple political will though, because it’s cross jurisdictional, meaning governments of different countries all need to work together on this.
This may seem impossible at the moment, but I believe until it is achieved fraud is only going to get increasingly worse.
Well what can you do? Trace their IP back to a VPN or web of proxies? Or more likely grandma's infected Windows XP computer? Then what? Start kicking doors down?
Going to get the FBI involved for a $20 purchase?
Reminds me of Lebowski asking the cops about his Creedence tape.
Sure, why not? And if you're at the scale of Blizzard I'm sure it's a lot more than $20.
We're collecting all kinds of information these days. Surveillance capitalism is a common term for it. Data is gold they say. So why not give that data to people that can use it to stop crime?
Blizzard doesn't get paid for reporting fraud. They lose money. So what's the incentive for them to give a damn? They'll just push it back to the CC companies to deal with, if anything.
Do you only do things that you get paid to do?
At work? 100% yes. If it's out of scope for my role or the project, it gets kicked up.
So if it is out of scope for your role or the project you mention the issue to someone else whose job it is to resolve those types of problems or do you make no such report and just hope they figure it out themselves? It's unclear which you mean.
If we are talking about credit card fraud for World of Warcraft accounts, the cost to fight it is far higher than ignoring it or kicking it back to your credit card company. There is 0 incentive for them to care other than doing the bare minimum because it's not their problem, it's the credit card company's problem.
They offer MFA and that's all they should have to do.
Did you dodge the question because you knew that you couldn't be consistent or because you felt that bringing up a new topic was better?
I don't buy this and it sounds incredibly myopic. If it wasn't "their problem" then they wouldn't be doing anything about it. Which the OP talked about. So they aren't just taking the money and letting the credit card companies handle it, that doesn't even make any sense. Credit card companies have to get the money back. Honestly, it sounds cheaper to report it if reporting it leads to a significant reduction because you then have to pay fewer people to deal with this issue and process far fewer charge-backs. It's not much work to do (literally create a program to automate filling out a form to the gov). We're arguing over less than a week's amount of work.
Plus, it's the right thing to do. Idk about you, but money doesn't run my entire life. Letting it seems incredibly myopic as well. Money is just a tool to help me better my life but it sure isn't the only way to do that. And if we're not trying to do "the right thing" then the fuck do we even have a society for? Seriously, please reconsider your actions, because you're enabling the shittiness in society. I'm not saying you gotta be a saint, but if there's a pretty cheap action you can do to make your society any bit better, just do it.
Because they're in Russia or North Korea, and their bosses' bosses are good friends of local police and secret services.
What exactly can FBI do about them?
Well I guess to be fair it would be a matter of Homeland Security. Either way, there are agencies whose directives are about dealing with international fraud. Global commerce comes with global agreements.
1) There's certainly cards coming from non completely sanctioned countries. This means legal pathways.
2) If fraud is prevalent and these numbers can be tracked it makes for better policy decisions. It's not uncommon knowledge that we don't have the best privacy and security. This is at least ammo to do something about it.
Legislation can be changed so people are considered responsible for the abuse that comes from their network unless they can pass the buck to someone else. This will quickly cause those Windows XP machines to fall off the internet unless their owners fancy constantly being bogged down in legal trouble.
The alternative is effectively saying that theft under 20 bucks is decriminalized?
San Francisco is trying that right now, aren't they? How's that going for them?
Those who tried to convince a police officer to investigate a bike theft can tell you that the threshold is actually higher.
$20 seems cheap; not long ago scooter operators would lose hundreds to theft at least, with little interest.
Probably anything under $1000, yes.
From the article as an example of what doesn't scale:
"...He was going through emails in his inbox, then responding to questions in the craigslist forums, and hopping onto his cellphone about once every ten minutes. Calls were quick and to the point "Hi, this is Craig Newmark from craigslist.org. We are having problems with a customer of your ISP and would like to discuss how we can remedy their bad behavior in our real estate forums". He was literally chasing down forum spammers one by one, sometimes taking five minutes per problem..."
Seems like it's possible but not feasible to build a pipeline to scale out that sort of behavior.
Why not? It doesn't have to be the founder on every call if you are looking to scale.
It depends if your revenue scales as fast as abuse scales.
Amazon should be able to keep on top of fraud easily, twice the sales means twice the revenue means they can afford twice the fraud checks, if they want to. That fake $30 "2tb microsd card" puts $30 of real money in their bank account.
But for something like Twitter, revenue is only vaguely related to number of tweets. That "elon musk wants to give you free dogecoin" tweet doesn't make them a cent.
Then their business isn't viable.
The alternative is that we allow businesses to externalise those costs onto society.
When I was at FastMail I did a lot of very manual work to not just block spammers and other abusers, but to make their life as difficult as possible. That included figuring out how to notify the people running the servers they used (including sometimes finding the IRC chat for the folks on that server and telling them they had an intruder). One of my favorite things was to redirect bounce messages that were targeted at innocent FastMail customers to the actual spammer's email address -- which I found stopped the spam from them very quickly, once their inbox filled up with thousands of bounce messages!
Personally, I think it's reasonable to care about such things, and to try to do something about it. If no-one cares or tries, then sucky people will just suck even more.
Thx for this detailed feedback.
Is there any reason why you changed mail away from Fastmail after such a long time and now use Google as mail server?
This is why I have a problem with a lot of the legal structure and incentives. If you measure in number of arrests you aren't solving the problems. I'm not sure there's any good metric to measure that.
To take an analogy I'll mention the drug war. The main target was always low level drug dealers and users. They're easy to arrest and easy to say you're doing something. But they are fairly inconsequential to the business of selling drugs and thus the availability on the streets. But it's orders of magnitude harder to go after the root of the problem. I don't want to detract this conversation with the other aspects or conspiracies (real or contrived), but just focus on the incentive structures. I think the same is here. Blizzard gets no short term reward for reporting fraudulent activity. It's hard to know if they get long term. But at the end of the day it would be the right thing to do.
That's what matters. Doing the right thing. Move fast and break things is a great strategy. But it can't be used in isolation. If it is you're left with a trail of destruction which never gets cleaned up. It's hard to quantify objectives and so every objective function is misaligned. You need to rely on humans to see through that and correct the course as best they can. You need both the people pushing to move fast and the people pushing to slow down and repair. There's a harmony in that competition. Pick your camp but recognize that there's value in the other one too.
I don't think so, on the contrary, they ignore the dealers in vain hope to catch some "big fish", but there are no big fishes there.
I find that a strange comparison. Certainly there are bigger fish to fry. In both drugs and credit cards there is a whole ecosystem. Cards probably more straightforward as these are typically being sold on websites and you thus have a clear marketplace. Which I'd differentiate a marketplace from a dealer on a corner. Go after the people who are the generators. That's people making the drugs or people stealing the cards in the first place. What do you mean there's no "big fish"? If we're going to use a fish analogy it's not the size I care about, but the type.
I mean it's probably a guy who knows someone who can cook meth, rather than a servant of some kingpin who is running a massive drug conglomerate hiding who knows where.
Okay? But somewhere down the line is the person cooking meth. I'm not sure what you're getting at.
I mean, the problem with the War on Drugs is that the drugs were only ever a symptom—while it's true that some small percentage of people would try, and get addicted to, drugs otherwise, the vast majority of addicts were people trying to fill a major hole in their lives. Treating addiction as a disease instead of a moral failing or a crime, legalizing drugs, and making sure that people who want to quit have resources available to do so, are all vastly more effective at reducing the illegal drug trade, as other countries have found.
In a similar way, a huge amount of this fraud would disappear if we took more known-to-be-effective measures to combat poverty (because many of these fraud techniques rely on hiring a whole bunch of desperate people to help keep it going): things like providing housing, single-payer health care, and universal basic income.
No argument here, and it should be unsurprising I agree, since I'm arguing to not go after users. But also remember we can say the same about internet fraud. I'm all for addressing the roots of the problem. Big fan of ensuring there's a floor to living standards. But admittedly that's not the whole problem and fixing these things is incredibly complex. But I would say treating the addiction is a different side since that's downstream of production. Though complex because we do need to produce some drugs but we shouldn't need to spill blood to do so.
Indeed—that's basically my point, too! :-D
When it comes to the war on drugs there's a perverse incentive problem - said war provides endless amounts of easy to catch/prosecute crime which can be used to meet & exceed their performance targets without much effort. So there might not be too much incentive to kill this "cash cow" of low-level users/dealers by actually curtailing upstream supply.
This might not be too different from the payment anti-fraud industry (which is just varying degrees of snake oil). There are solutions that can be implemented such as actually strong two-factor authentication that could cut down on payment fraud dramatically but this would significantly reduce demand for this industry, so a lot of the field has a monetary incentive to keep the underlying primitives not so secure as to keep demand for their snake-oil.
Exactly my point.
From the article:
An international, multi-government taskforce is one solution, potentially. Maybe not. For the problem presented at the top of the article, shopping locally seems like an easy win in comparison.
An international, multi-government task force is no solution for the routine wire fraud that impacts most consumers. Due to corruption, incompetence, and political disputes, the countries where most of that fraud originates won't participate in a meaningful way.
What would be good incentives to make companies like Blizzard start reporting fraudsters?
I am thinking along the line: companies can pay $X to make a report, and will receive $X5 if that report leads to a fine. And they have to pay additional $X10 if that report turns out to be frivolous. (If the report appears to be valid, but doesn't result in a fine, then they get no payoff).
My worry is that bad incentives would lead to over-reporting or some other bad thing.
Having someone to report them to?
I think we don't hold them accountable for the same reason we generally accept panhandlers (which is usually technically illegal in most jurisdictions). If we hold them accountable, where do we send them? Jail? Does that actually fix the problem, or does it just hide it under a societal rug?
And the companies have no incentive to investigate fraud further once it has stopped, especially if the fraudsters are international.
It's even less trivial when corporation-on-consumer fraud has been normalized (see dark patterns, or companies outright taking money for no/sub-par service). Suddenly starting to prosecute fraud would inconvenience some deep-pocketed entities.