street prices for digital goods?

Leichter, Jerry leichter_jerrold at emc.com
Thu Sep 11 10:52:24 EDT 2008


On Thu, 11 Sep 2008, Peter Gutmann wrote:
| ...I've been (very informally) tracking it for awhile, and for generic
| data (non-Platinum credit cards, PPal accounts, and so on) it's
| essentially too cheap to meter, you often have to buy the stuff
| in blocks (10, 20, 50 at a time) to make it worth the seller's while.
But this implies there is something very wrong with our current
thinking about attacks.

If, as is commonly assumed, hackers today are in this as a business,
and are driven by then the value of a credit card number is determined
exactly by the most money you can turn it into, by any approach.  If
I have a credit card number, I can turn it into money by selling it,
or alternatively I can buy stuff and sell that instead.

Now, there are costs involved with buying goods, receiving them,
and reselling them; and also there's some probability that the
credit card providers will notice my activity and block my
transactions.  (There's of course also the possibility that I
get caught and sent to jail!)  If the costs of doing this business
are fixed, I can drive them to zero by using enough credit cards,
and there are clearly plenty around - but see below.  So the only
significant issue is variable costs:  For every dollar I charge on
a card, I only get back some fraction of a dollar, based on my per-
transaction costs and the probability of my transaction getting
rejected.  This probability grows with the size of the transaction,
so the actual optimal strategy is complicated.

Still ... if you can *buy* a credit card number for a couple
of cents, its actual *value* can't be much higher.  Which
implies that something in the overall system makes it difficult
to monetize that card.  I'm not sure what all of them are, but
we can guess at some.  The card providers *must* be rather good
at blocking cards fairly quickly - at least when large amounts
of money are involved.  That is:  The probability of being
blocked must go up very rapidly with the size of the transaction,
forcing the optimal transaction size to be small.  If it's
small enough, then fixed costs per transaction become significant.
And something blocks the approach of "do many small transactions
against many cards" - presumably because these have to be done
in the real world, which means you need many people going to many
vendors picking up all kinds of physical objects.

Whatever the causes ... if it's cheap to *buy* credit card
numbers, they must not really be worth all that much!

                                                        -- Jerry


---------------------------------------------------------------------
The Cryptography Mailing List