street prices for digital goods?

Richard Clayton richard at highwayman.com
Thu Sep 11 10:58:57 EDT 2008 

In article <48C77368.1010504 at eecs.berkeley.edu>, David Molnar
<dmolnar at eecs.berkeley.edu> writes

>Dan Geer's comment about the street price of heroin as a metric for 
>success has me thinking - are people tracking the street prices of 
>digital underground goods over time?

up to a point... see the other responses

> The Symantec Threat Reports do seem 
>to report advertised prices for a basket of goods, starting in Volume XI 
>(March 2007) and running through the present. For example, Volume XI 
>Table 3 states a Skype account is worth $12, valid Hotmail cookie $3, 
>etc. These are interesting, 

yes :)

I've been thinking about this for some time -- I have found that it
makes for some interesting questions to corporate types presenting
"ain't it awful" PowerPoint slides that they don't quite understand :)

>but it's hard to see changes since they're 
>reported as a band of prices presumably aggregated from many different 
>sources.

Indeed, but deeper than this, you have to ask yourself what the price
means...

>I'm curious because it would be interesting to look at the "street 
>price" for a specific online bank's logins before and after the bank 
>makes a change to its security practices.

exactly so ...   if the price of BoA cards was $2 and is now $1 does
this mean:

(a) production surplus -- so the scammers are cutting each other's
throats to offload their stashes

        is this because the bank's security is rubbish?

        is it because everyone has decided to attack this particular
        bank under the assumption that it is _the_ Bank of America? or
        because a new kit has come out for them to use

(b) consumption scarcity -- no-one wants to buy

        is this because the bank's back-room operations are excellent
        and so it is hard to extract value?

        is it because the people who can cash the cards out have all the
        cards they can handle at the moment?

(c) adulterated supply -- only one card in 800 is any good

        it's sometimes claimed that the loss per card is around $800, so
        if lots of the numbers don't work you need to reduce the price
        per card

(d) incompetent pricing by the sellers

        the real price should be much higher, but the sellers have been
        persuaded that $1 is fair reward for their effort and so they
        don't attempt to get any more for their goods

(e) incompetent pricing by the buyers

        most cards are worthless because the bank's back room operations
        are so good, but not all buyers have realised this so they
        overpay

and probably (f)... onwards as well

viz: in the absence of evidence that an efficient market is operating
and without clear evidence of what price elasticity there is, it is
almost impossible to draw conclusions about bank (in)efficiency from
merely observing average prices :(

There's a similar issue relating to the relative cost of cards and
"whole life" details. The latter are more expensive, but perhaps only by
a factor of 10-20. Is this a reflection of restricted supply? or does it
reflect a paucity of buyers (you might use these details to scam the
cost of a medium-size dwelling) or that there are very few buyers who
are prepared to handle a specialist product...

There is undoubtedly an interesting econometrics paper to be written
here, but it will rely upon not only extensive data from the Underground
Economy but also on good data from a bank (or banks) -- and this is
impossible to obtain at present :(  One then needs to tease out enough
"almost the same but not quite" scenarios to be able to isolate the
various factors and thereby put some numbers to the model...

>finally, does anyone happen to know of a good review of how the focus on 
>street price has performed as a metric for drug interdiction?

it usually demonstrates that the police overpay :)

and that leads on to a further problem with the Underground Economy
monitoring. You are only seeing "list prices" and anyone in business
knows that you don't need to pay list price!

-- 
richard                                              Richard Clayton

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety.         Benjamin Franklin

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list