street prices for digital goods?

Allen netsecurity at sound-by-design.com
Thu Sep 11 14:22:07 EDT 2008



Peter Gutmann wrote:
> David Molnar <dmolnar at eecs.berkeley.edu> writes:
> 
>> Dan Geer's comment about the street price of heroin as a metric for success
>> has me thinking - are people tracking the street prices of digital underground
>> goods over time?
> 
> I've been (very informally) tracking it for awhile, and for generic data (non-
> Platinum credit cards, PPal accounts, and so on) it's essentially too cheap to
> meter, you often have to buy the stuff in blocks (10, 20, 50 at a time) to
> make it worth the seller's while.  I haven't tracked the big-ticket items like
> PPal accounts with guaranteed minimum balances (rather than just any generic
> PPal account) because the offerings are too ephemeral, you might get "PPal
> with minimum $5K balance" advertised for a few weeks, then "Platinum Visa" for
> a few weeks, and then something else again.
> 
>> I'm curious because it would be interesting to look at the "street price" for
>> a specific online bank's logins before and after the bank makes a change to
>> its security practices. (One not particularly great example of a change:
>> adopting EV certs.) Alternatively, look at the price of some good before and
>> after a prosecution. If this has already been done, my apologies, I'd
>> appreciate the pointer.
> 
> I'm not aware of anyone having done this, mostly because the data doesn't seem
> to be available.  The phishers don't sell (e.g.) BofA accounts specifically,
> they sell whatever's available - you get a block of X accounts or cards from
> various banks, whatever's at hand when you buy.  The only way to see whether a
> measure was effective would be to keep buying blocks over time and see what
> the mix of banks was, and even then it'd be pretty unscientific because you'd
> be getting lots from random phishing sources or data thefts which might
> (coincidentally) be targeting one particular bank and not another.  Given the
> diverse sources for this stuff, it's likely that even the vendors only have a
> vague idea of what the statistics are.

Hi gang,

I have a question about all this. There seems to be a disconnect 
between the approximate prices mentioned here - too cheap to only 
do small transactions, etc - and what I have seen when looking at 
various of the sites. Maybe I'm missing something and you could 
correct my thinking.

At http://www.voy.com/211320/ I see figures that appear to be for 
a single card and I would not call them "cheap." This one from 
the first of the month seems typical:

> best dumps for sale -- dumpsale, 09:44:39 09/01/08 Mon [1]
> 
> USA Canada Australia
> visa classic 10$
> visa gold/platinum/bussines/signature 20$
> master card 10$
> infinite 50$
> amex 10$
> 
> Europe Asia
> visa classic 50$
> visa gold/platinum/bussines/signature 80$
> master card 50$
> infinite 120$
> 
> ICQ: 430439968
> E-mail: dumpsale at yahoo.com

The cheapest price here is $10, I assume this is per card, correct?

If that is correct, what I see typically is that the order has to 
be a minimum of $500 if the money is sent Western Union. This 
means 50 cards at most. Most of the stuff I've seen is that they 
"validate" but do not guarantee the cards and don't give refunds.

It would seem to me that one would have to have a fair size 
infrastructure and capital to make this work as it is almost certain 
that some of the cards will fail. Plus it takes people time to 
call the issuer and go through the process of changing the 
mailing address as well as attempting to increase the limit line of 
credit available. This would mean that from the time of purchase 
of the card it might be a week or more before they know that the 
new limit has been approved.

This ties up capital so one wouldn't think the crooks would do 
one dump, scam all they can then start the process over again, 
but rather have a continuous stream working so they have cash flow.

So are we really talking mostly about bigger operations than the 
local operator one sees mentioned in the paper from time to time?

Thanks,

Allen


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


