Re: street prices for digital goods?
John Ioannidis wrote: Hmmm... how about a market-data feed for warez? That would be useful for research. My colleague Karl Chen pointed out that it would probably be more useful for the underground market.

For the case of drug street prices, the U.S. Drug Enforcement Agency does keep a database of prices, called STRIDE, obtained from informant and undercover agent buys of drugs. These are records from actual buys, so they partially address the concern Richard Clayton raises about going by advertised list price -- but there are concerns (to which Richard alludes) about whether agents systematically overpay or informants systematically lie about the price they paid for drugs in order to pocket the difference between money given to them for drug buys and the actual price. STRIDE also includes data on purity of drugs assayed in DEA labs. This includes drugs seized by the feds, but not usually drugs seized by local agencies.

There's actually a trio of papers here in particular that might be of interest to people who want to look at possible parallels between data gathering on drug street prices and illegal digital goods.

The first is an overview paper that discusses the conceptual and practical problems in doing price and purity analyses over time for illegal drugs. The paper also points out some interesting features of the drug market. For example, the author points out that drugs are "experience goods." That is, the purchaser does not know the actual quality of the good until after making the purchase. For drugs, quality means purity of the drug. What this boils down to is that when looking at time series of drug street prices, it turns out you need to model what the buyer believes the purity of the drug will be to make sense of the data.

"Price and purity analysis for illicit drugs: Data and conceptual issues"
J.P. Caulkins
Drug and Alcohol Dependence, Volume 90, Pages S61 - S68
http://linkinghub.elsevier.com/retrieve/pii/S0376871606003061
(Unfortunately the article is behind a paywall.)

The second looks at the STRIDE data and argues it is not suitable for use in economic analyses of the drug market. The primary criticism is that the data are mainly gathered from buys intended to produce evidence for busts, except for a smaller program aimed solely at heroin. They are therefore not a uniform sample of any kind. More interesting to me, however, is the author's contention that the data are not internally consistent: he is able to separate out prices reported by the DEA from prices reported by the DC metro police, then does an analysis showing that the two agencies report a statistically significant difference in prices. He concludes that the difference is greater than can be accounted for by normal price differences within a single city and that therefore something is wrong with the data.

"Should the DEA's STRIDE Data Be Used for Economic Analyses of Markets for Illegal Drugs?"
Horowitz, Joel L
http://www.biz.uiowa.edu/econ/papers/uia/STRIDE_rev1a.pdf

The third and final paper is a rebuttal of the second. The authors claim that the second paper improperly lumps together retail and wholesale purchases of illegal drugs. They also claim that the second paper does not properly account for the relationship between price and purity of a drug. Once they toss the appropriate magic indicator variables into their regressions and stratify by purchase type, the supposed conflict between DEA and DC police reported prices disappears.

Why the DEA STRIDE Data are Still Useful for Understanding Drug Markets
Jeremy Arkes, Rosalie Liccardo Pacula, Susan M. Paddock, Jonathan P. Caulkins, Peter Reuter
NBER Working Paper No. 14224
Issued in August 2008
http://www.nber.org/papers/w14224
(Also paywalled, unfortunately)

What is the relevance to us? Well, I see a couple of points:

1) Like drugs, compromised PayPal accounts appear to be experience goods. In the case of drugs, quality is purity. In the case of compromised PayPal accounts, quality is something like the amount of money that can be successfully moved out of the account. Therefore, I would expect the same kind of modelling the buyer's "expected quality" of the good would be useful for us. In particular, failing to take it into account when analyzing price series could lead to the same kind of internal inconsistencies noted by Horowitz. Not clear to me where other illegal digital goods stand. Botnets for example seem easy enough to test whether they are real. Also as Peter Gutmann points out, escrow services are possible and exist with illegal digital goods to aid fair exchange -- this is not reported for drugs.

2) Unlike STRIDE, the data sets we have reported so far were gathered specifically with research in mind, and not as part of some other mission. Unfortunately, they still are almost certainly not uniform samples of illegal prices, and unlike STRIDE, as pointed out, they are not actual t
Re: street prices for digital goods?
Allen <[EMAIL PROTECTED]> writes:

>I have a question about all this. There seems to be a disconnect between the
>approximate prices mentioned here - too cheap to only do small transactions,
>etc - and what I have seen when looking at various of the sites. Maybe I'm
>missing something and you could correct my thinking.

The difference is that you're paying for service with the higher-priced vendors (and this is something new that's only really come in in the last couple of years). Cheap ones are just a dump of some looted merchant database or whatever where you may or may not get the data after paying some fly-by-night operator and when it arrives half the cards will be invalid. The premium-priced ones are established vendors charging for the level of service they provide: You get a guaranteed-good card (typically with 48- or 72-hour replacement guarantee), you can use escrow services to guarantee delivery of goods, you may get a tech support hotline (assuming you speak Russian), and so on (it varies from seller to seller, obviously). But what you're paying for isn't really the card but the level of service that comes with it.

Peter.

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: street prices for digital goods?
Peter Gutmann wrote:

David Molnar <[EMAIL PROTECTED]> writes:

Dan Geer's comment about the street price of heroin as a metric for success has me thinking - are people tracking the street prices of digital underground goods over time?

I've been (very informally) tracking it for awhile, and for generic data (non-Platinum credit cards, PPal accounts, and so on) it's essentially too cheap to meter, you often have to buy the stuff in blocks (10, 20, 50 at a time) to make it worth the sellers while. I haven't tracked the big-ticket items like PPal accounts with guaranteed minimum balances (rather than just any generic PPal account) because the offerings are too ephemeral, you might get "PPal with minimum $5K balance" advertised for a few weeks, then "Platinum Visa" for a few weeks, and then something else again.

I'm curious because it would be interesting to look at the "street price" for a specific online bank's logins before and after the bank makes a change to its security practices. (One not particularly great example of a change: adopting EV certs.) Alternatively, look at the price of some good before and after a prosecution. If this has already been done, my apologies, I'd appreciate the pointer.

I'm not aware of anyone having done this, mostly because the data doesn't seem to be available. The phishers don't sell (e.g.) BofA accounts specifically, they sell whatever's available - you get a block of X accounts or cards from various banks, whatever's at hand when you buy. The only way to see whether a measure was effective would be to keep buying blocks over time and see what the mix of banks was, and even then it'd be pretty unscientific because you'd be getting lots from random phishing sources or data thefts which might (coincidentally) be targetting one particular bank and not another. Given the diverse sources for this stuff, it's likely that even the vendors only have a vague idea of what the statistics are.

Hi gang,

I have a question about all this. There seems to be a disconnect between the approximate prices mentioned here - too cheap to only do small transactions, etc - and what I have seen when looking at various of the sites. Maybe I'm missing something and you could correct my thinking.

At http://www.voy.com/211320/ I see figures that appear to be for a single card and I would not call them "cheap." This one from the first of the month seems typical:

best dumps for sale -- dumpsale, 09:44:39 09/01/08 Mon [1]

USA Canada Australia
visa classic 10$
visa gold/platinum/bussines/signature 20$
master card 10$
infinite 50$
amex 10$

Europe Asia
visa classic 50$
visa gold/platinum/bussines/signature 80$
master card 50$
infinite 120$

ICQ: 430439968
E-mail: [EMAIL PROTECTED]

The cheapest price here is $10, I assume this is per card, correct? If that is correct, what I see typically is that the order has to be a minimum of $500 if the money is sent Western Union. This means 50 cards at most. Most of the stuff I've seen is that they "validate" but do not guarantee the cards and don't give refunds.

It would seem to me that one would have to have a fair size infrastructure and capital to make this work as it is almost certain that some of the cards will fail. Plus it takes people time to call the issuer and go through the process of changing the mailing address as well as attempting to increase the limit line of credit available. This would mean that from the time of purchase of the card it might be a week or more before they know that the new limit has been approved. This ties up capital so one wouldn't think the crooks would do one dump, scam all they can then start the process over again, but rather have a continuous stream working so they have cash flow.

So are we really talking mostly about bigger operations than the local operator one sees mentioned in the paper from time to time?

Thanks,

Allen
Re: street prices for digital goods?
In article <[EMAIL PROTECTED]>, David Molnar <[EMAIL PROTECTED]> writes

>Dan Geer's comment about the street price of heroin as a metric for
>success has me thinking - are people tracking the street prices of
>digital underground goods over time?

up to a point... see the other responses

> The Symantec Threat Reports do seem
>to report advertised prices for a basket of goods, starting in Volume XI
>(March 2007) and running through the present. For example, Volume XI
>Table 3 states a Skype account is worth $12, valid Hotmail cookie $3,
>etc. These are interesting,

yes :) I've been thinking about this for some time -- I have found that it makes for some interesting questions to corporate types presenting "ain't it awful" PowerPoint slides that they don't quite understand :)

>but it's hard to see changes since they're
>reported as a band of prices presumably aggregated from many different
>sources.

Indeed, but deeper than this, you have to ask yourself what the price means...

>I'm curious because it would be interesting to look at the "street
>price" for a specific online bank's logins before and after the bank
>makes a change to its security practices.

exactly so ... if the price of BoA cards was $2 and is now $1 does this mean:

(a) production surplus -- so the scammers are cutting each other's throats to offload their stashes

    is this because the bank's security is rubbish?
    is it because everyone has decided to attack this particular bank under the assumption that it is _the_ Bank of America?
    or because a new kit has come out for them to use

(b) consumption scarcity -- no-one wants to buy

    is this because the bank's back-room operations are excellent and so it is hard to extract value?
    is it because the people who can cash the cards out have all the cards they can handle at the moment?

(c) adulterated supply -- only one card in 800 is any good

    it's sometimes claimed that the loss per card is around $800, so if lots of the numbers don't work you need to reduce the price per card

(d) incompetent pricing by the sellers

    the real price should be much higher, but the sellers have been persuaded that $1 is fair reward for their effort and so they don't attempt to get any more for their goods

(e) incompetent pricing by the buyers

    most cards are worthless because the bank's back room operations are so good, but not all buyers have realised this so they overpay

and probably (f)... onwards as well

viz: in the absence of evidence that an efficient market is operating and without clear evidence of what price elasticity there is, it is almost impossible to draw conclusions about bank (in)efficiency from merely observing average prices :(

There's a similar issue relating to the relative cost of cards and "whole life" details. The latter are more expensive, but perhaps only by a factor of 10-20. Is this a reflection of restricted supply? or does it reflect a paucity of buyers (you might use these details to scam the cost of a medium-size dwelling) or that there are very few buyers who are prepared to handle a specialist product...

There is undoubtedly an interesting econometrics paper to be written here, but it will rely upon not only extensive data from the Underground Economy but also on good data from a bank (or banks) -- and this is impossible to obtain at present :( One then needs to tease out enough "almost the same but not quite" scenarios to be able to isolate the various factors and thereby put some numbers to the model...

>finally, does anyone happen to know of a good review of how the focus on
>street price has performed as a metric for drug interdiction?

it usually demonstrates that the police overpay :) and that leads on to a further problem with the Underground Economy monitoring. You are only seeing "list prices" and anyone in business knows that you don't need to pay list price!

-- richard Richard Clayton

They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. Benjamin Franklin
Re: street prices for digital goods?
On Thu, 11 Sep 2008, Peter Gutmann wrote:

| ...I've been (very informally) tracking it for awhile, and for generic
| data (non-Platinum credit cards, PPal accounts, and so on) it's
| essentially too cheap to meter, you often have to buy the stuff
| in blocks (10, 20, 50 at a time) to make it worth the sellers while.

But this implies there is something very wrong with our current thinking about attacks.

If, as is commonly assumed, hackers today are in this as a business, and are driven by then the value of a credit card number is determined exactly by the most money you can turn it into, by any approach. If I have a credit card number, I can turn it into money by selling it, or alternatively I can buy stuff and sell that instead.

Now, there are costs involved with buying goods, receiving them, and reselling them; and also there's some probability that the credit card providers will notice my activity and block my transactions. (There's of course also the possibility that I get caught and sent to jail!) If the costs of doing this business are fixed, I can drive them to zero by using enough credit cards, and there are clearly plenty around - but see below. So the only significant issue is variable costs: For every dollar I charge on a card, I only get back some fraction of a dollar, based on my per-transaction costs and the probability of my transaction getting rejected. This probability grows with the size of the transaction, so the actual optimal strategy is complicated.

Still ... if you can *buy* a credit card number for a couple of cents, its actual *value* can't be much higher. Which implies that something in the overall system makes it difficult to monetize that card. I'm not sure what all of them are, but we can guess at some. The card providers *must* be rather good at blocking cards fairly quickly - at least when large amounts of money are involved. That is: The probability of being blocked must go up very rapidly with the size of the transaction, forcing the optimal transaction size to be small. If it's small enough, then fixed costs per transaction become significant. And something blocks the approach of "do many small transactions against many cards" - presumably because these have to be done in the real world, which means you need many people going to many vendors picking up all kinds of physical objects.

Whatever the causes ... if it's cheap to *buy* credit card numbers, they must not really be worth all that much!

-- Jerry
Re: street prices for digital goods?
Damien Miller writes:
-+---
 |
 | > David Molnar <[EMAIL PROTECTED]> writes:
 | >
 | > >Dan Geer's comment about the street price of heroin as a metric for
 | > >success has me thinking - are people tracking the street prices of
 | > >digital underground goods over time?
 | >
 | > I've been (very informally) tracking it for awhile, and for generic
 | > data (non-Platinum credit cards, PPal accounts, and so on) it's
 | > essentially too cheap to meter, you often have to buy the stuff in
 | > blocks (10, 20, 50 at a time) to make it worth the sellers while.
 |
 | At such cheap prices, it must be close to the point where it would
 | be worth it for the card issuers to buy the numbers as a loss
 | mitigation measure.
 |

I have had a guy who wished to remain nameless claim that he makes a fine living breaking into the machines of black-market card sellers and copying the card numbers they have for sale. He then (he says) takes those card numbers to the issuing banks and sells those numbers to the banks so that the banks can prophylactically cancel the soon-to-be-affected cards. He claimed to get 50c/card.

All hearsay...

--dan
Re: street prices for digital goods?
On Thu, 11 Sep 2008, Peter Gutmann wrote:

> David Molnar <[EMAIL PROTECTED]> writes:
>
> >Dan Geer's comment about the street price of heroin as a metric for
> >success has me thinking - are people tracking the street prices of
> >digital underground goods over time?
>
> I've been (very informally) tracking it for awhile, and for generic
> data (non-Platinum credit cards, PPal accounts, and so on) it's
> essentially too cheap to meter, you often have to buy the stuff in
> blocks (10, 20, 50 at a time) to make it worth the sellers while.

At such cheap prices, it must be close to the point where it would be worth it for the card issuers to buy the numbers as a loss mitigation measure.

-d
Re: street prices for digital goods?
David Molnar <[EMAIL PROTECTED]> writes:

>Dan Geer's comment about the street price of heroin as a metric for success
>has me thinking - are people tracking the street prices of digital underground
>goods over time?

I've been (very informally) tracking it for awhile, and for generic data (non-Platinum credit cards, PPal accounts, and so on) it's essentially too cheap to meter, you often have to buy the stuff in blocks (10, 20, 50 at a time) to make it worth the sellers while. I haven't tracked the big-ticket items like PPal accounts with guaranteed minimum balances (rather than just any generic PPal account) because the offerings are too ephemeral, you might get "PPal with minimum $5K balance" advertised for a few weeks, then "Platinum Visa" for a few weeks, and then something else again.

>I'm curious because it would be interesting to look at the "street price" for
>a specific online bank's logins before and after the bank makes a change to
>its security practices. (One not particularly great example of a change:
>adopting EV certs.) Alternatively, look at the price of some good before and
>after a prosecution. If this has already been done, my apologies, I'd
>appreciate the pointer.

I'm not aware of anyone having done this, mostly because the data doesn't seem to be available. The phishers don't sell (e.g.) BofA accounts specifically, they sell whatever's available - you get a block of X accounts or cards from various banks, whatever's at hand when you buy. The only way to see whether a measure was effective would be to keep buying blocks over time and see what the mix of banks was, and even then it'd be pretty unscientific because you'd be getting lots from random phishing sources or data thefts which might (coincidentally) be targetting one particular bank and not another. Given the diverse sources for this stuff, it's likely that even the vendors only have a vague idea of what the statistics are.

Peter.
Re: street prices for digital goods?
Sigh... typing in a moving vehicle. This is the right URL, verified by cut&paste.

http://geer.tinho.net/ieee/ieee.sp.geer.0801.pdf

Sorry.

--dan
Re: street prices for digital goods?
David Molnar writes, in part:
-+---
 | Dan Geer's comment about the street price of
 | heroin as a metric for success has me thinking -
 | are people tracking the street prices of digital
 | underground goods over time?

This material is in fact tracked but not so publicly reported. You named the obvious sources, but no one to my knowledge publishes regularly. I previously committed myself to doing this annually, and am about to convince myself to go quarterly. See

http://geer.tinho.net/ieee/ieee.geer.0801.pdf

for what I am (lightheartedly) talking about.

--dan
street prices for digital goods?
Dan Geer's comment about the street price of heroin as a metric for success has me thinking - are people tracking the street prices of digital underground goods over time?

The Symantec Threat Reports do seem to report advertised prices for a basket of goods, starting in Volume XI (March 2007) and running through the present. For example, Volume XI Table 3 states a Skype account is worth $12, valid Hotmail cookie $3, etc. These are interesting, but it's hard to see changes since they're reported as a band of prices presumably aggregated from many different sources. I've also seen price anecdotes from Team Cymru. Plus of course the "Nature and Causes of the Wealth of Internet Miscreants" paper from CCS 2007. Is there a continuous feed of prices published anywhere (besides the underground servers, of course), or is this still something where you have to go gather data yourself if you want it?

I'm curious because it would be interesting to look at the "street price" for a specific online bank's logins before and after the bank makes a change to its security practices. (One not particularly great example of a change: adopting EV certs.) Alternatively, look at the price of some good before and after a prosecution. If this has already been done, my apologies, I'd appreciate the pointer.

finally, does anyone happen to know of a good review of how the focus on street price has performed as a metric for drug interdiction? that is, I could imagine cases where some specific intervention causes street price to rise but this doesn't lead to a corresponding improvement in things like deaths from drug overdose, number of people using, etc. Does that happen in practice so far as we know or not?

-David Molnar