My Rude Awakening
Like many people, I shop online using a credit card. I've been doing this for years, and I periodically examine my credit card account for signs of suspicious activity. There are times when I am out of town for long spells (for example, I might be in Alaska photographing
grizzly bears), and I might not be able to review my account for months.
In the Fall of 2005 my credit card number was compromised — maybe during one of the much-publicized data leaks that reveal millions of credit card names and numbers at once, or perhaps by way of an incautious or crooked online vendor that I had patronized — I may never know. In any case, a few months later I noticed some transactions that appeared to be fraudulent — a well-known Internet service provider had been charging my card for three months, and there was also a one-time charge of $100.00 that was harder to identify, because it had been made by a PayPal account holder.
I called my bank's fraud department and denied any knowledge of the service provider charges. In a show of efficiency, the bank's representative called the service provider while I was on the line and the provider identified the charge as payment for a Web site. I realized this was totally bogus and I said so. The bank removed those charges right away (and I cancelled my card to prevent further abuse).
As to the service provider's charges, the entire process was fast and efficient, and couldn't have taken more than 15 minutes. But there remained the matter of the $100.00 PayPal charge, which was harder to identify because it was made by an anonymous PayPal subscriber rather than a named business.
I was optimistic, but I shouldn't have been. My optimism came from the idea that a vendor who charges a credit card has to justify the charge — they have to show that the card holder actually made a charge. Even though I said I didn't recognize the charge and thought it was fraudulent, I couldn't
prove it was fraudulent. As it turns out, under current law the burden of evidence wasn't mine, it belonged to whoever owned the PayPal account — he would have to prove that it was a legitimate charge. The bank assured me they were looking into it, and the charge was taken off my account.
As I put down the phone, I thought the system had worked and the affair had ended. I am in some ways rather naïve.
A Reversal of Fortune
A few months later, the $100.00 charge reappeared on my account, and I received a letter from the bank saying "... We have determined that no billing error has occurred in this instance." I still could not locate any record of my having made a purchase for that amount, despite the fact that I keep a dated hard copy for each online transaction. So I called the bank and asked them what vendor was involved, and what was I supposed to have purchased?
They didn't know.
I shifted into astonishment mode (which, if you are familiar with red-headed people, you will realize can happen with amazing swiftness). How could the bank claim they had "determined" the charge was legitimate if they didn't know what was purchased, or from whom?
They couldn't answer.
In their letter, the bank told me I had to sort it out, that it was up to me to find out what was going on. It seemed my bank was shifting the burden of evidence onto me. I happened to know this is not how credit card transactions are handled, but before trying to fight my own bank, I decided to call PayPal and get as much information as I could.
The PayPal call only served to increase my astonishment level. According to the information provided by a helpful PayPal representative, I realized someone had gotten my name and credit card number, acquired as much personal information about me as they could find online, and then opened a PayPal account
in my name.
This was why my bank had demanded that I sort it out — as far as they were concerned, this wasn't a case of someone with a PayPal account making a bogus charge against my credit card, it was
me making charges through a PayPal account opened under my own name. In other words, this was a case of lightweight identity theft — I call it "lightweight" because as soon as the fraud is detected, the charges are removed from the credit card, the card is cancelled, and the house of cards collapses. "Heavyweight" identity theft, by contrast, would be the acquisition of both a credit card number and a Social Security number. If that had happened, I would not be writing this article — I would be too busy trying to reassemble my life from a lot of tiny, scattered pieces.
Vindication and More Astonishment
The PayPal representative realized I was the victim and he decided to coöperate with me by walking the line between providing the kind of information anyone can obtain, and the kind that requires a subpoena. I found out what had been purchased, under my name, using my credit card — and get this: it was for a service that hires poor people in third-world countries to click on Web page advertisements.
Then I put it all together, to the degree that I could with the limited information obtainable without a court order — it appears some bottom-feeder had:
- Gotten my credit card number,
- Used it to purchase a Web site,
- Populated the site with advertisements from businesses willing to pay for each click, then
- Paid a service to find poor people to click the advertisements.
All this using my stolen credit card number. What a business! No overhead, pure profit!
I called my bank and described what I had found out. After hearing my recital, they reluctantly threw in the towel and removed the $100.00 charge from my card, again.
Credit Cards and Online Transactions
Most people believe if an outright fraudulent transaction — that is to say, not a dispute over a purchase, but misuse of the card by a third party — appears on a credit card, all the cardholder needs to do is call the bank and complain, and the bank will remove the charge. This is not necessarily true.
First, banks have every incentive to assume and argue that transactions are legitimate. Charges that are successfully removed by a cardholder, but not repaid by any vendor, only serve to increase the bank's operating expenses and ultimately burden all users of the system — vendors and cardholders alike.
Second, if there is any reasonable doubt about the cardholder's claim, the bank isn't going to act precipitously in a way that produces more unfairness. In this case, all the bank needed to hear was that the PayPal account was in my name, and they dropped their inquiry (but for some reason they didn't tell me the PayPal account was in my name — the PayPal representative told me this later).
Like banks, online businesses have their own incentive to minimize revelations of online fraud. If the public got the idea they were taking a risk by shopping online, this would hurt a relatively new and very profitable sector of the economy. Between banks and Web businesses, both protecting their interests, I believe the public only hears a small bit of the true rate of online fraud.
A digression. To escape detection, a smart credit card crook would only charge a small amount to each of a large set of stolen cards, hoping his activity will not be noticed by the cardholders. But most criminals are not smart. This criminal made too many purchases, and even put a recurring monthly charge, on just one card. I could hardly be expected not to notice the pattern.
But how many people carefully review their credit card statements and try to connect each transaction with a specific memory (or printed record)? I think the average consumer is an easy target for a credit card scam, if the perpetrator can resist becoming greedy.
Legal Issues
I would like to know a number of things about this case. I would like to know how the perpetrator got my card number, whether this person has victimized any other people, and the detailed story of his activities (as opposed to my sketchy reconstruction above). I would also like to see this person prosecuted, which would simultaneously remove him as a threat to society and reveal the details of his crime.
As I see it, with my limited knowledge of this affair (because I don't have the subpoena I would need to examine the PayPal account information in detail), the perpetrator committed the following crimes:
- Identity theft (e.g. creating a PayPal account in my name, then using it to commit fraud). This is now a federal crime.
- Credit card fraud.
- Click fraud (cheating advertisers by hiring people to click online advertisements, people who are not legitimate customers).
- Being really, really stupid (I guess that's not a crime, otherwise the entire U.S. Congress would be arrested).
At the time of writing, I am trying to decide what to do, and the authorities might decide to prosecute the perpetrator. I just don't know how likely such a prosecution is, but I certainly would make myself available to testify (and I have signed an affidavit to that effect). I am still considering my next move.
Online Advertising and Marketing
In this section I will try to show the connection between my story and the "big picture" of online business, advertising, and economic issues.
When I first got involved with the Internet, about 15 years ago, I saw it as a way for people to efficiently do research and communicate with each other. At that time it was not clear that the Internet would ever become a matter of interest to the public at large — it was then primarily a playground for academics and computer hobbyists.
My assumptions were based on personal tastes, but even I ought to have seen the Internet's potential for commerce. My excuse is that I am not very interested in commerce — I find it boring.
But not everyone finds the prospect of online commerce boring. Many people saw some marketing potential, and realized the advantage that an Internet-connected computer has over a television set, the prior advertising delivery technology. Back when television was the darling of advertising, a company might spend millions of dollars on an advertising campaign, carefully crafted by experienced professionals, in the hope that an army of consumers, with known and severe attention-span deficits, might see the advertisement, leave their beloved television set, drive to the nearest shopping center, and purchase the advertised item before their memory of it evaporated. What are the chances?
A computer, by contrast, is the perfect answer to attention-deficit disorder. A consumer can sit at a computer and see dozens of advertisements per minute — many more than can possibly be squeezed onto a television screen — and they can purchase each and every one of the useless baubles being advertised by simply clicking a mouse. No getting up, no driving to a shopping center, no gap between instant and gratification.
That was the computer's advantage. The drawback is that a networked computer is like a television set with a billion channels — the marketers had to think of a way to move people to specific Web sites, in a vast sea of choices.
So, to put this in the simplest terms, when an advertiser wants to move a consumer from Web site A to business site B, he puts a small advertisement on site A, sometimes including a small graphic image, but certainly also containing a link to the desired destination site. Click, move.
But why would Web site A be willing to deface their lovely Web page with a low, pandering commercial appeal? Simple — the advertiser is willing to pay each time a visitor clicks the advertisement and is moved to the business site.
But the payment can't be very much, can it? After all, anyone could go to Web site A and just click away, for no particular reason. In fact, many pay-per-click fees are tiny, but if the site hosting the advertisement is prestigious enough, and if the business being advertised is profitable enough, the so-called "click-through" rate can be as high as $100.00
per click. I'll say that again ... one hundred dollars ...
per click.
Given this fact, anyone who still thinks it isn't possible to make money on the Internet is living in the past. When the system works as it should, an online business may thrive, and $100.00 per click will be seen as money well spent. When the system fails, as it sometimes does, the visitors doing the clicking are not really potential customers (some aren't even human), and the fraud problem has become one of the biggest challenges facing Internet commerce.
Click Fraud
Advertisers look on Web pages as virtual real estate, and the virtual equivalent of a highway billboard is an advertising link. If you intend to construct a billboard next to a well-traveled road, you may have to pay a farmer a fee for the loss of that part of his property. If you intend to place an advertisement on a Web page, the arrangement is a bit different.
It's not practical to track how many people read the advertising on a physical billboard, so the advertiser simply pays the landowner for the inconvenience of allowing the sign on his property. But it's easy to track how many people pay attention to online advertising — if a visitor clicks an advertisement, that action moves the visitor from the hosting Web page to the target of the advertising (and the visitor's click is recorded in both the original and destination site's log files). The visitor might then buy something — at least, that's the theory.
From an economic standpoint, pay-per-click is much more efficient than guessing whether the public will read a particular billboard (the advertiser doesn't have to pay until a visitor clicks), and pay-per-click is just one example of the Internet's effect on economic transactions. It is an emerging principle that an online market tends to be more efficient than the brick-and-mortar kind. The purchaser of advertising can track, click by click, how many people responded to which advertisements, and they can correlate the effect of their advertising campaign on their bottom line, using copious computer records.
As much as I personally hate the commercialization of the Internet, it is perfectly obvious that computers are producing a revolution in markets and marketing. It is nearly impossible to inappropriately price a commodity online, when a client can discover what the lowest price is in a matter of seconds by "shopping around" with his mouse.
So far we've discussed the positive, some might say naïve, view of pay-per-click advertising. A visitor clicks an advertisement, some of those visitors eventually buy something, and the original hosting site gets paid by the click. Now for the downside. What prevents the owner of the original site from repeatedly clicking his own page, thus accumulating fraudulent click fees?
As the reader may have surmised, advertisers now recognize this problem exists. The big players (Google, Yahoo, etc., as well as individual advertisers) have begun working on fraud detection methods. For example, a lot of clicks, all from the same Internet address, suggests fraud, as do a lot of clicks emanating from an advertiser's business competitors (meant to run up the competition's advertising costs with no corresponding increase in business).
In principle, it should be possible to establish an identifying pattern, a "fingerprint," associated with fraudulent activity, and prevent it, by simply filtering out the offenders and by prosecuting the big cheats. This sounds relatively easy — all one need do is process the Web site log files and apply computer algorithms to detect the offenders through patterns of behavior.
In principle, that would be child's play.
The Rise of BotNets and PoorNets
A few years ago, there were two really annoying online groups. One group, mostly young male students, wrote nasty computer viruses and worms (let's call them pathogens), while the other group pushed spam advertising into everyone's e-mail account. The students wrote pathogens for the sheer malicious pleasure of it, while the spammers represented a sleazy business with profits and expenses.
The pathogen writers had great computer skills but no money, while the spammers, who had money but no computer skills, were being thrown off one network after another. It was inevitable that these two groups would see the potential for a marriage made in hell. I would have described this as a Faustian bargain, with the spammers as Mephistopheles and the pathogen writers as Doctor Faustus, except the latter already have no souls, so the comparison doesn't work.
The problem for the spammers had been that spam e-mails could be traced to a specific place of origin, and that place could be shut down. For a while, shutting down spam servers was seen as the obvious solution to the spam problem. Faced with this shutdown, the spammers realized the pathogen writers could create a virtual infectious agent that would:
- Take over random, unprotected Internet computers,
- Propagate itself from there to other computers,
- Listen for orders from a central control source,
- Send out spam messages relayed from the source,
- "Click" advertising on specified Web pages, and
- Display advertising on the compromised computer.
In this new scheme, a pathogen would propagate across the Internet, infecting tens of thousands of computers, all then available to carry out arbitrary tasks under the control of a central node. Once the central node sends out an order, the slave machines carry out the instructions — spam messages, virtual clicking on advertising, various other kinds of attacks — but the attacks would emanate from
tens of thousands of different Internet addresses, rather than one. Each of the slave computers has a separate, unique address and physical location, and this makes controlling spam, click fraud and other kinds of attacks virtually impossible.
In the above described scheme an infected computer is called a "bot," meaning an automaton, and the assemblage is called a "botnet," a network of bots. The botnet solves the spammer's problem, that of having a single location from which the messages originate, and it also undermines click fraud detection, which relies on resolving patterns of clicks emanating from specific Internet addresses.
A legitimate e-mail typically arrives from a random Internet address, and (before botnets) spam filtering schemes typically detected messages from specific blacklisted addresses and deleted them. Now that there are botnets, these spam control methods fail completely, which is why more than half of all Internet e-mail traffic consists of spam.
As to click fraud, a legitimate visitor clicks an advertising link from a random Internet address, while a potentially fraudulent clicker repeatedly appears from the same address, or can be identified by address as a competitor of the business paying for the advertising. Most click fraud detection methods rely on these patterns to eliminate fraud. Just as with spam, now that there are botnets and poornets, these detection methods are no longer effective.
A "PoorNet" is sort of like a botnet, except instead of using compromised computers, this scheme relies on hiring tens of thousands of people who, apart from owning a computer, are poor and desperate enough to click on advertisements (or compose and mail spam messages) all day long. Poornets are less likely to run afoul of the law, because while a botnet is illegal by its very existence, a poornet node (that's "a person" in the outdated terminology) has to actually do something and then be detected.
In order for botnets or poornets to fraudulently click advertisements and escape detection, each Internet address must not appear too often in the advertiser's records, so the "poornet nodes" must roam over a great number of targeted sites, rather than dwell too long at any single site. And that poses a tricky problem for those who want to defraud online advertisers.
In principle, a single person wishing to defraud advertisers could personally hire a huge number of poornet nodes, to avoid creating a pattern in the advertiser's logs. But that would be terribly expensive. It would be much better to have a central clearinghouse that already possessed a poornet and that contracted with many different clients wishing to defraud different advertisers. That way, many clients could exploit the large poornet at once, increasing efficiency, decreasing the cost per client and reducing the chance of detection.
At this point, the reader may wonder what I've been smoking. Isn't this just science fiction — the idea of a central clearinghouse that connects many people wanting to generate bogus traffic aimed at selected Websites and advertisers, to a large, diverse worldwide poornet, willing to visit Websites (and perhaps fraudulently click advertisements) for a small wage?
All I can say is, I didn't make this up — there really are such clearinghouses, and the perpetrator who used my credit card contracted with just such a business to create pretend traffic and perhaps also to try to produce bogus advertising clicks on his own Website (the one he purchased with my card). There are many such businesses, and this is just an example:
businesstraffic.com. It is likely that this business is legal, but I think the individual actions of the poornet nodes (remember, that's "people") are not legal.
When I got the name of this business from PayPal as part of my investigation, I visited the site. At first I couldn't figure out what the business did, how it made money. I had to browse and read for some time before it dawned on me how this business fits into the big picture, and how it represents an improvement over other approaches:
- Option a: A client could hire a huge number of poornet nodes to click those few advertisers or sites of interest to that particular client. Not very cost-efficient.
- Option b: A lot of clients wishing to exploit pay-per-click could hire one or a few poornet nodes. Cheap, but too easy to detect.
- Option c: A lot of clients could join forces with a lot of poornet nodes, by way of a clearinghouse. Each poornet node cycles through a huge number of Websites, thus evading detection. A good balance of economy and low risk of detection.
On that basis, it should not surprise anyone that such clearinghouses and poornets/botnets now exist. And the existence of these parasitic networks should put the big players on alert that the problem of click fraud is now going underground, and will soon be beyond detection. This may pose a much bigger threat to the credibility of online advertising than most people realize.
Conclusion
I am not young and I've had a lot of adventures, including sailing around the world alone in a small boat. Based on my adventures, I thought I knew what sorts of people occupied this planet. But the Internet has educated me in new varieties of sleaze, of sorts I might not have experienced any other way.
In the course of my unplanned Internet education, I've run into hundreds of people in various contexts — parents asking me to mentor their kids, but with
bizarre hidden agendas, students asking for help with homework, but actually expecting me to do it for them, and outright criminals without any pretense — and I now have a better grasp of the low things people are capable of than I had acquired in the non-virtual world. In a way, and like my earlier marketing examples, my experience also reflects the sheer efficiency of the Internet, but this time in dispelling illusions.
The Internet is an amazing resource — one might describe it as a bright virtual avenue of libraries, encyclopedia and shops. But alongside the avenue is a dark trench, and the trench is much deeper than I realized. The trick everyone needs to learn is how to walk the avenue without being dragged into the trench.
Updates
A few months after I wrote this article, my bank finally came clean about the chances for a prosecution. According to my bank, they, and the police agencies, don't bother pursuing criminals who steal less than about US$5000.00. The criminals typically know this unwritten rule, so they avoid charging too much on any single stolen credit card. In other words, the police know exactly what a criminal prosecution would cost, but because the criminals know this too, they stay below the threshold of action. It's a classic parasitic relationship, in which the parasite knows better than to kill its host.
I was shocked to discover there was no chance for a prosecution. I wonder whether people who use credit cards (nearly everyone in the Western world) fully realize what a burden is placed on the system by this epidemic of fraud. In traditional societies, betweeen a farmer's field and his dinner table, as much as 1/3 of the grain might be eaten by insects, rodents and other parasites. In this modern society, we have our own parasites, and it seems the banks and police are philosophical about their presence, as though they were just a new breed of cockroach — easy to spot, hard to exterminate.
Another related item. In
this story, Google has decided to pay as much as US$90 million to settle a class-action lawsuit by a group of online advertisers who claim to be victims of click fraud. Google's made its settlement offer before a trial date had been set. Yahoo, another of the plaintiffs named in the suit, has decided to fight.