A way to take out spammers? 3 banks process 95% of spam transactions (arstechnica.com)
121 points by stonemetal 2385 days ago | 28 comments

The paper itself (linked to in the article) is pretty accessible, and a good read. Interesting that they noted for their research, 93.18% of the requests were for pharmaceuticals.

As for the banks: Azerigazbank in Azerbaijan, St Kitts & Nevis Anguilla National Bank in St Kitts & Nevis, and Danish-owned DnB Nord in Latvia, there are some more interesting factoids in the actual paper:

"most herbal and replica purchases cleared through the same bank in St. Kitts (a by-product of ZedCash’s dominance of this market, as per the previous discussion), while most pharmaceutical affiliate programs used two banks (in Azerbaijan and Latvia), and software was handled entirely by two banks (in Latvia and Russia)"

As well as the fact that most of the merchant codes were correct:

"For example, all of our software purchases (across all programs) were coded as 5734 (Computer Software Stores) and 85% of all pharmacy purchases (again across programs) were coded as 5912 (Drug Stores and Pharmacies). ZedCash transactions (replica and herbal) are an exception, being somewhat deceptive, and each was coded as 5969 (Direct Marketing—Other)."

It does make one wonder if spam is a solvable problem.

DnB Nor, the largest Norwegian bank, just happened to buy a Latvian bank with customers dealing in the spam business. DnB Nor has stopped their engagement with these customers. Source: http://www.facebook.com/DnBNOR/posts/229307870419535 (in Norwegian).

Unfortunately it's likely the spammers are simply going with whichever bank is easiest to work through.

Any changes will just cause them to move to the next easiest option.

Sure, but in the banking world "next easiest option" does not equal "easy option". Switching banks is considerably more difficult than switching hosts.

Plus, most banks are pretty traceable overall. They have document keeping requirements if they want to deal with other banks and governments. No bank is an island.

In an interview on NPR, the lead writer of the paper explained that while there's no shortage of banks willing to process spammers' transactions, they can take down a merchant account in a matter of hours but it takes days to set a new one up so, at least right now, the advantage would go to the defense. (If banks make setting up new merchant credentials near frictionless then we're back to square one. And we know we can't do anything about banks.)

I think they surely have a backup merchant account for such cases.

Credit card processors love the money but will absolutely shut down people based on bad PR.

If TechCrunch published a monthly list of what spammers are using what credit card processors/merchant banks they'd put a huge dent in the business.

I'm not sure that enough "normal" people would read TechCrunch for credit card processors to care. But it would be a good start, at least.

The mainstream press would pick it up, and put a "big business is evil" spin on it. No way would they risk that, not with all the flak banks are getting right now.

Sure, just like if you take out the 3 guys in charge of Al Qaeda, you would end terrorism.

If those 3 guys in charge are the bottleneck of Al Qaeda, then it's a serious blow to terrorism. But terrorist networks operate with independent cells, their bottleneck being more about resources and less about leadership. Freezing bank accounts, shutting down operations that are financing terrorism does a lot more good than the killing of Bin Laden.

In the case of spam, banks know when transactions are made for fraudulent products. For this whole industry to work you need their cooperation as online transactions are only possible through banks.

Take this away and I could see spammers in real trouble.

My hunch is that even if all banks magically cut off spammers in a hypothetical scenario, the spam industry will figure out a way to collect payments, even if it means collecting cash.

Of course this may reduce their margins. But there is one cure for it: send more spam!

> Of course this may reduce their margins. But there is one cure for it: send more spam!

Actually, that's not true. The cost of sending spam is very low, but it is NOT zero. If the profits are lowered (by making payments difficult to collect) and the costs raised (by better blocking of mail, forcing botnets and such) until these cross, then spamming will become unprofitable. Then it will rapidly disappear.

Once killed off, like an infection it may STAY gone. The anti-spam infrastructure we have put in place over the years (spam filtering tools, blacklists of open relays, etc) would remain. The infrastructure (like affiliate programs) that supports the spammers would die off. That would make it MUCH harder for someone to begin spamming again.

> then spamming will become unprofitable. Then it will rapidly disappear.

Unlikely. Spamming has already been less and less profitable over the years margin-wise to the point that for many spammers, it is actually not profitable. Yet, for every spammer that drops it because it is no longer profitable, another dozen n00bs join the trade.

The idea of killing a few key companies/guys will significantly lower spam is a sexy idea but little else, IMO. In the short term, getting rid of a key component that kills a third of spam may help. But it doesn't take a long time for someone else to fill in those shoes using different technologies/products/banks.

I actually dabbled in this industry for a little bit during my teenage years so I have some insights though some of it is obviously outdated. The only thing I am still confident of is that there are more spammers today and margins are lower than when I was messin with it.

Based on your personal experience, you may well know more about this industry than I do. But I certainly had the impression that, while spamming is LESS profitable today, that it still had a net-positive income flow. This impression came from sources like this: http://www.icsi.berkeley.edu/pubs/networking/2008-ccs-spamal... (admittedly, 3 years old).

A brief dip into unprofitability will not destroy the industry because (as you say) another dozen n00bs will join. But I believe that an extended period (say, a year or two) might kill it off -- the "n00bs" could not operate without the extensive infrastructure of tools and those WOULD be damaged or destroyed by unprofitability.

Seems like a spam-banker blacklist could make a real dent if there are truly only three major players. The existence of only three major players suggests that there aren't a lot of banks lining up for this business ...

Everyone talks about how awesome Bitcoin is, but as Bitcoin becomes more popular, we're going to start getting a lot more spam, and it's going to be impossible to "follow the money".

You know bitcoin has gone mainstream when spammers accept it for fake viagra.

Actually, when the porn sites accept it, you know it's mainstream. That would be a nice way to end all the recurring billing bullshit.

Very interesting, but I'd really like a report that gave more than "implication[s]" on the question of whether other banks are reluctant to work with spammers.

Whether or not that is true now, if banks that were friendly to spammers found themselves suffering major penalties, this implication could be made true.

Unlike the other links in the spam problem, banks have the problem that they can only stay in business if they are seen as legit by legitimate banks, credit card companies, and the like. The same is not true for botnets (illegal), spammers (already breaking the law) or the manufacturers (as long as they have money, they can get supplies, and they are hard to regulate as long as their countries turn a blind eye). But if you're a would-be Viagra purchaser, and your credit card won't let you purchase your Viagra, the spammer is out of luck.

The best way to end this is to make it illegal to buy things advertised in a spam mail. This would absolutely kill their margin.

Only if it actually stopped people buying things advertised in spam emails. That would probably need there to be a credible risk of getting caught when buying something advertised in a spam email. That seems awfully difficult: how are the police -- or whoever -- going to know you're buying something from a spammer? How could they prove it? Why would they bother, given all the other crimes they could be going after?

Now, maaaybe making it illegal to buy Hrebal Vigara would dissuade potential customers despite the negligible chance that they'd get into any trouble for it. But do you really think it would dissuade them enough to make much difference to the profitability of the spam? Doesn't seem at all likely to me.

The people buying Viagra without a prescription or fake Rolexes or fake diplomas probably already know they're doing something wrong.

Cool, so instead of spending money on fighting spam, we have to also spend money on enforcing this.

On the plus side, it is a proven solution, since nobody pirates music, movies or games ever since it was made illegal.

Spammers are a major annoyance. I have an obsessive compulsion to keep my email clean including my spam folder. Because I have to keep cleaning my spam folder, whenever I check my email, I loathe them with a passion, like of people here. HOWEVER, even with all these annoyances, this does not make spamming _illegal_ for bank to not extend them their services.
