New research suggests that companies behind some of America’s best known consumer brands may be far more effective at fighting cybercrime than any efforts to enact more stringent computer security and anti-piracy laws.
Recent legislative proposals in the United States — such as the Stop Online Piracy Act — have sought to combat online trafficking in copyrighted intellectual property and counterfeit goods by granting Internet service providers and authorities broader powers to prosecute offenders, and by imposing stronger criminal penalties for such activity. But recent data collected by academic researchers suggests that brand holders already have the tools to quash much of this activity.
Over the past two years, a team of academic researchers made hundreds of “test buys” at Web sites from 40 different shady businesses peddling knockoff prescription drugs, counterfeit software and fake antivirus products. The researchers, from George Mason University, the International Computer Science Institute, and the University of California, San Diego, posed as buyers for these products, which tend to be promoted primarily via hacked Web sites, junk email and computer viruses.
The test buys were intended to reveal relationships between the shadowy merchants and the banks that process credit and debit card transactions for these businesses. Following the money trail showed that a majority of the purchases were processed by just 12 banks in a handful of countries, including Azerbaijan, China, Georgia, Latvia, and Mauritius.
The researchers said they submitted the test buy results to a database run by the International AntiCounterfeiting Coalition, (IACC), a Washington, D.C.-based non-profit organization devoted to combating product counterfeiting and piracy. Several pharmacy and software vendors and IACC members whose trademarks were infringed in those transactions (the researchers said non-disclosure agreements prohibit them from naming the brands) used the data to lodge complaints with Visa (only Visa-branded debit cards were used to make the test buys).
Contracts between the banks and Visa and MasterCard stipulate that merchants are prohibiting from selling goods and services that are illegal in the country into which those goods or services are being sold. The credit card associations have a standard process for accepting complaints about such transactions, in which they warn the online merchant’s bank (including a notice of potential fines for noncompliance). After a complaint about such activity, the merchant’s bank conducts its investigation, and may choose to contest the issue if they believe it is in error. But if the bank decides not to challenge the complaint, then they will need to take action to prevent future such transactions, or else face an escalating series of fines from the card associations.
The researchers noticed that in case after case, merchant accounts that were used in fraudulent activity for some extended period of time before they filed a complaint with the IACC generally stopped being used within one month after a complaint was lodged. Neither Visa nor the IACC responded to requests for comment on this story.
Stefan Savage, a professor at UCSD’s Department of Computer Science and Engineering, said the data suggests that the private sector can have a major impact on cybercrime merely by going after the funding for these operations.
“It doesn’t require a judge, a law-enforcement officer or even much in the way of sophisticated security capabilities. If you can purchase a product, then there’s a record of it and that record points back to the merchant account getting the money,” Savage said. “Visa and MasterCard frown on sales of illegal purchases made on their networks and will act appropriately on complaints from brandholders based on undercover purchases.”
Savage said it doesn’t take concerted action by all of the affected brands to have a major impact on the rogue businesses that incentivize this type of commerce. On the contrary, he said one software brandholder pursued the merchant banks tied to all of the group’s test buys for its products with such a ferocity and swiftness that it virtually shut down the market for pirated brand name software [a.k.a "OEM"] overnight.
“This vendor went after everything. They did it so quickly — and not only for their own products — that it all but shut down the entire OEM ecosystem,” Savage said. “A couple of [OEM affiliate programs] survived by getting rid of that company’s brand, but in the beginning, when people had no clue what’s going on, it shut down the entire business for everyone.”
FINES ‘RAINING DOWN ON MERCHANTS’
The researchers note that in mid-2011, Visa made a series of changes to their operating regulations that seem designed to specifically target on-line pharmacies and sellers of counterfeit goods. First, sales of goods categorized as pharmaceutical-related were explicitly classified as “high risk” (along with gambling and various kinds of direct marketing services), and acquirers issuing new contracts for high-risk e-commerce merchants required significantly more due diligence (including $100M in equity capital and good standing in risk management programs). Also, the new documents explicitly call out examples of illegal transactions including “Unlawful sale of prescription drugs,” and “Sale of counterfeit or trademark-infringing products or services,” among others. Finally, these changes include more aggressive fine schedules for noncompliance.
Some of the best evidence of the success of the test buys+complaints strategy comes directly from the folks operating the affiliate programs that reward spammers and miscreants for promoting fake antivirus, pirated software and dodgy pill sites. In June 2012, a leader of one popular pharmacy affiliate program posted a lengthy message to gofuckbiz.com, a Russian language forum that caters to a variety of such affiliate programs. In that discussion thread, which is now some 234 pages long, the affiliate program manager explains to a number of mystified forum members why the pharmacy programs have had so much trouble maintaining reliable credit card processing.
“In May 2011, Visa initiated a new program, the so-called “Global Brand Protection Program. How this would turn out for banks and merchants no one knew at the time, so at the time nothing much changed — everything kept working as before,” the program manager explained. “After several months, Visa begins to act, and beginning in November 2011, fines of $25,000 USD on every domain containing brands Viagra, Cialis and/or Levitra or other copyrighted medications began raining down on merchants.”
The manager continued:
“All affiliate programs have come under fire. Today, all sizable affiliate programs have paid more than hundreds of thousands in fines under this program. Banks also come under fire, and although in most cases they can cover their financial losses at the expense of merchants — provided their turnover is sufficient — Visa’s audits, reputation risks, and other hassles complicate their work. That is why some banks have completely refused to do business [and] some have greatly reduced the volume of ‘pharma’ payments, some have ‘overinsured’ themselves in one way or another, leading to practically zero approval rates. Some (banks) continue to work, but today their number is very limited.”
Another affiliate of a rogue pharmacy program put the situation in far less delicate terms, observing: “Right now most affiliate programs have a mass of declines, cancels and pendings, and it doesn’t depend much on the program IMHO, there is a general sad picture, fucking Visa is burning us with napalm.”
THE UNDERGROUND RESPONDS
Damon McCoy, assistant professor at GMU’s Computer Science Department, said many pharmacy, scareware and OEM software affiliate programs have responded by putting in place security measures to screen out test buys. For example, some rogue pharmacy programs — such as RxPayouts — have begun requiring buyers to send scans or faxes of their drivers licenses and physical credit cards. Others have decided only to process payments for existing customers.
But both security measures can be self-defeating, for customers and affiliates alike. The researchers note that RxPayouts’ photo ID requirement for new customers (enacted in January 2012) caused an uproar among affiliates. According to the researchers, one affiliate wrote in response, “This new rule is killing me, my conversion rate for new customers have dropped to [zero]. As soon as my new customers find out they have to fax their customer service a Photo-ID, they cancel their order.”
But McCoy said the new requirements also serve to insulate affiliate programs from another potential source of headache and trouble: rogue affiliates who join the program merely to reap the commissions for orders placed with stolen credit cards.
“Originally, the affiliate programs were doing this to defend against the carders, and in the past if there was a chargeback for a purchase, the affiliate program ate that chargeback cost,” McCoy said. “Now, if a chargeback comes through, they’ll take that charge out of the affiliate’s subsequent earnings.”
The researchers observed that pharmacy affiliate programs also have responded recently by replacing brand name drugs with their generic equivalents (e.g., Sildenafil Citrate instead of Viagra, Tadalafil instead of Cialis, etc). The operators of these programs argue to their affiliates that such actions will eliminate the brand and trademark issues and thus undermine the ability of brandholders to shutdown both individual sites as well as the associated merchant accounts.
Whether this last step will allow banks that cater to such businesses to continue to do so undisturbed by the credit card networks remains to be seen, according to the program affiliate manager quoted above, who posted to gofuckbiz.com.
“What this will lead to in the end, time will tell, either everyone will stop using well-known brand names, which are so well know to buyers, and will start using the Indian generic names or names of active ingredients, or will continue to compete in this mad race of who will outsmart whom.”
A copy of the research paper is available here (PDF).