Bruce Sterling: Hit Spammers at their Payment Processors

[Logan Darklighter]

Via Instapundit: 

BRUCE STERLING: Hit Spammers At Their Payment Processors. “Nearly all financial transactions arising from spam operations are handled by just three banks, according to a paper from 15 researchers from the University of California at Berkeley, the University of California at San Diego, the International Computer Science Institute and the Budapest University of Technology and Economics. The three banks are Azerigazbank in Azerbaijan, DnB NOR in Latvia, and St. Kitts-Nevis-Anguilla National Bank in the Caribbean. As potential solutions, the researchers recommend that issuing banks in the US refuse to conduct ‘card not present’ transactions for known spammers.”

[Editor's Note (Schultz): This is one of the most interesting information security research efforts in recent years.
(Honan): This is a very interesting development in the fight against spam. While changing hosting providers is a trivial matter for spam operators changing their payment processor is not easy making it more time consuming and costly for spammers to conduct their operations. * Should enough of these payment processors be identified and blacklisted it could have a major impact in the amount of spam flooding our networks.]

* Emphasis Mine. 

http://www.informationweek.com/news/sec ... /229625599
http://www.networkworld.com/news/2011/0 ... email.html

http://cseweb.ucsd.edu/~savage/papers/Oakland11.pdf

[Wiregeek]

how about we cancel their payment processors with nuclear weapons?
"No can brain today. Want cheezeburger."
From NGE: Nobody Dies, by Gregg Landsman
http://www.fanfiction.net/s/5579457/1/NGE_Nobody_Dies

[Foxboy]

Always with the explosions!

Though I gotta wonder how many of these operations evolved from the old "classifieds" that used to be in the National Enquirer, back of Comic Books, etc...
''We don't just borrow words; on occasion, English has pursued other languages down alleyways to beat
them unconscious and rifle their pockets for new vocabulary.''

-- James Nicoll

[Rev Dark]

Great synopsis - I want to see the full paper on full publication.
Unfortunately, it is not a solution to the spam problem.  Not even close.
Once you hit their sales site - it is a legitimate transaction - with the caveat that the product is what is advertised, etc.etc.
The problem is that you have to be able to conclusively show a trail leading from the agent that sent the spam back to the vendor.  Otherwise the vendor cannot be held responsible in regards to the spam.  They can easily say that they paid the third party to distribute the e-mails in a legal fashion, or claim not to have commissioned the e-mails to go out in the first place.  Add in that you are dealing with the laws and regulations of multiple countries, some of which have a strong economic impetus to maintain the status quo and it is not going to go too far, too fast.
Besides which, product spamming makes up only a portion of the spam out there - phishing, spear-phishing, and other malicious e-mails have a very different funding path in terms of the bad guy getting paid; which would not necessarily be impacted by putting pressure on the identified financial institutions (and of course one can always find another bank willing to reap the rewards of such lucrative customers.)
Love the research.
I can't say the solution is particularly practical.

[Sofaspud]

Rev, I think you're being unduly pessimistic, here.  No, it is not a magic bullet, nor is it wholly practical.  Yes, there are gaping holes in it, and even reasonably clever spammers -- not the geniuses, just the everymen -- are going to be able to roll on to a different bank and start over again.
The question is not whether this is a full solution.  The question is, is it worth implementing regardless?
I don't have the answer to that, but I don't think it should be dismissed.  If the cost of shutting down, or at least inconveniencing, the payment processors is less than what could be regained by slackening the spam flow, then I'd say it's worth the effort.

--sofaspud
--"Listening to your kid is the audio equivalent of a Salvador Dali painting, Spud." --OpMegs

[Black Aeronaut]

Hell, America represents the world's largest market of consumers, QED. If you blacklist a payment center for transactions from USA, then you've effectively crippled them. The end result will be that banks will not want to do business with spammers.

What will really hurt them will be if you can get Japan, the EU, the UK, and others on board with the program. Do that and it will make it very hard for anyone to make money through an obnoxious means.