Money Transfers, Creative Scammers, and Fraud
In Fitness for Geeks: Real Science, Great Nutrition, and Good Health, author Bruce Perry writes of Tabata sprints, an ultra-intense exercise that has dramatic benefits. But however effective they may be, even Izumi Tabata himself felt that given their difficulty, only the most serious athletes would use them.
When it comes to information security, security awareness is often viewed as the lynchpin that, if done appropriately, can obviate myriad security and privacy concerns. If it were only so easy.
Security awareness is ultimately akin to Tabata sprints. Regardless of how much security awareness there is and how well it is delivered, only the serious will heed its call. When it comes to the security risk of online fraud, awareness pales in comparison to the fraudsters' resourcefulness.
In baseball they say good hitting always beats good pitching. In the online world, clever fraudsters always beat oblivious end-users.
Fraud is eternal
Everyone from the FTC to your corporate information security staff, and everyone in between, have long warned about advance free frauds, including the infamous Nigerian scams for so long that the awareness pundits are often perceived as Chicken Little. It is hard to believe that in 2012, people are still sending money to scammers on a daily basis. Will they ever learn?
The underlying question is how people can be so oblivious to the scams right in front of their face. Why are they unmindful that sons of princes won't really email them, nor will widows of third-world defense ministers reach out to them? But ultimately, as Dr. House astutely noted, "everybody does stupid things".
If everybody indeed does stupid things, the scammers want them to do these stupid things as fast and as stealthily as possible--and that is where the money transfer organizations (MTOs) come into play.
Western Union and MoneyGram are two of the best known MTOs. They are often used as vehicles for these frauds, and often the ones taking the blame for facilitating the fraud. The knee-jerk anti-fraud solution sounds simple: Shut them down. But even the draconian approach of shutting down these two large MTO would ultimately do little in the long-term to significantly stop the fraudsters.
The rationale in shutting down a MTO is that one of the methods used to reduce terrorism has been to stop the money flow to terrorist organizations. Terrorists need money to carry out their efforts, and if there is no money (the reasoning goes), there are no terrorist actions. So too with scammers, if there is no MTO, then the hope is that the scammer will be put out of business. But that approach is far from reality, and would still not really put much of a dent in the problem.
According to the Aite Group in Cross-Border Consumer Money Transfers, Western Union and MoneyGram handled $88.5 billion in business in 2011. But at the global level, they are but 17.6% and 3.7% of the market respectively. That still leaves roughly 80% of this highly fragmented market open for business (and fraud).
Scammers, fraudsters and the like need to have their money trail stopped so they can stop robbing innocent victims. So the question is this--how can that be done?
The reality is that it can't.
Scammers and Western Union
Western Union has myriad locations in nearly every country. What that means is that scammers can attempt to steal from victims worldwide. Western Union's global reach is precisely what is behind its power, and its power to be misused. The downside is that the scammers have tapped into that power.
Western Union and MoneyGram MTOs are fast and easy methods to send funds to people you know. The underlying security issue, though, is that these MTOs are not designed to be used as an escrow-type payment scheme for sending money to people you don't know. MTOs have always been about sending money to people you know and trust.
It is crucial that anyone using a MTO realize that using them is synonymous as cash; meaning that once it has been given over, you have no recourse to get it back. And that is precisely the point that these victims are oblivious to.
Contrast this with PayPal, eBay and other escrowed on-line services. Even though online escrow service fraud is still problematic, scammers avoid PayPal given its stronger accounting and authentication characteristics. See these tips to avoid online escrow fraud from the Better Business Bureau. But after all is said and done, it still is safer than a MTO.
That's why most scammers are explicit that it is Western Union and MoneyGram only--no PayPal, given the traceability and accountability it affords, as this image attests.
Western Union can't be blamed for scammers misusing its service any more than Ford can be blamed for those who drive their automobiles in an unsafe manner. Scammers love these MTOs and use them as their preferred money transfer mechanism.
Stopping fraud does not mean stopping Western Union
As noted, scammers choose Western Union and MoneyGram given their global reach and stopping these services won't stop fraudsters.
But more importantly, by the time a victim walks into a MTO location, they are convinced that it is their road to riches. The scammers have the victims believing they are days away from millions of dollars. While MTO agents are often trained and alerted to these scams, the scammers have socialized the victims to lie for them. If the MTO agents ask, the victims have been prepared to say that they are sending the money to people they know.
These victims are so convinced of their impending wealth, that they are casualties of inattentional blindness, so well-described in The Invisible Gorilla: How Our Intuitions Deceive Us. This inattentional blindness causes the victim to forget the mantra that "there ain't no such thing as a free lunch" and other essentials of basic economics.
For those consumers who use a phone transfer MTO, Western Union may flag the transfer if their analytics suspect that it is fraudulent. They place a hold on the transaction and inquire with the sender as to the legitimacy of the recipient. Again, since scammers know this, they instruct their victims to tell any inquisitive agent that they are sending the money 'to a family member'.
In a fascinating piece here at CSO, George Hulme writes about how ticket marketplace StubHub is motivated to catch fraudsters. The article quoted Robert Capps, senior manager of trust and safety at StubHub, saying that "being in the middle of this marketplace and being responsible for all the edges of the transactions means that we have to be really creative about how we address the different risks within our marketplace".
How much more creative the MTOs can be is debatable, but it is the victims that have to suffer the consequences of the scammers.
So while it is for the most part not practical to shut down an MTO, other methods to impede the scammers have been considered. But all of them have invariably collapsed on the weight of the scammers' dexterity.
How about requiring presentation of government issued IDs before funds can be picked up? That is impractical for too many reasons to fully detail here.
First off, IDs are notoriously easy to forge. They are also hard to verify. In the US, the issue with government IDs is that there is no way to do a database search to see if a driver's license or passport is legitimate, as the agencies do not share this information. It is easier to verify a credit card than Iowa driver's license. Nearly every proposed solution to stop the scammers simply does not work in Eastern Europe and Africa where these frauds are taking place.
When it comes to Internet frauds, the best awareness is to use common sense. Everybody does stupid things and the scammers capitalize on that. But the same people that are surprised when their Kardashian weight-loss supplements don't work are equally surprised when their millions from Cote d'Ivoire never arrive.
Americans like movies with happy endings, but when scammers are directing the movie; the endings can only be tragic. Scammers are infinitely creative and adaptive; their victims are not. A tragedy on every level.
Ben Rothke, CISSP, is an information security professional and the author of Computer Security: 20 Things Every Employee Should Know. He is @benrothke on Twitter.